Use a Password Cracking Utility in Linux

Learners will gain hands-on-experience preparing and conducting password audits using a Linux utility called John the Ripper (Johnny). This virtual lab makes up the fifth one in the Cybersecurity: Offensive Tools - Challenge Series. Lab exercises will include creating Linux users and passwords at various security levels, manipulating user accounts, permissions, and text files to verify password security and running attacks using the Linux utility.

Beginners who do not have any Linux experience can start right away with the lab. Participants will need to set aside a full 30 - 45 minutes to complete the virtual lab, as users will not be able to return to the lab mid-way. You can, however, attempt the lab more than once if needed. Learners enter commands in Terminal and use the John the Ripper general user interface (GUI) to complete tasks in Kali Linux.

Understanding password vulnerabilities and how to check for weak ones make for critical skills in many IT professions, including CyberDefense, CyberSecurity, and System Administrator roles. Enforcing good password creation and using a command-line interface to set up new accounts will give learners a fundamental skill in managing computer systems. Knowledge about unmasking passwords and setting up to test their strength, using Linux commands, will help develop troubleshooting and data quality testing skills. Finally, executing an attack with the Johnny application will inform beginners about the utility configuration, how to run and stop an attack, and how to view and interpret the results.

Understanding the Scenario:

You are a Linux systems administrator responsible for password security. You need to audit passwords to ensure that users are creating secure passwords. First, you create five local users in Linux, and then you configure passwords for the users. Next, you test the security of the passwords in Linux by using John the Ripper.

Create Users and Passwords in Linux:

In this section, you log into the lab's virtual Kali Linux machine. Then you use the 'useradd' and 'passwd' commands to create data for Johnny to test. You learn that creating a user and a password must be done separately, and password values remain hidden from view. You will need to do additional preparation, covered in the next section, to read and write password data.

Use John the Ripper:

This section has learners prepare password data for testing, using Linux command-line, by manipulating permissions, writing unmasked passwords, and feeding Johnny password values to use in its cracking attack.

Lab participants use an 'umask' command to read and write user account files. Since the previous lab module instructs learners to create new users and passwords, the learner becomes the owner of that data and can read and write passwords to a file.

After outputting the password data to a file, you use gedit, a Linux text application, to remove entries not applicable for the Johnny test. Then you extract a word list of common passwords that Johnny will use in its attack. You configure Johnny's settings to run the extracted word list against the document with the outputted password data. You learn to start and pause the attack using Johnny's GUI menu options.

As you view Johnny's results on the main screen, you see how the Linux VM has secured the passwords Passwords that Johnny cracks appear on the screen. Johnny takes a little under ten minutes to crack the four out of the five passwords. You can pause the program and move to the summary.

Summary:

You will learn to audit Linux passwords, using the Linux command interface, Terminal, and create and execute a penetration test. At the end of this lab, you will know how to:

• Create five user accounts with passwords that vary in quality.
• Prepare the Linux system and the Johnny utility to audit passwords.
• Conduct a penetration test.

When you have successfully finished this lab, you will be on track to complete the Cybersecurity: Offensive Tools - Challenge Series online labs. Also, you may wish to consider other Cybrary virtual labs to advance your batch scripting and penetration testing skills.