John the Ripper was originally
developed for Unix operating systems but is now available for several operating
systems (“John the Ripper password cracker”) and is mostly written in C (“Openwall-John the Ripper”). John
was developed by Alexander Peslyak, also known as Solar Designer, who is a Russian
security expert and open source software designer. He is the Founder and Chief
Technology Officer at Openwall and has been working in the field of
cybersecurity since 1997 (Solar, “Alexander Peslyak’s Bio”).
John is part of Openwall, which is a source for various open
source security software. Openwall publishes articles, and provides
presentations and other professional services including remote information
security consulting and source code reviews for vulnerabilities (“Openwall services”).
As mentioned in a previous section, Openwall also maintains wordlist
collections that can be used with John the Ripper and other password cracking
tools (“Openwall wordlists collection”). John is available in different
versions including a pro version, an official free version and a community
enhanced version. For this paper I downloaded the John the Ripper 1.7.9 Windows
binaries (“John the Ripper Password Cracker”).
John can be used with a command-line interface or a graphical user
interface (GUI). A GUI named Johnny was developed for the use of John the
Ripper. Johnny runs on all major desktop
platforms. It allows the user to operate John the Ripper’s attack modes in an
interface that is simple to use. Johnny is an open source GUI designed by Shinnok and implemented by Aleksey
Cherepanov as part of GSoC 2012 (Google Summer of Code). The development
started as part of the Summer of Security 2011. Johnny was improved by Mathieu
Laprise as part of GSoC 2015. The goal of Johnny is to automate and simplify
password cracking using John the Ripper. Johnny adds improved hash and password
workflow, multiple attacks and session management, visual feedback, and more.
Johnny further allows the user to manually guess passwords by using the guess function.
John supports a variety of
different hash types that are used for password hashing. Hashing differs from
regular encryption in that it is not reversible. It takes a readable file or
password and converts it into a hash value. When a password is entered, a hash value
is created and compared to the password hash stored in the password file. If
the two hashes match, the validity of the password is verified (Greenberg). The
hash types supported by John include traditional DES-based, MD5-based,
BSDI crypt, BigCrypt, bcrypt, LanMan and others (Solar, “Sample Password Hash Encoding Strings”).
John supports different cracking modes, including single
crack mode, incremental mode, external mode, wordlist mode, and a default
cracking mode. Those modes can be easily selected using the Johnny GUI or can
be manually specified using the command-line interface. Both the GUI and the
command prompt interface support almost all the same functions.
When using wordlist mode, the user can specify a wordlist, which
contains one word per line and consists of a list of common passwords. Over the past years, systems have been cracked and
passwords of millions of users have been captured and stored. Using those lists
improves the chances of successfully cracking a password. The user can
also enable word mangling rules which modify words to produce other likely
passwords. Wordlists are often sorted based on likely candidate passwords on
the top or alphabetically. Sorting wordlists alphabetically allows John to run
slightly faster due to similarity in words from one to the next.
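The following is an added example (not from the paper, nor John's own code) that models the two ideas above: the login-time check that hashes an entered password and compares it with the stored hash, and the wordlist mode with word mangling rules. SHA-256 with a salt stands in for the crypt-style formats John handles, the wordlist, the mangling rules and the target hashes are all constructed here, and the rules are a small hand-written subset rather than John's rule engine. Run as a self-check, it shows which of three constructed passwords fall to the list alone, which only fall once rules are applied, and which survive both.

```python
import hashlib
import hmac

# Constructed sample: SHA-256(salt || password) stands in for the crypt(3)-style
# hashes John handles (descrypt, MD5-crypt, bcrypt, ...).  The procedure is the
# same for all of them: hash each candidate and compare with the stored hash.


def hash_password(password: str, salt: bytes) -> str:
    """Return hex(SHA-256(salt || password)); a stand-in for a crypt-style hash."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def verify(password: str, salt: bytes, stored_hash: str) -> bool:
    """Login-time check: hash the entered password and compare it with the stored one."""
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def mangle(word: str):
    """A hand-written subset of wordlist-mode mangling rules (not John's rule engine):
    the word as-is, capitalised, upper-cased, reversed, with common suffixes, and
    with simple letter-to-symbol substitutions."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]
    for suffix in ("1", "123", "!", "2012"):
        yield word + suffix
        yield word.capitalize() + suffix
    yield word.replace("a", "@").replace("e", "3").replace("o", "0")


def wordlist_attack(wordlist, salt: bytes, stored_hash: str, rules: bool = True):
    """Try every word (and, with rules=True, every mangled form) against stored_hash.
    Returns (matching_candidate, attempts) or (None, attempts)."""
    attempts = 0
    for word in wordlist:
        candidates = mangle(word) if rules else (word,)
        for cand in candidates:
            attempts += 1
            if hash_password(cand, salt) == stored_hash:
                return cand, attempts
    return None, attempts


# Constructed wordlist (stands in for password.lst) and a fixed constructed salt so
# that the results are reproducible.
WORDLIST = ["password", "letmein", "dragon", "monkey", "sunshine"]
SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08"

STORED_PLAIN = hash_password("dragon", SALT)       # appears in the list verbatim
STORED_MANGLED = hash_password("Monkey123", SALT)  # only reachable through a rule
STORED_PHRASE = hash_password("Ih1Da2C", SALT)     # the paper's phrase-derived password


def audit(stored_hash: str):
    """Report how a stored hash fares against the list alone and the list plus rules."""
    plain = wordlist_attack(WORDLIST, SALT, stored_hash, rules=False)
    ruled = wordlist_attack(WORDLIST, SALT, stored_hash, rules=True)
    return {"list_only": plain, "list_with_rules": ruled}


if __name__ == "__main__":
    assert verify("dragon", SALT, STORED_PLAIN)
    for name, h in (("dragon", STORED_PLAIN), ("Monkey123", STORED_MANGLED),
                    ("Ih1Da2C", STORED_PHRASE)):
        print(name, audit(h))
```

The point the numbers make: "dragon" falls to the bare list in three attempts, "Monkey123" is never in the list but is produced by the capitalise-and-append rule, and the phrase-derived "Ih1Da2C" is reached by neither, which is why the paper recommends phrase-based passwords over dictionary words.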
Single cracking mode uses login names, user’s home directory
names, and GECOS fields as possible passwords. GECOS fields are entries in the
/etc/passwd file that contain information about the user account. Single crack
mode is faster than wordlist mode and it can use a larger set of word mangling
rules to create more possible passwords. Running many password files
simultaneously may sometimes get more passwords cracked than running individual
password files separately because more hashes can be compared simultaneously (“John
the Ripper – Cracking Modes”).
Incremental mode is the most powerful mode. It can try all
possible character combinations as passwords. Incremental mode requires
specific definitions for the mode’s parameters including password length limits
and charset. A user can either use a pre-defined incremental mode or define a
custom one. There are several pre-defined incremental modes, including
“ASCII” (all 95 printable ASCII characters) and “LM_ASCII” for
the use on LM hashes (“John the Ripper – Cracking Modes”).
An external cracking mode can be defined to be used with John the
Ripper. External mode is the most flexible because the user can define his own
code to generate possible passwords (“John the Ripper – Cracking Modes”). Mask
mode is a way to produce possible passwords given a “mask” that describes what
the words should look like. Markov mode creates word-like strings based on an
algorithm that uses rules such as the likeliness of certain characters
following other characters.
There are different pages that can be used to create password
hashes. I used the page http://sherylcanter.com/encrypt.php which lets the user create DES-hashes and MD5-hashes for a
To demonstrate how to use John, I created a password file called “password.txt”,
in which I copied and pasted several password hashes. When using the
command prompt, there are several options on how to use John. Typing “john”
will give the user a list of all the options and functions that John provides.
John’s default cracking mode using the command “john password.txt” will use
“single crack” mode, then use a wordlist and then “incremental” mode. John has
a default wordlist called “password.lst”.
Cracking modes, wordlists, and password files can all be specified
using the command prompt. John also lets the user check the status of a running
session and continue interrupted sessions. When a password file contains
several different types of hashes, the user can specify specific formats in the
command prompt. One example is “john --format=descrypt password.txt” to crack the
passwords using DES crypt.
Once passwords are cracked they are stored in “$JOHN/john.pot”. To display the
content of the pot file we use the command “john --show password.txt” in the command
window (“John the Ripper- Usage Examples”).
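As an added example (not part of the paper and not John's own code), the script below reconstructs what “john --show password.txt” does from the two files named above: it reads the “user:hash” lines of the password file, reads the “hash:plaintext” lines of john.pot, and prints the accounts whose hash has been cracked. Both files here are constructed samples with made-up hash strings; the assumption that neither the hash nor the user name contains a colon is noted in the code. A second function groups accounts that share a cracked password, which is the kind of finding an administrator auditing a password file wants to act on.

```python
# Constructed sample password file in the "user:hash" layout used in the text.
# The hash strings are made up and shaped like descrypt (13 characters) and
# MD5-crypt ("$1$salt$...") entries; they are not real hashes of anything.
PASSWORD_TXT = """\
alice:$1$sa1t$9XnG4GmzLfBV6lYFsQ9oi0
bob:AbCdEfGh12345
carol:$1$sa1t$abcdefghijklmnopqrstu.
dave:AbCdEfGh12345
"""

# Constructed john.pot: one "hash:plaintext" line per cracked hash.
JOHN_POT = """\
$1$sa1t$9XnG4GmzLfBV6lYFsQ9oi0:dragon
AbCdEfGh12345:Monkey123
"""


def parse_password_file(text: str):
    """Return [(user, hash), ...].  The hash is the second colon-separated field, so
    both "user:hash" and full /etc/passwd-style lines work.  Assumes the user name
    itself contains no colon."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed password line: {line!r}")
        entries.append((fields[0], fields[1]))
    return entries


def parse_pot(text: str):
    """Return {hash: plaintext}.  Splits at the first colon; this assumes the hash
    contains no colon (true for the descrypt and MD5-crypt strings used here), and
    therefore a plaintext containing colons is preserved intact."""
    cracked = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        h, _, plain = line.partition(":")
        cracked[h] = plain
    return cracked


def show(password_txt: str, john_pot: str):
    """Reconstruction of "john --show": returns (lines, cracked, left) where lines
    are "user:plaintext" for every entry whose hash appears in the pot file."""
    cracked = parse_pot(john_pot)
    lines, n_cracked, n_left = [], 0, 0
    for user, h in parse_password_file(password_txt):
        if h in cracked:
            lines.append(f"{user}:{cracked[h]}")
            n_cracked += 1
        else:
            n_left += 1
    return lines, n_cracked, n_left


def shared_passwords(password_txt: str, john_pot: str):
    """Group users whose cracked plaintext is identical: {plaintext: [users]} for
    every plaintext used by more than one account."""
    cracked = parse_pot(john_pot)
    by_plain = {}
    for user, h in parse_password_file(password_txt):
        if h in cracked:
            by_plain.setdefault(cracked[h], []).append(user)
    return {p: users for p, users in by_plain.items() if len(users) > 1}


if __name__ == "__main__":
    lines, n_cracked, n_left = show(PASSWORD_TXT, JOHN_POT)
    print("\n".join(lines))
    print(f"\n{n_cracked} password hashes cracked, {n_left} left")
    print("shared:", shared_passwords(PASSWORD_TXT, JOHN_POT))
```

Because bob and dave have the same descrypt hash, one pot entry reveals both accounts; that is the "more hashes compared simultaneously" effect mentioned in the single crack mode discussion, seen from the reporting side.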
During my research I learned that password cracking is a long and
CPU-intensive process. When running John the Ripper, my CPU activity increased
to about 89%-100%. It takes a lot of processing power to crack complex
passwords. Cracking a password can take hours or days depending on the
processing power of the user’s computer. Furthermore, tools like John the
Ripper are relatively easy to figure out and use, which allows ordinary people,
who do not necessarily have any hacking skills, to take advantage of such tools.
People oftentimes think their passwords are
unique and therefore safe. However, common patterns are often used when
creating a password. Those common patterns include the use of family names,
birthdays or pet names. Developers of password cracking tools are aware of such
patterns and therefore accordingly adjust their password cracking tools. Wordlists,
for example, contain commonly used passwords. Having a strong password that is unique
and complex is important. To make it more difficult for a tool to crack a
password, some rules can be followed that enhance the strength of a password. It
is important to remember that a password should be difficult to crack but at
the same time easy to remember for the user. The length of a password and the use
of upper case letters, lower case letters, numbers and special characters play an
important role. Furthermore, it is recommended to use password phrases rather
than words, to further enhance the strength of a password. A password phrase
could be as simple as “I have 1 Dog and 2 Cats” which would create the password
“Ih1Da2C”. Password phrases are more difficult to crack since the letters
appear in a seemingly random order and do not form the common words used in wordlists. Furthermore,
password phrases are still somewhat easy to remember (Goldberg, “Toward Better Master Passwords”).
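The added example below (not from the paper, and not John's incremental-mode implementation) ties the phrase scheme just described to the incremental mode explained earlier. `passphrase_to_password` derives “Ih1Da2C” from the paper's phrase in the way the text describes; `keyspace` counts how many candidates an exhaustive incremental search over a charset and length range would have to try at most, using the 95 printable ASCII characters mentioned for the “ASCII” mode; and `incremental_attack` actually performs that enumeration against a short constructed digit-only target so the growth in attempts can be observed. The charset names and the candidate ordering (shortest length first, then lexicographic) are this example's choices, not John's.

```python
import itertools
import string

# Charsets for the demonstration.  "ASCII" is the 95 printable characters the text
# mentions; the others are constructed for comparison and do not claim to match
# John's own pre-defined incremental modes.
CHARSETS = {
    "ASCII": "".join(chr(c) for c in range(32, 127)),   # 95 printable characters
    "Lower": string.ascii_lowercase,                    # 26
    "Digits": string.digits,                            # 10
}


def passphrase_to_password(phrase: str) -> str:
    """The scheme from the text: first character of every word, digits included."""
    return "".join(word[0] for word in phrase.split())


def keyspace(charset: str, min_len: int, max_len: int) -> int:
    """Maximum number of candidates an exhaustive search over charset has to try for
    lengths min_len..max_len inclusive (sum of n^L)."""
    n = len(charset)
    return sum(n ** length for length in range(min_len, max_len + 1))


def incremental_candidates(charset: str, min_len: int, max_len: int):
    """Enumerate every string over charset, shortest length first, then lexicographic."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def incremental_attack(charset: str, min_len: int, max_len: int, is_match):
    """Feed candidates to is_match() until one is accepted.
    Returns (candidate, attempts) or (None, attempts) if the range is exhausted."""
    attempts = 0
    for cand in incremental_candidates(charset, min_len, max_len):
        attempts += 1
        if is_match(cand):
            return cand, attempts
    return None, attempts


def charset_needed(password: str) -> str:
    """Name the smallest charset in CHARSETS that contains every character of password."""
    for name in ("Digits", "Lower", "ASCII"):
        if all(ch in CHARSETS[name] for ch in password):
            return name
    raise ValueError("password uses characters outside the demo charsets")


if __name__ == "__main__":
    pw = passphrase_to_password("I have 1 Dog and 2 Cats")
    print(pw, "needs charset", charset_needed(pw))
    for name in CHARSETS:
        print(f"{name:>6}: {keyspace(CHARSETS[name], 1, len(pw)):,} candidates up to length {len(pw)}")
    # Constructed short target so the enumeration finishes instantly.
    print(incremental_attack(CHARSETS["Digits"], 1, 3, lambda c: c == "472"))
```

The derived password mixes upper case, lower case and digits, so it can only be reached by the full 95-character search, whose keyspace for length 7 alone is 95^7, about 7 x 10^13 candidates, compared with 26^7, about 8 x 10^9, for a lowercase-only password of the same length; the three-digit target, by contrast, is found after a few hundred attempts.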
Password cracking does not always take a professional or skilled
hacker. Tools like John the Ripper provide an easy-to-use password cracking interface
that can be used by amateur hackers or ordinary people. Password cracking tools are becoming more and more powerful
and developers of those tools know the common passwords in use. However, as password users
we can protect our data and information by applying some rules to make our passwords
stronger. More complex passwords might still be cracked, but it will take
more time and skill to do so.