<html>

<head>

<title>Untitled Document</title>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

</head>



<body bgcolor="#FFFFFF" text="#000000">

<table width="680" border="0" cellspacing="2" cellpadding="2" align="center">

  <tr> 

    <td width="693"> 

      <pre>

                        :::::::::   ::::::::  :::::::::  :::::::::: 

                        :+:    :+: :+:    :+: :+:    :+: :+:        

                        +:+    +:+ +:+        +:+    +:+ +:+        

                        +#++:++#+  +#++:++#++ +#++:++#:  :#::+::#   

                        +#+    +#+        +#+ +#+    +#+ +#+        

                        #+#    #+# #+#    #+# #+#    #+# #+#        

                        #########   ########  ###    ### ###  

                         

              	             <a href="http://blacksun.box.sk" target="_blank">http://blacksun.box.sk</a>

                           _____________________________

    ______________________I       <b>   Topic:</b>             I_____________________

   \                      I                             I                    /

    \     HTML by:        I   <b>Cracking Unix password</b>    I   Written by:     /

    >                     I    <b>files for beginners</b>      I   <a href="mailto:myonlyemail1@yahoo.com">Caboom</a>         < 

   /      <a href="mailto:black_mesa@gmx.de">Martin L.</a>       I_____________________________I   <a href="mailto:barakirs@netvision.net.il">R a v e N</a>       \

  /___________________________>                    <_________________________\</pre>

    </td>

  </tr>

</table>

<p>Version 1.0<br>

  Date: 14/1/2000</p>

<font size="4"><b>1) First thing's first</b></font>

<hr width="250" align="left">

<p><br>

  I guess you're a newbie in pass-cracking like I was and you've probably started 
  John the Ripper full of enthusiasm, and got.... nothing. So the first thought 
  you have is 'my god this must be hard, and I'm a newbie'. Forget it!!! You're 
  always a newbie, and we all are... in the pass cracking world, pardon, pass recovering 
  world (or any other world) you always have something to learn. Sometimes, even 
  if you are experienced in password cracking, you won't be able to crack the 
  password or even get your own password. This is a purely technical manual and 
  will give you only the recipe for cracking, but every password needs a different 
  approach...</p>

<p>OK, so a good way to get somewhere is to start getting somewhere...<br>

  What you're about to learn is to crack *nix (Unix/Linux/etc.) password files. 
  It does not mean that you need to have some Unix distribution on your box, but 
  it means you'll have to stop clicking your ass off all around the screen... 
  'What is this fool trying to say', you'll probably ask... This fool is trying 
  to say that john is a DOS program (there is also a Linux/Unix version, but I guess 
  that most of the people that read this tutorial have win boxes). I will try 
  to put this tutorial through examples so it won't look like a boring 
  script with an incredible amount of switches. After reading this text it wouldn't 
  be a bad idea to look at the texts you get with John. I learnt it all from there, 
  but that, of course, was the hard way, and you want the easy way, right? Right.</p>

<p>First, it wouldn't be a bad idea to get yourself John the Ripper, I guess... 

  if you don't have it you can find it at:</p>

<p>1) packetstorm.securify.com (look at archives, password cracking)<br>

  2) neworder.box.sk (do some searching by yourself)</p>

<p>John can be found practically anywhere. For example: try going to altavista.com 

  and running a search for 'john the ripper'.</p>

<p>The second thing you'll need is.... a HUUUUGE amount of password dictionaries (I'll 
  explain what these are in a minute). The best dictionary around is at www.theargon.com 
  and packetstorm (look at the archives); it is called theargonlistserver1 and 
  is about 20Mb packed, and over 200Mb unpacked... get it!!!! The people at theargon 
  did a terrific job.</p>

<p>You should also get some smaller dictionary files (I'll explain why later).</p>

<font size="4"><b>2) Do we look like *nix?</b></font><br>

<hr width="250" align="left">

<p><br>

  So now you have john, loaded with that huuuuge pass dictionary, and you think 

  that you can crack anything... If you plan to live for 100000 years, that wouldn't 

  be a problem, but you only have some 80 years left in the best case scenario 

  (unless, of course, scientists find a way to... oh, nevermind).</p>

<p>Now, the first thing is that you have to make sure your password file really 
  looks like a Unix password file (we're talking about the /etc/passwd file).</p>

<p>Let's see what Unix pass files look like:</p>

<p> owner:Ejrt3EJUnh5Ms:510:102:Some free text:/home/subdir/owner:/bin/bash</p>

<p>The important parts are the username and the encrypted password, which are the 
  first and the second fields (each line is divided into seven fields by : symbols):</p>

<p> owner:Ejrt3EJUnh5Ms</p>

<p>Owner is the username and 'that other thing' is the crypted password (encrypted 
  with the altered DES (Data Encryption Standard) scheme). For the other part you 
  can put anything that looks like that, but the structure must be the same so that 
  john can recognize it as a unix pass. In fact the other part</p>

<p> :510:102:Some free text:/home/subdir/owner:/bin/bash</p>

<p>Is just some information about the user, his home directory, etc...</p>

<p>Sometimes you'll have passes that have only the first and second parts, such 
  as password files that you got from a webboard running Matt's web board script.</p>

<p> owner:Ejrt3EJUnh5Ms</p>

<p>You'll have to add the other part so that the password looks like a unix pass; 
  you can do a copy-paste from another pass, or you can even use</p>

<p> :510:102:His name:/home/subdir/owner:/bin/bash</p>

<p>What you have now should look like:</p>

<p> owner:Ejrt3EJUnh5Ms:510:102:His name:/home/subdir/owner:/bin/bash</p>

<p>Hell, you can even put</p>

<p> owner:Ejrt3EJUnh5Ms:a:a:a:a:a</p>

<p>It won't matter to john at all.</p>
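<p>As an added example (not part of the original tutorial, and not john's own code), here is a small parser for the seven-field format described above. It pads two-field "user:hash" lines to seven fields the way the text says, checks that the hash field has the shape of a traditional crypt(3) DES output (13 characters, the first two being the salt; a fact about crypt(3), not something the text states), and lists accounts whose hash is still sitting in the world-readable passwd file rather than being replaced by a placeholder such as 'x'. The sample file, filler values and function names are all constructed for this example.</p>

```python
# Added example (not from the tutorial): a small parser/normaliser for the
# seven-field /etc/passwd format shown above, plus a check for entries that
# still carry a real hash in this world-readable file.
from dataclasses import dataclass
from typing import List, Optional

FIELD_COUNT = 7  # user:hash:uid:gid:free text:home:shell

# Constructed filler for two-field "user:hash" lines; john ignores these fields.
DEFAULT_TAIL = ["0", "0", "filled in", "/home/none", "/bin/false"]

# Output alphabet of traditional crypt(3): [./0-9A-Za-z]
CRYPT_ALPHABET = set("./0123456789"
                     "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "abcdefghijklmnopqrstuvwxyz")


@dataclass
class PasswdEntry:
    user: str
    hash: str
    uid: str
    gid: str
    gecos: str
    home: str
    shell: str


def parse_line(line: str) -> Optional[PasswdEntry]:
    """Parse one line; two-field lines are padded to seven as the text describes."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None  # blank line or comment
    parts = line.split(":")
    if len(parts) == 2:
        parts = parts + DEFAULT_TAIL
    if len(parts) != FIELD_COUNT:
        raise ValueError(f"expected 2 or {FIELD_COUNT} fields, got {len(parts)}: {line!r}")
    if not parts[0]:
        raise ValueError(f"empty username: {line!r}")
    return PasswdEntry(*parts)


def to_line(e: PasswdEntry) -> str:
    """Re-emit an entry in full seven-field form."""
    return ":".join([e.user, e.hash, e.uid, e.gid, e.gecos, e.home, e.shell])


def looks_like_des_crypt(h: str) -> bool:
    """Traditional crypt(3) DES output: 13 chars from [./0-9A-Za-z], first two are the salt."""
    return len(h) == 13 and all(c in CRYPT_ALPHABET for c in h)


def normalise(text: str) -> List[str]:
    """Every entry of the file re-emitted with all seven fields present."""
    return [to_line(e) for e in map(parse_line, text.splitlines()) if e is not None]


def exposed_hashes(text: str) -> List[str]:
    """Users whose hash field is a real DES hash rather than a placeholder ('x', '*', '!')."""
    return [e.user for e in map(parse_line, text.splitlines())
            if e is not None and looks_like_des_crypt(e.hash)]


# Constructed sample: the tutorial's example line, a webboard-style two-field
# line, and an account whose hash field holds only the placeholder 'x'.
SAMPLE = """\
owner:Ejrt3EJUnh5Ms:510:102:Some free text:/home/subdir/owner:/bin/bash
webuser:Ejrt3EJUnh5Ms
bob:x:1000:1000:Bob:/home/bob:/bin/sh
"""

if __name__ == "__main__":
    for line in normalise(SAMPLE):
        print(line)
    print("hash present in passwd:", exposed_hashes(SAMPLE))
```

<p>Run it on the constructed sample and the two-field webuser line comes back padded to seven fields, while bob (placeholder 'x') is left out of the exposed list.</p>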

<font size="4"><b>3) We're getting somewhere... nowhere</b></font><br>

<hr width="250" align="left">

<p>Now you're ready to crack. Type in</p>

<p> john -w:words.lst password.file</p>

<p>Where words.lst is the password dictionary and password.file is the file where you have your 
  password or passwords. If you use it on the example I gave you, you'll probably 
  get the password because it's a really weak pass. You'd be surprised to see that people 
  usually use really weak passes like their names, pet names, or even their username 
  (for example: username=zalabuk, password=zalabuk).</p>

<p> Hint: Don't be stupid! Use strong passes like<br>
  <br>
  p4sswr!@<br>
  p@s$w11s<br>
  with as many characters as you can remember. The hint is to use special characters 
  and numbers; those passes are much harder to crack (I'll explain why in a minute).<br>
  The other hint is to use passes as long as you can remember; 8 characters are 
  sometimes not enough... it depends on what box the one who cracks has... on a 
  dual Alpha it is certainly not enough... in other words... more than 10 characters 
  will do fine, even more wouldn't hurt (like 16...). By the way, older *nix have a 
  fixed pass length of 8 chars... that is the old DES crypted pass that uses a 64-bit 
  key... now there are 128-bit keys, and some perverts use even more, so there 
  is more fun now :)<br>
  <br>
  john -w:words.lst password.file</p>

<p>Wait wait wait! What am I doing here?<br>
  Alright, listen up carefully. The DES encryption that Unix uses CANNOT be reversed. 
  Some encryptions can be reversed using a sometimes simple or sometimes incredibly 
  complicated algorithm (in the 3rd century AD, Caesar used to send encrypted 
  letters which used a formula of &quot;shift by three&quot;, which means that 
  d stands for a, e stands for b etc. At that time, such an algorithm was just 
  fine. Today, it isn't).<br>
  So anyway, the altered DES encryption that Unix uses for its password files 
  cannot be reversed. Why? Because it's a key-based encryption. The encryption 
  algorithm uses a bunch of letters (lowercase and uppercase), numbers and symbols 
  within the algorithm. So, in other words, to run the decryption algorithm you 
  will need this key, which you simply cannot just have, because the key is the 
  password! You see, when a user picks a password, the system generates an encrypted 
  password for him, called a hash (which is what you get when you somehow acquire 
  a password file), which is created by running this altered DES algorithm using 
  the user's password as the key. If you try to decrypt the password using standard 
  reversible DES encryption, you get a null string.<br>
  So how do John and other password crackers do it? Easy. They try to recreate 
  this process by taking passwords out of these dictionary files (or wordlists) 
  and using them as keys for this altered DES algorithm. Then, they compare 
  the result to all the encrypted passwords within the password file you've given 
  them. If the two strings match - there you have it! The password is yours!</p>
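<p>An added example, written for this page and not taken from the tutorial or from john: the one-way process just described, and the policy checks the hint above argues for. The tutorial's systems used the altered DES of crypt(3); this example stands in PBKDF2-HMAC-SHA256 from Python's hashlib (an assumption on my part, chosen because it runs everywhere), but the principle is identical: the stored value is the output of a function keyed by the password, and checking a password means recomputing that output with the stored salt and comparing, never decrypting. The second function rejects, before anything is hashed, exactly the passwords the text says a wordlist plus simple rules finds first: the username, the username with digits appended, a denylisted word, anything short or using too few character classes. The denylist, thresholds and function names are constructed for the example.</p>

```python
# Added example (not the tutorial's code): how a salted one-way password
# hash is created and checked, and the policy checks the hint above suggests.
# PBKDF2-HMAC-SHA256 stands in for the crypt(3) DES the tutorial talks about.
import base64
import hashlib
import hmac
import os
from typing import List, Optional

ITERATIONS = 50_000  # work factor: slows every guess, legitimate or not, by the same amount


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive the stored value; a random salt makes equal passwords hash differently."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$pbkdf2$%s$%s" % (base64.b64encode(salt).decode(),
                              base64.b64encode(digest).decode())


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare; nothing is ever reversed."""
    _, scheme, salt_b64, digest_b64 = stored.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unknown scheme " + scheme)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    got = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(got, expected)  # constant-time comparison


# Constructed denylist standing in for the wordlists the text talks about.
SMALL_DENYLIST = {"password", "123456", "qwerty", "letmein"}


def password_problems(username: str, password: str) -> List[str]:
    """Reject what a wordlist run with simple rules would find first."""
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    lowered = password.lower()
    base = lowered.rstrip("0123456789")  # undo the 'fool -> fool1' rule
    if lowered == username.lower():
        problems.append("equals the username")
    elif base == username.lower():
        problems.append("is the username with digits appended")
    if base in SMALL_DENYLIST:
        problems.append("is a denylisted word (possibly with digits appended)")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    stored = hash_password("correct-Horse-9")
    print(stored)
    print(verify_password(stored, "correct-Horse-9"), verify_password(stored, "zalabuk"))
    print(password_problems("zalabuk", "zalabuk"))
    print(password_problems("owner", "p4sswr!@"))
```

<p>Note that the tutorial's own sample password p4sswr!@ passes every check except length, which is exactly the point the hint makes about 8 characters not being enough any more.</p>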

<p>If the first step doesn't work, the next step would be to do this:</p>

<p> john -w:words.lst -rules password.file</p>

<p>This switch turns on not only browsing through the dictionary, but also some 
  modifications of the words in the dictionary (like adding a number at 
  the end of the pass: fool -&gt; fool1, etc.). This one will take long with a 
  huge pass dictionary, but it may give better results... For a start you could 
  try it with a small pass dictionary, and if that doesn't work you can try it 
  with a huge pass dictionary.</p>

<p>Sometimes people are not stupid when they choose passwords and the basic rules 
  won't do the job... aaargh. As you've seen, it takes more and more time for your 
  CPU to crack this thing as we go further. Now you can leave your computer 
  on and go to sleep....</p>

<p>If you want to get even more possible passwords out of your password file, 

  try typing</p>

<p> john -i password.file</p>

<p>This -i stands for incremental cracking, not a really good word for it, but...<br>
  Okay, what the hell does it do? It uses the default incremental mode parameters, 
  which are defined in john.ini.<br>
  What does this mean? Do you remember -rules? Yes, well, of course you do, unless 
  you're either incredibly senile or you've stopped reading after this part and 
  only came back, like... a couple of years later. It is very much like -rules, 
  but much, much more powerful, and it takes much, much more time.</p>

<font size="4"><b>4) So where are we now (dictionary vs. brute-force)?</b></font><br>

<hr width="250" align="left">

<p><br>
  You can see that in all cases you use so-called dictionary cracking... but hell, 
  why not just run John in a mode where it tries all possible combinations of 
  lowercase and uppercase letters, numbers and symbols? I mean, this would be 
  much more efficient, right? ... WROOOOOOONGG!!!<br>
  This method is called a 'brute-force' attack (basically, a dictionary attack is 
  also a sort of brute-force attack, but most people use the word brute-force for 
  this specific attack).<br>
  What are the differences? First and most important, with a dictionary you go through 
  the selected words that could be passwords and their modifications, and with 
  brute force cracking you use ALL possible combinations. That means you have<br>
  comb=nrch^let</p>
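<p>An added example (mine, not the tutorial's) that evaluates comb = nrch^let, reading nrch as the number of distinct characters the search is allowed to use and let as the password length (that reading of the abbreviations is my assumption). It also sums the lengths below the target, since an exhaustive run walks those first, and converts the count into days at an assumed guess rate, which is constructed and not a measurement of any real machine. The alphabet names and function names are my own.</p>

```python
# Added example, not from the tutorial: evaluating comb = nrch ^ let and
# turning the count into time at an assumed (constructed) guess rate.
import string

# Alphabets a brute-force run might be configured with; sizes 26, 36, 62, 94.
ALPHABETS = {
    "lowercase": string.ascii_lowercase,
    "lowercase+digits": string.ascii_lowercase + string.digits,
    "mixed case+digits": string.ascii_letters + string.digits,
    "all printable": string.ascii_letters + string.digits + string.punctuation,
}


def combinations(nrch: int, let: int) -> int:
    """comb = nrch ^ let: strings of exactly this length over nrch characters."""
    return nrch ** let


def combinations_up_to(nrch: int, max_let: int) -> int:
    """Everything of length 1..max_let, which is what an exhaustive run actually walks."""
    return sum(nrch ** k for k in range(1, max_let + 1))


def smallest_alphabet(password: str):
    """Name and size of the smallest listed alphabet that covers the password."""
    for name, chars in ALPHABETS.items():
        if all(c in chars for c in password):
            return name, len(chars)
    return "outside listed alphabets", 0


def days_to_exhaust(nrch: int, let: int, guesses_per_second: float) -> float:
    """Time to try every string of this length at the given rate."""
    return combinations(nrch, let) / guesses_per_second / 86400


def report(password: str, guesses_per_second: float = 1_000_000) -> str:
    """One line per password: alphabet, keyspace and time; the rate is an assumption."""
    name, nrch = smallest_alphabet(password)
    let = len(password)
    return "%r: %d chars over %s (%d) -> %d combinations, %.1f days at %g guesses/s" % (
        password, let, name, nrch, combinations(nrch, let),
        days_to_exhaust(nrch, let, guesses_per_second), guesses_per_second)


if __name__ == "__main__":
    # The tutorial's sample passwords plus a longer one; 1e6 guesses/s is constructed.
    for pw in ["zalabuk", "p4sswr!@", "p@s$w11s", "c0rrect-Horse-Battery"]:
        print(report(pw))
```

<p>The comparison makes the text's two hints concrete: moving from lowercase only to the full printable set multiplies the per-character choices by more than three, and every extra character multiplies the whole keyspace again, which is why length buys far more than clever substitutions.</p>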
