John the Ripper is an open source password cracker that is used by security researchers to help audit, crack and test password security. The core project is sponsored by security vendor Openwall led by developers Alexander Peslyak and Roman Rusakov. Thanks to funding from security vendor Rapid7, leaders of the open source Metasploit project, Peslyak and Rusakov were able to expand John the Ripper with improved performance and capabilities for testing and cracking password hashes.
"John the Ripper is a tool I have used since the mid-90s, the team behind it has dedicated a large portion of their [time] to the open source community and improving the security of open source software in general," HD Moore, Metasploit chief architect and Rapid7 CSO, told InternetNews.com. "This was an opportunity for Rapid7 to give something back and benefit the security community as a whole in the process."
Moore explained that Rapid7 provided funding to Openwall for the research; this made it possible for Peslyak and Rusakov to spend time that would have otherwise been allocated to commercial work. The specific improvements deal with performance gains for cracking Data Encryption Standard (DES)-based password hashes. According to Openwall, the DES improvements have led to a 17 percent performance boost for cracking password hashes.
According to Moore, the DES improvements are available in the John the Ripper 1.7.8 release under an open source license. He added that he fully expects these improvements to be incorporated by other password testing tools.
Overall, Moore noted that John the Ripper is an amazing piece of software for many reasons. The speed of the cryptographic implementations has always been impressive even as the number of hash types continues to grow. John the Ripper has also become much better at using distributed resources and multiple processor cores.
"John is seeing some competition from the GPGPU tools, but these tools are often not open source, and are definitely not as flexible as what John provides for free," Moore said.
While the new update's key addition is to password cracking, Moore noted that the tool also has an incredible backend for password transformations and word list generation.
"Quite a few tools use John the Ripper as a way to permute a word into similar possibilities (hacker -> h4ck3r -> h4ck3r123) and simply feed its output into their own offline or live password cracking engines," Moore said. "The rules engine built into the tool provides an incredible amount of flexibility with a level of performance that a typical scripting language will be hard pressed to match."
Rapid7 is the lead commercial sponsor behind the open source Metasploit project and sells the commercial Metasploit Pro and Express editions. Moore noted that the Metasploit Framework has often been a tool that was used alongside John, but the two have never been fully integrated.
"Now that the Metasploit Framework has a central database for storing collected password hashes, we would like to do more direct integration with John and offline password cracking tools in general," Moore said. "We are still sorting out the best way to deliver this, but our community has been asking for better integration for years and we plan to deliver."
A possible integration could come in Metasploit Pro, where Moore said he is considering the use of John as a way to quickly enumerate weak hashes in collected data. Moore explained that such an integration would make password relay attacks easier when weak credentials are found and allow collected hashes to be cracked and tested against services that do not allow pass-the-hash style attacks.
"This is a long way from wrapping a GUI around John and selling it. We have no plans to go that direction and are more than happy with how Openwall manages John the Ripper's commercial options," Moore said. "Any commercial use by Rapid7 of the John the Ripper software would be in full accordance with the open source license and spirit."
Moving forward, Moore said that Rapid7 will continue to support the John the Ripper project and looks forward to more integration with Rapid7 products.
"We believe that John the Ripper is a critical piece of the open source security ecosystem and it will continue to raise the bar," Moore said.