John The Ripper Crack Sha512 Encryption

admin

In this post I will show you how to crack Windows passwords using John The Ripper.

John the Ripper is a fast password cracker, primarily for cracking Unix (shadow) passwords.Other than Unix-type encrypted passwords it also supports cracking Windows LM hashes and many more with open source contributed patches.

Now lets talk about the password protection method used by Windows. Windows user account passwords are typically stored in SAM hive of the registry (which corresponds to %SystemRoot%system32configSAM file), in the SAM file the password is kept encrypted using the NTLM hash is very well known for its cryptanalysis weaknesses.

Sep 30, 2019 So let’s start hacking with John, the ripper. Download the free version of john from below: Download john the ripper If you have kali Linux then John the ripper is already included in it. We will review the following four tutorials with john the ripper password cracking tool: 1. Cracking Linux Passwords 2.Cracking Password Protected ZIP/RAR. I’ve encountered the following problems using John the Ripper. These are not problems with the tool itself, but inherent problems with pentesting and password cracking in general. Sometimes I stumble across hashes on a pentest, but don’t recognise the format, don’t know if it’s supported by john, or whether there are multiple.

The SAM file is further encrypted with the SysKey (Windows 2000 and above) which is stored in %SystemRoot%system32configsystem file.During the boot-time of Windows the hashes from the SAM file gets decrypted using the SysKey and the hashes are loaded to the registry is then used for authentication purpose. Both system and SAM files are unavailable (i.e, locked by kernel) to standard programs (like regedit) during Windows’ runtime .

As told earlier NTLM hash is very weak for encrypting passwords.The NTLM encryption algorithm is explained below :

  • ASCII password is converted to uppercase
  • Padding with null is done until 14 bytes
  • Split it in two 7-byte arrays
  • Pad both to make 64 bits (8-byte) which will be used to create a DES key
  • DES-encrypt the string “[email protected]#$%” using the array as key for each 7-byte array (results 8-byte stream)
  • Join 2 cipertexts which forms the NTLM hash (16-byte)
John The Ripper Crack Sha512 Encryption
Major pitfals of NTLM hash
  • ASCII is not Unicode
  • Uppercase reduce complexity
  • LM fails with passwords length more than 14 characters
  • Salting is not available
  • It is easy to determine whether the password is less than or more than 7 characters
Cracking Windows Passwords John The Ripper

John The Ripper Crack Sha512 Encryption Free

For the sake of demonstrating this I had already set a dummy account called demo and allotted a password iRock to it, which will be cracked later-on.

Baseball stats app.
User Accounts showing demo user

I booted using the Ubuntu LiveCD and mounted my Windows partition - /dev/sda1

Then copied SAM and system files to /home/prakhar

Then installed samdump2 and John The Ripper :

Then dumped the syskey and NTLM hashes from system and SAM file, respectively :

John the ripper crack sha512 encryption tool

John The Ripper Crack Sha512 Encryption Failed

NTLM hashes recovered from SAM file

John The Ripper Crack Sha512 Encryption Download

I then bruteforced the password using John The Ripper :

John The Ripper Crack Sha512 Encryption Tool

You can clearly see above, JTR has cracked the password within matter of seconds, I aborted the session in between since password was already recovered. Mission accomplished !