.

[Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Dec 01, 2010 2:05 am

[Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

I'm totally jazzed about our newest contributing writer. If all goes well, hopefully we can convince to be a more regular contributor. In order to do so, please suggest other tutorials you'd like from Mr. Wilhelm.

Also, there is an assignment at the end of this tutorial. Please feel free to discuss it, but don't give away the answers. Let's not make it too easy for others.  ;)

Permanent link: [Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong


Image


By Thomas Wilhelm, ISSMP, CISSP, SCSECA, SCNA

Many people are familiar with John the Ripper (JTR), a tool used to conduct brute force attacks against local passwords. The application itself is not difficult to understand or run... it is as simple as pointing JTR to a file containing encrypted hashes and leave it alone. In a professional penetration test, we don't always have the time to allow JTR to run to completion, and we must rely on some additional techniques to speed things up including the use of wordlists or dictionaries. JTR comes with its own wordlist containing supposedly common passwords, and we can use that dictionary to identify some low-hanging fruit. However, in most cases, the supplied JTR wordlist is woefully inadequate in identifying a wide-range of commonly-used passwords, especially when people prefer to select passwords that have some meaning to them (e.g. hobbies, partner names, child names, and pet names). So how can we improve our use of JTR to catch passwords that have relevancy to the users of our target system? It may be a bit more complicated than it seems.

The Information Systems Security Assessment Framework (ISSAF) provides an adequate methodology when focusing on password attacks and includes the suggestion of using dictionaries. For those who conduct penetration testing, the use of dictionaries is only one of two prongs used in attacking a local, encrypted password list; brute force attacks are conducted after we have attempted to break passwords using dictionaries. In this fashion, we can (hopefully) obtain weak passwords to work against during the pentest; anything discovered during the brute force attack (assuming it is too late in our pentest to use then) can simply be added to our wordlist for future penetration test projects.



Thanks Tom,
Don
CISSP, MCSE, CSTA, Security+ SME
<<

ziggy_567

User avatar

Sr. Member
Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Wed Dec 01, 2010 11:48 am

Re: [Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

I'm curious...

All the wordlists I currently have and can find for foreign languages do not contain "special characters." (i.e. they use u" instead of ü) Where can one find a wordlist with special characters?

EDIT: edited for clarity
Last edited by ziggy_567 on Wed Dec 01, 2010 12:13 pm, edited 1 time in total.
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Dec 01, 2010 2:34 pm

Re: [Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

This was great. I love the "Homework".

It's over my head, have always sucked at password cracking, and spent more time at work learning, than doing my job today.

Grendel I both bow at your feet and course your name. :)

*Added*

After trying this for several hours on 2 different boxes I can't figure out what I'm doing wrong.

All that I can get JTR to do is say no password hash loaded. I've tried on my xubuntu box, and with bt4 r2 (ok it worked 1 time, before adding a test account).

Pointers?  (This is why I can't wait for the noob class at hacking dojo).

*Edited to add more.
Last edited by rattis on Wed Dec 01, 2010 5:22 pm, edited 1 time in total.
OSWP, Sec+
<<

Grendel

User avatar

Full Member
Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Wed Dec 01, 2010 7:39 pm

Re: [Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

Ziggy / Wordlists:
Not sure where I got mine; I know they came from the Interwebs

Chris / JTR not working:
There are numerous reasons why jtr might not recognize your hash. It is in situations like this where I like to use Skype for my hacking dojo students, so I can see what they're doing (via desktop sharing plugin).
- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
  • http://HackingDojo.com
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
<<

ziggy_567

User avatar

Sr. Member
Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Wed Dec 01, 2010 8:22 pm

Re: [Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

@Grendel

I found a wordlist on one of my VMs that has done the trick for all of the hashes except the Oracle one...

This is fun...
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
<<

Grendel

User avatar

Full Member
Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Wed Dec 01, 2010 8:27 pm

Re: [Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

Maybe one of my students will jump in and give a hint about the oracle password.
- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
  • http://HackingDojo.com
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
<<

bitserve

Newbie
Newbie

Posts: 2

Joined: Thu Dec 02, 2010 5:21 am

Post Thu Dec 02, 2010 5:24 am

Re: [Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

Won't we need the username for the Oracle one?
<<

Grendel

User avatar

Full Member
Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Thu Dec 02, 2010 1:27 pm

Re: [Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

bitserve wrote:Won't we need the username for the Oracle one?


Who says it's oracle (earlier, I just repeated ziggy's words)?

Rule #1) Always be cynical, and don't trust your tools.
(I'm sure my students are getting tired of hearing me say that, but it's true)
Last edited by Grendel on Thu Dec 02, 2010 1:30 pm, edited 1 time in total.
- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
  • http://HackingDojo.com
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Dec 02, 2010 2:25 pm

Re: [Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

Sounds like folks like this one.  Soon as I have some time (maybe the weekend?????) I'll find my wordlists, and see if I can crack these.  In the meantime, I wrote a bash script and quickly did the 5th item...  ;D
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

bitserve

Newbie
Newbie

Posts: 2

Joined: Thu Dec 02, 2010 5:21 am

Post Thu Dec 02, 2010 2:43 pm

Re: [Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

Ah. Thanks for the tip. Solved.
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu Dec 02, 2010 4:12 pm

Re: [Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

Ok, I know my problem.

I just don't know how to read. I was reading the hashes as 2 hashes split across lines to make it harder. Not as what is really there.

I suck at crypto (hoping that will change soon).
OSWP, Sec+
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Dec 03, 2010 10:52 pm

Re: [Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

Yep... these weren't bad at all, but thanks to Tom for his 'homework,' and for the reminder to look at other things (like base64 and foreign character interpretation / calculation / encryption.)  I used JTR for 4 of the 5, and a quick bash script for the last...
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sat Dec 04, 2010 12:17 pm

Re: [Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

Yeah, I've only been able to decrypt hash 3 so far. Bitserve gave me a lot of help on that. He's the one that explained I was reading them wrong, and that I would need the jumbo patch for JTR.

I keep saying I'm going to try them again later in BT4r2. Just not sure when I'll have the time
OSWP, Sec+
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat Dec 04, 2010 1:47 pm

Re: [Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

Yeah.  If you have it, BT4 works well.  In fact, I used BT4-r1 BlackHat edition, and it had all the necessary patches installed, already, for jtr.  So that, and my slightly tweaked French wordlist, and it was a fast crack session.

Good luck, and if you need further help, feel free to PM me on here, or heck, even ask grendel, himself!  ;D
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Mon Dec 20, 2010 3:16 pm

Re: [Article]-Tutorial: John the Ripper - Why You Are Doing It Wrong

took a lot of help from bitserv, like learning how to convert uni-code to ascii numbers.

But I finally got back to this today, and solved it. I know bitserv did the "oracle" hash one way, Grendel said to do it a different way, and I did it a third way.

Used BT4r2.

although, more fun was doing the gawker hash for my account. I found interesting stuff there. Like, how it was an old password, not my current one.
OSWP, Sec+

Return to /root

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software