John the Ripper
Unshadow
in order to crack /etc/shadow passwords, you must combine it with the /etc/passwd file in order for John to understand the data it's being given. To do this, we use a tool built into the John suite of tools called unshadow. The basic syntax of unshadow is as follows: unshadow [path to passwd] [path to shadow]
Zip2John
Similarly to the unshadow tool that we used previously, we're going to be using the zip2john tool to convert the zip file into a hash format that John is able to understand, and hopefully crack. The basic usage is like this: zip2john [options] [zip file] > [output file]
[options]
- Allows you to pass specific checksum options to zip2john, this shouldn't often be necessary[zip file]
- The path to the zip file you wish to get the hash of>
- This is the output director, we're using this to send the output from this file to the...[output file]
- This is the file that will store the output from
Rar2John
Almost identical to the zip2john tool that we just used, we're going to use the rar2john tool to convert the rar file into a hash format that John is able to understand. The basic syntax is as follows: rar2john [rar file] > [output file]
SSH2John
Using John to crack the SSH private key password of id_rsa files. you can configure key-based authentication, which lets you use your private key, id_rsa, as an authentication key to login to a remote machine over SSH. However, doing so will often require a password- here we will be using John to crack this password to allow authentication over SSH using the key. ssh2john [id_rsa private key file] > [output file]
Its usual location is /usr/share/john/ssh2john.py
List Hash Formats
To list john hash formats, john --list=formats
Dynamic Hash Formats
Lets suppose, we want to crack a SHA-512 Hash which has a Salt with it. We would use dynamic formats john --format='dynamic=sha512($p.$s)'
And we will change our hash to be hash$salt
Single Crack Mode
In this mode, John uses only the information provided in the username, to try and work out possible passwords heuristically, by slightly changing the letters and numbers contained within the username.
Word Mangling
If we take the username: Markus Some possible passwords could be:
Markus1, Markus2, Markus3 (etc.)
MArkus, MARkus, MARKus (etc.)
Markus!, Markus$, Markus* (etc.)
John is building it's own dictionary based on the information that it has been fed and uses a set of rules called "mangling rules" which define how it can mutate the word it started with to generate a wordlist based off of relevant factors for the target you're trying to crack.
GECOS
John's implementation of word mangling also features compatibility with the Gecos fields of the UNIX operating system, and other UNIX-like operating systems such as Linux. You can see that each field of /etc/shadow or /etc/passwd is seperated by a colon ":". Each one of the fields that these records are split into are called Gecos fields. John can take information stored in those records, such as full name and home directory name to add in to the wordlist it generates when cracking /etc/shadow hashes with single crack mode.
Using Single Crack Mode
To use single crack mode, we use roughly the same syntax that we've used to so far, for example if we wanted to crack the password of the user named "Mike", using single mode, we'd use:
john --single --format=[format] [path to file]
--single - This flag lets john know you want to use the single hash cracking mode.
File Formats in Single Crack Mode
If you're cracking hashes in single crack mode, you need to change the file format that you're feeding john for it to understand what data to create a wordlist from. You do this by prepending the hash with the username that the hash belongs to
From: 1efee03cdcb96d90ad48ccc7b8666033
To: mike:1efee03cdcb96d90ad48ccc7b8666033
Custom Rules
You can define your own sets of rules, which John will use to dynamically create passwords. This is especially useful when you know more information about the password structure of whatever your target is.
Common Custom Rules
Many organisations will require a certain level of password complexity to try and combat dictionary attacks, meaning that if you create an account somewhere, go to create a password and enter: polopassword
You may receive a prompt telling you that passwords have to contain at least one of the following:
Capital letter
Number
Symbol
This is good! However, we can exploit the fact that most users will be predictable in the location of these symbols. For the above criteria, many users will use something like the following: Polopassword1!
A password with the capital letter first, and a number followed by a symbol at the end. This pattern of the familiar password, appended and prepended by modifiers (such as the capital letter or symbols) is a memorable pattern that people will use, and reuse when they create passwords. This pattern can let us exploit password complexity predictability.
Creating Custom Rules
Custom rules are defined in the john.conf
file, usually located in /etc/john/john.conf
.
The first line: [List.Rules:THMRules]
- Is used to define the name of your rule, this is what you will use to call your custom rule as a John argument.
We then use a regex style pattern match to define where in the word will be modified, again- we will only cover the basic and most common modifiers here:
Az
- Takes the word and appends it with the characters you defineA0
- Takes the word and prepends it with the characters you definec
- Capitalises the character positionally
These can be used in combination to define where and what in the word you want to modify.
Lastly, we then need to define what characters should be appended, prepended or otherwise included, we do this by adding character sets in square brackets [ ]
in the order they should be used. These directly follow the modifier patterns inside of double quotes " "
. Here are some common examples:
[0-9]
- Will include numbers 0-9[0]
- Will include only the number 0[A-z]
- Will include both upper and lowercase[A-Z]
- Will include only uppercase letters[a-z]
- Will include only lowercase letters[a]
- Will include only a[!£$%@]
- Will include the symbols !£$%@
Putting this all together, in order to generate a wordlist from the rules that would match the example password "Polopassword1!"
(assuming the word polopassword was in our wordlist) we would create a rule entry that looks like this:
In order to:
Capitalise the first letter - c
Append to the end of the word - Az
A number in the range 0-9 - [0-9]
Followed by a symbol that is one of [!£$%@]
Using Custom Rules
We could then call this custom rule as a John argument using the --rule=PoloPassword
flag. As a full command: john --wordlist=[path to wordlist] --rule=PoloPassword [path to file]
Jumbo John already comes with a large list of custom rules, which contain modifiers for use almost all cases. If you get stuck, try looking at those rules [around line 678] if your syntax isn't working properly.
Last updated