THM – John The Ripper – Part 15

Byaghanim

This is a continued series where I document my path through different tryhackme courses. I recommend everyone that wants to learn cyber security to subscribe to tryhackme.com and take the courses there.

Cracking Basic Hashes

John Basic Syntax

Basic Syntax for John the Ripper commands:

john [options] [path to file]

john – invokes the John the ripper program

[path to file] – The file contains the hash you’re trying to crack.

Automatic Cracking

John has a built-in feature to detect what type of has its been given. It selects the appropriate rules and formats to crack it for you. Not always reliable.

Syntax:

john --wordlist=[path to wordlist] [path to file]

--wordlist= – Specify using wordlist mode, reading from the file you supply.

[path to wordlist] – The path to the wordlist.

Example:

john --wordlist=usr/share/wordlist/rockyou.txt hash_to_crack.txt

Identifying Hashes

Multiple ways to identify a hash, such as using an online hash identifier. You can use a tool called hash-identifier.

To use hash-identifier, you can just pull the python file from gitlab using: wget https://gitlab.com/kalilinux/packages/hash-identifier/-/raw/kali/master/hash-id.py

Format-Specific Cracking

Syntax for telling john the hash you’re dealing with:

john --format=[format] --wordlist=[path to wordlist] [path to file]

--format= – Flag tells john you’re giving it a hash of a specific format.

[format] – Hash format

Example:

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txthash_to_crack.txt

A note on the formats:

When you are telling john to use formats, if you’re dealing with a standard hash type, e.g. md5 as in the example above, you have to prefix it with raw – to tell john you’re just dealing with a standard hash type, though this doesn’t always apply. To check if you need to add the prefix or not, you can list all of John’s formats using john --list=formats and either check manually, or grep for your hash type using something like john --list=formats | grep -iF "md5".

Cracking Windows authentication Hashes

Cracking Windows Hashes

Authentication hashes are the hashed version of passwords that are stored by operating systems. Its sometimes possible to crack them using the brute-force method. To get these hashes, you must often already have a privileged user.

NTHash/NTLM

NThash is the hash format that modern Windows OS machines will store user and service password in. Also commonly referred to as NTLM, which reference the previous version of Windows format of hashing passwords known as LM, therefor NT/LM.

The NTHash/NTLM hash can be aquired by dumping the SAM database on a Windows machine, by using tool like Mimikatz or from the Active Directory database: NTDS.dit. May not always have to crack the hash to continue privilege escalation. Can use a technique called Pass the Hash attack instead.

Cracking /etc/shadow Hashes

The /etc/shadow file is the file Linux machines where password hashes are stored. Also stores information, such as date of last password change and password expiration information. Contains one entry per line for each user or user account of the system. Usually only accessible by the root user.

Unshadowing

For John to be able to crack /etc/shadow passwords, you must combine it with the /etc/passwd file in order for John to understand the data its being given. To do this, we use a tool built into the John suite called unshadow. Basic syntax:

unshadow [path to passwd] [path to shadow]

unshadow – Invokes the unshadow tool
[path to passwd] – The file that contains the copy of the /etc/passwd file you’ve taken from the target machine
[path to shadow] – The file that contains the copy of the /etc/shadow file you’ve taken from the target machine

Example:

unshadow local_password local_shadow > unshadowed.txt

Note on the files

When using unshadow, you can either use the entire /etc/passwd and /etc/shadow file – or you can use the relevant line from each.

Cracking

The output we get from the unshadow we can use feed directly into John. Should have to specify a mode, however in some cases you will need to speicfy the format as we have done previously using: --format=sha512crypt

john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txt

Single Cracking Mode

John has a mode called Single Crack mode. In this mode, john uses only the information privded in the username, to try and work out a possible passwords heuristically, but changing letters and numbers in the username.

Word mangling

Example to understand Single Crack Mode and word mangling.

