John

Common Formats

Type

Mode

$krb5asrep$23$

krb5asrep

$krb5tgs$23$

krb5tgs

NTLMv2

netntlmv2

NTLM

netntlm

Usage

john --format=<FORMAT> --wordlist=/usr/share/wordlists/rockyou.txt --fork=4 hash

Rules

To be able to use the previously created rules in JtR, we need to add a name for the rules and append them to the /etc/john/john.conf configuration file.

$ cat ssh.rule
[List.Rules:sshRules]
c $1 $3 $7 $!
c $1 $3 $7 $@
c $1 $3 $7 $#

Files

The id_rsa file is the default private key generated by OpenSSH when creating an RSA key pair for authentication. It is stored under ~/.ssh/ on Unix-like systems and must be kept strictly confidential, as it grants access to any system where the corresponding public key (id_rsa.pub) has been authorized. Possession of this file is equivalent to possessing the login credentials for the associated accounts.

# Convert file to a john-suitable format
$ ssh2john id_rsa > ssh.hash

# Remove the username (id_rsa) from the resulting file
$ cat ssh.hash
$sshng$6$16$7059e78a8d3764ea1e883fcdf592feb7$1894$6f70656e737<SNIP>

# Crack the file
$ john --wordlist=ssh.passwords ssh.hash

# Assing the required permissions
$ chmod 600 id_rsa

# Connect to SSH using the private key
$ ssh -i id_rsa -p 2222 x7331@192.168.50.201

A KDBX file is the encrypted database format used by KeePass to store usernames, passwords, and other secrets. Access requires the master password (and optionally a key file), but if compromised, it exposes all stored credentials.

# Convert file to a john-suitable format
$ keepass2john Database.kdbx > keepass.hash

# Remove the username (Database) from the resulting file
$ cat keepass.hash
$keepass$*2*60*0*d74...<SNIP>...6c1

# Crack the file
$ hashcat -m13400 keepass.hash /usr/share/wordlists/rockyou.txt

Interaction with the database can be done via GUI:

# Interact with the database (GUI)
keepassxc database.kdbx

or CLI:

# Interact with the database (CLI)
keepassxc-cli open database.kdbx
Enter password to unlock database.kdbx:

# List the database's contents
DMZ Login Creds> ls
General/
...

DMZ Login Creds> ls General
LOGIN local admin
User Password

# Show the entries' details
DMZ Login Creds> show -s "General/LOGIN local admin"
Title: LOGIN local admin
UserName: dmzadmin
Password: SlimGodhoodMope

A PFX file (PKCS#12) is a password-protected container that holds private keys, certificates, and sometimes full certificate chains. Compromise of this file enables impersonation or unauthorized authentication to systems using those certificates.

# Convert file to a john-suitable format
$ pfx2john legacyy_dev_auth.pfx > pfx_hash

# Crack the file
john pfx_hash --wordlist=/usr/share/wordlists/rockyou

The extraction and decryption process from a .pfx file can be found here. The PEM pass phrase is set by us and later used to decrypt the key. It can be anything as long as it is more than 3 characters.

# Extract the key
$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key-enc
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

# Set a PEM pass phrase
$ openssl rsa -in legacyy_dev_auth.key-enc -out legacyy_dev_auth.key
Enter pass phrase for legacyy_dev_auth.key-enc:
writing RSA key

# Extract the certificate
$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt
Enter Import Password:

# Check that everything is there
$ ls legacyy_dev_auth.*
legacyy_dev_auth.crt  legacyy_dev_auth.key  legacyy_dev_auth.key-enc  legacyy_dev_auth.pfx

The .crt and .key files can be used to access a Windows host via WinRM:

evil-winrm -i 10.10.11.152 -S -k legacyy_dev_auth.key -c legacyy_dev_auth.crt

A ZIP file is an archive format used to compress and bundle one or more files and folders into a single file. It can optionally be password-protected, but if the password is weak or compromised, all contents of the archive can be accessed.

# Convert file to a john-suitable format
$ zip2john example.zip > zip.hash

# Crack the file
$ john --wordlist=rockyou.txt zip.hash

# Unzip
$ unzip example.zip

PreviousHashcat NextDomainPasswordSpray

Last updated 2 months ago

Was this helpful?