Skip to content

Instantly share code, notes, and snippets.

@blub0hr

blub0hr/john_the_ripper.md

Last active March 14, 2021 21:00
Show Gist options
  • Save blub0hr/b84fbd8f3486d14ed2c7130e41fe58ee to your computer and use it in GitHub Desktop.
Save blub0hr/b84fbd8f3486d14ed2c7130e41fe58ee to your computer and use it in GitHub Desktop.
Download ZIP
Raw
john_the_ripper.md

https://www.openwall.com/john/

/run/john .\zip.hash

Incremental Mode

read https://www.openwall.com/john/doc/MODES.shtml

This is the most powerful cracking mode, it can try all possible character combinations as passwords. However, it is assumed that cracking with this mode will never terminate because of the number of combinations being too large (actually, it will terminate if you set a low password length limit or make it use a small charset), and you'll have to interrupt it earlier.

That's one reason why this mode deals with trigraph frequencies, separately for each character position and for each password length, to crack as many passwords as possible within a limited time.

To use the mode you need a specific definition for the mode's parameters, including password length limits and the charset to use. These parameters are defined in the configuration file sections called [Incremental:MODE], where MODE is any name that you assign to the mode (it's the name that you will need to specify on John's command line). You can either use a pre-defined incremental mode definition or define a custom one.

As of version 1.8.0, pre-defined incremental modes are "ASCII" (all 95 printable ASCII characters), "LM_ASCII" (for use on LM hashes), "Alnum" (all 62 alphanumeric characters), "Alpha" (all 52 letters), "LowerNum" (lowercase letters plus digits, for 36 total), "UpperNum" (uppercase letters plus digits, for 36 total), "LowerSpace" (lowercase letters plus space, for 27 total), "Lower" (lowercase letters), "Upper" (uppercase letters), and "Digits" (digits only). The supplied .chr files include data for lengths up to 13 for all of these modes except for "LM_ASCII" (where password portions input to the LM hash halves are assumed to be truncated at length 7) and "Digits" (where the supplied .chr file and pre-defined incremental mode work for lengths up to 20). Some of the many .chr files needed by these pre-defined incremental modes might not be bundled with every version of John the Ripper, being available as a separate download.

/run/john --incremental=Alnum .\zip.hash

Using masks

/run/john --mask=?d?d?d?d?d?d?d?d-?d?d?d?d[a-zA-Z] .\zip.hash

read https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/doc/MASK

Checking for GPU support

https://openwall.info/wiki/john/GPU

Cracking ZIP and RAR protected files

read https://dfir.science/2014/07/how-to-cracking-zip-and-rar-protected.html

How-to - Cracking ZIP and RAR protected files with John the Ripper

After seeing how to compile John the Ripper to use all your computer's processors now we can use it for some tasks that may be useful to digital forensic investigators: getting around passwords. Today we will focus on cracking passwords for ZIP and RAR archive files. Luckily, the JtR community has done most of the hard work for us. For this to work you need to have built the community version of John the Ripper since it has extra utilities for ZIP and RAR files.

For this exercise I have created password protected RAR and ZIP files, that each contain two files.

test.rar: RAR archive data, v1d, os: Unix
test.zip: Zip archive data, at least v1.0 to extract

The password for the rar file is 'test1234' and the password for the zip file is 'test4321'.

In the 'run' folder of John the Ripper community version (I am using John-1.7.9-jumbo-7), there are two programs called 'zip2john' and 'rar2john'. Run them against their respective file types to extract the password hashes:

./zip2john ../test.zip > ../zip.hashes
./rar2john ../test.rar > ../rar.hashes

This will give you files that contain the password hashes to be cracked... something like this:

../test.zip:$pkzip$2*2*1*0*0*1b*a80c*95e4e9547dcfcde4b8b2f05a80aaeb9d15dd76e7526b81803c8bf7*2*0*1b*f*72051312*0*44*0*1b*a808*cbafdd390bf49ea54064ab3ff9f486e6260b9854e37d1ee3a41c54*$/pkzip$

After, that you can run John the Ripper directly on the password hash files:

./john ../zip.hashes

You should get a message like: Loaded 1 password hash (PKZIP [32/64]). By using John with no options it will use its default order of cracking modes. See the examples page for more information on modes.

Notice, in this case we are not using explicit dictionaries. You could potentially speed the cracking process up if you have an idea what the password may be. If you look at your processor usage, if only one is maxed out, then you did not enable OpenMP when building. If you have a multi-processor system, it will greatly speed up the cracking process.

Now sit back and wait for the cracking to finish. On a 64bit quad-core i7 system, without using GPU, and while doing some other CPU-intensive tasks, the password was cracked in 6.5 hours.

Loaded 1 password hash (PKZIP [32/64])
guesses: 0  time: 0:00:40:29 0.00% (3)  c/s: 2278K  trying: eDTvw - ekTsl
guesses: 0  time: 0:01:25:10 0.00% (3)  c/s: 1248K  trying: ctshm#ni - ctshfon9
guesses: 0  time: 0:02:56:40 0.00% (3)  c/s: 1499K  trying: BR489a - BR48jf
guesses: 0  time: 0:03:56:04 0.00% (3)  c/s: 1703K  trying: fjmis5od - fjmidia0
guesses: 0  time: 0:04:46:09 0.00% (3)  c/s: 1748K  trying: Difg1ek - DifgbpS
guesses: 0  time: 0:05:21:22 0.00% (3)  c/s: 1855K  trying: btkululp - btkulene
guesses: 0  time: 0:06:02:43 0.00% (3)  c/s: 1857K  trying: ghmnymik - ghmnyasd
test4321         (../test.zip)
guesses: 1  time: 0:06:32:34 DONE (Mon Jul 28 17:50:22 2014)  c/s: 1895K  trying: telkuwhy – test43ac

Now if you want to see the cracked passwords give john the following arguments:

./john ../zip.hashes --show

It should output something like:

../test.zip:test4321 
1 password hash cracked, 0 left

Note: the hash file should have the same type of hashes. For example, we cannot put the rar AND zip hashes in the same file. But this means you could try to crack more than one zip/rar file at a time.

For the rar file it did not take nearly as long since the password was relatively common. If you take a look at john.conf in the run directory, it has a list of the patterns it checks (in order). The pattern 12345 is much more likely than 54321, so it is checked first resulting in a quick crack.

Loaded 1 password hash (RAR3 SHA-1 AES [32/64]) 
guesses: 0  time: 0:00:00:10 1.38% (1) (ETA: Mon Jul 28 18:23:58 2014)  c/s: 24.86  trying: rar.tsett - ttests 
guesses: 0  time: 0:00:02:12 13.40% (1) (ETA: Mon Jul 28 18:28:19 2014)  c/s: 25.98  trying: Test29 - Test2rar9 
test1234         (test.rar) 
guesses: 1  time: 0:00:17:03 DONE (Mon Jul 28 18:28:56 2014)  c/s: 24.01  trying: test1234 - testrar1234 
Use the "--show" option to display all of the cracked passwords reliably
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment