LabEx
Log InJoin Free

Understand John the Ripper Dictionary Attacks

Kali LinuxBeginner
Practice Now

Introduction

In this lab, you will gain a practical understanding of dictionary attacks using John the Ripper, a powerful password cracking tool. You will learn how to select and combine dictionaries effectively, understand the inherent limitations of this attack method, and even generate custom dictionaries to enhance your cracking capabilities. By the end of this lab, you will be able to analyze the success rates of dictionary attacks and appreciate their role in cybersecurity.

Select Appropriate Dictionaries

In this step, you will learn how to select and use an appropriate dictionary file for a John the Ripper dictionary attack. A dictionary attack attempts to crack passwords by trying every word in a predefined list (dictionary). The effectiveness of this attack heavily depends on the quality and relevance of the dictionary used.

First, let's verify that John the Ripper is installed and the dummy password file passwords.txt and dictionary file rockyou.txt are present in your ~/project directory.

john --version
ls -l ~/project/passwords.txt ~/project/rockyou.txt

You should see output similar to this, confirming the presence of the files:

John the Ripper password cracker, version 1.9.0-jumbo-1 ...
-rw-r--r-- 1 labex labex XX Mar XX:XX /home/labex/project/passwords.txt
-rw-r--r-- 1 labex labex XX Mar XX:XX /home/labex/project/rockyou.txt

Now, let's perform a basic dictionary attack using the rockyou.txt dictionary against our passwords.txt file. The --wordlist option specifies the dictionary file to use.

john --wordlist=/home/labex/project/rockyou.txt /home/labex/project/passwords.txt

John the Ripper will attempt to crack the passwords. If successful, it will display the cracked passwords. You might see output similar to this:

Using default input encoding: UTF-8
Loaded 4 password hashes with no different salts (MD5 [MD5])
Will run till all hashes are cracked, or till a key is found for each (whichever comes first)
Press 'q' or Ctrl-C to abort, almost any other key for status
password         (user1)
admin            (user2)
123456           (user3)
labex            (user4)
4g 0:00:00:00 DONE (2023-03-15 10:30) 100.0% (ETA: 2023-03-15 10:30) 4g/s 16.0p/s 16.0c/s 16.0C/s password...labex
Session completed.

To view the cracked passwords at any time, you can use the --show option:

john --show /home/labex/project/passwords.txt

This command will display the cracked passwords and the corresponding usernames.

user1:password (user1)
user2:admin (user2)
user3:123456 (user3)
user4:labex (user4)

4 password hashes cracked, 0 left

This demonstrates how to select and use a dictionary for a basic attack. The rockyou.txt file is a common example of a dictionary containing frequently used passwords.

Combine Dictionaries for Comprehensive Attacks

In this step, you will learn how to combine multiple dictionaries to create a more comprehensive wordlist for John the Ripper. Combining dictionaries can significantly increase the chances of cracking passwords, especially if the target passwords are not found in a single dictionary.

First, let's create another small dictionary file named common_words.txt in your ~/project directory.

echo "welcome" > ~/project/common_words.txt
echo "security" >> ~/project/common_words.txt
echo "network" >> ~/project/common_words.txt

Now, we will combine rockyou.txt and common_words.txt into a new file called combined_dictionary.txt. We can use the cat command to concatenate the files and then sort and unique the entries to remove duplicates.

cat ~/project/rockyou.txt ~/project/common_words.txt | sort | uniq > ~/project/combined_dictionary.txt

Let's inspect the content of the new combined_dictionary.txt to ensure it contains words from both original dictionaries and no duplicates.

cat ~/project/combined_dictionary.txt

You should see a sorted list of unique words from both rockyou.txt and common_words.txt.

