Windows password anatomy and cracking using John The Ripper. I will show you how to crack Windows passwords using John The Ripper. John the Ripper is a fast password cracker, primarily for cracking Unix (shadow) passwords. Other than Unix-type encrypted passwords it also supports cracking Windows LM hashes and many more with open source. John the Ripper - how to install Installing John the Ripper. First of all, most likely you do not need to install John the Ripper system-wide. Instead, after you extract the distribution archive and possibly compile the source code (see below), you may simply enter the 'run' directory and invoke John from there.
John the Ripper password cracker is a Open Source and free password cracking software tool which works on different platforms. It can support up to 407 formats for “John The Ripper” version 1.9.0-Jumbo-1. This post will guide you on how to install John The Ripper via github. For Ubuntu apt package repository only support up to version (1.8.0-2build1) according to https://packages.ubuntu.com/bionic/all/
Before installing JohnTheRipper, there have some pre-require applications before proceed with John-the-ripper installation.
Step 1: Install prerequisite applications, type the following command
linuxref@pc-linuxref:~/passwordattacks$ sudo apt-get -y install cmake bison flex libicu-dev
linuxref@pc-linuxref:~/passwordattacks$ sudo apt-get -y install build-essential libssl-dev git zlib1g-dev
linuxref@pc-linuxref:~/passwordattacks$ sudo apt-get -y install yasm libgmp-dev libpcap-dev pkg-config libbz2-dev
Step 2: Clone git JohnTheRipper repository
linuxref@pc-linuxref:~/passwordattacks$ git clone git://github.com/magnumripper/JohnTheRipper -b bleeding-jumbo
Cloning into ‘JohnTheRipper’…
remote: Enumerating objects: 22, done.
remote: Counting objects: 100% (22/22), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 90188 (delta 6), reused 9 (delta 5), pack-reused 90166
Receiving objects: 100% (90188/90188), 113.07 MiB | 5.19 MiB/s, done.
Resolving deltas: 100% (70698/70698), done.
Checking out files: 100% (1894/1894), done.
linuxref@pc-linuxref:~/passwordattacks$
Step 3: Build JohnTheRipper
linuxref@pc-linuxref:~/passwordattacks/JohnTheRipper/src$ sudo ./configure –disable-openmp && make -s clean && make -sj4
…………………………………………………………
…………………………………………………………
CConfigured for building John the Ripper jumbo:
How To Use John The Ripper Windows 10
Target CPU …………………………… x86_64 XOP, 64-bit LE
AES-NI support ……………………….. run-time detection
Target OS ……………………………. linux-gnu
Cross compiling ………………………. no
Legacy arch header ……………………. x86-64.h
Optional libraries/features found:
Memory map (share/page large files) …….. yes
Fork support …………………………. yes
OpenMP support ……………………….. no
OpenCL support ……………………….. no
Generic crypt(3) format ……………….. yes
libgmp (PRINCE mode and faster SRP formats) yes
128-bit integer (faster PRINCE mode) ……. yes
libz (pkzip and some other formats) …….. yes
libbz2 (gpg2john extra decompression logic) yes
libpcap (vncpcap2john and SIPdump) ……… yes
OpenMPI support (default disabled) ……… no
ZTEX USB-FPGA module 1.15y support ……… no
Install missing libraries to get any needed features that were omitted.
Configure finished. Now “make -s clean && make -sj4” to compile.
ar: creating aes.a
ar: creating ed25519-donna.a
ar: creating secp256k1.a
Make process completed.
linuxref@pc-linuxref:~/passwordattacks/JohnTheRipper/src$ mv ../run/john ../run/john-non-omp
linuxref@pc-linuxref:~/passwordattacks/JohnTheRipper/src$ sudo ./configure CPPFLAGS=’-DOMP_FALLBACK -DOMP_FALLBACK_BINARY=””john-non-omp””‘
linuxref@pc-linuxref:~/passwordattacks/JohnTheRipper/src$ sudo make -s clean && make -sj4
Step 4: Install JohnTheRipper
linuxref@pc-linuxref:~/passwordattacks/JohnTheRipper/src$ sudo make shell-completion
[ -d /etc/bash_completion.d ] && cp ../run/john.bash_completion /etc/bash_completion.d/ || true
[ -d /usr/local/etc/bash_completion.d ] && cp ../run/john.bash_completion /usr/local/etc/bash_completion.d/ || true
[ -d /opt/local/etc/bash_completion.d ] && cp ../run/john.bash_completion /opt/local/etc/bash_completion.d/ || true
Bash-completion for JtR opportunistically installed.
