Date: Thu, 6 Apr 2006 06:34:08 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: new at this cracker business
Jay,
Have you been able to crack some of your passwords after the explanation
in my last response?
On Thu, Apr 06, 2006 at 01:26:36AM +0000, jay rubin wrote:
> Solar Designer- Thank you, you've been a big help and I am beginning to
> get a better understanding of how to crack a password. There is still a lot
> I have to learn such as salt,
Windows systems don't use salts. Unix systems do.
> and hash rules. Hash rules looks like some kind of password format.
I have no idea what you're referring to with "hash rules".
> I also ran john -test and don't understand the benchmark output ...
Feel free to post it in a separate message for me to comment. If you
do, please post it anew, not by hitting "reply" to some other message,
as this affects threading in web-based archives of the mailing list.
> I've been keeping track of what I've done
> and am going to repeat everything here up to my current execution of john.
>
> Jay's adventures as he tries to crack his Windows XP passwords.
Thanks. This may help make the documentation easier to understand.
> 1. Downloaded John the Ripper 1.7.0.1 (Win32 - binaries, ZIP, 1360 KB)
OK.
> 2. Found that I needed the SAM database file.
What made you think so?
If you would proceed to read the EXAMPLES, you would notice this:
| Similarly, if you're going to be cracking Windows passwords, use any of
| the many utilities that dump Windows password hashes (LM and/or NTLM) in
| Jeremy Allison's PWDUMP output format. Some of these utilities may be
| obtained here:
|
| http://www.openwall.com/passwords/nt.shtml
So you would have downloaded pwdump2 (the first such utility listed on
that page) and used it to obtain the password hashes to feed into John.
> 3. Could not copy the SAM file since on being booted the operating
> system accessed it locking the resource.
> 4. Tried a safe boot to see if I could copy it. Didn't work.
> 5. Tried an MS/DOS boot to see if I could copy it. Didn't work.
> 6. Found an unlocked copy of the SAM database file in a repair
> subfolder of the windows folder.
Yes, that's one way to do it. But SAM files are not easy to process.
> 7. Ran john (forgot command string) and got an error, no hashes.
Indeed - John does not support SAM files directly.
> 8. According to documentation I discovered that I needed to merge the
> SAM database file with its shadow file.
That's wrong. The documentation does not say that. I'll try to guess
why/how you arrived at this conclusion. There's this FAQ entry:
| Q: Why doesn't John load my password file? It says "No password hashes
| loaded".
| A: Your password file might be shadowed. You need to get both
| /etc/passwd and the shadow file, and combine them into one file for use
| with John. Please refer to EXAMPLES. As the system administrator,
| you're supposed to know the name and location of your shadow file.
That's one out of five possible answers to this question - but it's the
first one listed - because this cause of the problem is very common when
using John to crack Unix passwords (which is its primary purpose).
Perhaps this answer should be re-worded such that it would be apparent
that it applies to Unix password files only (doesn't the mention of
"/etc/passwd" make it obvious, though? OK, perhaps not to Windows users
who have never worked with Unix).
Another answer included on the FAQ is:
| A: Your password file format or hash type(s) might not be supported ...
This is the last answer on the list - but it applied in your case -
because SAM files are not supported.
> 9. Could not find any shadow file.
> 10. Found a system utility vssadmin (volume shadow copy service) in the
> windows/system32 folder which when run stated that I had no shadow files on
> my system.
"Password shadowing" is a concept specific to Unix, where the system
originally did not protect password hashes from being accessed by
regular users, but such protection was later introduced (by moving
users' passwords into a separate "shadow" file with different access
permissions).
This does not apply to Windows systems. The utility which you found is
completely irrelevant.
> 11. Finally decided I had the wrong version of john.
No, the version of John was fine. (Well, unless you would want to crack
the case-sensitive NTLM hashes - but you did not get this far and you
might not need that.)
> 12. Found 1.7 + jumbo patch build for Win32 (1664 KB), by thomas
> springer.
OK, that would also work.
> 13. Documentation said I needed pwdump2 which I then downloaded.
Great!
> 14. Ran pwdump2 against SAM producing SAM.txt file.
You may _think_ that you ran it against the SAM (how?), but in reality
pwdump2 dumps the hashes from the running system, not from a SAM file.
You did not need the SAM file for that.
Calling the resulting file SAM.txt might be misleading, but of course it
shouldn't affect anything.
> 15. Ran john against SAM.txt file using command string of john --show
> --format=NT SAM.txt and got a message, 0 password hashes cracked, 7 left.
That's because you didn't have anything cracked yet. The "--show"
option is, as the name suggests, for displaying previously cracked
usernames and passwords. The documentation says this, too.
> 16. Send an email to john-users@...ts.openwall.com
> 17. Ran john using command string of john SAM.txt, still running.
Great!
> Though I read the README, FAQ and EXAMPLES documentation in my downloads I
> found them, for myself, a little complex.
Understood. This is in part because John runs on so many different
platforms and supports so many different hash types. As a result, some
statements in the documentation have to be very generic and not
specific. Also, John is a tool for systems administrators, so a certain
level of experience is assumed.
> Also with the first official
> download of john, to execute it I had to use either john-386 or john-mmx.
That's correct - you should be using "john-mmx" unless your computer is
truly ancient. I decided against including a plain "john" in the
Windows and DOS distributions to ensure that people make a conscious
decision on which build they use (MMX or not). Maybe I was wrong as the
feedback I am receiving suggests that people don't understand this stuff
and are picking a John executable at random.
> In the documents it says just use john.
Yes, in most of the documentation it does. However, there's this short
note (should I call it an excuse?) in the README -
| Please note that "binary" (pre-compiled) distributions of John may
| include alternate executables instead of just "john". You may need to
| choose the executable which fits your system best, e.g. "john-mmx" to
| take advantage of MMX acceleration.
> I also on the MARC site under subject of 'does john crack xp passwords
> correctly' I read the following:
>
> john -show pwfile | cut -d: -f2 > cracked
> john -w=cracked -rules -format=nt pwfile
> john -show -format=nt pwfile
This was my answer to someone who wanted to crack the case-sensitive
NTLM hashes after having cracked the case-insensitive LM ones. It does
not apply to your case since you do not have anything cracked and you
might not want/need to be cracking NTLM hashes.
These commands alone are also insufficient to accomplish the task - my
complete answer was longer.
> It did not recognize cut or f2 as options.
Indeed. That's because these commands require Cygwin, as mentioned in
the discussion you've taken them from. But you really don't need this.
> None of these show the final
> command line that I used to execute john as just john SAM.txt.
The README and EXAMPLES files do show this. A quote from README:
| To run John, you need to supply it with some password files and
| optionally specify a cracking mode, like this, using the default order
| of modes and assuming that "passwd" is a copy of your password file:
|
| john passwd
And a quote from EXAMPLES:
| 2. Now, let's assume you've got a password file, "mypasswd", and want to
| crack it. The simplest way is to let John use its default order of
| cracking modes:
|
| john mypasswd
Obviously, the password file name can be arbitrary.
P.S. Please don't quote entire messages in your responses. Only quote
the bits relevant to your response, preferably inline (like I did).
--
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
Was I helpful? Please give your feedback here: http://rate.affero.net/solar
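The message above refers to the PWDUMP output format that pwdump2 and similar tools produce, and to two properties of Windows hashes it mentions in passing: they carry no salt, and the LM hash is the case-insensitive (weaker) of the two. The following is an added example, not part of the mailing-list message and not code from John the Ripper or pwdump2. It parses a small constructed dump in that format (user:RID:LM hash:NT hash:::) and reports what an administrator auditing their own dump would want to know: which accounts still have an LM hash stored, which have an empty NT hash, and which accounts share an NT hash (with no salt, equal hashes mean equal passwords). The two empty-password constants are the well-known values such tools emit when a hash is absent; every other hash value in the sample is made up.

```python
"""Audit a PWDUMP-format hash dump (added example, not from the original
message or from John the Ripper / pwdump2)."""
from collections import defaultdict

# PWDUMP output format, one account per line:
#   username:RID:LM_hash:NT_hash:::
# Well-known hashes of the empty password; pwdump-style tools emit these
# when the corresponding hash is not stored (e.g. LM hashing disabled).
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump: apart from the two empty-password constants,
# the hex values below are made up and do not correspond to any password.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jay:1003:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
alice:1004:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
bob:1005:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
# comment lines and blank lines are ignored

this line is malformed and is skipped
"""


def parse_pwdump(text):
    """Parse PWDUMP lines into dicts; blank, comment and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        user, rid, lm, nt = fields[0], fields[1], fields[2].lower(), fields[3].lower()
        # Both hashes are 16 bytes, i.e. 32 hex digits, and the RID is numeric.
        if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
            continue
        try:
            int(lm, 16)
            int(nt, 16)
        except ValueError:
            continue
        records.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return records


def audit(records):
    """Return the findings an administrator reviewing their own dump cares about."""
    # LM hashes are case-insensitive and far weaker than NT; flag accounts
    # that still have one stored rather than the empty-password constant.
    lm_stored = [r["user"] for r in records if r["lm"] != LM_EMPTY]
    # An empty NT hash means a blank password (or a disabled account).
    empty_password = [r["user"] for r in records if r["nt"] == NT_EMPTY]
    # No salt: two accounts with the same NT hash have the same password.
    by_nt = defaultdict(list)
    for r in records:
        if r["nt"] != NT_EMPTY:
            by_nt[r["nt"]].append(r["user"])
    shared_nt = {h: users for h, users in by_nt.items() if len(users) > 1}
    return {
        "lm_stored": lm_stored,
        "empty_password": empty_password,
        "shared_nt": shared_nt,
    }


if __name__ == "__main__":
    for finding, value in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{finding}: {value}")
```

Running the script on the sample reports that only "jay" still has an LM hash stored, that the Administrator and Guest entries have an empty NT hash, and that "jay" and "alice" share an NT hash and therefore a password. To use it on a real dump, read the file contents into a string and pass it to `parse_pwdump` in place of `SAMPLE_DUMP`.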