(16 intermediate revisions by the same user not shown)

Line 15:

Old revision:

Second, John has support for many encryption mechanisms built-in, so it can handle a wide variety of password files. If you have a Unix password file with a list of users and encrypted passwords, John can brute force it.

=Using John as a Password Generator=

My introduction and main experience with John is feeding it wordlists and using it to generate passwords to test from that wordlist.

See [[John the Ripper/Password Generation]]

=Using John to Crack WPA=

You can convert airodump-ng pcap files into a format that John can understand using the following steps [http://openwall.info/wiki/john/WPA-PSK]:

==cap2hccap==

First, you'll need to convert the pcap to a hashcat pcap (hccap) file, using cap2hccap tool: http://sourceforge.net/projects/cap2hccap/files/

Download it, and unzip it to a directory. Run <code>make</code> and it will make a tool called <code>cap2hccap.bin</code>, which you will then run as an executable.

Call the bin file, pass it your cap file, then tell it where to output the hccap file:

<pre>
$ ./cap2hccap.bin /path/to/my.cap my.hccap
</pre>

==hccap2john==

Now you'll need to use hccap2john, a tool that comes with John the Ripper. if you don't have it (if you're using John the Ripper as part of a package manager, that doesn't build it), it's ok, you can just make a local build of John and use the tool from there.

Download John the Ripper, and make it.

<pre>
$ tar xzf john-1.7.9-jumbo-7.tar.gz
$ cd john*
$ cd src
$ make linux-x86-64
</pre>

Make sure you have LibSSL headers installed:

<pre>
$ apt-get install libssl-dev
</pre>

Now that you've finished building everything, all your binary tools will be in the <code>run</code> directory:

<pre>
$ ls -l john-1.7.9-jumbo-7/run/
total 2880
-rw------- 1 root root 341064 Jul 10 2012 all.chr
-rw------- 1 root root 232158 Jul 10 2012 alnum.chr
-rw------- 1 root root 131549 Jul 10 2012 alpha.chr
-rwx------ 1 root root 3908 Jul 10 2012 benchmark-unify
-rwxr-xr-x 1 root root 8736 Aug 16 17:00 calc_stat
-rwx------ 1 root root 579 Jul 10 2012 cracf2john.py
-rw------- 1 root root 4099 Jul 10 2012 dictionary.rfc2865
-rw------- 1 root root 40391 Jul 10 2012 digits.chr
-rw------- 1 root root 42268 Sep 19 2012 dumb16.conf
-rw------- 1 root root 57177 Sep 19 2012 dumb32.conf
-rw------- 1 root root 11230 Sep 17 2012 dynamic.conf
-rwx------ 1 root root 1868 Jul 10 2012 genincstats.rb
-rwxr-xr-x 1 root root 23408 Aug 16 17:00 genmkvpwd
lrwxrwxrwx 1 root root 4 Aug 16 17:00 hccap2john -> john
-rwxr-xr-x 1 root root 1381216 Aug 16 17:00 john
-rw------- 1 root root 25902 Sep 17 2012 john.bash_completion
-rw------- 1 root root 41299 Sep 17 2012 john.conf
-rw-r--r-- 1 root root 0 Aug 16 17:00 john.local.conf
lrwxrwxrwx 1 root root 4 Aug 16 17:00 keepass2john -> john
lrwxrwxrwx 1 root root 4 Aug 16 17:00 keychain2john -> john
-rw------- 1 root root 215982 Jul 10 2012 lanman.chr
-rwx------ 1 root root 453 Jul 10 2012 ldif2john.pl
-rwx------ 1 root root 860 Jul 10 2012 lion2john-alt.pl
-rwx------ 1 root root 979 Jul 10 2012 lion2john.pl
-rwx------ 1 root root 1289 Jul 10 2012 mailer
-rwxr-xr-x 1 root root 7736 Aug 16 17:00 mkvcalcproba
-rwx------ 1 root root 9658 Jul 10 2012 netntlm.pl
-rwx------ 1 root root 5190 Jul 10 2012 netscreen.py
-rwx------ 1 root root 4078 Jul 10 2012 odf2john.py
-rwx------ 1 root root 94733 Sep 20 2012 pass_gen.pl
-rw------- 1 root root 26215 Jul 10 2012 password.lst
lrwxrwxrwx 1 root root 4 Aug 16 17:00 pdf2john -> john
lrwxrwxrwx 1 root root 4 Aug 16 17:00 pwsafe2john -> john
lrwxrwxrwx 1 root root 4 Aug 16 17:00 racf2john -> john
-rwx------ 1 root root 6660 Sep 17 2012 radius2john.pl
lrwxrwxrwx 1 root root 4 Aug 16 17:00 rar2john -> john
-rwxr-xr-x 1 root root 7576 Aug 16 17:00 raw2dyna
-rwx------ 1 root root 5943 Jul 10 2012 relbench
-rwx------ 1 root root 9032 Sep 17 2012 sap2john.pl
-rwx------ 1 root root 526 Jul 10 2012 sha-dump.pl
-rwx------ 1 root root 491 Jul 10 2012 sha-test.pl
-rwx------ 1 root root 633 Jul 10 2012 sipdump2john.py
lrwxrwxrwx 1 root root 4 Aug 16 17:00 ssh2john -> john
-rw------- 1 root root 107571 Jul 10 2012 stats
-rwxr-xr-x 1 root root 9080 Aug 16 17:00 tgtsnarf
lrwxrwxrwx 1 root root 4 Aug 16 17:00 unafs -> john
lrwxrwxrwx 1 root root 4 Aug 16 17:00 undrop -> john
lrwxrwxrwx 1 root root 4 Aug 16 17:00 unique -> john
lrwxrwxrwx 1 root root 4 Aug 16 17:00 unshadow -> john
lrwxrwxrwx 1 root root 4 Aug 16 17:00 zip2john -> john
</pre>

We're interested in the <code>hccap2john</code> tool.

Call it as follows:

<pre>
$ ./hccap2john ./my.hccap
$WPAPSK$Walrus#k1xC0LKY57WA9vVgdLZS3uQhnqJsGeDNJX9BLVGPpRxBT.EG7gBNwlspasqW5AwOy03m5MkoPkJjbO9EBqITgJJoeXJdqLPAYkvN1k61.8w02wc.2..........0cWnD4jUVQVqAB4w3PtqWo1RZ5v3JR89pORZqn7ACqEwrNFylJLGeBKbNRgmH1hZEx7cS........................................I/huMokkg.aNsr/qbBolaxbAWal9ZvEBLiiR3vONMyyMB2NkH11csbvLqGIPBMWFjZ8K9XyZddJYVmQQhQ/K7T15qgPrH3N4T8CvvYHf3WUa......................................................................................................0w.....U...6OaRKi13gXzk8c2z29pCqc
</pre>

Or, to dump it to a password file and then call John on it:

<pre>
$ ./hccap2john ./my.hccap > crackme
</pre>

==Crack with John==

Now we have a password file that we can crack with John and a wordlist:

<pre>
john --wordlist=rockyou-10.txt --format=wpapsk crackme
</pre>

=Using Rules with John=

Download an excellent set of John the Ripper rules from KoreLogic security here: http://openwall.info/wiki/_media/john/korelogic-rules-20100801.txt

Based on the 2010 Defcon Crack Me If You Can contest.

==Install the Rules==

To install the rules, download that text file. Now run this command to add those rules to John's configure file:

<pre>
$ cat korelogic-rules-20100801.txt >> /etc/john/john.conf
</pre>

==Using Rules==

Now you can use any of the rules that are listed here (http://contest-2010.korelogic.com/rules.html) or that you see in the form of <code>[List.Rules:KoreLogicRulesPrependSeason]</code> in the rules file (just get rid of the <code>List.Rules:</code> part.)

<pre>
$ john --wordlist=rockyou-10.txt --format=wpapsk --rules=KoreLogicRulesPrependYears crackme
</pre>

==List All the Rules==

<pre>
for ruleset in `grep KoreLogicRules /etc/john/john.conf | cut -d: -f 2 | cut -d\] -f 1`; do echo ${ruleset}; done
KoreLogicRulesPrependSeason
KoreLogicRulesAppendSeason
KoreLogicRulesPrependHello
KoreLogicRulesPrependYears
KoreLogicRulesAppendYears
KoreLogicRulesAppendCurrentYearSpecial
KoreLogicRulesAppend4Num
KoreLogicRulesAppend5Num
KoreLogicRulesAppend6Num
KoreLogicRulesAppendSpecial3num
KoreLogicRulesAppendSpecial4num
KoreLogicRulesPrependCAPCAPAppendSpecial
KoreLogicRulesPrependNumNumAppendSpecial
KoreLogicRulesPrependNumNum
KoreLogicRulesPrependNumNumNum
KoreLogicRulesPrependNumNumNumNum
KoreLogicRulesPrependNumNumSpecial
KoreLogicRulesPrepend2NumbersAppend2Numbers
KoreLogicRulesPrependSpecialSpecial
KoreLogicRulesAppendSpecialNumberNumber
KoreLogicRulesAppendSpecialNumberNumberNumber
KoreLogicRulesPrependSpecialSpecialAppendNumber
KoreLogicRulesPrependSpecialSpecialAppendNumbersNumber
KoreLogicRulesPrependSpecialSpecialAppendNumbersNumberNumber
KoreLogicRulesAppend2Letters
KoreLogicRulesPrepend4NumAppendSpecial
KoreLogicRulesAppend4NumSpecial
KoreLogicRulesAppend3NumSpecial
KoreLogicRulesAppend2NumSpecial
KoreLogicRulesAddJustNumbersLimit8
KoreLogicRulesDevProdTestUAT
KoreLogicRulesPrependAndAppendSpecial
KoreLogicRulesAppendJustNumbers
KoreLogicRulesAppendNumbers_and_Specials_Simple
KoreLogicRulesAppendJustSpecials
KoreLogicRulesMonthsFullPreface
KoreLogicRulesAddShortMonthsEverywhere
KoreLogicRulesPrepend4LetterMonths
KoreLogicRulesAdd2010Everywhere
KoreLogicRulesPrependDaysWeek
KoreLogicRulesAdd1234_Everywhere
KoreLogicRulesAppendMonthDay
KoreLogicRulesAppendMonthCurrentYear
KoreLogicRulesReplaceNumbers2Special
KoreLogicRulesReplaceNumbers
KoreLogicRulesReplaceLettersCaps
KoreLogicRulesAddDotCom
KoreLogicRulesAppendCap-Num_or_Special-Twice
KoreLogicRulesAppendSpecialLowerLower
KoreLogicRulesAppendJustSpecials3Times
KoreLogicRulesPrependJustSpecials
KoreLogicRulesAppend1_AddSpecialEverywhere
KoreLogicRulesPrependNumNum_AppendNumSpecial
KoreLogicRulesAppendNum_AddSpecialEverywhere
KoreLogicRulesAppendNumNum_AddSpecialEverywhere
KoreLogicRulesAppendNumNumNum_AddSpecialEverywhere
KoreLogicRulesAppendYears_AddSpecialEverywhere
KoreLogicRulesL33t
KoreLogicRulesReplaceSpecial2Special
KoreLogicRulesReplaceLetters
</pre>

==Use All the Rules==

USE ALL OF THE RULES!!!

<pre>
$ for ruleset in `grep KoreLogicRules /etc/john/john.conf | cut -d: -f 2 | cut -d\] -f 1`; do john --wordlist=rockyou-10.txt --format=wpapsk --rules=${ruleset} crackme; done
</pre>

=References=

New revision:

Second, John has support for many encryption mechanisms built-in, so it can handle a wide variety of password files. If you have a Unix password file with a list of users and encrypted passwords, John can brute force it.

=Using John on Shadow Files=

Unix stores password hashes in the <code>/etc/shadow</code> file, and user information in the <code>/etc/passwd</code> file. [[John the Ripper]] can use this information to crack the passwords of Unix users.

[[John the Ripper/Shadow File]] - a guide to using John to crack passwords from an <code>/etc/shadow</code> file.

=Using John as a Password Generator=

You can feed John the Ripper a wordlist, and use it to generate a slew of variations on that wordlist, using rules. (For example, from a wordlist containing "password" you can generate the variants "p4ssw0rd", "Password", "password0000", etc.)

See [[John the Ripper/Password Generation]]

This can even be used in conjunction with the pw-inspector tool, which will take a list of passwords as inputs and return only those passwords that meet certain criteria. More info: http://tools.kali.org/password-attacks/hydra

=Using John to Crack WPA=

See the [[John the Ripper/WPA]] page for notes.

=Using Rules with John=

See [[John the Ripper/Rules]]

=Recovering Passwords from John=

A page on how to actually recover the passwords once John has cracked them: [[John the Ripper/Password Recovery]]

=References=
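Review bot: the WPA and rules sections shrink to "See the [[John the Ripper/WPA]] page for notes." and "See [[John the Ripper/Rules]]", so the cap2hccap/hccap2john walkthrough, the KoreLogic install step (`$ cat korelogic-rules-20100801.txt >> /etc/john/john.conf`) and the rule-listing loop leave this page; confirm that both sub-pages already carry that material before the removal lands. While it is being moved, fix the step order the old text had: the LibSSL headers (`$ apt-get install libssl-dev`) are listed after `$ make linux-x86-64`, but the build needs them first. The new pw-inspector sentence links to the hydra page (http://tools.kali.org/password-attacks/hydra) without saying that pw-inspector is distributed with hydra, which is why the link goes there; a few words would spare readers the confusion.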
Line 252 (old revision) / Line 60 (new revision):

Old revision:

[[Category:John the Ripper]]

[[Category:Kali]]
[[Category:Passwords]]

New revision:

{{JohnFlag}}

[[Category:Kali]]
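Review bot: this hunk drops [[Category:John the Ripper]] and [[Category:Passwords]] while adding {{JohnFlag}}; unless that template itself categorises the page, both categories are lost, so either confirm the template adds them or keep the explicit [[Category:...]] lines next to it.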
John the Ripper is a tool for password cracking and recovery.
John is part of the Kali Top 10
How It Works
John works well with other programs: it does several things well, and each of those capabilities is valuable on its own and can be combined with other tools. For example, see Aircrack and John the Ripper
Password Generation
First, John has a powerful password generation mechanism. It does not simply take wordlists. It can generate many, many more passwords from those wordlists. For example, starting with a list of the 10,000 most common passwords, John can create additional lists with 400,000 or 8 million additional password variations to try. You can carefully control how those variations are generated to target your password search as you go.
Password Testing and Encryption
Second, John has support for many encryption mechanisms built-in, so it can handle a wide variety of password files. If you have a Unix password file with a list of users and encrypted passwords, John can brute force it.
Using John on Shadow Files
Unix stores password hashes in the /etc/shadow file, and user information in the /etc/passwd file. John the Ripper can use this information to crack the passwords of Unix users.
John the Ripper/Shadow File - a guide to using John to crack passwords from an /etc/shadow file.
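The two files named above have fixed colon-separated layouts, and John's `unshadow` utility merges them before cracking. As an added example (not code from this wiki or from John the Ripper), the following Python parses both formats, performs the same merge, and flags the shadow fields an administrator should look at first. The sample records and every hash string in them are constructed placeholders, not real data.

```python
"""Parse passwd(5)/shadow(5) records, merge them the way John's `unshadow`
utility does, and flag shadow fields an auditor should look at.

Added example for this page; not code from John the Ripper. The two sample
files and their hash strings are constructed placeholders, not real data."""

import re

# Constructed sample files in the passwd(5) and shadow(5) layouts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
legacy:x:1002:1002:Legacy:/home/legacy:/bin/sh
svc:x:999:999:service:/var/lib/svc:/usr/sbin/nologin
"""

# Password fields: the $6$ entries are placeholder strings shaped like
# sha512crypt, bob's is locked with a leading '!', legacy's is a constructed
# 13-character string shaped like a DES crypt hash, and svc has an empty field.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASHROOT:19000:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERHASHALICE:19000:0:99999:7:::
bob:!$6$saltsalt$PLACEHOLDERHASHBOB:19000:0:99999:7:::
legacy:abJnggxhB/yWI:19000:0:99999:7:::
svc::19000:0:99999:7:::
"""

CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
             "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def _parse(text, nfields, name):
    """Split colon-separated records into {user: fields}, rejecting malformed lines."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"malformed {name} line ({len(fields)} fields): {line!r}")
        records[fields[0]] = fields
    return records


def parse_passwd(text):
    return _parse(text, 7, "passwd")


def parse_shadow(text):
    return _parse(text, 9, "shadow")


def unshadow(passwd_text, shadow_text):
    """Return passwd-style lines with the 'x' placeholder replaced by the shadow
    hash, which is the merged format John reads (users without a shadow entry
    keep their passwd field as is)."""
    shadow = parse_shadow(shadow_text)
    merged = []
    for user, fields in parse_passwd(passwd_text).items():
        fields = list(fields)
        if user in shadow:
            fields[1] = shadow[user][1]
        merged.append(":".join(fields))
    return merged


def classify(hash_field):
    """Label a shadow password field: empty, locked, a known crypt(3) scheme,
    legacy DES crypt, or unknown."""
    if hash_field == "":
        return "empty"
    if hash_field.startswith(("!", "*")):
        return "locked"          # never matches any crypt() output
    m = re.match(r"^\$([^$]+)\$", hash_field)
    if m:
        return CRYPT_IDS.get(m.group(1), "crypt-" + m.group(1))
    if DES_CRYPT_RE.match(hash_field):
        return "descrypt"
    return "unknown"


def audit(shadow_text):
    """Findings an administrator wants before (or instead of) running John:
    accounts that need no password at all, and hashes in a legacy scheme."""
    findings = []
    for user, fields in parse_shadow(shadow_text).items():
        kind = classify(fields[1])
        if kind == "empty":
            findings.append((user, "empty password field"))
        elif kind == "descrypt":
            findings.append((user, "legacy DES crypt hash"))
        elif kind == "unknown":
            findings.append((user, "unrecognised hash format"))
    return findings


if __name__ == "__main__":
    for line in unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(line)
    for user, finding in audit(SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```

Locked (`!`/`*`) and empty fields are the reason `unshadow` output is worth scanning before a cracking run: John will never match a locked hash, and an empty field needs no cracking at all, just a fix.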
Using John as a Password Generator
You can feed John the Ripper a wordlist, and use it to generate a slew of variations on that wordlist, using rules. (For example, from a wordlist containing "password" you can generate the variants "p4ssw0rd", "Password", "password0000", etc.)
See John the Ripper/Password Generation
This can even be used in conjunction with the pw-inspector tool, which will take a list of passwords as inputs and return only those passwords that meet certain criteria. More info: http://tools.kali.org/password-attacks/hydra
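To make concrete how a handful of rules multiplies a wordlist and how a pw-inspector-style filter then prunes the result, here is an added example in Python (not code from this wiki, from John the Ripper or from hydra). It implements a small subset of John's rule commands (`:` no-op, `l`, `u`, `c`, `$X` append, `^X` prepend, `sXY` substitute) and a policy filter on length and character classes; the wordlist and ruleset are constructed, and the function names are my own.

```python
"""Miniature John-style rule engine plus a pw-inspector-like policy filter.

Added example for this page, not John the Ripper's own code. It implements a
small subset of John's rule commands (':' no-op, 'l' lowercase, 'u' uppercase,
'c' capitalise, '$X' append X, '^X' prepend X, 'sXY' replace every X with Y);
the wordlist and ruleset below are constructed."""


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule (a sequence of commands, optionally space-separated) to a word."""
    w, i = word, 0
    while i < len(rule):
        cmd = rule[i]
        if cmd in (":", " "):              # no-op / separator
            i += 1
        elif cmd == "l":
            w, i = w.lower(), i + 1
        elif cmd == "u":
            w, i = w.upper(), i + 1
        elif cmd == "c":
            w, i = w[:1].upper() + w[1:].lower(), i + 1
        elif cmd in ("$", "^"):
            if i + 1 >= len(rule):
                raise ValueError(f"{cmd!r} needs a character in rule {rule!r}")
            ch = rule[i + 1]
            w = w + ch if cmd == "$" else ch + w
            i += 2
        elif cmd == "s":
            if i + 2 >= len(rule):
                raise ValueError(f"'s' needs two characters in rule {rule!r}")
            w, i = w.replace(rule[i + 1], rule[i + 2]), i + 3
        else:
            raise ValueError(f"unsupported rule command {cmd!r} in rule {rule!r}")
    return w


# Constructed wordlist and ruleset; the rules mimic the spirit of the KoreLogic
# "append years" and "l33t" sets at toy scale.
WORDLIST = ["password", "walrus"]
RULES = [
    ":",                 # the word unchanged
    "c",                 # Password
    "sa4 se3 si1 so0",   # p4ssw0rd
    "c $1 $2 $3",        # Password123
    "$2$0$0$9",          # password2009
    "$2$0$1$0",          # password2010
]


def expand(wordlist, rules):
    """Every word under every rule, de-duplicated in first-seen order (the job
    John's `unique` tool does on a generated list)."""
    seen, out = set(), []
    for word in wordlist:
        for rule in rules:
            cand = apply_rule(word, rule)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def pw_inspector(candidates, min_len=8, min_classes=2):
    """Keep only candidates that satisfy a policy of minimum length and number of
    distinct character classes (lower, upper, digit, other); this is the kind of
    filter pw-inspector applies so John does not spend time on candidates the
    target's policy would never have accepted."""
    kept = []
    for cand in candidates:
        classes = (
            any(c.islower() for c in cand)
            + any(c.isupper() for c in cand)
            + any(c.isdigit() for c in cand)
            + any(not c.isalnum() for c in cand)
        )
        if len(cand) >= min_len and classes >= min_classes:
            kept.append(cand)
    return kept


if __name__ == "__main__":
    all_candidates = expand(WORDLIST, RULES)
    print(f"{len(WORDLIST)} words x {len(RULES)} rules -> {len(all_candidates)} candidates")
    for cand in pw_inspector(all_candidates):
        print(cand)
```

Two words and six rules already give twelve candidates; the 400,000 and 8 million figures quoted earlier on this page come from the same multiplication applied to a 10,000-word list and the full rulesets. The filter is the defender's reading of the same arithmetic: a policy that demands length and mixed classes removes most of the cheap variants, and the ones that survive ("Password123", "walrus2010") show which patterns a policy alone does not stop.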
Using John to Crack WPA
See the John the Ripper/WPA page for notes.
Using Rules with John
See John the Ripper/Rules
Recovering Passwords from John
A page on how to actually recover the passwords once John has cracked them: John the Ripper/Password Recovery
References
John documentation: http://www.openwall.com/john/doc/OPTIONS.shtml
A fantastic and thorough list of tutorials for beginners: http://openwall.info/wiki/john/tutorials
WPA/WPA2 with John: http://openwall.info/wiki/john/WPA-PSK
John/Defcon Crack Me If You Can Contest: http://contest-2010.korelogic.com/
Using the korelogic rules: http://contest-2010.korelogic.com/rules.html
All the rules: http://openwall.info/wiki/_media/john/korelogic-rules-20100801.txt
Bunches of John + MPI tutorials: http://openwall.info/wiki/john/tutorials