THM: John The Ripper

kenken17
6 min read · Jan 24, 2021


John The Ripper is a room for learning about cracking hashes. Since I am a beginner in the field, I will try to journal the process where possible. Let’s crack it!

John who?

#Read and understand the basic concepts of hashing and hash cracking

answer: No answer needed

Setting up John the Ripper

#What is the most popular extended version of John the Ripper?

answer: Jumbo John

Read the information given to get the answer. The rest of this write-up assumes John is already set up. I will be using “John the Ripper 1.9.0-jumbo-1 OMP” on Parrot OS.

Wordlists

#What website was the rockyou.txt wordlist created from a breach on?

answer: rockyou.com

Read the information given to get the answer. The commands below use the rockyou.txt wordlist, with its path stored in the environment variable W_PASSWORD, so $W_PASSWORD expands to the wordlist path wherever it appears.

Cracking Basic Hashes

Before starting this section, we will need to download the zip file that contains the four hash text files (hash1.txt to hash4.txt).

#What type of hash is hash1.txt?

answer: MD5

Using hash-identifier, we can guess the hash type. It is only a guess based on the length and character set of the digest: many hash types produce the same output length, so treat its first suggestion as a hypothesis to be confirmed by a successful crack in John.

$ cat hash1.txt | hash-identifier

#What is the cracked value of hash1.txt?

answer: [NO SPOILER]

Let John do the work! Once a hash has been cracked, John stores the result in its pot file, so a second run of the same command reports no hashes left to crack; use the --show flag to print the cracked value again.

$ john --format=raw-md5 --wordlist=$W_PASSWORD hash1.txt

#What type of hash is hash2.txt?

answer: SHA1

Same as before: run it through hash-identifier and read the result.

$ cat hash2.txt | hash-identifier

#What is the cracked value of hash2.txt

answer: [NO SPOILER]

$ john --format=raw-sha1 --wordlist=$W_PASSWORD hash2.txt

#What type of hash is hash3.txt?

answer: SHA256

Same drill.

$ cat hash3.txt | hash-identifier

#What is the cracked value of hash3.txt

answer: [NO SPOILER]

$ john --format=raw-sha256 --wordlist=$W_PASSWORD hash3.txt

#What type of hash is hash4.txt?

answer: Whirlpool

This time it is slightly different: hash-identifier’s first guess is wrong, and its second suggestion, Whirlpool, is the actual answer. A 128-character hex digest could be SHA-512 or Whirlpool (both are 512-bit), so length alone cannot settle it; if the first format fails to crack, try the next candidate.

$ cat hash4.txt | hash-identifier

#What is the cracked value of hash4.txt

answer: [NO SPOILER]

$ john --format=whirlpool --wordlist=$W_PASSWORD hash4.txt
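As an added example (not part of the original write-up, and not John’s own code), here is the logic of this whole section in Python: guess the format from the digest length, then do what --wordlist mode does, hash every candidate with that algorithm and compare. The wordlist and the target hashes are constructed inside the block; hashlib is the only dependency, and Whirlpool is attempted only where the local OpenSSL exposes it.

```python
import hashlib

# Constructed stand-in for rockyou.txt (assumption: a handful of common passwords).
WORDLIST = ["123456", "password", "letmein", "sunshine", "qwerty", "iloveyou"]

# Digest length in hex characters -> John --format names that produce it.
# Length alone cannot separate the entries in one list: 32 hex chars may be
# MD5 or an NT hash, and 128 hex chars may be SHA-512 or Whirlpool, which is
# exactly why hash-identifier's first guess for hash4.txt was wrong.
LENGTH_TO_FORMATS = {
    32: ["raw-md5", "NT"],
    40: ["raw-sha1"],
    64: ["raw-sha256"],
    128: ["raw-sha512", "whirlpool"],
}


def candidate_formats(hash_hex):
    """Return the plausible John formats for a hex digest, most common first."""
    h = hash_hex.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return []
    return list(LENGTH_TO_FORMATS.get(len(h), []))


def digest(fmt, word):
    """Hash one candidate the way the named John format would, or None if this
    block cannot compute that format (NT needs MD4, which hashlib often lacks)."""
    data = word.encode()
    if fmt == "raw-md5":
        return hashlib.md5(data).hexdigest()
    if fmt == "raw-sha1":
        return hashlib.sha1(data).hexdigest()
    if fmt == "raw-sha256":
        return hashlib.sha256(data).hexdigest()
    if fmt == "raw-sha512":
        return hashlib.sha512(data).hexdigest()
    if fmt == "whirlpool" and "whirlpool" in hashlib.algorithms_available:
        return hashlib.new("whirlpool", data).hexdigest()
    return None


def wordlist_crack(hash_hex, fmt, wordlist=WORDLIST):
    """What `john --format=<fmt> --wordlist=<list> <file>` does for one hash:
    hash every candidate with that algorithm and stop at the first match."""
    target = hash_hex.strip().lower()
    for word in wordlist:
        if digest(fmt, word) == target:
            return word
    return None


def identify_and_crack(hash_hex, wordlist=WORDLIST):
    """Try every plausible format in turn; the one that cracks is the real type.
    Returns (format, password) or (None, None)."""
    for fmt in candidate_formats(hash_hex):
        word = wordlist_crack(hash_hex, fmt, wordlist)
        if word is not None:
            return fmt, word
    return None, None


if __name__ == "__main__":
    # Constructed targets: the same word hashed three ways.
    for fn in (hashlib.md5, hashlib.sha1, hashlib.sha256):
        h = fn(b"sunshine").hexdigest()
        print(h, candidate_formats(h), identify_and_crack(h))
```

The order inside each LENGTH_TO_FORMATS list is the order in which the formats are tried, so for an ambiguous length the cheaper and more common algorithm goes first; John itself does not try formats for you, which is why the --format flag is spelled out in every command above.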

Cracking Windows Authentication Hashes

Before starting this section, we will need to download a hash file named ntlm.txt.

#What do we need to set the “format” flag to, in order to crack this?

answer: NT

Since we know this is for Windows, when checking with hash-identifier I take NTLM from its list of possible hashes as my assumption.

$ cat ntlm.txt | hash-identifier

Then I list John’s formats to find the matching name in John’s naming scheme.

$ john --list=formats | grep -i nt

Looking at the answer format, XX (two characters), NT is the only John format name that fits, so the answer is straightforward. A note on naming: John’s NT format is the NT hash stored in the SAM (MD4 over the UTF-16LE password), which is what people loosely call an “NTLM hash”; the Net-NTLM challenge-response hashes captured off the wire are different formats (netntlm, netntlmv2) and will not crack with --format=NT.

#What is the cracked value of this password?

answer: [NO SPOILER]

Straightforward.

$ john --format=NT --wordlist=$W_PASSWORD ntlm.txt

Cracking /etc/shadow Hashes

Another download, this time for /etc/shadow hashes, named etchashes.txt.

#What is the root password?

answer: [NO SPOILER]

Read the information given about unshadow and examine the file.

$ cat etchashes.txt

The file contains both /etc/passwd and /etc/shadow entries, wrapped in a message from someone.

So I split the passwd and shadow lines into local_passwd and local_shadow files and run unshadow:

$ unshadow local_passwd local_shadow > unshadowed.txt

Then run John over the combined file. No --format flag is needed here: John recognises the crypt variant from the hash’s $id$ prefix.

$ john --wordlist=$W_PASSWORD unshadowed.txt
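The merge unshadow performs is simple enough to show in full. The following is an added example (not the write-up’s file and not the real unshadow source) that joins constructed /etc/passwd and /etc/shadow excerpts on the username, then names the crypt(3) variant from the $id$ prefix and skips the locked accounts, which is the same filtering John applies. The hash bodies are placeholders, not real digests.

```python
# Constructed excerpts (not the room's etchashes.txt): one locked system
# account and two real users. The hash bodies are placeholders, not digests.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
"""

SHADOW = """\
root:$6$saltsalt$PLACEHOLDERsha512cryptHASH:18650:0:99999:7:::
daemon:*:18650:0:99999:7:::
alice:$y$j9T$PLACEHOLDER$PLACEHOLDERyescryptHASH:18650:0:99999:7:::
"""

# crypt(3) hash prefixes. The first four are also John format names; yescrypt
# is the modern Debian/Ubuntu default and needs a John build that supports it,
# so check `john --list=formats` before assuming.
CRYPT_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}


def unshadow(passwd_text, shadow_text):
    """Replicate `unshadow passwd shadow`: put each shadow hash into the
    password field of the matching passwd line. The other passwd fields
    (GECOS, home, shell) are kept because John's single mode uses them."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line.strip():
            user, field = line.split(":")[:2]
            hashes[user] = field
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return "\n".join(merged) + "\n"


def crypt_algorithm(field):
    """Name the crypt(3) variant from the $id$ prefix, the same cue John uses
    to pick a format when none is given on the command line."""
    for prefix, name in CRYPT_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "descrypt"
    return "unknown"


def crackable_accounts(unshadowed):
    """List (user, algorithm) for lines that actually carry a hash. Locked or
    passwordless accounts (`*`, `!`, `!!`, empty) are skipped, as John does."""
    found = []
    for line in unshadowed.splitlines():
        user, field = line.split(":")[:2]
        if field and field[0] not in "*!":
            found.append((user, crypt_algorithm(field)))
    return found


if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    print(merged)
    print(crackable_accounts(merged))
```

Running crackable_accounts before John is a useful sanity check on a dumped shadow file: it tells you how many hashes are actually in play and whether they are slow formats (sha512crypt, bcrypt, yescrypt) that will make a full rockyou.txt pass take hours rather than seconds.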

Single Crack Mode

Another download for Single Crack Mode section. Named hash7.txt.

#What is Joker’s password?

answer: [NO SPOILER]

In order to run Single Crack Mode, we need two pieces of the puzzle:

  1. the format of the hash; and
  2. the username prepended to the hash, i.e. joker:<hash>, with a colon (:) separating the two.

$ cat hash7.txt | hash-identifier

MD5 it is. Single mode takes no wordlist: it mangles the login name (and any GECOS fields, if present) with its built-in rules to generate candidates, which is why the joker: prefix matters.

$ john --single --format=raw-md5 hash7.txt

Custom Rules

Read the information given to learn more about custom rules.

#What do custom rules allow us to exploit?

answer: password complexity predictability

Read the section; the answer is right there.

#What rule would we use to add all capital letters to the end of the word?

answer: Az"[A-Z]"

The section already explains appending, so:

Az - append the quoted string to the end of the word

[A-Z] - a character class covering the capital letters; John’s rule preprocessor expands it into one rule per letter, so this single rule yields 26 candidates per word (the double quotes are part of the syntax)

#What flag would we use to call a custom rule called “THMRules”

answer: --rule=THMRules

The flag is --rule (John also accepts the longer --rules=THMRules). The rule set itself lives in john.conf under a [List.Rules:THMRules] heading, one rule per line.
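The following added example (not part of the original write-up, and not John’s rule engine) serves both the Single Crack Mode section above and this one: it implements the small subset of John’s rule language used in the room, including the bracket-class expansion behind Az"[A-Z]", and then drives a miniature single-crack run where the login name from a constructed joker:<hash> line is the only seed word. The rule set, the line and the password are all constructed for the example.

```python
import hashlib
import itertools


def _parse_slots(text):
    """Turn the inside of an Az"..." string into slots, one list of characters
    per output position. John's preprocessor expands a bracket class into one
    rule per character, so "[A-Z]" is one slot of 26 letters, "19" is two
    single-character slots and "[0-9][0-9]" is two slots of ten (100 results)."""
    slots, i = [], 0
    while i < len(text):
        if text[i] == "[":
            end = text.index("]", i)
            body, chars, k = text[i + 1:end], [], 0
            while k < len(body):
                if k + 2 < len(body) and body[k + 1] == "-":
                    chars.extend(chr(c) for c in range(ord(body[k]), ord(body[k + 2]) + 1))
                    k += 3
                else:
                    chars.append(body[k])
                    k += 1
            slots.append(chars)
            i = end + 1
        else:
            slots.append([text[i]])
            i += 1
    return slots


def _fan_out(words, slots, append):
    """Attach every combination of the slots to every word."""
    out = []
    for w in words:
        for combo in itertools.product(*slots):
            piece = "".join(combo)
            out.append(w + piece if append else piece + w)
    return out


def apply_rule(rule, word):
    """Expand one rule against one word and return all candidates it yields.
    Supported subset of John's rule language (the commands the room uses):
      :  no-op      c  capitalise     l  lowercase    u  uppercase
      r  reverse    d  duplicate      $X append X     ^X prepend X
      Az"S" append S   A0"S" prepend S   (X and S may contain bracket classes)"""
    words, i = [word], 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == ":":
            i += 1
        elif cmd == "c":
            words = [w[:1].upper() + w[1:].lower() for w in words]; i += 1
        elif cmd == "l":
            words = [w.lower() for w in words]; i += 1
        elif cmd == "u":
            words = [w.upper() for w in words]; i += 1
        elif cmd == "r":
            words = [w[::-1] for w in words]; i += 1
        elif cmd == "d":
            words = [w + w for w in words]; i += 1
        elif cmd in "$^":
            if rule[i + 1] == "[":
                end = rule.index("]", i)
                slots, i = _parse_slots(rule[i + 1:end + 1]), end + 1
            else:
                slots, i = [[rule[i + 1]]], i + 2
            words = _fan_out(words, slots, append=(cmd == "$"))
        elif cmd == "A":
            pos, quote = rule[i + 1], rule[i + 2]
            end = rule.index(quote, i + 3)
            slots, i = _parse_slots(rule[i + 3:end]), end + 1
            if pos not in "0z":
                raise ValueError("only A0 (prepend) and Az (append) are implemented here")
            words = _fan_out(words, slots, append=(pos == "z"))
        else:
            raise ValueError(f"rule command {cmd!r} not implemented in this example")
    return words


def single_crack(user_hash_line, rules):
    """Single-crack mode in miniature: the login name from a user:hash line is
    the only seed word (this is why the joker: prefix is required), every rule
    mangles it, and each candidate's raw-MD5 is compared with the target."""
    user, target = user_hash_line.strip().split(":")[:2]
    target = target.lower()
    for rule in rules:
        for candidate in apply_rule(rule, user):
            if hashlib.md5(candidate.encode()).hexdigest() == target:
                return rule, candidate
    return None, None


# A small rule set in the style of john.conf's [List.Rules:THMRules] (constructed).
RULES = [":", "c", "r", "c$[0-9]", 'Az"[0-9][0-9]"', 'cAz"[A-Z]"']

# Constructed hash7.txt-style line (assumption): joker's password is "Joker7".
HASH7_LINE = "joker:" + hashlib.md5(b"Joker7").hexdigest()

if __name__ == "__main__":
    print(apply_rule('Az"[A-Z]"', "password")[:3], "...")
    print(single_crack(HASH7_LINE, RULES))
```

The fan-out is the point to notice: Az"[0-9][0-9]" turns one word into 100 candidates, and combining it with a large wordlist multiplies the runtime accordingly, so the rules you write should encode a real guess about the password policy rather than every possible suffix.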

Cracking Password Protected Zip Files

This section is about cracking zip archives, so download the archive secure.zip for practice.

#What is the password for the secure.zip file?

answer: [NO SPOILER]

We will first need to use zip2john to get the hash:

$ zip2john secure.zip > secure.hash

Then pass it to John. With no --wordlist given, John runs its default sequence: single mode, then its bundled wordlist, then incremental mode.

$ john secure.hash

Password found!

#What is the contents of the flag inside the zip file?

answer: [NO SPOILER]

The rest is straightforward: unzip the file, enter the cracked password when prompted, and read the flag.

$ unzip secure.zip

Cracking Password Protected RAR Archives

Same as the zip section; we need the rar archive secure.rar for practice.

#What is the password for the secure.rar file?

answer: [NO SPOILER]

No-brainer: run rar2john to extract the hash.

$ rar2john secure.rar > secure.rar.hash

Then crack it open:

$ john secure.rar.hash

#What is the contents of the flag inside the zip file?

answer: [NO SPOILER]

To extract (e) the contents of the rar archive and get the flag, use unrar.

$ unrar e secure.rar

Cracking SSH Keys with John

This time it is SSH. Download the SSH private key, idrsa.id_rsa, to get going.

#What is the SSH private key password?

answer: [NO SPOILER]

ssh2john ships as a Python script rather than a binary, so we call it by its path under /usr/share/john:

$ python /usr/share/john/ssh2john.py idrsa.id_rsa > id_rsa.hash

Then pass it to John and call it a day!

$ john --wordlist=$W_PASSWORD id_rsa.hash
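Before reaching for ssh2john it is worth checking that the key is actually passphrase-protected, and with what. The following added example (not part of the original write-up, and not ssh2john itself) reads the two private-key containers OpenSSH produces: the newer openssh-key-v1 format, where the cipher and KDF names sit right after the magic string, and the legacy PEM format, where encryption is signalled by Proc-Type/DEK-Info headers. The sample keys are constructed inside the block and carry no real key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"


def _read_string(blob, off):
    """Read one SSH wire-format string (4-byte big-endian length + bytes)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def key_protection(key_text):
    """Report (container, cipher, kdf) for a private key file.

    Only a key whose cipher is not "none" carries a passphrase that ssh2john
    can turn into a crackable hash; an unencrypted key needs no cracking."""
    lines = [l.strip() for l in key_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, off = _read_string(blob, off)
        return "openssh-key-v1", cipher.decode(), kdf.decode()
    # Legacy PEM ("BEGIN RSA PRIVATE KEY"): encryption is signalled by header
    # lines, and the key is derived with OpenSSL's EVP_BytesToKey over MD5,
    # which is far cheaper to attack than the bcrypt KDF of the new format.
    dek = next((l for l in lines if l.startswith("DEK-Info:")), None)
    if dek is None:
        return "pem", "none", "none"
    cipher = dek.split(":", 1)[1].strip().split(",")[0]
    return "pem", cipher, "EVP_BytesToKey-md5"


def constructed_openssh_key(cipher, kdf):
    """Build a *truncated* openssh-key-v1 file for the example: real keys carry
    KDF options, key counts and key material after the kdf name; this stops
    right after it, which is all key_protection() looks at."""
    blob = (MAGIC
            + struct.pack(">I", len(cipher)) + cipher.encode()
            + struct.pack(">I", len(kdf)) + kdf.encode())
    body = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM header block; the body is a placeholder, not key material.
LEGACY_ENCRYPTED_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

UExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(key_protection(constructed_openssh_key("aes256-ctr", "bcrypt")))
    print(key_protection(constructed_openssh_key("none", "none")))
    print(key_protection(LEGACY_ENCRYPTED_PEM))
```

The KDF name is the thing to look at before budgeting a crack: a legacy PEM key derives its cipher key with a single MD5 pass, whereas an openssh-key-v1 key with the bcrypt KDF costs many bcrypt rounds per guess, so the same rockyou.txt run that finishes in minutes against the former can take days against the latter.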

Further Reading

#Update me..

answer: No answer needed
