John the Ripper is a widely-used password cracking tool installed by default on Kali Linux. It supports various modes of password cracking including Single, Wordlist, and Incremental Mode.

In this lab, you will be using John the Ripper to crack passwords on a Linux system.

The purpose of this activity is to provide information regarding how these programs function in order that adequate defenses can be designed and implemented. These programs should never be used in a malicious fashion against another user.

Part 1: Create a User

1. Create a snapshot of the Kali VM. Turn on the Kali VM.
2. In Terminal, create a user clifford. You may have to enter your kali password if prompted.

    sudo useradd clifford
   

   The sudo command gives you temporary superuser permissions to run the privileged action such as using the useradd command.

3. Give the new account a password.

    sudo passwd clifford
   

4. Enter Reddog as the password.
5. Confirm that the account has been created.

    id -u clifford
   

   It should return the user ID number.

6. Repeat steps 2 and 3 to create another user minnie with Mickey! as the password.
7. Repeat steps 2 and 3 to create another user student with passwd1 as the password.
8. Repeat steps 2 and 3 to create another user gatsby with 1357 as the password.
9. Repeat steps 2 and 3 to create another user superuser with kali as the password.
10. Repeat steps 2 and 3 to create another user admin and this time choose a password that is 7 characters long.

Part 2: Crack Passwords

11. Switch to the Desktop. Then copy the passwd and shadow files from the /etc/ directory.

    cd ~/Desktop
    sudo cp /etc/passwd passwd_copy
    sudo cp /etc/shadow shadow_copy
    

    The passwd file stores usernames, user IDs, and password policies, while the shadow file stores their respective password hashes.

12. Use the pwd command to print your working directory, which should be /home/kali/Desktop.

    pwd
    

13. Enter ls -la to view the files within your current directory. This will show you the read and write privileges, owners, sizes, last modified times, and names of the directory’s contents.

    ls -la
    

    The top entry noted by . is essentially the working directory.
    The second entry .. is essentially the containing directory.
    In there, you’ll also see the two files you’ve just copied.
    Notice the owner of those files. Notice that all users have at least read permissions shown by r to the passwd_copy file, but only root has write permissions shown with w.

14. Open each file to view its contents.

    cat passwd_copy
    cat shadow_copy
    

    Due to the file’s ownership, you may need superuser privileges to read the files.

15. Review the format of the passwd and shadow files. Notice that the password hashes are stored in the second column.

    The passwords were at one time held in the /etc/passwd file, but it was since moved to the less permissive /etc/shadow file. The /etc/passwd file now contains an x to indicate that the password is held in /etc/shadow, which would contain a hashed password for the user.

16. Now, change ownership of the copied files to the kali user.

    sudo chown kali ./*_copy
    

17. Repeat step 13 to confirm the new file owner.
18. We’ll be using John the Ripper tools which are located in /usr/sbin/. But if you use the which command as the kali user, notice that the system doesn’t recognize where the john executable is located as opposed to when it’s done with sudo privileges.

    which john
    sudo which john
    

19. Print the environment variables and filter the output for “PATH”.

    printenv | grep PATH
    

20. Look for the PATH variable PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games which is delimited by colons. Notice that /usr/sbin is missing.

    Another way to view that environment variable is to echo it directly.

    echo $PATH
    

21. Add the directory to the PATH variable.

    export PATH=$PATH:/usr/sbin
    

22. Repeat step 18 to confirm that john is now found with the kali user.
23. Have John the Ripper’s unshadow tool merge the two files together.

    unshadow passwd_copy shadow_copy > merged.txt
    

24. Purge any John the Ripper log files that may exist from previous runs. Then begin cracking the passwords with the default wordlist.

    rm /home/kali/.john/*
    john merged.txt
    

    This may take a few minutes. If any remaining passwords are not cracked after 5 minutes, you may press Ctrl+C to stop it from continuing.

25. Review the log files to see how long it took to crack each password and how long it took before the tool switched cracking modes.

    grep 'Cracked\|Proceed' /home/kali/.john/john.log
    

26. Review the modes John the Ripper used by entering john | grep mode in the Terminal.

    john | grep mode
    

    John the Ripper begins with simple checks to a dictionary comparison to more intensive brute-forcing. Single mode uses usernames to try to crack their passwords. Wordlist mode uses a dictionary file supplied by the user. Incremental mode uses brute-forcing to try to hash and compare every combination of characters, which could take a very long time.

27. Read the comments in the John the Ripper wordlist. Review to see if you can find some of the passwords in this wordlist.

    grep comment /usr/share/john/password.lst
    

28. Turn off the Kali VM and restore it to the snapshot.
29. Write up a paragraph answering the following questions.
    1. In step 14, are the password hashes salted? How can you tell?
    2. Why did some passwords take longer than others to crack? What are the constraints on this tool’s performance?
    3. How could an administrator use what they know of John the Ripper to protect the user accounts on a system?

More Info