Technical Guide to Auditing Weak Corporate Passwords with John the Ripper.
This is the first post of a two-part series on why and how to crack passwords. This first part will focus on how to use the “John the ripper” tool, while the second part will focus on the overall password cracking process and a suggested approach to efficient password cracking. First, why even bother with that, you may ask? Well, often, organizations can have very weak passwords, or default passwords that are assigned by service desk folks to all employees, and never changed. This means many accounts in your Active Directory, or in your hybrid AD-Azure AD deployment, can have very weak easy to guess passwords, and lots of accounts could have the same weak password. This can have dire consequences as it would allow an adversary to easy guess or brute force an account to get a foothold into an organization, and easily move laterally from there given many accounts share passwords. So it is best practice, on a regular basis, to extract passwords from an organization’s Active Directory, and attempt to crack them, to ascertain whether or not the organization suffers from the aforementioned issues, and to what extend, so it can be addressed.
There are two leading tools when it comes to password cracking: “John the ripper”, and Hashcat. John the ripper has been around the longest, and is good at cracking passwords on CPUs alone or with the help of GPUs, while Hashcat may have the edge when it comes to leveraging powerful GPUs for fast cracking. John the ripper has more cracking modes and options available though.In this post, we will focus on John the ripper, and explain what each cracking mode does, and how to use them, since there’s very little information out there about that, aside from spending a lot of time reading all the documentation pages on their Github. This is intended as a nice little summary of everything you need to know so you can hit the ground running.
Running john without options (called batch mode)It does the following: - It runs the single mode with this set of mangling rules: ‘Single’ - It then runs the wordlist mode (with the default wordlist as per john.conf file) with this set of mangling rules: ‘Wordlist’ - And finally it runs the incremental mode (with charset and options as per the john.conf file; DefaultIncremental = ASCII).
See below for command assistance:
Single mode:
Syntax:
john --single[=mangling_rules]
It comes up with its own word list based on account name, GECOS field, etc.
It uses this default set of mangling rules: ‘Single’
It can be augmented by seed words that you choose:
--single-seed=WORD[,WORD][,...])
--single-wordlist=FILE
Wordlist mode:
Syntax:
john --wordlist[=FILE]
It uses a wordlist
The default wordlist as per john.conf file is ‘password.lst’
‘rockyou’ is a great word list
No mangling rules are used by default
Use the --rules=[word_list] option to use specific mangling rules
‘Wordlist’ is the default set of mangling rules if none are specified (you still have to use the –rules flag)
‘Jumbo’ and ‘hashcat’ are great sets of mangling rules
Use ‘All’ for the complete set of manging rules
Incremental mode:
Syntax:
john --incremental[=MODE]
That’s the brute force mode
MODE specifies a character set, minimum length, and maximum length
Default mode settings:
[Incremental:ASCII]
File = $JOHN/ascii.chr
MinLen = 0
MaxLen = 13
CharCount = 95
Use the --min-length=N and --max-length=N options to use a specific password length / length range instead of the default ones for a given incremental mode, as specified in the john.conf file
Loopback mode:
Allows you to “recurse”, or dig deeper to crack more passwords based on passwords already cracked and stored in the .pot file, provided they are similar
So it behaves like the wordlist mode, but using the content of a .pot file as a word list
Syntax:
john --loopback[=FILE]
It uses john’s default .pot file, unless instructed otherwise
Rules:
Since it works like the wordlist mode, it supports mangling rules as well
Contrary to the wordlist mode, there is a default set of mangling rules: List.Rules:Loopback
To use no mangling rules, use: --rules=none
A good set of mangling rules to use is ‘All’: --rules=All
Markov mode:
This mode uses a strategy based on Markov chains
It’s a complex mode, so refer to the documentation for more details
Cracking will go up to a default max Markov level (MkvLvl in config file), and a default max password length (MkvMaxLen in config file)
Syntax:
john --markov[=[MINLEVEL-]LEVEL]
to specify a max Markov level, and also optionally a min one - Use --min-length=N and --max-length=N to use a specific password length / length range instead of the default ones - Mangling rules aren’t allowed in this mode - How to use this mode: - First step: - Run this command:
john --format=NT --fork=4 --markov=max_level --max-run=max_runtime_in_seconds
- Choose a max level high enough that it runs at least for the chosen max time
- In the output of that command, look for the average number of passwords per second it can try
- Figure out how long you're OK to run this mode for, and thus – given the average number of passwords per second John the ripper can attempt to crack, as per the previous step – how many passwords you'll be able to try in this timeframe
- This command will also create a 'stats' file that can be used to estimate how many passwords will be tried by each Markov level (see next step)
- Second step:
- Run this command:
genmkvpwd stats 0 max_pwd_length
- It will show the estimated number of passwords that are tried for **each** Markov level (not only the one set in the previous command)
- Third step: select the Markov level closest to the amount of passwords you can afford to try (as determined in step 1)
- Last step: you can then run the Markov mode with the appropriate Markov level
Subsets mode:
Syntax:
john --subsets=[=charset]
This mode exploits the weakness of low entropy passwords
It will try subsets of a given character set, with increasing lengths
It divides the keyspace in several (subset size, password length) pairs, and will always try a smaller sub-keyspace before a larger one. For example, it will try very long passwords consisting of few unique characters before it tries a short one with more unique characters
With no option specified, the subsets mode will start with a length of 1 and a subset size of 1, and then increment both of them, starting with the subset size, and then incrementing the password length, ending at length 32 or the format’s max length, whichever is lower
Use the --min-length=N and --max-length=N options to use a specific password length / length range
By default, no more than 7 different characters from the character set will be used for any word even at password lengths over 7
Use the --subsets-min-diff=N and --subsets-max-diff=N options to force the size of a subset
Mangling rules aren’t allowed in this mode
“Pattern” cracking” modes:
“Pattern cracking” can be done using the mask mode (--mask) or the regex mode (--regex) (this mode is experimental / not supported)
Mask mode is very similar to globbing, but it’s slightly less powerful (no * globbing equivalent, for example)
Mangling rules aren’t allowed in either mode
External mode:
Let’s you create “C”-like code (interface to implement) that generates password candidates using a custom logic
Mode stacking:
Modes can be stacked, i.e. you can run a mode on top of another mode
You just to specify two modes (or more) in a row
The first mode is used, and then each password candidate generated by the first mode is used as an input to the second mode that generates more, etc.
Password formats:
Use --format=NT for NT hash (wrongly referred to as “NTLM hash”), which is the password format on Windows systems (local account passwords and AD passwords)
Use the --list=formats option to see all supported formats
Performance:
Use the --fork=number_of_cpu option for parallel execution on several CPUs / cores
