John the Ripper is one of the most used hash-cracking tools out there. Fast, great range of hash types and loads of tutorials and information.
Let’s slash it through this topic in our daily #FromZeroToHacker challenge.
Table of contents
- Introduction
- What have I learnt today?
- Stats
- Resources
Introduction to John the Ripper
What are hashes?
A hash is a way of taking a piece of data of any length and representing it in another form of a fixed length, masking the original value of the data by running it through a hashing algorithm.
If we take "polo", a 4-character string, and run it through the MD5 hashing algorithm, the output is b53759f3ce692de7aff1b5779d3964da, a standard 32-character MD5 hash.
If we take "polomints", a 9-character string, and do the same, we get 584b6e4f4586e136bc280f27f9c64f3b, another 32-character MD5 hash.
Where John comes in…
Even if the algorithm is not reversible, that doesn't mean there aren't ways to crack the hashes.
We can do a dictionary attack: hash each candidate word and compare the result against the target hash until we find a match, which is the password.
What have I learnt today?
Setting up John the Ripper
John the Ripper is supported on many operating systems and is easy to install:
- Parrot and Kali:
sudo apt install john
- Blackarch: John ships with the distribution; check that it is installed with:
pacman -Qe | grep "john"
- Windows: Download either the 64-bit version or the 32-bit version.
Wordlists
Wordlists are used in a dictionary attack. They are lists of words that we hash and whose results we compare against the hash we are trying to crack. We have a good collection here: Dictionary lists for Dictionary attacks SecLists.
- Parrot and Kali: You can find loads of wordlists in the /usr/share/wordlists directory.
- RockYou: Obtained from a data breach dating from 2009, rockyou.txt is one of the most used wordlists, with more than 14 million passwords.
Cracking basic hashes
There are multiple ways to use John the Ripper to crack simple hashes. Let's see the basic usage.
John basic syntax
john <OPTIONS> <PATH_TO_FILE>
- john invokes the John the Ripper program.
- OPTIONS are the optional flags.
- PATH_TO_FILE is the path to the file containing the hash(es) you want to crack.
Automatic cracking
John can detect the type of hash automatically, most of the time. It is a good starting point anyway:
john --wordlist=<PATH_TO_WORDLIST> <PATH_TO_FILE>
john --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt
Identifying hashes
Sometimes John can't automatically recognise the hash. Luckily we have other tools to do it, like Hashes.com, an online hash identifier.
Format-specific cracking
john --format=<FORMAT> --wordlist=<PATH_TO_WORDLIST> <PATH_TO_FILE>
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt
Cracking Windows authentication hashes
Authentication hashes are the hashed versions of passwords stored by operating systems, and sometimes we can crack them with brute-force attacks.
NTHash/NTLM
NTHash is the hash format used by modern Windows operating systems, commonly referred to as NTLM (New Technology LAN Manager).
We can acquire the NTLM hashes by dumping the SAM database on a Windows machine with a tool like Mimikatz, or from the Active Directory database, NTDS.dit.
Cracking /etc/shadow Hashes
/etc/shadow is the file on Linux machines where password hashes are stored, along with other information such as the date of the last password change and password expiration details. This file is only accessible by the root user (technically).
Unshadowing
Unshadowing is the process of combining the /etc/shadow and /etc/passwd files to create a new file with the information from both, in a format readable by John the Ripper.
unshadow <PATH_TO_PASSWD> <PATH_TO_SHADOW>
unshadow local_passwd local_shadow > unshadowed.txt
Cracking
With a format usable by John the Ripper, we can feed the new file created from both /etc/shadow and /etc/passwd directly to John.
john --wordlist=<PATH_TO_WORDLIST> --format=sha512crypt <PATH_TO_FILE>
john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txt
Note: Most of the time we don’t need to specify the format, but it doesn’t hurt to do so.
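To make the shadow layout and the unshadow step concrete, here is an added example written for this post (not code from the original page nor from John's own unshadow). It parses constructed /etc/passwd and /etc/shadow lines (the hash values are placeholders in the "$id$salt$hash" layout, not real hashes), reports which scheme each account uses, flags the weak md5crypt ("$1$") scheme that an administrator would want to migrate away from, and merges the two files the way unshadow does: the "x" placeholder in passwd is replaced by the hash from shadow.

```python
# Constructed sample data (not from a real system). Shadow fields are:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc:x:1002:1002:Service:/var/svc:/usr/sbin/nologin
"""

SHADOW = """\
root:$6$saltsalt$examplehashroot:19000:0:99999:7:::
alice:$6$saltsalt$examplehashalice:19000:0:99999:7:::
bob:$1$oldsalt$examplehashbob:15000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""

# Assumed prefix table (incomplete on purpose).
ALGORITHM_BY_PREFIX = {
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
    "$2y$": "bcrypt",
    "$2b$": "bcrypt",
}
WEAK = {"md5crypt"}

def parse_shadow(text: str) -> dict:
    """Return {user: {"hash", "last_change", "algorithm"}} for each shadow line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, pw, last_change = fields[0], fields[1], fields[2]
        # "!", "*" or a leading "!" mean the account is locked or has no password.
        if pw in ("", "*") or pw.startswith("!"):
            algorithm = "locked/no-password"
        else:
            algorithm = next(
                (alg for p, alg in ALGORITHM_BY_PREFIX.items() if pw.startswith(p)),
                "unknown",
            )
        entries[name] = {
            "hash": pw,
            "last_change": int(last_change) if last_change else None,  # days since epoch
            "algorithm": algorithm,
        }
    return entries

def weak_accounts(shadow_text: str) -> list:
    """Usernames whose stored hash uses a scheme in WEAK."""
    return sorted(u for u, e in parse_shadow(shadow_text).items() if e["algorithm"] in WEAK)

def unshadow(passwd_text: str, shadow_text: str) -> str:
    """Replace the 'x' password field of each passwd line with the shadow hash,
    producing the combined layout that John reads."""
    hashes = {u: e["hash"] for u, e in parse_shadow(shadow_text).items()}
    out = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        out.append(":".join(fields))
    return "\n".join(out)

if __name__ == "__main__":
    for user, entry in parse_shadow(SHADOW).items():
        print(f"{user:6} {entry['algorithm']:20} last change day {entry['last_change']}")
    print("weak:", weak_accounts(SHADOW))
    print(unshadow(PASSWD, SHADOW))
```

The algorithm column is also the answer to the --format question in the cracking step: a "$6$" prefix means sha512crypt, which is the format the text passes to John.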
Single crack mode
We have been using John's wordlist mode to deal with brute-forcing simple hashes. But we can use another mode, single crack mode, where John uses only the information provided by the username to build a list of possible passwords heuristically, by shifting the letters and numbers contained in the username.
Word mangling
John creates its own dictionary from the information provided (such as the username), using a set of rules called mangling rules, which define how to mutate the word to generate that list. But it is easier if I show you.
Let’s say we know the username, Markus. Some possible passwords could be:
- Markus1, Markus2, Markus3 (etc.)
- MArkus, MARkus, MARKus (etc.)
- Markus!, Markus$, Markus* (etc.)
Simple, right?
Using single crack mode
To use single crack mode, we use the --single flag:
john --single --format=<FORMAT> <PATH_TO_FILE>
john --single --format=raw-sha256 hashes.txt
Note: When we want John to build the list of passwords from the username, we need to prepend the username to the hash.
From: 1efee03cdcb96d90ad48ccc7b8666033
To: markus:1efee03cdcb96d90ad48ccc7b8666033
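The mangling idea above is simple enough to reproduce, and doing so is a useful password-policy check: an administrator can find accounts whose password is a trivial derivative of the username before anyone else does. The following is an added example written for this post (not John's rules engine, which is far richer); it implements only the three rule families listed in the text (digit suffix, growing upper-case prefix, symbol suffix), reads the username:hash line layout the note describes, and assumes raw MD5 by default. The hashes used in the check are built from constructed passwords, not taken from a real system.

```python
import hashlib

def mangle(username: str) -> set:
    """Candidates derived from a username, following the three rule families in the text:
    Markus1, Markus2 ...; MArkus, MARkus, MARKus ...; Markus!, Markus$, Markus* ..."""
    base = username.strip()
    if not base:
        return set()
    cap = base.capitalize()
    candidates = {base, base.lower(), cap, base.upper()}
    for word in (base, cap):
        candidates.update(f"{word}{n}" for n in range(10))          # digit suffix
        candidates.update(f"{word}{sym}" for sym in "!$*?")         # symbol suffix
        # growing upper-case prefix: MArkus, MARkus, MARKus, ...
        candidates.update(word[:i].upper() + word[i:] for i in range(2, len(word) + 1))
    return candidates

def crack_line(line: str, algorithm: str = "md5"):
    """Take a 'username:hash' line and return the derived candidate whose digest
    matches, or None when the password is not a trivial derivative of the username."""
    user, _, target = line.partition(":")
    target = target.strip().lower()
    for cand in sorted(mangle(user)):
        if hashlib.new(algorithm, cand.encode("utf-8")).hexdigest() == target:
            return cand
    return None

def make_line(username: str, password: str, algorithm: str = "md5") -> str:
    """Constructed test helper: build a username:hash line for a known password."""
    return f"{username}:{hashlib.new(algorithm, password.encode('utf-8')).hexdigest()}"

def audit(lines, algorithm: str = "md5") -> list:
    """Usernames in `lines` whose password is derived from the username (policy violation)."""
    return [line.partition(":")[0] for line in lines if crack_line(line, algorithm) is not None]

if __name__ == "__main__":
    sample = [make_line("markus", "MARKus"), make_line("alice", "unrelated-passphrase")]
    print(sorted(mangle("markus"))[:8], "...")
    print("derived from username:", audit(sample))
```

The candidate set for a six-letter name is only a few dozen strings, which is the whole point of single crack mode: it is cheap to run, and any account it catches would also be caught by an attacker with nothing but the username.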
Cracking a password-protected zip file
Yeah! John the Ripper can crack zip files, so you don’t need to pay for Winzip or Winrar.
Zip2John
Instead of john, we are going to use the zip2john program:
zip2john <OPTIONS> <PATH_TO_ZIP_FILE> > <PATH_TO_OUTPUT_HASHED_FILE>
zip2john zipfile.zip > zip_hash.txt
Cracking
Once we have a hash created by zip2john, it is time to crack it.
john --wordlist=<PATH_TO_WORDLIST> <PATH_TO_HASHED_FILE>
john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt
I hope you see the pattern here: we take a file (a hash, a zip file, etc.), we process it into something usable by John (by unshadowing, with zip2john, ...), then we run John the Ripper with a wordlist to crack it.
Cracking a password-protected RAR archive
Same as with zip files, we can crack RAR files with ease.
Rar2John
Similar to the zip2john tool, but without optional flags.
rar2john <PATH_TO_RAR_FILE> > <PATH_TO_OUTPUT_HASHED_FILE>
rar2john rarfile.rar > rar_hash.txt
Cracking
The step we just did created a hash usable by John, so we repeat the same process to crack it.
john --wordlist=<PATH_TO_WORDLIST> <PATH_TO_HASHED_FILE>
john --wordlist=/usr/share/wordlists/rockyou.txt rar_hash.txt
Cracking SSH keys with John
We can crack the passphrase of SSH private keys (id_rsa files) too!
SSH2John
Yep, another conversion tool using the same syntax. Yet, this time, for some reason, we need to invoke a Python script:
python3 <PATH_TO_ssh2john_FILE> <PATH_TO_ID_RSA_PRIVATE_KEY_FILE> > <PATH_TO_HASHED_FILE>
python3 ssh2john.py id_rsa > id_rsa_hash.txt
Cracking
What do we do with a hashed file? Exactly: the same as always.
john --wordlist=<PATH_TO_WORDLIST> <PATH_TO_HASHED_FILE>
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt
Summary
Again, we cracked the case! Sorry. Today we have learnt about:
- What hash functions are and their different types.
- Uses for hashing.
- Recognising password hashes.
- Password cracking.
- Hashing for integrity checking.
Stats
From 64.440th to 62.378th.
Here is also the Skill Matrix:
Resources
- Module: Cryptography
Other resources
- Hashing basics
- John the Ripper for Windows: 64-bit version
- John the Ripper for Windows: 32-bit version
- Dictionary lists for Dictionary attacks SecLists
- Rockyou.txt file
- Hashes.com