John the Ripper
John the Ripper ships in several builds; the most popular is the community-enhanced "Jumbo John", which supports far more hash and file formats (zip, rar, SSH keys and so on) than the core release.
Installing on Linux
On Debian-based distributions (Kali, Parrot, Ubuntu) install it with:
sudo apt install john
Installing on Windows
To install Jumbo John the Ripper on Windows, download the zipped binary for your architecture (64-bit or 32-bit) from the Openwall site and unzip it; there is nothing to install, john.exe lives in the run folder of the extracted archive.
Wordlists
To dictionary attack hashes, you need a list of words that you can hash and compare; unsurprisingly this is called a wordlist. There are many wordlists out there; a good collection is the SecLists repository. There are a few places you can look for wordlists on your attacking system of choice, so we will quickly run through where to find them.
On Parrot, Kali and TryHackMe's AttackBox you can find a series of wordlists in the /usr/share/wordlists directory.
If you are not using any of the above distributions, you can get the rockyou.txt wordlist from the SecLists repository under the /Passwords/Leaked-Databases subsection. You may need to extract it from .tar.gz format using:
tar xvzf rockyou.txt.tar.gz
On Kali, rockyou ships compressed as well and must be extracted once before use:
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
Basic Syntax
Basic syntax of John the Ripper commands:
john [options] [path to file]
Automatic Cracking
john --wordlist=[path to wordlist] [path to file]
john --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt
With no --format given, John tries to detect the hash type from the file and prints which format it loaded; if it warns that the string is also recognised as other formats, rerun with an explicit --format (see below). Cracked passwords are stored in John's pot file and can be listed again later with:
john --show [path to file]
Identifying Hashes
If John's automatic detection is wrong, identify the hash yourself, either with an online hash identifier (the hashes.com one is used in the example below) or with hash-identifier, a small Python tool that lists the hash types a given string is likely to be, giving you more formats to try if the first one fails.
To use hash-identifier, pull the script from GitLab:
wget https://gitlab.com/kalilinux/packages/hash-identifier/-/raw/kali/master/hash-id.py
Then launch it with python3 hash-id.py and paste in the hash you are trying to identify.
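What an identifier does for raw hashes is mostly length and character-set heuristics, and what a wordlist attack on an unsalted format does is hash every word and compare. The following is an added example (not hash-identifier's or John's code) that puts the two together: it maps a string to the John --format names it could be, then runs a constructed wordlist against it. The sample hash is built inline from the word "biscuit"; salted crypt(3) formats are identified but not cracked here, and NT is skipped when the Python build has no MD4.

```python
"""Added example: guess John --format names for a hash string, then run a
wordlist against it the way `john --wordlist=...` does for unsalted formats.
The sample hash and the wordlist below are constructed for the demo."""
import hashlib
import re

# crypt(3) prefixes, mapped to John's format names.
CRYPT_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
# Plain hex digests: the length alone is ambiguous, so list every candidate.
HEX_LENGTHS = {
    32: ["raw-md5", "NT", "raw-md4"],
    40: ["raw-sha1"],
    64: ["raw-sha256"],
    128: ["raw-sha512"],
}
# hashlib algorithm that reproduces each raw format (NT handled separately).
HASHLIB_FOR = {"raw-md5": "md5", "raw-sha1": "sha1",
               "raw-sha256": "sha256", "raw-sha512": "sha512"}

def identify(h: str) -> list:
    """Return the John --format names the string could belong to, best guess first."""
    for prefix, fmt in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return [fmt]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return list(HEX_LENGTHS.get(len(h), []))
    return []

def nt_hash(password: str):
    """NT hash = MD4(UTF-16LE(password)); None if this OpenSSL build has no md4."""
    try:
        return hashlib.new("md4", password.encode("utf-16le")).hexdigest()
    except ValueError:
        return None

def digest(fmt: str, password: str):
    """Hex digest of password under one raw format, or None if not supported here."""
    if fmt == "NT":
        return nt_hash(password)
    if fmt in HASHLIB_FOR:
        return hashlib.new(HASHLIB_FOR[fmt], password.encode()).hexdigest()
    return None   # salted crypt formats need the salt-aware algorithm; not done here

def dictionary_attack(h: str, wordlist):
    """Try every candidate format against every word; return (format, word) or None."""
    target = h.lower()
    for fmt in identify(h):
        for word in wordlist:
            if digest(fmt, word) == target:
                return fmt, word
    return None

# Constructed inputs for the demo.
WORDLIST = ["123456", "password", "biscuit", "letmein", "kangaroo"]
SAMPLE_MD5 = hashlib.md5(b"biscuit").hexdigest()

if __name__ == "__main__":
    print(identify(SAMPLE_MD5))                       # ['raw-md5', 'NT', 'raw-md4']
    print(dictionary_attack(SAMPLE_MD5, WORDLIST))    # ('raw-md5', 'biscuit')
```

The ordering in HEX_LENGTHS is the practical point: a 32-character hex string is just as likely to be an NT hash as an MD5, which is why John warns about alternative formats and why a wrong guess costs a whole wordlist pass.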
Format-Specific Cracking
syntax: john --format=[format] --wordlist=[path to wordlist] [path to file]
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt
you can list all of John's formats using john --list=formats
and either check manually, or grep for your hash type using something like john --list=formats | grep -iF "md5"
A Note on Formats:
When you pass a format for a standard, unsalted hash type (e.g. MD5 as in the example above), prefix it with raw- (raw-md5, raw-sha1, raw-sha256) to tell John you want the plain digest rather than one of the many derived formats that use the same algorithm. This doesn't apply everywhere: Windows NTLM hashes use the NT format and Unix crypt hashes use names like sha512crypt. When unsure, check the output of john --list=formats, grepping for your hash type as shown above.
Example
What type of hash is in hash1.txt? 2e728dd31fb5949bc39cac5a9f066498 (32 hex characters) | result = md5
What is the cracked value of hash1.txt? | biscuit
Solution:
s1: cat hash1.txt to reveal the hash (or cat * to dump every file in the task directory)
s2: identify the hash using https://hashes.com/en/tools/hash_identifier (or hash-identifier)
s3: crack the hash using john, with the raw- prefix because it is a plain MD5 digest:
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt /root/first_task_hashes/hash1.txt
(the 40-character SHA-1 hash in hash2.txt is cracked the same way with --format=raw-sha1)
Cracking Windows Hashes
What do we need to set the "format" flag to, in order to crack this? What is the cracked value of this password? 5460C85BD858A11475115D2DD3A82333 - Possible algorithms: NTLM
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt '/root/ntlm.txt' | mushroom
Cracking Hashes from /etc/shadow
In order to crack /etc/shadow passwords, you must combine the shadow entries with the matching /etc/passwd entries so that John sees each hash next to its username (which single-crack mode and the GECOS field rely on). To do this, we use a tool built into the John suite called unshadow. The basic syntax of unshadow is as follows:
unshadow [path to passwd] [path to shadow]
unshadow
- Invokes the unshadow tool
[path to passwd]
- The file that contains the copy of the /etc/passwd file you've taken from the target machine
[path to shadow]
- The file that contains the copy of the /etc/shadow file you've taken from the target machine
Example Usage:
unshadow local_passwd local_shadow > unshadowed.txt
Note on the files
When using unshadow, you can either use the entire /etc/passwd and /etc/shadow file- if you have them available, or you can use the relevant line from each, for example:
FILE 1 - local_passwd
Contains the /etc/passwd line for the root user:
root:x:0:0::/root:/bin/bash
FILE 2 - local_shadow
Contains the /etc/shadow line for the root user:
root:$6$2nwjN454g.dv4HN/$m9Z/r2xVfweYVkrr.v5Ft8Ws3/YYksfNwq96UL1FX0OJjY1L6l.DS3KEVsZ9rOVLB/ldTeEL/OIhJZ4GMFMGA0:18576::::::
Cracking
We're then able to feed the output from unshadow, in our example called "unshadowed.txt", directly into John. We should not need to specify a format here, as the input was made specifically for John and the $6$ prefix of the hash identifies it as sha512crypt; if John picks the wrong type, force it as we did previously with --format=sha512crypt:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txt
For the task file, save the root line root:x:0:0::/root:/bin/bash as local_passwd, combine it with the copied shadow file /root/etchashes.txt, and crack the result:
unshadow local_passwd /root/etchashes.txt > unshadowed.txt
john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txt
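To make clear what unshadow actually produces, here is an added example (not the unshadow tool's own code) that joins passwd and shadow lines on the username and swaps the x placeholder for the real hash. The root lines are the ones shown above; the daemon and alice lines are constructed. Unlike the real tool, which copies every account through, this version drops accounts whose shadow field is *, ! or empty, since those have no password hash for John to load.

```python
"""Added example: the merge that unshadow performs, with locked and
passwordless accounts filtered out.  Sample files are constructed below."""

def parse_colon_file(text: str) -> dict:
    """Map username -> list of fields for each non-empty line of a passwd/shadow file."""
    rows = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows

def has_crackable_hash(shadow_field: str) -> bool:
    """'*', '!', '!!' and an empty field mean locked or no password; '!<hash>' is
    a locked account whose old hash is still present, also skipped here."""
    return shadow_field not in ("", "*") and not shadow_field.startswith("!")

def unshadow(passwd_text: str, shadow_text: str) -> list:
    """Return john-ready lines in the form user:hash:uid:gid:gecos:home:shell."""
    shadow = parse_colon_file(shadow_text)
    merged = []
    for user, fields in parse_colon_file(passwd_text).items():
        if user not in shadow:
            continue                      # no shadow entry, nothing to substitute
        shadow_hash = shadow[user][1]     # second field of the shadow line
        if not has_crackable_hash(shadow_hash):
            continue
        merged.append(":".join([user, shadow_hash] + fields[2:]))
    return merged

# Constructed sample input: root taken from the lines above, the rest made up.
PASSWD = """root:x:0:0::/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """root:$6$2nwjN454g.dv4HN/$m9Z/r2xVfweYVkrr.v5Ft8Ws3/YYksfNwq96UL1FX0OJjY1L6l.DS3KEVsZ9rOVLB/ldTeEL/OIhJZ4GMFMGA0:18576::::::
daemon:*:18576:0:99999:7:::
alice:!:18576:0:99999:7:::
"""

if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(line)      # only the root line survives; write it to unshadowed.txt
```

The GECOS, home and shell fields are carried across deliberately: single-crack mode mines them for candidate words, which is the reason the passwd half is needed at all.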
Using Single Crack Mode
Single crack mode uses only the information provided in the username (and, for unshadowed files, the GECOS field) to work out possible passwords heuristically: it runs John's built-in single-mode mangling rules over that word, changing case, appending digits, reversing it and so on.
john --single --format=[format] [path to file]
--single
- This flag lets john know you want to use the single hash cracking mode.
Example Usage:
john --single --format=raw-sha256 hashes.txt
A Note on File Formats in Single Crack Mode:
If you're cracking hashes in single crack mode, you need to change the file format that you're feeding john for it to understand what data to create a wordlist from. You do this by prepending the hash with the username that the hash belongs to, so according to the above example- we would change the file hashes.txt
From:
1efee03cdcb96d90ad48ccc7b8666033
To
mike:1efee03cdcb96d90ad48ccc7b8666033
example:
hash: 7bf6d9bb82bed1302f331fc6b816aada
assuming that the user it belongs to is called "Joker", crack it
Solution:
s1: prepend the username to the hash in the file: Joker:7bf6d9bb82bed1302f331fc6b816aada
s2: crack the hash using single mode:
john --single --format=raw-md5 '/root/hash7.txt'
Custom Rules
You can define your own sets of rules, which John will use to dynamically create password candidates from each wordlist entry. Rule sets live in John's configuration file (john.conf in the run directory of a source build, or /etc/john/john.conf on Kali), one section per set. Reference material:
https://www.openwall.com/john/doc/RULES.shtml
https://cheatography.com/davechild/cheat-sheets/regular-expressions/
The first line:
[List.Rules:THMRules]
- Is used to define the name of your rule set; this is what you pass as a John argument to select it.
We then use single-character commands, together with a regex-like character-class syntax for the characters to insert, to define where in the word the modification happens. Again, we will only cover the basic and most common commands here:
Az
- Takes the word and appends it with the characters you define
A0
- Takes the word and prepends it with the characters you define
c
- Capitalises the first letter of the word (and lowercases the rest)
These can be used in combination to define where and what in the word you want to modify.
Lastly, we then need to define what characters should be appended, prepended or otherwise included, we do this by adding character sets in square brackets [ ]
in the order they should be used. These directly follow the modifier patterns inside of double quotes " "
. Here are some common examples:
[0-9]
- Will include numbers 0-9
[0]
- Will include only the number 0
[A-z]
- Will include both upper and lowercase letters, but note that John expands a range by ASCII code, so A-z also pulls in the six punctuation characters that sit between Z and a; use [A-Za-z] if you only want letters
[A-Z]
- Will include only uppercase letters
[a-z]
- Will include only lowercase letters
[a]
- Will include only a
[!£$%@]
- Will include the symbols !£$%@
Putting this all together, in order to generate candidates from the rules that would match the example password "Polopassword1!" (assuming the word polopassword was in our wordlist) we would create a rule entry that looks like this:
[List.Rules:PoloPassword]
cAz"[0-9][!£$%@]"
In order to:
Capitalise the first letter - c
Append to the end of the word - Az
A number in the range 0-9 - [0-9]
Followed by a symbol that is one of [!£$%@]
The two character classes expand to 10 x 5 = 50 concrete rules, so every word in the list produces 50 candidates (polopassword0!, polopassword0£, ... polopassword9@, each capitalised).
Using Custom Rules
We could then call this custom rule set as a John argument using the --rules=PoloPassword flag (John also accepts the abbreviation --rule=).
As a full command: john --wordlist=[path to wordlist] --rules=PoloPassword [path to file]
To see what a rule set produces before spending cracking time on it, add --stdout, which prints the candidates instead of testing them:
john --wordlist=[path to wordlist] --rules=PoloPassword --stdout
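To make the expansion concrete, the following added example (not John's own code) models the part of John's rule preprocessor that expands [...] lists, and the c, A0 and Az commands described above. Only that subset is implemented, and the order in which the expanded rules are generated is an assumption; the one-word wordlist is constructed.

```python
"""Added example: a minimal model of John's rule preprocessor ([...] lists) and
of the c, A0"..." and Az"..." commands, enough to see which candidates a rule
such as cAz"[0-9][!£$%@]" produces from one wordlist entry."""
import itertools

def expand_class(body: str) -> str:
    """Expand the inside of a [...] list: characters are taken literally and
    X-Y ranges run over ASCII code points (so A-z also yields the six
    punctuation characters between Z and a)."""
    chars = []
    i = 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            chars.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return "".join(chars)

def preprocess(rule: str) -> list:
    """Turn one rule line containing [...] lists into the concrete rules John
    would run: one rule per combination of the listed characters."""
    parts = []
    i = 0
    while i < len(rule):
        if rule[i] == "[":
            j = rule.index("]", i)
            parts.append(list(expand_class(rule[i + 1:j])))
            i = j + 1
        else:
            parts.append([rule[i]])
            i += 1
    return ["".join(p) for p in itertools.product(*parts)]

def apply_rule(rule: str, word: str) -> str:
    """Apply a concrete rule built from c, A0"..." and Az"..." to one word."""
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == "c":                 # capitalise: first letter upper, rest lower
            word = word[:1].upper() + word[1:].lower()
            i += 1
        elif cmd == "A":               # AN"STR": insert STR at position N (0 = start, z = end)
            pos, delim = rule[i + 1], rule[i + 2]
            end = rule.index(delim, i + 3)
            text = rule[i + 3:end]
            at = len(word) if pos == "z" else int(pos)   # only single-digit positions handled
            word = word[:at] + text + word[at:]
            i = end + 1
        elif cmd == " ":               # whitespace between commands is ignored
            i += 1
        else:
            raise ValueError(f"rule command {cmd!r} is not implemented in this example")
    return word

def candidates(rule: str, wordlist) -> list:
    """Everything John would try for this rule line over the wordlist."""
    rules = preprocess(rule)
    return [apply_rule(r, w) for w in wordlist for r in rules]

if __name__ == "__main__":
    RULE = 'cAz"[0-9][!£$%@]"'
    words = candidates(RULE, ["polopassword"])        # constructed one-word wordlist
    print(len(words), "Polopassword1!" in words)      # 50 True
```

Running expand_class("A-z") shows the range caveat directly: it returns 58 characters, not 52, which is why [A-Za-z] is the safer spelling when you only want letters.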
Cracking a Password Protected Zip File
Zip2John
The zip2john tool converts the zip file into a hash format that John is able to understand and, hopefully, crack. The basic usage is like this:
zip2john [options] [zip file] > [output file]
[options]
- Allows you to pass specific checksum options to zip2john; this shouldn't often be necessary
[zip file]
- The path to the zip file you wish to get the hash of
>
- Shell output redirection: zip2john prints the hash to standard output, so this sends it into the...
[output file]
- The file that will store the output from zip2john, which is what you then hand to John
Example Usage
zip2john zipfile.zip > zip_hash.txt
Cracking
We're then able to take the file we output from zip2john in our example use case called "zip_hash.txt" and, as we did with unshadow, feed it directly into John as we have made the input specifically for it.
john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt
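The hash zip2john writes is not a digest of the password at all: for the traditional PKZIP "ZipCrypto" scheme it carries the entry's encrypted 12-byte header, its CRC-32 and (for small entries) the encrypted data, and John tests each candidate by decrypting with it. The following added example (not zip2john's or John's code) implements that scheme from scratch so the check is visible: it encrypts a constructed, stored (uncompressed) entry with the password pass123, then cracks it with a constructed wordlist using the same two-stage test John uses, the cheap check byte first and a full CRC verification for any survivor.

```python
"""Added example: PKWARE traditional ("ZipCrypto") encryption implemented from
scratch, plus the candidate test that a cracker performs against the 12-byte
encryption header and the CRC-32 stored in the zip.  All inputs are constructed."""
import os
import zlib

# Plain (non-inverted) CRC-32 table used by the ZipCrypto key schedule.
CRCTAB = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRCTAB.append(c)

def crc32_byte(crc: int, b: int) -> int:
    return CRCTAB[(crc ^ b) & 0xFF] ^ (crc >> 8)

class ZipCrypto:
    """Stream cipher from APPNOTE section 6.1: three 32-bit keys seeded with the
    password and advanced by every plaintext byte."""
    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self.update(b)

    def update(self, b: int) -> None:
        k = self.k
        k[0] = crc32_byte(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = crc32_byte(k[2], k[1] >> 24)

    def stream_byte(self) -> int:
        t = (self.k[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            out.append(b ^ self.stream_byte())
            self.update(b)                    # keys advance on the plaintext byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            b = c ^ self.stream_byte()
            out.append(b)
            self.update(b)
        return bytes(out)

def encrypt_entry(password: bytes, plaintext: bytes, rng=os.urandom) -> tuple:
    """Return (crc32, ciphertext) for one stored entry: a 12-byte header whose
    last byte is the high byte of the CRC, followed by the encrypted file body."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = rng(11) + bytes([crc >> 24])
    return crc, ZipCrypto(password).encrypt(header + plaintext)

def check_password(password: bytes, crc: int, ciphertext: bytes) -> bool:
    """Fast reject on the check byte: about 1 in 256 wrong passwords survive."""
    header = ZipCrypto(password).decrypt(ciphertext[:12])
    return header[11] == (crc >> 24)

def verify_password(password: bytes, crc: int, ciphertext: bytes) -> bool:
    """Full check: decrypt the body and compare against the stored CRC-32."""
    body = ZipCrypto(password).decrypt(ciphertext)[12:]
    return (zlib.crc32(body) & 0xFFFFFFFF) == crc

def crack(crc: int, ciphertext: bytes, wordlist):
    """Wordlist attack: cheap header test first, CRC confirmation for survivors."""
    for word in wordlist:
        pw = word.encode()
        if check_password(pw, crc, ciphertext) and verify_password(pw, crc, ciphertext):
            return pw
    return None

# Constructed inputs: a flag file encrypted with pass123 and a tiny wordlist.
FLAG = b"THM{zipcrypto is not confidentiality}\n"
CRC, CIPHERTEXT = encrypt_entry(b"pass123", FLAG)
WORDLIST = ["123456", "password", "pass123", "letmein"]

if __name__ == "__main__":
    print(crack(CRC, CIPHERTEXT, WORDLIST))   # b'pass123'
```

Because the key schedule is cheap and the check byte rejects almost every wrong guess after 12 byte operations, this format is among the fastest John cracks; modern archives using AES (WinZip AES, 7-Zip, RAR5) replace this with PBKDF2-style key derivation precisely to make each guess expensive.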
Practical
Now have a go at cracking the attached "secure" zip file!
s1: zip2john '/root/secure.zip' > zip_hash.txt
s2: john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt
result: pass123
s3: extract the archive with unzip secure.zip, enter pass123 when prompted, and read flag.txt inside the zippy folder
Cracking a Password Protected RAR Archive
We can use a similar process to the one we used in the last task to obtain the password for rar archives.
Rar2John
Almost identical to the zip2john tool that we just used, we're going to use the rar2john tool to convert the rar file into a hash format that John is able to understand. The basic syntax is as follows:
rar2john [rar file] > [output file]
rar2john
- Invokes the rar2john tool
[rar file]
- The path to the rar file you wish to get the hash of
>
- Shell output redirection: rar2john prints the hash to standard output, so this sends it into the...
[output file]
- The file that will store the output from rar2john, which is what you then hand to John
Example Usage
rar2john rarfile.rar > rar_hash.txt
On the AttackBox rar2john lives alongside the rest of the suite, so the task command is: '/opt/john/rar2john' '/root/secure.rar' > rar.txt
To extract the archive once you have the password you also need unrar: sudo apt install unrar
Cracking
Once again, we take the file we output from rar2john, in our example called "rar_hash.txt", and as we did with zip2john feed it directly into John:
john --wordlist=/usr/share/wordlists/rockyou.txt rar_hash.txt
Command used for the task (rar2john reports the archive as RAR5, so the format can be forced explicitly):
john --wordlist='/usr/share/wordlists/rockyou.txt' --format=RAR5 '/root/secure_hash.txt'
Cracking SSH Key Passwords
SSH2John
ssh2john converts the id_rsa private key that you use to log in to an SSH session into a hash format that John can work with.
Note that if you don't have ssh2john installed, you can use ssh2john.py, which on the AttackBox is located at /opt/john/ssh2john.py. If you're doing this, replace the ssh2john command with python3 /opt/john/ssh2john.py, or on Kali, python /usr/share/john/ssh2john.py.
ssh2john [id_rsa private key file] > [output file]
ssh2john
- Invokes the ssh2john tool
[id_rsa private key file]
- The path to the id_rsa file you wish to get the hash of
>
- Shell output redirection: ssh2john prints the hash to standard output, so this sends it into the...
[output file]
- The file that will store the output from ssh2john, which is what you then hand to John
Example Usage
ssh2john id_rsa > id_rsa_hash.txt
Cracking
For the final time, we feed the file we output from ssh2john, in our example called "id_rsa_hash.txt", to John just as we did with rar2john. Note that ssh2john only has something to extract from a key that is actually passphrase-protected (a legacy PEM key shows Proc-Type: 4,ENCRYPTED in its header; the newer OPENSSH format records a cipher other than none); an unencrypted key has nothing to crack.
Commands used for the task:
python '/opt/john/ssh2john.py' '/root/idrsa.id_rsa' > id_rsa_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt