Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

John the ripper taking too long

Status
Not open for further replies.
Donboy

Donboy

IS-IT--Management
Aug 20, 2002
73
US
I have downloaded and installed John and everything seemed OK for the installation. I started John and it said something about only needing to test 4 passwords with 4 different salts. Not sure what "salts" means, but anyway...

I ran it for just a few minutes before it cracked one of my passwords. Cool.. I know it's working. But after another 7 hours, it still hadn't finished. I ended up killing the process and restarting. Now it says I only need to test 3 of them. I guess that's because it already cracked one of them and now it's working on the other 3.

When I run John now, it says something like what I'm showing below. Every few minutes i would hit a key on the keyboard just to see what it was doing. Here's what it says...

Loaded 3 passwords with 3 different salts (FreeBSD MD5 [32/32])
guesses: 0 time: 0:00:00:36 28% (2) c/s: 2674 trying: symbol5
guesses: 0 time: 0:00:00:42 32% (2) c/s: 2674 trying: dookie6
guesses: 0 time: 0:00:00:51 41% (2) c/s: 2673 trying: pckrs
guesses: 0 time: 0:00:00:57 48% (2) c/s: 2674 trying: Nedlog
guesses: 0 time: 0:00:01:04 53% (2) c/s: 2675 trying: 2isabelle
guesses: 0 time: 0:00:01:52 89% (2) c/s: 2675 trying: fictioned
guesses: 0 time: 0:00:02:09 (3) c/s: 2643 trying: salach
guesses: 0 time: 0:00:02:28 (3) c/s: 2625 trying: supped
guesses: 0 time: 0:00:04:04 (3) c/s: 2594 trying: mediande
guesses: 0 time: 0:00:10:16 (3) c/s: 2650 trying: maj75
guesses: 0 time: 0:01:19:56 (3) c/s: 2671 trying: scoopeck
guesses: 0 time: 0:02:27:54 (3) c/s: 2667 trying: todfger


This looks weird. It's not showing percentages now. I'm not sure if this is bad or not. I looked high and low for some documentation for John but I couldn't find much of anything on their website. I don't know if this was because (A) I wasn't looking hard enough, or (B) their website could use an overhaul to make sure the information is easier to find or (C) they don't offer documentation. If they do, I will gladly kick myself in the goodies for posting such a doofus question.

How long is John supposed to run before I should assume it's not doing anything. And should I be concerned about the fact that it keeps saying "guesses: 0" for all of them? Finally, where can I find some good info about running John on Linux.
 
Sort by date Sort by votes
Think about it this way : did you put good passwords on your linux machine? or did you put something that there is no way can be associated with a word, in sound and form? If so, that's why.

John cracks passwords, yes. But john is only a brute force program, it's got nothing else. Why do you think most kiddies run the thing in the background on a box they have user access that they can't elevate? because they know that if they can leave the thing running as long as possible they will have a better chance of getting the almighty root password.

just my 2 canadian cents.
--Dave

_____________________________
when someone asks for your username and password, and much *clickely clickely* is happening in the background, know enough that you should be worried.
 
Upvote 0 Downvote
I generally agree with lullysing, but John is also a dictionary cracker. The dictionary that comes with it is poor at best. There are numerous dictionaries on the net, and installing them will greatly increase your speed of password recovery if people are using dictionary-based passwords.

And if you are only interested in the root password, then edit the password file to only include the user root. It will speed the cracking marginally (you only compare the hash against 1 hash, not 3).

I had to run John for 2 1/2 days on one machine to get a relatively easy root password with the default dictionary. But if you are curious if John still running, just check top. I'm sure that it will be relatively close to the top as it has a high CPU utilization.

Brute force password cracking is always possible, but it takes a long time unless the password is simple. Some of the things that you can do to improve the cracking performance involve using John's option switches to match password construction rules. If you know that a numeric or special character is required, then set those options in John. That way you won't waste time looking at all alpha passwords when they aren't even possible.

Oh, and a "salt" is an initialization vector for the hashing algorithm. It is the lack of a salt that makes Windows passwords so trivial to crack. On Unix, each machine has a salt that it uses (I don't recall how you arrive at it), so if you use the same password for two users on the same system, their hash will be the same, but if you use the same password on two different systems, the hash will likely be different.


pansophic
 
Upvote 0 Downvote
Thanks for all your help, guys. I feel pretty good about my passwords and my methods for logging in, but I wanted to use John as a final verification.

First, I have only one user account that is allowed to use SSH. It's an unprivlidged account and the only purpose for the account is logging in to SSH. It is not used for FTP, email, or any other purpose, so if it turns up in my logs, I will know that's its only use.

Once I have logged in using that account, I will su - to change to the root account which has a totally different password. Of course it's a royal pain having to enter 2 different usernames and passwords, but security is obviously the greater concern.

If it weren't for the fact that I need to be able to SSH from different locations all the time, I would just disable SSH completely or only allow it from select IP's but I never know where I'm going to be.

So do you think this scheme is pretty safe?? Should I be doing something else that maybe I've not considered?

I had no idea John would take so long. I've been reading "Linux Security" by Ramon J Hontanon and while it's a very good book, it didn't say anything that suggested that it might take days to run John on my /etc/passwd file.

Thanks again for your insight.
 
Upvote 0 Downvote
John the Ripper is a great *nix password cracker. It's speed isn't so bad. It checks common passwords initially, like names, words, places, etc. If the password isn't found in the initial check, it then does true brute forcing (trying all possible password combinations). This step takes some time, depending on the length of the password. Because of all of the password possibilities, obviously it is going to take a while. No password cracker will be much faster.

--Sapient2003 - sapient@sapient2003.com
"The worst insecurity is believing you are too secure."
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
230
nnaarrnn
nnaarrnn
DivemasterBill
  • Locked
  • Question
Cannot connect via the SonicWall Login webpage
Replies
0
Views
79
DivemasterBill
DivemasterBill
Russtoleum
  • Locked
  • Question
SW GVC won't route traffic through sonicwall to offsite tunnel unless it leases an ip on the same su
Replies
1
Views
91
Russtoleum
Russtoleum
RodneyMcSnow
  • Locked
  • Question
Hardware firewall bypassed access to the lan network. Please Help! No it's not a root kit or virus
Replies
1
Views
75
ChrisHirst
ChrisHirst
2ffat
  • Locked
  • News
Just how serious is the Russian password hack?
Replies
1
Views
63
PalmTest
PalmTest

Part and Inventory Search

Sponsor

Back
Top