In this post we will present a short intro regarding the software password cracking tool named “John the Ripper” (JTR). This tool is designed to be both powerful and fast, and it combines several cracking modes in one program. It is available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS and it is the most popular available password cracking tool. The tool can be customized to mix different cracking techniques and also can auto detect password hash types.
JTR can work in three different modes: wordlist mode, single mode and incremental mode. Wordlist mode takes text string samples from a file (wordlist) containing words found in a dictionary or real passwords cracked before). Then it encrypts those words in the same format as the password being examined (including both the encryption algorithm and key), and comparing the output to the encrypted string. In addition, it can perform alternations to the data from the wordlist and compare these as well. Single mode uses login names, GECOS (information about the account or its user(s) such as their real name and phone number) and users’ home directory names as candidate passwords. This mode is faster than the wordlist mode since the used information is compared with passwords (and hashes with the same salt) for the account that is was taken from. JTR incremental mode is the most powerful mode since it can try any character combination until the password is found. However, this technique is often impractical due to the possible number of combinations that increase the computational cost (overhead). This mode actually uses trigraph frequencies tables (three letters combined together), separately for each character position and for each password length.
JTR supports two of the techniques described in the previous post, dictionary and brute force attacks. Single and wordlist modes are practically dictionary attacks, since as we explained above each one of them uses a wordlist that contains strings that can be used as a password. Of course, single mode will search in a shorter wordlist in length but nonetheless it can be classified as a dictionary attack. Moreover, JTR supports brute force attacks since the incremental mode theoretically is an implementation of this attack. As in brute force attacks, the incremental mode tries every combination of characters until the password is found. The practical difference is that incremental mode uses characters with trigraph frequency.
Information of how to install and use JTR can be found here. In the next post, we will show how to crack one million passwords from online leaked lists.