Didier Stevens

Wednesday 20 July 2016

Practice ntds.dit File Part 7: Password Cracking With John the Ripper – Brute-force

Filed under: Encryption — Didier Stevens @ 0:00

Brute-force cracking with John the Ripper is done with incremental mode. Incremental mode does not simply enumerate the full key space in order: it tries candidates in an order derived from trigraph frequencies, so that likely passwords are recovered as soon as possible.

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --incremental --pot=john-bruteforce-lm.pot lm.john.out

Working through the complete LM hash key space will take many days:

Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "lotus5"
Use the "--format=lotus5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead

Loaded 47 password hashes with no different salts (LM [DES 128/128 SSE2])
Warning: poor OpenMP scalability for this hash type
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
1                (user09:2)
2020             (user06:2)
AS               (user22)
F                (user29:2)
R                (user28:2)
LM11819          (user16:1)
V                (user21)
EANNE            (user03:2)
T1               (user10:2)
CUNINGO          (user17)
AMOROSA          (user07:1)
12g 0:00:00:14 0.00% (ETA: 2016-08-17 08:26) 0.8329g/s 2887Kp/s 2887Kc/s 104518KC/s HSV29S..HS3A18
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

You use the option --show to display the recovered passwords (the seven question marks mark an LM half that has not been cracked yet):

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-bruteforce-lm.pot lm.john.out
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:???????EANNE:S-1-5-21-3188177830-2933342842-421106997-1108::
user06:???????2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:AMOROSA???????:S-1-5-21-3188177830-2933342842-421106997-1112::
user09:???????1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:???????T1:S-1-5-21-3188177830-2933342842-421106997-1115::
user16:LM11819???????:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:CUNINGO:S-1-5-21-3188177830-2933342842-421106997-1122::
user21:V:S-1-5-21-3188177830-2933342842-421106997-1126::
user22:AS:S-1-5-21-3188177830-2933342842-421106997-1127::
user28:???????R:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:???????F:S-1-5-21-3188177830-2933342842-421106997-1134::

The command for NT hashes is almost the same:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --incremental --pot=john-bruteforce-nt.pot nt.john.out

This will never finish (unless all passwords are recovered), because NT hashes do not limit the password length the way LM hashes do:

Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32])
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
1g 0:00:00:11  0.08373g/s 13795p/s 13795c/s 579415C/s melace1..meremia
V                (user21)
cuningo          (user17)
aS               (user22)
4g 0:00:01:17  0.05132g/s 3317Kp/s 3317Kc/s 132700KC/s ihxhl..ihxfg
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
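The --show output above is easy to misread: an LM hash is really two independent hashes of the uppercased 7-character halves of the password, so "???????EANNE" means only the tail is known and the password is longer than 7 characters, while "CUNINGO" means the whole (uppercased) password is known and has at most 7 characters. The following Python script is an added example, not code from the post or from John the Ripper: it parses --show output, classifies each LM result by which halves are known, and checks that a cracked NT password agrees with the LM halves. The LM lines are taken from the post; the NT --show lines are constructed from the passwords john printed in the NT session, since the post does not show that command's output.

```python
from typing import Dict, NamedTuple, Optional

# john --show prints seven question marks for an LM half it has not cracked yet.
LM_HALF_UNKNOWN = "?" * 7

# Constructed sample input: a subset of the LM --show lines from the post.
LM_SHOW = """\
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:???????EANNE:S-1-5-21-3188177830-2933342842-421106997-1108::
user07:AMOROSA???????:S-1-5-21-3188177830-2933342842-421106997-1112::
user17:CUNINGO:S-1-5-21-3188177830-2933342842-421106997-1122::
user21:V:S-1-5-21-3188177830-2933342842-421106997-1126::
user22:AS:S-1-5-21-3188177830-2933342842-421106997-1127::
"""

# Constructed sample input: NT --show lines built from the passwords the NT
# session printed (the post does not show john --show for the NT hashes).
NT_SHOW = """\
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user17:cuningo:S-1-5-21-3188177830-2933342842-421106997-1122::
user21:V:S-1-5-21-3188177830-2933342842-421106997-1126::
user22:aS:S-1-5-21-3188177830-2933342842-421106997-1127::
"""


class LmHalves(NamedTuple):
    first: Optional[str]   # characters 1-7, uppercased; None if still uncracked
    second: Optional[str]  # characters 8-14, uppercased; "" means the password has at most 7 characters


def parse_show(text: str) -> Dict[str, str]:
    """Parse 'user:password:SID::' lines as printed by john --show into {user: password}.

    The password is taken by counting fields from the right, so a password that
    itself contains ':' survives; blank lines and the trailing
    'N password hashes cracked' summary are skipped.
    """
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        result[fields[0]] = ":".join(fields[1:-3])
    return result


def classify_lm(password: str) -> LmHalves:
    """Split a john --show LM result into its two independently cracked halves.

    A genuine password made of question marks would be ambiguous here; john
    prints the placeholder only for an uncracked half, so that case is ignored.
    """
    if password.startswith(LM_HALF_UNKNOWN):
        return LmHalves(None, password[7:])
    if password.endswith(LM_HALF_UNKNOWN):
        return LmHalves(password[:-7], None)
    return LmHalves(password[:7], password[7:])


def consistent(lm: LmHalves, nt_password: str) -> bool:
    """True when a cracked NT password agrees with what the LM halves reveal.

    LM uppercases the password (str.upper() is an ASCII approximation of the
    OEM code-page uppercasing) and is only computed for passwords of at most
    14 characters; Windows stores the LM hash of the empty string for longer ones.
    """
    upper = nt_password.upper()
    if len(upper) > 14:
        return lm == LmHalves("", "")
    if lm.first is not None and upper[:7] != lm.first:
        return False
    if lm.second is not None and upper[7:] != lm.second:
        return False
    return True


def audit(lm_show: str, nt_show: str) -> Dict[str, dict]:
    """Per-account summary: how much of the LM password is known and whether it matches the NT result."""
    nt = parse_show(nt_show)
    report = {}
    for user, password in parse_show(lm_show).items():
        halves = classify_lm(password)
        if halves.first is None:
            status = "second_half_only"  # password longer than 7 characters, tail known
        elif halves.second is None:
            status = "first_half_only"   # password longer than 7 characters, head known
        else:
            status = "full"              # entire uppercased password known
        nt_password = nt.get(user)
        report[user] = {
            "lm": status,
            "halves": halves,
            "nt": nt_password,
            "consistent": None if nt_password is None else consistent(halves, nt_password),
        }
    return report


if __name__ == "__main__":
    for user, entry in sorted(audit(LM_SHOW, NT_SHOW).items()):
        print(f"{user}: lm={entry['lm']} halves={entry['halves']} "
              f"nt={entry['nt']!r} consistent={entry['consistent']}")
```

For a password audit this turns the raw --show lists into the facts that matter: which accounts still have LM hashes stored at all, which of those are fully exposed in uppercase form, and whether the independently cracked NT results agree with them. Run it on the real --show output of both sessions by replacing the two constructed strings with the files' contents.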
