- Stefan Petrucha -
Table of Contents
Goal
Tutorial
  First intro with John: “Hello John”!
  Our first ‘ripperderip’, Yeah!
  In the meantime, some stuff to think about …
  And what about a good password?
Encrypted PDF cracking - Method 1
  Getting the hash
  Brute Force
Encrypted PDF cracking - Method 2
  Getting the hash
  The dictionary attack
Challenge
  Strong password?
  Alternatives
Addendum
References
Goal
In this challenge you will learn how to crack passwords using Kali Linux and John the Ripper.
Why? So you’ll know the importance of choosing a strong password.
Don’t forget that a lot of the data that gets lost in a breach is either stored unencrypted or becomes ‘useful’ once its hashes have been brute-forced
…
http://breachlevelindex.com/
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Tutorial
First intro with John: “Hello John”!
Luckily John the Ripper is already installed on Kali. If you want to use it on another distro it can usually be installed from the repos; on Debian/Ubuntu, for example, just apt-get it.
So, “Hello John! Are you OK?” We’ll find out by testing its performance with John's built-in benchmark (the --test option).
Below we ran some benchmarks of John's capabilities, expressed in c/s, crypts per second: the number of candidate passwords John can hash and compare in one second for a given hash type. The figure differs enormously between fast hashes such as raw MD5 and slow ones such as bcrypt, so look at the line for the hash type you are going to attack.
What was your speed?
TIP Remember this number, you’ll need it later in this document.
If you have no idea what Kerberos, MD5, DES or Blowfish is, we recommend you follow the class of J. Janssen, our crypto specialist at Thomas More.
Our first ‘ripperderip’, Yeah!
Now, let’s give John a try! By the way, press 'q' or Ctrl-C to abort the cracking, and almost any other key for a status update.
After some minutes you’ll get a result. The password it finds is quite obvious, but hey .. it’s just an example! Now it’s your turn.
CTF $1, the first part of the flag, can be found here. Happy CPU-cycling!
In the meantime, some stuff to think about …
As you can see, this type of attack is not very practical: it takes too long. How could you speed it up?
If a password contains only capital letters, lowercase letters and digits, there are 62 possible characters for every position. A password of n such characters therefore has 62^n possibilities (characters may repeat, so strictly speaking this is the size of the keyspace rather than a number of permutations), and every extra character multiplies the work by 62.
Permuwhat?!?
So it will take far too much time to capture the first flag by exhaustive search alone. How could you speed up this attack?
Expect to ... CPU more!
A first hint:
And what about a good password?
Oh, and by the way, don’t write a password down on a sticky note:
http://www.thegatewaypundit.com/2018/01/hawaiian-emergency-management-officials-hold-interview-post-notes-passwords-computer-screens/
Encrypted PDF cracking - Method 1
Download the PDF file (simple.pdf). When you open it, a password is requested. This is the password we will try to crack with John the Ripper.
Getting the hash
Get the hash (the encrypted password material) out of the PDF with a tool from the John the Ripper Jumbo distribution; more info can be found on GitHub at https://github.com/magnumripper/JohnTheRipper/.
So first we need to get the Jumbo version of JTR and unzip it:
# wget https://github.com/magnumripper/JohnTheRipper/archive/bleeding-jumbo.zip
# unzip bleeding-jumbo.zip
For this step we only need the pdf2john script from the run/ directory of the unpacked tree; the cracking itself is done by the john that is already on Kali.
But, as you can see, the output contains more than just the hash: the script puts the file name in front of it and appends some extra colon-separated fields. So let's clean this up a bit (the first sed expression cuts off everything from the first '::', the second strips the leading 'filename:'):
# sed -e 's/::.*$//' -e 's/^[^:]*://' simple.hash.step1 > simple.hash.step2
Nice, we now have a pure hash, Hooray! (John would in fact accept the untrimmed line as well, since its input format is login:hash with optional extra fields, but a bare hash keeps the file readable.)
LOL Q: What do you get when you eat too much hash brownies?
A: A pot belly
Brute Force
Start a brute force attack on simple.hash.step2. John the Ripper will try all possible ‘combinations’ to guess the password; in John's terms this is incremental mode, which works through ever longer candidates. The more complex the password, the longer this type of attack takes.
Exciting!
CTF $2, the second part of the flag, can be found within the pdf file.
Encrypted PDF cracking - Method 2
A second way to find passwords is to compare a pre-calculated list of passwords with the hash that you obtained from, for example, a PDF. This way of cracking passwords may have more success because these dictionaries are based on passwords people really use.
Of course, you need a list or dictionary. In Kali Linux some are included (in /usr/share/wordlists). Or you can find them online, for example at http://weakpass.com/lists. Really complete and up-to-date lists are also offered for sale on the dark web through illegal channels.
As you will see later, the password for this PDF has 14 characters and is a combination of lowercase letters and digits. That is 36 possible characters per position, so there are 36^14 = 6 140 942 214 464 815 497 216 (about 6.1 × 10^21) combinations. With a computer that can guess 1 000 000 000 passwords per second it would still take roughly 195 000 years to check all combinations (on average the right one turns up after half that time). And a billion per second is wildly optimistic for PDF hashes on a CPU: compare it with the c/s you measured earlier. A brute force attack is pointless here.
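The arithmetic behind the ‘Permuwhat?!?’ question and the 14-character estimate above, as an added example that is not part of the original course material: it computes keyspace sizes and worst-case cracking times from an alphabet size, a length and a guess rate, so you can plug in the c/s figure from your own john benchmark. The helper names, the 1 000 000 000 c/s figure (the tutorial's own assumption) and the 100 000 c/s "realistic CPU" figure are this example's choices, not measurements.

```python
"""Keyspace and time-to-crack arithmetic (added example, not course code)."""
import string

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def charset_size(lower: bool = True, upper: bool = False,
                 digits: bool = False, symbols: bool = False) -> int:
    """Size of the alphabet a password is drawn from (ASCII only)."""
    return (26 * lower) + (26 * upper) + (10 * digits) + (len(string.punctuation) * symbols)


def keyspace(alphabet: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters: every position can
    independently take any of `alphabet` values, hence alphabet ** length.
    Python ints are unbounded, so 36 ** 14 does not overflow here."""
    return alphabet ** length


def keyspace_up_to(alphabet: int, max_length: int) -> int:
    """An incremental (brute force) run tries every shorter length first, so the
    work for "at most max_length characters" is the sum over all lengths."""
    return sum(alphabet ** n for n in range(1, max_length + 1))


def years_to_exhaust(space: int, rate: float) -> float:
    """Worst case: every candidate hashed once at `rate` candidates per second.
    Use the c/s that john --test reported on your machine for the hash type you
    are attacking; on average the right password turns up after half this time."""
    return space / rate / SECONDS_PER_YEAR


def report(alphabet: int, length: int, rate: float) -> str:
    """One human-readable line for a charset/length/rate combination."""
    years = years_to_exhaust(keyspace(alphabet, length), rate)
    if years >= 1:
        return f"{length} chars from {alphabet}: {years:,.0f} years at {rate:,.0f} c/s"
    return f"{length} chars from {alphabet}: {years * 365.25:,.1f} days at {rate:,.0f} c/s"


if __name__ == "__main__":
    mixed = charset_size(lower=True, upper=True, digits=True)  # the tutorial's 62
    lower_digits = charset_size(lower=True, digits=True)       # the 14-char PDF: 36
    assumed_rate = 1_000_000_000  # the tutorial's "1 000 000 000 passwords / second"
    print(report(mixed, 8, assumed_rate))
    print(report(lower_digits, 14, assumed_rate))
    # Illustrative (assumed) CPU rate for a slow format such as PDF:
    print(report(lower_digits, 14, 100_000))
```

Note how the 8-character mixed-case password already sits within reach of a fast hash at a billion guesses a second (a matter of days), while the 14-character one does not, even though its alphabet is smaller: length dominates the exponent.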
The dictionary attack
NOTE This type of attack only works if the password is in the list. Adding --rules makes John also try mangled variants of every word (appended digits, capitalisation, and so on), which catches many more real-world passwords at the cost of more candidates.
# cp /usr/share/wordlists/rockyou.txt.gz ./
# gunzip -q rockyou.txt.gz
# john complex.hash.step2 --wordlist=<path to rockyou.txt>
CTF $3, the last part of the flag, can be found within the pdf file.
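A toy version of both attack modes used in this tutorial, the Brute Force step of Method 1 and the dictionary attack of Method 2, added here as an illustration; it is not the course's code and not how John or the PDF format actually hash anything. Brute force enumerates every candidate up to a length, the way John's incremental mode does; the dictionary attack runs a small constructed word list (standing in for rockyou.txt) through a few mangling rules, the way --wordlist with --rules would. The target ‘hash’ is plain salted SHA-256 chosen for the example; a real PDF password is checked through the PDF standard's own key derivation, which John's pdf format implements. The salt, the word list and the rule set are all this example's own assumptions.

```python
"""Toy brute force and dictionary attack (added example, not course code)."""
import hashlib
import itertools
import string
from typing import Iterable, Iterator, Optional, Tuple

# Constructed stand-in for the target's hash scheme. Real PDF encryption uses
# its own (RC4/AES based) key derivation; salted SHA-256 keeps this self-contained.
SALT = b"pdf-demo"


def hash_password(password: str) -> str:
    return hashlib.sha256(SALT + password.encode()).hexdigest()


def brute_force(target: str, charset: str, max_len: int) -> Tuple[Optional[str], int]:
    """Incremental-style search: every string of length 1..max_len over charset.
    Returns (password or None, number of candidates hashed)."""
    tried = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            tried += 1
            if hash_password(candidate) == target:
                return candidate, tried
    return None, tried


def mangle(word: str) -> Iterator[str]:
    """A handful of rules in the spirit of John's wordlist rules: the word as
    is, capitalised and upper-cased, each with common suffixes, plus leetspeak."""
    for w in sorted({word, word.capitalize(), word.upper()}):
        yield w
        for suffix in ("1", "123", "!", "2018"):
            yield w + suffix
    yield word.replace("a", "@").replace("e", "3").replace("o", "0")


def dictionary_attack(target: str, wordlist: Iterable[str],
                      rules: bool = True) -> Tuple[Optional[str], int]:
    """Hash every word (and, with rules, its mangled variants) and compare.
    Returns (password or None, number of candidates hashed)."""
    tried = 0
    for word in wordlist:
        for candidate in (mangle(word) if rules else (word,)):
            tried += 1
            if hash_password(candidate) == target:
                return candidate, tried
    return None, tried


# Constructed mini word list standing in for rockyou.txt.
WORDLIST = ["123456", "password", "iloveyou", "princess", "sunshine", "football", "monkey"]

if __name__ == "__main__":
    # Short and random-looking: brute force gets it, the dictionary does not.
    short = hash_password("cat")
    print("brute force :", brute_force(short, string.ascii_lowercase, 3))
    print("dictionary  :", dictionary_attack(short, WORDLIST))
    # Long but human: brute force over 3 characters never gets there, a
    # dictionary word plus a rule finds it after a few dozen hashes.
    human = hash_password("Sunshine2018")
    print("brute force :", brute_force(human, string.ascii_lowercase, 3))
    print("dictionary  :", dictionary_attack(human, WORDLIST))
    print("no rules    :", dictionary_attack(human, WORDLIST, rules=False))
```

The attempt counters are the point: the 12-character ‘Sunshine2018’ is unreachable by exhaustive search at any sensible rate, yet falls in 64 hashes because it is a dictionary word with a predictable mangling; the same run without rules misses it. Conversely nothing in the list, mangled or not, produces ‘cat’, which brute force finds after 2 074 candidates.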
CTF
This is the flag:
flag{$1_$2_$3}
Challenge
Strong password?
Do you use a strong password?
http://lifehacker.com/four-methods-to-create-a-secure-password-youll-actually-1601854240
http://webwereld.nl/security/101346-4-wachtwoordmythes-om-uit-te-bannen/
Alternatives
An alternative to JTR is Hashcat, which is designed primarily for GPU cracking and reaches far higher c/s on fast hash types.
Addendum
We feel it might be best to end this article with a little word on ethics. Although it very well might not be your case, there are those few who've seen Hackers too many times and think of cracking (as opposed to hacking) as a cool activity. We only suggest you try and use your knowledge for good, not for something that has a 99.8% chance of failing and getting you a nice criminal record. Have fun.
References
https://linuxconfig.org/password-cracking-with-john-the-ripper-on-linux
http://bcrypthashgenerator.apphb.com/
https://countuponsecurity.files.wordpress.com/2016/09/jtr-cheat-sheet.pdf
https://www.mathsisfun.com/combinatorics/combinations-permutations-calculator.html
https://betterexplained.com/articles/easy-permutations-and-combinations/
https://superuser.com/questions/1300501/john-the-ripper-old-hash-format
https://hashc.co.uk/pdf2john