Time
18 minutes
Difficulty
Intermediate

Video Transcription

00:02
Thank you.
00:03
Hello, everyone. And welcome to the inaugural Breaking Stuff with Joe video. I'm your instructor, the eponymous Joe Perry. For those who don't already know me, I'm the director of research here at Cybrary, which means that my spectacular day job is to get to come in here and perform research to help build on the cybersecurity knowledge base and then also to provide training and information
00:22
to do professionals or to experienced professionals
00:24
to help build their careers in the world of cyber security. This video today is gonna be about a tool called John the Ripper. If you don't already know, John the Ripper is a spectacularly powerful password cracking tool. It's used mostly by pen testers, but it's got a ton of use throughout the cybersecurity world. If you're a pen tester, this sort of thing
00:41
you might use to crack passwords on your target system, or even just to identify
00:45
whether or not their passwords are sufficiently secure. Perhaps you're looking to see if they've implemented a secure, secure password policy, and if they have, you might be looking to see, have people actually used it correctly? This tool is gonna be able to crack basic weak passwords in seconds, it's gonna be able to crack common passwords in a matter of minutes.
01:02
And theoretically, any password could be cracked given enough time.
01:06
But as I said, John the Ripper is just a really useful... It's sort of the gold standard in password cracking. So we're going to spend the next about 15 to 30 minutes just talking about that tool and getting as familiar with it as we can. Over the course of this video, I've got three specific subjects we're gonna cover. We're gonna talk about the /etc/passwd and /etc/shadow files, understanding exactly what those are and how they work together.
01:26
And how John the Ripper uses those to crack passwords
01:29
Then we're gonna actually install and use John the Ripper from 0 to 100. We're gonna do the entire process of pulling it down and cracking passwords. And finally, we're gonna spend a little bit of time talking about the different modes and the ways that you can extend John the Ripper's usage and be able to actually use it for even more complex and difficult passwords than it can handle by default.
01:47
So those are gonna be our primary objectives for the course of this video. As I said, it's gonna be about a 15 to 30 minutes long video. I'm very, very excited to have you all here. I do want to say this is a video that's targeted a little bit more towards people who have the basic knowledge of cybersecurity already down. This isn't really an intro video. It's intro to the tool. I'll teach you the whole process of installing and using it.
02:07
But if you're uncomfortable with your cybersecurity knowledge,
02:09
it may be best to do a little bit of brushing up on that before you dig into here. This video's gonna be targeting reasonably experienced IT professionals and cyber security professionals who are looking to build knowledge of pen testing, or for people who are already pen testers who may not be familiar with or may not remember all the uses of John the Ripper.
02:27
So that's our target audience. Those are our objectives. I'm your instructor,
02:30
and I look forward to seeing you here in Cybrary's Breaking Stuff with Joe.
02:36
So, as I said, the first learning objective for this course is understanding the two files that are gonna be really key to making John the Ripper actually function against our Ubuntu target. So those two files are the two files that govern users and password policies: that's gonna be /etc/passwd and /etc/shadow. Now, despite its name, /etc/passwd isn't actually where your password is stored.
02:55
Instead, it contains all of your user information.
02:58
So here we see the first entry into this field is your actual user name. On this particular VM, my user name is just perry. Next to that you're gonna see there's the letter x, and pretty much every entry in your passwd file is gonna have an x, and that indicates that the password is not stored here. That's the indication to the operating system
03:15
to go looking in the /etc/shadow file for your password.
03:20
Next, you're gonna have your user ID. In my case, that's 1000 because I'm the first user made on this machine, I'm gonna admit all that sort of thing. And of course, my group ID is also 1000 because I wasn't added to any special groups.
03:30
And then you're gonna have your full name. Now, for this VM, I just put my full name as being Perry. You can see there's some commas there as it tried to automatically fill in my middle and last names; that didn't quite work out. Totally okay, but that's where your full name is gonna be. And then you've got your home directory. In most cases, your home directory is going to be your user name just inside of the home parent directory.
03:50
And then you're going to have your login shell. Your login shell is whatever
03:53
Ubuntu shell, or Ubuntu command terminal, is designed, is intended to be turned on when you first log into the system. So when you first boot into, you know, your Ubuntu machine,
04:04
for my case, it's gonna be /bin/bash that comes up. That's the case for most users. There are some special cases where that may not happen, but that's gonna be the case for most of them.
