Use the John the Ripper tool to try to crack a Linux password

Source: Internet
Author: User
Tags hash root access kali linux

John differs from tools such as Hydra. Hydra performs a blind brute-force attack by trying username/password combinations against a service daemon, such as an FTP server or Telnet server. John, however, works on hashes, so the bigger challenge for hackers is to get the hash that needs to be cracked first. Today, hashes are easier to break using the free rainbow tables that are available online. Just go to one of the sites and submit the hash; if the hash is made from a common word, the site will almost immediately display the word. A rainbow table basically stores common words and their corresponding hashes in a large database. The larger the database, the more words are covered.

But if you want to crack the password locally on your own system, John is one of the good tools to try. John is among the top ten security tools for Kali Linux. On Ubuntu, it can be installed via the Synaptic Package Manager.

In this article I'll show you how to use the unshadow command, along with John, to crack a user's password on a Linux system. On Linux, the user name and password details are stored in the following two files.

The code is as follows:
/etc/passwd
/etc/shadow

The actual password hash is stored in /etc/shadow, and the file can be accessed as long as you have root access on the machine. So try to access the file on your own Linux system, or create a new user with a simple password first. I will create a new user named happy on my Linux system with a password of chess.

The code is as follows:
root@kali:~# adduser happy
Adding user 'happy' ...
Adding new group 'happy' (1001) ...
Adding new user 'happy' (1000) with group 'happy' ...
Creating home directory '/home/happy' ...
Copying files from '/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for happy
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
root@kali:~#

For ease of presentation, it's a good idea to use a simple password so you don't have to wait too long. Now that our new user has been created, we can crack the password.

The unshadow command basically combines the /etc/passwd data with the /etc/shadow data to create one file that contains the user name and password details. The usage is quite simple.

The code is as follows:
root@kali:~# unshadow
Usage: unshadow PASSWORD-FILE SHADOW-FILE
root@kali:~# unshadow /etc/passwd /etc/shadow > ~/file_to_crack

We redirect the output of the unshadow command to a new file named file_to_crack.
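The merge described above, followed by a check an administrator can run on the merged lines to see which accounts still use hash schemes that fall quickly to a cracker. This is an added example, not code from the original article or from John the Ripper; the account lines and hash strings are constructed placeholders, and the function names and the WEAK policy set are assumptions.

```python
# Added example. All account lines and hash strings are constructed placeholders.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
happy:x:1000:1001:,,,:/home/happy:/bin/bash
legacy:x:1001:1002::/home/legacy:/bin/sh
"""
SHADOW = """\
root:$6$CONSTRUCTED$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
happy:$1$CONSTRUC$placeholderhash:19000:0:99999:7:::
legacy:abCONSTRUCTED:19000:0:99999:7:::
"""
# crypt(3) "$id$" prefixes and the scheme each one selects.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"empty", "descrypt", "md5crypt"}  # assumption: this site's policy

def unshadow(passwd_text, shadow_text):
    """Same idea as unshadow: copy each shadow hash into passwd field 2."""
    hashes = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed passwd lines
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged

def scheme(hash_field):
    """Classify the hash field of one merged line."""
    if hash_field == "":
        return "empty"            # no password set at all
    if hash_field[0] in "*!":
        return "locked"           # no usable password hash
    if hash_field.startswith("$"):
        return SCHEMES.get(hash_field.split("$")[1], "unknown")
    return "descrypt" if len(hash_field) == 13 else "unknown"

def weak_accounts(merged):
    """Return (user, scheme) for accounts whose hashing scheme is in WEAK."""
    found = [(f[0], scheme(f[1])) for f in (l.split(":") for l in merged)]
    return [pair for pair in found if pair[1] in WEAK]

if __name__ == "__main__":
    for user, name in weak_accounts(unshadow(PASSWD, SHADOW)):
        print(f"{user}: {name} - rehash with a stronger scheme")
```
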

Steps

Let's take a look at the concrete steps. After a successful crack, the password is stored in john.pot (just the password):
1. Go into the /root/john-1.7.8/run directory and use John's unshadow tool to read /etc/shadow

The code is as follows:
./unshadow /etc/passwd /etc/shadow > /root/john-1.7.8/run/passwd.txt

E.g., the root user can also directly run cat /etc/shadow > /root/john-1.7.8/run/passwd.txt
2. First step: crack using single crack mode

Single crack mode targets users who use the account name as the password: it tries variants of the user name. The rules are defined in [List.Rules:Single] in john.conf.

The code is as follows:
./john --single passwd.txt

If the crack succeeds, you can view john.pot, or use:

The code is as follows:
./john --show passwd.txt    # view passwords and users

3. Second step: crack with wordlist mode
Wordlist mode is a relatively simple mode; you only need to determine where the dictionary file is. The john.conf configuration file has a default dictionary file, 'wordlist = $JOHN/password.lst', which is the password.lst file in the run directory. The wordlist mode rules are defined in the [List.Rules:Wordlist] section of john.conf, and below [List.Rules:Wordlist] there is also a [List.Rules:NT] section, which defines variation rules.

The code is as follows:
./john --wordlist=password.lst passwd.txt

Or

The code is as follows:
./john --wordlist=password.lst --rules passwd.txt

4. Fourth step: crack with incremental mode
Incremental is the most powerful mode. It exhaustively tries all combinations as candidate passwords, which is very time-consuming. The configuration file has sections such as [Incremental:All], [Incremental:Alpha], [Incremental:Digits], [Incremental:Alnum] and [Incremental:LanMan]. Each section name has a corresponding data file under run.

The code is as follows:
./john --incremental=all passwd.txt

5. Fifth step: crack with external mode
External mode allows users to write their own cracking mode in the C language; john.conf already comes with some cracking-mode programs.

Parameter explanation

--stdout        output the results to the screen
--restore       continue from the point where the last cracking run was interrupted; Ctrl+C interrupts execution and the current status is stored in a file named restore, and --restore reads the last interrupted position from restore and continues cracking
--session       set the name of the current log file
--make-charset  generate a character frequency table; it is built from the passwords already cracked and can be used in incremental mode
--show          show the passwords that have been cracked; because john.pot does not store account information, you should supply the relevant passwd file when using --show
--test          test the speed at which the machine performs the various types of password cracking
--users         crack only the password of a given account, specified by user name or UID; a leading '-' means do not crack that user's password
--groups        crack only the passwords of users in a given group; a leading '-' means do not crack the passwords of users in that group
--shells        crack only users that use a certain type of shell; a leading '-' means do not crack them
--salts         crack only salts with more passwords than count; a salt is the base unit that UNIX uses for password encoding
--format        the predefined password type to crack: DES/BSDI/MD5/BF/AFS/LM/
