Government Security
Network Security Resources

Jump to content

Photo

How To Use Jtr?

- - - - - md5 password cracking dictionary
  • Please log in to reply
1 reply to this topic

#1 quicksilk

quicksilk

    Private First Class

  • Members
  • 26 posts

Posted 06 April 2006 - 12:51 AM

Tools you will need:
====================

1. Goldeneye written by Madmax. old or the latest versions..it doesnt matter!!

2. John the Ripper version 1.6w or later (in other words, you need the win32 port
of the classic unix cracker. Make sure your copy has cygwin*.dll, since I've
seen some archives lacking it. I will list urls for all tools at the end
of this document.) In this example I am using 1.6w - mmx build.

3. A text editor such as notepad or ultraedit.

4. A decent repository of wordlists in single-list format.
Links for excellent wordlists are included in the BOOKMARKS section of this text.

5. A wordlist manipulation tool, such as Raptor.

6. A browser: I will use a well known example site to demonstrate, since there's
no way to get the hang of this without an actual real world example.

7. Anonymous proxies. Equip your browser with a proxy before trying the examples.
This is very important, since not only will it protect you from logging, if
the webmaster decides to set a deny on your ip's subnet or domain, it is
the proxy that will be banned, and you can always find another.


What exactly is JTR?
====================

JTR is John the Ripper, a brute force password cracker originally developed
using Linux. Today, builds exist for Dos, Win9x/NT, Linux x86, FreeBSD x86,
OpenBSD x86, Solaris 2.x SPARC & Solaris 2.x x86, Digital's UNIX, AIX, IRIX
and HP Unix (HP-UX).

The Win32 port is usually available in three seperate builds, normal, MMX optimized,
and AMD-K6 optimized and was compiled with CYGWIN (Cygnus Developer's Kit), a common
library for porting linux/unix software to DOS/Windows.

Many people have the misconception that JTR has something to do with your inet
connection. It doesn't. It works simply by attacking encrypted passwords
stored in a plain-ascii text file with various methods, one of them
is the wordlist mode, which is primarily what I will be demonstrating. It is
your best bet (along with -single of course) to Adult password cracking.
JTR runs in a dos window, and doesn't really use much resources
at all. If you prefer to run it off your box, as you can see you may, using
practically any flavour of x86 or SPARC Unix.

To run JTR you need to feed it a wordlist and a saved htpasswd-style file. Optionally
you can suply a ruleset, change the order of it's cracking modes, and alter it's
operation in various other ways.

JTR accepts an htpasswd-style encrypted file saved as plain ascii text as input
and produces plain ascii output which can be redirected to a file. It doesn't
have a gui, other than the VCU (Velocity Cracking Utilities) addon gui, but
I've never tried/needed that tool, and it's very easy to use in it's native
command line mode.


What exactly is htaccess?
=========================

.htaccess is a file which reveals to you the location of the password
file, and the limitations on what ips, user accounts, groups of users,
or types of accounts may access it. The filename is usually ".htaccess"
or "~htaccess." - It most often can be found at /members/.htaccess
of many sites. However, just because you see an htaccess file on your
browser's screen doesn't mean you will get access to the password file.
Often you won`t, but by further reading you can considerably improve
your odds by reading more on the topic of webserver daemons and htaccess.
I will include a few links for your further reading at the end of the text.

Lets call our fictitous example site "vivozzz".

This is from: http://userass@www.v...mbers/.htaccess

[note- Chances are by the time this file gets to you, the security of vivozzz will
be so compromised that the admin is bound to notice something wrong and hopefully
correct the misconfigured server. Fictitious.. Uh, yeah, thats the ticket ]


http://userass@www.v...mbers/.htaccess


The file most often looks like this, but it`s appearance varies:
==================================================================
AuthUserFile /opt/usr/vivozzz/html/members/.htpasswd
AuthName "VivoZZZ Members Only"
AuthType Basic

<Limit GET>
require valid-user
</Limit>

ErrorDocument 401 /redirect.html
ErrorDocument 404 /redirect.html
ErrorDocument 500 /redirect.html
===================================================================


Remember, .htaccess is accessed by YOUR BROWSER. No special utility "gets" these files. The same applies to htpasswd. You simply visit the site with your browser and save the files as plain ascii text (not html!).

