Date: Thu, 19 May 2016 06:46:29 -0400
From: Rich Rumble <richrumble@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: JtR Jumbo 1.79 on Win7, md5hash matching does not work

On Tue, May 17, 2016 at 12:17 PM, Michael Mckenna-Mattiaccio
<mckennammj@...il.com> wrote:
> Hello all,
>
> I have a folder containing .doc .xls .pdf .ppt .zip files that are
> encrypted and I need to recover their passwords. I have a custom wordlist
> that I know contains at least some correct passwords, but I never get a
> single correct guess.
>
> The Windows binary doesn't ship with office2john but it does ship with
> pdf2john and zip2john as you can see here https://paste.debian.net/686868/
Try the custom builds section of the John wiki:
http://openwall.info/wiki/john/custom-builds
The office2john requires Python, not PowerShell; I wrapped the py into
an exe and included it in the custom build for Windows users.
A search of "office2john windows" turns up the same result
https://www.google.com/search?q=office2john+windows&ie=utf-8&oe=utf-8
> So I used a random tool my company uses called Karen's Directory Printer. I
> fed in the directory with all the files and selected the output of a .txt
> file with just a list of all the md5hashes created by Karen's...
> https://paste.debian.net/686908/
That program, after googling, gives you an md5 checksum of the file,
not the encryption of the file.
> Here is some sample output from Johnny
> https://paste.debian.net/hidden/4cf6b99d/
John thinks these are 11 different hash types
HAVAL-128-4, lotus5, MD2, mdc2, mscash, mscash2, NT, Raw-MD5u,
ripemd-128, Snefru-128, NT-old
I don't think Karen's tool is needed here.
> I don't think the md5crypt script is included in the Windows binaries for
> Jumbo 1.79 because when I try to run  --format=md5crypt  I get Unknown
> ciphertext format name requested
md5crypt appears to refer to FreeBSD hashes, thanks Google
https://www.google.com/search?q=md5crypt&ie=utf-8&oe=utf-8#q=md5crypt+%22john+the+ripper%22
The md5 checksum that Karen's tool was outputting won't be of use to you.
http://xinn.org/blog/choosing-the-right-encryption.html
http://xinn.org/blog/password-security.html
> How do I copy the md5 functionality from the github sources so it works in
> JtR?
Office formats are CRC16 (pst's), RC4 (old office) and SHA1+AES these days
https://blogs.msdn.microsoft.com/david_leblanc/2008/12/04/new-improved-office-crypto/
Again, the md5 checksums aren't needed here.
> Also, it doesn't seem to really be using the custom wordlist correctly.
> Whenever I link to the custom wordlist, JtR runs quickly and with no
> results. If I don't use Wordlist mode then at least JtR seems to be trying.
> I even made a .bu of the default wordlist and put my custom wordlist in its
> place in the JTr Jumbo folder and I'm still not seeing results.
john.exe -w=wordlist_here.txt -format=office hashes.txt
(could also be old-office)
That should do it (shouldn't need the format if only office hashes are
in the file), I recommend using rules
john.exe -w=wordlist_here.txt hashes.txt -rules=jumbo
> I have tried the *2john feature of Johnny but it doesn't seem to work well
> for me. I was once able to get a pdf password out and removed the prefix
> info for https://paste.debian.net/hidden/1eeeaffd/ but the feature is no
> longer working, it just hangs on Conversion in progress..... I tried with a
> pdf The following command in PowerShell doesn't get me any results either,
> regardless of whether the output file exists at the time the command is
> run: PS C:\Program Files (x86)\john179j5w\john179j5\run> .\office2john.py
> C:\Users\tdmnyadmin\Desktop\Password_Cracking\SampleFiles\001\Doc3.doc
> C:\Users\tdmnyadmin\Desktop\Password_Cracking\office.lst
Again, PS isn't going to run Python scripts; they do look similar.
> What's the correct command format for these *2john scripts? I can't find
> that in the docs.
We can try to do better, there are tutorials out there for many hash types
http://xinn.org/blog/JtR-AD-Password-Auditing.html
https://countuponsecurity.files.wordpress.com/2015/06/jtr-cheat-sheet.pdf
-rich
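
Added example, not part of the original message and not code from the John the Ripper project: a pre-flight check that separates bare 32-hex file checksums (which John can only guess a format for, as in the 11-format output above) from lines produced by a *2john converter. The tag strings are an assumption taken from current jumbo builds, and the sample lines are constructed.

```python
import re
from collections import Counter

# Format tags written by the *2john converters (assumed from current
# jumbo builds; the 1.7.9 build discussed in the thread may differ).
TAGS = {
    "$office$": "office2john (Office 2007+)",
    "$oldoffice$": "office2john (Office 97-2003)",
    "$pdf$": "pdf2john",
    "$zip2$": "zip2john (WinZip AES)",
    "$pkzip2$": "zip2john (PKZIP)",
}
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def classify(line):
    """Return (kind, detail) for one line of a would-be hash file."""
    line = line.strip()
    if not line:
        return ("empty", "")
    # Converter output is "label:hash"; Windows paths also contain ':',
    # so look for the tag itself instead of splitting on the first colon.
    for tag, tool in TAGS.items():
        if tag in line:
            return ("extracted", tool)
    # A bare 128-bit hex digest carries no salt or format information.
    if HEX32.match(line.rsplit(":", 1)[-1]):
        return ("bare-hex32", "128-bit digest, no format tag")
    return ("unknown", "")


def audit(lines):
    """Count line kinds so a file of checksums is caught before a run."""
    return Counter(classify(l)[0] for l in lines if l.strip())


# Constructed sample input: an MD5 file checksum (the MD5 of empty input)
# and a made-up, non-crackable line shaped like office2john output.
SAMPLE = [
    "d41d8cd98f00b204e9800998ecf8427e",
    "Doc3.docx:$office$*2007*20*128*16*"
    + "*".join(["00" * 16, "11" * 16, "22" * 20]),
]

if __name__ == "__main__":
    for line in SAMPLE:
        kind, detail = classify(line)
        print(f"{kind:11} {detail:30} {line[:40]}")
    print(dict(audit(SAMPLE)))
```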
