Didier Stevens

Tuesday 19 July 2016

Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist

Filed under: Encryption — Didier Stevens @ 0:00

After password cracking examples with hashcat, I want to show you how to crack passwords with John the Ripper (remember we also produced hashes for John the Ripper: lm.john.out and nt.john.out).

First we use the rockyou wordlist to crack the LM hashes:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=rockyou.txt --pot=john-rockyou-lm.pot lm.john.out

Option --wordlist specifies the wordlist to use, and option --pot specifies the pot file I want to create/use.

Output:

Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "lotus5"
Use the "--format=lotus5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead
Loaded 47 password hashes with no different salts (LM [DES 128/128 SSE2])
Warning: poor OpenMP scalability for this hash type
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
RACHELL          (user03:1)
AMOROSA          (user07:1)
BEAUFOR          (user10:1)
GIRLISH          (user06:1)
2020             (user06:2)
1                (user09:2)
007              (user12:2)
THURLOW          (user09:1)
OVEJA            (user07:2)
EANNE            (user03:2)
AS               (user22)
MAISIE2          (user12:1)
F                (user29:2)
ZORDIC7          (user04)
YELIZ6           (user14)
TADOB            (user15)
R                (user28:2)
LM11819          (user16:1)
KURT!!!          (user05)
CUNINGO          (user17)
LZAC08@          (user19)
FEPARAG          (user20:1)
4537584          (user08:1)
24g 0:00:00:00 DONE (2016-07-15 23:57) 27.39g/s 16374Kp/s 16374Kc/s 461233KC/s "WHENIC..♦*♥7▒VA
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And then we use option --show to display the (partially) recovered passwords:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-rockyou-lm.pot lm.john.out

Output:

user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:RACHELLEANNE:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:ZORDIC7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:KURT!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:GIRLISH2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:AMOROSAOVEJA:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:4537584???????:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:THURLOW1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:BEAUFOR???????:S-1-5-21-3188177830-2933342842-421106997-1115::
user12:MAISIE2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user14:YELIZ6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:TADOB:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:LM11819???????:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:CUNINGO:S-1-5-21-3188177830-2933342842-421106997-1122::
user19:LZAC08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAG???????:S-1-5-21-3188177830-2933342842-421106997-1125::
user22:AS:S-1-5-21-3188177830-2933342842-421106997-1127::
user28:???????R:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:???????F:S-1-5-21-3188177830-2933342842-421106997-1134::

24 password hashes cracked, 23 left

Cracking NTLM hashes is done with a similar command; only the names of the hash and pot files change:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=rockyou.txt --pot=john-rockyou-nt.pot nt.john.out

Output:

Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32])
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
mychemicalromance (user02)
beautifulprincess (user11)
beaufort1        (user10)
thurlow1         (user09)
rachelleanne     (user03)
maisie2007       (user12)
maiseythorne2007 (user13)
zordic7          (user04)
yeliz6           (user14)
tadob            (user15)
lm1181992        (user16)
kurt!!!          (user05)
girlish2020      (user06)
cuningo          (user17)
amorosaoveja     (user07)
Lzac08@          (user19)
Horselover1493@hotmail.com (user18)
FEPARAGON        (user20)
453758487l       (user08)
20g 0:00:00:01 DONE (2016-07-16 00:06) 19.15g/s 13739Kp/s 13739Kc/s 411618KC/s    000..♦*♥7▒Vamos!♥
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And then we use option --show to display the recovered passwords:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-rockyou-nt.pot nt.john.out

Output:

user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user02:mychemicalromance:S-1-5-21-3188177830-2933342842-421106997-1107::
user03:rachelleanne:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:zordic7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:kurt!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:girlish2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:amorosaoveja:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:453758487l:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:thurlow1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:beaufort1:S-1-5-21-3188177830-2933342842-421106997-1115::
user11:beautifulprincess:S-1-5-21-3188177830-2933342842-421106997-1116::
user12:maisie2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user13:maiseythorne2007:S-1-5-21-3188177830-2933342842-421106997-1118::
user14:yeliz6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:tadob:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:lm1181992:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:cuningo:S-1-5-21-3188177830-2933342842-421106997-1122::
user18:Horselover1493@hotmail.com:S-1-5-21-3188177830-2933342842-421106997-1123::
user19:Lzac08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAGON:S-1-5-21-3188177830-2933342842-421106997-1125::

20 password hashes cracked, 23 left
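A small reconciliation script, added here as an example and not part of the original post, that parses the two --show outputs above and cross-checks the LM results against the NT results: it flags partial LM cracks (the ??????? halves), checks that every cracked LM half matches the uppercased NT password at the same position, and shows which accounts had an LM hash stored at all. The sample data is a constructed subset of the output above; the function names are my own.

```python
import re

# Constructed sample in the format john --show prints for lm.john.out and
# nt.john.out (user:password:SID::), including the summary line john appends.
LM_SHOW = """\
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:RACHELLEANNE:S-1-5-21-3188177830-2933342842-421106997-1108::
user08:4537584???????:S-1-5-21-3188177830-2933342842-421106997-1113::
user28:???????R:S-1-5-21-3188177830-2933342842-421106997-1133::

24 password hashes cracked, 23 left
"""
NT_SHOW = """\
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:rachelleanne:S-1-5-21-3188177830-2933342842-421106997-1108::
user08:453758487l:S-1-5-21-3188177830-2933342842-421106997-1113::
user18:Horselover1493@hotmail.com:S-1-5-21-3188177830-2933342842-421106997-1123::

20 password hashes cracked, 23 left
"""
LM_UNKNOWN = "???????"  # john's placeholder for an LM half it did not crack

def parse_show(text):
    """Map user -> password from john --show output, skipping the summary line."""
    found = {}
    for line in text.splitlines():
        if not line or re.match(r"^\d+ password hash(es)? cracked", line):
            continue
        user, password, _sid = line.split(":", 2)
        found[user] = password
    return found

def reconcile(lm_show, nt_show):
    """One record per user: what each run recovered, whether the LM result is
    partial, and whether every cracked LM half agrees with the NT password."""
    report = {}
    for user in sorted(set(lm_show) | set(nt_show)):
        lm, nt = lm_show.get(user), nt_show.get(user)
        rec = {"lm": lm, "nt": nt, "partial_lm": False, "consistent": True}
        if lm is not None:
            # LM hashes two 7-byte uppercase halves independently, so compare
            # each cracked half with the same slice of the uppercased NT password.
            halves = [lm[0:7], lm[7:14]]
            rec["partial_lm"] = LM_UNKNOWN in halves
            if nt is not None:
                rec["consistent"] = all(
                    h == LM_UNKNOWN or h == nt.upper()[i:i + 7]
                    for i, h in zip((0, 7), halves))
        report[user] = rec
    return report
```

An account with an NT entry but no LM entry (user18 above) had no LM hash stored, which is the expected state once LM hash storage is disabled on the domain.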


4 Comments »

  1. […] Part 6 shows examiners how to crack passwords with a wordlist using John the Ripper and the hashes extracted in Part 2. Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist […]

    Pingback by Week 29 – 2016 – This Week In 4n6 — Sunday 24 July 2016 @ 13:14

  2. […] Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist […]

    Pingback by Practice ntds.dit File Overview | Didier Stevens — Monday 25 July 2016 @ 9:15

  3. […] Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist […]

    Pingback by Overview of Content Published In July | Didier Stevens — Monday 1 August 2016 @ 0:01

  4. […] These can be cracked, for example with John The Ripper: […]

    Pingback by Quickpost: Using My Bash Bunny To “Snag Creds From A Locked Machine” | Didier Stevens — Thursday 6 April 2017 @ 23:25
