jason schaefer . com

"arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say."

Category: security

  • Migrating SMSSecure (Silence) keys and texts

    For those unfamiliar: SMSSecure (now called Silence) is a text messaging application that supports encryption. It has exceptional integration on your phone and will handle texts from your non-encrypted friends and acquaintances as well.
    https://smssecure.org
    I recommend using F-Droid to install it. F-Droid is a Free Software repository for Android.
    https://f-droid.org

    UPDATE: You can now export an encrypted copy of Silence. This export includes your encryption keys. In the Silence application on your old phone, go to the three horizontal “…” -> “Import / Export” -> “Export encrypted backup”. This exports to the phone’s /sdcard/SilenceExport, or via mtp to “mtp://[usb:xxx,xxx]/Internal storage/SilenceExport”. Copy this directory to the equivalent path (/sdcard/) on the new phone. Install Silence on the new phone. In my experience the first-run import prompt didn’t work so I had to do it manually. Click the three horizontal “…” -> “Import / Export” -> “Restore encrypted backup”. You’re done!

    I wanted to do this transfer using mtp but neither thunar nor nautilus could “see” the SilenceExport directory. I had to do the following:
    Plug in the old phone and copy the export to my laptop:
    adb pull /sdcard/SilenceExport/
    Plug in the new phone:
    adb push SilenceExport/ /sdcard/
    Remember you have to authorize your laptop from the phone.

    THE FOLLOWING INSTRUCTIONS ARE CONSIDERED OUT OF DATE yet still useful for some.

    When moving to a new phone you can export a plain text copy of all your sms texts for import on the new phone. This is fine but has many drawbacks. The export feature of smssecure does not export a user’s encryption keys. Here are instructions on doing this yourself. It’s really not as bad as it might seem and is worth doing to avoid re-keying with every friend you text with. You can also avoid exporting sensitive texts to plain-text.

    PREREQ’s:
    Install SMSSecure on the new phone.
    You will need adb access to both phones.

    Enable developer options by going into Settings -> About phone -> then press “Build number” 7 times.

    Enable adb access under Settings -> Developer options -> Android debugging.

    Allow adb root access from “developer options -> Root access” “Apps and ADB”. Otherwise you will get a permission error like so:

    shell@ville:/ $ su -
    Permission denied

    Also, be sure your computer can see the phone:
    [jason@local ~] $ adb devices
    List of devices attached
    393520931D5B00EC device

      • If usb is broken you can use ADB over the network. Enable it under Developer options -> Android debugging -> ADB over network. Connect to your local wireless first and take out your sim card before enabling. Otherwise your phone will be fully reachable over the cell network/public internet.

    Now connect to the phone over the network:
    [jason@local ~] $ adb connect 192.168.123.12:5555

    You can continue as if it was plugged in directly…
    To disconnect from the phone use this:
    [jason@local ~] $ adb disconnect 192.168.123.12:5555

    STEPS:
    I wasn’t able to directly copy the smssecure directory to my computer. It errors with zero files transferred:

    [jason@local ~] $ adb pull /data/data/org.smssecure.smssecure/ org.smssecure.smssecure-balz
    pull: building file list...
    0 files pulled. 0 files skipped.

    First I copy it to the sdcard of the old phone:

    [jason@local ~] $ adb shell
    shell@crespo:/ $ su -
    root@crespo:/ # cp -rv /data/data/org.smssecure.smssecure/ /sdcard/

    Copy the smssecure data from your old phone /sdcard/ to your local computer:

    [jason@local ~] $ adb pull /sdcard/org.smssecure.smssecure/ org.smssecure.smssecure

    Now plug in the new phone.

    Next, we will copy the org.smssecure.smssecure directory to the new phone:
    Note: I attempted to copy directly to the new phone at /data/data but there was a permission denied:

    [jason@local ~] $ adb push org.smssecure.smssecure/ /data/data/
    push: org.smssecure.smssecure/databases/messages.db-journal -> /data/data/databases/messages.db-journal
    failed to copy 'org.smssecure.smssecure/databases/messages.db-journal' to '/data/data/databases/messages.db-journal': Permission denied

    Instead copy it to the /sdcard/ of the new phone, first:
    UPDATE: This doesn’t work anymore

    [jason@local ~] $ adb push org.smssecure.smssecure/ /sdcard/
    adb: warning: skipping empty directory 'org.smssecure.smssecure/code_cache/'
    adb: warning: skipping empty directory 'org.smssecure.smssecure/app_captures/'
    adb: error: failed to copy 'org.smssecure.smssecure/lib' to '/sdcard/org.smssecure.smssecure/lib': symlink failed: Operation not permitted
    
    

    The brilliant developers of adb didn’t write in support for adb push to be recursive? We have to get creative as usual with Android. Use zip if you have unzip on your phone.

    [jason@local ~] $ zip -r org.smssecure.smssecure.zip org.smssecure.smssecure/
    
    And then,
    adb push org.smssecure.smssecure.zip /sdcard/
    adb shell
    cd /sdcard/
    unzip org.smssecure.smssecure.zip

    Before we proceed let’s check what ownership and permissions the org.smssecure.smssecure directory currently has (from the phone’s shell). In this case it’s chown u0_a63.u0_a63 and chmod 755:

    root@crespo:/ # ls -ld /data/data/org.smssecure.smssecure/
    drwxr-xr-x u0_a63   u0_a63            2015-12-06 21:35

    Keep note of this for later.

    Using the new phone’s root shell you will delete the existing (un-used) directory and copy your smssecure directory (with all your texts) from sdcard to /data/data:

    [jason@local ~] $ adb shell
    shell@crespo:/ $ su -
    root@crespo:/ # 
    root@crespo:/ # rm -fr /data/data/org.smssecure.smssecure/
    root@crespo:/ # cp -rv /sdcard/org.smssecure.smssecure  /data/data/

    Note: If you try using move (mv) instead of copy (cp) and your sdcard is on a separate partition you will get this error:
    root@maguro:/ # mv /sdcard/org.smssecure.smssecure/ /data/data/
    failed on '/sdcard/org.smssecure.smssecure/' - Cross-device link
    255|

    Back to permissions:
    After the data is copied to the new phone the directory and file permissions will be wrong (owned by root):

    root@crespo:/ # ls -l /data/data/org.smssecure.smssecure/       
    drwxrwx--- root     root              2015-12-06 21:35 app_parts
    drwxrwx--- root     root              2015-12-06 21:35 databases
    drwxrwx--- root     root              2015-12-06 21:35 files
    lrwxrwxrwx install  install           2015-12-06 15:07 lib -> /data/app-lib/org.smssecure.smssecure-1
    drwxrwx--- root     root              2015-12-06 21:35 shared_prefs

    We need to change ownership to user and group. In my case I need to change it to u0_a63. Android’s chown doesn’t work as expected:

    root@crespo:/ # chown -R u0_a63.u0_a63 /data/data/org.smssecure.smssecure/
    No such user '-R'

    Unfortunately, android sucks and chown is broken so we must get creative. Like any puzzle, it’s simple once you know the answer :-)

    root@crespo:/ # find /data/data/org.smssecure.smssecure/ -exec chown u0_a63.u0_a63 {} \;

    Luckily, chmod works ok:

    chmod -R 755 /data/data/org.smssecure.smssecure/

    Be sure to reboot your phone.
    Note: My SMSSecure disappeared and I needed to re-install. Everything was there after I re-installed and it survived subsequent reboots.

    done;

  • Encrypting /home directory and decrypting on login with pam_mount

    Instead of encrypting your entire drive and operating system you can encrypt just the data that matters, /home/

    Full disk encryption (FDE) vs. data only /home/ + swap
    – FDE cannot survive a remote reboot because it asks for the password before the system is fully running.
    – FDE is more secure in the sense that it encrypts any possible user data. Temporary or cached files in /tmp/ or /var/ and swap will be automatically encrypted. Meta data or sensitive file names can be leaked with programs like mlocate or databases stored under /var/.
    – Data-only encrypting with pam_mount is seamless, allowing someone to use a single password to simultaneously login and decrypt their data. (Psssst, it’s two passwords. One for login and one for decrypting. If they match, two birds one stone).

    This is a vast subject and I have barely touched on it. Check out some other resources that can help formulate a proper solution for your needs.
    https://en.wikipedia.org/wiki/Disk_encryption
    https://wiki.archlinux.org/index.php/Disk_encryption
    Lastly, if you just want simple file/directory encryption (as opposed to file system encryption as laid out here) you might like EncFS.
    At the end of the day we all have no excuse for not using encryption so just go ahead and implement something reasonable. And don’t use non-free encryption!

    1. Backup /home to external drive
    2. Install cryptsetup, libpam-mount
    3. Format home partition
    4. Open encrypted partition, make a filesystem inside and copy data back
    5. Edit /etc/security/pam_mount.conf.xml
    6. Remove “/home” from /etc/fstab
    7. Change your password to match the crypt password
    8. Alternately, encrypt swap

    1.
    rsync -av /home /backup

    2.
    apt-get install cryptsetup libpam-mount

    3.
    umount /home/
    cryptsetup luksFormat /dev/sdaX

    4.
    cryptsetup luksOpen /dev/sdaX home
    mkfs.xfs -L home /dev/mapper/home
    mount /dev/mapper/home /home/

    rsync -av /backup/home/ /home

    5.
    Back up the default config:
    cp /etc/security/pam_mount.conf.xml /root/
    Then add the following after “Volume definitions”:
    vi /etc/security/pam_mount.conf.xml

    <!-- Volume definitions -->
    <volume user="jason" fstype="crypt" path="/dev/disk/by-uuid/2a350c84-f047-4d17-a715-ddca5d9c0561" mountpoint="/home" options="noatime,exec,fsck,nodev,nosuid"/>
    

    Use blkid to determine the correct uuid for your path=

    6.
    Remove /home from /etc/fstab. Comment it out with a little note that pam_mount is handling it.

    7.
    Change your password to match the crypt password used in step 3.

    8.
    Alternately, to be more secure you can encrypt swap.
    Add the following to /etc/crypttab

    sda3_crypt /dev/disk/by-id/ata-ST1000LM014-1EJ164_W7734HLY-part3 /dev/urandom cipher=aes-xts-plain64,size=256,swap

    I use a clever program called cryptdisks_[start/stop] to start and stop these crypts. You need to stop your existing, unencrypted swap with swapoff -a
    Now start the crypt
    cryptdisks_start sda3_crypt
    This creates /dev/mapper/sda3_crypt
    Now replace your existing /etc/fstab swap line with something like the following:

    /dev/mapper/sda3_crypt    none    swap    sw    0    0

    swapon -a
    This turns on the swap; now it’s encrypted!

    swapon -s

    Filename				Type		Size	Used	Priority
    /dev/dm-0                              	partition	9769980	0	-1
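A lint for step 8, as an added example that is not part of the original post: it checks the swap entries of a crypttab and the matching fstab lines. The function names and the sample files are constructed for illustration; the checks rest on the fact that the `swap` option runs mkswap on the mapped device at every boot, which is why the entry above uses a /dev/disk/by-id path and /dev/urandom as the key.

```shell
#!/bin/sh
# Added example (not from the original post): lint the encrypted-swap setup.

# Print one finding per problem in the swap mappings of a crypttab file.
# crypttab fields: name, source device, key file, options.
lint_crypttab_swap() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }              # skip blanks and comments
        ("," $4 ",") !~ /,swap,/ { next }          # only mappings with the swap option
        $2 ~ /^\/dev\/(sd|hd|vd|nvme|mmcblk)/ {
            # kernel names can change between boots, and a swap mapping
            # is re-keyed and mkswap-ed on whatever device the name hits
            print $1 ": unstable device name " $2
        }
        $3 != "/dev/urandom" && $3 != "/dev/random" {
            print $1 ": key " $3 " is not a random per-boot key"
        }
    ' "$1"
}

# Print fstab swap devices that are NOT /dev/mapper/<name> of a crypttab
# swap mapping, i.e. swap that would still be written in plain text.
# Usage: plaintext_swap_in_fstab FSTAB CRYPTTAB
plaintext_swap_in_fstab() {
    names=$(awk 'NF && $1 !~ /^#/ && ("," $4 ",") ~ /,swap,/ { printf "%s ", $1 }' "$2")
    awk -v names="$names" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) ok["/dev/mapper/" a[i]] = 1 }
        NF == 0 || $1 ~ /^#/ { next }
        $3 == "swap" && !($1 in ok) { print $1 }
    ' "$1"
}

# Constructed sample files: one good mapping in the style shown above and
# one deliberately bad mapping, plus an fstab with a leftover plain swap line.
write_swap_samples() {
    printf '%s\n' \
        '# <name> <device> <key> <options>' \
        'sda3_crypt /dev/disk/by-id/ata-EXAMPLE-part3 /dev/urandom cipher=aes-xts-plain64,size=256,swap' \
        'old_swap /dev/sdb2 /etc/keys/swap.key cipher=aes-xts-plain64,size=256,swap' \
        > "$1/crypttab"
    printf '%s\n' \
        '/dev/mapper/sda3_crypt none swap sw 0 0' \
        '/dev/sdb3 none swap sw 0 0' \
        > "$1/fstab"
}

demo_swap_lint() {
    d=$(mktemp -d)
    write_swap_samples "$d"
    echo "crypttab findings:"
    lint_crypttab_swap "$d/crypttab"
    echo "plain-text swap in fstab:"
    plaintext_swap_in_fstab "$d/fstab" "$d/crypttab"
    rm -rf "$d"
}
demo_swap_lint
```

On a real system, point the two functions at /etc/crypttab and /etc/fstab; no output means every swap line goes through a randomly keyed mapping on a stable device path.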

    done;

  • OpenVPN on VyOS

    OpenVPN Client/Server Implementation

    ==== key signing ====
    You can host the certificate authority on the vyos device itself. This is obviously not as secure as hosting it on a separate system. If someone was to get into the vyos they would have access to all your keys and would be able to sign new keys against the CA. Nonetheless, it is convenient and secure-enough for many sites. This is how it can be done.
    From the VyOS, copy the easy-rsa directory into /config, where it won’t get lost on an upgrade.

    cp -rv /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /config/easy-rsa2
    vi /config/easy-rsa2/vars

    edit the options at the bottom of /config/easy-rsa2/vars to personalize them. Increasing KEY_SIZE to 2048 is recommended. Also, you can increase the certificate authority and key expiration. These are the defaults:

     ...
    # Increase this to 2048 if you
    # are paranoid.  This will slow
    # down TLS negotiation performance
    # as well as the one-time DH parms
    # generation process.
    export KEY_SIZE=1024
    
    # In how many days should the root CA key expire?
    export CA_EXPIRE=3650
    
    # In how many days should certificates expire?
    export KEY_EXPIRE=3650
    
    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="SanFrancisco"
    export KEY_ORG="Fort-Funston"
    export KEY_EMAIL="me@myhost.mydomain"

    now load the variables

    $ cd /config/easy-rsa2/
    $ source ./vars

    start fresh in case there is something old lingering around in there. This will delete all keys, etc.

    $ ./clean-all

    Build the certificate authority files

    $ ./build-ca

    Build the diffie-hellman key exchange

    $ ./build-dh

    Build the key for the server

    $ ./build-key-server js-server

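    Copy the certs and keys into /config/auth. The DH file is named after KEY_SIZE: dh1024.pem with the default above, dh2048.pem if you raised KEY_SIZE to 2048.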

    sudo cp /config/easy-rsa2/keys/ca.crt /config/auth/
    sudo cp /config/easy-rsa2/keys/dh1024.pem /config/auth/
    sudo cp /config/easy-rsa2/keys/js-server.key /config/auth/
    sudo cp /config/easy-rsa2/keys/js-server.crt /config/auth/

    Now you can build the key for the client and distribute it to them.
    Use ./build-key to generate a certificate that will connect to the vpn without a pass-phrase, or ./build-key-pass if you want the user to enter a pass-phrase before connecting. ./build-key-pass is more secure: if someone steals your certificate and key, they will still need to enter the pass-phrase to connect.

    $ ./build-key jimmy

    answer all questions accordingly and be sure to answer yes to “Sign the certificate?” and “1 out of 1 certificate requests certified, commit?”
    Now copy the keys and certs and create a config for Jimmy to remote in with. This is how I do it.
    first make a directory for the client in /config/easy-rsa2/keys

    cd /config/easy-rsa2/keys
    mkdir jimmy
    cp jimmy* jimmy/
    cp ca.crt jimmy/

    create a client config with your favorite text editor,

    vi jimmy/jsvpnserver.ovpn

    and add the following

    client
    proto udp
    remote-cert-tls server
    verb 2
    dev tun0
    cert jimmy.crt
    key jimmy.key
    ca ca.crt
    remote [vpn-server host or ip] 1194

    From your local computer download the config directory (jimmy) from the vpn server

    $ scp -r vyos@10.101.101.1:/config/easy-rsa2/keys/jimmy .

    This copies the jimmy directory into the current directory on your computer (the period designates the current directory). If you’re on MS Windows you will need to use cygwin or putty-scp to do this. Also, if using MS Windows you will need to run unix2dos on those files from the computer you downloaded the jimmy folder to.

    unix2dos jimmy/*

    I wrote a script to do all this for you -> http://jasonschaefer.com/stuff/easyrsa-user-setup-vyos.sh.txt

    Setting up the OpenVPN Server

    The server subnet needs to be a different subnet from your LAN. Set it to something unique that will be unlikely on any remote networks your clients will be on.
    The “--push route 10.101.101.0 255.255.255.0” (push-route 10.101.101.0/24 in the commands below) needs to be changed to the subnet of the LAN behind the router, the one you will VPN in to access.

    set interfaces openvpn vtun0 mode server
    set interfaces openvpn vtun0 server subnet 10.206.109.0/24
    set interfaces openvpn vtun0 server name-server 10.101.101.1
    set interfaces openvpn vtun0 server domain-name jasonschaefer.com
    set interfaces openvpn vtun0 server push-route 10.101.101.0/24
    set service dns forwarding listen-on vtun0
    set interfaces openvpn vtun0 tls cert-file /config/auth/js-server.crt
    set interfaces openvpn vtun0 tls key-file /config/auth/js-server.key
    set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
    set interfaces openvpn vtun0 tls dh-file /config/auth/dh1024.pem

    #Set the firewall to allow openvpn through

    set firewall name wan-local rule 40 action accept
    set firewall name wan-local rule 40 destination port openvpn
    set firewall name wan-local rule 40 protocol udp
    commit
    save

    That’s it! You’re done!

    STATIC CLIENT ADDRESS

    The static ip address for each client is done with this command:

    set interfaces openvpn vtun0 server client leroy ip 10.206.109.123

    The name “leroy” is the Common Name of the certificate. After this is committed leroy will receive .123 on his laptop each time he connects to the vpn.

    ROUTING VARIOUS LAN’s OVER VPN

    The routing between a remote LAN (iroute) is done like this:

    set interfaces openvpn vtun0 server client leroyhome ip 10.206.109.3
    set interfaces openvpn vtun0 server client leroyhome subnet 10.101.103.0/24

    The “subnet” option is openvpn’s internal route (iroute) function. This tells openvpn what the remote LAN subnet is. In this example, 10.101.103.0/24 is leroy’s house LAN.

    Now you can add a static route in order to route to this remote LAN.

    set protocols static route 10.101.103.0/24 next-hop 10.206.109.1

    10.206.109.1 is the openvpn router’s interface vtun0 ip address.

    If you’re designing a network with multiple remote sites it’s convenient to make their addresses contiguous and route to them all with a single route.

    10.101.101.0/24 (my house)
    10.101.102.0/24 (geoff’s house)
    10.101.103.0/24 (leroy’s house)

    I use subnetcalc to figure out the host ranges

    $ subnetcalc 10.101.101.0/22
      Host Range    = { 10.101.100.1 - 10.101.103.254 }
      - 10.101.101.0 is a HOST address in 10.101.100.0/22

    So, a slash 22 covers .100-.103, which is perfect for our small network.

    set protocols static route 10.101.100.0/22 next-hop 10.206.109.1

    and you need to push this route to all the clients

    set interfaces openvpn vtun0 server push-route 10.101.100.0/22
    
    

    SITE TO SITE VPN

    basic instructions:

    generate the passive key for head office from inside the easyrsa folder

    source ./vars
    ./build-key-server site2site_server-passive
    scp keys/site2site_server-passive.* user@vpn-server-passive-host:/config/auth/

    #active key for branch office, this side initiates the vpn handshakes

    ./build-key site2site_active
    scp keys/site2site_active.* user@vpn-server-active-host:/config/auth/

    active site files in /config/auth/
    ca.crt,
    site2site_active.key,
    site2site_active.crt

    passive site files in /config/auth/
    ca.crt,
    site2site_server-passive.key,
    site2site_server-passive.crt,
    dh1024.pem

    ==================

    #site to site openvpn

    set interfaces openvpn vtun9
    set interfaces openvpn vtun9 local-address 172.16.9.[1 | 2]
    set interfaces openvpn vtun9 remote-address 172.16.9.[1 | 2]
    set interfaces openvpn vtun9 remote-host [remote-vpn-host]

    #standard openvpn port is 1194, best used for client/server mode. prevents ovpn config from needing port setting

    set interfaces openvpn vtun9 local-port 1195
    set interfaces openvpn vtun9 remote-port 1195
    set interfaces openvpn vtun9 mode site-to-site
    set interfaces openvpn vtun9 tls ca-cert-file /root/ca.crt
    #the passive site cert/key needs to be signed as a server!
    set interfaces openvpn vtun9 tls key-file /root/[passive.key | active.key ]
    set interfaces openvpn vtun9 tls cert-file /root/[passive.crt | active.crt]
    set interfaces openvpn vtun9 tls role [active | passive]
    #dh1024.pem is required on passive host only!
    set interfaces openvpn vtun9 tls dh-file /root/dh1024.pem
    commit;save

    #open firewall for openvpn

    set firewall name wan-local rule 20 action accept
    set firewall name wan-local rule 20 destination port 1195
    set firewall name wan-local rule 20 protocol tcp_udp

    #set static routes to networks on other side of vpn, if any

    set protocols static route 192.168.7.0/24 next-hop 172.16.9.[1 | 2]
    set protocols static route 192.168.8.0/24 next-hop 172.16.9.[1 | 2]
    commit;save

    DYNAMIC DNS

    How to reach your vpn server and avoid using a static ip. We will be using afraid.org to automatically update a hostname’s A record with the public ip of your Vyos VPN server.

    You will need to register for an account at https://freedns.afraid.org. Then create a subdomain, for this example it will be myvpnserver.mooo.com. Go to the “Dynamic DNS” section and copy the “Direct URL”.

    Create a script under /config/scripts on your Vyos.
    vi /config/scripts/myvpnserver.mooo.com.sh

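    #!/bin/bash
    # -k makes curl skip TLS certificate verification; drop it if the
    # freedns.afraid.org certificate validates on your VyOS.
    /usr/bin/curl -k [paste your direct url here]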

    Make it executable
    chmod 755 /config/scripts/myvpnserver.mooo.com.sh

    Now tell Vyos to run this with cron.
    set system task-scheduler task dynamicDNS executable path /config/scripts/myvpnserver.mooo.com.sh
    set system task-scheduler task dynamicDNS interval 15m

    REVOKE KEYS ON VYOS

    vyos@router:~$ cd /config/easy-rsa2/

    vyos@router:/config/easy-rsa2$ ./revoke-full jimmy

    Using configuration from /config/easy-rsa2/openssl.cnf
    Revoking Certificate 0E.
    Data Base Updated
    Using configuration from /config/easy-rsa2/openssl.cnf
    jimmy.crt: /C=US/ST=NM/L=SantaFe/O=Blah/CN=jimmy/emailAddress=jimmy@localhost.local
    error 23 at 0 depth lookup:certificate revoked
    

    The error 23 at 0 … is normal and expected.

    Now copy the updated CRL (certificate revocation list) to /config/auth
    vyos@router:/config/easy-rsa2$ cp keys/crl.pem /config/auth/

    If this is the first revocation you need to add it to the config as well:

    vyos@router:~$ configure
    vyos@router# set interfaces openvpn vtun0 tls crl-file /config/auth/crl.pem
    vyos@router# save; commit; exit
    Saving configuration to ‘/config/config.boot’…
    Done
    No configuration changes to commit
    exit

    VERIFY REVOKED CERTIFICATES

    You can verify the revoked keys with the openssl command
    vyos@router:~$ openssl crl -in /config/auth/crl.pem -text

    Revoked Certificates:
        Serial Number: 08
            Revocation Date: Jan 30 00:19:24 2016 GMT
        Serial Number: 0E
            Revocation Date: Jul 13 22:51:50 2016 GMT
    

    In the above example keys 08 and 0E have been revoked
    vyos@router:~$ cat /config/easy-rsa2/keys/index.txt

    V	230804225528Z		        02	unknown	/C=US/ST=NM/L=SantaFe/O=SITC/CN=jason/emailAddress=jason@local
    R	230806213443Z	160130001924Z	08	unknown	/C=US/ST=NM/L=SantaFe/O=Blah/CN=john/emailAddress=john@localhost
    R	260711225142Z	160713225150Z	0E	unknown	/C=US/ST=NM/L=SantaFe/O=Blah/CN=jimmy/emailAddress=jimmy@localhost.local
    

    From this file index.txt, you can ascertain which serial numbers belong to which users!
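The lookup described above, as an added example that is not part of the original post: it maps the serials in a CRL to Common Names via index.txt and reports certificates that are revoked in index.txt but missing from the CRL, which is what happens when revoke-full was run but keys/crl.pem was not copied to /config/auth afterwards. The function names are hypothetical and the sample data is constructed in the format shown above; the CRL is read as saved text output of `openssl crl -text`.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check a CRL with index.txt.

# Serial numbers listed in the text form of a CRL
# (saved output of: openssl crl -in /config/auth/crl.pem -text -noout).
crl_serials() {
    awk '/Serial Number:/ { print toupper($3) }' "$1" | sort -u
}

# "SERIAL CN" for every row marked R (revoked) in easy-rsa's index.txt.
# index.txt is tab-separated: status, expiry, revocation date, serial, file, DN.
index_revoked() {
    awk -F '\t' '$1 == "R" {
        cn = $6
        sub(/^.*\/CN=/, "", cn)     # drop everything up to the CN value
        sub(/\/.*$/, "", cn)        # drop the DN fields that follow it
        print toupper($4), cn
    }' "$1" | sort -u
}

# Rows revoked in index.txt whose serial is absent from the CRL. OpenVPN only
# rejects what the crl-file lists, so these certificates can still connect.
# Usage: stale_crl_entries INDEX_TXT CRL_TEXT
stale_crl_entries() {
    index_revoked "$1" | awk -v list="$(crl_serials "$2" | tr '\n' ' ')" '
        BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) seen[s[i]] = 1 }
        !($1 in seen)'
}

# Constructed sample data: an index.txt with two revoked certificates and a
# CRL that was last copied before serial 0E was revoked.
write_crl_samples() {
    printf 'V\t230804225528Z\t\t02\tunknown\t/C=US/ST=NM/L=SantaFe/O=SITC/CN=jason/emailAddress=jason@local\n' > "$1/index.txt"
    printf 'R\t230806213443Z\t160130001924Z\t08\tunknown\t/C=US/ST=NM/L=SantaFe/O=Blah/CN=john/emailAddress=john@localhost\n' >> "$1/index.txt"
    printf 'R\t260711225142Z\t160713225150Z\t0E\tunknown\t/C=US/ST=NM/L=SantaFe/O=Blah/CN=jimmy/emailAddress=jimmy@localhost.local\n' >> "$1/index.txt"
    printf '%s\n' \
        'Revoked Certificates:' \
        '    Serial Number: 08' \
        '        Revocation Date: Jan 30 00:19:24 2016 GMT' \
        > "$1/crl.txt"
}

demo_crl_check() {
    d=$(mktemp -d)
    write_crl_samples "$d"
    echo "revoked according to index.txt:"
    index_revoked "$d/index.txt"
    echo "revoked but missing from the deployed CRL:"
    stale_crl_entries "$d/index.txt" "$d/crl.txt"
    rm -rf "$d"
}
demo_crl_check
```

On the router, save the output of `openssl crl -in /config/auth/crl.pem -text -noout` to a file and pass it together with /config/easy-rsa2/keys/index.txt; an empty result from stale_crl_entries means the deployed CRL is current.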

  • Public Key Authentication in OpenWRT using dropbear sshd

    UPDATE: The easiest way to do this is through the web interface (LuCI). System -> Administration -> SSH-Keys. Paste your public key (~/.ssh/id_rsa.pub) and click “Add key”

    I’ve been using so many openwrt devices lately I wanted to setup my public ssh key on each device so I can auto login. Also, I can setup a really unfriendly password for the root account that is very secure and use my public key to authenticate. Convenient and secure? What a concept!!
    Since this is dropbear and not openssh the typical ~/.ssh/authorized_keys file doesn’t work. Instead you need the authorized_keys file to be in /etc/dropbear/

    This is how I do it quickly and efficiently.

    Use the ssh-copy-id command to copy your public key to the remote device’s authorized_keys. This is the same thing you would do to copy your public key to a server. Thanks to Sam for turning me onto this most valuable tool.

    From your local user account (must have a public/private key, see ssh-keygen if you need to generate keys)

    $ ssh-copy-id root@192.168.1.1

    enter current password, the following will display if you entered password correctly

    Now try logging into the machine, with "ssh 'root@192.168.1.1'", and check in:
    
    ~/.ssh/authorized_keys
    
    to make sure we haven't added extra keys that you weren't expecting.

    now ssh to the device and move the authorized_keys to dropbear directory

    $ ssh root@192.168.1.1
    root@192.168.1.1's password:
    
    root@MyOpenWrt:~# mv /root/.ssh/authorized_keys /etc/dropbear/

    verify the permissions are 600

    root@MyOpenWrt:~# ls -l /etc/dropbear/
    -rw-------    1 root     root          394 Apr 24 20:09 authorized_keys
    

    logout and ssh back to 192.168.1.1. This time it will ask for your ssh key passphrase instead of the root password.
    $ ssh root@192.168.1.1
    Enter passphrase for key ‘/home/jason/.ssh/id_rsa’:

    If you would like to login without ssh asking for your passphrase you can use ssh-agent to store your identity. Use ssh-add to add to ssh-agent.

    $ ssh-add
    Enter passphrase for /home/jason/.ssh/id_rsa:

    Now ssh to 192.168.1.1 again, this time it doesn’t ask for a password!

    $ ssh root@192.168.1.1
    BusyBox v1.15.3 (2011-11-24 00:44:20 CET) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
    _______                     ________        __
    |       |.-----.-----.-----.|  |  |  |.----.|  |_
    |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
    |_______||   __|_____|__|__||________||__|  |____|
    |__| W I R E L E S S   F R E E D O M
    Backfire (10.03.1, r29592) ------------------------
    * 1/3 shot Kahlua    In a shot glass, layer Kahlua
    * 1/3 shot Bailey's  on the bottom, then Bailey's,
    * 1/3 shot Vodka     then Vodka.
    ---------------------------------------------------
    root@MyOpenWrt:~# 
    

    Voilà!

    You can also do this via the luci web interface. It’s actually very easy. Copy your ~/.ssh/id_rsa.pub and paste it into “System” -> “Administration” -> “SSH-Keys” and then “Save & Apply”. Done

  • Creating a custom wordlist for john the ripper

    I wanted a larger wordlist than the default /usr/share/john/password.lst, with only 3115 words. Openwall sells a really great wordlist, but if you don’t need anything that fancy you can follow these instructions. The apt-get bit is debian specific. I will install dictionaries and then concatenate them all into one file, remove duplicates, lower case and configure john to use the new list.

    apt-get install john wamerican-huge wamerican-insane wamerican-large wamerican-small wamerican aspell
    aspell dump master > custom-wordlist
    cat /usr/share/john/password.lst >> custom-wordlist
    cat /usr/share/dict/american-english* >> custom-wordlist
    

    You can concatenate more wordlists into the custom-wordlist file as you find them. Debian has lots more dictionary type packages. For instance, apt-cache search wordlists. Use dpkg -L [installed-package-name] to find where the actual word list file is installed.
    Let’s count how many lines (words) are in our wordlist so far:

    wc -l custom-wordlist

    I got 1484152. There must be tons of duplicates. Let’s get rid of them. We can also lowercase everything, since john toggles case automatically for us.

    tr A-Z a-z < custom-wordlist > custom-wordlist_lowercase

    Now we remove the duplicates

    sort -u custom-wordlist_lowercase > custom-wordlist_lowercase_nodups

    How many lines do we have now?

    wc -l custom-wordlist_lowercase_nodups
    613517

    Now we can set john up to use our custom wordlist file.

    Edit the file /etc/john/john.conf
    Wordlist = [path to custom-wordlist_lowercase_nodups]

    Now we are ready to crack some passwords! First, combine the passwd and shadow files. This will allow john to use the GECOS information from the passwd file. GECOS is the user information fields such as first, last and phone. These fields will be used by john to make a more educated guess as to what that user’s password might be.

    unshadow passwd shadow > unshadow.txt

    run john against the resulting unshadow.txt file

    john unshadow.txt
    Loaded 15 password hashes with 15 different salts (FreeBSD MD5 [32/64 X2])