Skip to main content

John the Ripper: Notes

"John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems."

https://github.com/openwall/john

Example brute force md5 hash

# john --format=raw-md5 --wordlist /usr/share/wordlists/rockyou.txt robot.md5
Warning: invalid UTF-8 seen reading /usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 52 password hashes with no different salts (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
emerald          (?)
1g 0:00:00:00 DONE (2020-12-23 15:01) 33.33g/s 118200p/s 118200c/s 6060KC/s !@#$%..sss
Warning: passwords printed above might not be all those cracked
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed

Yet another example of md5

root@X220:/mnt/d/OneDrive/tryhackme/ctf# john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt creds
Using default input encoding: UTF-8
Loaded 9 password hashes with no different salts (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
scoobydoo2       (seina@fowsniff)
orlando12        (parede@fowsniff)
apples01         (tegel@fowsniff)
skyler22         (baksteen@fowsniff)
mailcall         (mauer@fowsniff)
07011972         (sciana@fowsniff)
carp4ever        (mursten@fowsniff)
bilbo101         (mustikka@fowsniff)
8g 0:00:00:01 DONE (2021-01-17 17:29) 5.333g/s 9562Kp/s 9562Kc/s 24454KC/s  fuckyooh21..*7¡Vamos!
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed
root@X220:/mnt/d/OneDrive/tryhackme/ctf#

Example brute force gpg hash

# john --format=gpg --wordlist=data-15.txt personal.txt.gpg.hash
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65011712 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:01:01 42.94% (ETA: 09:41:28) 0g/s 8.592p/s 8.592c/s 8.592C/s piagnucolassero..piagnucolerebbe
0g 0:00:01:33 62.31% (ETA: 09:41:34) 0g/s 8.233p/s 8.233c/s 8.233C/s riselezionarono..riselezionavate
valamanezivonia  (?)
1g 0:00:02:33 DONE (2020-12-19 09:41) 0.006504g/s 7.961p/s 7.961c/s 7.961C/s vezzeggerebbero..villeggerebbero
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Example brute force ssh hash

# john --format=ssh --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
james13          (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:06 DONE (2020-12-19 21:56) 0.1485g/s 2131Kp/s 2131Kc/s 2131KC/sa6_123..*7¡Vamos!
Session completed

Yet another example of brute force ssh hash

# john --format=ssh --wordlist=/usr/share/wordlists/rockyou.txt sshhash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
delicious        (idrsa.id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:06 DONE (2021-01-03 10:24) 0.1557g/s 2233Kp/s 2233Kc/s 2233KC/sa6_123..*7¡Vamos!
Session completed

Example of gpg

# john --format=gpg --wordlist=/usr/share/wordlists/rockyou.txt gpghash
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alexandru        (tryhackme)
1g 0:00:00:00 DONE (2021-01-10 11:51) 2.325g/s 2493p/s 2493c/s 2493C/s marshall..alexandru
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Example of sha512crypt

# john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt advice9
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
kakashi1         (?)
1g 0:00:00:27 DONE (2021-01-15 14:10) 0.03667g/s 1032p/s 1032c/s 1032C/s 010292..skate123
Use the "--show" option to display all of the cracked passwords reliably
Session completed


# john --wordlist=/usr/share/wordlists/rockyou.txt hash_id_rsa
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
cupcake          (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:15 DONE (2021-03-13 09:10) 0.06631g/s 951040p/s 951040c/s 951040C/sa6_123..*7¡Vamos!
Session completed
#

ssh2john

Get ssh2john.py at https://raw.githubusercontent.com/koboi137/john/bionic/ssh2john.py

ssh2john

# python3 ssh2john.py
Usage: ssh2john.py <RSA/DSA/EC/OpenSSH private key file(s)>

# python3 /usr/local/bin/ssh2john.py idrsa.id_rsa > sshhash

gpg2john

office2john

# ls -la .
total 44
drwxr-xr-x 1 root root   512 Mar 20 10:02 .
drwxr-xr-x 1 root root   512 Mar 20 09:44 ..
-rw-r--r-- 1 root root 15360 Mar 20 10:08 RSA-Secured-Credentials.xlsx
-rw-r--r-- 1 root root 18432 Mar 20 10:01 RSA-Secured-Document-PII.docx
# ls -la /usr/share/john/office2john.py
-rwxr-xr-x 1 root root 131690 May 14  2019 /usr/share/john/office2john.py
# cat credentials
RSA-Secured-Credentials.xlsx:$office$*2013*100000*256*16*95f4b8616169cc40904836f94aa3524f*ebfc9c7c926ba55752740a60ee7cf222*4ec8ea0badcf0dd4b3f44993a9d5cdf0fc215d03d7b519bc16327bacdb992819
# john --wordlist=/usr/share/wordlists/rockyou.txt credentials
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 128/128 AVX 4x / SHA512 128/128 AVX 2x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status

Practice

>>> THM | Encryption - Crypto 101 - Task 9 - SSH Authentication

>>> THM | Badbyte

Related articles

Hashcat: Notes

Labels:

Popular posts from this blog

Linux command: lsusb

lsusb - list USB devices NAME        lsusb - list USB devices SYNOPSIS        lsusb [ options ] DESCRIPTION        lsusb is a utility for displaying information about USB buses in the system and the devices connected to them. OPTIONS        -v, --verbose               Tells  lsusb to be verbose and display detailed information about the devices shown.  This includes configuration descriptors for the device's cur‐               rent speed.  Class descriptors will be shown, when available, for USB device classes including hub, audio, HID, communications, and chipcard.        -s [[bus]:][devnum]               Show only devices in specified bus and/or devnum.  Both ID's are given in decimal and may be omitted.        -d [vend...
Read more

DrayTek VigorAP 910C as Universal Repeater

3 steps to extend wi-fi coverage using DrayTek VigorAP 910C Set Operation Mode to Universal Repeater mode VigorAP 910C: Set Operation Mode Configuration to Universal Repeater Connect DrayTek VigorAP 910C to existing Wi-Fi Access Point Connect DrayTek VigorAP 910C to existing Wi-Fi Access Point Set Security Mode & Pass Phrase for DrayTek VigorAP 910C Set Security Mode & Pass Phrase for DrayTek VigorAP 910C Check Online Status
Read more