John the Ripper Tutorial - r00tsecurity

http://r00tsecurity.org/forums/topic/5643-john-the-ripper-tutorial/

John the Ripper Tutorial


ShapeShifters
Posted 21 May 2008 - 11:10 PM


John the Ripper Tutorial


---Introduction---

Well I've decided to make a John the Ripper tutorial. John the Ripper is a pretty good password cracking tool. Here is a description from the site (displayed later) where you get it:

Quote: John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.

I'm going to go through the Windows way to use John the Ripper and I will cover some of the basic types of attacks and things you can do with John the Ripper. This article will be fairly long so I can try and explain things in a way that I hope most people can understand.

---Some Bits of Information---

DES Hashes

John the Ripper is known very well for its ability to deal with DES hashes (and it is the main one I'll be concentrating on in this article). I'm going to briefly explain a bit about what a DES hash is. DES stands for Data Encryption Standard and is a method for encrypting information like passwords. The key length for DES is 56 bits. Well, the key actually consists of 64 bits, but only 56 of these are actually used by the algorithm and the other 8 bits are used solely for checking parity (error detection) and are therefore discarded. The DES hash will have 13 characters and will have a username or something on the front of it. Therefore, a DES hash will look like this:

shape:CRjRYEn9g3PUc

As you can see the username "shape" is in front of the 13 character encryption and they are separated by a colon (:). If you would like to learn more about DES you can go here: http://en.wikipedia.org/wiki/Data_Encryption_Standard

If you want to make your own DES hash just follow these steps:

- Go to this site: http://www.yellowpipe.com/yis/tools/encrypter/index.php
- Type the text/password or whatever that you want to be encrypted in the text box
- Click on the drop-down menu and choose the option "DES Crypt (one way)". *Note that it says one way because while this site decrypts many things, it will not decrypt a DES hash, only encrypt something into one.
- Click ok
- Copy the encrypted text and paste it in Notepad with "username:" in front of it so it looks like my above example
- Save it in the run folder of John the Ripper as a .txt file

You now have your own DES hash.

As you will see further in the article, dictionary attacks use wordlists. If you want to get a wordlist you can search online through Google or something and find them easily. There are many, many, many places that have wordlists. All a wordlist is, is a text document full of words that you place in the run folder of John the Ripper. An example of such a site is this: http://www.theargon.com/achilles/wordlists/

Now let's start the tutorial.

---Installing on Windows---

First things first, if you don't already have John the Ripper, go here to download it: http://www.openwall.com/john/

The download you want as a Windows user is "John the Ripper 1.7.0.1 (Windows - binaries, ZIP, 1360 KB)" if you were confused.

Some tips when you install John the Ripper that will make things easier on you, but you do not have to do them if you don't want to:

- Save it in the plain old C:/ location, none of that Program Files location or anything.
- When it installs it will probably look something like C:/John/john1701/ etc. Move everything out of the john1701 folder and into the first folder. Then delete john1701.
- Now when you go into your C drive and open up the john folder, you should see both the doc and run folders instead of john1701.
- In the run folder you will see the application "john-386" or "john-something". Just rename that to "john".

These few tips will make less work (not a whole lot less, but a little) when writing out the commands that follow.

When you install John the Ripper, you will not open anything in the installed folders, nor would you go to Start and Programs to find it newly installed there for easy access. No, with John the Ripper you have to open it via the MS-DOS command line. I assume you already know how to open the command line, but in case you don't and don't want to have to admit that to someone for fear of getting made fun of: go Start, Run, and type in cmd or command.

Once you have that open you have to go to the John the Ripper directory. If you did what I said above in the tips, then it should be in the folder "C:/john/run/". If you didn't, yet you still installed it with at least the first tip, it should look something like this: "C:/john/john1701/run/". To go to the location in the command line you have to type this command:

cd C:/john/run

With this command typed in, the next line should look like this:

C:\john\run>

Now type in "john" or "john-386" (without the quotation marks of course) depending on the name of it. You should have the program information menu come up and it should give you the list of things it can do.

Now is when we will get into the types of attacks I will show you in this article.

-Bruteforce Attack-

First I will show you John the Ripper's bruteforcing mode. All this mode does is try every possible combination of letters (both upper and lowercase), numbers, symbols or any combination of the three until it finds the password.
Before I tell you how to do it, we have to take our hash (I'm going to use shape:CRjRYEn9g3PUc from above), copy and paste it in Notepad, and save it in the "run" directory of John the Ripper as a .txt file. I'm going to call it hash.txt.

One way to do this type of attack is to type in "john hash.txt" (all commands will be without the quotation marks) and press enter. This will start trying to bruteforce the password. Another way would be to drag the hash.txt file and drop it on the john application (this will be done in the run folder).

There is a big problem with this type of attack though, and that is that it can take extremely long, and no one wants to wait long periods of time if they don't have to. You can stop the process at any time by pressing "ctrl+C". Also, John the Ripper doesn't show the progress, but you can check the progress by pressing any key (assuming the key won't do something to interrupt the program; just use enter or an arrow key or something).

-Bruteforce Attack with conditions-

One way you can shorten things up is by choosing if you only want to use letters or numbers to crack the password. So if you think the password only contains letters you can use the command "john -i:alpha hash.txt"; if you think the password only contains numbers you can use the command "john -i:digits hash.txt"; you can also use the command "john -i:all hash.txt" to guess the password, which uses both the letters and numbers.

-Dictionary Attack-

Now when passwords get long, even this method can be a long task. So another type of attack you can do is called a dictionary attack. What a dictionary attack does is take a wordlist (a text document full of words, be it an actual dictionary or more) and check each word in that list until it finds a match. This is a much faster way than the bruteforcing methods above. However, the only way this type of attack will work is if the decrypted hash is among the words in the wordlist.
For this example the wordlist I will use will be called "wordlist.txt". To do a dictionary attack, type in this command:

john -w:wordlist.txt hash.txt

When John the Ripper is done cracking the password and comes back with an answer it will display the password on screen (at least it does for me). However, if it doesn't (or if you want to go back and look at it in the future) there are two ways you can view the password. One is using the command "john -show hash.txt", which will display the cracked hash on screen, and the other is "john.pot" (or you can manually open it from the run folder), which will open up a powerpoint document and have the passes displayed on it.

-Simple Attack-

I'm not entirely sure what simple attack does, so someone can correct me if I'm wrong. Through using it, it seems to me that simple attack will take your username in the hash (in mine it's "shape", remember) and only run a bruteforce using that word and add a little to it. For example it will try shape with numbers and symbols after it, like shape1. It will also try the options by adding an uppercase to the first letter, so it will check things like Shape43. It appears that it will try all numbers up to 200 after the word, as I tried shape320 and it would not crack it, and it shows shape200 when it stops trying. It will not try for example sHapE3 though; it only checks the first letter with uppercase, not all the letters. This should give you a basic idea of what it can do. It might be able to do more but I haven't played around with it to figure more out. Feel free to do this on your own though.

-Additional Notes-

If you get an error saying "No hash loaded" there could be a couple of reasons for this. One is that the hash you entered and saved is not recognized as being a hash, and you should check to make sure you copied things right. Two is that the hash has previously been cracked, and you can check the john.pot file to see if it has.
Also, when you're doing your attacks, if you want to get the answer saved to a file, you can type "> something.txt" after the command and it will save it to that text file in the "run" folder. So a full dictionary attack example would look like this:

john -w:wordlist.txt hash.txt > cracked.txt

One more thing. If you didn't notice me saying it above, the quotes ("...") above any of the commands above

-The "format" option attack-

Now everything I have demonstrated up until now are attacks on a DES hash. So you might be asking yourself, "Is this all John the Ripper can crack?". Well, the answer to that question is no. It is capable of cracking such hashes as BSDI, MD5, BF, AFS, LM. The command you are going to use for this attack looks like this:

john -format:hashtype hash.txt

So DES looks like this:

john -format:des hash.txt

And MD5 looks like this:

john -format:md5 hash.txt

etc.

---Conclusion---

Well this is the end of this article, but don't think that this is all that John the Ripper can do, because there is a lot more. These are just some of the basics and I'll leave you to figure out the rest on your own, so play around with it and experiment. I hope this was a fairly good article and is able to help some people out. If anyone has any problems or questions, feel free to pm me and I will help you out if I can. I may return and add in more information if I feel like it. Also if I have any incorrect information you can pm me and I will correct it.

---Extra Resources---

I've decided to throw in something extra that may be helpful to some people. For people who are looking for wordlists, here is a great collection of links: http://r00tsecurity.org/forums/index.php?showtopic=1445

Here is the official documentation for John the Ripper and should be a good resource for going further into using the program: http://www.openwall.com/john/doc/
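The hash-file layout, the hash shapes behind the names the post passes to -format, and the two causes of the "No hash loaded" message can all be checked before John is ever run. The block below is an added example written for this edit, not code from the post or from John the Ripper itself. It recognises the five hash types John 1.7 loads out of the box by their textual shape (traditional DES crypt(3) is a 2-character salt followed by 11 characters, 13 in total; newer John releases call the first four formats descrypt, bsdicrypt, md5crypt and bcrypt), parses a user:hash file and a john.pot file, and reproduces what "john -show" reports. john.pot is a plain text file of hash:password lines that John only creates once it has cracked something, which is also why a fresh run directory has no john.pot yet. Apart from the post's own shape:CRjRYEn9g3PUc, every hash in the sample is a constructed placeholder with the right shape rather than the hash of any password (dave's value is the well-known LM hash of the empty password), and the function names are my own.

```python
import re

# Hash shapes John the Ripper 1.7 loads out of the box, keyed by the name it
# prints and accepts after -format: (newer releases say descrypt, bsdicrypt,
# md5crypt and bcrypt for the first four).
CRYPT64 = r"[./0-9A-Za-z]"  # the 64-character alphabet crypt(3) hashes use
HASH_SHAPES = [
    # traditional DES crypt(3): 2-char salt + 11-char hash = 13 chars
    ("DES", re.compile(r"^" + CRYPT64 + r"{13}$")),
    # BSDI extended DES: "_" + 4-char iteration count + 4-char salt + 11-char hash
    ("BSDI", re.compile(r"^_" + CRYPT64 + r"{19}$")),
    # FreeBSD-style MD5 crypt: $1$<salt, up to 8 chars>$<22-char hash>
    ("MD5", re.compile(r"^\$1\$" + CRYPT64 + r"{1,8}\$" + CRYPT64 + r"{22}$")),
    # OpenBSD Blowfish (bcrypt): $2a$<2-digit cost>$<22-char salt + 31-char hash>
    ("BF", re.compile(r"^\$2[aby]\$\d{2}\$" + CRYPT64 + r"{53}$")),
    # Windows LM: 32 hex digits, i.e. two 16-hex halves of 7 characters each
    ("LM", re.compile(r"^[0-9a-fA-F]{32}$")),
]


def identify_format(hash_str):
    """Return John's format name for a hash string, or None if no shape matches."""
    for name, pattern in HASH_SHAPES:
        if pattern.match(hash_str):
            return name
    return None


def parse_hash_file(text):
    """Parse 'user:hash' lines (the layout saved into hash.txt above).
    Full passwd-style lines also work: John reads field 2 as the hash."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        user, sep, rest = line.partition(":")
        if not sep:                       # bare hash with no user field
            user, rest = None, line
        hash_str = rest.split(":", 1)[0]
        entries.append({"user": user, "hash": hash_str,
                        "format": identify_format(hash_str)})
    return entries


def parse_pot(text):
    """john.pot is plain text: one 'hash:password' line per cracked hash."""
    cracked = {}
    for line in text.splitlines():
        hash_str, sep, password = line.partition(":")
        if sep:
            cracked[hash_str] = password
    return cracked


def show(entries, cracked):
    """Reproduce what 'john -show hash.txt' prints: user:password for each
    cracked, loadable entry, then a summary line."""
    out, left = [], 0
    for e in entries:
        if e["format"] is None:
            continue                      # John never loaded this line
        if e["hash"] in cracked:
            out.append(f"{e['user']}:{cracked[e['hash']]}")
        else:
            left += 1
    out.append(f"{len(out)} password hashes cracked, {left} left")
    return out


def explain_no_hash_loaded(entries, cracked):
    """Diagnose 'No password hashes loaded' (the message the post paraphrases):
    it appears when every line is either unrecognised or already in john.pot.
    Returns None when at least one hash would load."""
    if any(e["format"] and e["hash"] not in cracked for e in entries):
        return None
    return {
        "unrecognised": [e["hash"] for e in entries if e["format"] is None],
        "already_cracked": [e["hash"] for e in entries
                            if e["format"] and e["hash"] in cracked],
    }


def formats_present(entries):
    """John loads one hash type per run, so a mixed file needs one run per
    format with -format:<name>; this lists which names are needed."""
    return sorted({e["format"] for e in entries if e["format"]})


# Constructed sample input. Apart from the post's shape:CRjRYEn9g3PUc, every
# hash is a placeholder with the right shape, not the hash of any password;
# dave's value is the well-known LM hash of the empty password.
SAMPLE_HASH_FILE = """\
shape:CRjRYEn9g3PUc
frank:ab/cdEfGhIjKl
alice:$1$saltsalt$AbCdEfGhIjKlMnOpQrStUv
bob:_J9..rasmXuI2z0Z3c0N
carol:$2a$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
dave:AAD3B435B51404EEAAD3B435B51404EE
eve:not-a-hash
"""
SAMPLE_POT = "ab/cdEfGhIjKl:letmein\n"   # constructed: pretend frank was cracked

if __name__ == "__main__":
    entries = parse_hash_file(SAMPLE_HASH_FILE)
    pot = parse_pot(SAMPLE_POT)
    for e in entries:
        print(f"{e['user']!s:6} {e['format']!s:5} {e['hash']}")
    print("formats needed:", formats_present(entries))
    print("\n".join(show(entries, pot)))
    print("no-hash-loaded diagnosis:", explain_no_hash_loaded(entries, pot))
```

Run it as-is to see the sample file classified; point parse_hash_file at your own hash.txt and parse_pot at run\john.pot to check a file that John refuses to load. A line that comes back with format None is the first cause the post lists (the string was copied wrong or is not one of these hash types), and a hash that is already in the pot is the second.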

immortal
nicely written article ShapeShifters appreciate the efforts :)

Posted 21 May 2008 - 11:54 PM

ShapeShifters

Posted 21 May 2008 - 11:58 PM

Quote: immortal, on May 21 2008, 09:24 PM, said: nicely written article ShapeShifters appreciate the efforts :)

Thank you :)

Hitman007

Posted 27 May 2008 - 12:17 PM

Thanks, really good.

DoCKo
Nice tut. thanks for sharing this

Posted 27 May 2008 - 02:07 PM

ShapeShifters
No problem guys :)

Posted 27 May 2008 - 03:26 PM

fr3em1nd

Posted 04 September 2008 - 02:43 AM

amazing.. i have been training myself to use this software, finally, jobwelldone, i understood every step. it really is great tool for frustrated guy like me ^_^

NeverLoseFocus
C:\john1701\run>john-386 -i:alpha hash.txt
stat: hash.txt: No such file or directory

I get this when I do it? How do I fix it?

Posted 13 November 2008 - 09:39 PM

Futility

Posted 13 November 2008 - 09:45 PM

Well... would you happen to have a file in the directory named hash.txt? Because not having it would definitely cause that problem.

NeverLoseFocus

Posted 14 November 2008 - 03:53 PM

Yes, I have it saved as hash.txt. I was doing the one in the tutorial so I could get some training on it. It still says it cannot find it, crazy. Can someone give me a brief tutorial of step by step instructions on how to do it without changing the name to john and doing all the tweaking?

ShapeShifters
You're sure you have it saved in the run folder of john?

Posted 14 November 2008 - 04:48 PM

Oh, and by the way, changing the name of a folder or file doesn't affect anything besides how you write your command.

matthiasb

Posted 05 May 2011 - 03:13 AM

I blogged about password cracking and John The Ripper. It is not as detailed as this tutorial but you may find some interesting info. http://codebazaar.blogspot.com/2011/05/why-we-need-strong-p4ssw0rds.html Matthias

clamzor
ty

Posted 07 June 2011 - 01:11 PM

mchlsmith982

Posted 30 January 2012 - 07:12 AM

Hey, how much time will John the Ripper take for the bruteforce attack? At least approx. how many hours? So that I can leave my PC on without expecting any results? Please do reply.... and thanks for the tutorial! And where is that john.pot file? It is not there in my RUN folder....
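How long the brute-force run in the tutorial's "Bruteforce Attack" section takes, which is what the question above asks, comes down to arithmetic on the keyspace the chosen mode covers, and the same arithmetic shows why the dictionary attack and the single mode (-single, the mode the post calls "simple attack") finish so much sooner. The block below is an added example written for this edit, not code from the post or from John the Ripper: it counts the candidates each of the post's attacks can try and converts that into a worst-case time at an assumed rate. The character-set sizes (26 letters, 10 digits, 95 printable characters, lengths 1 to 8) are assumed from the stock john.conf of the 1.7 series, the figure of 1,000,000 candidates per second is a placeholder to be replaced with what "john -test" prints on your own machine, the single-mode model reproduces only the behaviour the post describes (username, capitalised, with a number appended) and not John's full rule set, and the wordlist size is a constructed figure.

```python
# Character-set sizes and length range of John's stock incremental modes as
# configured in the 1.7-series john.conf (assumed here; check your own copy):
# Alpha = 26 lowercase letters, Digits = 10, All = 95 printable ASCII, each
# from length 1 to 8. Eight is also where traditional DES crypt stops reading
# the password, so longer candidates would be wasted against a DES hash.
INCREMENTAL_MODES = {"alpha": 26, "digits": 10, "all": 95}
MAX_LEN = 8

# Assumed hash rate for the time estimates (candidates per second). Measure
# your own with "john -test"; this round number is only a placeholder.
ASSUMED_RATE = 1_000_000


def keyspace(charset_size, max_len=MAX_LEN, min_len=1):
    """Number of candidates of length min_len..max_len over a charset:
    the upper bound on how many guesses an exhaustive run needs."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_for(candidates, rate_per_second=ASSUMED_RATE):
    """Worst-case wall time to try every candidate at the given rate."""
    return candidates / rate_per_second


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def single_mode_candidates(username, max_number=200):
    """Model of what the post observed single mode trying: the username as
    typed and with its first letter capitalised, alone and with 0..max_number
    appended. John's real single-mode rules (in john.conf) do much more; this
    is only the subset described in the post."""
    cands = []
    for base in (username, username.capitalize()):
        cands.append(base)
        cands.extend(f"{base}{n}" for n in range(max_number + 1))
    return cands


def compare(wordlist_words, username, rate_per_second=ASSUMED_RATE):
    """Candidate counts and worst-case times for each attack in the post."""
    rows = {}
    for mode, size in INCREMENTAL_MODES.items():
        n = keyspace(size)
        rows[f"-i:{mode}"] = (n, human(seconds_for(n, rate_per_second)))
    n = wordlist_words
    rows["-w:wordlist.txt"] = (n, human(seconds_for(n, rate_per_second)))
    n = len(single_mode_candidates(username))
    rows["-single"] = (n, human(seconds_for(n, rate_per_second)))
    return rows


if __name__ == "__main__":
    # Constructed figures: a 1,000,000-word list and the post's user "shape".
    for attack, (count, eta) in compare(1_000_000, "shape").items():
        print(f"{attack:17} {count:>20,} candidates  worst case {eta}")
```

The counts are upper bounds: incremental mode orders its guesses by character-frequency statistics and John stops as soon as the hash cracks, so a weak password usually falls long before the keyspace is exhausted, while an 8-character password drawn from the full 95-character set is out of reach at this rate. Each DES hash in hash.txt carries its own salt, so with many differently salted hashes loaded the effective rate per hash drops further. A run stopped with Ctrl+C can be resumed later with "john -restore".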
