Windows password anatomy and cracking using John The Ripper
I will show you how to crack Windows passwords using John The Ripper.
John the Ripper is a fast password cracker, primarily for cracking Unix (shadow) passwords. Other than Unix-type encrypted passwords it also supports cracking Windows LM hashes and many more with open source contributed patches.
Plus, I'm really digging the tablet. So before I went ahead and installed VirtualBox and ran JtR in a VM I figured I'd try and install JtR using the new Windows Subsystem on Linux (WSL). Long story short, it worked great and was straightforward to do, so I figured I'd share my experiences. Other Options for Running John the Ripper on Windows. To use John's OpenMP support, you need to either use an existing OpenMP-enabled build (e.g., 'john-omp.exe' on Windows) or make an OpenMP-enabled build by uncommenting one of the OMPFLAGS lines near the beginning of Makefile. This requires GCC 4.2 or newer, or another OpenMP-capable C compiler.
Now lets talk about the password protection method used by Windows. Windows user account passwords are typically stored in SAM hive of the registry (which corresponds to %SystemRoot%system32configSAM file), in the SAM file the password is kept encrypted using the NTLM hash is very well known for its cryptanalysis weaknesses.
The SAM file is further encrypted with the SysKey (Windows 2000 and above) which is stored in %SystemRoot%system32configsystem file.During the boot-time of Windows the hashes from the SAM file gets decrypted using the SysKey and the hashes are loaded to the registry is then used for authentication purpose. Both system and SAM files are unavailable (i.e, locked by kernel) to standard programs (like regedit) during Windows’ runtime .
How To Install John The Ripper Windows 10
As told earlier NTLM hash is very weak for encrypting passwords. The NTLM encryption algorithm is explained below :
•ASCII password is converted to uppercase
•Padding with null is done until 14 bytes
•Split it in two 7-byte arrays
•Pad both to make 64 bits (8-byte) which will be used to create a DES key
•DES-encrypt the string “KGS!@#$%” using the array as key for each 7-byte array (results 8-byte stream)
•Join 2 cipertexts which forms the NTLM hash (16-byte)
Major failures of NTLM hash :
•ASCII is not Unicode
•Uppercase reduce complexity
•LM fails with passwords length more than 14 characters
•Salting is not available
•It is easy to determine whether the password is less than or more than 7 characters
Cracking Windows Passwords John The Ripper
For the sake of demonstrating this I had already set a dummy account called “demo” and allotted a password “iRock” to it, which will be cracked later-on.
User Accounts showing “demo” user
Terminal Commands with notes :
I booted using the Ubuntu LiveCD and mounted my Windows partition (/dev/sda1)
How To Install John The Ripper Windows 7 Windows 10
asif@localhost:~$ sudo mkdir /mnt/WIN
asif@localhost:~$ sudo mount /dev/sda1 /mnt/WIN -r
Then copied SAM and system files to /home/asif folder:
asif@localhost:~$ cd /mnt/WIN
asif@localhost:/mnt/WIN$ cd WINDOWS
asif@localhost:/mnt/WIN/WINDOWS$ cd system32
asif@localhost:/mnt/WIN/WINDOWS/system32$ cd config
asif@localhost:/mnt/WIN/WINDOWS/system32/config$ cp SAM /home/asif && cp system /home/asif
Then installed samdump2 and John The Ripper :
asif@localhost:~$ sudo apt-get install samdump2
asif@localhost:~$ sudo apt-get install john
Then dumped the syskey and NTLM hashes from system and SAM file, respectively :
asif@localhost:~$ bkhive system sys.txt
(bkhive is bundled with samdump2, retrieves the SysKey from system file)
asif@localhost:~$ samdump2 SAM sys.txt > hashes.txt (decrypts the SAM file using the recovered syskey and dumps the NTLM hashes of user accounts stored in SAM file)
NTLM hashes recovered from SAM file
Then bruteforced the password using John The Ripper :
asif@localhost:~$ john -format=LM hashes.txt
Loaded 7 password hashes with no different salts (LM DES [64/64 BS MMX])
(Logical)
(SUPPORT_388945a0)
(Guest)
(Administrator)
guesses: 4 time: 0:00:00:05 (3) c/s: 4805K trying: CERSUKA – CEROMPS
guesses: 4 time: 0:00:00:06 (3) c/s: 5902K trying: HEPIL1 – HEPIMI
IROCK (demo)
Session aborted
Mission accomplished ! ! !.
In this article we describe how to crack password hashes with John the Ripper (JtR). It is not unheard of to come across a file containing password hashes during a penetration testing engagement. This can be a gold mine if you can crack the password hashes. Avery template 22804 free.
John the Ripper is a fantastic tool for ripping apart password hashes. Check out the full documentation here. Let us first take a look at how the tool works.
How does John the Ripper work?
John the Ripper is a password cracking tool capable or breaking a variety of hash types. When combined with a hefty word list such as the infamous rockyou.txt, the tool can make short work of simple passwords. John the Ripper determines the hash type of the password file and then attempts to find a match for those hashes.
This tool also highlights the importance of choosing a strong randomized password. Cracking passwords found in a word list is 10-fold faster than running an incremental brute-force attack.
By default the tool is capable of breaking the following hashes. If you need to break a hash that is not on the list, check the Internet. Given that JtR is open-source software it is likely someone has developed an extension capable of processing your hash type.
- UNIX crypt(3)
- Traditional DES-based
- bigcrypt
- BSDI extended DES-based
- FreeBSD MD5-based
- OpenBSD Blowfish-based
- Kerberos/AFS
- Windows LM (DES-based)
- DES-based tripcodes
- SHA-crypt hashes
What is John the Ripper used for?
John the Ripper is used by security professionals to crack password hashes. During a penetration testing engagement it is not uncommon to get your hands on a file containing hashed passwords. In order to make use of these passwords the hashes must first be broken. Lets start by getting a copy installed.
How to download John the Ripper?
Before we jump in, you will need to download a copy of John the Ripper. If you are using Kali Linux it is likely you already have a copy installed. This is the easiest method as it keeps all of your penetration testing tools in a single place.
Check out the tutorial to install Kali Linux in VirtualBox. Otherwise head over to the John the Ripper home page and do the install manually: download page
JtR is open-source software so you can also head over to the Github repository and download the source yourself.
Tutorials for using John the Ripper
Now that we have a copy of John the Ripper downloaded and installed we can jump into some basic commands.
You can run the following command at any time to list the built-in help:
Cracking Passwords
To actually crack passwords we need to provide a file of password hashes. John the Ripper will determine the hash types before stepping through a number of cracking modes.
The most common cracking modes that JtR uses are:
- Single Crack: Fastest mode if a full password file is available
- Wordlist: Attempts passwords found in word lists, works very well against simple passwords
- Incremental: True brute-force, tries every possible combination until a match is found (or not)
The easiest and usually fastest method is to start John the Ripper and let it automatically step through its most efficient modes. This is usually fastest unless you know the passwords in question will not be on a wordlist.
You can also use a specific wordlist such as one downloaded from the Internet:
Or specify which cracking mode to use:
This will start John the Ripper in single crack or incremental mode respectively.
What is Single Crack Mode?
In single-crack mode the program will use the login names, “GECOS” / “Full Name” fields, and users’ home directory names as candidate passwords. It also applies heavy mangling rules for efficient processing. Information is only used against accounts that it was taken from making this mode much faster than wordlist mode. Any successfully guessed passwords are also tried against other hashes in case users are using the same passwords.
Word Mangling Rules
Word mangling rules are key to making JtR more efficient. If you are trying to crack complex or long passwords you will want to operate as efficiently as possible (and even then it will take a long time, or a lot of hardware!).
Mangling rules pre process the wordlists and make optimizations to improve the cracking process.
Viewing Output
Hopefully at this point you’ve cracked some passwords. You can view any cracked passwords with:
This will show any cracked passwords for that password file. You can also filter the list to show users with a particular id or that are in a particular group:
Of course you can also pipe the output to another tool such as grep for further filtering: