John the Ripper is different from tools like Hydra: Hydra does blind brute-forcing by trying username/password combinations against a service daemon such as an FTP or Telnet server. John the Ripper, however, needs the hash first, which can be obtained using free rainbow tables available online. (Rainbow tables store common words and their hashes in a large database.)
We use the passwd and shadow files to create a combined output file and then run a dictionary attack against that file to crack it.
John the Ripper uses /etc/passwd, where the username and password field are stored, and /etc/shadow, which contains the hash.
Let's start by creating a user named sander with the password qwerty (a simple password for demo purposes).
See this tutorial for more information on creating a user in Kali Linux.
Create the user sander with:
sander@linuxsource:~# useradd -m sander -G sudo -s /bin/bash
Change the password of sander to qwerty:
sander@linuxsource:~# passwd sander
Enter new UNIX password: <enter qwerty>
Retype new UNIX password: <enter qwerty>
passwd: password updated successfully
With the unshadow command you combine the entries of /etc/passwd and /etc/shadow and redirect them to one file containing the username and password details.
To combine the entries and redirect the output to a file, use this command:
sander@linuxsource:~# unshadow /etc/passwd /etc/shadow > /root/sanders-password
Now we need a dictionary file to start cracking; a small password list is included with John the Ripper.
This file is located at: /usr/share/john/password.lst
Crack the password with the file created earlier by typing:
sander@linuxsource:~# john --wordlist=/usr/share/john/password.lst /root/sanders-password
The cracking starts and shows the output:
Created directory: /root/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
qwerty           (sander)
1g 0:00:00:20 DONE (2017-01-05 22:07) 0.04992g/s 177.0p/s 357.2c/s 357.2C/s paagal..sss
Use the "--show" option to display all of the cracked passwords reliably
Session completed
When it's complete, you can use the following command to show a list of cracked passwords:
sander@linuxsource:~# john --show /root/sanders-password
sander:qwerty:1000:1002::/home/sander:/bin/bash

1 password hash cracked, 1 left
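As an added example (not part of the original tutorial and not a John the Ripper command), the shell script below reimplements the passwd/shadow join that unshadow performs, using only awk on constructed sample lines, and then reports which hash algorithm each account uses. That second step is the check a defender would run on a real system before worrying about wordlists: an account whose hash still starts with $1$ (md5crypt) falls to a dictionary attack far faster than one on $6$ (sha512crypt), and locked accounts (*, !) need no attention at all. The user names, hash strings and the function names unshadow_merge and audit_hash_types are all constructed for this example.

```shell
#!/bin/sh
# Added example: an awk reimplementation of the join `unshadow` performs,
# plus a per-account hash-algorithm audit of the merged file.
# Everything below is constructed sample data, not real credentials.

# Constructed sample /etc/passwd entries (password field is the 'x' placeholder).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sander:x:1000:1002::/home/sander:/bin/bash
legacy:x:1001:1001::/home/legacy:/bin/sh'

# Constructed sample /etc/shadow entries. The hashes are placeholders shaped
# like crypt(3) output: $6$ = sha512crypt, $1$ = md5crypt, * = locked.
SAMPLE_SHADOW='root:*:17536:0:99999:7:::
sander:$6$saltsalt$PLACEHOLDERHASHsha512:17536:0:99999:7:::
legacy:$1$saltsalt$PLACEHOLDERHASHmd5:17536:0:99999:7:::'

# unshadow_merge PASSWD_FILE SHADOW_FILE
# Prints each passwd line with the 'x' placeholder replaced by the hash from
# shadow, which is the line format john expects (same as `unshadow passwd shadow`).
unshadow_merge() {
    awk -F: 'BEGIN { OFS = ":" }
        # First file read is shadow: remember the hash for each user.
        NR == FNR { hash[$1] = $2; next }
        # Second file is passwd: substitute the hash when the user is known.
        { if ($1 in hash) $2 = hash[$1]; print }' "$2" "$1"
}

# audit_hash_types MERGED_FILE
# Prints "user algorithm" per account so weak or legacy hashes stand out.
audit_hash_types() {
    awk -F: '{
        h = $2
        if (h == "" || h == "*" || h ~ /^!/) alg = "locked"
        else if (h ~ /^\$6\$/) alg = "sha512crypt"
        else if (h ~ /^\$5\$/) alg = "sha256crypt"
        else if (h ~ /^\$y\$/) alg = "yescrypt"
        else if (h ~ /^\$1\$/) alg = "md5crypt"
        else alg = "unknown"
        print $1, alg
    }' "$1"
}

# Stand-alone demo: write the constructed samples to a temp dir and run both steps.
work=$(mktemp -d)
printf '%s\n' "$SAMPLE_PASSWD" > "$work/passwd"
printf '%s\n' "$SAMPLE_SHADOW" > "$work/shadow"
unshadow_merge "$work/passwd" "$work/shadow" > "$work/merged"
echo "merged file (john input format):"
cat "$work/merged"
echo "hash algorithm per account:"
audit_hash_types "$work/merged"
rm -rf "$work"
```

On a live system you would run the two functions on /etc/passwd and /etc/shadow as root, and the audit alone (no cracking needed) tells you which accounts should be forced through a password change so that their hashes are regenerated with the current algorithm.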