Source “. ../run/john.bash_completion” or logout/login to activate the changes
[ -d /usr/share/zsh/functions/Completion/Unix ] && cp ../run/john.zsh_completion /usr/share/zsh/functions/Completion/Unix/_john || true
[ -d /usr/share/zsh/site-functions ] && cp ../run/john.zsh_completion /usr/share/zsh/site-functions/_john || true
[ -d /usr/local/share/zsh/site-functions ] && cp ../run/john.zsh_completion /usr/local/share/zsh/site-functions/_john || true
zsh-completion for JtR opportunistically installed.
Source “. ../run/john.zsh_completion” or logout/login to activate the changes
linuxref@pc-linuxref:~/passwordattacks/JohnTheRipper/src$
Step 5: Create symbolic link to /usr/bin/john
linuxref@pc-linuxref:~/passwordattacks/JohnTheRipper/src$ sudo ln -s ~/passwordattacks/JohnTheRipper/run/john /usr/bin/john
Step 6: Test the JohnTheRipper build
linuxref@pc-linuxref:~/passwordattacks/JohnTheRipper/run$ john –test=0
Testing: dynamic_2006 [md5(md5($p).$s) (PW > 55 bytes) 128/128 XOP 4×2]… PASS
Testing: dynamic_2008 [md5(md5($s).$p) (PW > 23 bytes) 128/128 XOP 4×2]… PASS
Testing: dynamic_2009 [md5($s.md5($p)) (salt > 23 bytes) 128/128 XOP 4×2]… PASS
Testing: dynamic_2010 [md5($s.md5($s.$p)) (PW > 32 or salt > 23 bytes) 128/128 XOP 4×2]… PASS
Testing: dynamic_2011 [md5($s.md5($p.$s)) (PW > 32 or salt > 23 bytes) 128/128 XOP 4×2]… PASS
Testing: dynamic_2014 [md5($s.md5($p).$s) (PW > 55 or salt > 11 bytes) 128/128 XOP 4×2]… PASS
Testing: dummy [N/A]… PASS
Testing: crypt, generic crypt(3) [?/64]… PASS
All 407 formats passed self-tests!
linuxref@pc-linuxref:~/passwordattacks/JohnTheRipper/run$
Step 7: Benchmark the JohnTheRipper build
linuxref@pc-linuxref:~/passwordattacks/JohnTheRipper/run$ john –test
Benchmarking: dynamic_2014 [md5($s.md5($p).$s) (PW > 55 or salt > 11 bytes) 128/128 XOP 4×2]… DONE
Many salts: 18117K c/s real, 18117K c/s virtual
Only one salt: 7198K c/s real, 7127K c/s virtual
Benchmarking: dummy [N/A]… DONE
Raw: 84348K c/s real, 84348K c/s virtual
Benchmarking: crypt, generic crypt(3) [?/64]… DONE
Speed for cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) of 1, cost 2 (algorithm specific iterations) of 1
Many salts: 197760 c/s real, 197760 c/s virtual
Only one salt: 197568 c/s real, 197568 c/s virtual
All 407 formats passed self-tests!
linuxref@pc-linuxref:~/passwordattacks/JohnTheRipper/run$
The End:
You should able to install JohnTheRipper version 1.9.0-Jumbo-1 in the Ubuntu 18.04 which out of apt package installation.
Reference:
1. https://github.com/magnumripper/JohnTheRipper
2. https://www.openwall.com/john/
I recently needed to recover passwords from a Linux system where I had the drive which I could connect to a Windows PC but this presented several issues starting with finding the right file then what tools to use and most importantly how to mate it correctly in OpenCL mode to get the benefit of graphics card processing power!
