Introduction
In this lab, you will explore the capabilities of John the Ripper, a widely used open-source password cracking tool. You will focus on cracking MD5 hashes, which are commonly used for storing password representations. Understanding how to crack hashes is crucial for security professionals to assess the strength of passwords and identify vulnerabilities. You will learn to generate MD5 hashes, prepare them for John the Ripper, and then use different cracking techniques, including wordlist attacks and incremental mode.
Generate MD5 Hashes from Passwords
In this step, you will generate MD5 hashes for a few sample passwords. This will simulate a scenario where you have access to hashed passwords and need to crack them. You will use the echo command piped to md5sum to create these hashes.
First, let's generate an MD5 hash for the password password123:
echo -n "password123" | md5sum
You should see an output similar to this:
202cb962ac59075b964b07152d234b70 -
Next, generate MD5 hashes for a few more passwords: labex and secret.
echo -n "labex" | md5sum
echo -n "secret" | md5sum
The outputs will be:
202cb962ac59075b964b07152d234b70 -
a0b923820dcc509a86619210ed1572e4 -
5ebe2294ecd0e0f08eab7690d2a6ee69 -
These generated hashes will be used in the subsequent steps for cracking.
Create a Hash File for MD5
In this step, you will create a file containing the MD5 hashes you generated. John the Ripper typically takes a file as input, where each line contains a hash to be cracked. You will create a file named hashes.txt in your ~/project directory and populate it with the MD5 hashes.
First, let's create the hashes.txt file and add the MD5 hashes. We will only add the hash part, not the - or filename.
echo "202cb962ac59075b964b07152d234b70" > ~/project/hashes.txt
echo "a0b923820dcc509a86619210ed1572e4" >> ~/project/hashes.txt
echo "5ebe2294ecd0e0f08eab7690d2a6ee69" >> ~/project/hashes.txt
Now, verify the content of the hashes.txt file using the cat command:
cat ~/project/hashes.txt
The output should look like this:
202cb962ac59075b964b07152d234b70
a0b923820dcc509a86619210ed1572e4
5ebe2294ecd0e0f08eab7690d2a6ee69
This file will serve as the input for John the Ripper.
Specify Hash Type for John the Ripper
In this step, you will learn how to tell John the Ripper which hash type it is dealing with. John the Ripper supports a wide variety of hash types, and specifying the correct type is crucial for successful cracking. For MD5 hashes, you will use the raw-md5 format.
To check if John the Ripper recognizes raw-md5 and to see other supported formats, you can use the --list=formats option. However, for this lab, we will directly use the raw-md5 format.
You can test John the Ripper with a single hash and specify the format using the --format option. This won't crack it yet, but it confirms John can process the format.
john --format=raw-md5 ~/project/hashes.txt --stdout
This command will attempt to process the hashes in hashes.txt as raw-md5 and print them to standard output. You won't see cracked passwords yet, but it confirms the format is recognized. The output will be the hashes themselves, as John is just processing them without cracking.
202cb962ac59075b964b07152d234b70
a0b923820dcc509a86619210ed1572e4
5ebe2294ecd0e0f08eab7690d2a6ee69
This step ensures that John the Ripper is correctly configured to handle MD5 hashes.
Crack MD5 Hashes with Wordlist
In this step, you will use a wordlist to crack the MD5 hashes. A wordlist attack attempts to crack passwords by trying every word in a predefined list. This is a common and often effective method for cracking weak passwords.
First, you need a wordlist. For this lab, you will create a simple wordlist file named wordlist.txt in your ~/project directory containing common passwords, including the ones you hashed earlier.
echo "password123" > ~/project/wordlist.txt
echo "labex" >> ~/project/wordlist.txt
echo "secret" >> ~/project/wordlist.txt
echo "test" >> ~/project/wordlist.txt
echo "admin" >> ~/project/wordlist.txt
Now, use John the Ripper with the wordlist option to crack the hashes:
john --format=raw-md5 --wordlist=~/project/wordlist.txt ~/project/hashes.txt
John the Ripper will process the hashes.txt file, trying each word from wordlist.txt against the MD5 hashes. If a match is found, it will display the cracked password.
