John The Ripper Crack Sha512 Encryption

The two most popular tools for doing this kind of work are Hashcat and John the Ripper. The first thing to do before you try and crack a hash is to attempt to identify what type it is - and I say “attempt” because sometimes it can be a bit of a challenge, as we’ll see in a bit.

John the Ripper password cracker. John the Ripper is a fast password cracker, currently available for many flavors of Unix, macOS, Windows, DOS, BeOS, and OpenVMS (the latter requires a contributed patch). Its primary p.

John the Ripper. Next we’ll need the cracking tool itself. If you’re using Kali Linux, this tool is already installed. Download John the Ripper here. In my case I’m going to download the free version, John the Ripper 1.8.0 (sources, tar.gz, 5.2 MB). Once downloaded, extract it with the following Linux command.

One of the modes John the Ripper can use is the dictionary attack. It takes text string samples (usually from a file, called a wordlist, containing words found in a dictionary or real passwords cracked before), hashes each one in the same format as the password being examined (including both the algorithm and any salt or key), and compares the output to the stored hash.

I think there may also be a 'fat' salted sha512 format (not 100% sure). I do know that with dynamic, getting hashes like this where there is no 'real' format is pretty easy to do now. With the new on-command-line dynamic, you do not even need to write a script any more.

In this post I will show you how to crack Windows passwords using John The Ripper.

John the Ripper is a fast password cracker, primarily for cracking Unix (shadow) passwords. Other than Unix-type password hashes it also supports cracking Windows LM hashes and many more with open source contributed patches.

Now let's talk about the password protection method used by Windows. Windows user account passwords are typically stored in the SAM hive of the registry (which corresponds to the %SystemRoot%\system32\config\SAM file). In the SAM file the password is kept as an NTLM hash, which is very well known for its cryptanalytic weaknesses.

The SAM file is further encrypted with the SysKey (Windows 2000 and above), which is stored in the %SystemRoot%\system32\config\system file. During Windows boot, the hashes from the SAM file are decrypted using the SysKey and loaded into the registry, which is then used for authentication. Both the system and SAM files are unavailable (i.e. locked by the kernel) to standard programs (like regedit) while Windows is running.

As mentioned earlier, the NTLM hash is very weak for protecting passwords. The NTLM algorithm is explained below:

  • The ASCII password is converted to uppercase
  • It is padded with nulls to 14 bytes
  • It is split into two 7-byte halves
  • Each 7-byte half is expanded to 64 bits (8 bytes) and used as a DES key
  • The constant string “KGS!@#$%” is DES-encrypted with each key (giving an 8-byte block per half)
  • The two ciphertexts are joined to form the 16-byte NTLM hash
Major pitfalls of the NTLM hash
  • ASCII is used, not Unicode
  • Uppercasing reduces the keyspace
  • LM fails with passwords longer than 14 characters
  • No salting is available
  • It is easy to determine whether the password is shorter or longer than 7 characters
Cracking Windows Passwords with John The Ripper

For the sake of demonstration I had already set up a dummy account called demo and given it the password iRock, which will be cracked later on.


User Accounts showing demo user

I booted using the Ubuntu LiveCD and mounted my Windows partition - /dev/sda1

Then I copied the SAM and system files to /home/prakhar

Then I installed samdump2 and John The Ripper:

Then I dumped the SysKey and NTLM hashes from the system and SAM files, respectively:

NTLM hashes recovered from SAM file

I then brute-forced the password using John The Ripper:

You can clearly see above that JtR cracked the password within a matter of seconds; I aborted the session since the password was already recovered. Mission accomplished!

Each time I teach my Security class, I give a month-long lab to crack as many passwords as possible. For this fall’s contest (opened on October 7, 2018), I used three different hash types: NTLM, MD5, and SHA-512. The password hashes (16 total):

65 total submissions. The answers:

  • (MD5) yogibear:L1verpool! => 11 students cracked this
  • (MD5) bigbear:unbelievable => 60 students cracked this
  • (MD5) grizzlybear:zxcasdqwe123 => 56 students cracked this
  • (MD5) pandabear:vulmjz => 7 students cracked this
  • (MD5) yolandabear:kx7yy4 => 5 students cracked this
  • (MD5) fancybear:sx708n => 7 students cracked this
  • (MD5) jojobear:wmOhL3u4J => 0 students cracked this
  • (SHA512) smokeybear:asdf => 60 students cracked this
  • (SHA512) cocobear:meatball => 60 students cracked this
  • (SHA512) yetibear:06mulesystems => 8 students cracked this
  • (SHA512) blackbear:mzpixl => 3 students cracked this
  • (SHA512) fozziebear:320299 => 18 students cracked this
  • (SHA512) pedrobear:R6iLFUgG => 0 students cracked this
  • (NTLM) cozybear:doofus => 62 students cracked this
  • (NTLM) chicagobear:ihateyou => 62 students cracked this
  • (NTLM) teddybear:w7zbyt => 45 students cracked this

To earn all 10 points for the lab, students had to crack 6 passwords. The final distribution:

The winners (tied) cracked 14 of the 16 passwords.

Student 1’s haul and methodology:

Student 2’s haul:

Student 2’s methodology:

To crack the majority of the passwords I’ve completed so far, I used John the Ripper and Hashcat. I began by using a series of wordlists on both the MD5 and SHA512 passwords, which I divided into two separate files consisting of only passwords hashed with the respective algorithms. To this point, I’ve used a scattering of the wordlists from the Seclists/Leaked-Databases folder, and have had the most success with rockyou.txt. Using rockyou.txt, I cracked two of the MD5 hashes and three of the SHA512 hashes.

I then applied a series of different rules to some of these wordlists, for both MD5 and SHA512 hashed passwords. For the SHA512 passwords, I have been using my computer at home (with a decent graphics card) to speed up the process. Using these rules, and Hashcat, which I’ve found to be a better option for GPU cracking, I cracked another of the MD5 hashed passwords.


After using a number of wordlists with a collection of different rules, I turned to brute force incremental cracking, as well as Hashcat’s mask attack. Using these two brute force methods, I’ve cracked another three MD5 hashes, and one SHA512 hash.


For the NTLM passwords, I ran JtR (John the Ripper) with the default settings to crack two of the hashes. I considered using wordlists with rules to crack the remaining NTLM password, but ended up using a site (hashkiller.co.uk/ntlm-decrypter.aspx) with a huge number of computed NTLM hashes (since I noticed that these hashes weren’t salted) to crack this one.