Passwords are used to authenticate an account owner to a given system. The characters that are typed in by the user are encrypted with a one-way form of encryption called hashing. It is considered one-way as it is mathematically “impossible” to reverse the encrypted ciphertext hash back into the original plaintext password.
If hash algorithms are one-way, how am I supposed to “crack” a hash encrypted password? Astute readers must be rocking in their chairs at this point. The common means to accomplish password cracking is to guess every single possible plaintext input, run it through the hashing encryption algorithm, and then compare the result to the hashes collected from the target. Yes, your poor computer will be breaking a sweat to accomplish this as fast as it can.
This quick guide will focus on password cracking using John the Ripper, an open source password cracking tool. There is actually a paid version which provides precompiled and optimized binaries for Linux or OS X, quite convenient. We will be patching and compiling the free version of john ourselves.
Shopping List
- A linux system (physical or virtual) - Ubuntu is a good place to start.
- john-1.7.3.4.gz
- The Jumbo patch for 1.7.3.4, revision 3
- pwdump6 or fgdump - Use either to dump hashes from the SAM database on the target Windows box.
Unpack and make
Start by opening a terminal on your linux box that you downloaded the john files to. You will notice they end in a .gz extension which means these files are compressed using GNU zip (or gzip for short.) To uncompress john, run these commands:
tar xvzf john-1.7.3.4.tar.gz
cd john-1.7.3.4
Let's get this started...
If you are performing a password audit on systems that still have LanMan (LM) hashing enabled, for the win! Your job is nearly done as john supports this format with no patches and can guess them at blazing speed! My 2.6Ghz Core 2 Duo MacBook Pro running john 1.7.3.4 with no optimizations easily hits 22 million hash generations per second! Since LM is case insensitive and splits passwords into two 7 character strings and then hashes them, here's the default john.conf setting for LM hashes:
[Incremental:LanMan]
File = $JOHN/lanman.chr
MinLen = 0
MaxLen = 7
CharCount = 69
So, what if LanMan hashing has been disabled on your target or you need to crack a different hash algorithm? First of all, you will need to patch john to support the desired hash format (we'll assume md4) by following this guide to coaxing john to do your dirty work.
Windows Password Hash Extraction
Windows stores user passwords in the SAM (Security Account Manager) database. This file is locked by the operating system to prevent a user from extracting it’s contents. Yet, it still needs a working copy placed in memory somewhere, so we will exploit this design by copying the contents of the “locked” file directly from memory. I recommend two utilities for the job: pwdump and fgdump.
pwdump has been around for quite some time and has become the defacto choice. Unfortunately, as new features are added into Windows, so much the tool. The current version is pwdmp6 which adds support for 64bit systems and remote hash collection (with appropriate administrator credentials.)
fgdump is a fork of pwdump, aiming to add features such as the ability to automatically stop the Symantec Anti-Virus service, collect the hashes and then restart AV. This is required as Symantec has (quite accurately) categorized pwdump and fgdump as “hacker tools.” In practice however, this feature rarely works and even if it does successfully stop the AV service, I have seen instances where it was unable to re-enable the service, potentially leaving your server without it. For this reason, I highly recommend telling fgdump to not disable AV (by using the –n switch) and instead disable and re-enable AV yourself. Packers are another solution but I won’t discuss them here.
Patch ‘er up!
John does not support the hashing algorithm (NTLM or md4) used by Windows XP and up out of the box. We will need to apply a source code patch to add this functionality. Don’t worry if you don’t know what I’m talking about yet, as the command (from the john-1.7.3.4 directory) to accomplish it is simply:
gzip -dc ../john-1.7.3.4-jumbo-3.diff.gz | patch -p1
If you are on Ubuntu, the patch command and the required openssl library are likely not installed. You can get them by running:
sudo apt-get install patch libssl-dev
Finally, we just need to compile john from source to get our binary.
cd src
make linux-x86-sse2
If you are on a 64bit linux computer, use this make option:
make linux-x86-64
If you are on a modern OS X 10.5+ computer, use this make option instead:
make macosx-x86-64
Done? Test john out with:
cd ../run
./john -test
If you are targeting a Windows system, make sure you see a line with output similar to the following:
Benchmarking: NT MD4 [128/128 X2 SSE2-16]... DONE
Raw: 25628K c/s real, 25628K c/s virtual
Great, now it’s time to punish your box! I mean, start up john. Don't forget to change the last argument to your hash file.
...
./john --format=NT ~/my-windows-hashes-file.pw
Loaded 10 password hashes with no different salts (NT MD4 [128/128 X2 SSE2-16])
...
Run john, Run! See passwords fly! We can now walk away and come back in a few days to check progress! Or you could just go grab a beer... Or a dozen, as you'll be waiting for quite some time (possibly infinitely.)
Hope that helped. Please feel free to email me with any questions.
