#1
Triple-A Player
Join Date: Dec 2003
Location: Tokyo, Japan
Posts: 71

Hi,
I want to test my Unix login names with John the Ripper. I downloaded the program from www.openwall.com/john. Since Darwin is not listed as an option during installation, I installed generic. I then tried to test my netinfo passwords with john (nidump passwd into a file followed by john analysis). The result was "Loaded 0 passwords". That cannot be. There are several passwords in the nidump file. I suspect the generic installation is the problem. Does anybody know which of the many FreeBSD options for the john installation would be closest to Darwin and function properly?

Detlef

Last edited by detlef; 03-02-2004 at 09:10 AM.

#2
Triple-A Player
Join Date: Dec 2003
Location: Tokyo, Japan
Posts: 71

Well, I found a GUI that does the job:
http://software.theresistance.net/

John The Ripper for MacOS X v. 1.6.34 (OS X)
MacOS X port of the popular "John The Ripper" password cracking tool with a native Mac GUI. Make sure the users on your systems are using secure passwords, or John The Ripper will crack them.
Freeware
http://software.theresistance.net/fi...eRipper.dmg.gz

Detlef

#3
Triple-A Player
Join Date: Dec 2003
Location: Tokyo, Japan
Posts: 71

Well, I announced success too early. This GUI doesn't seem to work with OSX 10.3.
The program was only able to locate uid 0 but was not able to crack the password. My password is a no-brainer. Anybody can guess that one.

Loaded 1 password (Traditional DES [32/32 BS])

Mmmm, I guess I still need some advice.

Detlef

#4
MVP
Join Date: Jun 2002
Location: Tucson, Arizona
Posts: 1,236

The password file isn't the same on Panther as it was previously. So when you nidump the file there aren't any passwords in it. Or at least, that's my understanding.

What I did on Panther was to copy the passwd file from /etc, then use the command openssl passwd 'some_password' to generate some passwords I wanted to test. Then feed that file into John.

John is pretty minimal on output -- it doesn't include the time it took to break the password. Which is important to me -- if I'm running this against my Admin password for six weeks I don't want to sit and watch it with a stopwatch. So I modified the source a bit and added functions to print timestamps. If you're really interested in this bit, you can look on the last page of the thread on Macfora. (Not that I am trying to promote one site over the other, it's more that I'm too lazy to copy and paste here.)

#5
Hall of Famer
Join Date: Jan 2002
Location: New York City
Posts: 2,831

Saw this and decided to give it a whirl. Either I've got good passwords or it isn't really running. (After a very brief spinning "gear-wheel" cursor, no visual feedback after clicking the "Crack Encrypted Passwords" button. Button appears to be "live" and clickable again. Nothing appears in bottom window).
I'll let it churn away, or not, as the case may be, while I'm sleeping tonight and see if I get a result when I wake up.

#6
MVP
Join Date: Jun 2002
Location: Tucson, Arizona
Posts: 1,236

I haven't used the GUI version, but the CLI version gives just about no indication at all that it's running. So I put in a few weak passwords in the passwd file I fed to John -- words like "tortoise" and "topsecret". Those pop out in very short order, so I can see that it's working.
I'll have to check out the GUI version when I get home -- sounds interesting.

Edit: Added "just about" qualifier to first sentence after reading yellow's post.

Last edited by nkuvu; 03-02-2004 at 04:26 PM.

#7
Moderator
Join Date: Jan 2002
Posts: 10,660

It should say:
Where X is a number indicative of the amount of users and the amount of different salted password hashes. If you got no visual output from the 'Get Encrypted Passwords' button, it's because this GUIfied JtR was written for (<=) Jaguar, not Panther and doesn't see Panther's shadowed passwords.

#8
Moderator
Join Date: Jan 2002
Posts: 10,660

I just started using nkuvu's modified code on the CLI version, quite helpful for my job. The only problem is, I hate to have to download 250 different password dumps and run JtR on each one individually. I know I could put them all in one file, but then I don't (necessarily) know which machine they were cracked from (we don't have a centralized login system for Macs).

edit: Thanks nkuvu!

#9
MVP
Join Date: Jun 2002
Location: Tucson, Arizona
Posts: 1,236

You're more than welcome. It really wasn't a huge change, as I'm sure you can tell. But I found it to be quite useful. Perhaps I'll send this on to the author to see if anyone else might find it useful...

#10
Hall of Famer
Join Date: Jan 2002
Location: New York City
Posts: 2,831

I'm in Jaguar (10.2.8) today, not Panther, but I've been running it right off the mounted .dmg... it appears to be happier when it's in /Applications.
I've got the "salts" message this time, and the gear-wheel stays whirling in place, much better. (Also good: it didn't immediately hork up my passwords.)

#11
Triple-A Player
Join Date: Dec 2003
Location: Tokyo, Japan
Posts: 71

As I said earlier, when using the John the Ripper GUI the program found only one password: the encrypted password of root.
When I tried to crack the password I got the following result:

Loaded 1 password (Traditional DES [32/32 BS])

Then the wheel spun for 2 seconds and that was it. So I had 2 problems with this outcome. One, John should have found passwords for uid 501 and 502, and two, John should have cracked the password for root.

So I investigated and found that the password for root was actually cracked. The password was blank. I discovered that when I tried to change the password for root. When I enabled root originally I must have left the password blank. After I changed the password I tried John again and it found the new root password and cracked it in 2 seconds.

The reason why John the Ripper (GUI) didn't find the other 2 uid passwords is because they are asterisked out in netinfo. So the nidump command which John is using in the background does not reveal these passwords. That is different to 10.2, where all the passwords are displayed in their hashed form. In 10.3 the passwords are stored in the /var/db/shadow/hash folder. I have not tried yet to run these encrypted passwords in John.

What I want to know at this point is why is my root password not asterisked out? The authentication_authority in netinfo is set to ;ShadowHash; so there should only be asterisks. I don't understand it. If somebody knows how I can fix that, that would be great.

One additional piece of info: I upgraded from 10.2.8 to 10.3.

Detlef
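
An added example, not part of the thread: a small Python audit of `nidump passwd` output that reports which accounts still carry a crackable hash in the dump and which are asterisked out, the situation behind "Loaded 0 passwords" on 10.3. The sample dump, hash string and host name are constructed, and the ten-field master.passwd layout and all-asterisk placeholder are assumptions about the dump format.

```python
import re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars from the crypt alphabet.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed sample in the assumed 10-field layout:
# name:passwd:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_DUMP = """\
# constructed sample, not real accounts; XXexamplehash is a placeholder
nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
root:XXexamplehash:0:0::0:0:System Administrator:/var/root:/bin/sh
alice:********:501:501::0:0:Alice Example:/Users/alice:/bin/bash
bob:********:502:502::0:0:Bob Example:/Users/bob:/bin/bash
guest::503:503::0:0:Guest:/Users/guest:/bin/bash
broken line without enough fields
"""

def classify(field):
    """Classify the passwd field of one dump entry."""
    if field == "":
        return "empty"       # no password set at all
    if set(field) == {"*"}:
        return "masked"      # hash is not in the dump; nothing for John to load
    if DES_CRYPT.match(field):
        return "des-crypt"   # crackable hash exposed in the dump
    return "other"

def audit_dump(text, host="localhost"):
    """Return (host, name, uid, status) for every entry in one dump."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            findings.append((host, f"line {lineno}", None, "malformed"))
            continue
        uid = int(fields[2]) if fields[2].lstrip("-").isdigit() else None
        findings.append((host, fields[0], uid, classify(fields[1])))
    return findings

def exposed(findings):
    """Entries that need attention: an exposed hash or no password."""
    return [f for f in findings if f[3] in ("des-crypt", "empty")]

if __name__ == "__main__":
    for host, name, uid, status in audit_dump(SAMPLE_DUMP, host="mac-lab-01"):
        print(f"{host}\t{name}\t{uid}\t{status}")
```

Tagging each finding with the host it came from lets dumps from many machines be reviewed together without losing track of where an exposed entry lives.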