In the previous recipe and in Chapter 6, Exploitation – Low Hanging Fruits, we extracted password hashes from databases. Sometimes, this is the only way of finding password information when performing penetration tests. In order to find the real password, we need to decipher them and as hashes are generated through irreversible algorithms we have no way of decrypting the password directly, hence it is necessary to use slower methods like brute force and dictionary cracking.
In this recipe, we will use John the Ripper (JTR or simply John), the most popular password cracker, to recover passwords from the hashes extracted in the Step by step basic SQL Injection recipe in Chapter 6, Exploitation – Low Hanging Fruits.
hashes_6_7.txt
containing one name and hash per line, separated by a colon (username:hash
), as illustrated:john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 hashes_6_7.txt
We are using one of the word lists preloaded into Kali Linux. We can see that there are five out of six passwords in the word list. We can also see that John checked 10,336,000 comparisons per second (10,336 KC/s).
john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 hashes_6_7.txt –rules
We can see that the rules worked and we found the last password.
John (and every other offline password cracker) works by hashing the words in the list (or the ones it generates) and comparing them to the hashes to be cracked and, when there is a match, it assumes the password has been found.
The first command uses the --wordlist
option to tell John what words to use. If it is omitted, it generates its own list to generate a brute force attack. The --format
option tells us what algorithm was used to generate the hashes and if the format has been omitted, John tries to guess it, usually with good results. Lastly, we put the file that contains the hashes we want to crack.
We can increase the chance of finding passwords by using the --rules
option because it looks at common modifications people make to words when trying to create harder passwords to crack. For example, for the word "password", John will also try the following, among others:
Password
PASSWORD
password123
Pa$$w0rd
18.227.72.15