Friday, May 14, 2021

Cracking Passwords

Enforcing password security with a multiple-user system can be a hassle —
users all too often use inadequate passwords. john-the-ripper (also available
via most distros) is a password-cracking tool that enables the identification of
vulnerable passwords before someone with nefarious intentions finds the
weakness.

The first step is to extract the username/password information from the relevant files, using the provided unshadow tool:

unshadow /etc/passwd /etc/shadow > /tmp/password.db

After that, john has three cracking modes:

  • Dictionary mode, which tests passwords based on dictionary words. You can
    use the provided dictionary or provide your own, and there’s an option to
    enable “word mangling” rules.
  • “Single crack” mode, which uses login names and various
    /etc/passwd values as password candidates, as well as applying

    word mangling rules.

  • Incremental mode, which tries all possible character combinations and
    will obviously take a very, very long time to run. You can change the
    parameters for this via the config file.

    You can run one at a time (in which case, try “single crack” mode
    first), or run all of them consecutively with

    john /tmp/password.db

    To show results, use

    john --show /tmp/password.db

    unshadow will produce a password database only on systems that
    use /etc/passwd and /etc/shadow for login. For centralized
    systems, there’s a Kerberos5
    module
    available, or the supplied unafs utility extracts
    Kerberos AFS passwords. There’s also a LDAP module.

    Also remember that you can limit cracking attempts
    through measures such as locking out specific IP addresses after multiple failed ssh attempts or limiting the number of times a user can get a password wrong when logging on.


    This article was first published on ServerWatch.com.

    Similar articles

    Latest Articles

    Database-Tuning Platform Launches and...

    PITTSBURGH — A team out of Carnegie Mellon University is launching its automatic database-tuning product today with the help of $2.5 million in funding.   OtterTune,...

    Top 10 Professional Services...

    Professional services automation (PSA) software aims to offer service-based companies most of the software they will need to run their businesses in one package....

    What is Data Aggregation?

    Data aggregation is the process where raw data is gathered and presented in a summarized format for statistical analysis. The data may be gathered...

    Dell APEX: Our...

    One of the missteps IBM made last century was collapsing their sales model, which was services based, to generate a short-term revenue spike. Up...