Introduction
In this lab, you will dive into the world of password security by learning how to use John the Ripper, a popular open-source password cracking tool. Understanding how passwords can be guessed or cracked is crucial for developing stronger security practices. You will explore different password guessing strategies, from basic brute-force to more advanced combinator and hybrid attacks. By the end of this lab, you will have a practical understanding of these techniques and how to apply them using John the Ripper.
Understand Common Password Guessing Techniques
In this step, you will learn about the fundamental concepts behind password guessing techniques, specifically focusing on dictionary attacks and simple brute-force. John the Ripper can utilize these methods to attempt to crack passwords.
First, let's use John the Ripper to crack a simple MD5 hash using a dictionary attack. We have already prepared a passwords.txt file containing a hashed password and a wordlist.txt file with common passwords.
Open your terminal and navigate to the ~/project directory.
cd ~/project
Now, run John the Ripper with the wordlist.txt file:
john --format=raw-md5 --wordlist=wordlist.txt passwords.txt
You should see output indicating John is trying to crack the password. If successful, it will show the cracked password.
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5])
Cost 1 (MD5 [MD5]) is not supported.
Will run John the Ripper in single-threaded mode.
Press 'q' or Ctrl-C to abort, almost any other key for status.
password (user1)
1g 0:00:00:00 DONE (2023-10-27 08:00) 100.0g/s 100.0p/s 100.0c/s 100.0C/s password
To view the cracked passwords, you can use the --show option:
john --show passwords.txt
user1:password
1 password hash cracked, 0 left
This demonstrates a basic dictionary attack. John the Ripper successfully found "password" in the provided wordlist.
Implement Brute-Force with Specific Patterns
In this step, you will explore brute-force attacks using John the Ripper's incremental mode. Incremental mode allows John to generate passwords based on character sets (e.g., lowercase, uppercase, digits, symbols) and length, effectively performing a brute-force attack.
First, let's create a new password hash that is not in our simple wordlist. We will use testuser:testpass (MD5 hash of testpass is 5d41402abc4b2a76b9719d911017c592).
echo "testuser:5d41402abc4b2a76b9719d911017c592" > /home/labex/project/brute_passwords.txt
Now, we will use John the Ripper in incremental mode. For simplicity and speed, we will limit the character set and password length. We'll use the digits mode to crack a password that consists only of digits.
Let's assume we have a password that is 4 digits long, e.g., 1234. The MD5 hash for 1234 is 81dc9bdb52d04dc20036dbd8313ed055.
echo "digituser:81dc9bdb52d04dc20036dbd8313ed055" > /home/labex/project/digit_passwords.txt
Now, run John the Ripper in incremental mode, specifically targeting digits:
john --format=raw-md5 --incremental=digits digit_passwords.txt
This command will try all combinations of digits until it finds the password. This might take a moment depending on the password length.
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5])
Cost 1 (MD5 [MD5]) is not supported.
Will run John the Ripper in single-threaded mode.
Press 'q' or Ctrl-C to abort, almost any other key for status.
1234 (digituser)
1g 0:00:00:00 DONE (2023-10-27 08:05) 100.0g/s 100.0p/s 100.0c/s 100.0C/s 1234
Once cracked, you can show the result:
john --show digit_passwords.txt
digituser:1234
1 password hash cracked, 0 left
This demonstrates how brute-force can be used when the password structure is known or limited.
Utilize Combinator Attacks
In this step, you will learn about combinator attacks, which combine words from two different wordlists. This is useful when passwords are formed by concatenating two common words.
First, let's create a new password hash for a combinator attack. We will use john_doe as the password (MD5 hash of john_doe is 112233445566778899aabbccddeeff00).
echo "combo_user:112233445566778899aabbccddeeff00" > /home/labex/project/combo_passwords.txt
We have already prepared base_wordlist.txt with "john" and "doe". Now, let's create a second wordlist, second_wordlist.txt:
echo "doe" > /home/labex/project/second_wordlist.txt
echo "smith" >> /home/labex/project/second_wordlist.txt
Now, use John the Ripper with the Combinator mode. This mode takes two wordlists and combines each word from the first list with each word from the second list.
john --format=raw-md5 --rules=Combinator --wordlist=base_wordlist.txt --stdout > /home/labex/project/combined_words.txt
john --format=raw-md5 --wordlist=combined_words.txt combo_passwords.txt
The first command generates combinations and saves them to combined_words.txt. The second command then uses this generated wordlist to crack the password.
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5])
Cost 1 (MD5 [MD5]) is not supported.
Will run John the Ripper in single-threaded mode.
Press 'q' or Ctrl-C to abort, almost any other key for status.
john_doe (combo_user)
1g 0:00:00:00 DONE (2023-10-27 08:10) 100.0g/s 100.0p/s 100.0c/s 100.0C/s john_doe
To verify the cracked password:
john --show combo_passwords.txt
combo_user:john_doe
1 password hash cracked, 0 left
This demonstrates how combinator attacks can be effective when passwords are a combination of known words.
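The digit-only brute force from the previous step and the two-wordlist combination this step describes, written out in Python as an added example (not part of the lab or of John the Ripper); the user:hash input, the wordlists and the optional "_" separator are all constructed here:

```python
import hashlib
import itertools

# Constructed sample input in john's user:hash format (not the lab's files); the
# digests are computed here so the example runs without any external files.
HASH_FILE = "\n".join(
    f"{user}:{hashlib.md5(pw.encode()).hexdigest()}"
    for user, pw in [("digituser", "1234"), ("combo_user", "john_doe")]
)

def load_hashes(text):
    """Parse user:md5hex lines into {md5hex: user}, mirroring john's input format."""
    targets = {}
    for line in text.splitlines():
        user, _, digest = line.strip().partition(":")
        if user and len(digest) == 32:
            targets[digest.lower()] = user
    return targets

def incremental_digits(max_len):
    """Digit-only candidates of length 1..max_len, like --incremental=digits."""
    for n in range(1, max_len + 1):
        for tup in itertools.product("0123456789", repeat=n):
            yield "".join(tup)

def combinator(first, second, separators=("",)):
    """Join every word of `first` with every word of `second`, optionally through a
    separator such as '_': the two-wordlist combination this step intends."""
    for a, b, sep in itertools.product(first, second, separators):
        yield a + sep + b

def crack(targets, candidates):
    """Raw-MD5 each candidate and collect {user: password} for every hit."""
    found = {}
    for cand in candidates:
        digest = hashlib.md5(cand.encode()).hexdigest()
        if digest in targets:
            found[targets[digest]] = cand
            if len(found) == len(targets):     # stop once every hash is cracked
                break
    return found

if __name__ == "__main__":
    targets = load_hashes(HASH_FILE)
    print(crack(targets, incremental_digits(4)))                              # digituser
    print(crack(targets, combinator(["john"], ["doe", "smith"], ("", "_"))))  # combo_user
```

Because john_doe contains an underscore, plain concatenation of the two lists never produces it; the separator argument is what makes the combination hit.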
Explore Hybrid Attacks with John the Ripper
In this step, you will learn about hybrid attacks, which combine dictionary words with brute-force elements (like numbers or special characters). This is a very common and effective strategy for cracking passwords that are variations of common words.
Let's create a new password hash for a hybrid attack. We will use password123 as the password (MD5 hash of password123 is 28a112233445566778899aabbccddeeff).
echo "hybrid_user:28a112233445566778899aabbccddeeff" > /home/labex/project/hybrid_passwords.txt
We will use our existing wordlist.txt and apply a rule that appends four digits to each word. We have already created a simple rule file rules.txt in the setup.
Now, run John the Ripper using the wordlist.txt and the custom rule file:
john --format=raw-md5 --wordlist=wordlist.txt --rules=rules.txt hybrid_passwords.txt
This command will take each word from wordlist.txt and apply the rules defined in rules.txt (appending four digits).
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5])
Cost 1 (MD5 [MD5]) is not supported.
Will run John the Ripper in single-threaded mode.
Press 'q' or Ctrl-C to abort, almost any other key for status.
password123 (hybrid_user)
1g 0:00:00:00 DONE (2023-10-27 08:15) 100.0g/s 100.0p/s 100.0c/s 100.0C/s password123
To verify the cracked password:
john --show hybrid_passwords.txt
hybrid_user:password123
1 password hash cracked, 0 left
This demonstrates the power of hybrid attacks in cracking passwords that combine dictionary words with predictable patterns.
Develop Custom Guessing Strategies
In this step, you will learn how to develop custom guessing strategies by creating and using your own rule files with John the Ripper. This allows for highly targeted attacks based on known password patterns or user habits.
Let's create a new password hash for a custom strategy. We will use LabEx@2023 as the password (MD5 hash of LabEx@2023 is e0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5).
echo "custom_user:e0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5" > /home/labex/project/custom_passwords.txt
Now, let's create a custom rule file named custom_rules.txt that capitalizes the first letter, appends @, and then appends four digits.
nano /home/labex/project/custom_rules.txt
Add the following content to the custom_rules.txt file:
:
c
$@
$[0-9]$[0-9]$[0-9]$[0-9]
- : (empty rule): a placeholder, often used to start a rule set.
- c: capitalizes the first letter of the word.
- $@: appends the @ symbol.
- $[0-9]$[0-9]$[0-9]$[0-9]: appends four digits.
Save and exit nano (Ctrl+X, Y, Enter).
Now, let's use a base wordlist containing "labex":
echo "labex" > /home/labex/project/base_custom_wordlist.txt
Run John the Ripper with your custom rule file:
john --format=raw-md5 --wordlist=base_custom_wordlist.txt --rules=custom_rules.txt custom_passwords.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5])
Cost 1 (MD5 [MD5]) is not supported.
Will run John the Ripper in single-threaded mode.
Press 'q' or Ctrl-C to abort, almost any other key for status.
LabEx@2023 (custom_user)
1g 0:00:00:00 DONE (2023-10-27 08:20) 100.0g/s 100.0p/s 100.0c/s 100.0C/s LabEx@2023
To verify the cracked password:
john --show custom_passwords.txt
custom_user:LabEx@2023
1 password hash cracked, 0 left
This demonstrates the flexibility of John the Ripper's rule engine, allowing you to craft highly specific and effective password guessing strategies.
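A minimal interpreter for the rule syntax used in the hybrid and custom-rule steps above, added here as an example and not part of the lab or of John the Ripper. It supports only the ":" no-op, "c", "$X", "^X" and the [..] preprocessor class; the combined rule line and the target hash are constructed for the demo.

```python
import hashlib
import itertools
import re

def _expand_class(body):
    """'0-9' -> '0123456789', 'a-cx' -> 'abcx' (ranges and single characters)."""
    return [chr(c) for lo, hi, one in re.findall(r"(.)-(.)|(.)", body)
            for c in range(ord(lo or one), ord(hi or one) + 1)]

def preprocess(rule):
    """Expand [..] classes as john's preprocessor does, one concrete rule per combination."""
    parts = re.split(r"\[([^\]]+)\]", rule)     # literals at even, class bodies at odd indexes
    literals, classes = parts[0::2], [_expand_class(b) for b in parts[1::2]]
    for combo in itertools.product(*classes):
        yield "".join(lit + ch for lit, ch in zip(literals, list(combo) + [""]))

def apply_rule(rule, word):
    """Apply one concrete rule; supported subset: ':', 'c', '$X' and '^X'."""
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == "c":                         # capitalize first letter, lowercase the rest
            word = word[:1].upper() + word[1:].lower()
        elif cmd in "$^":                      # append / prepend the next literal character
            i += 1
            word = word + rule[i] if cmd == "$" else rule[i] + word
        elif cmd != ":":                       # ':' is john's no-op rule
            raise ValueError(f"unsupported rule command {cmd!r}")
        i += 1
    return word

def candidates(wordlist, rules):
    """Yield every word under every expanded rule, rule by rule, as --rules does."""
    for raw in rules:
        for rule in preprocess(raw):
            for word in wordlist:
                yield apply_rule(rule, word)

def crack_md5(target_hex, wordlist, rules):
    """Return the first candidate whose raw-MD5 equals target_hex, else None."""
    for cand in candidates(wordlist, rules):
        if hashlib.md5(cand.encode()).hexdigest() == target_hex:
            return cand
    return None

# Constructed demo target, with the lab's pattern written as ONE rule line: john reads
# each line of a rule file as a separate rule, so 'c', '$@' and '$[0-9]...' on
# separate lines are never combined into a single candidate.
CUSTOM_RULE = "c$@$[0-9]$[0-9]$[0-9]$[0-9]"
DEMO_HASH = hashlib.md5(b"Labex@2023").hexdigest()
```

Calling crack_md5(DEMO_HASH, ["labex"], [CUSTOM_RULE]) walks the 10,000 expanded rules and returns "Labex@2023"; feeding the same four commands as separate rule lines returns None, which is the check to run before trusting a rule file.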
Summary
In this lab, you gained hands-on experience with John the Ripper, a powerful tool for password cracking. You learned about and implemented various password guessing strategies, including:
- Dictionary Attacks: Using pre-compiled lists of common passwords.
- Brute-Force Attacks: Systematically trying all possible character combinations within a defined set.
- Combinator Attacks: Combining words from multiple wordlists to form new password candidates.
- Hybrid Attacks: Blending dictionary words with brute-force elements using rules.
- Custom Guessing Strategies: Developing your own rules to target specific password patterns.
Understanding these techniques is crucial for both offensive security (penetration testing) and defensive security (creating strong password policies and educating users). By seeing how easily common password patterns can be cracked, you can better appreciate the importance of complex, unique passwords and multi-factor authentication.