Download, unpack and build (commands as typed; "johnny" is the directory the tarball was fetched into):
$ cd johnny/
$ wget http://www.openwall.com/john/g/john-1.7.3.1.tar.gz
$ tar zxvf *.tar.gz
$ ls
john-1.7.3.1 john-1.7.3.1.tar.gz
$ cd john-1.7.3.1/src
$ make clean generic
$ cd ../run
Documentation: http://www.openwall.com/john/doc/
See also the build instructions: http://www.openwall.com/john/doc/INSTALL.shtml
Windows hash dumping / cracking tools:
pwdump
cain
l0phtcrack
Run a named session so it can be stopped and resumed later:
$ john -session:name name_hash
$ nice nohup john -restore:name > screen.log &
The "name_hash" file is in pwdump format, user:RID:LM hash:NT hash:::, e.g.
Admin:500:cd7bedf2b51fbaaf59940cc6013732a8:ad7bfdf3b52fbd7c59940af6013722a8:::
If you don't have the LM hash (e.g., on Vista, which doesn't store LM hashes by default), substitute any hex string of the same size (32 hex characters) in the LM field and crack the NT hash directly:
$ john -session:datetoday --incremental -format:NT adminHash
With the LM hash, use
$ john --incremental:LanMan name_hash
For example, for a session named "admin":
$ john -session:admin admin_hash
$ nice nohup john -restore:admin > screen.log &
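A small parser for the pwdump-format records described above, added here as an example (it is not part of these notes or of John). It validates each user:RID:LM:NT::: line and reports which accounts still have a real LM hash stored, i.e. the weak case that the notes handle separately from the NT-only case. The "no LM hash" detection assumes the convention that dumping tools write the LM hash of the empty password in the LM field when the system does not store LM hashes; the second sample record is constructed to show that case.

```python
import re

# Well-known LM hash of the empty password. Dumping tools put it in the LM
# field when the system does not store LM hashes (the default on Vista and
# later), so it marks "no LM hash" rather than a real hash. (Assumed
# convention, not something these notes state.)
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_pwdump_line(line):
    """Parse one pwdump-format record: user:RID:LM hash:NT hash:::

    Returns a dict with the user, RID, both hashes (lower-cased) and
    whether a real LM hash is present. Raises ValueError on bad input.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) < 4:
        raise ValueError("expected user:RID:LM:NT:::, got %r" % line)
    user, rid, lm, nt = fields[:4]
    if not user:
        raise ValueError("empty user name in %r" % line)
    if not rid.isdigit():
        raise ValueError("RID must be numeric in %r" % line)
    if not HEX32.match(lm) or not HEX32.match(nt):
        raise ValueError("LM and NT hashes must be 32 hex chars in %r" % line)
    lm = lm.lower()
    nt = nt.lower()
    return {
        "user": user,
        "rid": int(rid),
        "lm": lm,
        "nt": nt,
        "has_lm": lm != EMPTY_LM_HASH,
    }


def accounts_with_lm_hash(dump_text):
    """Return the user names whose records still carry a real LM hash."""
    names = []
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        rec = parse_pwdump_line(line)
        if rec["has_lm"]:
            names.append(rec["user"])
    return names


# Constructed sample dump: the first record is the example line from the
# notes; the second is a made-up account whose LM field holds the
# "no LM hash" placeholder.
SAMPLE_DUMP = """\
Admin:500:cd7bedf2b51fbaaf59940cc6013732a8:ad7bfdf3b52fbd7c59940af6013722a8:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

if __name__ == "__main__":
    for name in accounts_with_lm_hash(SAMPLE_DUMP):
        print("LM hash still stored for:", name)
```

Run against a real dump, the list it prints is the set of accounts for which LM hash storage should be disabled; everything else only carries an NT hash and the -format:NT route applies.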
NT hashes are not feasible to brute-force over the full keyspace (see the estimate below).
MSCache passwords are salted by username; a dedicated MS Cache brute-forcer:
http://blog.distracted.nl/2009/05/cacheebr-ms-cache-password-brute-forcer.html
See also
http://www.openwall.com/john/doc/EXAMPLES.shtml
http://www.openwall.com/john/doc/OPTIONS.shtml
The standard keyboard has the following character set:
:`1234567890-=~!@#$%^&*()_+qwertyuiop[]asdfghjkl;'zxcvbnm,./\QWERTYUIOP{}ASDFGHJKL:"ZXCVBNM<>?|
so NTLM might take a while. With 97 characters and, say, 14-character passwords, 97^14 ≈ 10^27 candidates. At 10,000 keys per second that is 10^23 seconds ≈ 10^15 years. For comparison, the universe is 10^7 years old. At this key rate, 10,000 computers would still need 10^11 years. So having more and faster computers is not sufficient.
JtR and local Unix accounts: merge passwd and shadow into one file for John:
$ sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > localpasswds
However, JtR doesn't support the SHA-crypt hashes that Ubuntu 9.10 uses:
http://www.linuxquestions.org/questions/linux-security-4/password-hash-721494/
https://lists.ubuntu.com/archives/ubuntu-devel/2008-August/026204.html
The "correct" way on Ubuntu is to have physical access and reboot into single-user mode:
http://www.psychocats.net/ubuntu/resetpassword
and similarly for Macs:
http://www.macyourself.com/2009/08/03/how-to-reset-your-mac-os-x-password-without-an-installer-disc/
Multi-core: use MPI
http://www.oiepoie.nl/2007/02/11/high-speed-password-cracking-with-john-the-ripper/
MPI patch: http://bindshell.net/tools/johntheripper
http://www.experts-exchange.com/Security/Q_21236953.html
http://opensource.apress.com/index.php?id=57
djohn (distributed John):
http://ktulu.com.ar/blog/software/djohn/
Limiting CPU per user: http://www.howtoforge.com/forums/showthread.php?p=137522
Test machine: quad core with Ubuntu 9.10
$ uname -a
Linux user-desktop 2.6.31-17-generic #54-Ubuntu SMP Thu Dec 10 17:01:44 UTC 2009 x86_64 GNU/Linux
$ cat /proc/cpuinfo
Intel Core2 Quad CPU Q8200 @ 2.33GHz
with 8 GB RAM and SATA hard drives
$ sudo hdparm -Tt /dev/sda1
/dev/sda1:
Timing cached reads: 3304 MB in 2.00 seconds = 1651.85 MB/sec
Timing buffered disk reads: 312 MB in 3.00 seconds = 104.00 MB/sec
Benchmark using John 1.7.2:
$ john --test
Benchmarking: Traditional DES [64/64 BS]... DONE
Many salts: 1145K c/s real, 1147K c/s virtual
Only one salt: 1057K c/s real, 1059K c/s virtual
Benchmarking: BSDI DES (x725) [64/64 BS]... DONE
Many salts: 39233 c/s real, 39233 c/s virtual
Only one salt: 38769 c/s real, 38769 c/s virtual
Benchmarking: FreeBSD MD5 [32/64 X2]... DONE
Raw: 9989 c/s real, 9989 c/s virtual
Benchmarking: OpenBSD Blowfish (x32) [32/64]... DONE
Raw: 349 c/s real, 350 c/s virtual
Benchmarking: Kerberos AFS DES [48/64 4K]... DONE
Short: 312969 c/s real, 312969 c/s virtual
Long: 995059 c/s real, 995059 c/s virtual
Benchmarking: NT LM DES [64/64 BS]... DONE
Raw: 9532K c/s real, 9546K c/s virtual
Benchmarking: NT MD4 [Generic 1x]... DONE
Raw: 9465K c/s real, 9465K c/s virtual
Benchmarking: M$ Cache Hash [Generic 1x]... DONE
Many salts: 12955K c/s real, 12955K c/s virtual
Only one salt: 5242K c/s real, 5242K c/s virtual
Benchmarking: LM C/R DES [netlm]... DONE
Many salts: 431069 c/s real, 431069 c/s virtual
Only one salt: 420692 c/s real, 420692 c/s virtual
Benchmarking: NTLMv1 C/R MD4 DES [netntlm]... DONE
Many salts: 615903 c/s real, 615903 c/s virtual
Only one salt: 590746 c/s real, 590746 c/s virtual
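An added example (not from these notes or from John) that ties the keyspace arithmetic above to the benchmark output just shown: it parses the "c/s real" figures out of `john --test` output and then computes how long an exhaustive search of 97^14 candidates would take at a given rate, with and without splitting the work across many machines. It carries the arithmetic through without the rounding used in the notes (97^14 is closer to 6.5×10^27 than 10^27), so the figures it prints are somewhat larger than the 10^15 years quoted above but lead to the same conclusion. The sample benchmark text is constructed from the NT LM DES and NT MD4 lines above; the rate of 10^4 keys/s, 97 characters and length 14 are the notes' own assumptions.

```python
import math
import re

# Constructed excerpt of `john --test` output, copied from the benchmark
# lines in these notes.
SAMPLE_BENCHMARK = """\
Benchmarking: NT LM DES [64/64 BS]... DONE
Raw: 9532K c/s real, 9546K c/s virtual
Benchmarking: NT MD4 [Generic 1x]... DONE
Raw: 9465K c/s real, 9465K c/s virtual
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600
SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

_HEADER = re.compile(r"^Benchmarking:\s+(.+?)\s+\[")
_RATE = re.compile(r"^(Raw|Many salts|Only one salt|Short|Long):\s+(\d+)([KMG]?) c/s real")


def parse_john_test(output):
    """Map each benchmarked format name to its 'real' c/s rate.

    For salted formats only the first rate line (the faster 'Many salts'
    figure) is kept; unsalted formats have a single 'Raw' line.
    """
    rates = {}
    current = None
    for line in output.splitlines():
        m = _HEADER.match(line)
        if m:
            current = m.group(1)
            continue
        m = _RATE.match(line)
        if m and current and current not in rates:
            rates[current] = int(m.group(2)) * SUFFIX[m.group(3)]
    return rates


def log10_keyspace(charset_size, length):
    """log10 of the number of candidates when every password of exactly
    `length` characters over `charset_size` symbols is tried (97^14 above)."""
    return length * math.log10(charset_size)


def years_to_exhaust(charset_size, length, keys_per_second, machines=1):
    """Years needed to try the whole keyspace at `keys_per_second`, with the
    work split evenly over `machines` machines. Done in log space so very
    large keyspaces do not overflow a float."""
    log_seconds = (log10_keyspace(charset_size, length)
                   - math.log10(keys_per_second)
                   - math.log10(machines))
    return 10 ** (log_seconds - math.log10(SECONDS_PER_YEAR))


if __name__ == "__main__":
    rates = parse_john_test(SAMPLE_BENCHMARK)
    # The notes' back-of-the-envelope rate of 10,000 keys/s ...
    print("years at 10^4 c/s: %.2g" % years_to_exhaust(97, 14, 1e4))
    # ... versus the NT MD4 rate this machine actually benchmarked.
    nt_rate = rates["NT MD4"]
    print("years at %d c/s (NT MD4): %.2g" % (nt_rate, years_to_exhaust(97, 14, nt_rate)))
    print("same rate, 10,000 machines: %.2g years"
          % years_to_exhaust(97, 14, nt_rate, machines=10_000))
```

Even at the measured NT MD4 rate, roughly a thousand times the notes' assumed 10^4 c/s, the full 14-character keyspace is still tens of trillions of years away, and ten thousand such machines only bring that down to billions of years; this is the sizing argument behind minimum password length and character-set requirements.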