For this tutorial we use John the Ripper, a free password-cracking tool. It combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker.
It can crack various encrypted password formats, including several crypt password hash types most commonly found on various Unix versions (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hashes. (With an additional module it can also handle MD4-based password hashes and passwords stored in LDAP, MySQL, etc.) John the Ripper differs from tools like Hydra, which do blind brute-forcing by trying username/password combinations against a service daemon such as an FTP or telnet server. John the Ripper instead needs the hash first, which can be done using free rainbow tables available online. (Rainbow tables store common words and their hashes in a large database.)
We must use the passwd and shadow files to create an output file and run a dictionary attack against that file to crack it.
John the Ripper uses /etc/passwd, where the username and password are stored, and the /etc/shadow file, which contains the hash.
Let's start by creating a user named sander with the password qwerty (a simple password for demo purposes).
See this tutorial for more information on creating a user in Kali Linux.
Create the user sander with:
sander@linuxsource:~# useradd -m sander -G sudo -s /bin/bash
Change the password of sander to qwerty:
sander@linuxsource:~# passwd sander
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
With the unshadow command you combine the entries of /etc/passwd and /etc/shadow and redirect them to one file with the username and password details.
To combine the entries and redirect the output to a file, use this command:
sander@linuxsource:~# unshadow /etc/passwd /etc/shadow > /root/sanders-password
Now we need a dictionary file; we start cracking with the small password file included with John the Ripper.
This file is located at:
/usr/share/john/password.lst
Crack the password in the file created earlier by typing:
sander@linuxsource:~# john --wordlist=/usr/share/john/password.lst /root/sanders-password
The cracking starts and shows the output:
Created directory: /root/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
qwerty           (sander)
1g 0:00:00:20 DONE (2017-01-05 22:07) 0.04992g/s 177.0p/s 357.2c/s 357.2C/s paagal..sss
Use the "--show" option to display all of the cracked passwords reliably
Session completed
When it's complete, you can use the following command to show a list of cracked passwords:
sander@linuxsource:~# john --show /root/sanders-password
sander:qwerty:1000:1002::/home/sander:/bin/bash

1 password hash cracked, 1 left
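As an added example (not part of this tutorial and not John's own code), the Python below reproduces the merge step that unshadow performed earlier and labels each account's crypt(3) scheme from its "$id$" prefix, the same way John autodetected sha512crypt above. It lets an administrator see, before any cracking run, which accounts actually carry a crackable hash and which are locked or passwordless; the passwd and shadow lines and the hash value are constructed placeholders.

```python
# Added example (not part of the tutorial): re-implements the merge that
# unshadow(8) performs and labels each account's crypt(3) scheme, so an
# auditor can see which accounts John would load, and as which hash type.
# The passwd/shadow lines are constructed; the hash is a placeholder.

# crypt(3) "$id$" prefixes; $6$ is what John reported above as sha512crypt
CRYPT_SCHEMES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}

PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
sander:x:1000:1002::/home/sander:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

SHADOW_SAMPLE = """root:*:17000:0:99999:7:::
sander:$6$saltsalt$PLACEHOLDERNOTAREALHASH:17000:0:99999:7:::
nobody:!:17000:0:99999:7:::
"""

def unshadow(passwd_text, shadow_text):
    """Merge like unshadow: replace the 'x' in field 2 with the shadow hash."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, hashed = line.split(":", 2)[:2]
            hashes[name] = hashed
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])  # keep 'x' if no shadow entry
        merged.append(":".join(fields))
    return merged

def classify(merged_line):
    """Return (username, scheme); locked or empty entries are flagged, not cracked."""
    name, hashed = merged_line.split(":", 2)[:2]
    if hashed in ("", "*") or hashed.startswith("!"):
        return name, "locked/no password"
    for prefix, scheme in CRYPT_SCHEMES.items():
        if hashed.startswith(prefix):
            return name, scheme
    return name, "descrypt or unknown"
```

Running classify over each merged line gives the same per-account picture as John's "Loaded N password hashes" line, without starting a cracking session.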
This completes the basic use of John the Ripper. For more and advanced usage examples go to this link.