LabEx
Log InJoin Free

John the Ripper for Penetration Testing Scenarios

Kali LinuxBeginner
Practice Now

Introduction

Welcome to this lab on using John the Ripper (JtR) in penetration testing scenarios. John the Ripper is a powerful and popular open-source password cracking tool. For a penetration tester, it is an essential utility for identifying and exploiting weak passwords, which remain one of the most common security vulnerabilities.

In this lab, you will learn how to integrate JtR into a typical pentesting workflow. You will start by cracking a user's password from a captured shadow file, use that information in a privilege escalation context, and then apply JtR to crack the password of a protected file. Finally, you will learn the crucial steps of documenting and reporting your findings to stakeholders.

Integrate John the Ripper into a Pentesting Workflow

In this step, you will perform the first phase of a password attack: cracking hashes obtained during reconnaissance. A common target for local privilege escalation is the /etc/shadow file, which stores user password hashes on Linux systems. We have already simulated this by providing a shadow.txt file in your ~/project directory.

First, let's run John the Ripper against the shadow.txt file using a custom wordlist. A wordlist is simply a text file containing potential passwords.

Execute the following command to start the cracking process:

john --wordlist=wordlist.txt shadow.txt

John will load the hashes and test each password from wordlist.txt against them. Since the password for weakuser is in our wordlist, it will be cracked quickly.

Using default input encoding: UTF-8
Loaded 1 password hash (sha512, 512/512 AVX512BW 16x)
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 processing threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password123      (weakuser)
1g 0:00:00:00 DONE (2023-10-27 10:30) 100.0g/s 100.0p/s 100.0c/s 100.0C/s password123
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Once a password is cracked, John stores it in a file called john.pot located in the ~/.john/ directory. To view the cracked passwords for a specific hash file, you can use the --show option.

Run this command to display the cracked password:

john --show shadow.txt

You will see the username and the cracked password.

weakuser:password123:19657:0:99999:7:::

1 password hash cracked, 0 left

You have successfully cracked the user's password, a critical first step in many penetration tests.

Use John the Ripper for Local Privilege Escalation

In this step, you will learn how a cracked password can be used to escalate privileges. After cracking the password for weakuser, the next logical step is to see what access this account provides. If weakuser has sudo privileges or access to sensitive files, you can gain more control over the system.

Let's simulate this by attempting to switch to the weakuser account using the password you just cracked (password123).

Use the su (substitute user) command to switch to weakuser:

su weakuser

The system will prompt you for a password. Enter password123 and press Enter.

Password:

If the password is correct, your command prompt will change, indicating you are now operating as weakuser.

weakuser@...:/home/labex/project$

In a real penetration test, you would now explore the system from this user's perspective, for example, by running sudo -l to check for sudo rights. For this lab, simply demonstrating that you can access the account is sufficient.

Now, type exit to return to your original labex user shell.

exit

This exercise demonstrates the direct impact of a weak password: it can lead to unauthorized account access, which is a stepping stone for further system compromise.

Apply John the Ripper in Network Penetration Tests

In this step, you'll see how John the Ripper's versatility extends beyond system password hashes. Pentesters often find password-protected files, such as ZIP archives, on file shares or during post-exploitation. JtR can crack these as well.

We have provided a password-protected file named protected.zip in your ~/project directory. The process involves two stages: first, extracting a crackable hash from the file, and second, using John to crack that hash.

Many JtR-related tools help extract hashes from different file types. For ZIP files, we use zip2john. Run the following command to extract the hash from protected.zip and save it to a file named zip_hash.txt:

zip2john protected.zip > zip_hash.txt

You can view the contents of zip_hash.txt to see what the hash looks like.

cat zip_hash.txt

Now, run John the Ripper on this new hash file. This time, we won't specify a wordlist and will let John use its default modes, which include a single-crack mode that tries common password variations.

john zip_hash.txt

John should crack the password very quickly.

Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP, 32/64)
Cost 1 (iteration count) is 1000 for all loaded hashes
Will run 4 processing threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supersecret      (protected.zip)
1g 0:00:00:00 DONE (2023-10-27 10:35) 100.0g/s 12345p/s 12345c/s 12345C/s supersecret
Session completed

Just like before, use the --show option to view the cracked password for the ZIP file.

john --show zip_hash.txt

protected.zip:supersecret

1 password hash cracked, 0 left

You have successfully recovered the password for the ZIP file, demonstrating how JtR can be applied to different types of data found during a penetration test.

Document Findings from John the Ripper Attacks

In this step, you will focus on a critical, non-technical aspect of penetration testing: documentation. Simply finding vulnerabilities is not enough; you must document them clearly so they can be fixed. A good report details the vulnerability, its impact, and a recommendation for remediation.

You will now create a simple findings report in a markdown file. Use the nano text editor to create a file named findings.md.

nano findings.md

Inside the nano editor, copy and paste the following text. This template documents the two vulnerabilities you've discovered so far.

## Penetration Test Findings - Weak Passwords

### Finding 1: Weak User Account Password

- **Vulnerability:** Weak password for user `weakuser`.
- **Password:** `password123`
- **Impact:** Potential for local privilege escalation and unauthorized system access.
- **Recommendation:** Enforce a strong password policy that requires complexity and length. Reset the password for `weakuser`.

### Finding 2: Weak Password on Protected Archive

- **Vulnerability:** Weak password for the archive `protected.zip`.
- **Password:** `supersecret`
- **Impact:** Sensitive data within the archive is exposed to anyone who finds the file.
- **Recommendation:** Use strong, complex passwords for all encrypted files and archives.

After pasting the text, save the file and exit nano by pressing Ctrl+X, then Y, and finally Enter.

You have now created a clear and concise record of your findings, which is an essential part of any professional penetration test.

Report Weak Passwords to Stakeholders

In this final step, you will practice creating a high-level summary suitable for stakeholders, such as system administrators or management. While the detailed findings document is for technical teams, a summary report communicates the risk and the need for action in a more direct way.

You will create a simple text file named report_summary.txt that simulates an email or a report summary.

Use the nano editor to create the file:

nano report_summary.txt

Inside the nano editor, copy and paste the following summary. This text clearly and concisely communicates the problem and the required action.

To: System Administrator
From: Penetration Tester
Subject: Critical Vulnerability: Weak Passwords Detected

This report summarizes critical password vulnerabilities discovered during the recent penetration test.

1. User 'weakuser' has a crackable password ('password123'), posing a risk of privilege escalation.
2. A protected file 'protected.zip' uses a weak password ('supersecret'), exposing its contents.

Immediate action is required to enforce a stronger password policy and reset the identified weak passwords.

Save the file and exit nano by pressing Ctrl+X, then Y, and Enter.

This finalizes the penetration testing workflow for this scenario. You have not only identified and exploited vulnerabilities but have also documented and prepared a report to ensure they are addressed. This completes the cycle from discovery to remediation.

Summary

Congratulations on completing this lab! You have successfully walked through a realistic penetration testing workflow using John the Ripper.

In this lab, you learned how to:

  • Integrate John the Ripper into a pentesting process by cracking hashes from a shadow file.
  • Use a cracked password to simulate a local privilege escalation attempt.
  • Apply JtR to different data types by cracking the password of a protected ZIP archive.
  • Understand the critical importance of documenting your findings in a clear and structured manner.
  • Create a summary report to effectively communicate vulnerabilities to stakeholders.

These skills are fundamental for any cybersecurity professional involved in ethical hacking and security auditing.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux