John the Ripper - Cracking Hashes

July 07, 2020

John the Ripper - Cracking Hashes

John the Ripper is one of the most used and popular password cracking tools. It supports a lot of encryption technologies (unix encrypt (3), des, sha-encrypt hashes etc.), for Unix and Windows based systems. JtR detects the encryption on the hashed data and next if compares it with a large text file that contains popular passwords, checks each password and stops when a match if found. It helps to find poor passwords and weak password policies. JtR also contains its wordlist of common passwords used in different languages. This is an advantage for the program as it provides a lot of possible password matches from which it can find the corresponded hash value of the target password.

Usually John the Ripper is available on Kali Linux as it is part of cracking metapackages, but if this is not the case sudo apt-get install john command is used to install it on Kali Linux virtual machine.

You can check if John is installed on your virtual machine:

To try cracking hash values using JrR, firstly let's create the file called file.txt. After that we need to use the command sha256sum, which will generate us the hash value for file.txt. The algorithm used is SHA256, which generates a fixed size 256-bit hash of the text. The hash value is not encryption, we cannot decrypt back to the original text, as it is a one-way function and a fixed size of any text. Since we need to crack this hash value, we simply paste the generated one on another text that we create, in this case it is called hashfile.txt.

Next, we need to crack the hash value, and for that we use the JtR standard command as above. We insert the algorithm that we are using (sha256) and the name of the text file we want to attack, which is hashfile.txt, that file that we pasted the generated hash value of “uendi”.

As we can see above, we were lucky to generate this password in this short time. We can also see the wordlist that John checked to find the word hidden in the hashed value.

On the result the three attacking modes of JrR are displayed: single, wordlist and incremental mode.

Single crack mode is the mode which starts the cracking. It uses the login names, user's home directory's as target for password.
Wordlist mode is the simplest mode of JtR. We do the attack by simply specifying the wordlist we are going to use (we can also make one by ourselves) and the file we want to attack. When this mode is enabled, John applies the rule in every line of the wordlist, and produces multiple passwords from each source that may match the attacked word.
The last is incremental mode, and it is the most powerful mode of cracking. This mode tries all possible chars of ASCII.

Still, this is not always be the case, as we can have longer password, or even more than one password in one single file. So, we can now try with three words in a file and check how JrR will performs its attack.

Below are three hashed stored on hashfile.txt.

By following the same method as before we can see that the result is not the same with more than one line to crack on the file. It is going to need more time as it checks all the possible passwords in order to find each of the line in the hashfile.txt.

Below are three hashes stored on uendifile.txt file. (password1, password2, pass3)

The standard wordlist list on /usr/share/wordlists/rockyou.txt is used. Rockyou.txt is compressed, so we need to unzip it using the command: gzip –d rockyou.text.gz

When John checks the wordlist, it immediately finds the above passcodes, as they are standard passwords and are easier to find. John uses char frequency tables, so such passcodes are straightforwardly found by the cracker tool. Also, their format can be already on the wordlist that is used, thus it is faster to detect and crack them.

Now let’s try different passwords, ones that are not easily "predictable" from John.

As the result shows, only two of three passwords are cracked by John, and done in a short period of time.

Below hashcat is used as a password cracker in order to compare the results of these hashes:

We can check that we get the same output as before, thus leading to one password not cracked yet.

As a result, wordlist mode performs as a dictionary attack. So, it takes the SHA256 hash of the string on the file, separately in lines, and check the words in the list and encrypts them in the same format as the attacked password. At the end it compares the output to the encrypted string. It also can be called a brute force attack, as it goes through all possible words to hash each of them and match them with the input hash value. Since JtR practically tries every possible candidate word as password using the given wordlist, if there is no combination to find, it will stop checking. This means that password is not in the wordlist, or doesn't have any combination of the words in the wordlist that is specified. Not to mention that incremental mode of JtT supports not more than 8 characters, and since in our case the password had more than 8, it is required by us to built our own John and normally it will take time to crack it.

So, the successful attack of John the Ripper is not always achievable. It depends on the characters we use, the number of passwords to generate and also the frequency of the characters each password has. The tool will easily find a password like “password1” than “securityclass”. So it has limits on cracking passcodes and you can only be successful if the hashes are frequently used, combinable with the wordlist and has a limit of characters.