04:14
So that's what the /etc/passwd entry looks like. Again, that's just your user information. And all of those fields are actually going to be relevant to John the Ripper for reasons we're gonna discuss here in just a couple of minutes. Before we do that, we're gonna look at the /etc/shadow for... the /etc/shadow file, rather. Now, here you can see the entry looks a little bit different. You still have my user name.
04:31
But next to that, you're gonna have this entry here. Now, the hash in brackets is actually not what is in the file.
04:38
The reason why I did this is because a SHA-512 hash is very, very long and doesn't show up very well on a screen for a presentation like this one. That said, next to that, you've got the, uh, the six prepended and appended with dollar signs. That is the indicator to your operating system that this particular hash is a SHA-512 hash.
04:58
Next you're gonna have, over here, uh, 17931. In my case, that's... well, in all cases, that is the number of days since your password has changed. The reason why that number is so long in my case, or so large in my case, is because my password's never actually been changed. In the case when your password has not been changed since your account was created,
05:16
it's just counting the number of days since January, July the
05:20
30th 1970, maybe January. Whatever the date of the epoch is, I should know that off the top of my head, but I'm spacing, I guess. Next to that, you're gonna have the number of days
05:32
until you are allowed to change your password. This is pretty often going to be zero. Very rarely do password policies exist that say you're not allowed to change your password regularly. There might be specific cases where you can't for whatever reason, but I'd say
05:47
conservatively, 90% of the time, 99% of the time even, that's gonna be a zero. Next to that, you have the number of days until your password change is mandatory. Five nines indicates not actually that it is 108,999 days; instead, it indicates that your password is not required to be changed on any specific interval
06:08
on my VM. I haven't set up that way. Obviously, for a lot of organizations, you're gonna have specific password policies in place,
06:14
which will mean that you're gonna have a different number here
06:16
Next to that one, you have the number of days of warning. So that seven there indicates that one week before my password expires, the operating system will start warning me about my password's imminent expiration. There are actually two more fields to the right of this number that are showing up here because I don't have them in my shadow file because they're not terribly important.
06:35
One of them is the number of days
06:38
after the password expires that the user can still log in to change it. So if your password expires today and you have 10 in that field 10 days from now, you can still log in and change your password so that your account doesn't expire. If you cross that threshold, your account expires and an administrator has to unlock it
06:55
next to that, the last digit there. The last entry that would be in this file would be the number of days that a specific account has been expired.
07:01
That's just keeping track of how long it's been since your account expired for administrative information, that sort of thing.
07:08
So that's our /etc/passwd and /etc/shadow files. Those two files together contain the vast majority of our user information and our password policy information. So those are the files that obviously we're gonna want to target with John the Ripper.
07:21
All right, so now that we're in our VM, I'm just gonna go ahead and unlock this real fast: my extremely secure four-character password that we're actually getting ready to break in just a couple of minutes. Uh, now, obviously, to use a tool like John the Ripper, or really any tool in the world, first you're gonna have to download it,
07:36
Not even in your operating system That can be challenging. John the Ripper is a tool that's often just distributed source code.
07:43
that you actually compile and make yourself. Fortunately, Ubuntu doesn't have that problem. It's actually already been added to the app store, which means that to add John the Ripper to our system, we just need to do sudo apt install
07:55
john,
07:56
and it's gonna take just a couple of seconds to load that up. It's not a very big tool. Doesn't take terribly long to load. Once that's done, we could... Once that's done, we can verify that john exists just by invoking the command and seeing the help pop up.
08:07
Fantastic. We now have John the Ripper on this system, we're ready to get cracking on some passwords.
08:13
Now, the first thing that we need to do for that is we need to create the file that John the Ripper can interpret. The reason why we needed to talk about /etc/passwd and /etc/shadow is because John the Ripper needs both of those files, but you need, but it needs them to be combined in order to be used.
08:28
Fortunately, John the Ripper does include an excellent utility that'll do that work for us. However, to use that, we do need to be acting as root. So instead of just running sudo for that command, what we need to do is actually use sudo -i to drop ourselves into an interactive root shell. For those who don't already know, the reason why we need to be root
08:46
is because only root can access the /etc/shadow
08:48
and passwd files. So now we have root and we're going to use the utility unshadow, and then we're gonna pass it /etc/passwd, which goes first, and /etc/shadow second,
09:01
and then we're going to pipe that in
09:07
to our folder. Now, your folder probably isn't going to be exactly the same as mine. If you're using perry as the user name on your VM, you're being extremely literal in following the instructions. But that is OK, I guess. You know, whatever it takes to make sure that you have what you need to do. So we have, inside of this Breaking Stuff with Joe folder, I have a John lesson already created. What?