Since htaccess is often in the members section of the site, you will need a valid login. The same applies to htpasswd.

Lets break down some of the fields:

AuthUserFile: This is the ABSOLUTE path to the password file - the htpasswd file does not necessarily always have the filename ".htpasswd" - infact, it most often doesn`t. Admins may use any names they like for this file. Without seeing the htaccess, you really have no clue as to what the file is called, except for a few common well known defaults.

AuthGroupFile: Usually this field isn't used, but you may notice it. A webmaster has the choice of setting access in terms of groups, and this would define the .htgroup definition file path. In my example groups are not used. This path is also absolute, just like AuthUserFile.

AuthName: The area to be protected by this particular htaccess file, in this example it is the vivozzz members area.

AuthType: Basic - This field is irrelevant for the purposes of this txt.

<Limit GET>
require valid-user
</Limit>

The above sets up the limits as to WHO can access the password file!

The limits on who can access a given site's file vary. Usually sites may allow or deny access to their password file by setting allow/deny fields. Access may be restricted by IP, username, group of users, or domain. Other schemes are possible.

However, in vivozzz's case, the only restriction at the time I wrote this text happens to be "require valid-user", meaning, all you need is a members password.
The webmaster could have easily set deny all, and allow to only certain key accounts, or deny every ip except his own isp's range, or any number or other protective measures. So far, this particular webmaster hasn't done that, thereby compromising his/her entire security scheme with one simple act of negligence.

A few lines like this would have secured vivozzz's password file! I truly hope the webmaster of this site reads this file, because that webmaster is either spanking off to his site's own content, or needs a new pair of glasses, since he isn't reading his webserver's docs at
all it seems.

<Limit GET>
require user sysadmin
require user webmaster
require user salesrep
</Limit>


This would severely limit the possibilities of gaining access, requiring cracking the passwords of one of the above accounts.

ErrorDocument 401 /redirect.html : Self explanatory. This defines the "wrong password" url that the site redirects a user who has entered an invalid password to.


What exactly is .htpasswd?
==========================

An .htpasswd is a file generated by the "htpasswd create" command. It may be
one of any number of ciphertext format schemes. The ones supported by
JTR are DES, BSDi, MD5, BF, AFS and LM. Read the faq to JTR for more info
on which httpd packages/operating systems commonly use which cipher format. You will
rarely need to adjust this, since most sites use DES. JTR cannot decrypt
a file which contains different encryption formats in the same file. You will
need to split such a beast. JTR also cannot decrypt .db files directly, altough
decryption is possible by using the UNAFS utility and redirecting it's output.

JTR can decrypt shadowed password files, considering you have both the passwd
and shadow files. Obtaining and UNSHADOWing shadow files is beyond the scope of this text.

JTR performs ciphertext format detection when beginning to crack, so again,
don't change the -format unless you have a reason to.

It even decrypts eggie .user files with a bit of work since Eggdrop uses Blowfish
encryption. I will demonstrate eggdrop password decryption later.


Why bother?
===========

Good wordlists turning to crap is really the reason I learned this method in
the first place. It's a reliable, neverending supply of valid combos. What can
be more useful?

Also, lets get another opinion from an expert. Here`s what Aloha Wally has to say
in his updated wordlist grooming guide:


"...You could crack Stanley Security who uses the login zildot:crepe; how many people do you
figure have that on their list? The problem is; who in the world is going to think up that
login off the top of their head? Only one guy... and it is his account...
So how do you get those passes on your list? Well, this may come as a shock to some of you,
but cracking is not the only way to get accounts from a site. A number of people use a
program called John the Ripper to get the actual passfile from a site and decrypt it into
useable account logins. While I don't do this myself (at least not yet), I know several folks
who do and those files are mana from heaven. If you remember Cracking 101, I said that the
average person uses the same login on every site he buys into (format permitting)....
that being the case, if one of those logins is zildot:crepe, then you should be able to use
it to access pretty much every site that Stanley Security is a member of. Multiply that effect
by a hundred or more and you have a treasure trove for the cracking ace. The really great thing
is, the file need not be new/current and you don't even need to know what site is from, all
you need are the valid ID/pass combinations."

Uh-uh.. Well said dude!

