[Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

[don]

I'm totally jazzed about our newest contributing writer. If all goes well, hopefully we can convince to be a more regular contributor. In order to do so, please suggest other tutorials you'd like from Mr. Wilhelm.

Also, there is an assignment at the end of this tutorial. Please feel free to discuss it, but don't give away the answers. Let's not make it too easy for others. 

Permanent link: [Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

By Thomas Wilhelm, ISSMP, CISSP, SCSECA, SCNA

Many people are familiar with John the Ripper (JTR), a tool used to conduct brute force attacks against local passwords. The application itself is not difficult to understand or run... it is as simple as pointing JTR to a file containing encrypted hashes and leave it alone. In a professional penetration test, we don't always have the time to allow JTR to run to completion, and we must rely on some additional techniques to speed things up including the use of wordlists or dictionaries. JTR comes with its own wordlist containing supposedly common passwords, and we can use that dictionary to identify some low-hanging fruit. However, in most cases, the supplied JTR wordlist is woefully inadequate in identifying a wide-range of commonly-used passwords, especially when people prefer to select passwords that have some meaning to them (e.g. hobbies, partner names, child names, and pet names). So how can we improve our use of JTR to catch passwords that have relevancy to the users of our target system? It may be a bit more complicated than it seems.

The Information Systems Security Assessment Framework (ISSAF) provides an adequate methodology when focusing on password attacks and includes the suggestion of using dictionaries. For those who conduct penetration testing, the use of dictionaries is only one of two prongs used in attacking a local, encrypted password list; brute force attacks are conducted after we have attempted to break passwords using dictionaries. In this fashion, we can (hopefully) obtain weak passwords to work against during the pentest; anything discovered during the brute force attack (assuming it is too late in our pentest to use then) can simply be added to our wordlist for future penetration test projects.

Thanks Tom,
Don

[ziggy_567]

I'm curious...

All the wordlists I currently have and can find for foreign languages do not contain "special characters." (i.e. they use u" instead of ü) Where can one find a wordlist with special characters?

EDIT: edited for clarity

[chrisj]

This was great. I love the "Homework".

It's over my head, have always sucked at password cracking, and spent more time at work learning, than doing my job today.

Grendel I both bow at your feet and course your name.

*Added*

After trying this for several hours on 2 different boxes I can't figure out what I'm doing wrong.

All that I can get JTR to do is say no password hash loaded. I've tried on my xubuntu box, and with bt4 r2 (ok it worked 1 time, before adding a test account).

Pointers?  (This is why I can't wait for the noob class at hacking dojo).

*Edited to add more.

[Grendel]

Ziggy / Wordlists:
Not sure where I got mine; I know they came from the Interwebs

Chris / JTR not working:
There are numerous reasons why jtr might not recognize your hash. It is in situations like this where I like to use Skype for my hacking dojo students, so I can see what they're doing (via desktop sharing plugin).

[ziggy_567]

@Grendel

I found a wordlist on one of my VMs that has done the trick for all of the hashes except the Oracle one...

This is fun...

[Grendel]

Maybe one of my students will jump in and give a hint about the oracle password.

[bitserve]

Won't we need the username for the Oracle one?

[Grendel]

Won't we need the username for the Oracle one?

Who says it's oracle (earlier, I just repeated ziggy's words)?

Rule #1) Always be cynical, and don't trust your tools.
(I'm sure my students are getting tired of hearing me say that, but it's true)

[hayabusa]

Sounds like folks like this one.  Soon as I have some time (maybe the weekend??) I'll find my wordlists, and see if I can crack these.  In the meantime, I wrote a bash script and quickly did the 5th item...   

[bitserve]

Ah. Thanks for the tip. Solved.

[chrisj]

Ok, I know my problem.

I just don't know how to read. I was reading the hashes as 2 hashes split across lines to make it harder. Not as what is really there.

I suck at crypto (hoping that will change soon).

[hayabusa]

Yep... these weren't bad at all, but thanks to Tom for his 'homework,' and for the reminder to look at other things (like base64 and foreign character interpretation / calculation / encryption.)  I used JTR for 4 of the 5, and a quick bash script for the last...

[chrisj]

Yeah, I've only been able to decrypt hash 3 so far. Bitserve gave me a lot of help on that. He's the one that explained I was reading them wrong, and that I would need the jumbo patch for JTR.

I keep saying I'm going to try them again later in BT4r2. Just not sure when I'll have the time

[hayabusa]

Yeah.  If you have it, BT4 works well.  In fact, I used BT4-r1 BlackHat edition, and it had all the necessary patches installed, already, for jtr.  So that, and my slightly tweaked French wordlist, and it was a fast crack session.

Good luck, and if you need further help, feel free to PM me on here, or heck, even ask grendel, himself!   

[chrisj]

took a lot of help from bitserv, like learning how to convert uni-code to ascii numbers.

But I finally got back to this today, and solved it. I know bitserv did the "oracle" hash one way, Grendel said to do it a different way, and I did it a third way.

Used BT4r2.

although, more fun was doing the gawker hash for my account. I found interesting stuff there. Like, how it was an old password, not my current one.