After password cracking examples with hashcat, I want to show you how to crack passwords with John the Ripper (remember we also produced hashes for John the Ripper: lm.john.out and nt.john.out).
First we use the rockyou wordlist to crack the LM hashes:
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=rockyou.txt --pot=john-rockyou-lm.pot lm.john.out
Option --wordlist specifies the wordlist to use, and option --pot specifies the pot file I want to create/use.
Output:
Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "lotus5"
Use the "--format=lotus5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead
Loaded 47 password hashes with no different salts (LM [DES 128/128 SSE2])
Warning: poor OpenMP scalability for this hash type
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456 (user01)
RACHELL (user03:1)
AMOROSA (user07:1)
BEAUFOR (user10:1)
GIRLISH (user06:1)
2020 (user06:2)
1 (user09:2)
007 (user12:2)
THURLOW (user09:1)
OVEJA (user07:2)
EANNE (user03:2)
AS (user22)
MAISIE2 (user12:1)
F (user29:2)
ZORDIC7 (user04)
YELIZ6 (user14)
TADOB (user15)
R (user28:2)
LM11819 (user16:1)
KURT!!! (user05)
CUNINGO (user17)
LZAC08@ (user19)
FEPARAG (user20:1)
4537584 (user08:1)
24g 0:00:00:00 DONE (2016-07-15 23:57) 27.39g/s 16374Kp/s 16374Kc/s 461233KC/s "WHENIC..♦*♥7▒VA
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session completed
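And then we use option --show to display the (partially) recovered passwords. An LM hash is computed over two 7-character halves, so a half that was not cracked is displayed as ???????: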
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-rockyou-lm.pot lm.john.out
Output:
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:RACHELLEANNE:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:ZORDIC7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:KURT!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:GIRLISH2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:AMOROSAOVEJA:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:4537584???????:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:THURLOW1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:BEAUFOR???????:S-1-5-21-3188177830-2933342842-421106997-1115::
user12:MAISIE2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user14:YELIZ6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:TADOB:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:LM11819???????:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:CUNINGO:S-1-5-21-3188177830-2933342842-421106997-1122::
user19:LZAC08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAG???????:S-1-5-21-3188177830-2933342842-421106997-1125::
user22:AS:S-1-5-21-3188177830-2933342842-421106997-1127::
user28:???????R:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:???????F:S-1-5-21-3188177830-2933342842-421106997-1134::

24 password hashes cracked, 23 left
Cracking NTLM hashes is done with a similar command; only the file names change:
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=rockyou.txt --pot=john-rockyou-nt.pot nt.john.out
Output:
Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32])
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456 (user01)
mychemicalromance (user02)
beautifulprincess (user11)
beaufort1 (user10)
thurlow1 (user09)
rachelleanne (user03)
maisie2007 (user12)
maiseythorne2007 (user13)
zordic7 (user04)
yeliz6 (user14)
tadob (user15)
lm1181992 (user16)
kurt!!! (user05)
girlish2020 (user06)
cuningo (user17)
amorosaoveja (user07)
Lzac08@ (user19)
Horselover1493@hotmail.com (user18)
FEPARAGON (user20)
453758487l (user08)
20g 0:00:00:01 DONE (2016-07-16 00:06) 19.15g/s 13739Kp/s 13739Kc/s 411618KC/s 000..♦*♥7▒Vamos!♥
Use the "--show" option to display all of the cracked passwords reliably
Session completed
And then we use option --show to display the recovered passwords:
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-rockyou-nt.pot nt.john.out
Output:
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user02:mychemicalromance:S-1-5-21-3188177830-2933342842-421106997-1107::
user03:rachelleanne:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:zordic7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:kurt!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:girlish2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:amorosaoveja:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:453758487l:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:thurlow1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:beaufort1:S-1-5-21-3188177830-2933342842-421106997-1115::
user11:beautifulprincess:S-1-5-21-3188177830-2933342842-421106997-1116::
user12:maisie2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user13:maiseythorne2007:S-1-5-21-3188177830-2933342842-421106997-1118::
user14:yeliz6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:tadob:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:lm1181992:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:cuningo:S-1-5-21-3188177830-2933342842-421106997-1122::
user18:Horselover1493@hotmail.com:S-1-5-21-3188177830-2933342842-421106997-1123::
user19:Lzac08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAGON:S-1-5-21-3188177830-2933342842-421106997-1125::

20 password hashes cracked, 23 left
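For a password audit report, the two --show listings can be merged into one per-account summary. The following is an added example, not part of the original post: it parses the user:password:SID:: lines, treats a run of seven question marks as an LM half that was not recovered, and reports the LM and NT status per account. The sample data, SIDs and function names are constructed for illustration, and the line layout is assumed to match the output shown above.

```python
import re

# Constructed sample data in the `john --show` layout (not the post's results).
SID = "S-1-5-21-1111111111-2222222222-3333333333"
LM_SHOW = f"""\
alice:SUMMER2016:{SID}-1001::
bob:WINTERS???????:{SID}-1002::
carol:???????9:{SID}-1003::

4 password hashes cracked, 2 left
"""
NT_SHOW = f"""\
alice:Summer2016:{SID}-1001::
dave:pass:word1:{SID}-1004::

2 password hashes cracked, 2 left
"""

# Anchor on the trailing SID so a ':' inside the password does not split it.
LINE = re.compile(r"^([^:]+):(.*):(S-1-[0-9-]+)::$")
TOTALS = re.compile(r"^(\d+) password hashes cracked, (\d+) left$")
UNKNOWN_HALF = "?" * 7  # placeholder for an LM half that was not recovered

def parse_show(text):
    """Return ({user: password}, (cracked, left)) from `--show` output."""
    accounts, totals = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := LINE.match(line):
            accounts[m.group(1)] = m.group(2)
        elif m := TOTALS.match(line):
            totals = (int(m.group(1)), int(m.group(2)))
    return accounts, totals

def lm_state(password):
    """'partial' if either 7-character LM half is still the placeholder."""
    halves = (password[:7], password[7:])
    return "partial" if UNKNOWN_HALF in halves else "full"

def audit(lm_text, nt_text):
    """Merge LM and NT results into {user: {'lm': state, 'nt': state}}."""
    lm, _ = parse_show(lm_text)
    nt, _ = parse_show(nt_text)
    return {user: {"lm": lm_state(lm[user]) if user in lm else "none",
                   "nt": "full" if user in nt else "none"}
            for user in sorted(set(lm) | set(nt))}

if __name__ == "__main__":
    for user, state in audit(LM_SHOW, NT_SHOW).items():
        print(f"{user:8} LM={state['lm']:8} NT={state['nt']}")
```

A password that literally consists of seven question marks in one half cannot be told apart from the placeholder, so treat "partial" as a prompt to check the pot file rather than as a certainty.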