Infrastructure penetration testing notes
  • Initial page
  • Table Of Content
  • Infrastructure testing
    • Enumeration
      • Packet Capture
      • Host Discovery
      • Services / Ports
        • 21 - FTP
        • 22 - SSH
        • 25 - SMTP
        • 53 - DNS
        • 67 - DHCP
        • 69 - TFTP
        • 79 - Finger
        • 88 - Kerberos
        • 111 - RPC
        • 113 - ident
        • 135 - MSRPC
        • 137 - Netbios
        • 139/445 - SMB
        • 161 - SNMP
        • 177 - XDMCP
        • 363 - LDAP
        • 443 - HTTPS
        • 500 - IKE (IPSEC)
        • 512/513/514 - R Services
        • 623 - IPMI
        • 873 - RSYNC
        • 1099 - Java RMI
        • 1433 - Microsoft SQL
        • 1521 - Oracle DB
        • 2049 - NFS
        • 3306 - MySQL
        • 3389 - RDP
        • 5432 - PostgresSQL
        • 5900 - VNC
        • 5985 - WinRM
        • 6000 - X11
        • 6379 - Redis
        • 8080 - Jenkins
        • 11211 - Memcached
        • RDS
        • SQLite
        • Docker
      • IPV6
        • Scanning
        • Enumeration
        • Transfering files
        • Pivoting and routes
        • THC IPv6
    • Gaining Access
      • IP Forwarding
      • VLAN Information
      • Psexec
      • Upgrading shell
      • Reverse Shells One-Liners
      • Bruteforce
      • MITM cleartext protocols
      • Null session
      • LLMNR / NBT NS Spoofing
      • Port knocking
      • Downloading/Transfer files
      • Remote Desktop
      • NAC Bypass
      • Pass-The-Hash
    • Exploitation
      • Solaris
      • IPv6
      • Windows
        • Compiling Code
        • SMB Vulnerabilities
        • Kerberos Attacks
    • Privilege Escalation
      • Situational Awareness
        • Linux
        • Windows
          • Registry
          • PowerView
          • FSMO Roles
      • Windows
        • Disable Apps and Firewall
        • Add user script
        • UAC Bypass
        • icacls
        • Running services
        • Common Exploits
      • Linux
        • SUID Shell script
        • CVE-2019-14287
        • Kernel exploit
      • Solaris
      • FreeBSD
      • Automated tools
      • Metasploit Modules
      • Password Dumping
    • Breakout
      • LOLBas
      • powershell constrained language byass
      • Alternatives to command prompt
      • Windows utilities
      • Applocker
      • Restricted shells
      • Environmental Variables / Bypassing Path Restrictions
      • Docker escape
      • Just Enough Administration (JEA)
    • Presistance
      • Windows
    • Pivoting
      • Adding routes
    • Password Cracking
      • Hashcat
      • John
      • Cisco Passwords
      • Passwords Lists
      • Generating wordlist
    • Tools
      • Nishang
      • UACME
      • Bypass-UAC
      • MSBuildAPICaller
      • Impacket
      • SharpPersist
      • Terminals
      • IP Calculation
      • pwsh
      • psTools / Sysinternals
      • Unlock applocker
      • enum4linux
      • Bloodhound
        • aclpwn
      • mitm6
      • Enyx
      • nfsshell
      • PowerUpSQL
      • Metasploit
        • msfvenom
    • Others
Powered by GitBook
On this page
  • Simple usage
  • Type and mask:
  • mask
  • Windows
  • Formats
  • Common formats:
  • All Formats:
  • Cracking examples
  • Cracking /etc/shadow
  • Cracking pdf protected password
  • Cracking ssh key
  • MD5 wordlist
  • John cheat sheet

Was this helpful?

  1. Infrastructure testing
  2. Password Cracking

John

John (aka John the Ripper) is a fast password cracker, currently available for many flavors of Unix, macOS, Windows, DOS, BeOS, and OpenVMS

PreviousHashcatNextCisco Passwords

Last updated 4 years ago

Was this helpful?

