Message-ID: <BAY101-F37BA99343625524FEE79A1DCC80@phx.gbl>
Date: Thu, 06 Apr 2006 12:11:13 +0000
From: "jay rubin" <cjride@...mail.com>
To: john-users@...ts.openwall.com
Subject: Re: new at this cracker business

>
>Jay,
>
>Have you been able to crack some of your passwords after the explanation
>in my last response?


So far 6 out of 7.  John has been running since last night.  I didn't even 
know I had these other passwords and of what use they are.


>
>On Thu, Apr 06, 2006 at 01:26:36AM +0000, jay rubin wrote:
> > Solar Designer-  Thank you, you've been a big help and I am beginning to
> > get a better understanding of how to crack a password.  There is still a
> > lot I have to learn such as salt,
>
>Windows systems don't use salts.  Unix systems do.
>
> > and hash rules.  Hash rules looks like some kind of password format.
>
>I have no idea what you're referring to with "hash rules".


One of the option parameters for running john was rules.  I thought that 
these rules were possible hashing algorithms or possible password formats. 
Or as I said hash rules.


>
> > I also ran john -test and don't understand the benchmark output ...
>
>Feel free to post it in a separate message for me to comment.  If you
>do, please post it anew, not by hitting "reply" to some other message,
>as this affects threading in web-based archives of the mailing list.
>
> > I've been keeping track of what I done and am going to repeat everything
> > here up to my current execution of john.
> >
> > Jay's adventures as he tries to crack his Windows XP passwords.
>
>Thanks.  This may help make the documentation easier to understand.
>
> > 1.	Downloaded John the Ripper 1.7.0.1 (Win32 - binaries, ZIP, 1360 KB)
>
>OK.
>
> > 2.	Found that I needed the SAM database file.
>
>What made you think so?
>


Good question.  I wish I could recall what caused me to think that.  Found the 
answer.  I bookmarked several web sites on Windows security.  I'm including 
the URLs here even though you may know more about the subject than the 
authors.  But they led me to the conclusion that the Windows passwords were 
stored in the SAM file.

http://www.microsoft.com/technet/archive/winntas/tips/winntmag/storpass.mspx?mfr=true
http://www.iss.net/security_center/advice/Intrusions/2002702/default.htm



>If you would proceed to read the EXAMPLES, you would notice this:
>
>| Similarly, if you're going to be cracking Windows passwords, use any of
>| the many utilities that dump Windows password hashes (LM and/or NTLM) in
>| Jeremy Allison's PWDUMP output format.  Some of these utilities may be
>| obtained here:
>|
>| 	http://www.openwall.com/passwords/nt.shtml
>
>So you would have downloaded pwdump2 (the first such utility listed on
>that page) and used it to obtain the password hashes to feed into John.


I guess I had to go through some learning process to understand.  It makes 
sense now but didn't the first time I read it.  I eventually did download 
pwdump2 but it was because of what I read in the documentation from my 
second download of john.  Going back now I see it was included in my first 
download.


>
> > 3.	Could not copy the SAM file since on being booted the operating
> > system accessed it locking the resource.
> > 4.	Tried a safe boot to see if I could copy it.  Didn't work.
> > 5.	Tried an MS/DOS boot to see if I could copy it.  Didn't work.
> > 6.	Found an unlocked copy of the SAM database file in a repair
> > subfolder of the windows folder.
>
>Yes, that's one way to do it.  But SAM files are not easy to process.
>
> > 7.	Ran john (forgot command string) and got an error, no hashes.
>
>Indeed - John does not support SAM files directly.
>
> > 8.	According to documentation I discovered that I needed to merge the
> > SAM database file with its shadow file.
>
>That's wrong.  The documentation does not say that.  I'll try to guess
>why/how you arrived at this conclusion.  There's this FAQ entry:
>
>| Q: Why doesn't John load my password file?  It says "No password hashes
>| loaded".
>| A: Your password file might be shadowed.  You need to get both
>| /etc/passwd and the shadow file, and combine them into one file for use
>| with John.  Please refer to EXAMPLES.  As the system administrator,
>| you're supposed to know the name and location of your shadow file.
>
>That's one out of five possible answers to this question - but it's the
>first one listed - because this cause of the problem is very common when
>using John to crack Unix passwords (which is its primary purpose).
>Perhaps this answer should be re-worded such that it would be apparent
>that it applies to Unix password files only (doesn't the mention of
>"/etc/passwd" make it obvious, though? OK, perhaps not to Windows users
>who have never worked with Unix).
>
>Another answer included on the FAQ is:
>
>| A: Your password file format or hash type(s) might not be supported ...
>
>This is the last answer on the list - but it applied in your case -
>because SAM files are not supported.


Just a little familiar with Unix.  Not enough that "/etc/passwd" should have 
made it obvious that it was Unix password files only.  I just thought it was 
some subfolder I couldn't find.  But you're correct on your questions.  It 
might have also led me to think that I had a version of john that didn't 
support Windows passwords since SAM files are not supported.


>
> > 9.	Could not find any shadow file.
> > 10.	Found a system utility vssadmin (volume shadow copy service) in the
> > windows/system32 folder which when run stated that I had no shadow files
> > on my system.
>
>"Password shadowing" is a concept specific to Unix, where the system
>originally did not protect password hashes from being accessed by
>regular users, but such protection was later introduced (by moving
>users' passwords into a separate "shadow" file with different access
>permissions).
>
>This does not apply to Windows systems.  The utility which you found is
>completely irrelevant.
>
> > 11.	Finally decided I had the wrong version of john.
>
>No, the version of John was fine.  (Well, unless you would want to crack
>the case-sensitive NTLM hashes - but you did not get this far and you
>might not need that.)


Actually it was the patch for the case-sensitive NTLM hashes that caused me 
to think I had the wrong version of john.  Also, as you address later in 
this email, this version of john ran by using the command john as I had 
read early in the documentation.


>
> > 12.	Found 1.7 + jumbo patch build for Win32 (1664 KB), by thomas
> > springer.
>
>OK, that would also work.
>
> > 13.	Documentation said I needed pwdump2 which I then downloaded.
>
>Great!


First time I read this and understood it enough to know what it meant.  As I 
said earlier, I didn't even see it in the first set of documentation.


>
> > 14.	Ran pwdump2 against SAM producing SAM.txt file.
>
>You may _think_ that you ran it against the SAM (how?), but in reality
>pwdump2 dumps the hashes from the running system, not from a SAM file.
>You did not need the SAM file for that.
>
>Calling the resulting file SAM.txt might be misleading, but of course it
>shouldn't affect anything.


I read the following in the pwdump2 documentation:

"and the contents of the SAM will be written to the console. To capture the 
output in a file, run, e.g. "pwdump2 > passwd.txt"


>
> > 15.	Ran john against SAM.txt file using command string of john --show
> > --format=NT SAM.txt and got a message, 0 password hashes cracked, 7 left.
>
>That's because you didn't have anything cracked yet.  The "--show"
>option is, as the name suggests, for displaying previously cracked
>usernames and passwords.  The documentation says this, too.
>
> > 16.	Send an email to john-users@...ts.openwall.com
> > 17.	Ran john using command string of john SAM.txt, still running.
>
>Great!
>
> > Though I read the README, FAQ and EXAMPLES documentation in my downloads
> > I found them, for myself, a little complex.
>
>Understood.  This is in part because John runs on so many different
>platforms and supports so many different hash types.  As a result, some
>statements in the documentation have to be very generic and not
>specific.  Also, John is a tool for systems administrators, so a certain
>level of experience is assumed.
>
> > Also with the first official download of john, to execute it I had to
> > use either john-386 or john-mmx.
>
>That's correct - you should be using "john-mmx" unless your computer is
>truly ancient.  I decided against including a plain "john" in the
>Windows and DOS distributions to ensure that people make a conscious
>decision on which build they use (MMX or not).  Maybe I was wrong as the
>feedback I am receiving suggests that people don't understand this stuff
>and are picking a John executable at random.
>
> > In the documents it says just use john.
>
>Yes, in most of the documentation it does.  However, there's this short
>note (should I call it an excuse?) in the README -
>
>| Please note that "binary" (pre-compiled) distributions of John may
>| include alternate executables instead of just "john".  You may need to
>| choose the executable which fits your system best, e.g. "john-mmx" to
>| take advantage of MMX acceleration.


My guess is that my brain didn't carry the message over from the README file 
to the EXAMPLES or FAQ files.  I was using john-mmx in my command line for 
executing john.  I understood from looking in the run folder that it had the 
.exe file extension.


>
> > Also, on the MARC site under the subject 'does john crack xp passwords
> > correctly', I read the following:
> >
> > john -show pwfile | cut -d: -f2 > cracked
> > john -w=cracked -rules -format=nt pwfile
> > john -show -format=nt pwfile
>
>This was my answer to someone who wanted to crack the case-sensitive
>NTLM hashes after having cracked the case-insensitive LM ones.  It does
>not apply to your case since you do not have anything cracked and you
>might not want/need to be cracking NTLM hashes.
>
>These commands alone are also insufficient to accomplish the task - my
>complete answer was longer.
>
> > It did not recognize cut or f2 as options.
>
>Indeed.  That's because these commands require Cygwin, as mentioned in
>the discussion you've taken them from.  But you really don't need this.


I read about Cygwin but thought I just needed that if I was going to 
compile john from the source code.  The Cygwin dynamic link library was 
included in the second download that I made of john.


>
> > None of these show the final
> > command line that I used to execute john as just john SAM.txt.
>
>The README and EXAMPLES files do show this.  A quote from README:
>
>| To run John, you need to supply it with some password files and
>| optionally specify a cracking mode, like this, using the default order
>| of modes and assuming that "passwd" is a copy of your password file:
>|
>| 	john passwd
>
>And a quote from EXAMPLES:
>
>| 2. Now, let's assume you've got a password file, "mypasswd", and want to
>| crack it.  The simplest way is to let John use its default order of
>| cracking modes:
>|
>| 	john mypasswd
>
>Obviously, the password file name can be arbitrary.
>


I want to do some timing on how long it takes john to crack various 
passwords.  I thought I would do this by changing my password and rerunning 
john. But I don't need to rerun john against all the passwords.  It looked 
like it was possible to run john against a specific user but that format was 
a little unclear to me.


>P.S. Please don't quote entire messages in your responses.  Only quote
>the bits relevant to your response, preferably inline (like I did).
>
>--
>Alexander Peslyak <solar at openwall.com>
>GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
>http://www.openwall.com - bringing security into open computing environments
>
>Was I helpful?  Please give your feedback here: 
>http://rate.affero.net/solar
>


Maybe some day when I'm again employed I can make a donation.


>--
>To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
>to the automated confirmation request that will be sent to you.
>
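The thread keeps coming back to what pwdump2 actually produces: one line per account in Jeremy Allison's PWDUMP format (user:RID:LM_hash:NT_hash:::), with the case-insensitive LM hash and the case-sensitive NTLM hash side by side. An administrator auditing such a dump can learn a lot before ever running John, simply by checking which accounts still store an LM hash at all. The script below is an added example for this thread, not code from John the Ripper, pwdump2 or Openwall; the sample dump is constructed (fake RIDs and fake non-empty hashes), and the two hash constants are the well-known LM and NT hashes of the empty password.

```python
"""Audit a PWDUMP-format hash dump for LM hash storage.

Added example for the john-users thread above, not code from John the
Ripper or pwdump2.  Assumes Jeremy Allison's PWDUMP line format:
    user:RID:LM_hash:NT_hash:::
The sample dump is constructed; the two hash constants are the well-known
LM and NT hashes of the empty password.
"""
from collections import Counter
import re

# LM hash of the empty string; pwdump also emits it when no LM hash is stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample in pwdump format (fake RIDs and fake non-empty hashes).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jay:1003:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
svc_backup:1004:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
this line is not a valid pwdump record
"""


def parse_pwdump(text):
    """Return (records, bad_line_numbers) for a pwdump-format dump."""
    records, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        # Need at least user, RID, LM and NT; the three trailing fields are empty.
        if (len(fields) < 4 or not fields[1].isdigit()
                or not HEX32.match(fields[2]) or not HEX32.match(fields[3])):
            bad.append(lineno)
            continue
        records.append({"user": fields[0], "rid": int(fields[1]),
                        "lm": fields[2].lower(), "nt": fields[3].lower()})
    return records, bad


def classify(lm, nt):
    """Say what the stored hashes reveal about an account's password storage."""
    if lm == EMPTY_LM and nt == EMPTY_NT:
        return "blank_password"   # empty password (or never set)
    if lm != EMPTY_LM:
        return "lm_stored"        # case-insensitive LM hash present: the weak case
    return "nt_only"              # LM storage disabled, or password longer than 14 chars


def audit(text):
    """Map each user in the dump to its classification."""
    records, _bad = parse_pwdump(text)
    return {r["user"]: classify(r["lm"], r["nt"]) for r in records}


def summarize(text):
    """Count accounts per classification, plus malformed lines."""
    records, bad = parse_pwdump(text)
    counts = Counter(classify(r["lm"], r["nt"]) for r in records)
    counts["malformed_lines"] = len(bad)
    return dict(counts)


if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_DUMP).items():
        print(f"{user:16s} {verdict}")
    print(summarize(SAMPLE_DUMP))
```

Accounts reported as "lm_stored" are the ones Solar's LM-then-NTLM remark applies to: the LM hash is case-insensitive and limited to 14 characters, so an account that still has one is weaker than its NTLM hash alone would suggest, and disabling LM hash storage (or using passwords longer than 14 characters) is the fix on the Windows side. Malformed lines are counted rather than silently dropped, which is the quickest way to notice that a file is not really in pwdump format, the situation that produces John's "No password hashes loaded" message in this thread.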

