labs / tiddlers / content / labs / 03 / _Labs_03_John the

Unfortunately, the version of John the Ripper in the lab environment is very old and lacks support for the mask parameter, so this section will be for information only.

In this section, we will briefly introduce John the Ripper, an open-source password cracking tool (officially termed a "security auditing and password recovery tool"). The following exercises briefly illustrate its use.

First, we can calculate the hash of a readily-crackable password:

echo -n Qwert56 | md5sum  | tr -d '  -'

This pipeline computes the MD5 hash of the (rather poor) password "Qwert56". The -n flag tells echo not to output a trailing newline (which would change the hash, since MD5 covers every byte of its input). The tr command at the end of the pipeline removes the extraneous output from md5sum, leaving just the hash as a hexadecimal string.

Copy the hex string from the output before proceeding (just the string, without any newline!).

Next, we can run John the Ripper on the hash to recover the original password by brute force (the command is simply john). Run the following command, which will wait for your input:

john --format=raw-md5 --fork=4 --mask="?u?l?l?l?l?d?d" /dev/stdin

Then paste in the MD5 hex string from before and press Ctrl-D to signal end of input. John will then search the space described by the mask for a password whose MD5 hash matches the one you supplied.

The mask parameter lets you specify a pattern describing which kind of character should be tried at each position of the candidate passwords being generated and tested. Some example pattern characters:

  • ?l lower-case ASCII letters
  • ?u upper-case ASCII letters
  • ?d numeric digits
  • ?s special characters such as punctuation (all printable ASCII characters not in ?l, ?u or ?d)

Exercises: Comment on the likely patterns that would result from password requirements such as having a minimum of one capital letter and a minimum of one digit. What effect would this have on the password entropy?
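Since the lab's John the Ripper cannot run the mask search, the following Python script is added here (it is not part of the lab materials and does not use John's own code) to make the two points above concrete: it reproduces the newline caveat from the md5sum step, expands a mask in the same spirit as John's ?l/?u/?d/?s placeholders, and reports the size of the resulting keyspace in bits, which is what the exercise asks you to reason about. The ?s class is modelled as "printable ASCII not in ?l, ?u or ?d" as the text describes; that modelling, the demonstration password "Ab1" and the reduced mask ?u?l?d are assumptions chosen so the search finishes instantly, while the full lab mask is only counted, not enumerated.

```python
import hashlib
import itertools
import math
import string
from typing import List, Optional

# Character classes as the text describes them for John the Ripper masks.
# Assumption: ?s is modelled as every printable ASCII character not covered
# by ?l, ?u or ?d, i.e. punctuation plus the space character (33 symbols).
MASK_CLASSES = {
    "?l": string.ascii_lowercase,
    "?u": string.ascii_uppercase,
    "?d": string.digits,
    "?s": string.punctuation + " ",
}


def md5_hex(password: str, trailing_newline: bool = False) -> str:
    """MD5 of the password as a hex string.

    trailing_newline=True reproduces what `echo` without -n would have fed to
    md5sum: the password followed by a newline byte, which gives a different hash.
    """
    data = password.encode() + (b"\n" if trailing_newline else b"")
    return hashlib.md5(data).hexdigest()


def parse_mask(mask: str) -> List[str]:
    """Turn a mask such as ?u?l?d into the list of alphabets tried per position."""
    if len(mask) % 2 or any(mask[i] != "?" for i in range(0, len(mask), 2)):
        raise ValueError("mask must be a sequence of ?x placeholders")
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    unknown = [t for t in tokens if t not in MASK_CLASSES]
    if unknown:
        raise ValueError(f"unsupported placeholder(s): {unknown}")
    return [MASK_CLASSES[t] for t in tokens]


def keyspace_size(mask: str) -> int:
    """Number of candidate passwords the mask describes (product of class sizes)."""
    size = 1
    for alphabet in parse_mask(mask):
        size *= len(alphabet)
    return size


def keyspace_bits(mask: str) -> float:
    """Entropy of a password drawn uniformly from the mask's keyspace, in bits."""
    return math.log2(keyspace_size(mask))


def crack_md5_with_mask(target_hex: str, mask: str) -> Optional[str]:
    """Try every candidate the mask describes; return the one whose MD5 equals
    target_hex, or None when the mask does not cover the password at all."""
    target_hex = target_hex.strip().lower()
    for chars in itertools.product(*parse_mask(mask)):
        candidate = "".join(chars)
        if hashlib.md5(candidate.encode()).hexdigest() == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    # Newline caveat from the md5sum step: echo without -n hashes one extra byte.
    print("with -n:   ", md5_hex("Qwert56"))
    print("without -n:", md5_hex("Qwert56", trailing_newline=True))

    # Keyspace the lab's mask covers versus any 7-character printable ASCII
    # string (95 choices per position), the comparison the exercise asks about.
    lab_mask = "?u?l?l?l?l?d?d"
    print(f"{lab_mask}: {keyspace_size(lab_mask):,} candidates, "
          f"{keyspace_bits(lab_mask):.1f} bits")
    print(f"any 7 printable characters: {7 * math.log2(95):.1f} bits")

    # Constructed demonstration with a reduced mask so the search is instant.
    demo_hash = md5_hex("Ab1")
    print("recovered:", crack_md5_with_mask(demo_hash, "?u?l?d"))
```

Running it shows why a composition rule such as "one capital, one digit" tends to shrink rather than grow the effective search space: users typically satisfy it with the capital first and the digits last, which is exactly the shape the lab mask encodes, and that mask holds roughly 30 bits of entropy against about 46 bits for an arbitrary 7-character printable password.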