Detecting weak passwords with john the ripper
Posted by Steve on Mon 20 Dec 2004 at 22:30
Many times system compromises occur because a password has been guessed, or brute-forced, because it is too simple. Even if you have a well-defined password policy for your users you typically have no idea what kind of passwords they are choosing.
This is where the package john the ripper can be useful.
It will read the encrypted passwords from your system-wide password file, /etc/shadow, and attempt to crack each one.
The Debian package will install a cronjob allowing the tool to be run on a regular basis. By default this is disabled, but if you wish you can enable it by editing the file /etc/cron.daily/john.
Remove the comment characters "#" from the front of the bottom two lines and you will be left with the following:
#
# Start john everyday at the same to try to crack the passwords. The
# second line will then later stop the process so that it doesn't
# consume system resources that are needed otherwise. You are
# encouraged to change the times.
#
# Also notice that John is 'nice'd, if you don't like this (you
# believe that your system can run fine with john doing its work)
# just remove the 'nice' call
#
# JOHN_OPTIONS = foo bar (man 5 crontab)
#
00 1 * * * root [ -x /usr/share/john/cronjob ] && nice /usr/share/john/cronjob start
00 7 * * * root [ -x /usr/share/john/cronjob ] && /usr/share/john/cronjob stop
This will start the password cracking attempt at one minute past midnight, and stop it at seven minutes past.
The root user will be mailed with details of any user upon your system who has a weak password guessed, and then can advise the user to change their password - and use something more secure.
You may attempt to manually crack your own passwords by running:
john -single /etc/shadow
That forces john to run in "single mode", which is only one of the many modes it has - there are plenty of examples included in the file /usr/share/doc/john/EXAMPLES.gz - which you can read by running:
The output will show any revealed passwords. For example if you have a login account called test with the password of test (bad idea!) you will see the following output:
root@undecided:~# john -single /etc/shadow
Loaded 3 passwords with 3 different salts (FreeBSD MD5 [32/32])
test             (test)
guesses: 1  time: 0:00:00:00 100%  c/s: 5219  trying: 999991969
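As an added example (not part of the original article or of the john package), here is a small Python parser for the output format shown above. It pulls out which accounts john guessed, cross-checks the count against john's own "guesses:" line, and builds the kind of per-account summary an admin would mail to root, deliberately leaving the guessed passwords out of the report. The sample output is constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the session above:
# guessed password on the left, account name in parentheses.
SAMPLE_OUTPUT = """\
Loaded 3 passwords with 3 different salts (FreeBSD MD5 [32/32])
test             (test)
Password1        (alice)
guesses: 2  time: 0:00:00:05 100%  c/s: 5219  trying: 999991969
"""

# "<password><spaces>(<user>)" lines; the user field never contains spaces or parens.
GUESS_LINE = re.compile(r"^(?P<password>.*?)\s+\((?P<user>[^()\s]+)\)\s*$")
# john's closing status line starts with the number of passwords it guessed.
GUESSES_LINE = re.compile(r"^guesses:\s*(?P<n>\d+)")


def parse_john_output(text: str) -> Dict[str, object]:
    """Return {user: password} for every guessed account plus john's own count."""
    cracked: Dict[str, str] = {}
    reported: Optional[int] = None
    for line in text.splitlines():
        m = GUESSES_LINE.match(line)
        if m:
            reported = int(m.group("n"))
            continue
        if line.startswith("Loaded "):      # header line, not a guess
            continue
        m = GUESS_LINE.match(line)
        if m:
            cracked[m.group("user")] = m.group("password")
    return {"cracked": cracked, "reported_guesses": reported}


def weak_password_report(text: str) -> List[str]:
    """Lines to mail root: account names only, never the guessed passwords."""
    result = parse_john_output(text)
    cracked: Dict[str, str] = result["cracked"]  # type: ignore[assignment]
    lines: List[str] = []
    for user, password in sorted(cracked.items()):
        note = " (password equals the login name)" if password == user else ""
        lines.append(f"weak password: {user}{note}")
    reported = result["reported_guesses"]
    if reported is not None and reported != len(cracked):
        lines.append(f"warning: john reported {reported} guesses but {len(cracked)} were parsed")
    return lines
```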