09:26
And I'm gonna pipe that into pwds.txt. And you see, it executes pretty much instantly. It's not a very heavy lift to take care of that. Then we're just real quickly gonna change the permissions on that, because we created it as user... as the root user, rather, we need to give permissions to others to access it. So we can use the mode 1666
09:48
Wrong file home. Perry documents.
09:56
There we go. And now that we've finished creating our file and giving the permissions, we're gonna need to use it correctly. We're gonna drop out of the shell because there's nothing worse than running around as root if you don't need to. I suppose thermonuclear war would probably be worse, but don't cause that either. All right, so now we're back in our folder. We see we have two files here. The passwords dot text we just created.
10:15
And this other file, 100k passwords dot text,
10:16
which we will talk about in just a minute. So now that we've got the file down, we've unshadowed it, and we can look at it real quick if we want to, just with less, and see what it looks like. Here you can see that it's a combination... if I could make it work. There. Here you can see it's a combination of passwd and shadow
10:35
where instead of just having an x, it's actually got an asterisk for all the accounts that don't have passwords.
10:39
And then the accounts that do have passwords have their hashes stored.
10:43
So we've got it. It exists. We created it. Fantastic. How do we get rid of those pass... How do we break them? Well, we're gonna run the utility, john, and we're just gonna give it the file name and let it run. Now you can see it's loading three password hashes with three different salts. There's one hash remaining, which we're actually not going to give it time to break just yet.
11:00
The reason for that is because we're gonna actually find that in our word list here in just a minute.
11:03
Now, the first two passwords that it cracked, we could easily find just by typing john --show, and it's gonna be pwds.txt. Now, those passwords are actually stored in a .pot, or a dot pot, file, which is not really human readable. That's an internal file type that John the Ripper makes use of. So you don't really need to go hunting for that. Just use the --show command
11:24
and you'll see we have two cracked passwords. We have perry, which is my user name, and then my terribly, terribly secure password, pass. We have the second account. The user name is all asterisks, and the password is hunter2. That is a very, very stupid joke that it's totally okay if you don't get.
11:39
Now we've cracked these two passwords. That happened extremely fast. The reason it happened very quickly with the first one
11:46
is because John the Ripper's first mode, the first of the three modes we're gonna talk about, is a mode called single crack. And what that does is it identifies very commonly used methods for creating passwords. So first, obviously, it does all the variations on the word password. It does replacing letters with characters, with numbers. We call... They call that mangling,
12:05
which is a phenomenal name for it.
12:07
They replace, you know, for example, the letter A with the at sign, they capitalize the letters semi-randomly, they go through all the potential variations of password that still look most like the word password, which is why pass was caught instantaneously. Then the second mode that it's gonna go into... the other things... Actually, before I go that far, the other things that it's going to draw from,
12:26
where it's gonna look for the different passwords in the single crack mode,
12:31
it's gonna look at your user name. If your user name and password are the same thing, it's gonna crack that instantly, less than a second. If your username, or if your password is based on your home directory, if it's based on your full name, or if it's based on your login shell. All of those are things that it is going to check in single crack mode before it even touches a wordlist or attempts any other type of cracking.
12:50
Single crack mode is extremely, extremely fast.
12:52
It's generally done in its executions inside of 30 seconds at the very far end, and you're usually going to. If someone's password falls under that sort of heading, you're going to crack it very quickly, very easily.
13:03
Sometimes, however, that mode doesn't work very quickly. The file, or the password that it also cracked right next to it, the hunter2, the reason why it broke that so quickly is because I was actually testing this out with the word list to make sure everything was gonna work, and that information is actually stored in configuration files to make it a little bit faster and a little bit easier under the hood.
13:22
That said... or it's stored in the .pot file, rather than configuration files. That said, for the third password, that one's gonna be a little bit tougher to crack. Uh, what we can do is we can pull up a word list, and wordlist-based cracking is essentially using a giant dictionary of common passwords. The one that you saw earlier, this 100k passwords dot text,
13:43
I just pulled down from GitHub with wget.
13:46
It's just going. It's 100,000 of the most common passwords in order, ranked in order of use. So obviously you know your top. You're gonna be things like password or various curse words. A couple of really common names, things like that.
14:00
And so you're able to put that word list into John the Ripper, and it will be able to make use of that file in cracking these passwords to see if any of those match. And it's going to do that by actually computing the appropriate hash for each of those words and comparing that hash against the hashes that it's received.
