August 1, 2011
Resuscitating John the Ripper for SHA-512
John the Ripper (http://www.openwall.com/john) is a well-known and mature password auditing tool. However, if you are working from a recent OS (e.g., Ubuntu 9.04 or later) that uses SHA-512 hashing John has a problem.
The Problem
Let’s take a look at a sample line from an /etc/shadow file (Ubuntu 10.04):
jason:$6$.QKEPz6E$SW2kjRQFQpXYgc98F.:11825:0:80:5:40:12066:
The field of interest for us is the second field- $[n]$. Here [n] will be equal to one of the following values: $1$, $5$, or $6$. Each of those values corresponds to a specific hash algorithm.
1 = md5
5= sha256
6= sha512
As we can see, the example entry above this /etc/shadow file is using SHA 512 hashing to protect password data at rest. Now, the current version of John the Ripper does not handle SHA 512 at all. If you try to run John you will receive the following message:
No password hashes loaded
What can we do?
The Solution
Thankfully, we can patch John to deal with SHA-512.
First, download the source for John and unpack it. You can get john from www.openwall.com/john. Do not compile the program just yet though. Next, follow the directions over at Dr. Junjun Mao’s blog to manually patch John to handle SHA 512.
Note: there is a small mistake in Junjun’s directions. You have two ways to correct the problem. Either create crypt_fmt.c as fmt_crypt.c or change the lines added to john.c to reference crypt_fmt.c instead of fmt_crypt.c. My advice: change the file name to fmt_crypt.c since that matches the already present naming standard.
Go ahead and compile john now. When finished, give it a test run- I am sure you will enjoy the resuscitated John the Ripper!