Didier Stevens

Wednesday 20 July 2016

Practice ntds.dit File Part 7: Password Cracking With John the Ripper – Brute-force

Filed under: Encryption — Didier Stevens @ 0:00

Brute-force cracking with John the Ripper is done with incremental mode. Incremental mode is not just trying out the full key space, it follows an order based on trigraph frequencies to recover passwords asap.

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --incremental --pot=john-bruteforce-lm.pot lm.john.out

Working through the complete LM hash key space will take many days:

Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "lotus5"
Use the "--format=lotus5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead

Loaded 47 password hashes with no different salts (LM [DES 128/128 SSE2])
Warning: poor OpenMP scalability for this hash type
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
1                (user09:2)
2020             (user06:2)
AS               (user22)
F                (user29:2)
R                (user28:2)
LM11819          (user16:1)
V                (user21)
EANNE            (user03:2)
T1               (user10:2)
CUNINGO          (user17)
AMOROSA          (user07:1)
12g 0:00:00:14 0.00% (ETA: 2016-08-17 08:26) 0.8329g/s 2887Kp/s 2887Kc/s 104518KC/s HSV29S..HS3A18
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

You use option –show to display recovered passwords:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-bruteforce-lm.pot lm.john.out
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:???????EANNE:S-1-5-21-3188177830-2933342842-421106997-1108::
user06:???????2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:AMOROSA???????:S-1-5-21-3188177830-2933342842-421106997-1112::
user09:???????1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:???????T1:S-1-5-21-3188177830-2933342842-421106997-1115::
user16:LM11819???????:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:CUNINGO:S-1-5-21-3188177830-2933342842-421106997-1122::
user21:V:S-1-5-21-3188177830-2933342842-421106997-1126::
user22:AS:S-1-5-21-3188177830-2933342842-421106997-1127::
user28:???????R:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:???????F:S-1-5-21-3188177830-2933342842-421106997-1134::

The command for NT hashes is almost the same:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --incremental --pot=john-bruteforce-nt.pot nt.john.out

This will never end (unless all passwords are recovered), because the password length is not limited like for LM hashes:

Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32])
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
1g 0:00:00:11  0.08373g/s 13795p/s 13795c/s 579415C/s melace1..meremia
V                (user21)
cuningo          (user17)
aS               (user22)
4g 0:00:01:17  0.05132g/s 3317Kp/s 3317Kc/s 132700KC/s ihxhl..ihxfg
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

 

4 Comments »

  1. You can use the Loopback feature as well… but you want to use -rules=split to redo the cracked LM. After it’s done with that, then you would run incremental..
    john.exe -format=nt –pot=john-bruteforce-lm.pot -loop=john-bruteforce-lm.pot lm.john.out -rules=split
    john.exe -format=nt lm.john.out –pot=john-bruteforce-lm.pot -incremental

    Comment by Frick-n-frack — Thursday 21 July 2016 @ 10:47

  2. […] Part 7 covers bruteforcing the extracted hashes using John the Ripper. Practice ntds.dit File Part 7: Password Cracking With John the Ripper – Brute-force […]

    Pingback by Week 29 – 2016 – This Week In 4n6 — Sunday 24 July 2016 @ 13:14

  3. […] Practice ntds.dit File Part 7: Password Cracking With John the Ripper – Brute-force […]

    Pingback by Practice ntds.dit File Overview | Didier Stevens — Monday 25 July 2016 @ 9:15

  4. […] Practice ntds.dit File Part 7: Password Cracking With John the Ripper – Brute-force […]

    Pingback by Overview of Content Published In July | Didier Stevens — Monday 1 August 2016 @ 0:01


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: