
Cracking Passwords with John the Ripper

John the Ripper is a general purpose password cracking application:

John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.

Version 1.7 of John was announced on February 9 by Solar Designer: "John the Ripper became a lot faster, primarily at DES-based hashes. This is possible due to the use of better algorithms (bringing more inherent parallelism of trying multiple candidate passwords down to processor instruction level), better optimized code, and new hardware capabilities (such as AltiVec available on PowerPC G4 and G5 processors)." This is the first release that is not considered a development snapshot. Version 1.7 of John also adds better use of x86 MMX hardware, improved vectorization support, an event logging framework, new build targets, and more.

Compiling a working version of John was a simple matter of downloading the source code, reading the installation documentation, and running a make command with the specified computer architecture. The passwd file and shadow file, with the password hashes, were combined into a working password file using the supplied unshadow command. John was then run with the unshadowed password file. Cracking is a compute-intensive operation, so it is advisable to run John on the fastest system you have access to and to import password files to that machine.
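The merge step described above, as an added example that is not part of the original article and is not John's own unshadow source: a simplified Python sketch of what the combined file looks like, plus a check of which accounts actually carry a hash worth testing. The function names (`unshadow`, `classify`, `audit_targets`) and the sample accounts other than gvuser are hypothetical, and every hash string is a constructed placeholder.

```python
import re

# Constructed sample input: hash strings are placeholders, not real hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
gvuser:x:1000:1000:Default user:/home/gvuser:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""
SHADOW = """\
root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:13190:0:99999:7:::
daemon:*:13190:0:99999:7:::
gvuser:abCCCCCCCCCCC:13190:0:99999:7:::
alice:!$1$saltsalt$BBBBBBBBBBBBBBBBBBBBBB:13190:0:99999:7:::
"""

# crypt(3) scheme markers; traditional DES has no prefix, only a 13-char shape.
PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
            "$2y$": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}
DES_SHAPE = re.compile(r"^[./0-9A-Za-z]{13}$")

def unshadow(passwd_text, shadow_text):
    """Put each account's shadow hash back into field 2 of its passwd line."""
    hashes = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed or blank lines
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged

def classify(field):
    """Name the hash scheme, or say why there is nothing to test."""
    if field == "":
        return "empty"      # account has no password at all
    if field[0] in "*!":
        return "locked"     # login disabled; not a usable hash
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "descrypt" if DES_SHAPE.match(field) else "unknown"

def audit_targets(merged):
    """Map login name -> scheme for every line of the merged file."""
    return {l.split(":")[0]: classify(l.split(":")[1]) for l in merged}
```

Accounts reported as `descrypt` are the DES-based hashes the 1.7 announcement says became much faster to test, so they are the first ones to move to a stronger scheme or a stronger password.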

I did a test run of John on my new 3GHz Athlon 64 Lini box; it quickly spit out the default password for the default gvuser account, then proceeded to crank heavily (near 100% CPU utilization) for a long time with no further output. John had amassed nearly an hour of CPU time by the time I finished this article.

John should be considered an important utility for any systems administrator's collection of tools. It found a weak password on my system (since changed) and will be useful for testing other password files for weak points. Administrators with Internet-exposed or otherwise accessible machines would be advised to give this handy utility a spin.



Cracking Passwords with John the Ripper

Posted Feb 16, 2006 3:29 UTC (Thu) by primorec (guest, #2740) [Link] (6 responses)

I have no idea what I am doing wrong. Or in other words, I am not able to download the source code of the package. I've tried to download it from the original site (http://www.openwall.com/john/) and from a randomly picked mirror (ftp://ftp.se.openwall.com/pub/ (Sweden)) using a browser and/or using CLI ftp.

The result was the same in both cases. The download was not successful. All I got on the screen was:

ftp> get john-1.7.tar.bz2
local: john-1.7.tar.bz2 remote: john-1.7.tar.bz2
227 Entering Passive Mode
150 Opening BINARY mode data connection for john-1.7.tar.bz2 (688774 bytes).
550-Transfer failed. The file john-1.7.tar.bz2 is infected with the virus Misc/JohnRipper. File quarantined as 1a13131f.john-1.7.tar.bz2.
550 *
ftp> pwd
257 "/pub/projects/john"
ftp> dir
227 Entering Passive Mode
150 Here comes the directory listing.
drwxr-xr-x 10 ftp ftp 4096 Feb 07 16:55 contrib
drwxr-xr-x 2 ftp ftp 4096 Jan 26 18:21 historical
-rw-r--r-- 1 ftp ftp 688774 Jan 12 04:33 john-1.7.tar.bz2
-rw-r--r-- 1 ftp ftp 331 Jan 26 18:16 john-1.7.tar.bz2.sign
-rw-r--r-- 1 ftp ftp 799235 Jan 12 04:33 john-1.7.tar.gz
-rw-r--r-- 1 ftp ftp 331 Jan 26 18:16 john-1.7.tar.gz.sign
-rw-r--r-- 1 ftp ftp 331 Jan 26 18:16 john-17d.sig
-rw-r--r-- 1 ftp ftp 914476 Jan 12 04:33 john-17d.zip
-rw-r--r-- 1 ftp ftp 331 Jan 26 18:16 john-17w.sig
-rw-r--r-- 1 ftp ftp 1390684 Jan 12 04:33 john-17w.zip
226 Directory send OK.

Security tools considered harmful

Posted Feb 16, 2006 4:04 UTC (Thu) by xoddam (subscriber, #2322) [Link] (5 responses)

It's not you, it's your virus-scanning ftp proxy. Someone thinks
security tools are bad for you. Do you have the same problem when you
use http instead? If not, or if you can simply use ftp without the
proxy, fine. If you can't go around it (your firewall blocks or diverts
all outgoing ftp transactions), you'll have to bring it in from
elsewhere.

Security tools considered harmful

Posted Feb 16, 2006 4:41 UTC (Thu) by primorec (guest, #2740) [Link]

> It's not you, it's your virus-scanning ftp proxy.

Very likely.. yes... I was behind the company firewall (and all other thingies)

> Someone thinks security tools are bad for you.

;-)

> Do you have the same problem when you use http instead?

yes

> If not, or if you can simply use ftp without the
> proxy, fine. If you can't go around it (your firewall blocks or diverts
> all outgoing ftp transactions), you'll have to bring it in from
> elsewhere.

You were right! I've DL the file at home without a problem.

Thanks for the hint

Security tools considered harmful

Posted Feb 16, 2006 11:42 UTC (Thu) by nix (subscriber, #2304) [Link] (3 responses)

It's a nice example of how the word 'virus' is being bleached of any useful meaning, too. I can't see *any* definition of 'virus' which would include john (or libcrack, say); they're not malware at all.

If 'virus' equals 'security tool', then antivirus products are viruses! :)

Security tools considered harmful

Posted Feb 16, 2006 13:13 UTC (Thu) by The_Flatlander (guest, #19245) [Link] (2 responses)

>> I can't see *any* definition of 'virus' which would include john (or libcrack, say); they're not malware at all. <<

I agree with you, but it is possible that a copy of John could turn a small security lapse into a large one quite rapidly, so other than your sysadmins, you probably don't want anyone else having a copy of that. Moreover, if the anti-virus tool were scanning the stream, rather than just blocking the site, it seems quite likely (to the point of certainty) that some actual trojans or other malware programs contain some of the same routines. (It isn't a great leap to figure that malware writers might have misappropriated such code to their own nefarious purposes.)

The Flatlander

Security tools considered harmful

Posted Feb 16, 2006 23:33 UTC (Thu) by xorbe (guest, #3165) [Link] (1 responses)

And we all know that someone that knows how to download JohnTR and compile it and use it successfully, will be completely stumped by a proxy filter...

Security tools considered harmful

Posted Feb 18, 2006 19:39 UTC (Sat) by erwbgy (subscriber, #4104) [Link]

Indeed. Adding a few question marks on to the end of the URL often fools
them.

How fast is it?

Posted Feb 18, 2006 22:13 UTC (Sat) by kevinbsmith (guest, #4778) [Link] (1 responses)

In a little review like this, I would have appreciated if it would have included some really (really) rough benchmarks. Something like seeding the database with a weak password ("heaven37"), a better password that is still memorable by mortals (twinkle%celebrate22) and something even stronger. And then let the machine run for a while. Would each of these get cracked in 30 seconds, 30 hours, 30 days, or ???

I know it's hardware dependent, but even a very small sample like this, on one specific machine, would be useful information. I didn't see any benchmarks on the JtR site either.

Does anyone want to post some urls or take the time to produce some really crappy but interesting stats like these?

How fast is it?

Posted Mar 7, 2006 22:20 UTC (Tue) by barrygould (guest, #4774) [Link]

Last time I ran John (in 2005 on a Pentium M 1.6GHz, IIRC), even after 2 days it was unable to crack a file with only a few passwords in the form of a 6-char dictionary word + 2 digits.

I don't know if things are different today.

Some people have been recommending using abbreviations of phrases as passwords, e.g. arltr = "all roads lead to Rome", but if that becomes common, all it takes is a digital version of Bartlett's Familiar Quotations to break common phrases.
I guess movie quotes or song lyrics or something more obscure would be better.

Barry


Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.