[sf-lug] John the Ripper

Rick Moen rick at linuxmafia.com
Fri Jan 25 03:12:58 PST 2008


Quoting Alex Kleider (a_kleider at yahoo.com):

> ..by the way: john cracked 2 of 13 passwords within a split second: not
> very imaginative passwords to be sure- one was the same as the user's
> log on ID and the other was the user's last name with a 1 tacked on to
> the end of it. I will have to scold them severely ..   
> It's also inspired me to learn about the deluser command!

(D'oh!)

OK, that answers my question about "When are you actually going to
_find_ a readable password file to run John the Ripper against?"
Answer is:  When you're the _root user_, seeking to check up on whether
any of your users is being stupid.

FWIW, my point (earlier) was that the main usage of John the Ripper and 
predecessors -used- to be by the bad guys, running it against _other_
people's /etc/passwd files -- back in the days when that file was
world-readable, i.e., before shadow passwords blocked that avenue of
attack.

So, that entire class of traditional uses for password crackers is long
obsolete.  The _other_ use, by sysadmins to keep a wary eye for local
user stupidity, certainly does still apply.

As a side-comment:  The truly wary sysadmin tries hard to _not_ trust
local shell users, and assumes that, at any time, someone using a
legitimate user's authentication token (either password or public-key
pair) might be a bad guy who's stolen that credential.  Therefore, the
wary sysadmin tries to fortify the system against _local_ attack as well
as remote attack.

Possibly relevant reading:

http://linuxmafia.com/faq/Security/breakin-without-remote-vulnerability.html
  (Rumours that I was talking about shells.sourceforge.net and break-in
  to the sensitive internal network at VA $WHATEVER are... unconfirmed 
  at this time.)
http://security.itworld.com/4352/LWD000829hacking/pfindex.html
http://linuxgazette.net/issue98/moen.html
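
[Added example, not part of the original post.] A root-side check for the condition the message describes: password hashes sitting in a world-readable passwd file instead of behind shadow passwords. The function names and the sample entries are constructed for illustration, and treating "x", "*" and a leading "!" as "no hash stored here" is this example's assumption.

```python
import os
import stat
import tempfile

# Constructed sample in passwd(5) format; the hash string is a placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:$6$CONSTRUCTED$notarealhash:1001:1001:Bob Example:/home/bob:/bin/bash
carol::1002:1002:Carol Example:/home/carol:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

def classify(pw_field):
    """Classify field 2 of a passwd entry."""
    if pw_field == "":
        return "EMPTY"            # account can be entered with no password
    if pw_field == "x" or pw_field.startswith(("*", "!")):
        return "OK"               # shadowed, or locked / no valid hash
    return "HASH_EXPOSED"         # hash readable by every local user

def audit_passwd(path):
    """Return [(user, finding)] for entries that are not shadowed or locked."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if not line.strip() or line.startswith("#"):
                continue
            fields = line.rstrip("\n").split(":")
            if len(fields) < 7:
                findings.append((fields[0], "MALFORMED"))
            elif classify(fields[1]) != "OK":
                findings.append((fields[0], classify(fields[1])))
    return findings

def shadow_too_open(path):
    """True if users outside owner and group can read or write the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH))

def demo():
    """Run the audit over the constructed sample above."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "passwd")
        with open(p, "w") as fh:
            fh.write(SAMPLE_PASSWD)
        return audit_passwd(p)

if __name__ == "__main__":
    for user, finding in demo():
        print(f"{user}: {finding}")
```

On a live system the same functions would be pointed at /etc/passwd and /etc/shadow by root.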