Username: Markus

Some possible passwords could be:

  • Markus1, Markus2, Markus3 (etc.)
  • MArkus, MARkus, MARKus (etc.)
  • Markus!, Markus$, Markus* (etc.)

GECOS

What are Gecos? The entries in /etc/shadow and /etc/password is seperated by colon “:”. Each one of these fileds that these records are split into are called Gecos fields. John can take information stored in those records, such as full name and home dir to add it to the wordlist it generates when cracking /etc/shadow hashes with single crack mode.

Using Single Crack Mode

Syntax:

john --single --format=[format] [path to file]

--single – This flag lets john know you want to use the single hash cracking mode.

Example Usage:

john --single --format=raw-sha256 hashes.txt

A note on file formats in single crack mode

If you’re cracking ashes in single crack mode, you need to change the file fomrat that you’re feeding john for it to understand what data to create a wordlsit from. You do this by prepending the hash with the username that the hash belongs to, so according to the above example- we would change the file hashes.txt

From:

1efee03cdcb96d90ad48ccc7b8666033

To:

mike:1efee03cdcb96d90ad48ccc7b8666033

Custom Rules

What are custom rules?

You can define your own sets of rules, which John will use to dynamically create passwords.

How to create Custom Rules

Custom rules are defined in the john.conf file, usually located in /etc/john/john.conf if you have installed John using package manager or built from source with make.

You can take a look at the wiki in order to get a full view of the types of modifier you can use, as well as examples. https://www.openwall.com/john/doc/RULES.shtml

The first line:

[List.Rules:THMRules] – Is used to define the name of your rule, this is what you will use to call your custom rule as a John argument.

Then use a regex style pattern match to define where in the word will be modified. The most common modifiers:

Az – Takes the word and appends it with the characters you define

A0 – Takes the word and prepends it with the characters you define

c – Capitalises the character positionally

These can be used in combination to define where and what in the word you want to modify.

Last, we need to define what characters should be appended, prepended or otherwise included. Do this by adding [ ] in the order they should be used. The directly follow the modifier patters inside of double quotes “ “.  Examples:

[0-9] – Will include numbers 0-9

[0] – Will include only the number 0

[A-z] – Will include both upper and lowercase

[A-Z] – Will include only uppercase letters

[a-z] – Will include only lowercase letters

[a] – Will include only a

[!£$%@] – Will include the symbols !£$%@

Example for generating a wordlist from the password “Polopassword1!”.

[List.Rules:PoloPassword]

cAz"[0-9] [!£$%@]"

In order to:

Capitalise the first  letter – c

Append to the end of the word – Az

A number in the range 0-9 – [0-9]

Followed by a symbol that is one of [!£$%@]

Using Custom Rules

We could then call this custom rule as a John argument using the  --rule=PoloPassword flag.

As a full command: 

john --wordlist=[path to wordlist] --rule=PoloPassword [path to file]

Cracking Password Protected Zip Files

Zip2John

Convert the zip file into a hash format that John is able to understand, and maybe crack. Basic usage:

zip2john [options] [zip file] > [output file]

[options] – Allows you to pass specific checksum options to zip2john, this shouldn’t often be necessary

[zip file] – The path to the zip file you wish to get the hash of

> – This is the output director, we’re using this to send the output from this file to the…


[output file] – This is the file that will store the output from

Example Usage

zip2john zipfile.zip > zip_hash.txt

Cracking

We’re then able to take the file we output from zip2john in our example use case called “zip_hash.txt” and, as we did with unshadow, feed it directly into John as we have made the input specifically for it.

john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt

Cracking Password Protected RAR Files

Rar2John

Almost identical to the zip2john tool that we just used, we’re going to use the rar2john tool to convert the rar file into a hash format that John is able to understand. The basic syntax is as follows:

rar2john [rar file] > [output file]

rar2john – Invokes the rar2john tool

[rar file] – The path to the rar file you wish to get the hash of

> – This is the output director, we’re using this to send the output from this file to the…

