# John

## Common Formats

| Hash             | `--format`  |
| ---------------- | ----------- |
| `$krb5asrep$23$` | `krb5asrep` |
| `$krb5tgs$23$`   | `krb5tgs`   |
| `NTLMv2`         | `netntlmv2` |
| `NTLM`           | `netntlm`   |

## Usage

{% code overflow="wrap" %}

```bash
# List formats
john --list=formats | grep <FORMAT>

# Basic usage
john --format=<FORMAT> --wordlist=/usr/share/wordlists/rockyou.txt --fork=4 hash

# Results
john --show passwd.txt
```

{% endcode %}

## Rules

To use the previously created rules in `JtR`, give the rule set a name (`[List.Rules:<name>]`) and append it to the `/etc/john/john.conf` configuration file. In John's rule syntax, `c` capitalizes the first letter and lowercases the rest, and `$X` appends the character `X`, so `c $1 $3 $7 $!` turns `password` into `Password137!`.

{% code overflow="wrap" %}

```bash
# Create rules
$ cat ssh.rule
[List.Rules:sshRules]
c $1 $3 $7 $!
c $1 $3 $7 $@
c $1 $3 $7 $#

# Append them
sudo sh -c 'cat /home/kali/passwordattacks/ssh.rule >> /etc/john/john.conf'

# Use them
john --wordlist=ssh.passwords --rules=sshRules ssh.hash
```

{% endcode %}
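As an added illustration (not John's own rule engine, which supports many more commands), this Python snippet interprets just the commands the `sshRules` file uses and shows the candidates John would derive from a small constructed wordlist. The `mangled_from` helper is the same logic turned around for password auditing: it reports which dictionary word and rule would reproduce a given password.

```python
def apply_rule(word: str, rule: str) -> str:
    """Apply one John-style rule string (subset: c, l, u, $X, ^X) to a word.
    Whitespace between commands is skipped, as John does."""
    out, i = word, 0
    while i < len(rule):
        cmd = rule[i]
        if cmd.isspace():
            i += 1
            continue
        if cmd == "c":            # capitalize first letter, lowercase the rest
            out = out[:1].upper() + out[1:].lower()
        elif cmd == "l":          # lowercase everything
            out = out.lower()
        elif cmd == "u":          # uppercase everything
            out = out.upper()
        elif cmd in "$^":         # append ($) or prepend (^) the next character
            if i + 1 >= len(rule):
                raise ValueError(f"rule {rule!r}: {cmd} needs a character")
            i += 1
            out = out + rule[i] if cmd == "$" else rule[i] + out
        else:
            raise ValueError(f"unsupported rule command {cmd!r} in {rule!r}")
        i += 1
    return out


def parse_rules_section(text: str, name: str) -> list[str]:
    """Return the rule lines under [List.Rules:<name>] in john.conf-style text."""
    rules, active = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            active = line == f"[List.Rules:{name}]"
        elif active and line and not line.startswith("#"):
            rules.append(line)
    return rules


def expand(words, rules):
    """Candidates in John's order: each rule is applied across the whole wordlist."""
    return [apply_rule(w, r) for r in rules for w in words]


def mangled_from(candidate, words, rules):
    """Audit helper: (word, rule) that produces candidate, or None."""
    for r in rules:
        for w in words:
            if apply_rule(w, r) == candidate:
                return (w, r)
    return None


# Constructed sample: the ssh.rule file from above and a two-word wordlist.
SSH_RULE = "[List.Rules:sshRules]\nc $1 $3 $7 $!\nc $1 $3 $7 $@\nc $1 $3 $7 $#\n"
WORDS = ["admin", "kali"]
```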

## Files

### ansible

See [here](/boxes/tl-dr/infra/apps-x-platform/ansible.md).

### id\_rsa

The `id_rsa` file is the default private key generated by OpenSSH when creating an RSA key pair for authentication. It is stored under `~/.ssh/` on Unix-like systems and must be kept strictly confidential, as it grants access to any system where the corresponding public key (`id_rsa.pub`) has been authorized.

```bash
# Convert the key file to a john-suitable format
$ ssh2john id_rsa > ssh.hash

# ssh2john prefixes the hash with the file name (id_rsa:); strip it so only the hash remains
$ cat ssh.hash
$sshng$6$16$7059e78a8d3764ea1e883fcdf592feb7$1894$6f70656e737<SNIP>

# Crack the passphrase
$ john --wordlist=ssh.passwords ssh.hash

# Assign the permissions OpenSSH requires for a private key
$ chmod 600 id_rsa

# Connect to SSH using the private key
$ ssh -i id_rsa -p 2222 x7331@192.168.50.201
```

### kdbx

A KDBX file is the encrypted database format used by KeePass to store usernames, passwords, and other secrets. Access requires the master password (and optionally a key file), but if compromised, it exposes all stored credentials.

{% code overflow="wrap" %}

```bash
# Convert the database to a john-suitable format
$ keepass2john Database.kdbx > keepass.hash

# keepass2john prefixes the hash with the database name (Database:); strip it so only the hash remains
$ cat keepass.hash
$keepass$*2*60*0*d74...<SNIP>...6c1

# Crack the master password (hashcat mode 13400 = KeePass)
$ hashcat -m13400 keepass.hash /usr/share/wordlists/rockyou.txt
```

{% endcode %}

Interaction with the database can be done via GUI:

```bash
keepassxc database.kdbx
```

or CLI:

```bash
# Interact with the database (CLI)
keepassxc-cli open database.kdbx
Enter password to unlock database.kdbx:

# List the database's contents
DMZ Login Creds> ls
General/
...

DMZ Login Creds> ls General
LOGIN local admin
User Password

# Show the entries' details
DMZ Login Creds> show -s "General/LOGIN local admin"
Title: LOGIN local admin
UserName: dmzadmin
Password: SlimGodhoodMope
```

### office

{% code overflow="wrap" %}

```bash
office2john test.xlsx > test-hash
hashcat -m9600 test-hash /usr/share/rockyou.txt --username
```

{% endcode %}

### pfx

A PFX file (PKCS#12) is a password-protected container that holds a private key and a certificate.

```bash
pfx2john legacyy_dev_auth.pfx > pfx_hash
john pfx_hash --wordlist=/usr/share/wordlists/rockyou.txt
```

The extraction and decryption process for a `.pfx` file is described [here](https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file). The import password is the one recovered above; the PEM pass phrase is chosen by us when the key is exported and is only needed to decrypt that exported key in the next step. It can be anything as long as it is more than 3 characters.

{% code overflow="wrap" %}

```bash
# Extract the private key (written encrypted under a new PEM pass phrase)
$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key-enc
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

# Remove the PEM pass phrase, producing an unencrypted key
$ openssl rsa -in legacyy_dev_auth.key-enc -out legacyy_dev_auth.key
Enter pass phrase for legacyy_dev_auth.key-enc:
writing RSA key

# Extract the certificate
$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt
Enter Import Password:

# Check that everything is there
$ ls legacyy_dev_auth.*
legacyy_dev_auth.crt  legacyy_dev_auth.key  legacyy_dev_auth.key-enc  legacyy_dev_auth.pfx
```

{% endcode %}

The `.crt` and `.key` files can be used for certificate-based authentication to a Windows host over WinRM:

```bash
evil-winrm -i 10.10.11.152 -S -k legacyy_dev_auth.key -c legacyy_dev_auth.crt
```

### pdf

{% code overflow="wrap" %}

```bash
pdf2john example.pdf > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```

{% endcode %}

### zip

```bash
zip2john example.zip > zip.hash
john --wordlist=rockyou.txt zip.hash
unzip example.zip
```
