John The Ripper

How it works

bonjour -> MD5 -> f02368945726d5fc2a14eb576f7276c0
Stored hash: f02368945726d5fc2a14eb576f7276c0
aaaaaaa -> MD5 -> 5d793fc5b00a2348c3fb9ab59e5ca98a != f02368945726d5fc2a14eb576f7276c0 :-(
aaaaaab -> MD5 -> 296e2138307668e7faa75e97889308f7 != f02368945726d5fc2a14eb576f7276c0 :-(
etc.
bonjous -> MD5 -> a5158583165b3fc25bfea9b9c3c1b3e1 != f02368945726d5fc2a14eb576f7276c0 :-(
bonjour -> MD5 -> f02368945726d5fc2a14eb576f7276c0 == f02368945726d5fc2a14eb576f7276c0 :-)
Bingo!
If the two hashes are identical, the plaintexts are identical too.

JTR in pictures

Modes

Single Crack
Wordlist Mode
Incremental Crack
External Crack

Configuration file structure

Options
List.Rules:Single
List.Rules:Wordlist
Incremental:All
Incremental:Alpha
Incremental:Digits
Incremental:LanMan
List.External:Filter_Alpha
List.External:Filter_Digits
List.External:Filter_LanMan
List.External:LanMan
List.External:Strip
List.External:Double
List.External:Parallel

Syntax

-c	reject this rule unless current hash type is case-sensitive
-8	reject this rule unless current hash type uses 8-bit characters
-s	reject this rule unless some passwords were split at loading
??	the character "?"
?v	vowels: "aeiouAEIOU"
?c	consonants: "bcdfghjklmnpqrstvwxyzBCDFGHJKLMNPQRSTVWXYZ"
?w	spaces and tabs
?p	punctuation characters: ".,:;'?!`", plus the double quote
?s	symbols: "$%^&*()-_+=|\<>[]{}#@/~"
?l	lowercase letters: [a-z]
?u	uppercase letters: [A-Z]
?d	digits: [0-9]
?a	lowercase and uppercase letters: [a-zA-Z]
?x	alphanumeric characters: [a-zA-Z0-9]
0...9	: positions 0 to 9
A...Z	: positions 10 to 35 (//a kind of// hexadecimal notation)
*	: the maximum plaintext length
-	: the maximum plaintext length - 1
+	: the maximum plaintext length + 1

Options

[Options]
# Wordlist file name, to be used in batch mode
Wordlist = dicos/all.lst
# Use idle cycles only
Idle = N
# Crash recovery file saving delay in seconds
Save = 600
# Beep when a password is found (who needs this anyway?)
Beep = N

Test data

joe:$1$YtHfMRd3$mRaycu/ZMsVAwQKj.74qE.:13244:0:99999:7:::
tim:$1$QiH0JSfV$MO2B7ExogiGPd8PrZ2Bjl/:13264:0:99999:7:::
tom::13264:0:99999:7:::

Test

[root@localhost jtr]# /usr/local/bin/john -single passwds 
Loaded 2 password hashes with 2 different salts (FreeBSD MD5 [32/32])
tim              (tim)
guesses: 1  time: 0:00:00:00 100%  c/s: 200  trying: tim
[root@localhost jtr]# /usr/local/bin/john -show passwds 
tim:tim:13264:0:99999:7:::
tom:NO PASSWORD:13264:0:99999:7:::

2 password hashes cracked, 1 left
[root@localhost jtr]# /usr/local/bin/john -single passwds 
Loaded 1 password hash (FreeBSD MD5 [32/32])
guesses: 0  time: 0:00:00:00 100%  c/s: 350  trying: J99999
[root@localhost jtr]# 

Under the hood

0:00:00:00 Starting a new session
0:00:00:00 Loaded a total of 2 password hashes with 2 different salts
0:00:00:00 Remaining 2 password hashes with 2 different salts
0:00:00:00 - Hash type: FreeBSD MD5 (lengths up to 15)
0:00:00:00 - Algorithm: 32/32
0:00:00:00 - Candidate passwords may be buffered and tried in chunks of 8
0:00:00:00 Proceeding with "single crack" mode
0:00:00:00 - 5 preprocessed word mangling rules
0:00:00:00 - Allocated 2 buffers of 8 candidate passwords each
0:00:00:00 - Rule #1: ':' accepted as ''
0:00:00:00 - Rule #2: '-s x**' rejected
0:00:00:00 - Rule #3: '-c (?acQ' accepted as '(?acQ'
0:00:00:00 - Rule #4: '-c lQ' accepted as 'lQ'
0:00:00:00 - Rule #5: '-s-c x**MlQ' rejected
0:00:00:00 - Processing the remaining buffered candidate passwords
0:00:00:00 + Cracked tim
0:00:00:00 Session completed
0:00:00:00 Starting a new session
0:00:00:00 Loaded a total of 2 password hashes with 2 different salts
0:00:00:00 Remaining 1 password hash
0:00:00:00 - Hash type: FreeBSD MD5 (lengths up to 15)
0:00:00:00 - Algorithm: 32/32
0:00:00:00 - Candidate passwords may be buffered and tried in chunks of 8
0:00:00:00 Proceeding with "single crack" mode
0:00:00:00 - 5 preprocessed word mangling rules
0:00:00:00 - Allocated 1 buffer of 8 candidate passwords
0:00:00:00 - Rule #1: ':' accepted as ''
0:00:00:00 - Rule #2: '-s x**' rejected
0:00:00:00 - Rule #3: '-c (?acQ' accepted as '(?acQ'
0:00:00:00 - Rule #4: '-c lQ' accepted as 'lQ'
0:00:00:00 - Rule #5: '-s-c x**MlQ' rejected
0:00:00:00 - Processing the remaining buffered candidate passwords
0:00:00:00 Session completed
[root@localhost bin]# more john.pot
$1$QiH0JSfV$MO2B7ExogiGPd8PrZ2Bjl/:tim
[root@localhost jtr]# /usr/local/bin/john -wordlist:/usr/share/john/dico-fr.txt  passwds 
Loaded 1 password hash (FreeBSD MD5 [32/32])
guesses: 0  time: 0:00:00:04 9%  c/s: 6623  trying: blousait
guesses: 0  time: 0:00:00:07 14%  c/s: 6526  trying: avrolles
guesses: 0  time: 0:00:00:11 22%  c/s: 6482  trying: hague
guesses: 0  time: 0:00:00:14 29%  c/s: 6491  trying: féminisait
guesses: 0  time: 0:00:00:18 38%  c/s: 6519  trying: escortassent
guesses: 0  time: 0:00:00:21 45%  c/s: 6534  trying: colin-tampon
guesses: 0  time: 0:00:00:24 53%  c/s: 6570  trying: défléchiront
guesses: 0  time: 0:00:00:27 61%  c/s: 6585  trying: dosassiez
guesses: 0  time: 0:00:00:30 68%  c/s: 6592  trying: liquidasses
guesses: 0  time: 0:00:00:33 75%  c/s: 6596  trying: ponctuellement
guesses: 0  time: 0:00:00:36 83%  c/s: 6606  trying: vaticanes
guesses: 0  time: 0:00:00:39 90%  c/s: 6604  trying: repartiras
guesses: 0  time: 0:00:00:42 98%  c/s: 6607  trying: strophe
guesses: 0  time: 0:00:00:42 100%  c/s: 6608  trying: syzygie
0:00:00:00 Starting a new session
0:00:00:00 Loaded a total of 2 password hashes with 2 different salts
0:00:00:00 Remaining 1 password hash
0:00:00:00 - Hash type: FreeBSD MD5 (lengths up to 15)
0:00:00:00 - Algorithm: 32/32
0:00:00:00 Proceeding with wordlist mode
0:00:00:00 - Wordlist file: /usr/share/john/dico-fr.txt
0:00:00:00 - No word mangling rules
[root@localhost jtr]# /usr/local/bin/john -wordlist:/usr/share/john/dico-fr.txt  -rules passwds 
Loaded 1 password hash (FreeBSD MD5 [32/32])
guesses: 0  time: 0:00:00:03 0%  c/s: 6666  trying: avivement
guesses: 0  time: 0:00:00:07 0%  c/s: 6451  trying: arsac
guesses: 0  time: 0:00:00:12 1%  c/s: 6454  trying: nabor
guesses: 0  time: 0:00:00:17 2%  c/s: 6499  trying: engouffrerez
guesses: 0  time: 0:00:00:21 3%  c/s: 6539  trying: collationne
guesses: 0  time: 0:00:00:27 4%  c/s: 6584  trying: dors
guesses: 0  time: 0:00:00:37 5%  c/s: 6605  trying: rainurerais
guesses: 0  time: 0:00:00:49 14%  c/s: 6489  trying: Allonnes
(...)
guesses: 0  time: 0:00:01:20 21%  c/s: 6446  trying: merenvielles
guesses: 0  time: 0:00:02:00 31%  c/s: 6467  trying: longea1
guesses: 0  time: 0:00:02:06 32%  c/s: 6478  trying: roqueras1
guesses: 0  time: 0:00:02:12 34%  c/s: 6487  trying: Janelle1
(...)
joejoe           (joe)
guesses: 1  time: 0:00:02:36 100%  c/s: 6489  trying: joejoe
[root@localhost jtr]# 
0:00:00:00 Starting a new session
0:00:00:00 Loaded a total of 2 password hashes with 2 different salts
0:00:00:00 Remaining 1 password hash
0:00:00:00 - Hash type: FreeBSD MD5 (lengths up to 15)
0:00:00:00 - Algorithm: 32/32
0:00:00:00 Proceeding with wordlist mode
0:00:00:00 - Wordlist file: /usr/share/john/dico-fr.txt
0:00:00:00 - 15 preprocessed word mangling rules
0:00:00:00 - Rule #1: ':' accepted as ''
0:00:00:42 - Rule #2: '-c >3!?XlQ' accepted as '>3!?XlQ'
0:00:00:42 - Rule #3: '-c >2(?a!?XcQ' accepted as '>2(?a!?XcQ'
0:00:01:12 - Rule #4: '<*>2!?Alp' accepted
0:00:01:40 - Rule #5: '<*>2!?Al$1' accepted
0:00:02:08 - Rule #6: '-c <*>2!?Ac$1' accepted as '<*>2!?Ac$1'
0:00:02:35 - Rule #7: '<7>1!?Ald' accepted
0:00:02:36 + Cracked joe
0:00:02:36 Session completed
# Duplicate reasonably short pure alphabetic words (fred -> fredfred)
<7>1!?Ald
[root@localhost jtr]# /usr/local/bin/john -show passwds 
joe:joejoe:13244:0:99999:7:::
tim:tim:13264:0:99999:7:::
tom:NO PASSWORD:13264:0:99999:7:::

3 password hashes cracked, 0 left

Single Crack Mode

[List.Rules:Single]
# Simple rules come first...
:
-s x**
-c (?acQ
-c lQ
-s-c x**MlQ
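The rules in the [List.Rules:Single] block above and the wordlist rules John reported in the log ('<7>1!?Ald' producing "joejoe", '<*>2!?Al$1' producing "longea1") can be traced by hand with a small interpreter of the syntax table. This is an added Python example, not John's own code: it implements only the commands those rules use, treats spaces as separators, assumes maxlen = 15 (the "lengths up to 15" from the log) and assumes no passwords were split at loading, so -s rules are rejected exactly as in the log.

```python
import string

# Character classes from the syntax table above; an uppercase letter (?A, ?X)
# is the complement of the lowercase class, as in John's rules syntax.
CLASSES = {"?": "?", "v": "aeiouAEIOU", "w": " \t", "p": ".,:;'?!`\"",
           "c": "bcdfghjklmnpqrstvwxyzBCDFGHJKLMNPQRSTVWXYZ",
           "s": "$%^&*()-_+=|\\<>[]{}#@/~", "l": string.ascii_lowercase,
           "u": string.ascii_uppercase, "d": string.digits,
           "a": string.ascii_letters, "x": string.ascii_letters + string.digits}

def in_class(ch, cls):
    base = CLASSES[cls.lower()]
    return ch in base if cls == "?" or cls.islower() else ch not in base

def position(ch, maxlen):  # 0-9, A-Z (10-35), or * - + relative to maxlen
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    return {"*": maxlen, "-": maxlen - 1, "+": maxlen + 1}[ch]

def apply_rule(rule, word, maxlen=15, case_sensitive=True, split=False):
    """Mangled word, or None when the rule or the word is rejected (subset)."""
    w, i = word, 0
    while i < len(rule):
        c, i = rule[i], i + 1
        if c in ": ":                                     # no-op / separator
            continue
        if c == "-":                                      # reject flags -c -s -8
            flag, i = rule[i], i + 1
            if (flag == "c" and not case_sensitive) or (flag == "s" and not split):
                return None
        elif c == "l": w = w.lower()
        elif c == "c": w = w[:1].upper() + w[1:].lower()  # capitalize
        elif c == "d": w = w + w                          # duplicate
        elif c == "$": w, i = w + rule[i], i + 1          # append char
        elif c == "Q":                                    # reject unless changed
            if w == word: return None
        elif c in "<>":                                   # length checks
            n, i = position(rule[i], maxlen), i + 1
            if (c == "<" and len(w) >= n) or (c == ">" and len(w) <= n):
                return None
        elif c in "(!" and rule[i] == "?":                # (?a first char, !?A contains
            cls, i = rule[i + 1], i + 2
            if c == "(" and not (w and in_class(w[0], cls)): return None
            if c == "!" and any(in_class(x, cls) for x in w): return None
        else:
            raise ValueError(f"unsupported rule command {c!r}")
    return w
```

Running the five single-mode rules over "tim" yields only "Tim" (rule #3), which is why the log shows rules #2 and #5 rejected and rule #4 discarding the unchanged word.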

WordList

Incremental Crack Mode

External Crack Mode

john.conf

A few recipes

Limit the number of characters

[List.Rules:Wordlist]
<7

I know the beginning of a password but not the end

[Incremental:All5]
File = $JOHN/all.chr
MinLen = 5
MaxLen = 5
CharCount = 95

[List.External:Cs-5]
void filter()
{
	word[8] = 0;
	word[7] = '5';
	word[6] = word[4];
	word[5] = word[3];
	word[4] = word[2];
	word[3] = word[1];
	word[2] = word[0];
	word[1] = 's';
	word[0] = 'C';
}