Link:

Simple usage

JTR password cracking

john --wordlist=/usr/share/wordlists/rockyou.txt hashes

JTR forced descrypt cracking with wordlist

john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt

JTR forced descrypt brute force cracking

john --format=descrypt hash --show

Display formats:

john --list=formats

Type and mask:

iron@kali2:/tmp$ sudo john lm.txt --mask=?l?l?l?l --format=lm

mask

Create a mask:

example: 

root@attackdefense:~# john pdfhash --mask=?d?d?d?d?d?d?d?d?l 
?d = digit 
?l = lower-case ASCII letters 
?u = upper-case ASCII letters

example with numbers in the middle: 

root@attackdefense:~# john pdfhash --mask=?d?d?d?d19?d?d?u 
Using default input encoding: UTF-8 
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64]) 
Press 'q' or Ctrl-C to abort, almost any other key for status 
01021980D        (/root/encrypted.pdf) 
1g 0:00:00:05 DONE (2019-10-31 10:10) 0.1721g/s 530466p/s 530466c/s 530466C/s 01021980D 
Use the "--show" option to display all of the cracked passwords reliably 
Session completed

A mask may consist of: 

- Static letters. 
- Ranges in [aouei] or [a-z] syntax. Or both, [0-9abcdef] is the same as 
     [0-9a-f]. 
- Placeholders that are just a short form for ranges, like ?l which is 
     100% equivalent to [a-z]. 
- ?l lower-case ASCII letters 
- ?u upper-case ASCII letters 
- ?d digits 
- ?s specials (all printable ASCII characters not in ?l, ?u or ?d) 
- ?a full 'printable' ASCII. Note that for formats that don't recognize case 
     (eg. LM), this only includes lower-case characters which is a tremendous 
     reduction of keyspace for the win. 
- ?B all 8-bit (0x80-0xff) 
- ?b all (0x01-0xff) (the NULL character is currently not supported by core). 
- ?h lower-case HEX digits (0-9, a-f) 
- ?H upper-case HEX digits (0-9, A-F) 
- ?L lower-case non-ASCII letters 
- ?U upper-case non-ASCII letters 
- ?D non-ASCII "digits" 
- ?S non-ASCII "specials" 
- ?A all valid characters in the current code page (including ASCII). Note 
     that for formats that don't recognize case (eg. LM), this only includes 
     lower-case characters which is a tremendous reduction of keyspace. 
- Placeholders that are custom defined, so we can e.g. define ?1 to mean [?u?l] 
  ?1 .. ?9 user-defined place-holder 1 .. 9 
 Placeholders for Hybrid Mask mode: 
  ?w is a placeholder for the original word produced by the parent mode in 
     Hybrid Mask mode. 
  ?W is just like ?w except the original word is case toggled (so PassWord 
     becomes pASSwORD).

Windows

C:\Users\David\Documents\Tools\john-1.9.0-jumbo-1-win64\run>john.exe ..\test.txt --format=raw-MD5

Formats

Common formats:

Type

John Format

Hash Example

MD5

raw-md5

fc16ea469c37da07bac3ddbbdbfb3945

LM

lm

299BD128C1101FD6

NTLM

nt

B4B9B02E6F09A9BD760F388B67351E2B

NTLMv1

netntlm

netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c

NTLMv2

netntlmv2

admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030

Cisco Type 5

Md5crpy

enable_secret_level_2:$1$WhZT$YYEI3f0wwWJGAXtAayK/Q.

All Formats: 

descrypt, bsdicrypt, md5crypt, md5crypt-long, bcrypt, scrypt, LM, AFS,  
tripcode, AndroidBackup, adxcrypt, agilekeychain, aix-ssha1, aix-ssha256,  
aix-ssha512, andOTP, ansible, argon2, as400-des, as400-ssha1, asa-md5,  
AxCrypt, AzureAD, BestCrypt, bfegg, Bitcoin, BitLocker, bitshares, Bitwarden,  
BKS, Blackberry-ES10, WoWSRP, Blockchain, chap, Clipperz, cloudkeychain,  
dynamic_n, cq, CRC32, sha1crypt, sha256crypt, sha512crypt, Citrix_NS10,  
dahua, dashlane, diskcryptor, Django, django-scrypt, dmd5, dmg, dominosec,  
dominosec8, DPAPImk, dragonfly3-32, dragonfly3-64, dragonfly4-32,  
dragonfly4-64, Drupal7, eCryptfs, eigrp, electrum, EncFS, enpass, EPI,  
EPiServer, ethereum, fde, Fortigate256, Fortigate, FormSpring, FVDE, geli,  
gost, gpg, HAVAL-128-4, HAVAL-256-3, hdaa, hMailServer, hsrp, IKE, ipb2,  
itunes-backup, iwork, KeePass, keychain, keyring, keystore, known_hosts,  
krb4, krb5, krb5asrep, krb5pa-sha1, krb5tgs, krb5-17, krb5-18, krb5-3,  
kwallet, lp, lpcli, leet, lotus5, lotus85, LUKS, MD2, mdc2, MediaWiki,  
monero, money, MongoDB, scram, Mozilla, mscash, mscash2, MSCHAPv2,  
mschapv2-naive, krb5pa-md5, mssql, mssql05, mssql12, multibit, mysqlna,  
mysql-sha1, mysql, net-ah, nethalflm, netlm, netlmv2, net-md5, netntlmv2,  
netntlm, netntlm-naive, net-sha1, nk, notes, md5ns, nsec3, NT, o10glogon,  
o3logon, o5logon, ODF, Office, oldoffice, OpenBSD-SoftRAID, openssl-enc,  
oracle, oracle11, Oracle12C, osc, ospf, Padlock, Palshop, Panama,  
PBKDF2-HMAC-MD4, PBKDF2-HMAC-MD5, PBKDF2-HMAC-SHA1, PBKDF2-HMAC-SHA256,  
PBKDF2-HMAC-SHA512, PDF, PEM, pfx, pgpdisk, pgpsda, pgpwde, phpass, PHPS,  
PHPS2, pix-md5, PKZIP, po, postgres, PST, PuTTY, pwsafe, qnx, RACF,  
RACF-KDFAES, radius, RAdmin, RAKP, rar, RAR5, Raw-SHA512, Raw-Blake2,  
Raw-Keccak, Raw-Keccak-256, Raw-MD4, Raw-MD5, Raw-MD5u, Raw-SHA1,  
Raw-SHA1-AxCrypt, Raw-SHA1-Linkedin, Raw-SHA224, Raw-SHA256, Raw-SHA3,  
Raw-SHA384, ripemd-128, ripemd-160, rsvp, Siemens-S7, Salted-SHA1, SSHA512,  
sapb, sapg, saph, sappse, securezip, 7z, Signal, SIP, skein-256, skein-512,  
skey, SL3, Snefru-128, Snefru-256, LastPass, SNMP, solarwinds, SSH, sspr,  
Stribog-256, Stribog-512, STRIP, SunMD5, SybaseASE, Sybase-PROP, tacacs-plus,  
tcp-md5, telegram, tezos, Tiger, tc_aes_xts, tc_ripemd160, tc_ripemd160boot,  
tc_sha512, tc_whirlpool, vdi, OpenVMS, vmx, VNC, vtp, wbb3, whirlpool,  
whirlpool0, whirlpool1, wpapsk, wpapsk-pmk, xmpp-scram, xsha, xsha512, ZIP,  
ZipMonster, plaintext, has-160, HMAC-MD5, HMAC-SHA1, HMAC-SHA224,  
HMAC-SHA256, HMAC-SHA384, HMAC-SHA512, dummy, crypt

Cracking examples

Cracking /etc/shadow

sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db 
john /tmp/crack.password.db 
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])

Cracking pdf protected password

pdf2john encrypted.pdf >> hash 
john hash --mask=?d?d?d?d?d?d?d?d?l 
pdftotext -upw PASSWORD encrypted.pdf

