Saturday, 10 December 2016

Cracking passwords with John the Ripper

John the Ripper has become one of the best-known tools for password cracking. It uses a dictionary-based attack method. Its primary use is to detect and crack weak UNIX passwords, and it can be run against various encrypted password formats, including several crypt password hash types most commonly found on various Unix versions (based on DES, MD5, or Blowfish).

Note: the larger the password list, the longer it takes to crack the password.

I am using Kali Linux version 1.0.6 in this exercise.

1. I created a new user in my Kali Linux VMware machine, and the password is: password

2. I created a new directory called natasha to hold the password results. It is up to you whether to create a new directory or not.


3. We unshadow the password file. Linux keeps the account and password-hash data in "/etc/passwd" and "/etc/shadow". If you have looked inside these two files, you may be wondering what the difference between them is.

The answer is:

passwd is the file where the user information (like username, user ID, group ID, location of home directory, login shell, ...) is stored when a new user is created.

shadow is the file where important information (like an encrypted form of the password of a user, the day the password expires, whether or not the password has to be changed, the minimum and maximum time between password changes, ...) is stored when a new user is created.


That is why the two files have to be combined into one password file, which is used for cracking later.

4. Before we crack the unshadowed file, we have to locate the password.lst file that is going to be used as the dictionary.

command: locate password.lst

5. Now that we have located the path, we can proceed to crack the password. Copy the path and put it in the command argument.

command: john --wordlist=/usr/share/john/password.lst "your_password_file"

After the password file is done cracking, john prints the result. You can see it again with the --show option.

command: john --show "your_password_file"
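
An added example, not part of the original post or of John the Ripper's own code: a short Python audit helper that performs the merge described in step 3 on constructed passwd/shadow records and reports which accounts still use the DES- or MD5-based crypt schemes mentioned in the introduction. The sample records, the function names and the choice to treat those two schemes as legacy are assumptions of this example.

```python
import re

# Constructed sample records: not real accounts, salts or hashes.
PASSWD = """root:x:0:0:root:/root:/bin/bash
natasha:x:1001:1001::/home/natasha:/bin/bash
olduser:x:1002:1002::/home/olduser:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
SHADOW = """root:$6$SALTSALT$HASHPLACEHOLDER:17145:0:99999:7:::
natasha:$1$SALTSALT$HASHPLACEHOLDER:17145:0:99999:7:::
olduser:XXconstructed:17145:0:99999:7:::
daemon:*:17145:0:99999:7:::
"""
# crypt(3) identifiers; "$2" covers the $2a$/$2b$/$2y$ Blowfish variants.
PREFIXES = [("$1$", "md5crypt"), ("$2", "bcrypt (Blowfish)"),
            ("$5$", "sha256crypt"), ("$6$", "sha512crypt")]
LEGACY = {"descrypt", "md5crypt"}  # assumption: this example's policy

def scheme(field):
    """Classify the hash field of a shadow record by its crypt(3) prefix."""
    if field == "":
        return "empty"
    if field[0] in "*!":
        return "locked"
    for prefix, name in PREFIXES:
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"  # traditional DES crypt: 2-char salt + 11-char hash
    return "unknown"

def merge(passwd_text, shadow_text):
    """Return passwd-style lines with the 'x' placeholder replaced by the hash."""
    hashes = dict(l.split(":")[:2] for l in shadow_text.splitlines() if ":" in l)
    merged = []
    for parts in (l.split(":") for l in passwd_text.splitlines() if ":" in l):
        if parts[1] == "x" and parts[0] in hashes:
            parts[1] = hashes[parts[0]]
        merged.append(":".join(parts))
    return merged

def legacy_accounts(passwd_text, shadow_text):
    """List (user, scheme) for accounts whose hash uses a legacy scheme."""
    pairs = [line.split(":")[:2] for line in merge(passwd_text, shadow_text)]
    return [(u, scheme(f)) for u, f in pairs if scheme(f) in LEGACY]

if __name__ == "__main__":
    for user, name in legacy_accounts(PASSWD, SHADOW):
        print(f"{user} still uses {name}")
```

Accounts this reports are the ones to move to a stronger hash scheme and force a password change on.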

So that is it. I encourage you all to try the different features of the John the Ripper tool, and also to download a larger password list file and try it. Have a good day.