[output file] – This is the file that will store the output from

Example Usage

rar2john rarfile.rar > rar_hash.txt

Cracking

Once again, we’re then able to take the file we output from rar2john in our example use case called “rar_hash.txt” and, as we did with zip2john we can feed it directly into John..

john --wordlist=/usr/share/wordlists/rockyou.txt rar_hash.txt

Cracking SSH Keys with John

SSH2John

ssh2john converts the id_rsa private key that you use to login to the SSH session into hash format that john can work with. Note that if you don’t have ssh2john installed, you can use ssh2john.py, which is located in the /opt/john/ssh2john.py. If you’re doing this, replace the ssh2john command with python3 /opt/ssh2john.py or on Kali, python /usr/share/john/ssh2john.py.

ssh2john [id_rsa private key file] > [output file]

ssh2john – Invokes the ssh2john tool

[id_rsa private key file] – The path to the id_rsa file you wish to get the hash of

> – This is the output director, we’re using this to send the output from this file to the…

[output file] – This is the file that will store the output from

Example Usage

ssh2john id_rsa > id_rsa_hash.txt

Cracking

We’re feeding the file we output from ssh2john, which in our example use case is called “id_rsa_hash.txt” and, as we did with rar2john we can use this seamlessly with John:

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt

Similar Posts

THM – Common Linux Privilege Escalation – Part 20

THM – Common Linux Privilege Escalation – Part 20

Byaghanim

This is a continued series where I document my path through different tryhackme courses. I recommend everyone that wants to learn cyber security to subscribe to tryhackme.com and take the courses there. Table Of ContentsDirection og Privilege EscalationEnumerationAbusing SUID/GUID FilesFinding SUID BinariesExploiting Wriitable /etc/passwdEscaping Vi EditorExploiting CrontabExploitning PATH Variable Direction og Privilege Escalation Two main…

THM – SSRF – Part 9

THM – SSRF – Part 9

Byaghanim

This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. Table Of ContentsWhat is an SSRF?Types of SSRFWhat’s the impact?SSRF ExamplesFinding an SSRFDefeating Common SSRF DefensesDeny ListAllow ListOpen Redirect What is an SSRF? SSRF stands for Server-Side Request Forgery. It’s…

THM – Network Services – MySQL – Part 8

THM – Network Services – MySQL – Part 8

Byaghanim

Table Of ContentsUnderstanding MySQL Enumerating MySQL Exploit MySQL Understanding MySQL  What is MySQL?   In its simplest definition, MySQL is a relational database management system (RDBMS) based on Structured Query Language (SQL).   Database:   A database is simply a persistent, organized collection of structured data.   RDBMS:   A software or service used to create and manage databases based on a relational model. The word “relational” just menas…

THM – Walking An Application – Part 3

THM – Walking An Application – Part 3

Byaghanim

This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. Table Of ContentsIntroductionExploring The WebsiteViewing the Page SourceHow do I view the Page Source?Let’s view some Page Source!Developer Tools – InspectorDeveloper ToolsInspectorDeveloper Tools – DebuggerDeveloper Tools – DebuggerDeveloper Tools –…

THM – Burp suite – Part 11

THM – Burp suite – Part 11

Byaghanim

Table Of ContentsIntro  Proxy Target Definition TASKS  Tasks Tasks Tasks Tasks  Intro   Burp Suite is a framework of web appliccation pentesting tool. It is used to perform web app testing.   To install burp suite follow this guide. https://portswigger.net/burp/documentation/desktop/getting-started  Overview of Features  Proxy – What allows us to funnel traffic through Burp Suite for further analysis  Target – How we set the scope of our project. We can also use this to effectively create a site map of the application we are testing….

THM – Network Services – NFS – Part 6

THM – Network Services – NFS – Part 6

Byaghanim

Table Of ContentsUnderstanding NFS Enumerating NFS Exploiting NFS  Understanding NFS  What is NFS?   NFS stands for Network File System and allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by mounting all, or portion of a file system…