Cracking ssh key

root@attackdefense:~# ssh2john id_rsa >> hash 
root@attackdefense:~# cat hash 
id_rsa:$ssh2$2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0a50726f632d547970653a20342c454e435259505445440a44454b2d496e666f3a204145532d3132382d4342432c33333746334342463743413243453338413837383243464632453735423446440a0a4843694443447343745856372b2b49683178544971376b73467a375549517858796f45754f6d395a43516d416541736a7961535973634e42654b536974526d490a41423947586a7a7a796f336249584f47706e2f46695535312b784b4c45575678484261797856424e502f4d2b7237306b374869594766556571573064324c2b630a3749705633505865656e2b77455831314963316859683265696179716b6b384572626c6579616e386f63714d345331486d456642744d39356b395135714535310a5a6233686e585853304a44586774467134545147395538336b764b59596a5849546f4849474f34746e4f30754a4f57653670634b334e62517a47316a696c55350a774d5279545a796b2b36696a524f516565685a374b6c68644a373339446e494a5169675a3669706837585a666f65467a6e6533626975434f79514d76677349790a476b7750514a6b65454b2b6a424f6573536b592b6850546242576a3738316b553576436b5477666b64546b3979726d526a615433586375346532636d51456a430a6d6679375154773152475666595769505933304b64695841366e3652594550355149566544352b54363356473636357030734a45717952366479616f35436d480a78552f65586c47326f7a3135616c69647a373268776a4a454d706a4a374369727075667135355466527231465570365a535a325573754b7355503958707a4c670a62547a3846796c50434c62426942795665696d434d4a75456b6d6a2b4731615242414a2b444f626c54544d393150594f5245582b2b6744466c6b504230564e750a6d77412b32635a466b675537524a6b683653354e773141793957774b48454a2f6c754f4942555a4d4b586439316d56514c6853794755385146316f663861794b0a36696a6871315a6253353067427036556f2b746d3075515776444a596d417a764b4b717571414f533633693378666a684171626e626b4259527462316b73597a0a745a6d356f744a4f5668386d4335664663636f4c69743049645948773868563847696454754844546c69344c6164504a4c3166494a3777555552467a434667710a74357743486467664a447832794d785131754c4e65515364614742573758656a6355446f303669314a6a2f39586c734b537556574766524c6e6155636b41364b0a666a4b6f6f3877394c6842474f464653737257735533453543482b613674724655356761594d384a4f366132576b6c714155394f6f436548324f506854656d6f0a797a704e4344323744384543786e3474335049726a4c697a4b717245536e77595077323731725a47752f2b634c38554a4c6d46316234782b6f4e2b67616741350a694769544a54586470302f706d372f4a59376977344f71592f5675793248317559554d5357444367586f45766479326a64503653696f564d485654484f6c72370a6369643762322b546877697578326e304f393855684d563832434e5639527438364b6774774f322f4c37694c54417459487a4a75442f4a48474634543630446e0a766977755068627339774d2b326f2f6b6f6631503932716d376c614e355634426f78706c7174303273776c4d43346279683778657475346b633952686b4733510a366970726f6c6e465a4c712b4867546a47626a6751624c514734784372616470626870774f43427876547667434a5075592f487578393874725244535845744c0a586f76486b4a48482f452f762b495768734c7637784a724c396d575068646a507157654d4c3536634e537a34394e7653624e593647656c4b786d3566517772380a75334c4e6e7236363030763069774a7461323467506e766e71572b6c517176777a36396f45502b65653252756734717369433433784d304233316f584d5363510a4539684c345a5a5a6e4d666642377a2f704239644d2f4b5755325477746c736762576d6d6f4a34674e50544c455372344959707141546a3451634c72616b6d610a765048684e6b504a4d77544a78487431623159384b42652b486c796273364e325430695171636f714443373070635a754c4b447037532f6c325553536776522f0a4a7a474355704532584d6b4a336a2f4371724f483143785477594b525a4445432b2b70564576582f65563765707647566e74614d48697032776f52536378654d0a2f597267515830536a4f573261774667575347564537764e383167544a567462756841736b754e657a5355734a4d71745848456473435677654256766d61546b0a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d0a*1766*0

MD5 wordlist

root@attackdefense:~# for x in $(cat wordlists/100-common-passwords.txt); do echo -n $x | md5sum >> wordlist.txt; done 
root@attackdefense:~# cat wordlist.txt | cut -d' ' -f1 >> new 
root@attackdefense:~# john hash --wordlist=new

John cheat sheet

https://github.com/magnumripper/JohnTheRipper
https://countuponsecurity.files.wordpress.com/2016/09/jtr-cheat-sheet.pdf