Didier Stevens

Tuesday 19 July 2016

Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist

Filed under: Encryption — Didier Stevens @ 0:00

After password cracking examples with hashcat, I want to show you how to crack passwords with John the Ripper (remember we also produced hashes for John the Ripper: lm.john.out and nt.john.out).

First we use the rockyou wordlist to crack the LM hashes:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=rockyou.txt --pot=john-rockyou-lm.pot lm.john.out

Option –wordlist specifies the wordlist to use, and option –pot specifies the pot file I want to create/use.

Output:

Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "lotus5"
Use the "--format=lotus5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead
Loaded 47 password hashes with no different salts (LM [DES 128/128 SSE2])
Warning: poor OpenMP scalability for this hash type
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
RACHELL          (user03:1)
AMOROSA          (user07:1)
BEAUFOR          (user10:1)
GIRLISH          (user06:1)
2020             (user06:2)
1                (user09:2)
007              (user12:2)
THURLOW          (user09:1)
OVEJA            (user07:2)
EANNE            (user03:2)
AS               (user22)
MAISIE2          (user12:1)
F                (user29:2)
ZORDIC7          (user04)
YELIZ6           (user14)
TADOB            (user15)
R                (user28:2)
LM11819          (user16:1)
KURT!!!          (user05)
CUNINGO          (user17)
LZAC08@          (user19)
FEPARAG          (user20:1)
4537584          (user08:1)
24g 0:00:00:00 DONE (2016-07-15 23:57) 27.39g/s 16374Kp/s 16374Kc/s 461233KC/s "WHENIC..♦*♥7▒VA
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And then we use option –show to display the (partially) recovered passwords:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-rockyou-lm.pot lm.john.out

Output:

user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:RACHELLEANNE:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:ZORDIC7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:KURT!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:GIRLISH2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:AMOROSAOVEJA:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:4537584???????:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:THURLOW1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:BEAUFOR???????:S-1-5-21-3188177830-2933342842-421106997-1115::
user12:MAISIE2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user14:YELIZ6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:TADOB:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:LM11819???????:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:CUNINGO:S-1-5-21-3188177830-2933342842-421106997-1122::
user19:LZAC08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAG???????:S-1-5-21-3188177830-2933342842-421106997-1125::
user22:AS:S-1-5-21-3188177830-2933342842-421106997-1127::
user28:???????R:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:???????F:S-1-5-21-3188177830-2933342842-421106997-1134::

24 password hashes cracked, 23 left

Cracking NTLM hashes is done with a similar command, it’s just the name of the files that changes:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=rockyou.txt --pot=john-rockyou-nt.pot nt.john.out

Output:

Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32])
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
mychemicalromance (user02)
beautifulprincess (user11)
beaufort1        (user10)
thurlow1         (user09)
rachelleanne     (user03)
maisie2007       (user12)
maiseythorne2007 (user13)
zordic7          (user04)
yeliz6           (user14)
tadob            (user15)
lm1181992        (user16)
kurt!!!          (user05)
girlish2020      (user06)
cuningo          (user17)
amorosaoveja     (user07)
Lzac08@          (user19)
Horselover1493@hotmail.com (user18)
FEPARAGON        (user20)
453758487l       (user08)
20g 0:00:00:01 DONE (2016-07-16 00:06) 19.15g/s 13739Kp/s 13739Kc/s 411618KC/s    000..♦*♥7▒Vamos!♥
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And then we use option –show to display the recovered passwords:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-rockyou-nt.pot nt.john.out

Output:

user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user02:mychemicalromance:S-1-5-21-3188177830-2933342842-421106997-1107::
user03:rachelleanne:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:zordic7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:kurt!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:girlish2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:amorosaoveja:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:453758487l:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:thurlow1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:beaufort1:S-1-5-21-3188177830-2933342842-421106997-1115::
user11:beautifulprincess:S-1-5-21-3188177830-2933342842-421106997-1116::
user12:maisie2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user13:maiseythorne2007:S-1-5-21-3188177830-2933342842-421106997-1118::
user14:yeliz6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:tadob:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:lm1181992:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:cuningo:S-1-5-21-3188177830-2933342842-421106997-1122::
user18:Horselover1493@hotmail.com:S-1-5-21-3188177830-2933342842-421106997-1123::
user19:Lzac08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAGON:S-1-5-21-3188177830-2933342842-421106997-1125::

20 password hashes cracked, 23 left

 

4 Comments »

  1. […] Part 6 shows examiners how to crack passwords with a wordlist using John the Ripper and the hashes extracted in Part 2. Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist […]

    Pingback by Week 29 – 2016 – This Week In 4n6 — Sunday 24 July 2016 @ 13:14

  2. […] Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist […]

    Pingback by Practice ntds.dit File Overview | Didier Stevens — Monday 25 July 2016 @ 9:15

  3. […] Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist […]

    Pingback by Overview of Content Published In July | Didier Stevens — Monday 1 August 2016 @ 0:01

  4. […] These can be cracked, for example with John The Ripper: […]

    Pingback by Quickpost: Using My Bash Bunny To “Snag Creds From A Locked Machine” | Didier Stevens — Thursday 6 April 2017 @ 23:25


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: