HankMoody Posted November 25, 2016

Hello, I have used JTR in the simplest way:

root@kali:~/ctf# john shadow.bak
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
Password1 (heffer)
obiwan6 (minotaur)

I read the notice, it seems I use the "single crack mode". Here are this mode's details:

"This is the mode you should start cracking with. It will use the login names, "GECOS" / "Full Name" fields, and users' home directory names as candidate passwords, also with a large set of mangling rules applied. Since the information is only used against passwords for the accounts it was taken from (and against password hashes which happened to be assigned the same salt), "single crack" mode is much faster than wordlist mode. This permits for the use of a much larger set of word mangling rules with "single crack", and their use is always enabled with this mode. Successfully guessed passwords are also tried against all loaded password hashes just in case more users have the same password. Note that running this mode on many password files simultaneously may sometimes get more passwords cracked than it would if you ran it on the individual password files separately."

I don't quite understand some things.

"It will use the login names, "GECOS" / "Full Name" fields, and users' home directory names as candidate passwords"

What GECOS/Full Name is it referring to? What wordlists are used (if it does use some)?

Thanks
digininja Posted November 25, 2016

All you could want to know about the GECOS field: https://en.wikipedia.org/wiki/Gecos_field

For the second part:

"single crack" mode is much faster than wordlist mode.

i.e. it doesn't use a word list, it just uses the GECOS info
HankMoody Posted November 26, 2016 (Author)

I understand, it seems very little information:

User's full name (or application name, if the account is for a program)
Building and room number or contact person
Office telephone number
Home telephone number
Any other contact information (pager number, fax, external e-mail address, etc.)

The finger command shows the information which is set in the GECOS/Comment field.

It does not seem the password obiwan6 for the user minotaur was in the GECOS information. I suggest JTR has switched by itself to the Wordlist mode with its own dictionaries to find the password obiwan6. :)
digininja Posted November 26, 2016

Had you previously cracked those two passwords using a word list? Anything already cracked is stored in the pot so it doesn't have to be cracked a second time.
HankMoody Posted November 28, 2016 (Author)

I mostly use the rockyou dictionary.

root@kali:~/ctf# more rockyou.txt | grep -w "Password1"
Password1
Password1!
Password1@
Password1?
Password1.
%Password1
!Password1
root@kali:~/ctf# more rockyou.txt | grep -w 'obiwan6'
root@kali:~/ctf#

So I don't know where obiwan6 comes from, but I don't care. Thanks
digininja Posted November 28, 2016

If you have word mangling turned on then modifications are made to the words in the list. Both Obiwan6 and obiwan are in that list so I'd assume that is where it came from.

Delete the john.pot file and then rerun the command that brought you here and you should find that it doesn't find anything
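An added example (not from the thread and not JtR's own code) in Python showing the two ideas above: which seed words single-crack mode draws from a passwd entry, and how a small set of mangling rules turns a wordlist entry such as obiwan or Obiwan6 into obiwan6. The passwd line, the four-word stand-in for rockyou.txt and the rule set are constructed for illustration; JtR's real rule set is far larger. The same functions double as a policy check that rejects a password derivable from the user's own account data or from a wordlist.

```python
import re

# Constructed sample input (not from the thread): one passwd entry for the
# user "minotaur" with a GECOS full name, and a four-word stand-in for rockyou.txt.
PASSWD_ENTRY = "minotaur:x:1001:1001:Obi Wan,Room 6,,:/home/minotaur:/bin/bash"
WORDLIST = ["obiwan", "Obiwan6", "password", "santiago"]


def seed_words(passwd_line):
    """Words single-crack mode draws from one passwd line: the login name,
    the home directory name, and the words of the GECOS full-name field
    (individually and joined together)."""
    login, _pw, _uid, _gid, gecos, home, _shell = passwd_line.split(":")
    seeds = {login, home.rstrip("/").rsplit("/", 1)[-1]}
    name_words = re.findall(r"[A-Za-z0-9]+", gecos.split(",")[0])
    seeds.update(name_words)
    if len(name_words) > 1:
        seeds.add("".join(name_words))
    return sorted(seeds)


def mangle(word):
    """A deliberately small rule set (assumption, not JtR's rule language):
    case variants, then one digit or symbol appended to each."""
    bases = {word, word.lower(), word.upper(), word.capitalize()}
    variants = set(bases)
    for b in bases:
        variants.update(b + str(d) for d in range(10))
        variants.update(b + s for s in "!@?.")
    return variants


def derivable_from(password, seeds):
    """Return the first seed the password can be mangled from, else None.
    Use it to reject passwords that a dictionary-plus-rules run would find."""
    for seed in seeds:
        if password in mangle(seed):
            return seed
    return None


if __name__ == "__main__":
    print(seed_words(PASSWD_ENTRY))                             # ['Obi', 'ObiWan', 'Wan', 'minotaur']
    print(derivable_from("obiwan6", WORDLIST))                  # obiwan
    print(derivable_from("Password1", WORDLIST))                # password
    print(derivable_from("obiwan6", seed_words(PASSWD_ENTRY)))  # ObiWan
```

With the constructed inputs, obiwan6 is reachable both from the wordlist (obiwan plus an appended digit) and from the account's own GECOS name (ObiWan lowercased plus a digit), which is why neither grep hit in rockyou.txt was needed.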
HankMoody Posted November 28, 2016 (Author)

Yes, I've just discovered what the mangling rules are.

root@kali:~/ctf# rm ./root/.john/john.pot
root@kali:~/ctf# john shadow.bak
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:35 1.12% 2/3 (ETA: 08:48:42) 0g/s 391.0p/s 575.5c/s 575.5C/s samsung..santiago
Password1 (heffer)
obiwan6 (minotaur)

It seems they are still recovered. Anyway, tks :)
digininja Posted November 28, 2016

The pot file will be in your current directory.

$ ls -l john.pot
ls: cannot access 'john.pot': No such file or directory
$ ./john --format=Raw-MD5 --wordlist= /tmp/passw /tmp/md5pass
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 12x])
Warning: poor OpenMP scalability for this hash type, consider --fork=2
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password (?)
1g 0:00:00:00 DONE (2016-11-28 14:56) 25.00g/s 88650p/s 88650c/s 88650C/s 123456..sss
Use the "--show" option to display all of the cracked passwords reliably
Session completed
$ ls -l john.pot
-rw------- 1 robin robin 53 Nov 28 14:56 john.pot
$ ./john --format=Raw-MD5 /tmp/md5pass --show
?:password
1 password hash cracked, 0 left
$ rm john.pot
$ ./john --format=Raw-MD5 /tmp/md5pass --show
0 password hashes cracked, 1 left