123456
admin
labex
network
password
secret
security
test
welcome

Now, let's use this combined_dictionary.txt for a dictionary attack. For this demonstration, we will first clear John's previous cracking session to ensure a fresh start.

john --session=clear

Then, run the attack using the combined dictionary:

john --wordlist=/home/labex/project/combined_dictionary.txt /home/labex/project/passwords.txt

John the Ripper will attempt to crack the passwords using the expanded wordlist. If new passwords were added to passwords.txt that are present in common_words.txt, they would now be cracked. Since our passwords.txt only contains passwords from rockyou.txt, the output will be similar to the previous step, but it demonstrates the process of using a combined dictionary.

Using default input encoding: UTF-8
Loaded 4 password hashes with no different salts (MD5 [MD5])
Will run till all hashes are cracked, or till a key is found for each (whichever comes first)
Press 'q' or Ctrl-C to abort, almost any other key for status
password         (user1)
admin            (user2)
123456           (user3)
labex            (user4)
4g 0:00:00:00 DONE (2023-03-15 10:35) 100.0% (ETA: 2023-03-15 10:35) 4g/s 16.0p/s 16.0c/s 16.0C/s password...labex
Session completed.

This process highlights the importance of having a diverse and comprehensive dictionary for effective password cracking.

Understand Dictionary Attack Limitations

In this step, you will explore the limitations of dictionary attacks. While powerful, dictionary attacks are only effective against passwords that exist within the dictionary. They are ineffective against complex, unique, or randomly generated passwords that are not present in the wordlist.

To demonstrate this limitation, let's add a new user with a strong, random password to our passwords.txt file. We will use a password that is highly unlikely to be found in a standard dictionary. For example, P@ssw0rd!23AbC. We will generate its MD5 hash.

echo "user5:$(echo -n 'P@ssw0rd!23AbC' | md5sum | awk '{print $1}')" >> /home/labex/project/passwords.txt

Now, let's clear John's previous session and attempt to crack the passwords again using our combined_dictionary.txt.

john --session=clear
john --wordlist=/home/labex/project/combined_dictionary.txt /home/labex/project/passwords.txt

Observe the output. John the Ripper will likely crack the first four passwords (user1, user2, user3, user4) but will fail to crack user5's password because P@ssw0rd!23AbC is not in our dictionary.

Using default input encoding: UTF-8
Loaded 5 password hashes with no different salts (MD5 [MD5])
Will run till all hashes are cracked, or till a key is found for each (whichever comes first)
Press 'q' or Ctrl-C to abort, almost any other key for status
password         (user1)
admin            (user2)
123456           (user3)
labex            (user4)
4g 0:00:00:00 DONE (2023-03-15 10:40) 80.0% (ETA: 2023-03-15 10:40) 4g/s 16.0p/s 16.0c/s 16.0C/s password...labex
Session completed.

To confirm, use the --show option:

john --show /home/labex/project/passwords.txt

You will see that user5's password remains uncracked.

user1:password (user1)
user2:admin (user2)
user3:123456 (user3)
user4:labex (user4)

4 password hashes cracked, 1 left

This demonstrates that dictionary attacks are limited by the content of the dictionary. Passwords that are not in the dictionary, especially strong, unique ones, will not be cracked by this method. This highlights the importance of using strong, unpredictable passwords.

Implement Custom Dictionary Generation

In this step, you will learn how to generate a custom dictionary. While large pre-made dictionaries like rockyou.txt are useful, sometimes you need to create a dictionary tailored to a specific target or scenario. This could involve using known information about the target (e.g., company names, common phrases, dates) to generate potential passwords.

We will use the crunch tool, which is excellent for generating wordlists based on specified character sets and patterns. crunch is not installed by default, so let's install it first.

sudo apt install -y crunch

Now, let's generate a simple custom dictionary. For example, we can generate all possible combinations of lowercase letters of a specific length. Let's create a dictionary of all 4-character lowercase words.

crunch 4 4 -o ~/project/custom_4char_dictionary.txt -t @@@@
  • 4 4: Specifies the minimum and maximum length of the words to generate (here, both are 4).
  • -o ~/project/custom_4char_dictionary.txt: Specifies the output file.
  • -t @@@@: Specifies a pattern. @ represents lowercase letters.

