Test your passwords the brutal way

What is there to do on an average Sunday? Well, you can for example work your way through 30 hacker movies. One movie is definitely missing there though, namely 23. Learning German hacker slang is pretty cool, however, as your paranoia creeps up your spine, you may wanna check your own security for a bit. Fortunately, you can play NSA in your home nowadays, by toying with John the Ripper.

Even though John the Ripper doesn’t come with the kind of nice 3D graphical user interface that is common in the hacker movies, it is really easy to use, even if you are a newbie. And by using it, you will learn some fundamentals about how passwords are used on computers.

This is what you need:

1. A computer. The faster CPU it has, the better.

2. A modern operating system. John the Ripper works on many platforms, but it is much easier on real operating systems such as Linux.

3. You will need to be root/superuser on the system.

4. A shirt. You need to dress up a little to get the right kind of energy of the mind. (In Swedish it is called ”hackarskjorta”)

Let’s do this.

First off, you install John the Ripper. In Debian/Ubuntu just hit sudo apt-get install john. If you are on some other g33kstation, you head over to the project website to grab a download. Now, there is a small glitch here in versions on Debian and Ubuntu which may cause John not to work properly. The version in the repositories is quite old, and can’t handle SHA-512 password hashes (which will be what your system uses). I did this test by extracting passwords from an old Debian 5 machine. But to attack more recent versions, you need to follow some manual install instructions.

John can then perform 3 types of attacks on your passwords: testing passwords against a wordlist of common password phrases (a so-called dictionary attack), performing a single-crack attack on the user information provided by the system, or doing an incremental brute-force attack on the password.

These modes have their benefits and drawbacks. If you have an awesome wordlist with lots of common passphrases, the dictionary attack can be very powerful. The single-crack method, on the other hand, takes a shortcut via the /etc/passwd file. View it with cat /etc/passwd when logged in as super user. The third method is the most powerful, but it is also the one in need of a fast CPU.

To warm up your CPU a little, you can start off by running john -test to benchmark the performance of the system. If needed, open the windows in your apartment or house to get air flowing.

Now, you first need to retrieve the password hashes from your system. Maybe you have friends that use your machine, and even though you have made a really long and secure password for yourself, your friends may be sloppier. Use the following command on your system:

unshadow /etc/passwd /etc/shadow > sekrit.phile.db

This will create a file with usernames and password hashes. The content of the file will be all users of the system, and it looks like this (don’t even try, I made up the hashsum by pressing randomly on the keyboard):

cameron:k6j3jnjjY)%¤gJ%¤%JJGJoI)()()/&()JJKhejk%&%%8:1000:1000:cameron,,,:/home/cameron:/bin/bash

Now, to unleash John the Ripper, just hit:

john sekrit.phile.db

And John will output its status when you hit any key. Pressing Ctrl-C will abort, but still save potentially cracked passwords. Looks like this:

Loaded 16 password hashes with 16 different salts (FreeBSD MD5 [32/64 X2])

guesses: 0 time: 0:00:51:18 (3) c/s: 5475 trying: trdjac - trdjah

guesses: 0 time: 0:00:54:37 (3) c/s: 5475 trying: 1213a - 1218e

guesses: 0 time: 0:00:57:24 (3) c/s: 5476 trying: potash1 - potashe

To make sure you are doing everything right, you can add a dummy user with a weak password. Then, unshadow again, and edit the text file (sekrit.phile.db). Remove all other passwords and just keep the dummy user. This is what mine looked like on first attempt:

root@turbot:~# cat sekrit.phile.db

clumsyfool:$1$pSWRdlUU$6aI6Mr4/GGQQpqYz9I7KV1:1015:1015:,,,:/home/clumsyfool:/bin/bash

Then just give the clumsy fool a dust of John the Ripper:

root@turbot:~# john sekrit.phile.db

Loaded 1 password hash (FreeBSD MD5 [32/64 X2])

abc (clumsyfool)

guesses: 1 time: 0:00:00:00 100% (2) c/s: 3103 trying: aaaaaa - abc

Oops, that was pretty easy. Protip: Don’t use abc as your password.
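The second field of each unshadowed line also shows which hash scheme an account uses: the $1$ prefix on the clumsyfool hash is what John reports as FreeBSD MD5, while SHA-512 hashes start with $6$. The following is an added example, not part of the original post, that audits a file in this format and flags accounts worth reviewing. The scheme table, the ok/REVIEW judgment and the function names are assumptions of this example, and the sample hashes other than clumsyfool's are placeholders.

```python
# Added example: report the password hash scheme of each account in an
# unshadow-style file (user:hash:uid:gid:gecos:home:shell).
SCHEMES = {  # crypt(3) identifier -> (name, acceptable by this example's judgment)
    "1": ("MD5-crypt", False),
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "5": ("SHA-256-crypt", True),
    "6": ("SHA-512-crypt", True),
    "y": ("yescrypt", True),
}

def classify(hash_field):
    """Return (scheme_name, ok) for the second field of a passwd/shadow line."""
    if hash_field == "":
        return ("EMPTY (no password required)", False)
    if hash_field[0] in "*!":
        return ("locked / no password login", True)
    if hash_field.startswith("$"):
        ident = hash_field.split("$")[1]  # text between the first two '$'
        return SCHEMES.get(ident, ("unknown $%s$" % ident, False))
    if len(hash_field) == 13:
        return ("traditional DES crypt", False)
    return ("unrecognised", False)

def audit(lines):
    """Yield (user, scheme, ok) for every passwd-format line."""
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if line.startswith("#") or len(fields) < 7:
            continue  # comment or malformed line
        yield (fields[0], *classify(fields[1]))

# Constructed sample input. The clumsyfool line is the one shown in the post;
# the cameron hash is a placeholder, not a real hash.
SAMPLE = """\
clumsyfool:$1$pSWRdlUU$6aI6Mr4/GGQQpqYz9I7KV1:1015:1015:,,,:/home/clumsyfool:/bin/bash
cameron:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:1000:1000:cameron,,,:/home/cameron:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest::1016:1016:,,,:/home/guest:/bin/bash
"""

if __name__ == "__main__":
    for user, scheme, ok in audit(SAMPLE.splitlines()):
        print("%-12s %-30s %s" % (user, scheme, "ok" if ok else "REVIEW"))
```
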

Oh, and one more thing. The unshadowed file should not just lie around on your system. Someone with a supercomputer could get hold of it and then you are 0wned. Make sure to get rid of it by:

shred sekrit.phile.db

rm sekrit.phile.db

Have a great Dark Sunday!
