Lab 10 - John the Ripper

Introduction

John the Ripper is a password-cracking tool that can perform dictionary (wordlist), hybrid (wordlist with mangling rules), and brute-force (incremental) attacks. There are also versions that can distribute the work across several machines. You will use John the Ripper to try to recover the passwords behind the hashes you captured in the previous lab. Note that a hash is not "deciphered": John guesses candidate passwords, hashes each one with the same algorithm and salt as the stored hash, and reports a match when the results are equal.

Lab Goals

After completing this lab, you will be able to

  1. Use John the Ripper to crack passwords.

Setup

You should have finished the previous lab and have a file with the hashes named MetaHashes.txt on your desktop.

Lab Steps

  1. Open a terminal.
  2. At the command prompt, type man john. This will access the manual for John the Ripper.

On the desktop you should have a file called MetaHashes.txt. These are the hashes for passwords on the Metasploitable machine. It is a dump of the /etc/shadow file. Let’s view the hashes.

  1. In a Terminal window, type nano /root/Desktop/MetaHashes.txt.

    1. How many password hashes do you see in the list? (Don't count the accounts whose password field is * or !; those accounts are locked and have no hash to attack. Count only the entries with long hash values, the fields that begin with $.)
  2. Press CTRL-X to exit nano.

  3. Type john --test >/root/Desktop/johntest.txt. This command sends the output to a text file so you can view it later. It will take a few minutes to complete.

  4. When it is done, right-click the file on the desktop and open it with Leafpad. This will allow you to scroll up and down. The output will show you the number of crypts per second (c/s).
    1. How many raw crypts per second will your machine do for FreeBSD MD5? John abbreviates thousands as K (for example, 12345K c/s means about 12,345,000 crypts per second), so multiply by 1,000, not 1,024, to get the raw figure. This MD5-based crypt is deliberately iterated to be slow, so expect a number far below what a raw MD5 benchmark would show.

Now you will run John the Ripper against the hashes using only its built-in wordlist. The wordlist, password.lst, is in the /usr/share/john directory. Take a look at it before using it; the command less shows the contents of a file one page at a time.

  1. At the command line, type cd /usr/share/john.

  2. At the command line, type less password.lst.

    1. Look through the list.
    2. Do you see any passwords that are on the Linux server?
    3. Do you see any passwords that you have used before on other computers?
  3. Quit less.
  4. To use only the dictionary to attack the hashes, type the following: john --wordlist=password.lst /root/Desktop/MetaHashes.txt

    1. How many password hashes were loaded?
    2. What type of hash did it detect? (It should be one of the hashing methods listed in the test done earlier. The Metasploitable shadow file uses the MD5-based crypt, which John reports as FreeBSD MD5 or md5crypt depending on the version.)
    3. How many passwords did it find?
    4. How long did it take?

Now try a hybrid attack and see what you find. To do that, add the --rules option, which tells John to mangle each wordlist entry (capitalise it, append digits, reverse it, and so on) and try the variants as well. You first have to delete the john.pot file: John records every cracked hash there and silently skips those hashes on later runs, so without deleting it the hybrid run would only report the passwords the plain dictionary missed. Write down the passwords found so far before you delete it; they are lost with the file.

  1. At the command line, type rm /root/.john/john.pot. Note that the discovered passwords go into a hidden directory, .john, in the /root folder (John is running as root here; for any other user the directory is under that user's home).

  2. Type john --wordlist=password.lst --rules /root/Desktop/MetaHashes.txt. (John accepts either = or : between an option and its value, so --wordlist:password.lst also works.)

    1. How many passwords did it find?
    2. How long did it take?

Now you will launch a combination attack. With no options, John runs its cracking modes in order: "single crack" mode first (guesses built from the account name and other fields in the hash file), then the wordlist with rules (the dictionary and hybrid attacks you just ran), and finally incremental mode, the brute-force search, which continues until every combination has been tried or you stop it. This is John the Ripper's default behaviour, so you will use no switches.

  1. At the command line, type rm /root/.john/john.pot.

  2. Type john /root/Desktop/MetaHashes.txt. (While John the Ripper is running, press ENTER and it prints a status line: the number of guesses so far, the time elapsed since it started, the crypts per second, and the candidate range it is currently trying, which tells you how far into the brute-force search it is. Let John the Ripper run for about ten minutes to see whether it finds any more passwords.)

    1. To see how long John the Ripper has been running and the calculations per second it has processed, press ENTER.
    2. How many passwords did John the Ripper find at the end of ten minutes?
  3. To stop John the Ripper, press CTRL-C. John saves its progress in a session file (john.rec in /root/.john) when it is interrupted, so an unfinished run can be resumed later rather than restarted from scratch (see the --restore option in man john).
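The following script is added here as an illustration; it is not part of the lab and not code from John the Ripper. In plain sh it shows what three of the steps above are doing: counting the loadable hashes in a shadow dump and identifying the hash type from its $id$ prefix (the questions after viewing MetaHashes.txt and after the dictionary attack), a much-simplified version of the word mangling that --rules performs (the hybrid attack), and the join of john.pot back to the shadow file that produces the user:password list you turn in at the end (what john --show does for you). The file names mirror the lab's, but every shadow line, hash, wordlist entry and pot entry is constructed for the example; they are not the Metasploitable hashes and will not crack to anything.

```shell
#!/bin/sh
# Added example, not part of the lab or of John the Ripper. All hashes,
# usernames, wordlist entries and pot entries below are constructed.

# Classify a shadow password field by its crypt(3) prefix. Metasploitable's
# /etc/shadow uses $1$ (md5crypt), which John reports as "FreeBSD MD5".
hash_type() {
    case "$1" in
        '$1$'*)                   echo "md5crypt (FreeBSD MD5)" ;;
        '$5$'*)                   echo "sha256crypt" ;;
        '$6$'*)                   echo "sha512crypt" ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo "bcrypt" ;;
        '$y$'*)                   echo "yescrypt" ;;
        ''|'*'|'!'*)              echo "locked/no password" ;;
        *)                        echo "other" ;;
    esac
}

# Count the accounts John can actually load: password field starts with '$'.
# Lines with '*' or '!' carry no hash, which is why the lab says not to count them.
count_crackable() {
    awk -F: '$2 ~ /^\$/ { n++ } END { print n + 0 }' "$1"
}

# A much-simplified stand-in for what --rules does to one wordlist entry.
# John's real [List.Rules:Wordlist] section in john.conf is far richer.
mangle() {
    printf '%s\n' "$1" | awk '{
        w = $0
        print w                                      # as-is
        print toupper(substr(w, 1, 1)) substr(w, 2)  # Capitalised
        print toupper(w)                             # UPPER CASE
        r = ""; for (i = length(w); i > 0; i--) r = r substr(w, i, 1)
        print r                                      # reversed
        for (d = 0; d <= 9; d++) print w d           # one digit appended
        print w "123"; print w "!"                   # common suffixes
    }'
}

# Apply mangle to a whole wordlist and drop duplicate candidates.
mangle_wordlist() {
    while IFS= read -r w; do mangle "$w"; done < "$1" | awk '!seen[$0]++'
}

# Join john.pot (hash:plaintext) back to the shadow file, giving user:password.
# The plaintext is everything after the first ':' so passwords containing ':'
# survive; keying on FILENAME (not the NR==FNR idiom) keeps an empty pot file
# from being mistaken for the shadow file.
show_cracked() {   # $1 = shadow file, $2 = pot file
    awk -F: 'FILENAME == ARGV[1] { pw[$1] = substr($0, length($1) + 2); next }
             ($2 in pw) { print $1 ":" pw[$2] }' "$2" "$1"
}

# Constructed sample input in the lab's file layout.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/MetaHashes.txt" <<'EOF'
root:$1$aaaaaaaa$AAAAAAAAAAAAAAAAAAAAAA:14684:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
msfadmin:$1$bbbbbbbb$BBBBBBBBBBBBBBBBBBBBBB:14684:0:99999:7:::
user:$1$cccccccc$CCCCCCCCCCCCCCCCCCCCCC:14684:0:99999:7:::
sys:!:14684:0:99999:7:::
EOF
printf 'password\nletmein\nqwerty\n' > "$TMP/password.lst"
# What john.pot would hold after two of the three hashes were cracked (constructed).
cat > "$TMP/john.pot" <<'EOF'
$1$bbbbbbbb$BBBBBBBBBBBBBBBBBBBBBB:s3cret
$1$cccccccc$CCCCCCCCCCCCCCCCCCCCCC:pass:word
EOF

echo "crackable hashes: $(count_crackable "$TMP/MetaHashes.txt")"
echo "hash type: $(hash_type '$1$bbbbbbbb$BBBBBBBBBBBBBBBBBBBBBB')"
echo "hybrid candidates from 3 words: $(mangle_wordlist "$TMP/password.lst" | wc -l)"
echo "cracked (user:password):"
show_cracked "$TMP/MetaHashes.txt" "$TMP/john.pot"
```

Run it with sh. On the real lab files the equivalents are john --show against /root/.john/john.pot and John's own rules in /usr/share/john/john.conf; the script only makes visible what those do, so you can see why locked accounts are not counted, why a short wordlist grows many times over under rules, and why deleting john.pot throws away the mapping from hash to plaintext.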

Show Me

Turn in the usernames and passwords that you were able to crack.

AdvancedNetworkSecurity/Labs/Lab10 (last edited 2019-04-11 15:41:53 by scot)