If you can't see the possibilities of improving your word lists with 20,000 valid
username/password combinations within a 24-48 hour period, then this guide isn't for you!


Preparation of JTR for Windows
==============================

Once you have obtained JTR ver 1.6w or higher, unzip it. The zip should
contain two directories: \doc and \run. The files in \doc are obviously
the documentation. Your work will take place in the \run directory.
I suggest you dont use paths and just extract everything into one directory,
i will use c:\john in this example.

JTR can be unzipped from dos using PKZIP 2.04g or any Windows unzipper on
the windows platform.

Once unzipped, you should see two more zip files:

john-k6 zip 58,747 12-03-98 4:19a JOHN-K6.ZIP
john-mmx zip 54,656 12-03-98 4:19a JOHN-MMX.ZIP

Notice also that there is a john.exe file.

JTR for w32 comes in three flavours:

Regular Build (the john.exe file that already exists: it is a non-optimized version for any intel cpu, 486dx or higher)

AMD-K6 Build (the john-k6.zip file contains a john.exe file that is optimized
for the AMD K6 cpu. If your pc uses an AMD K6, use this build. I've also
heard that people use this build on AMD Athlons rather than the mmx build,
but Athlon owners should try it for themselves.

Pentium-MMX Build (the john-mmx.zip file contains a john.exe file that is
optimized for any cpu higher than the original P166-non mmx. In other
words, if you own a Celeron, a Pentium Pro, P2 or a P3, JTR will run
a bit faster if you use the MMX build.)

Is this necessary? No. You can use the plain john.exe file that is
included in the original archive. Does it help? You bet! JTR is the
type of program you run for hours. You can shave an hour from a 5 hour decryption
process by using the mmx build on an MMX equipped cpu.

Notice the following two files:

password lst 18,447 12-03-98 4:19a PASSWORD.LST

The above is the default single word list that is included with JTR. A cracker is only
as good as it's wordlist, and since JTR is a brute force cracker. You will need
large wordlists. By large, i am talking at least 500k at the smallest. I use
5 megabyte segmented wordlists and a simple batch file to run through them all.

You aren't going to get very far with the 18k default wordlist. But more on
that later.

john ini 10,294 12-03-98 4:19a JOHN.INI

The above is JTR's ini file. If you're feeling adventurous, play with it,
but back it up. I suggest you don't change anything at the start. It
contains a ton of options which may be useful to you later.

At this point you should have unzipped JTR and have it in a directory.


===========================
Finding your htaccess file:
===========================

You can, of course, after cracking a site, go to your browser and try to surf to "/members/.htaccess", "/members/.htpasswd", "/members/~htaccess", "/members/admin",
etc but this is very time consuming and pointless. This can be automated:

GOLDENEYE and other such proggies have a feature called "security checker" or
"server security test". This searches for 250-300 common "weak directories"
(improperly set read access rights.) and informs you of any that are found. You need
to posess a valid login to a site to run the security tester. Your best bet is either
to paste a valid http://userass@site.com/members/ url to the security tester in Goldeneye,
or to use an icon in the HISTORY section which is what I will demonstrate:

1. Run Goldeneye 1.0.5 bld 125 or later

2. Go to "history"

3. Locate the ">>" icon in the middle row of small icons. It is to the right of the "print
access history" and "save access history" icons. What this does is paste the history
entry you have highlighted directly to the security tester and pops up the security
checking screen. Lets select a valid vivozzz account from your history and click the
>> icon.

4. A new screen will pop up. This is the security checker. On the bottom, the leftmost
icon looks like a LOCK. By clicking it, you begin the process of finding weak
directories.

You should immediately find "http://userass@www.v...mbers/.htaccess as "WEAK".
Surf to the weak paths it finds with your browser. You should now see the .htaccess file!


