Test your users password security with JTR

You can do that using John The Ripper.

Installing John the Ripper:
Log in as root, then:
# wget http://www.openwall.com/john/f/john-1.7.0.2.tar.gz
# tar -zxvf john-1.7.0.2.tar.gz
# cd john-1.7.0.2/src
# make generic
# cd ../run

Running the wordlist shipped with John the Ripper against your password file (on Linux, /etc/shadow):
# ./john -wordlist:password.lst /etc/shadow

Once the cracking run over /etc/shadow has finished (it can take a while), you can list the passwords that were cracked:
# ./john -show /etc/shadow

The output is in the format username:password; if any accounts are listed, those passwords should be changed.

Remove the .pot file (it must be removed because it stores the cracked passwords in clear text):
# rm -rf john.pot
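The procedure above wrapped into one reusable script, as an added example that is not code from the original post or from the John the Ripper project. It assumes john and password.lst sit in the current directory (override with the JOHN, WORDLIST, SHADOW and POT variables) and that it runs as root so /etc/shadow is readable.

```shell
#!/bin/sh
# Weekly password audit with John the Ripper (added example, not part of the post).
# Assumed defaults: john and password.lst in the current directory, root privileges.
JOHN="${JOHN:-./john}"
WORDLIST="${WORDLIST:-password.lst}"
SHADOW="${SHADOW:-/etc/shadow}"
POT="${POT:-john.pot}"

# Extract account names from "john -show" output read on stdin. Result lines keep
# the shadow layout (user:cleartext:lastchange:...); blank lines and the summary
# line ("N password hashes cracked, M left") contain no colon and are skipped.
cracked_users() {
    awk -F: '/^[^: ]+:/ { print $1 }'
}

audit_passwords() {
    # 1. Wordlist run against the shadow file (this is the slow step).
    "$JOHN" -wordlist:"$WORDLIST" "$SHADOW" >/dev/null 2>&1
    # 2. Collect the accounts whose password was found in the wordlist.
    users=$("$JOHN" -show "$SHADOW" 2>/dev/null | cracked_users)
    # 3. The .pot file holds the cracked passwords in clear text: remove it
    #    as soon as the report has been produced.
    rm -f "$POT"
    if [ -n "$users" ]; then
        echo "Accounts with weak passwords (force a password change):"
        echo "$users"
        return 1
    fi
    echo "No passwords found in the wordlist."
    return 0
}

# Run the audit only when invoked as "./audit.sh run", so the functions can
# also be sourced from a cron job or another script.
if [ "${1:-}" = "run" ]; then
    audit_passwords
fi
```

Schedule it from root's crontab (e.g. once a week) and mail or log the output; a non-zero exit status means at least one weak password was found.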

That's it; repeat this every week to keep track of how strong your users' passwords are.
