December 7, 2012

Crack Passwords using John the Ripper

In this tutorial we will describe the main options of John The Ripper. We will explain the basic operation for using JTR to crack Passwords (LM, NTML, MD5) making use of a wordlist or brute-force attack.

About John The Ripper
John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It is one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker.
It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix flavors (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL, and others.

(Note: For the Purpose of this tutorial we will use BackBox (Based on Ubuntu) as OS and the latest installation package of John the Ripper (JTR) .) 

Download - Install JTR

Download one of the latest official free versions of JTR from the official site
Next we will extract the .tar.gz file typing the following command:
tar -xzf john-1.7.8.tar.gz
Now we will navigate to the folder where we extracted the JTR and we will type simply "John" to run it.
root@liatsisfotis:~# john 
John the Ripper password cracker, version 1.7.8
Copyright (c) 1996-2011 by Solar Designer
Homepage: http://www.openwall.com/john/

Usage: john [OPTIONS] [PASSWORD-FILES]
--single                   "single crack" mode
--wordlist=FILE --stdin    wordlist mode, read words from FILE or stdin
--rules                    enable word mangling rules for wordlist mode
--incremental[=MODE]       "incremental" mode [using section MODE]
--external=MODE            external mode or word filter
--stdout[=LENGTH]          just output candidate passwords [cut at LENGTH]
--restore[=NAME]           restore an interrupted session [called NAME]
--session=NAME             give a new session the NAME
--status[=NAME]            print status of a session [called NAME]
--make-charset=FILE        make a charset, FILE will be overwritten
--show                     show cracked passwords
--test[=TIME]              run tests and benchmarks for TIME seconds each
--users=[-]LOGIN|UID[,..]  [do not] load this (these) user(s) only
--groups=[-]GID[,..]       load users [not] of this (these) group(s) only
--shells=[-]SHELL[,..]     load users with[out] this (these) shell(s) only
--salts=[-]COUNT           load salts with[out] at least COUNT passwords only
--format=NAME              force hash type NAME: DES/BSDI/MD5/BF/AFS/LM/crypt
--save-memory=LEVEL        enable memory saving, at LEVEL 1..3

Options - Explanation

Options may be specified along with password files or on their own. All options are case sensitive, can be abbreviated as long as the abbreviations are unambiguous, can be prefixed with two dashes (GNU-style) or with one dash, and can use "=" or ":" to indicate an argument.

Enables the "single crack" mode, using rules from the configuration file section.
--single
john --single file_to_crack.txt
Enable the wordlist mode (dictionary attack). This is quicker than the default (bruteforce) attack
--wordlist=FILE
john --wordfile:password.lst file_to_crack.txt
Lets you define the rules for using wordlists.
--rules

Enables an incremental mode that allows you to do a bruteforce attack under certain modes.
--incremental[=MODE]
john --incremental:alpha file_to_crack.txt
john --incremental:digits file_to_crack.txt
Continues an interrupted cracking session, reading state information from the specified session file or from $JOHN/john.rec by default.
--restore[=NAME]
john --restore:restore
(Note: If you used the-session option, you must specify the session name to restore the process.)

This option can only be used when starting a new cracking session and its purpose is to give the new session a name (to which John will append the ".rec" suffix to form the session file name).
--session=NAME
john --session:[filename_to_save] file_to_crack.txt
(Note: This option create and holds the data of your session that allow you to restore it later. )

Prints status of an interrupted or running session.
--status[=NAME]
john --status:[filename]
Shows the cracked passwords for given password files. You can use this option to see what John did so far.
--show
john --show file_to_crack.txt
Tests all of the compiled in hashing algorithms for proper operation and benchmarks them.
--test[=TIME]
john --test
Allows you to select just a few accounts for cracking or for other operations.
--users=[-]LOGIN|UID
john --users:User file_to_crack.txt
This option is useful to load accounts with a valid shell only or to not load accounts with a bad shell.
--shells=[-]SHELL

Allows you to override the hash type detection. Currently, valid "format names" are DES, BSDI, MD5, BF, AFS, LM, and crypt
--format=NAME
john --format:DES file_to_crack.txt 
john --format:BSDI file_to_crack.txt
john --format:MD5 file_to_crack.txt 
john --format:BF file_to_crack.txt 
john --format:AFS file_to_crack.txt 
john --format:LM file_to_crack.txt

Examples - Brute Force

On this part of tutorial we will create and crack a Hash .txt file which will include some passwords (LM/NTLM/HASH format).

