# Lab: John the Ripper.

The goal of this step is to set up the lab.

### Step 3: John Operation

• Remember there is documentation for john.
• Run john on the password file.
• john comes with an unshadow utility.
• This will make the password file usable by john.
• Run this:
• `sudo unshadow /etc/passwd /etc/shadow > myPass`
• Look at myPass.
• Each line represents a user.
• Run john on this file:
• `john myPass`
• Notice this returns almost instantly. Read the text john produces.
• Run `john myPass --show`
• This tells you that john has figured out the passwords for bob and alice.
• This is not a surprise, as the first pass of john is to try information from the password file.
• If you run john again, it will not do anything.
• John is designed as a long-term, continuous operation.
• It saves a history of the passwords it has found.
• Look at the files in ~/.john:
• `ls ~/.john`
• `less ~/.john/john.log`
• `less ~/.john/john.pot`
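As an added example (not part of the lab or of john itself), the Python below reproduces what `john --show` does with the two files you just looked at: it joins john.pot against the unshadow output and also flags cracked passwords that can be built from the account's own login or GECOS fields, which is why bob and alice fall on john's first pass. The file contents and hashes are constructed placeholders, not real crypt(3) output.

```python
import re

# Constructed sample data: an unshadow-style file (passwd layout with the
# hash in field 2) and a john.pot file (hash:password). Hashes are placeholders.
MYPASS = """\
root:$6$SALT$HASHROOT:0:0:root:/root:/bin/bash
bob:$6$SALT$HASHBOB:1001:1001:Bob Smith:/home/bob:/bin/bash
alice:$6$SALT$HASHALICE:1002:1002:Alice:/home/alice:/bin/bash
user1:$6$SALT$HASHUSER1:1003:1003::/home/user1:/bin/bash
"""

JOHN_POT = """\
$6$SALT$HASHBOB:bob
$6$SALT$HASHALICE:alice123
"""

def parse_unshadow(text):
    """Map login -> (hash, gecos); skip locked accounts john cannot crack."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 5 or fields[1] in ("", "*", "!", "x"):
            continue
        users[fields[0]] = (fields[1], fields[4])
    return users

def parse_pot(text):
    """Map hash -> password; split on the first ':' only, passwords may contain ':'."""
    pot = {}
    for line in text.splitlines():
        if ":" in line:
            h, pw = line.split(":", 1)
            pot[h] = pw
    return pot

def show(mypass_text, pot_text):
    """Return (cracked {login: password}, number still uncracked,
    logins whose password starts with their login or a GECOS word)."""
    users, pot = parse_unshadow(mypass_text), parse_pot(pot_text)
    cracked, derived = {}, []
    for login, (h, gecos) in users.items():
        if h not in pot:
            continue
        cracked[login] = pot[h]
        words = [w for w in [login] + re.split(r"[\s,]+", gecos.lower()) if w]
        if any(pot[h].lower().startswith(w) for w in words):
            derived.append(login)
    return cracked, len(users) - len(cracked), derived

if __name__ == "__main__":
    print(show(MYPASS, JOHN_POT))
```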
• In the directory ~bob/passwordCode is a file myCrypt which will create a fake password file entry given a user name and a password.
• Try `../passwordCode/myCrypt user1 hello`
• As we saw in the pwnkit lab, we can redirect output to a file with the > and >> operators.
• Try `../passwordCode/myCrypt user1 hello >> newPassFile`
• Look at the contents of newPassFile.
• Run `john newPassFile`
• This will return instantly, so
• run `john --show newPassFile`
• Using the command above, add a few more entries to newPassFile:
user2 hell0
user3 hello1
user5 are
user6 fun
user7 to
user8 crack
kirk ncc1701
pickard ncc1701d
• Now try running john:
• `john newPassFile`
• At any time, you can press a key to see what john is working on.
• This includes:
1. The number of passwords guessed
2. The length of time John has been running (D-H-M-S)
3. Percent done on the current pass
4. Which pass it is on
5. Guesses per second rate
6. Crypts per second
7. The current words being tested
• Note that within a minute or two John has guessed most of the passwords.
• We can help John out by giving it a different dictionary.
• Try `john --wordlist=lower newPassFile`
• This tells john to use the file lower as its wordlist.
• Note that in a few minutes the other two passwords are found!
• You don't need to wait for the entire process to complete.
• Strangely, "to" is the hardest of this set to crack, but that is just an accident of the alphabet.
• At 400 PPS, it will take no longer than 12 minutes to find that one, however.
• John can also work in parallel mode.
• This will not work well on your simulated machine, but it will work.
• Start by removing the .john directory in bob's home directory.
• Remember, john caches the passwords it has found in this directory.
• By removing this directory, you force john to start over.
• Be careful and do this right:
• `rm -rf ~/.john`
• Start john again, but this time:
• `john newPassFile --wordlist=lower --fork=2`
• Try pressing the space bar now and monitor John's progress.
• You don't need to wait for the entire process to complete.
• On Mirkwood, with 4 real cores, it took nearly four minutes to find all these passwords:
```text
[bennett@mirkwood pass]$ time john newPassFile --wordlist=lower --fork=4
Created directory: /home/bennett/.john
Loaded 10 password hashes with no different salts (crypt, generic crypt(3) [?/64])
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
are              (user5)
crack            (user8)
fun              (user6)
hello            (user1)
```