
3 INFRA – Cyber Security

Cybersecurity threat and risk and
Cybersecurity defence and forensic

TUTORIAL, EXERCISE AND CHALLENGE

John The Ripper

“Really, boy, unless you're ready to deal with the monster, you shouldn't go looking under the bed.”

- Stefan Petrucha -
Table of Contents
Goal
Tutorial
    First intro with John: “Hello John”!
    Our first ‘ripperderip’, Yeah!
    In the meantime, some stuff to think about …
    And what about a good password?
    Encrypted PDF cracking - Method 1
        Getting the hash
        Brute Force
    Encrypted PDF cracking - Method 2
        Getting the hash
        The dictionary attack
Challenge
    Strong password?
    Alternatives
Addendum
References
Goal
In this challenge you will learn how to crack passwords using Kali Linux and John The Ripper.
Why? So you’ll know the importance of choosing a strong password.

Don’t forget that a lot of the data lost in breaches is either stored unencrypted or becomes ‘useful’ to the attacker after brute forcing the hashes:

http://breachlevelindex.com/
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Tutorial
First intro with John: “Hello John”!
Luckily John The Ripper is already installed on Kali. If you want to use it on another distro, it can
usually be installed from the repos; on Debian/Ubuntu, for example, just apt-get it.

So, “Hello John! Are you ok?” We’ll find out by testing its performance.

Below we ran some benchmarks of John's capabilities (john --test), expressed in c/s, or cracks per second.
What was your speed?
TIP Remember this number, you’ll need it later in this document.

If you have no idea what Kerberos, MD5, DES or Blowfish is, we recommend you to follow the
class of J. Janssen, our crypto-specialist of Thomas More.

Our first ‘ripperderip’, Yeah!


First, let’s create a file in your home directory containing the username and hash
“myuser:AZl.zWwxIh15Q”, like this:

Now, let’s give this John a try! By the way, press 'q' or Ctrl-C to abort the cracking, and almost any
other key for a status update.

After some minutes you’ll get a result. The found password is quite obvious, but hey, it’s just an
example! Now it’s your turn.

CTF $1, your first part of the flag can be found here. Happy CPU-cycling!
In the meantime, some stuff to think about …
As you can see, this type of attack is less interesting, it will take too long. How could you speed up
this attack?

If a password contains only capital letters, lowercase letters and digits, there are 62 possible
characters the password can be built from. The longer the password, the more possible
permutations there are.

Permuwhat?!?

LOL A "combination lock" should really be called a "permutation lock"!

This table shows how this evolves:

length password (r)   # possible characters (n)   formula   # possible permutations
3                     62                          n^r       238 328
4                     62                          n^r       14 776 336
5                     62                          n^r       916 132 832
6                     62                          n^r       56 800 235 584
7                     62                          n^r       3 521 614 606 208
8                     62                          n^r       218 340 105 584 896
9                     62                          n^r       13 537 086 546 263 600
10                    62                          n^r       839 299 365 868 340 000
11                    62                          n^r       52 036 560 683 837 100 000
12                    62                          n^r       3 226 266 762 397 900 000 000
How long would it take to try out any combination, with the speed you measured above
(attempts/second)?

length password   # possible permutations          time needed to brute force
3                 238 328
4                 14 776 336
5                 916 132 832
6                 56 800 235 584
7                 3 521 614 606 208
8                 218 340 105 584 896
9                 13 537 086 546 263 600
10                839 299 365 868 340 000
11                52 036 560 683 837 100 000
12                3 226 266 762 397 900 000 000

As you can see, it will take too much time to capture the first flag! How could you speed up this
attack?
Expect to ... CPU more!

A first hint:

A second hint: you only have to do it 238 328 times.


And what about a good password?
Do you use a good password? Test it yourself at this website:
https://www.betterbuys.com/estimating-password-cracking-times/

Oh, and by the way, don’t write a password down on a sticky note:

http://www.thegatewaypundit.com/2018/01/hawaiian-emergency-management-officials-hold-interview-post-notes-passwords-computer-screens/
Encrypted PDF cracking - Method 1

This is an encrypted pdf-file:


https://drive.google.com/open?id=0BzMIrzDJVfo3X3R1WVE1Umtobnc
Curious what’s inside? Maybe a flag? Who knows ...

Download the PDF file (simple.pdf). When you open the file, a password is requested. We will try
to crack this password using John The Ripper.

This attack consists of two steps:


1. Get the password hash (encrypted password) from the PDF
2. Get the password from the hash by a brute force attack

Getting the hash

Get the hash (encrypted password) from the pdf by using a tool from John The Ripper Jumbo;
more info can be found on GitHub: https://github.com/magnumripper/JohnTheRipper/.

So first we’ll need to get the Jumbo version of JTR and unzip it:

# wget https://github.com/magnumripper/JohnTheRipper/archive/bleeding-jumbo.zip
# unzip bleeding-jumbo.zip

Now we can extract the hash from the encrypted pdf-file.


# ./JohnTheRipper-bleeding-jumbo/run/pdf2john.pl ./simple.pdf > simple.hash.step1

But, as you can see, there is more than only the hash, so let's clean this up a bit:
# cat simple.hash.step1 | sed "s/::.*$//" | sed "s/^.*://" > simple.hash.step2
Nice, now we have a pure hash. Hooray!
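The two sed steps above, written out as a small parser so it is clear what each one removes. This is an added example, not part of the original tutorial; SAMPLE is a constructed pdf2john-style line whose hex fields are placeholders, not a hash taken from simple.pdf.

```python
# Added example, not part of the original tutorial: the two sed steps from the
# text as a small parser, so it is clear what each one removes.
# SAMPLE is a constructed pdf2john-style line; its hex fields are placeholders,
# not a hash taken from simple.pdf.
import re

SAMPLE = ("simple.pdf:$pdf$4*4*128*-1028*1*16*00112233445566778899aabbccddeeff"
          "*32*AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA*32*BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
          ":::::simple.pdf")


def strip_hash(line: str) -> str:
    """Return the bare $pdf$ hash from one pdf2john output line.

    Step 1, sed "s/::.*$//":  drop everything from the first '::' to the end
                              (the empty trailing fields and the repeated filename).
    Step 2, sed "s/^.*://":   drop everything up to the last remaining ':'
                              (the leading 'simple.pdf:').
    """
    line = line.rstrip("\n")
    line = re.sub(r"::.*$", "", line)
    line = re.sub(r"^.*:", "", line)
    return line


def clean_hash_file(lines):
    """Apply strip_hash to every non-blank line; reject lines that yield no $pdf$ hash."""
    hashes = []
    for raw in lines:
        if not raw.strip():
            continue
        h = strip_hash(raw)
        if not h.startswith("$pdf$"):
            raise ValueError(f"not a pdf2john hash line: {raw.strip()!r}")
        hashes.append(h)
    return hashes


if __name__ == "__main__":
    for h in clean_hash_file([SAMPLE, "\n"]):
        print(h)
```

The second regex is greedy, so it relies on the hash itself containing no colon; the $pdf$ format separates its fields with `*`, which is why the pipeline works. Note that john also reads the uncleaned `filename:hash` line directly, treating the part before the first colon as the login name, so the clean-up is for readability rather than a requirement.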

LOL Q: What do you get when you eat too much hash brownies?
A: A pot belly

Stop thinking of brownies …. go to the next step, hup hup!

Brute Force

Start a brute force attack on simple.hash.step2. John The Ripper will try all possible ‘combinations’
to guess the password; the more complex the password, the longer this type of attack takes.
Exciting!

CTF $2, the second part of the flag, can be found within the pdf-file.
Encrypted PDF cracking - Method 2
A second way to find passwords is to compare a pre-calculated list of passwords with the hash
you obtained, from a pdf for example. This way of cracking passwords may have more success
because these dictionaries are based on passwords that have actually been used.

Of course, you need such a list or dictionary. In Kali Linux some are included (in /usr/share/wordlists), or
you can find them online, for example at http://weakpass.com/lists. Really complete and up-to-date lists are
also offered for sale on the deep web through illegal channels.

Let’s try this out on a complex encrypted pdf:


https://drive.google.com/open?id=0BzMIrzDJVfo3VUV2UEVUSVpmUnM

As you will see later, the password for this pdf has 14 characters and is a combination of
lowercase letters and numbers. Due to its length there are 6 140 942 214 464 820 000 000
possible combinations. With a computer that can guess 1 000 000 000 passwords per second it
would still take several tens of millions of years before all combinations are checked, so a brute force
attack makes little sense here.
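The arithmetic behind the permutation table earlier in this tutorial (62 symbols, lengths 3 to 12, and the "time needed to brute force" column you were asked to fill in with your own c/s figure) and behind the 36^14 estimate for the 14-character password above, as an added example that is not part of the original tutorial. RATE_CPS is a constructed placeholder, not a measured value; put your own john --test result there. The block prints exact keyspace sizes and worst-case durations, so you can compare them with the rounded figures quoted in the text.

```python
# Added example, not part of the original tutorial: the arithmetic behind the
# permutation table (62 symbols, length 3..12) and behind the 36^14 estimate for
# the 14-character lowercase+digit password of Method 2.
# RATE_CPS is a constructed placeholder: put the c/s figure your own
# "john --test" benchmark reported there.
from math import log2

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, 31 557 600 s


def keyspace(n: int, r: int) -> int:
    """Number of distinct passwords of length r over an alphabet of n symbols: n^r."""
    return n ** r


def seconds_to_exhaust(space: int, rate_cps: float) -> float:
    """Worst-case time to try every candidate at rate_cps cracks per second."""
    return space / rate_cps


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that keeps the number readable."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def brute_force_table(n: int, lengths, rate_cps: float):
    """Rows (r, n^r, worst-case seconds): the tutorial's table with its last column filled in."""
    return [(r, keyspace(n, r), seconds_to_exhaust(keyspace(n, r), rate_cps))
            for r in lengths]


if __name__ == "__main__":
    RATE_CPS = 5_000_000  # constructed placeholder, not a measured value
    print(f"62 symbols (a-z, A-Z, 0-9) at {RATE_CPS:,} c/s")
    for r, space, secs in brute_force_table(62, range(3, 13), RATE_CPS):
        print(f"{r:2d}  {space:>28,}  {human_time(secs):>14}  ({log2(space):.1f} bits)")
    # Method 2: 14 characters drawn from 36 symbols, attacker at 1e9 c/s
    space = keyspace(36, 14)
    print(f"36^14 = {space:,} candidates, worst case "
          f"{human_time(seconds_to_exhaust(space, 1e9))} at 1e9 c/s")
```

The bits column is log2 of the keyspace, the usual way password strength is quoted: every extra character of a 62-symbol password adds about 5.95 bits, i.e. multiplies the worst-case cracking time by 62. The figure the table gives is the worst case; on average an exhaustive search finds the password after trying half the keyspace.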

We will try to guess the password by a dictionary attack.

OLA This type of attack only works if the password is part of the list.

Getting the hash

Get the hash from the second PDF, with the same two steps as in Method 1 (this gives complex.hash.step2):

Ready for the attack?

The dictionary attack


Prepare the wordlist and enter the dictionary attack:

# cp /usr/share/wordlists/rockyou.txt.gz ./
# gunzip -q rockyou.txt.gz
# john complex.hash.step2 --wordlist=<location of rockyou.txt>

How fast! And now, ladies and gents …

CTF $3, the last part of the flag, can be found within the pdf-file.
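A minimal dictionary attack, added here as an example that is not part of the original tutorial, to show why this mode is so much faster than brute force and why it fails when the password is absent from the list (the OLA caveat above). The wordlist and the target passwords are constructed; SHA-256 stands in for the far slower PDF key derivation that john performs for the real hash.

```python
# Added example, not part of the original tutorial: a minimal dictionary
# attack, to show why it is fast and why it cannot succeed when the password
# is absent from the list. The wordlist and targets are constructed here, and
# SHA-256 stands in for the much slower PDF key derivation that john performs.
import hashlib

# Constructed mini wordlist in rockyou style (real lists have millions of lines)
WORDLIST = ["123456", "password", "iloveyou", "princess", "dragon", "summer2018"]


def sha256_hex(password: str) -> str:
    """Toy hash function for the demo; unsalted, so one hash per candidate suffices."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash: str, wordlist, hash_fn=sha256_hex):
    """Try each candidate in order; return (password, attempts) or (None, attempts)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if hash_fn(candidate) == target_hash:
            return candidate, attempts
    return None, attempts


def brute_force_candidates(password: str, alphabet_size: int) -> int:
    """Worst-case number of candidates an exhaustive search of the same length would need."""
    return alphabet_size ** len(password)


if __name__ == "__main__":
    weak = sha256_hex("summer2018")     # in the list
    strong = sha256_hex("xq7!Lm2p#Vd")  # constructed, not in any list
    for label, target in (("weak", weak), ("strong", strong)):
        found, n = dictionary_attack(target, WORDLIST)
        print(f"{label}: {found!r} after {n} attempts")
    print("exhaustive search for a 10-char lowercase+digit password:",
          f"{brute_force_candidates('summer2018', 36):,} candidates")
```

The weak password falls after six hash computations, where an exhaustive search over 36 symbols would need up to 36^10 of them; the strong one survives the whole list, because a dictionary attack can only ever find what is in the dictionary.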
CTF
This is the flag:

flag{$1_$2_$3}
Challenge
Strong password?
Do you use a strong password?

http://lifehacker.com/four-methods-to-create-a-secure-password-youll-actually-1601854240

http://webwereld.nl/security/101346-4-wachtwoordmythes-om-uit-te-bannen/

Alternatives
An alternative for JTR is HashCat.
Addendum
We feel that it might be best to end this article with a little word on ethics. Although it very well
might not be your case, there are those few who've seen Hackers too many times and think of
cracking (as opposed to hacking) as a cool activity. We only suggest you try and use your
knowledge for good, not for something that has a 99.8% chance of failing and getting you a nice criminal
record. Have fun.
References
https://linuxconfig.org/password-cracking-with-john-the-ripper-on-linux

http://bcrypthashgenerator.apphb.com/

https://countuponsecurity.files.wordpress.com/2016/09/jtr-cheat-sheet.pdf

https://www.mathsisfun.com/combinatorics/combinations-permutations-calculator.html

https://betterexplained.com/articles/easy-permutations-and-combinations/

https://superuser.com/questions/1300501/john-the-ripper-old-hash-format

https://hashc.co.uk/pdf2john