The output should show the cracked passwords:
Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts (raw-md5 [MD5])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password123 (202cb962ac59075b964b07152d234b70)
labex (a0b923820dcc509a86619210ed1572e4)
secret (5ebe2294ecd0e0f08eab7690d2a6ee69)
3g 0:00:00:00 DONE (2023-10-27 10:30) 100.0% (ETA: 00:00:00) 3.000g/s 15.00p/s 15.00c/s 15.00C/s password123 labex secret
Session completed.
You can also use john --show to display the cracked passwords from the John the Ripper pot file:
john --show ~/project/hashes.txt
Output:
202cb962ac59075b964b07152d234b70:password123
a0b923820dcc509a86619210ed1572e4:labex
5ebe2294ecd0e0f08eab7690d2a6ee69:secret
3 password hashes cracked, 0 left
This demonstrates the effectiveness of wordlist attacks against common or easily guessable passwords.
Crack MD5 Hashes with Incremental Mode
In this step, you will use John the Ripper's incremental mode to crack MD5 hashes. Incremental mode is a powerful brute-force attack that tries combinations of characters based on a character set (e.g., lowercase letters, numbers, symbols). It's useful when a wordlist attack fails, as it doesn't rely on pre-existing words.
First, let's clear John's pot file to ensure we are starting fresh for this cracking attempt. This is important because John stores cracked passwords, and we want to see the cracking process again.
john --session=my_session --restore=NONE
Now, let's try to crack the hashes using incremental mode. For demonstration purposes, we will use a very small character set and a short maximum length to keep the cracking time manageable. In a real scenario, incremental mode can take a very long time depending on the password complexity and length.
john --format=raw-md5 --incremental=alnum --max-len=8 ~/project/hashes.txt
Here:
--incremental=alnum: Tells John to use alphanumeric characters (a-z, A-Z, 0-9). John has predefined incremental modes likealnum,alpha,digits, etc.--max-len=8: Limits the maximum password length to 8 characters. This is crucial for keeping the cracking time short for this lab.
John the Ripper will start generating and testing combinations. Since our passwords (password123, labex, secret) are within the alnum character set and max-len=8 (for labex and secret), John should eventually crack them. password123 is 11 characters long, so it won't be cracked with max-len=8.
The output will show the cracked passwords as John finds them:
Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts (raw-md5 [MD5])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
labex (a0b923820dcc509a86619210ed1572e4)
secret (5ebe2294ecd0e0f08eab7690d2a6ee69)
2g 0:00:00:00 DONE (2023-10-27 10:35) 100.0% (ETA: 00:00:00) 2.000g/s 10.00p/s 10.00c/s 10.00C/s labex secret
Session completed.
You can again use john --show to display the cracked passwords:
john --show ~/project/hashes.txt
Output:
a0b923820dcc509a86619210ed1572e4:labex
5ebe2294ecd0e0f08eab7690d2a6ee69:secret
2 password hashes cracked, 1 left
Notice that password123 was not cracked this time because its length (11 characters) exceeded the --max-len=8 limit. This highlights the importance of setting appropriate parameters for incremental attacks.
Summary
In this lab, you successfully used John the Ripper to crack MD5 hashes. You started by generating MD5 hashes from sample passwords and then created a hash file for John the Ripper to process. You learned how to specify the hash type (raw-md5) and then applied two different cracking techniques: wordlist attack and incremental mode.
You observed that wordlist attacks are effective against common passwords found in dictionaries, while incremental mode provides a brute-force approach for more complex or unknown passwords, albeit with potentially much longer cracking times. This lab provides a foundational understanding of password cracking techniques using John the Ripper, which is a valuable skill for cybersecurity professionals.