14:16
Once that's done, if that has failed to crack your password, John the Ripper is going to try what they call incremental mode. Now, incremental mode is the slowest but most surefire way of cracking a password. You likely know it as brute forcing. What you're gonna do with incremental mode is, it's actually gonna try every single possible combination
14:35
of binary digits until such time as it gets the password that it's looking for.
14:39
This is an intensely slow process in a lot of cases, and the obvious reason for that is because it's trying every possible combination. And theoretically, there are an infinite number of combinations. Now, some clever programming and some commonly applied logic can take forever and make it a very short period of time. I've seen incremental mode crack passwords in a matter of hours.
14:58
Occasionally, I've had to leave it running for days or even a couple of weeks.
15:01
Generally speaking, though, if your only target, if the system you're targeting, you can't get access until you've gone a week or more in incremental mode, it's safe to say that is a reasonably secure system. And unless you have an absolutely excellent reason to keep trying, you can generally say that those passwords are secure and either go back to your customer, go back to whoever you're pen testing, and say
15:20
no, we're good to go. Your passwords are fine.
15:24
Most of the time you're gonna crack something with the single crack mode or with your word list. The vast majority of cases, you're going to get a hit on one of those. So we've got our wordlist. We have one password in this list which is apparently too hard for John to crack in single crack mode. So what we're gonna do now is we're gonna tell him, try using this instead.
15:43
And we can see how we're gonna give John
15:45
that instructions with help.
15:50
Just type John. Then it's gonna be difficult
15:52
We can go through. This is slightly rough to read just because of the fact that the size of the font that I'm using could mess with formatting.
16:00
Here we go.
16:00
Perfect. --wordlist=FILE. Now, the FILE here is obviously gonna be your variable argument; in this case it's gonna be the name of that file. But before I run that, the reason I wanted to pull this up is to show you this command right underneath it: --rules. When I talked about word mangling, or name mangling, earlier, --rules is the command to apply mangling to your word list.
16:21
Now, that can make the word list execute extremely slowly compared to just running through the words.
16:26
But it also means you're much more likely to get your target because of the fact that a lot of people are going to use one of these common passwords, but with some mangling implemented so rules can slow down your search. But it will also cast a much wider net and give you a better chance of success.
16:41
So we're gonna go ahead. We're gonna run john
16:45
Word list equals
16:47
100 k.
16:49
Now, I can remember the exact name of the file.
16:52
There you go, John.
16:53
Word list
16:56
equals 100 k
16:59
pwds dot txt.
17:02
And we're gonna go ahead and implement the rules
17:07
pwds
17:07
dot txt, and we're gonna start this running now. Now, this actually can take a very long time. So we're gonna go ahead. We're gonna skip forward in the video a little bit, so you don't have to sit here with me while I'm waiting.
17:21
All right, and we are back now. You can see there's a little bit more text on the screen than when I left, when we did that cross dissolve. That's because once it found the password, it went ahead and printed it out for us. It didn't take terribly long. Just a couple of minutes of dead air while I was waiting for that. Now we can go ahead and, just the same way we did before, we can use john --show
17:41
and then give it the file that we're referencing,
17:44
and you see, here we now have three passwords cracked. We have the original that we saw, the other one that was saved in the .pot information. And then, of course, we have Carson with the password of Eagles. He should really know better than to use that password.
17:56
So there you have it. That's John the Ripper. Now the third mode that does exist and I'm not going to show you here because it could take an incredibly long period of time is incremental. We're not going to spend any time on that, just because again it could take weeks or even on the order of months. In some cases, that said, That's John the Ripper. That's how this tool works. That's what it does. It's a really spectacularly powerful tool.
18:17
I'm a huge fan of it myself, and I've used it many, many times.
18:19
I am gonna recommend, if you want to learn more, you check out Openwall. That is actually the... the organization that maintains John the Ripper, which is just spectacular, and I'm a huge fan of. So, by all means, check out our supplemental material on the side, as well as going out to that website and checking out some of their tutorials.
18:38
As always, I have been your instructor, Joe Perry, and it has been my absolute pleasure
18:42
to tell you about John the Ripper here on breaking stuff with Joe. Thanks. And we'll see you again next time.

How to Use John the Ripper (BSWJ)

John the Ripper is quite possibly the most famous password-cracking tool in the world. It's capable of incremental (brute-force) attacks, dictionary attacks, and "single-crack" mode, a technique which exploits common password flaws.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc