John The Ripper

Wordlists

Cracking Basic Hashes

Cracking Windows Authentication Hashes

  • NTHash is the format modern Windows stores user and service password hashes in, also known as NTLM
  • can be acquired by dumping the SAM database on a Windows machine
    • using a tool like mimikatz, or from the Active Directory database NTDS.dit
  • john --format=NT --wordlist=<wordlist> <file>

Cracking /etc/shadow Hashes

  • file where password hashes are stored, one line per user
  • needs to be combined with the /etc/passwd file for john to understand the given data
    • use the tool built into john, unshadow
    • unshadow <path to passwd> <path to shadow> then redirect the output into a new file
  • crack using john --format=sha512crypt --wordlist=<wordlist> <file>

Single Crack Mode

  • another mode in john called single crack
  • uses the information provided in the username to try out possible passwords heuristically
    • by changing letters and numbers in the username
    • input is formatted as username:hash
  • john --single --format=<format> <file>

Custom Rules

  • useful for respecting password rules, e.g.
    • capital letters
    • numbers
    • symbols
  • can exploit the fact that most users are predictable, e.g.
    • letters and symbols at the end of the password
  • creating custom rules
    • defined in /etc/john/john.conf
  • to use custom rules: john --wordlist=<wordlist> --rules=<name of rule> <file>
[List.Rules:<name of rule>]
<modifier commands><quoted string of characters to use, with [ ] classes>

Example

[List.Rules:PoloPassword]
cAz"[0-9][!£$%@]"
  • c capitalize first letter
  • Az append to end of word
  • [0-9] a number in range 0-9
  • [!£$%@] followed by a symbol from the list !£$%@
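To see what candidate space a rule like the one above produces, here is an added Python demo (not part of these notes or of John itself) that interprets just the c and Az"STR" commands, expanding [ ] classes in the quoted string the way John's rule preprocessor does:

```python
import itertools
import re

# Added demo: a tiny interpreter for the subset of John rule syntax used in
# the notes (c = capitalize, Az"STR" = append STR).  A [..] class inside the
# quoted string expands into one candidate per character, as John does.
CLASS_RE = re.compile(r'\[([^\]]+)\]')

def _class_chars(body):
    """Expand a class body such as '0-9' or '!£$%@' into its characters."""
    chars, i = [], 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == '-':      # range a-b
            chars.extend(map(chr, range(ord(body[i]), ord(body[i + 2]) + 1)))
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return chars

def _expand_classes(s):
    """Turn '[0-9][!£$%@]' into every literal string it stands for."""
    parts, pos = [], 0
    for m in CLASS_RE.finditer(s):
        if m.start() > pos:
            parts.append([s[pos:m.start()]])           # literal text between classes
        parts.append(_class_chars(m.group(1)))
        pos = m.end()
    if pos < len(s):
        parts.append([s[pos:]])
    return [''.join(p) for p in itertools.product(*parts)]

def apply_rule(word, rule):
    """Apply one rule line to a word and return every candidate it yields."""
    cands, i = [word], 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == 'c':                                  # capitalize first letter
            cands = [w[:1].upper() + w[1:].lower() for w in cands]
            i += 1
        elif cmd == 'A' and rule[i + 1] == 'z':         # Az"STR": append STR
            quote = rule[i + 2]
            end = rule.index(quote, i + 3)
            cands = [w + s for w in cands for s in _expand_classes(rule[i + 3:end])]
            i = end + 1
        else:
            raise ValueError(f"unsupported rule command at {i}: {cmd!r}")
    return cands
```

apply_rule("polopassword", 'cAz"[0-9][!£$%@]"') yields the 50 candidates from Polopassword0! to Polopassword9@, which shows how cheaply a "number then symbol" policy is covered.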

Cracking Password Protected Zip Files

  • using zip2john
  • zip2john <options> <zip> > <output file>
    • then crack that file using regular john

Cracking Password Protected rar Archives

  • using rar2john
  • rar2john <options> <rar> > <output file>
    • then crack that file using regular john

Cracking SSH Keys

  • using ssh2john
  • formats the id_rsa private key into a hash john can crack
  • ssh2john <options> <id_rsa private key file> > <output file>
    • then crack that file using regular john

Last modified 2023.11.10