5. Once in your browser, you should be looking at the weak path
http://userass@www.v...mbers/.htaccess, and you should have an
htaccess file on your screen. It should look something like this, of course
the admin will probably change the security scheme on vivozzz once this
guide is in the public domain, so this may no longer work by the time
you read this. It works on o2.o8.2ooo, and the method is the important
thing. On o2.o8.2ooo the htaccess file looked like this:

====================================================
AuthUserFile /opt/usr/vivozzz/html/members/.htpasswd
AuthName "VivoZZZ Members Only"
AuthType Basic

<Limit GET>
require valid-user
</Limit>

ErrorDocument 401 /redirect.html
ErrorDocument 404 /redirect.html
ErrorDocument 500 /redirect.html
=====================================================


Congradulations, you have found what I call the "map". Imagine the htpasswd file as your
prize. Imagine the htaccess file as the map showing you where your prize is hidden and
what you need to get at it!


Finding htpasswd file
=====================

By now you should have done the following:

1. Unzipped and prepared JTR
2. Cracked a password to VIVOZZZ (or the site you're security testing, remember you will
ALWAYS need a valid login to the site you are testing.)
3. Used the "Security Checker" feature of Goldeneye to find any weak directories.
and subsequently found the path to htaccess as weak.
4. Used your browser to view the htaccess file.

5. Now let's get to the prize!

6. Examine the htaccess you see in your browser again and carefully notice the AuthUserFile
path:

AuthUserFile /opt/usr/vivozzz/html/members/.htpasswd

What do we know about vivozzz now?

a. The ABSOLUTE path of the file is "~/vivozzz/html/members/.htpasswd"
b. The RELATIVE path of the members section on vivozzz is
"http://userass@www.v...z.com/members/"

So lets try to view it! Lets surf to the following path:

http://userass@www.v...mbers/.htpasswd

Did we get the file? Nope.

Why not? Our relative path and the absolute path of the file were not matching. Lets remove
"html/" and try again.

Alter the url slightly and surf to: http://userass@www.v...mbers/.htpasswd

Your browser's screen should begin to fill up with text that looks like this:

login1:QHWvF81xuCX[7
login2:taxEXKdSpFM7M
login3:nGhPcWOUxTlJJ
messenger:x8u8488dux
offear:08x74jbe9.e88
insight:858mcu875995U
Dark:mij4[OHcHpT5C
Deception:zX/bxvROTX82c
KillsThe:WOPhSETlNUiVh
LIGHT:1VlLRHB4xID8i
Admin:Im0nlY15.5YrsolDx
:rF9847hxtt65
hybrid:2s57XPmIMR4d2
children:EdPuXPXU5KkL7
watch:5iyIgHD44Md[K
thesea:XI3oXnVgXzshY
Pray:kemkIyPFnt6TY
For:jesUXoWHstlUg
Father:Yu/MXQbqBr85A
Roaming:10xP.ZKQxHLrQ
Free:TKb6UdHRMvfJh
Webmaster:9ucj599ikoj4
DrainYOU:1JXObdBwNYPcF
ofyour:fuQ7PldDSMH2g
Sanity:shUdHckWwykhs
Face:3qD4YNX2bh7pJ
TheThing:mBPanh9/Y//Lg
ThatShouldNot:jK3.fHwhExb9A
be!:xY4a7ix873.[84
sean:90948xnu85yhZKq

Hey did you notice how this site's users all use Metallica lyrics for their logins? Wow man,
this must be that new billing system.. Like.. Metallibill.. Or something.. cough...

* Note: The format of the htpasswd file is always:

userid:ENCRYPTEDPASSWORD
userid:ENCRYPTEDPASSWORD

When you hit the password file of a site, and get the url and everything right, the above is what you will see. If so, your efforts have paid off bigtime! Smile, and hope your proxy is anonymous.

Now wait for the entire file to load. It may take a bit of time for a large site. Go to your browser's file menu and save this as .TXT (not HTML!) - You must always have a plain text (plain-vanilla ascii) saved passwd file in order for JOHN to decrypt it. The text must NOT contain any html tags, or anything other than the encrypted passwords.

Lets save this file as file type TEXT with the filename C:\john\vivo.txt

You no longer need your browser, since the password file you have been hunting down is now safely stored on your hard disk.


CONGRADULATIONS, you have obtained your first htpasswd file!


