"John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems."
https://github.com/openwall/john
Example: brute-forcing an MD5 hash
# john --format=raw-md5 --wordlist /usr/share/wordlists/rockyou.txt robot.md5
Warning: invalid UTF-8 seen reading /usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 52 password hashes with no different salts (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
emerald (?)
1g 0:00:00:00 DONE (2020-12-23 15:01) 33.33g/s 118200p/s 118200c/s 6060KC/s !@#$%..sss
Warning: passwords printed above might not be all those cracked
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed
Another MD5 example
root@X220:/mnt/d/OneDrive/tryhackme/ctf# john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt creds
Using default input encoding: UTF-8
Loaded 9 password hashes with no different salts (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
scoobydoo2 (seina@fowsniff)
orlando12 (parede@fowsniff)
apples01 (tegel@fowsniff)
skyler22 (baksteen@fowsniff)
mailcall (mauer@fowsniff)
07011972 (sciana@fowsniff)
carp4ever (mursten@fowsniff)
bilbo101 (mustikka@fowsniff)
8g 0:00:00:01 DONE (2021-01-17 17:29) 5.333g/s 9562Kp/s 9562Kc/s 24454KC/s fuckyooh21..*7¡Vamos!
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed
root@X220:/mnt/d/OneDrive/tryhackme/ctf#
Example: brute-forcing a GPG hash
# john --format=gpg --wordlist=data-15.txt personal.txt.gpg.hash
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65011712 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:01:01 42.94% (ETA: 09:41:28) 0g/s 8.592p/s 8.592c/s 8.592C/s piagnucolassero..piagnucolerebbe
0g 0:00:01:33 62.31% (ETA: 09:41:34) 0g/s 8.233p/s 8.233c/s 8.233C/s riselezionarono..riselezionavate
valamanezivonia (?)
1g 0:00:02:33 DONE (2020-12-19 09:41) 0.006504g/s 7.961p/s 7.961c/s 7.961C/s vezzeggerebbero..villeggerebbero
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Example: brute-forcing an SSH hash
# john --format=ssh --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
james13 (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:06 DONE (2020-12-19 21:56) 0.1485g/s 2131Kp/s 2131Kc/s 2131KC/sa6_123..*7¡Vamos!
Session completed
Another example of brute-forcing an SSH hash
# john --format=ssh --wordlist=/usr/share/wordlists/rockyou.txt sshhash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
delicious (idrsa.id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:06 DONE (2021-01-03 10:24) 0.1557g/s 2233Kp/s 2233Kc/s 2233KC/sa6_123..*7¡Vamos!
Session completed
Example of GPG
# john --format=gpg --wordlist=/usr/share/wordlists/rockyou.txt gpghash
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alexandru (tryhackme)
1g 0:00:00:00 DONE (2021-01-10 11:51) 2.325g/s 2493p/s 2493c/s 2493C/s marshall..alexandru
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Example of sha512crypt
# john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt advice9
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
kakashi1 (?)
1g 0:00:00:27 DONE (2021-01-15 14:10) 0.03667g/s 1032p/s 1032c/s 1032C/s 010292..skate123
Use the "--show" option to display all of the cracked passwords reliably
Session completed
# john --wordlist=/usr/share/wordlists/rockyou.txt hash_id_rsa
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
cupcake (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:15 DONE (2021-03-13 09:10) 0.06631g/s 951040p/s 951040c/s 951040C/sa6_123..*7¡Vamos!
Session completed
#
ssh2john
Get ssh2john.py at https://raw.githubusercontent.com/koboi137/john/bionic/ssh2john.py
# python3 ssh2john.py
Usage: ssh2john.py <RSA/DSA/EC/OpenSSH private key file(s)>
# python3 /usr/local/bin/ssh2john.py idrsa.id_rsa > sshhash
gpg2john
office2john
# ls -la .
total 44
drwxr-xr-x 1 root root 512 Mar 20 10:02 .
drwxr-xr-x 1 root root 512 Mar 20 09:44 ..
-rw-r--r-- 1 root root 15360 Mar 20 10:08 RSA-Secured-Credentials.xlsx
-rw-r--r-- 1 root root 18432 Mar 20 10:01 RSA-Secured-Document-PII.docx
# ls -la /usr/share/john/office2john.py
-rwxr-xr-x 1 root root 131690 May 14 2019 /usr/share/john/office2john.py
# cat credentials
RSA-Secured-Credentials.xlsx:$office$*2013*100000*256*16*95f4b8616169cc40904836f94aa3524f*ebfc9c7c926ba55752740a60ee7cf222*4ec8ea0badcf0dd4b3f44993a9d5cdf0fc215d03d7b519bc16327bacdb992819
# john --wordlist=/usr/share/wordlists/rockyou.txt credentials
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 128/128 AVX 4x / SHA512 128/128 AVX 2x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Practice
>>> THM | Encryption - Crypto 101 - Task 9 - SSH Authentication
>>> THM | Badbyte