December 19th, 2002, 08:42 AM
John the ripper again
Hi...hope you all not bored with the question of password cracker, john the ripper
I have tried to use john the ripper to crack my own computer password by putting my own password to the "password.lst" file.
the reason to crack is of course i want to learn how it works and i hope this is not an illegal post as my intension is for knowledge only.
the result : i can retrieve my admin password successfully, but it cant retrieve other user password.
i have created one user under my computer and i purposely put that user's password and the admin's password to the "password.lst" file, but still it only retrieve the admin password.
my question is:
is there any special command to retrieve all the admin and the user password ?
I have seen the example allready, but still i cant retrieve it.
any comments will be much appreciated , thanksss
December 19th, 2002, 05:39 PM
John the Ripper isnt what i would call a lame tool. You would be surprised at how many sys admins use this to test the strength of their users passwords.
It has good word lists included and you can also download wordlists for it to use, which makes it a very useful tool for the sys admins out there!
Im not defending silverstormboy, because i dont know if his/her reason for using this is legitimate, however it is good once in a while to give the benefit of doubt to a newbie!
December 19th, 2002, 06:15 PM
*sys admins (at least the ones at my work) have special filters to make sure that the user passwords contain certain properties such as multiple cases and the appearance of numbers, another one is that the password may not contain any variation of your name etc, etc, etc… Maybe I should start a post for this question but- Does John the whatever PW Cracker assign numbers, mix cases, etc?
When you connect to your ISP, you are potentially opening your computer to the world. There are \'naughty people\' out there who enjoy breaking into other people\'s computers. Give some thought to the security of your computer...
December 19th, 2002, 08:24 PM
Yes it does...... It is far from lame IMO.......
I can't find where I read it but there were some tests run against it on a mock pw file, (win2k), with pw's of varying strength..... something like this:-
I love you
It found it's first pw in about 13 seconds if i remember rightly then the other three came over about 23 hours. Funnily enough the order of the cracks was no what you would expect. The one that took the longest was I love you...... Note it contained only one upper case, no special characters or numerics, just two spaces...... I was shocked too. It took some six or seven hours longer to get that than it did the leet_haxxor$ pw. Not something I would have though. The upshot was that where a strong pw is required then a sentence is as good as anything.
Oh, and BTW...... Yes Win2k can enforce password complexity but there is a downside. That policy is enforced across the entire domain..... So the strength of password I would desire for my staff would be enforced on my (L)users...<s> Do you have any idea how many phone calls 650 users can generate on such a little issue as 9 characters, upper case and lower case, numerics and special characters required???
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
December 20th, 2002, 05:21 AM
hi everybody, thanks for your comment.
the reason for me to try that cracker is for learning purpose only. well, everybody have to start from the beginning right? and how can you know if you never start practising?
for my opinion, it is up to the person to decide whether the tools are going to be used for an illegal thing or not and he/she will have to take the risk and concequences for that.
I hope i wont be banned for asking this question.
Practice makes perfect