Decrypting the htpasswd file you just found and saved

You will need several large single-format wordlists. I suggest you do this to start:

a. Take every combolist you use and append them to one large file (copy them together)
b. Use a wordlist utility like Raptor to convert the combination list into a single
wordlist (one word per line)
c. Use a wordlist utility like Raptor to dupe-check the resulting huge single wordlist,
this is an important step since when you convert combo lists to single lists, there
will always be many dupes. Remember that dupes in your list slow down decryption.
It is important to have a clean wordlist for JTR, without any blank lines, dupes,
colons, tabs, etc. Otherwise the program may and does crash.
d. Save the resulting single wordlist as "huge1.lst" in your JTR directory.

I suggest using the extension ".lst" for wordlists, and ".txt" for htpasswd files but
this is up to you. Remember to stick to short filenames!! (8.3) you're working with dos.

I also suggest you visit some wordlist collections on the web and obtain a lists like:

female names
male names
celebrity names
english words
spanish words
unusual words (illnesses, bacteria, etc)
a list of places
a list of common last names
foreign languages in low-ascii text (discussed below)
common unix terms


Save all of these in your JTR directory.

Make sure every one of these lists is single format, no spaces in between the words.
Your wordlists should look something like this:

abuse
abut
aby11
abyss
abz
ac
ac^dc
acacia
academia
academic
academy
acadia25
acadian
acampbell
acannavino
acapt
acapulco
acaraf
acartia
acat
acaxaz
acbacb
acbb
accept
accer233


Starting and Running JTR

1. Open a dos window
2. Switch to the directory containing your john.exe and all your wordlists and saved htpasswd files. Say this is c:\john
3. JTR has several modes of operation. My example uses the "-w:" wordlist mode. This is best for cracking xxx sites with multiple passes. If you were decrypting say ONE password, you would probably use other modes also, such as incremental. Read "MODES" in the John DOC dir for more details.
4. Lets assume your filenames are something like this:

Your saved htpasswd file is named: vivo.txt
Your wordlist is named: huge1.lst

The command to start JTR's cracking engine in the wordlist mode is:

john -w:wordlist.lst myhtpass.txt

So for my example, the command would be:

C:/john> john -w:huge1.lst vivo.txt

You should now see JTR load and begin to crack. It's output will look something like this:

7:36:36.17 Tue 02-08-2000 [w2k] C:\john>john -w:huge1.lst vivo.txt
Loaded 2879 passwords with 1343 different salts (Standard DES [24/32 4K])
qwertyasdf (login1)
hardon (login2)
myadminisonly15 (login3)
imanidiot (Webmaster)
iwantmymommy (Admin)
timeforlust (hybrid)
timeforlies (children)
timetokiss (watch)
yourlife (thesea)
GoodBye (Pray)
BOW (For)
TO (Father)
LEPPER (Roaming)
MeSsIaH (Free)
chixdighim! (Sean)

While cracking, JTR always "reverses" the login and password. So its output is to be interpreted as:

password (userid)
password (userid)


This is only while it's cracking. If you want to test a combination while it's cracking, always remember that the stuff in the () is the login, not the password!
For example, if you were to build a combolist of the above logins, it would look like this:

login1:qwertyasdf
login2:hardon
login3:myadminisonly15
Webmaster:imanidiot
hybrid:timeforlust
children:timeforlies
watch:timetokiss
thesea:yourlife
Pray:GoodBye
For:BOW
Father:TO
Roaming:LEPPER
Free:MeSsIaH
Admin:iwantmymommy
Sean:chixdighim!


Let it run through. It will take some time. Your screen will continue to display passwords
every time it cracks one. When it's done, you will return to the DOS prompt.

You can interrupt your cracking session with a ^C. Since JTR stores hashes in the JOHN.POT file every time it cracks one, you won't loose any gained passwords. Also, JTR
has a session save/resume function which you may want to experiment with.


Progress indicator:

If you hit the space bar while JTR is cracking, you will see a "progress" line:

guesses: 43 time: 0:00:05:20 0% c/s: 66797 trying: 5786 - 6288

...........................................................................
GUESSES: This is the amount of passwords cracked so far. Sometimes this number will be 2x the amount of passwords cracked. JTR has an ability to split certain long passwords into halves and crack them separately. The formats which support this feature are double length DES crypt(3) passes and Windows NT LM passes. Someone asked me if JTR is accurate recently. It is 110% accurate. If a lot of passes cracked with it don't work, the htpasswd file is probably an old list of expired passwords.

TIME: the amount of time JTR has been running.

C/S: The effective cracking speed. C/S means combinations per second. Now you can see how on a 56k line, it would take appx an hour to run 67,000 combinations. JTR is doing this amount of tries EVERY SECOND on the 450mhz Pentium3 I used for this demonstation. You can benchmark JTR by typing "john -test" - Here are benchmarks from a non-optimized 166mhz P1 laptop:

C:\john2>john -test
Benchmarking: Standard DES [24/32 4K]... DONE
Many salts: 13668 c/s
Only one salt: 11825 c/s

Benchmarking: BSDI DES (x725) [24/32 4K]... DONE
Many salts: 535 c/s
Only one salt: 523 c/s

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw: 402 c/s

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw: 26.6 c/s

Benchmarking: Kerberos AFS DES [24/32 4K]... DONE
Short: 13273 c/s
Long: 24603 c/s

Benchmarking: NT LM DES [24/32 4K]... DONE
Raw: 73451 c/s


TRYING: displays the current combination JTR is trying.
.........................................................................


Saving an output of cracked passwords in JTR
============================================

Once JTR has run through the huge1.lst file, you will want a standard combination
list (combo list) of the passwords it found. Here's the command you will need:

john -show mypasswd.txt

So for our example, we will use:

c:\john\> john -show vivo.txt

At this point your screen will fill up with combinations. It will look like this:

================================
hybrid:timeforlust
children:timeforlies
watch:timetokiss
thesea:yourlife
Pray:GoodBye
For:BOW
Father:TO
Roaming:LEPPER
Free:MeSsIaH

1929 passwords cracked, 2837 left
=================================

You want to save these to a file. So using simple dos redirection, use the command:

c:\john> john -show vivo.txt > output.txt

The above command will redirect stdout (screen) to the filename "output.txt" - remember, ONLY while cracking are the pass (login) reversed. In the -show command, the output is a standard combination list, with loginassword as expected.

You may want to sort the output file. Again using simple dos redirection:

c:\john> john -show vivo.txt | sort > sorted.txt


Viewing the cracked passwords

Use any editor to open and view "output.txt" - if you've followed my directions, it should contain the same type of output as above, but saved to a file.


Squeezing more passwords out

You may notice that JTR has cracked a good number of passwords, but also left a lot uncracked. This is because one wordlist is never enough. I use 5 megabyte segmented lists, and a batch file which runs through them. I customize the batch file order, putting JTR to work on the common passwords, then progressively trying more obscure dictionaries and possibly a few languages. When it's not giving up any more passes for a while, you can ctrl-c it and just be happy with what you found.

After running through a passwd file, always take the combinations it finds and use them
a. to enhance your standard combo lists and b. always take the -show command output, convert it into a single list, merge it into your main john wordlist, and dupecheck the results.
You are in other words feeding yet more valid USERIDs and PASSWORDs into your main john dictionary, thereby increasing the chances that on your next attempt, one of these will be a hit combination. Since JTR is so quick, a few thousand additional lines will
not take much time at all. It will also show you that a lot of users do subscribe to more
than one site, and use basically the same combination on all of them. If you've played
with grabbing RAS passwords remotely, you probably know that most peeps have a handful
of words which they continously reuse as their password for various inet pursuits.


Possible problems:
==================

Sites often change servers, providers, server software, or leave expired password
files laying around. One well known example is the expired passwd file on hotbox.
Expired files do have their use, they can be used for combinations, but I'm sure
you'd rather spend 5 hours decrypting a valid file than an expired one. How can
you tell if the file you've just grabbed and are about to decrypt is potentially
an "expired" (or left over/old) file? Well here's one easy way:

Say you cracked the combo edisonj:electricity1 to gain access to the site's password
file. One way you can quickly check is by searching for that particular username
(in this case edisonj) in the passwd file you just found and saved. Say you search
for "edisonj" and see a line like this in the passwd file:

edisonj:xY038io.hj8[ui8r

Since the account is IN the passwd file, chances are this is a valid passwd file. However,
there is one caveat. If this is an expired/changed passwords file (ala hotbox), the login
may exist, but the password is probably old and has been changed. How do you know?
You don't. But you can very quickly find out. Start JTR and try some of the combos
it cracks. If after trying 4 or 5 random ones they're all bad, chances are your file is
an expired passwords file. It's only use is for combinations. However, I suggest you
test your accounts once you've finished decrypting anyway by using output.txt as
your combo list on the site in question.

Expired password files aren't a total loss, however. They're perfect for combinations,
and remember that the users probably exist in the new password file. By examining their
old passwords, you can customize a security probe limited in scope to one or small number
of users.


Getting Good Results with JTR and examples
==========================================

Build large lists, 500k or larger. To start with, take every combo list you
can get your hands on, append it into one large combo list, convert it to
single format, DUPECHECK it, and sort it

JTR does not internally pre-sort your wordlists, as it doesn't load the
entire list into ram or temporary storage. JTR reads your wordlist from
disk as it runs. This allows you to either pre-sort your wordlist to
put frequently used words first. JTR runs a little faster when it's
operating on a pre-sorted wordlist where one word differs slightly from
the next.

The wordlist should not contain dupes. John doesn't sort the words not to use too much memory, since that would require at least loading the entire wordlist to memory or temporary space, while now it's read from disk while cracking. Also, leaving the words order as it is allows you to put frequent words first. However, if you don't place words in a reasonable order, it is better if you sort the wordlist alphabetically: John runs a bit faster if each word it tries only differs from the previous one by a few characters, this is especially noticeable when cracking only a few passwords at a time. Most wordlists that you may find on the net are already sorted anyway.

Some Examples:

If you just want a few passwords as QUICKLY as possible, use the -single crack mode:
C:\john> john -single vivo.txt
C:\john> john -show vivo.txt > output.txt


If wordlists aren't getting enough of the more obscure, but still weak passwords, try
using a wordlist with rules (word manipulations). Rules are defined in the john.ini file
and should be modified only by the advanced user. Read the "RULES" text in the doc directory.
C:\john> john -w:huge1.lst -rules vivo.txt
C:\john> john -show vivo.txt > output.txt


If you have a ton of storage, and you want faster performance:
C:\john> john -w:huge1.lst -rules -stdout:8 | unique.exe realhuge.lst
C:\john> john -w:realhuge.lst vivo.txt
C:\john> john -show vivo.txt > output.txt

(The first line will generate a HUGE wordlist based on your rules, using whatever
stdout limit you set, pipe it through the unique utility which will eliminate dupe
combos and save it to "realhuge.lst" - The second line commences normal wordlist
cracking using your newly created wordlist. This is identical to the -rules command
in the previous example except that JTR will run a little faster. Prepare a ton
of HD space though, since the dictionary will grow exponentially.)


Cracking multiple password files in synchronous order (there is no parallel processing
support in JTR) can be done this way:
C:\john> john -w:dutch.lst -rules site1.txt site2.txt site3.txt
(you may also use wildcards like site*.txt)


MODES
=====

JTR has several modes of operation. Up till now, I've been exclusively using it's
-wordlist mode which simply allows you to use a wordlist other than the one defined
in the .ini. The other modes are -single, -incremental and -external.

A mistake often made by people is asuming that -single does not use a wordlist. It
sure does, infact it uses the one you`ve defined in your ini file, by default this
is ~/password.lst.

"Incremental" mode is JTR's most powerful, and most time consuming cracking mode. It
tries all characters possible for a given password. Settings for default parameters are
defined in john.ini, specifically in the [Incremental:ALL] section. By default,
Incremental:ALL will be used which allows 95 characters to be used in creating passwords
of 0 to 8 symbols in length. This will take a year, and should be used as a last resort,
or limited in scope.

"External" mode makes use of text filters and makes use of standard functions, accessed
by a c-like compiler. Examine the .ini file for more details. I've played with filters
and they aren't for the beginner. Leave this mode for when you've used JTR for a while.


To crack incrementally:
C:\john> john -i vivo.txt

To crack incrementally, limiting scope to digits
C:\john> john -i:digits vivo.txt

To crack incrementally, limiting scope to the english alphabet
C:\john> john -i:alpha vivo.txt

There's also an LM charset file which is predefined and can be used
C:\john> john -i:lanman vivo.txt


Roll your own charset:

Say you have a lot of unusual combos cracked which you'd like use to generate a custom
CHARSET file which you can then use in your incremental mode cracking:
1. C:\john> john -makechars:mycombos.chr htpass1.txt htpass2.txt htpass3.txt
2. Edit INI file and add a definition for mycombos.chr / filter <read below>
3. C:\john> john -i:mycombos vivo.txt

Adding your newly created charset as a definition:

Open JOHN.INI file in a text editor and add the following lines:

[Incremental:MYCOMBOS]
File = ~/mycombos.chr
MinLen = 0
MaxLen = 8


Charset files are useful for taking unusual or foreign cracked passwords and using them for
subsequent cracks.

Many more options are available including powerful predefined filters. All of this is
beyond the scope of this document.


Using multi-lingual dictionary files
====================================

JTR is fast on modern cpus, and it can easily be used for decryption of
multi-lingual passwords. The common languages of European origin use a
latin alphabet, such as Polish, as opposed to a unique alphabet, such
as Greek, Cyrillic or Japanese. Your non-english wordlists should still
use a simple english low ascii alphabet, such as this example, taken
from a file I used for a Hentai site with very good results (urls for this
and other such wordlists will accompany this document.) In other words,
use files like the one below and stay away from dictionaries requiring
a codepage or a special font to view. Chances are they will not yield
any results.

Excerpt from a low-ascii 300,000 line ( ~1mg) Japanese common phrases list:
........
kuroyaki
kuroyama
kuroyana
kurozato
kurozi
kurozu
kurozuapo
kurozumi
........


Salts
=====

You may notice I said nothing on salts. Theres nothing much to say for the beginner
Xcept that the salt is the first two characters in the encrypted hash. So the less
unique salts there are for a given password file, the less work JTR has to do.
Some password files will use the same seed for every password (or the same salt)
making them even more susceptible to cracking.

"-salts:[-]COUNT set a passwords per salt limit. This feature sometimes allows to achieve
better performance. For example you can crack only some salts using '-salts:2' faster, and
then crack the rest using '-salts:-2'. Total cracking time will be about the same, but
you will get some passwords cracked earlier." - Quoted from the JTR docs.


Finding other weaknesses
========================

Well, we're reaching the end of the scope of this document. As a webmaster,
you should review your access rights policy for such directories as ~/admin,
~/cgi-bin, ~/ccbill, ~/web900, ~/temp, et al. I hope you've enjoyed reading
this text and use your newly gained knowledge to benefit the security scheme of
your site and further protect the privacy of your users.


URL Bookmarks Section
=====================


John The Ripper Download Areas - Latest version to date: 1.6
............................................................

Homepage:

http://www.openwall.com/john/
(This is the official JTR homepage, moved from false.com. This is the new JTR homepage,
here you will find the official distribution archives with signatures)


Alternate Sites:


Version 1.6 DOS x86 Port:
http://packetstorm.s...rs/john-16d.zip
http://www.icefortre...ds/john-16d.zip


Version 1.6 w32 x86 Port including MMX & K6 Builds:
http://www.icefortre...ds/john-16w.zip
http://packetstorm.s...rs/john-16w.zip


Version 1.6 for Linux
http://www.icefortre...john-1.6.tar.gz


An archive of crackers, tools, lists, and utilities to end all archives:
http://packetstorm.s...y.com/Crackers/
http://deny.de


Wordlists, Wordlists, and MORE WORDLISTS! I believe Packetstorm hosts the net's largest
wordlist repository. You'd be most wise to take a look, grasshopper:
http://packetstorm.s...kers/wordlists/


Another excellent wordlist repository:
ftp://sable.ox.ac.uk/pub/wordlists/


Everything you always wanted but didn't know where the (filtered) to find:
http://packetstorm.s.../archives.shtml
(There's so much HP there, man you can get lost on Packetstorm's servers!)

credits goes to d4rk...

Courtesy of (P)inoy (H)acking Team

#2 Kenny

Kenny

    Former Commander In Chief

  • Retired Admin
  • 6,747 posts

Posted 06 April 2006 - 12:13 PM

here is also a basic one with images i wrote some time back

http://www.how-to-hack.org/intro1.html


thanks for the tutorial quicksilk ;)
Kenny aka ComSec

Please read the Forum Rules !!!

______________________





Also tagged with one or more of these keywords: md5, password cracking, dictionary