John The Ripper

John The Ripper (the binary is simply john) is a password hash cracking tool: given a file of hashes and a source of candidate passwords (a wordlist, mangling rules, or its own heuristics) it hashes each candidate and reports the ones that match.

Introduction

  • John the Ripper is one of the most well-known, well-loved and versatile hash cracking tools out there.

  • The basic syntax of John the Ripper commands is as follows: john <Options> <File to Crack>. With no options John runs its default sequence: single crack mode, then wordlist mode with its bundled password.lst, then incremental (brute-force) mode.

  • John has built-in features to detect what type of hash it's being given, and to select appropriate rules and formats to crack it for you. This is not the most reliable: many unrelated hash types look alike (plain MD5, NTLM and several others are all 32 hex characters), and when John prints a warning that the string is "also recognized as" other formats, its guess may simply be wrong. The basic wordlist command is: john --wordlist=<Wordlist> <File to Crack>

    • Example 1: john --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt

    • Example 2: john --wordlist=/usr/share/wordlists/rockyou.txt hash2.txt

  • Since John's automatic detection of hash isn't always reliable, there is another tool that can be utilized to identify the hash, /usr/share/hash-identifier/hash-id.py

    • If not installed, you can download the script with wget https://gitlab.com/kalilinux/packages/hash-identifier/-/raw/kali/master/hash-id.py (it lands in the current directory, so adjust the path below accordingly).

    • Usage is simple: run it with Python (python3 /usr/share/hash-identifier/hash-id.py) and then paste the hash to get a list of possible types, most likely first. Treat the output as a hint, not proof: it works purely from the length and character set, so it can't tell apart types that share a shape either.

  • After identifying the format of the hash, pin it explicitly so John can't mis-detect it: john --format=<Format> --wordlist=<Wordlist> <File to Crack>. The format names John accepts (raw-md5, raw-sha256, nt, sha512crypt, ...) are listed by john --list=formats.

    • Example 1: john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt

    • Example 2: john --format=whirlpool --wordlist=/usr/share/wordlists/rockyou.txt hash4.txt

    • Example 3: john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt ntlm.txt (nt is the format for NT hashes as dumped from the SAM or NTDS.dit; the NetNTLM challenge-response formats are different)

  • Every cracked hash is recorded in John's pot file (~/.john/john.pot by default) and is not attempted again: re-running the same command just prints "No password hashes left to crack". To display results, run john --show --format=<Format> <File to Crack>, passing the same --format so that John loads the file the same way it did when cracking.

  • To crack the /etc/shadow file we first need to use unshadow, a tool that ships with John The Ripper, to combine /etc/passwd and /etc/shadow into John's own passwd-style format (unshadow <Path to passwd> <Path to shadow>). Reading /etc/shadow requires root, hence the sudo. The result keeps the usernames and GECOS fields next to the hashes, which is exactly what Single Crack mode (below) feeds on; the combined file is then cracked with the usual wordlist command. Modern shadow hashes carry a prefix ($6$ for sha512crypt) that John recognises, so --format is rarely needed for them.

    • Example 1: sudo unshadow /etc/passwd /etc/shadow > unshadowed.txt

  • Single Crack mode: In this mode John uses only the information already in the input file (the username and, for passwd-style input, the GECOS and home directory fields) as its source material. It mangles those strings with the rules in the [List.Rules:Single] section of john.conf (changing case, appending or prepending digits, reversing, and so on) so that heuristic guesses such as Mike1 or ekim fall out of the login mike. ( john --single --format=<Format> <File to Crack>)

    • Example 1: john --single --format=raw-sha256 hashes.txt

  • If you're cracking hashes in single crack mode, you need to change the file format that you're feeding John so it knows what data to build candidates from. You do this by prepending the hash with the username that the hash belongs to, followed by a colon, so 1efee03cdcb96d90ad48ccc7b8666033 becomes <User Name>:1efee03cdcb96d90ad48ccc7b8666033. Without the login field John has nothing to mangle and single mode finds nothing.

    • Example 1: mike:1efee03cdcb96d90ad48ccc7b8666033

    • Example 2: Joker:7bf6d9bb82bed1302f331fc6b816aada
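The whole Introduction workflow in one script, added here as an example (it is not from the original page or the John project): wordlist mode with the format pinned, single crack mode on a user:hash line, and reading results back from the pot file. The hashes are raw MD5 computed at run time with md5sum (assumed present); john is only invoked if it is on PATH, and a private pot file keeps the demo out of ~/.john/john.pot. The wordlist, users and passwords are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: the Introduction's workflow on
# constructed raw-MD5 hashes. Hashes are computed at run time with md5sum
# (assumed available); john is only invoked if it is on PATH, and a private
# pot file keeps this demo out of ~/.john/john.pot.

WORK=$(mktemp -d)

# md5_hex WORD -> hex MD5 of WORD without a trailing newline (what raw-md5 expects)
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Constructed sample data: a three-word list, two bare hashes whose passwords
# are in that list, and one user:hash line for single-crack mode.
write_samples() {
    printf '%s\n' password letmein sunshine > "$WORK/words.txt"
    md5_hex password >  "$WORK/hashes.txt"
    md5_hex sunshine >> "$WORK/hashes.txt"
    # Single mode needs the login as the first field: it mangles "mike" into
    # Mike, mike1, ekim ... and Mike1 is the kind of guess its rules produce.
    printf 'mike:%s\n' "$(md5_hex Mike1)" > "$WORK/single.txt"
}

# run_john ARGS...: john with a private pot file, or a skip notice if absent
run_john() {
    if ! command -v john >/dev/null 2>&1; then
        echo "john not on PATH; skipping: john $*" >&2
        return 0
    fi
    john --pot="$WORK/john.pot" "$@"
}

# cracked_count FILE -> number of hashes in FILE that the pot file resolves
# (--show prints one "login:password" line per cracked hash, then a summary)
cracked_count() {
    run_john --format=raw-md5 --show "$1" 2>/dev/null | grep -c ':' || :
}

write_samples

# Confirm the exact --format name before trusting autodetection; --list=formats
# prints every format this build knows (names are case-insensitive).
run_john --list=formats | tr ',' '\n' | grep -i 'raw-md5' || :

# 1. Wordlist mode with the format pinned. Drop --format to see John's guess:
#    for 32-hex-character input it warns that the string is also recognized
#    as several other formats, which is why pinning it matters.
run_john --format=raw-md5 --wordlist="$WORK/words.txt" "$WORK/hashes.txt"

# 2. Single-crack mode: candidates are derived from the "mike" login only.
run_john --format=raw-md5 --single "$WORK/single.txt"

# 3. Cracked hashes live in the pot file. Re-running step 1 would only report
#    "No password hashes left to crack"; --show reads the results back.
run_john --format=raw-md5 --show "$WORK/hashes.txt"
run_john --format=raw-md5 --show "$WORK/single.txt"
echo "cracked from hashes.txt: $(cracked_count "$WORK/hashes.txt")"
```

Run it as sh workflow.sh on a box with john installed; without john it still builds the input files and explains what it would have run. The --pot option is the same mechanism the page's --show advice relies on: the pot file, not the terminal output, is where results live.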

Custom Rules

  • Many organisations will require a certain level of password complexity to try and combat dictionary attacks.

  • This is good! However, we can exploit the fact that most users will be predictable in the location of these symbols.

  • For example, A password with the capital letter first, and a number followed by a symbol at the end.

  • Custom rules can let us exploit password complexity predictability

  • Custom rules are defined in the john.conf file, usually located in /etc/john/john.conf (a source build keeps it in the run/ directory next to the john binary). John can also be pointed at a different copy with --config=<File>, which keeps experimental rules out of the system file.

  • [List.Rules:<Rule Name>] is used to identify a rule (Example: [List.Rules:THMRules])

  • The full syntax of the custom rules language is documented in the tool's Wiki and in doc/RULES (https://www.openwall.com/john/doc/RULES.shtml).

  • These are some of the syntax:

    • Az"<string>" - Takes the word and appends the string you define to its end (A is the insert command, z means the end of the word)

    • A0"<string>" - Takes the word and prepends the string you define (position 0)

    • c - Capitalises the first character of the word and lowercases the rest. It is not positional; to flip the case of the character at position N use TN instead.

  • These can be used in combination to define where and what in the word you want to modify.

  • After that we need to identify the characters. We do this by adding character sets in square brackets [ ], in the order they should be used; John's preprocessor expands each set into one rule per member, so [0-9] followed by [!$%@] yields 10 × 4 = 40 rules from a single line.

  • These directly follow the modifier patterns inside the double quotes " ", giving a complete rule such as cAz"[0-9][!£$%@]" (capitalise, then append a digit and a symbol).

  • Examples:

    • [0-9] - Will include numbers 0-9

    • [0] - Will include only the number 0

    • [A-z] - Will include both upper and lowercase letters; the range is taken in ASCII order, so it also picks up the six punctuation characters between Z and a ([ \ ] ^ _ `). Use [A-Za-z] for letters only.

    • [A-Z] - Will include only uppercase letters

    • [a-z] - Will include only lowercase letters

    • [a] - Will include only a

    • [!£$%@] - Will include the symbols !£$%@. Note that £ is not an ASCII character: rules are processed byte by byte, so in a UTF-8 john.conf it does not behave as a single symbol. Prefer ASCII symbols in rules, and check the candidates with --stdout before a long run.

  • We could then call this custom rule as a John argument using the --rules=<Rule Name> flag (John also accepts the abbreviation --rule; --rules with no name uses the [List.Rules:Wordlist] section). Rules mangle each word read from the list, so they go together with a wordlist: john --wordlist=<Wordlist> --rules=<Rule Name> <File to Crack>. Before a long run, replace the hash file with --stdout to print the candidates the rule generates and confirm it does what you intended.
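The rule assembled from the pieces above, written into a private copy of john.conf and previewed with --stdout. This is an added example, not from the original page or the John project. It assumes the distribution's john.conf sits at one of the paths tried below (it is copied so the stock rulesets stay available) and that john is on PATH for the preview step, which is skipped otherwise. The rule name THMRules and the sample word are constructed for the demo; the pound sign from the page's symbol set is left out so the character class stays single-byte.

```shell
#!/bin/sh
# Added example, not from the original page: a private john.conf carrying the
# custom rule, plus the check a practitioner wants before a long run: --stdout
# prints the candidates a ruleset generates without cracking anything.
# Assumed: a system john.conf at one of the paths below, john on PATH for the
# preview (skipped otherwise). THMRules is a constructed ruleset name.

WORK=$(mktemp -d)
CONF="$WORK/john.conf"
SYS=""

# find_john_conf -> path of the system john.conf, or failure
find_john_conf() {
    for f in /etc/john/john.conf /usr/share/john/john.conf \
             /opt/john/run/john.conf "$HOME/.john/john.conf"; do
        if [ -r "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# append_rule NAME RULE CONF: add a [List.Rules:NAME] section holding RULE
append_rule() {
    printf '\n[List.Rules:%s]\n%s\n' "$1" "$2" >> "$3"
}

# preview_count WORD NAME -> how many candidates ruleset NAME makes from WORD
# (0 when john or the system john.conf is unavailable)
preview_count() {
    if [ -n "$SYS" ] && command -v john >/dev/null 2>&1; then
        printf '%s\n' "$1" > "$WORK/one.txt"
        john --config="$CONF" --wordlist="$WORK/one.txt" --rules="$2" --stdout 2>/dev/null \
            | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Build the config: start from a copy of the system file so --config=$CONF
# still knows the Single/Wordlist rules and the format options.
if SYS=$(find_john_conf); then
    cp "$SYS" "$CONF"
else
    : > "$CONF"
    echo "no system john.conf found; $CONF holds only the custom section" >&2
fi

# The rule, read left to right:
#   c          capitalise the first character, lowercase the rest
#   Az"..."    append the quoted string at the end (z) of the word
#   [0-9]      preprocessor class: one rule per digit
#   [!$%@]     one rule per symbol; 10 * 4 = 40 rules from this one line
# (the page's set also has a pound sign; it is omitted here because the
# preprocessor works on bytes and a multi-byte UTF-8 character inside [] does
# not behave as a single symbol)
append_rule THMRules 'cAz"[0-9][!$%@]"' "$CONF"

printf '%s\n' password > "$WORK/words.txt"
if [ -n "$SYS" ] && command -v john >/dev/null 2>&1; then
    # First five of the forty candidates: "Password" plus a digit and a symbol
    john --config="$CONF" --wordlist="$WORK/words.txt" --rules=THMRules --stdout 2>/dev/null | head -n 5
    echo "candidates for 'password': $(preview_count password THMRules)"
    # The real run is the same command with a hash file in place of --stdout:
    # john --config="$CONF" --wordlist=words.txt --rules=THMRules hashes.txt
else
    echo "john or its john.conf not found; rule written to $CONF but not previewed" >&2
fi
```

The count is the thing to look at: a ruleset that expands to far more rules than you expected (or far fewer, because a class was mistyped) shows up here in seconds rather than after an hour of cracking.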

Other Types of Cracking

  • John The Ripper can also crack other things, like password protected zip files, password protected rar files, and SSH encrypted keys.

  • For each of these, similarly to the unshadow tool that we used previously, we're going to be using a specific tool to convert the file into a hash format that John is able to understand.

  • zip2john <Options> <ZIP File> > <Output File> - Used to convert the ZIP file into a format the John can understand.

  • rar2john <RAR File> > <Output File> - Used to convert the RAR file into a format that John can understand.

  • ssh2john <Key File> > <Output File> - Used to convert the SSH private key into a format that John can understand. In the jumbo build this is the Python script ssh2john.py (on Kali: /usr/share/john/ssh2john.py). It only applies to encrypted private keys; an unencrypted key needs no cracking at all.

  • john --wordlist=<Wordlist> <File Name> - Used to try and crack any of the mentioned files (after conversion). The converters put the original file name in the first field, where John expects a login, so john --show <File Name> reports the result as <original file>:<password>.
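The convert-then-crack procedure above, exercised end to end on a constructed input. This is an added example, not from the original page or the John project. It generates an RSA private key encrypted with the passphrase letmein (using ssh-keygen, if installed), converts it with ssh2john, cracks it from a three-word list and reads the result back with --show. Every external tool is looked up first and skipped when absent; the converter search paths are assumptions about where distributions place the jumbo helper scripts, and the converter_for/find_tool/to_john helpers are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: convert a password-protected
# artefact with the matching *2john helper, crack it, and read the result back
# with --show. Input is constructed here: a PEM RSA key encrypted with the
# passphrase "letmein". Tools are looked up first and skipped when missing;
# the search paths for the helpers are assumptions about common installs.

WORK=$(mktemp -d)

# converter_for FILE -> the *2john helper matching FILE's extension/name
converter_for() {
    case "$1" in
        *.zip) echo zip2john ;;
        *.rar) echo rar2john ;;
        *.pem|*id_rsa|*id_ecdsa|*id_ed25519) echo ssh2john ;;
        *) echo "no converter known for $1" >&2; return 1 ;;
    esac
}

# find_tool NAME -> command or script path for NAME. Jumbo ships the helpers
# as NAME (compiled C), NAME.py, or as scripts in its run/ directory.
find_tool() {
    for c in "$1" "$1.py"; do
        if command -v "$c" >/dev/null 2>&1; then printf '%s\n' "$c"; return 0; fi
    done
    for c in "/usr/share/john/$1.py" "/opt/john/run/$1.py" "/opt/john/run/$1"; do
        if [ -f "$c" ]; then printf '%s\n' "$c"; return 0; fi
    done
    return 1
}

# to_john FILE OUT: write FILE's hash line to OUT. The line starts with FILE's
# path as the "login" field, so --show later prints "<path>:<password>".
to_john() {
    conv=$(converter_for "$1") || return 1
    tool=$(find_tool "$conv") || { echo "$conv not installed" >&2; return 1; }
    case "$tool" in
        *.py) python3 "$tool" "$1" > "$2" ;;   # plain script: needs python3
        *)    "$tool" "$1" > "$2" ;;
    esac
}

# Constructed input: a PEM-format RSA key (traditional encrypted PEM, which
# ssh2john handles) plus a wordlist containing its passphrase.
KEY="$WORK/id_rsa"
printf '%s\n' password letmein qwerty > "$WORK/words.txt"

if command -v ssh-keygen >/dev/null 2>&1; then
    ssh-keygen -q -m PEM -t rsa -b 2048 -N letmein -f "$KEY" -C demo
    if to_john "$KEY" "$WORK/key.hash" && command -v john >/dev/null 2>&1; then
        # No --format needed: the converter's output carries its own format tag
        john --pot="$WORK/john.pot" --wordlist="$WORK/words.txt" "$WORK/key.hash"
        # A second run would only say "No password hashes left to crack";
        # the result is in the pot file and --show prints it as path:passphrase
        john --pot="$WORK/john.pot" --show "$WORK/key.hash"
    fi
else
    echo "ssh-keygen not found; nothing to convert" >&2
fi
```

Swap the ssh-keygen step for a real archive and to_john picks zip2john or rar2john by name; the rest of the procedure is identical, which is the point the section makes.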
