High speed password cracking with John the Ripper

John the Ripper has been out there for a long time, it’s a great tool for auditing passwords. How does it work, well simple: you take a password file with encrypted (or better hashed) passwords in it and give it to John. The program will first determine what kind of hash algorithm is used and will then start by taking normal words from an extensive wordlist and feed them one by one through the same hash algorithm. If the outcome matches with what is in the file that word is obviously the password.

After John has exhausted the wordlist it will try variations on the words. It will start every word with a capital and do the whole list again, than it could try every word backwards, substitute all letter “o” with zero’s, “i” with ones, “s” with “$”, and so on. Since computers have become mindboggling fast it can try a massive amount of combinations in a relative short time.

Since John the Ripper is around for a couple of years, it is written to be run on a single CPU. This is kind of a waste since we all got these dual core machines on our desks and even quad core’s or more in the servers in the racks. So how to make use of all this processing power?

Luckily there is a patch for John which allows it to use the Message Passing Interface to run multiple instances simultaneously, you can download this version: john-1.7.2-bp17-mpi2.tar.gz
and build it on your dual core box. Before the code will compile you need to install the MPI software, with yum on fedora this can be done with:

yum -y install openmpi*

next get the software (if not already done so), extract and move in there:

wget http://www.bindshell.net/tools/johntheripper/john-1.7.2-bp17-mpi2.tar.gz
gtar zxvf john-1.7.2-bp17-mpi2.tar.gz
cd john-1.7.2-bp17-mpi2/src

Make a small adaptation to the Makefile so it will work with openmpi:

vim Makefile
:%s/mpicc/om-mpicc/g
:wq

Now build the beast:

make linux-x86-mmx

If all goes well, you will see some warnings about pointers, but no errors and end up with a executable in ../run/john. Now change directory to
../run
and get hold of a shadow file, a .htaccess, a ldif with userpasswords, or anything with hashed passwords you would like to reverse back to the original form. If you don’t have anything yourself use Google with the right query to find something on the Net.
Give John his first assignment with the commandline:

om-mpirun -np 2 ./john -incremental my-hash-file.txt

The “-np 2” means that the “Number of Processors” is 2.
This is also the value to use if you have a single CPU machine with hyperthreading enabled.

Now if you want to get serious with decrypting hashed passwords, get the right wordlist for your language since people love to choose simple words they can easily remember. This is a good source:
ftp://ftp.mirrorgeek.com/openwall/wordlists
You can use the specific wordlist with John this way:

om-mpirun -np 2 ./john --wordlist=dutch_lower.txt my-hash-file.txt

So, when all is said and done, the main question remains. How fast is it?
Well John the Ripper has a build in benchmark function which you can
activate by using john -test, you then get lots of data for
all different ciphers which John supports.

I will take “FreeBSD MD5 [32/64 X2]” as a comparison metric.

On my Pentium D920 desktop running at 3.4GHz with linux /proc/cpuinfo:

cpu family: 15
model: 6
model name: Intel(R) Pentium(R) D CPU 3.40GHz
stepping: 2
dual cpu: Raw: 23511.00 c/s real 23488.00 c/s virtual
single cpu: Raw: 11786.00 c/s real 11786.00 c/s virtual

 

On my laptop: Core Duo CPU T2500 at 2.0GHz with linux /proc/cpuinfo:

cpu family: 6
model: 14
model name: Intel(R) CPU T2500 @ 2.00GHz
stepping: 8
dual cpu: Raw: 9622.00 c/s real 10106.00 c/s virtual
single cpu: Raw: 5061.00 c/s real 5061.00 c/s virtual

 

So what if this is not fast enough? There are two a number of roads you can take. There is Distributed Network Attack, this is like Seti at Home, where one master chops up the task at hand and delivers small chunks to thousands of computers which all complete the computations in spare processor time and then feed back the result to the master. The Secret Service has linked 4000 computers this way to try and decrypt passwords which it can’t break with “normal” supercomputer power.
You can build your own DNA password cracking universum by using Distributed John

An other way would be using Rainbow Tables where every possible password is already translated to it’s hash value. So if you have a hash from a password file and you want to know to which password it belongs, you can just do a lookup in the giant rainbow table and find the password.

Caveat Lector!
Usage of tools like “John the Ripper” might be unlawfull or illegal in your country, if you want to test strenght of passwords on systems which are not your own, get written permission of the owner first.

Author: Ewald

The grey haired professor

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.