John
Identifying Hashes
https://hashes.com/en/tools/hash_identifier
https://www.tunnelsup.com/hash-analyzer/
https://md5hashing.net/hash/
Online Hash Crackers
https://crackstation.net
https://hashes.com/en/decrypt/hash
Format-Specific Cracking
Once you have identified the hash that you're dealing with, you can tell John to use it while cracking the provided hash using the following syntax:
- --format= - This is the flag to tell John that you're giving it a hash of a specific format, and to use the following format to crack it
Example Usage:
A Note on Formats:
When you are telling John to use formats, if you're dealing with a standard hash type, e.g. md5 as in the example above, you have to prefix it with raw- to tell John you're just dealing with a standard hash type, though this doesn't always apply.
To check if you need to add the prefix or not, you can list all of John's formats using john --list=formats and either check manually, or grep for your hash type using something like
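As an added example (not from the original page), a short Python helper that does the identification and prefix check described above: it guesses candidate --format values from the shape of the hash, and resolves whether the raw- prefix is needed against a constructed excerpt of what john --list=formats prints. The sample hashes and the listing excerpt are constructed.

```python
import re

# Added example (not from the original page): guess a John --format value for a hash,
# then check the name against a constructed --list=formats excerpt.
CRYPT_PREFIXES = {  # crypt(3)-style prefixes map directly to a John format name
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
}
# Bare hex digests are told apart by length only; 32 hex chars is ambiguous
# because unsalted MD5 and Windows NT hashes are both 128 bits wide.
HEX_LENGTHS = {
    32: ["raw-md5", "NT"],
    40: ["raw-sha1"],
    64: ["raw-sha256"],
    128: ["raw-sha512"],
}

def suggest_formats(h):
    """Return candidate John format names for one hash string (empty if unknown)."""
    h = h.strip()
    for prefix, fmt in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return [fmt]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return HEX_LENGTHS.get(len(h), [])
    return []

def parse_format_list(listing):
    """Parse the comma-separated, line-wrapped text that john --list=formats prints."""
    names = listing.replace("\n", " ").split(",")
    return {n.strip().lower() for n in names if n.strip()}

def resolve_format(wanted, formats):
    """Pick the exact --format= name: the bare name if John has it, else the raw- form."""
    wanted = wanted.lower()
    for candidate in (wanted, "raw-" + wanted):
        if candidate in formats:
            return candidate
    return None

# Constructed excerpt; the real listing is several hundred names in this shape.
SAMPLE_LISTING = """descrypt, bsdicrypt, md5crypt, bcrypt, scrypt, LM, AFS, tripcode,
Raw-SHA512, Raw-MD4, Raw-MD5, Raw-SHA1, Raw-SHA256, NT, sha256crypt, sha512crypt"""

if __name__ == "__main__":
    formats = parse_format_list(SAMPLE_LISTING)
    for h in ("5f4dcc3b5aa765d61d8327deb882cf99", "$6$saltsalt$placeholder"):
        print(h, "->", [resolve_format(f, formats) for f in suggest_formats(h)])
```

When a hash resolves to more than one candidate (the 32-hex case), try each format in turn; John refuses to load a hash under the wrong one.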
Cracking Windows Hashes
NTHash and NTLM
NTHash is the hash format that modern Windows operating systems store user and service passwords in.
It's also commonly referred to as "NTLM", which references the previous version of the Windows format for hashing passwords, known as "LM", thus "NT/LM". You can acquire NTHash/NTLM hashes by dumping the SAM database on a Windows machine, by using a tool like Mimikatz, or from the Active Directory database, NTDS.dit.
You may not have to crack the hash to continue privilege escalation, as you can often conduct a "pass the hash" attack instead, but sometimes hash cracking is a viable option if there is a weak password policy.
Cracking Hashes on Linux
Unshadowing
John can be very particular about the formats it needs data in to be able to work with it. For this reason, in order to crack /etc/shadow passwords, you must combine it with the /etc/passwd file in order for John to understand the data it's being given. To do this, we use a tool built into the John suite of tools called unshadow. The basic syntax of unshadow is as follows:
unshadow [path to passwd] [path to shadow]
- unshadow - Invokes the unshadow tool
- [path to passwd] - The file that contains the copy of the /etc/passwd file you've taken from the target machine
- [path to shadow] - The file that contains the copy of the /etc/shadow file you've taken from the target machine
Example Usage:
Note on the files
When using unshadow, you can either use the entire /etc/passwd and /etc/shadow files, if you have them available, or you can use the relevant line from each, for example:
FILE 1 - local_passwd
Contains the /etc/passwd line for the root user:
FILE 2 - local_shadow
Contains the /etc/shadow line for the root user:
Cracking
We're then able to feed the output from unshadow, in our example use case called "unshadowed.txt", directly into John.
We should not need to specify a mode here, as we have made the input specifically for John.
However, in some cases you will need to specify the format as we have done previously, using --format=sha512crypt.
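To make the merged line layout concrete, here is an added Python approximation of what unshadow does; it is not the page's code and not John's own tool. The passwd and shadow contents are constructed and the hash fields are placeholders, and the pass-through of users with no shadow entry is an assumption about the real tool. It also drops the entries John could not load anyway (locked accounts and 'x' fields).

```python
# Added example, not the page's own or John's own code: a minimal re-implementation
# of what unshadow does, so the merged line layout John expects is visible.
# Both files are constructed and the hash fields are placeholders, not real hashes.

PASSWD_LINES = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob,,,:/home/bob:/bin/bash
"""

# Field 2 of a shadow line is the crypt(3) hash; the $6$ prefix means sha512crypt.
# A leading '!' (or a bare '*') means the account is locked and has nothing to crack.
SHADOW_LINES = """root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$6$othersalt$ANOTHERPLACEHOLDER:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
"""

def parse_shadow(text):
    """Map username -> hash field for every non-empty /etc/shadow line."""
    hashes = {}
    for line in text.splitlines():
        if line.strip():
            user, hash_field = line.split(":", 2)[:2]
            hashes[user] = hash_field
    return hashes

def unshadow(passwd_text, shadow_text):
    """Replace the 'x' password field of each passwd line with the matching shadow hash.
    Users with no shadow entry keep their passwd line unchanged (assumed to match the tool)."""
    shadow = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if fields[0] in shadow:
            fields[1] = shadow[fields[0]]
        merged.append(":".join(fields))
    return merged

def crackable(lines):
    """Drop lines John cannot load: no hash ('x' or empty) or a locked account ('*', '!...')."""
    keep = []
    for line in lines:
        field = line.split(":")[1]
        if field and field not in ("x", "*") and not field.startswith("!"):
            keep.append(line)
    return keep

if __name__ == "__main__":
    for line in crackable(unshadow(PASSWD_LINES, SHADOW_LINES)):
        print(line)  # this is what you would write to unshadowed.txt for John
```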
Cracking a Password-Protected Zip File
Zip2John
Similarly to the unshadow tool that we used previously, we're going to be using the zip2john tool to convert the zip file into a hash format that John is able to understand.
The basic usage is like this:
zip2john [options] [zip file] > [output file]
- [options] - Allows you to pass specific checksum options to zip2john; this shouldn't often be necessary
- [zip file] - The path to the zip file you wish to get the hash of
- > - This is the output redirector; we're using this to send the output from this file to the...
- [output file] - This is the file that will store the output from
Example Usage
Cracking
We're then able to take the file we output from zip2john, in our example use case called "zip_hash.txt", and, as we did with unshadow, feed it directly into John, as we have made the input specifically for it.
Cracking a Password-Protected RAR Archive
Rar2John
Almost identical to the zip2john tool that we just used, we're going to use the rar2john tool to convert the rar file into a hash format that John is able to understand.
The basic syntax is as follows:
rar2john [rar file] > [output file]
- rar2john - Invokes the rar2john tool
- [rar file] - The path to the rar file you wish to get the hash of
- > - This is the output redirector; we're using this to send the output from this file to the...
- [output file] - This is the file that will store the output from
Example Usage
Cracking
Once again, we're then able to take the file we output from rar2john, in our example use case called "rar_hash.txt", and, as we did with zip2john, feed it directly into John.
Cracking SSH Keys
SSH2John
As the name suggests, ssh2john converts the id_rsa private key that you use to log in to the SSH session into a hash format that John can work with.
Note that if you don't have ssh2john installed, you can use ssh2john.py, which is located at /opt/john/ssh2john.py. If you're doing this, replace the ssh2john command with python3 /opt/ssh2john.py or, on Kali, python /usr/share/john/ssh2john.py.
ssh2john [id_rsa private key file] > [output file]
- ssh2john - Invokes the ssh2john tool
- [id_rsa private key file] - The path to the id_rsa file you wish to get the hash of
- > - This is the output redirector; we're using this to send the output from this file to the...
- [output file] - This is the file that will store the output from
Example Usage
Cracking
For the final time, we're feeding the file we output from ssh2john, which in our example use case is called "id_rsa_hash.txt", and, as we did with rar2john, we can use this seamlessly with John:
PGP Keys
Have a file tryhackme.adc (the PGP private key block) and credential.pgp (the encrypted file).
Use gpg2john to output the PGP key to a hash format.
Should look like this:
Crack the hash.
Should end up with the file contents.
Now need to use gpg to import the key back on the target box.
GPG Errors
Errors populate despite it being the correct key -> the memory daemon needs restarting
Rule Based Attacks
Also known as hybrid attacks.
Assumes attacker knows something about the password policy.
John config file: look for List.Rules to see the available rules.
Example: the best64 rule contains the best 64 built-in John rules.
To use:
- --wordlist= to specify the wordlist or dictionary file.
- --rules to specify which rule or rules to use.
- --stdout to print the output to the terminal.
- | wc -l to count how many lines John produced.
By running the previous command we have expanded our password list from 1 (tryhackme) to 76.
Another Good Rule to use:
Creating Custom Rules
We want to add special characters to the beginning and a number to the end; the format would be:
We can add our rule to the end of john.conf:
- [List.Rules:THM-Password-Attacks] - specifies the rule name THM-Password-Attacks.
- Az - represents a single word from the original wordlist/dictionary using -p.
- "[0-9]" - append a single digit (from 0 to 9) to the end of the word. For two digits, we can add "[0-9][0-9]" and so on.
- ^[!@#$] - add a special character at the beginning of each word. ^ means the beginning of the line/word. Note, changing ^ to $ will append the special characters to the end of the line/word.
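As an added example (not part of the original page, and not John's own preprocessor), a small Python interpreter for just the rule commands described above, so you can see exactly which candidates the THM-Password-Attacks rule turns each word into. The rule string and the one-word list are the page's; the --stdout ordering (one concrete rule at a time over the whole list) is my assumption.

```python
import itertools
import re

# Added example, not from the page and not John's own preprocessor: a tiny
# interpreter for the three rule commands the page uses (Az"str", ^c, $c),
# including the [..] character-class expansion John's preprocessor performs.

def expand_classes(rule):
    """Turn one rule line with [..] classes into the concrete rules it stands for.
    Classes support a-b ranges, and several classes combine as a Cartesian product."""
    choices = []
    for part in re.split(r"(\[[^\]]*\])", rule):
        if part.startswith("[") and part.endswith("]"):
            body, chars, i = part[1:-1], [], 0
            while i < len(body):
                if i + 2 < len(body) and body[i + 1] == "-":
                    chars.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
                    i += 3
                else:
                    chars.append(body[i])
                    i += 1
            choices.append(chars)
        else:
            choices.append([part])
    return ["".join(combo) for combo in itertools.product(*choices)]

def apply_rule(word, rule):
    """Apply a concrete (class-free) rule: ^c prefixes c, $c appends c, Az"s" appends s."""
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == " ":
            i += 1
        elif cmd == "^":
            word, i = rule[i + 1] + word, i + 2
        elif cmd == "$":
            word, i = word + rule[i + 1], i + 2
        elif rule.startswith('Az"', i):
            end = rule.index('"', i + 3)
            word, i = word + rule[i + 3:end], end + 1
        else:
            raise ValueError("unsupported rule command at offset %d in %r" % (i, rule))
    return word

def expand_wordlist(words, rule):
    """Every candidate for the wordlist under this rule; ordering assumed to follow
    --stdout (one concrete rule at a time over the whole list)."""
    return [apply_rule(w, r) for r in expand_classes(rule) for w in words]
```

For the page's one-word list and the rule Az"[0-9]" ^[!@#$] this yields 10 x 4 = 40 candidates, which is the kind of count the earlier | wc -l check is meant to confirm.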
Note
All credit goes to the creator(s) of the John the Ripper Tool on THM.
www.tryhackme.com/room/johntheripper0