First lets create the crack .txt file.
root@liatsisfotis:~# nano crack_Hash_id1.txt
Then we will add the LM and NTLM Hashes as follows:
Username::LM:NTLM:::
Editor::A4A54C86C6E5B8D0D69E92D4A9360EB0:FC4CB75BCC71D23954F4C94AD31AF0B1:::
Then we will write the following command to crack the .txt file
root@liatsisfotis:~# john crack_Hash_id1.txt 
Loaded 2 password hashes with no different salts (LM DES [128/128 BS SSE2-16])
ATSIS            (Editor:2)
FOTISLI          (Editor:1)
guesses: 2  time: 0:00:00:50 (3)  c/s: 20094K  trying: FOTILVY - FOTIBFA
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
To preview the results of this operation we write:
root@liatsisfotis:~# john --show crack_Hash_id1.txt 
Editor:FOTISLIATSIS::FC4CB75BCC71D23954F4C94AD31AF0B1:::

2 password hashes cracked, 0 left
(Note: The crack_Hash_id1.txt file contained only alpha charset)

Now we will create the crack_Hash_id2.txt file which will contain alpha-numeric charset.
root@liatsisfotis:~# nano crack_Hash_id2.txt

Liatsis_Fotis#Post::C99FFEFFD8300629F500944B53168930:892A0EAA0CFE35F105138006D6415A2E:::
Liatsis_Fotis#About::5524ADDCF15F4B1EAAD3B435B51404EE:730F52CBC638F6ECD8E1F5D89600AA6A:::
Liatsis_Fotis#ID::686A307B45A7EC144207FD0DF35A59A8:C7DE72EBBFF0979175DF38D63294FFA9:::
Next we will write the following command adding the --format option and 'll specify the LM format.
root@liatsisfotis:~# john --format=LM crack_Hash_id2.txt 
Loaded 5 password hashes with no different salts (LM DES [128/128 BS SSE2-16])
L                (Liatsis_Fotis#Post:2)
12               (Liatsis_Fotis#ID:2)
JTR              (Liatsis_Fotis#About)
TUTORIA          (Liatsis_Fotis#Post:1)
PRIVACY          (Liatsis_Fotis#ID:1)
guesses: 5  time: 0:00:00:04 (3)  c/s: 15942K  trying: PRIVAI! - PRIVSM2
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
To preview the results of this operation we write:
root@liatsisfotis:~# john --show crack_Hash_id2.txt 
Liatsis_Fotis#Post:TUTORIAL::892A0EAA0CFE35F105138006D6415A2E:::
Liatsis_Fotis#About:JTR::730F52CBC638F6ECD8E1F5D89600AA6A:::
Liatsis_Fotis#ID:PRIVACY12::C7DE72EBBFF0979175DF38D63294FFA9:::

5 password hashes cracked, 0 left

Examples - Dictionary Attack

On this part we will write the following command adding the --wordlist option and we will specify our wordlist file location.
root@liatsisfotis:~# nano crack_Hash_id3.txt
Security::a001bc4192095047aad3b435b51404ee:a8c6e71dc39003852acc407cfA612363:::
root@liatsisfotis:~# john --wordlist=my_wordlist.txt crack_Hash_id3.txt  
Loaded 1 password hash (LM DES [128/128 BS SSE2-16]) 
PR1V@CY          (Security) 
guesses: 1  time: 0:00:00:00 100%  c/s: 248533  trying: PR1VYPV - PR1V@YC 
Use the "--show" option to display all of the cracked passwords reliably
To preview the results of this operation we write:
root@liatsisfotis:~# john --show crack_Hash_id3.txt 
Security:PR1V@CY::A8C6E71DC39003852ACC407CFA612363:::

1 password hash cracked, 0 left
(Note: As we noticed, the wordlist attack method took less time to crack the Hash code)

(Note: I used the onlinehashcrack.com to generate my passwords to LM/NTLM format)

Conclusion

The are a lot of ways and things we can do to pass a hash code file. This tutorial describes the basic things we can do to create/generate and crack a simple .txt file which include LM/NTML Hashes. The best way is to try every parameter on a virtual environment, creating our Hash codes and wordlists to figure out what the option does before proceed to real hash .txt files.

Designed and Created by Liatsis Fotis for liatsisfotis.com

Download Tutorial (PDF)