CYBERSEC LAB — VIRTUAL PENETRATION TESTING
MODULE 8 — PASSWORD HASH CRACKING
Loading John the Ripper v1.9.0-jumbo-1...

🔓 ASSIGNMENT GOALS

Examine /etc/passwd and /etc/shadow on the target.
Combine the files using unshadow.
Identify the hash types in use.
Run a wordlist attack and crack the passwords.
Use john --show to display cracked credentials.
Complete the pentest report and submit.
PHASE 1 — EXAMINE TARGET FILES
📋 BRIEFING
⚠ CLASSIFIED — PENTEST ENGAGEMENT

MISSION BRIEFING

Operation: Cracked Vault  |  Tool: John the Ripper
SCENARIO
During a red team engagement against Apex Systems Inc., you have gained read access to a Linux server and successfully exfiltrated the /etc/passwd and /etc/shadow files.

Your objective is to use John the Ripper to crack as many password hashes as possible, identify weak credentials, and produce a penetration test findings report documenting the vulnerability.

This simulates a real-world post-exploitation phase where cracked credentials could be used for lateral movement or privilege escalation.
OBJECTIVES
1. cat /etc/passwd and /etc/shadow — examine the exfiltrated files.
2. Run unshadow to combine passwd and shadow into a single crackable file.
3. Identify hash types using the $prefix in shadow entries. Consult the Reference Manual.
4. Run john with a wordlist and rules to crack the hashes.
5. Use john --show to display all cracked credentials.
6. Fill out the Pentest Report with your findings and submit.
TOOLS
💻 Terminal: john, unshadow, cat, ls, file, clear, help
📖 Reference Manual: Hash type chart, john syntax, shadow format guide
📋 Pentest Report: Structured findings form — submit your results here
TERMINAL — root@kali : ~/loot
John the Ripper Lab Terminal — Kali Linux 2024.1
Working directory: /root/loot (passwd, shadow files available)
 
Type 'help' for available commands.
 
root@kali:~/loot#
REFERENCE MANUAL — JOHN THE RIPPER
SHADOW FILE FORMAT
Each line in /etc/shadow follows this format:
username:$id$salt$hash:lastchg:min:max:warn:inactive:expire
HASH TYPE IDENTIFIERS ($id$)
PREFIX         ALGORITHM        STRENGTH       JOHN FORMAT
$1$            MD5crypt         Weak           md5crypt
$2a$ / $2b$    bcrypt           Strong         bcrypt
$5$            SHA-256crypt     Medium         sha256crypt
$6$            SHA-512crypt     Strong         sha512crypt
$y$            yescrypt         Very Strong    yescrypt
(none)         DES crypt        Very Weak      descrypt
!              Locked account   N/A            N/A
*              No password      N/A            N/A
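The prefix chart above as a small audit helper that reads shadow-format lines and reports the hashing scheme per account. This is an added example, not part of the lab: the function names classify, parse_shadow and weak_accounts are hypothetical, and the sample entries are constructed with placeholder salts and hashes. It assumes a traditional DES crypt value is 13 characters long.

```python
# Added example: classify shadow entries by the $id$ prefix of the hash field.
PREFIXES = [  # rows copied from the reference table on this page
    ("$1$", "MD5crypt", "Weak", "md5crypt"),
    ("$2a$", "bcrypt", "Strong", "bcrypt"),
    ("$2b$", "bcrypt", "Strong", "bcrypt"),
    ("$5$", "SHA-256crypt", "Medium", "sha256crypt"),
    ("$6$", "SHA-512crypt", "Strong", "sha512crypt"),
    ("$y$", "yescrypt", "Very Strong", "yescrypt"),
]

def classify(field):
    """Map the second shadow field to (algorithm, strength, john format)."""
    if not field:
        return ("Empty field", "N/A", "N/A")  # case not covered by the table
    if field[0] in "!*":
        return ("Locked account" if field[0] == "!" else "No password", "N/A", "N/A")
    for prefix, algorithm, strength, john_format in PREFIXES:
        if field.startswith(prefix):
            return (algorithm, strength, john_format)
    if field.startswith("$") or len(field) != 13:
        return ("Unknown", "N/A", "N/A")  # prefix or shape not in the table
    return ("DES crypt", "Very Weak", "descrypt")  # no prefix, 13 characters

def parse_shadow(text):
    """Return one (username, algorithm, strength, john format) tuple per entry."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 2 and parts[0]:  # skip blank or malformed lines
            rows.append((parts[0],) + classify(parts[1]))
    return rows

def weak_accounts(rows):
    """Usernames whose scheme the table rates Weak or Very Weak."""
    return [user for user, _, strength, _ in rows if strength in ("Weak", "Very Weak")]

# Constructed sample input: salts and hashes are placeholders, not real values.
SAMPLE = """\
root:$6$SALTSALT$HASHPLACEHOLDER:19700:0:99999:7:::
alice:$1$SALTSALT$HASHPLACEHOLDER:19700:0:99999:7:::
bob:$y$j9T$SALT$HASHPLACEHOLDER:19700:0:99999:7:::
legacy:XXplaceholder:19700:0:99999:7:::
svc:!:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
"""

if __name__ == "__main__":
    for user, algorithm, strength, john_format in parse_shadow(SAMPLE):
        print(f"{user:8} {algorithm:16} {strength:12} {john_format}")
    print("Weak schemes:", weak_accounts(parse_shadow(SAMPLE)))
```

Accounts listed under "Weak schemes" are the ones to move to a stronger scheme first, independent of how good the individual passwords are.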
WORKFLOW
# Step 1: Combine passwd + shadow
unshadow /etc/passwd /etc/shadow > shadow.txt

# Step 2: Wordlist attack
john shadow.txt --wordlist=/usr/share/wordlists/rockyou.txt

# Step 3: Rules-based attack
john shadow.txt --wordlist=/usr/share/wordlists/rockyou.txt --rules

# Step 4: Show cracked passwords
john shadow.txt --show

# Specify format explicitly
john shadow.txt --format=md5crypt --wordlist=...
JOHN SYNTAX REFERENCE
FLAG               DESCRIPTION
--wordlist=FILE    Use a wordlist for dictionary attack
--rules            Apply mangling rules to wordlist words
--show             Display all cracked passwords
--format=NAME      Force a specific hash format
--list=formats     List all supported hash formats
--incremental      Brute-force attack (slow)
--single           Single crack mode (uses username etc.)
--status           Show cracking progress
RISK RATINGS
RATING      CRITERIA
CRITICAL    DES/MD5 hashes with dictionary passwords
HIGH        SHA-512 with common/short passwords
MEDIUM      Strong hashes, complex passwords
LOW         bcrypt/yescrypt, long random passwords
PENTEST REPORT — PASSWORD AUDIT FINDINGS

PASSWORD AUDIT FINDINGS REPORT

APEX SYSTEMS INC. — RED TEAM ENGAGEMENT — FILL IN YOUR FINDINGS

SECTION 1 — CRACKED CREDENTIALS
SECTION 2 — RISK ASSESSMENT