John

Common Formats

Type

Mode

$krb5asrep$23$

krb5asrep

$krb5tgs$23$

krb5tgs

NTLMv2

netntlmv2

NTLM

netntlm

Usage

john --format=<FORMAT> --wordlist=/usr/share/wordlists/rockyou.txt --fork=4 hash

john --list=formats | grep <FORMAT>

john --show passwd.txt

Rules

To be able to use the previously created rules in JtR, we need to add a name for the rules and append them to the /etc/john/john.conf configuration file.

$ cat ssh.rule
[List.Rules:sshRules]
c $1 $3 $7 $!
c $1 $3 $7 $@
c $1 $3 $7 $#

sudo sh -c 'cat /home/kali/passwordattacks/ssh.rule >> /etc/john/john.conf'

john --wordlist=ssh.passwords --rules=sshRules ssh.hash

Files

zip

zip2john <file.zip> > zip.hash

john --wordlist=rockyou.txt zip.hash

john zip.hash --show

unzip <file.zip>

pfx (File Certificate)

pfx2john legacyy_dev_auth.pfx > pfx_hash

john pfx_hash --wordlist=/usr/share/wordlists/rockyou

The extraction and decryption process from a .pfx file can be found here. The PEM pass phrase is set by us and later used to decrypt the key. It can be anything as long as it is > than 3 characters.

# extract the key and setting a PEM pass phrase
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key-enc
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

# decrypt the key using the PEM pass phrase we set before
openssl rsa -in legacyy_dev_auth.key-enc -out legacyy_dev_auth.key
Enter pass phrase for legacyy_dev_auth.key-enc:
writing RSA key

# extract the certificate
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt
Enter Import Password:

# check that everything is there
ls legacyy_dev_auth.*
legacyy_dev_auth.crt  legacyy_dev_auth.key  legacyy_dev_auth.key-enc  legacyy_dev_auth.pfx

The .crt and .key files can be used to access a Windows host via WinRM.

evil-winrm -i 10.10.11.152 -S -k legacyy_dev_auth.key -c legacyy_dev_auth.crt

kdbx (KeePass)

The KeePass databases are stored in .kdbx files.

keepass2john Database.kdbx > keepass.hash

# keepass2john adds the "Database" as the username of the hash. Since KeePass uses a master password without an associated username, we need to remove it.
$ cat keepass.hash
Database:$keepass$*2*60*0*d74e29a727e9338717d27a7d457ba3486d20dec73a9db1a7fbc7a068c9aec6bd*04b0bfd787898d8dcd4d463ee768e55337ff001ddfac98c961219d942fb0cfba*5273cc73b9584fbd843d1ee309d2ba47*1dcad0a3e50f684510c5ab14e1eecbb63671acae14a77eff9aa319b63d71ddb9*17c3ebc9c4c3535689cb9cb501284203b7c66b0ae2fbf0c2763ee920277496c1

$ nano keepass.hash
$ cat keepass.hash
$keepass$*2*60*0*d74e29a727e9338717d27a7d457ba3486d20dec73a9db1a7fbc7a068c9aec6bd*04b0bfd787898d8dcd4d463ee768e55337ff001ddfac98c961219d942fb0cfba*5273cc73b9584fbd843d1ee309d2ba47*1dcad0a3e50f684510c5ab14e1eecbb63671acae14a77eff9aa319b63d71ddb9*17c3ebc9c4c3535689cb9cb501284203b7c66b0ae2fbf0c2763ee920277496c1

$ hashcat --help | grep -i 'KeePass'
13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) | Password Manager

$ hashcat -m13400 keepass.hash /usr/share/wordlists/rockyou.txt

Interact with the database via the GUI:

# GUI-based
keepassxc database.kdbx

or via the CLI:

# CLI-based
keepassxc-cli open database.kdbx
Enter password to unlock database.kdbx:

# List the database's contents
DMZ Login Creds> ls
General/
...

DMZ Login Creds> ls General
LOGIN local admin
User Password

# Show the entries' details
DMZ Login Creds> show -s "General/LOGIN local admin"
Title: LOGIN local admin
UserName: dmzadmin
Password: SlimGodhoodMope

id_rsa (SSH)

ssh2john id_rsa > ssh.hash

$ cat ssh.hash
id_rsa:$sshng$6$16$7059e78a8d3764ea1e883fcdf592feb7$1894$6f70656e737<SNIP>

# removing the 'id_rsa' username
$ nano ssh.hash
$ cat ssh.hash
$sshng$6$16$7059e78a8d3764ea1e883fcdf592feb7$1894$6f70656e737<SNIP>

john --wordlist=ssh.passwords ssh.hash

# the id_rsa key needs restricted permissions to be accepted
$ chmod 600 id_rsa
$ ssh -i id_rsa -p 2222 dave@192.168.50.201

Resources

GitHub - openwall/john: John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAsGitHub

PreviousHashcat NextDomainPasswordSpray

Last updated 1 month ago

Was this helpful?