Saturday, March 19, 2016

Kali Tool Series - John the Ripper

John the Ripper is a tool for recovering passwords by brute force. Do not apply any of the following to other people's accounts or services; try it only on your own.

Get Passwords of a Unix-like Machine

The following only works on a Unix-like machine on which you already have access to the files. That is, we need /etc/passwd and /etc/shadow (only /etc/passwd on ancient machines).

> unshadow /etc/passwd /etc/shadow > ~/passwd

Use John’s default word list to crack the password:

> john ~/passwd

Use a custom wordlist:

> john --wordlist=word.list ~/passwd

where word.list is your custom list.

To show the result:

> john --show ~/passwd
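As an added example (not part of the original post), the script below reproduces what unshadow does with awk on constructed passwd and shadow fragments, so you can see the merged format john reads, and then audits the merged file for accounts still using legacy md5crypt or DES hashes, the ones a wordlist attack gets through fastest. All user names and hash strings are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: reproduce what unshadow does and
# then audit the merged file for legacy hash types. All data below is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed sample passwd/shadow; the hash strings are placeholders, not real.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
svc:x:1002:1002::/nonexistent:/usr/sbin/nologin
EOF
cat > "$WORK/shadow" <<'EOF'
root:$6$SALTSALT$HASHHASHHASHHASH:17000:0:99999:7:::
alice:$1$SALTSALT$HASHHASHHASHHASH:17000:0:99999:7:::
bob:XXXXXXXXXXXXX:17000:0:99999:7:::
svc:!:17000:0:99999:7:::
EOF

# unshadow_files PASSWD SHADOW: put each user's shadow hash into field 2 of
# the passwd line, which is the format john expects from unshadow.
unshadow_files() {
  awk -F: 'NR==FNR { hash[$1] = $2; next }
           ($1 in hash) { $2 = hash[$1] } { print }' OFS=: "$2" "$1"
}

# hash_type HASH: classify a crypt(3) hash string by its prefix.
hash_type() {
  case "$1" in
    '$6$'*) echo sha512crypt ;;
    '$5$'*) echo sha256crypt ;;
    '$1$'*) echo md5crypt ;;
    '!'*|'*'*|'') echo locked ;;
    '$'*) echo other ;;   # bcrypt, yescrypt, ...: not classified here
    *) echo descrypt ;;   # 13-char traditional DES, the "ancient machine" format
  esac
}

# weak_accounts MERGED: users whose hashes crack fastest and that an admin
# should migrate to sha512crypt or better.
weak_accounts() {
  cut -d: -f1,2 "$1" | while IFS=: read -r user hash; do
    t=$(hash_type "$hash")
    case "$t" in md5crypt|descrypt) echo "$user $t" ;; esac
  done
}

unshadow_files "$WORK/passwd" "$WORK/shadow" > "$WORK/merged"
weak_accounts "$WORK/merged"
```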

Crack Wifi

Use Wordlist (WPA2)

Use Wireshark or airodump-ng to capture the traffic into a .cap file. Then:

> aircrack-ng -w wordlist.lst -b 00:0c:29:80:9a:85 my_traffic*.cap

where the -b option gives the MAC address of the target BSSID, and the input files are the captured .cap files.

Try All

Another approach is to try every possible password, which is guaranteed to find it but may also take forever.

> john -stdout -incremental | aircrack-ng -b 00:0c:29:80:9a:85 -w - my_traffic*.cap

Session Control

A long cracking run can be started in the background under a named session (here against the ~/passwd file produced above):

> john --session=all_rules_session --wordlist=all.lst ~/passwd &

To check the session status:

> john --status=all_rules_session
0g 0:00:00:02  2/3 0g/s 411.5p/s 411.5c/s 411.5C/s

To restore the session:

> john --restore=all_rules_session

Password Wordlist

Longer wordlists can be found online. However, Kali already ships several wordlists for users to apply:

> ls /usr/share/wordlists/
dirb  dirbuster  dnsmap.txt  fasttrack.txt  fern-wifi  metasploit  metasploit-jtr  nmap.lst  rockyou.txt.gz  sqlmap.txt  termineter.txt  wfuzz

They are wordlist files from different applications:

> file /usr/share/wordlists/*
/usr/share/wordlists/dirb:           symbolic link to /usr/share/dirb/wordlists
/usr/share/wordlists/dirbuster:      symbolic link to /usr/share/dirbuster/wordlists
/usr/share/wordlists/wfuzz:          symbolic link to /usr/share/wfuzz/wordlist

Interestingly, the best wordlist is hidden inside rockyou.txt.gz, so decompress it:

> gzip -dc < /usr/share/wordlists/rockyou.txt.gz > ~/wordlist.txt

which leaves the plain-text list in ~/wordlist.txt.