In-class Exercise 1: Cracking Passwords with John the Ripper

In-class Exercise 1: Cracking Passwords with John the Ripper (Sharon)

Password protection is important in any platform as is building robust passwords. You will need a copy of Kali Linux, as discussed previously, to perform this exercise. John and Ripper will be used to crack passwords. John performs different types of cracks: single mode; dictionary (wordlist mode), the one performed in this exercise, which applies a dictionary list of passwords for comparison; and brute-force (incremental) mode, which is the slowest of the three modes and attempts every combination of letters and numbers. You can download the Kali Linux and WinXP VMs at

  • Start Kali virtual machine.
  • Login: root   Password:  SCIA472

Before attempting to crack the existing passwords, enter a few more users to see how fast the passwords can be cracked.

  • root@kali: adduser user1
  • set the password to password
  • root@kali: adduser  user2
  • set the password to P@ssw0rd
  • root@kali: adduser  user3
  • set the password to !P@ssw0rD1

After the three users have been added, you will want to execute John.

  • ApplicationsàBackTrack->Provilege Escalation->Password Attacks->Offline Attacks-> john the ripper
  • root@kali:/pentest/passwords/john#: john /etc/shadow
  • Give it time to see how long it takes for each password to be cracked. Record those times here: User1:______ User2:_______User3:______
  • Refection: Did you notice a correlation between the times it took to crack a password versus the complexity of the password? You should have seen that more complex passwords take longer to recover.
  • Write your comment to this exercise including what you have learned, more practices you can think of, and what can be improved about this exercise.
  • Turn it in Blackboard by Tonight.