This command will generate a large file. For demonstration purposes, let's generate a smaller, more manageable custom dictionary. We will generate words of length 3 to 4, using only lowercase letters, and starting with 'a'.

crunch 3 4 abcdefghijklmnopqrstuvwxyz -o ~/project/custom_small_dictionary.txt -t a%@
  • 3 4: Minimum length 3, maximum length 4.
  • abcdefghijklmnopqrstuvwxyz: Specifies the character set to use.
  • -o ~/project/custom_small_dictionary.txt: Output file.
  • -t a%@: Pattern. a is a literal 'a', % represents numbers, @ represents lowercase letters. Let's correct this to generate only lowercase letters.

Let's try a more relevant example for a custom dictionary: generating variations of a known word, like "labex", with numbers appended. We'll use john's built-in wordlist rules for this, which is more practical for common password variations.

First, let's create a base wordlist with just "labex".

echo "labex" > ~/project/base_word.txt

Now, we'll use John's --rules option with a common rule set (like Wordlist) to generate variations. This is often used with a base wordlist.

john --wordlist=/home/labex/project/base_word.txt --rules=Wordlist --stdout > ~/project/labex_variations.txt
  • --wordlist: The base wordlist.
  • --rules=Wordlist: Applies the default wordlist rules (e.g., appending numbers, changing case, etc.).
  • --stdout: Prints the generated words to standard output.
  • > ~/project/labex_variations.txt: Redirects the output to a file.

Let's inspect the generated variations:

head -n 10 ~/project/labex_variations.txt

You will see variations like labex1, Labex, labex!, etc.

labex
Labex
LABEX
labex1
labex2
labex3
labex4
labex5
labex6
labex7

This demonstrates how to generate custom dictionaries or variations of words, which can be crucial for targeted attacks where specific patterns or known information about the target are available.

Analyze Dictionary Attack Success Rates

In this step, you will analyze the success rates of dictionary attacks based on the dictionaries used and the complexity of the target passwords. Understanding success rates helps in evaluating the effectiveness of your cracking efforts and the security posture of systems.

We have already seen that simple dictionary words are easily cracked, while complex passwords are not. Let's quantify this by looking at the number of cracked passwords versus the total number of hashes.

First, ensure John's session is clear.

john --session=clear

Now, let's run the attack again with our combined_dictionary.txt against passwords.txt (which now includes user5 with a strong password).

john --wordlist=/home/labex/project/combined_dictionary.txt /home/labex/project/passwords.txt

After the attack completes, use the --show option to see the results.

john --show /home/labex/project/passwords.txt

The output will show the cracked passwords and the number of hashes cracked versus the total.

user1:password (user1)
user2:admin (user2)
user3:123456 (user3)
user4:labex (user4)

4 password hashes cracked, 1 left

From this output, we can calculate the success rate: (Number of cracked hashes / Total number of hashes) _ 100%. In this case, (4 / 5) _ 100% = 80%.

This 80% success rate indicates that while many common passwords were cracked, the strong password for user5 remained secure against this dictionary attack. This highlights that dictionary attacks are highly effective against weak, common, or dictionary-based passwords but fail against strong, unique passwords.

To further analyze, you could experiment with different dictionaries (e.g., a very small, specific dictionary vs. a very large, general one) and observe how the success rate changes. The larger and more relevant the dictionary, the higher the potential success rate against common passwords. However, for truly random and complex passwords, dictionary attacks will always have a low success rate, emphasizing the need for other cracking techniques (like brute-force) or, more importantly, strong password policies.

This analysis reinforces the importance of using strong, unique passwords that are not easily guessable or found in common dictionaries to protect against such attacks.

Summary

In this lab, you gained hands-on experience with John the Ripper and dictionary attacks. You learned how to select and combine dictionaries to enhance cracking efforts. You also understood the inherent limitations of dictionary attacks, particularly against strong, unique passwords. Furthermore, you explored methods for generating custom dictionaries and analyzed the success rates of these attacks. This lab has provided you with practical insights into a fundamental password cracking technique and reinforced the importance of robust password security practices.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux