John The Ripper- TryHackMe Walkthrough

Task 2: Setting up John the Ripper

What is the most popular extended version of John the Ripper?

>> jumbo john

Task 3: Wordlists

What website was the rockyou.txt wordlist created from a breach on?

>> rockyou.com

Task 4 Cracking Basic Hashes

What type of hash is hash1.txt?

>> md5

What is the cracked value of hash1.txt?

john — format=Raw-md5 — wordlist=/usr/share/wordlists/rockyou.txt /root/Downloads/first_task_hashes/hash1.txt

What type of hash is hash2.txt?

What is the cracked value of hash2.txt?

john — format=Raw-sha1 — wordlist=/usr/share/wordlists/rockyou.txt /root/Downloads/first_task_hashes/hash2.txt

What type of hash is hash3.txt?

What is the cracked value of hash3.txt?

john — format=Raw-sha256 — wordlist=/usr/share/wordlists/rockyou.txt /root/Downloads/first_task_hashes/hash3.txt

What type of hash is hash4.txt?

What is the cracked value of hash4.txt?

john — format=whirlpool — wordlist=/usr/share/wordlists/rockyou.txt /root/Downloads/first_task_hashes/hash4.txt

Task 5 Cracking Windows Authentication Hashes

NTHash / NTLM

You can acquire NTHash/NTLM hashes by dumping the SAM database on a Windows machine, by using a tool like Mimikatz or from the Active Directory database: NTDS.dit.

What do we need to set the “format” flag to, in order to crack this?

>> NT

What is the cracked value of this password?

john — format=NT — wordlist=/usr/share/wordlists/rockyou.txt /root/Downloads/ntlm.txt

Task 6 Cracking /etc/shadow Hashes

Unshadowing

tool built into the John suite of tools called unshadow. The basic syntax of unshadow is as follows:

unshadow [path to passwd] [path to shadow]

unshadow - Invokes the unshadow tool

[path to passwd] - The file that contains the copy of the /etc/passwd file you've taken from the target machine

[path to shadow] - The file that contains the copy of the /etc/shadow file you've taken from the target machine

Example Usage:

unshadow local_passwd local_shadow > unshadowed.txt

What is the root password?

Task 7 Single Crack Mode

Single Crack Mode

So far we’ve been using John’s wordlist mode to deal with brute forcing simple., and not so simple hashes. But John also has another mode, called Single Crack mode. In this mode, John uses only the information provided in the username, to try and work out possible passwords heuristically, by slightly changing the letters and numbers contained within the username.

To use single crack mode, we use roughly the same syntax that we’ve used to so far, for example if we wanted to crack the password of the user named “Mike”, using single mode, we’d use:

john --single --format=[format] [path to file]

--single - This flag lets john know you want to use the single hash cracking mode.

Example Usage:

john — single — format=raw-sha256 hashes.txt

A Note on File Formats in Single Crack Mode:

If you’re cracking hashes in single crack mode, you need to change the file format that you’re feeding john for it to understand what data to create a wordlist from. You do this by prepending the hash with the username that the hash belongs to, so according to the above example- we would change the file hashes.txt

From:

1efee03cdcb96d90ad48ccc7b8666033

To

mike:1efee03cdcb96d90ad48ccc7b8666033

What is Joker’s password?

Task 8 Custom Rules

How to create Custom Rules

Custom rules are defined in the john.conf file, usually located in /etc/john/john.conf if you have installed John using a package manager or built from source with make and in /opt/john/john.conf on the TryHackMe Attackbox.

Let’s go over the syntax of these custom rules, using the example above as our target pattern. Note that there is a massive level of granular control that you can define in these rules, I would suggest taking a look at the wiki here in order to get a full view of the types of modifier you can use, as well as more examples of rule implementation.

The first line:

[List.Rules:THMRules] - Is used to define the name of your rule, this is what you will use to call your custom rule as a John argument.

We then use a regex style pattern match to define where in the word will be modified, again- we will only cover the basic and most common modifiers here:

Az - Takes the word and appends it with the characters you define

A0 - Takes the word and prepends it with the characters you define

c - Capitalises the character positionally

These can be used in combination to define where and what in the word you want to modify.

Lastly, we then need to define what characters should be appended, prepended or otherwise included, we do this by adding character sets in square brackets [ ] in the order they should be used. These directly follow the modifier patterns inside of double quotes " ". Here are some common examples:

[0-9] - Will include numbers 0-9

[0] - Will include only the number 0

[A-z] - Will include both upper and lowercase

[A-Z] - Will include only uppercase letters

[a-z] - Will include only lowercase letters

[a] - Will include only a

[!£$%@] - Will include the symbols !£$%@

Putting this all together, in order to generate a wordlist from the rules that would match the example password “Polopassword1!” (assuming the word polopassword was in our wordlist) we would create a rule entry that looks like this:

[List.Rules:PoloPassword]

cAz"[0-9] [!£$%@]"

In order to:

Capitalise the first letter — c

Append to the end of the word — Az

A number in the range 0–9 — [0-9]

Followed by a symbol that is one of [!£$%@]

What do custom rules allow us to exploit?

>> Password Complexity Predictability

What rule would we use to add all capital letters to the end of the word?

>> AZ”[A-Z]”

What flag would we use to call a custom rule called “THMRules”

>> — -rule=THMRules

Task 9 Cracking Password Protected Zip Files

Cracking a Password Protected Zip File

Zip2John

Similarly to the unshadow tool that we used previously, we’re going to be using the zip2john tool to convert the zip file into a hash format that John is able to understand, and hopefully crack. The basic usage is like this:

zip2john [options] [zip file] > [output file]

[options] - Allows you to pass specific checksum options to zip2john, this shouldn't often be necessary

[zip file] - The path to the zip file you wish to get the hash of

> - This is the output director, we're using this to send the output from this file to the...

[output file] - This is the file that will store the output from

Example Usage

zip2john zipfile.zip > zip_hash.txt

What is the password for the secure.zip file?

What is the contents of the flag inside the zip file?

Task 10 Cracking Password Protected RAR Archives

Cracking a Password Protected RAR Archive

Rar2John

Almost identical to the zip2john tool that we just used, we’re going to use the rar2john tool to convert the rar file into a hash format that John is able to understand. The basic syntax is as follows:

rar2john [rar file] > [output file]

rar2john - Invokes the rar2john tool

[rar file] - The path to the rar file you wish to get the hash of

> - This is the output director, we're using this to send the output from this file to the...

[output file] - This is the file that will store the output from

Example Usage

rar2john rarfile.rar > rar_hash.txt

What is the password for the secure.rar file?

What is the contents of the flag inside the zip file?

Task 11 Cracking SSH Keys with John

Cracking SSH Key Passwords

SSH2John

Who could have guessed it, another conversion tool? Well, that’s what working with John is all about. As the name suggests ssh2john converts the id_rsa private key that you use to login to the SSH session into hash format that john can work with. Jokes aside, it’s another beautiful example of John’s versatility. The syntax is about what you’d expect. Note that if you don’t have ssh2john installed, you can use ssh2john.py, which is located in the /opt/john/ssh2john.py. If you’re doing this, replace the ssh2john command with python3 /opt/ssh2john.py or on Kali, python /usr/share/john/ssh2john.py.

ssh2john [id_rsa private key file] > [output file]

ssh2john — Invokes the ssh2john tool

[id_rsa private key file] - The path to the id_rsa file you wish to get the hash of

> - This is the output director, we're using this to send the output from this file to the...

[output file] - This is the file that will store the output from

Example Usage

ssh2john id_rsa > id_rsa_hash.txt

What is the SSH private key password?

Follow On: Linkedin | Twitter

Written By: Pratik Dhavade

--

--

--

💻 Cybersecurity Enthusiast: | 🌐 OSINT | 📈 Vulnerability Assesment | 🛠️ VAPT

Recommended from Medium

Data-Safety: Here is how to treat your E-Waste

Don’t Be Afraid of Huawei and ZTE

InfoSecSherpa’s News Roundup for Thursday, February 17, 2022

Pomegranates and grapefruit. Image by Alexandr Podvalny from Pixabay.

BlackHat Arsenal Demo — Cyber Range

Introduction to Friend Sharing Network

Power Of IDS & IPS in Cyber Security

JUST A SECOND, IS ALL IT TAKES…

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Pratik Dhavade

Pratik Dhavade

💻 Cybersecurity Enthusiast: | 🌐 OSINT | 📈 Vulnerability Assesment | 🛠️ VAPT

More from Medium

Decrypting WinRM traffic from AD hashes — HTB Uni Quals 2021 “Keep the Steam Activated” Writeup

Log4shell (Knock Knock)

2. Sequel — Begginer/Learning Box

Brooklyn Nine Nine [walkthrough]