Firstly the drive was formatted as EXT3 which Windows doesn’t natively support. After a bit of research I found a free program called Ext Volume Manager and gave it a go. It worked perfectly and after giving a list of available drives you can double click and mount the drive as a drive letter in Windows then just browse to it like any other drive. It was simple and worked really well.
Now that problem out the way we needed to find the password file. In Linux passwords were historically stored in a hashed form in root/etc/ in a file named passwd so this is the first place to look. Open it in notepad or similar and it is highly likely you will see a series of lines line this:
root:x:0:0:root:/root:/bin/bash
The X is where the hash would have been found historically but when the security was updated this method was changed and so the X just shows that there is a password configured but it’s stored elsewhere.
That elsewhere is a file in the same location called ‘shadow’. The structure of this file is very similar to ‘passwd’ but in Linux has different permissions. Luckily in windows this doesn’t make much difference so we can just open it.
root:$6$THMmaDC5$k/fXJE/K73OSr3KuXBs.TzBjX6i3kj1dEwrEuV7DvsTxQ0YBDceTpHVQRKSPRTqhMFbdZfZl/lZVfnMCrkFJX1:15726:0:99999:7:::
The data should look more like this (I have cropped out some of the line to avoid it filling the screen. The $6$ in this case identifies the password hash as being sha512crypt format but yours may differ, the options are:
- $1 = MD5 hashing algorithm.
- $2 =Blowfish Algorithm is in use.
- $2a=eksblowfish Algorithm
- $5 =SHA-256 Algorithm
- $6 =SHA-512 Algorithm
The next bit ‘ THMmaDC5 ‘ is the ‘salt’ value which is random data used to encode the password as the hash making it more difficult to guess.
The remainder up to the colon is the hashed password which is what needs to be guessed so now we have the right file.
Next go ahead and download Cygwin ( https://www.cygwin.com/ ) this is basically a miniature Linux platform on Windows which lets you compile Linux programs to run under Windows if they are compiled for it.
How To Install John The Ripper Windows 7 64-bit
When installing Cygwin generally you can just use defaults and whatever local mirror you fancy however when the list of tools is shown search for OpenCL and add this to the installation.
Add the highlighted component to the install and continue and you should find you will soon have a Linux installation in a folder on your PC (default location is C:cygwin64 ).
Next download the zip of latest version of John the Ripper ( https://www.openwall.com/john/ ) – this is a widely recognised tool for this purpose and seems to work best. I also tried a program called HashCat but this didn’t seem to be able to find the hashes in the file. The version I used was 1.9.0-jumbo-1-64 Bit.
Hopefully the zip will look like this. Copy the all the folders and paste them into the Cygwin folder – there will already be a folders with those names so merge them. This operation adds the descriptors to allow Cygwin to recognise your OpenCL device however on my PC (and from what I’ve been reading online several others the path was incorrect so we’ll fix that.
Browse to the following path C:cygwin64etcOpenCLvendors and open the amd.icd file in notepad.
Next go the the system32 folder as shown and search for ‘amdocl64.dll’ . In my case this wasn’t present in the system32 folder directly but I found a match in System32DriverStoreFileRepository . If that is what you find just copy the file and paste it into system32 itself and this should correct the mismatch.
Next copy your ‘shadow’ file into ‘C:cygwin64run’ – technically this isn’t required but it makes life easier. In my case I edited it to have a .txt extension to make testing easier. Now to test it!
Open a command prompt Window and browse to ‘C:cygwin64run’ then enter the following command:
john shadow.txt –format=sha512crypt-opencl
Interchanging the format for whatever is relevant to your hash type. If you run john without specifying a hash format it will recognise it correctly but will default to CPU only mode rather than the OpenCL version which comes with a performance hit for most people.
All going well you should see something like this :
That tells us its working fine and has successfully found the graphics card as a processing device. Now take a break and leave it to churn through its options for as long as it takes. It won’t be fast!