Running John the Ripper

13 Dec 2016

In trying to set up a cloud-config with working passwords there was a comment:

#   passwd: The hash -- not the password itself -- of the password you want
#           to use for this user. You can generate a safe hash via:
#               mkpasswd --method=SHA-512 --rounds=4096
#           (the above command would create from stdin an SHA-512 password hash
#           with 4096 salt rounds)
#
#           Please note: while the use of a hashed password is better than
#               plain text, the use of this feature is not ideal. Also,
#               using a high number of salting rounds will help, but it should
#               not be relied upon.
#
#               To highlight this risk, running John the Ripper against the
#               example hash above, with a readily available wordlist, revealed
#               the true password in 12 seconds on a i7-2620QM.
#
#               In other words, this feature is a potential security risk and is
#               provided for your convenience only. If you do not fully trust the
#               medium over which your cloud-config will be transmitted, then you
#               should use SSH authentication only.
#
#               You have thus been warned.

This of course needed to be tried. Here is a quick outline of how to run this

docker run -ti ubuntu bash
apt-get update
apt-get install -y john
apt-get install -y whois   # for mkpasswd
mkpasswd --method=SHA-512 --rounds=4096 > passhash
# when it asks for password, give it the one you want to try
john passhash

Timings (running on a small vm): test (0s), bart (5s), monkey (0s), Monkey (8s), m0nkey (s).