[00:00:06] - [Instructor] So let's start off with password cracking with John the Ripper. John the Ripper is one of the longtime favorite password cracking programs. It comes with Kali Linux, and is one of the standards that we use for password cracking. Very easy to crack. And we're gonna show a demo of how to use John the Ripper in depth.

[00:00:28] So let's take a look at a demo of John the Ripper. If you just type john at the command line of your Kali box, you'll see John the Ripper's help menu. And basically you just type john, some options, and then the password file that you're trying to crack.

[00:00:46] So one of the options is a word list. So if you wanna use a dictionary list to crack passwords, you can use that. Use the rules switch to do some mangling rules for the word list, so it'll switch all O's to zeros, all I's to ones, and those types of things. It'll change uppercase to lowercase. And it'll try to manipulate the words for several different combinations in order to crack more passwords.
[00:01:15] There's also the show command, where if you run that against the password hash list, it'll show all the passwords you have cracked so far. And there's the pot switch, which basically, the pot file in John the Ripper is a file that's used to list all the passwords that have been cracked so far. There's also the format switch, which will tell John the Ripper which hash format you're trying to crack. So by default, John the Ripper will try to pick the hash format based off of the hash that you have listed. It'll automatically try to detect what format it's in, but for some cases, like the one we're gonna show you now, it has two different hash formats in it. So you can specifically say which format you're trying to crack.

[00:02:03] So let's look at this password file that we're gonna crack. So in here, this is a standard Windows password file. You can see the username, you can see the LM hash first, and then the second one after the colon is the NT hash. So like we mentioned before, the LM hash is kind of an outdated way of storing passwords which older versions of Windows used.
[00:02:29] And it's very easy to crack passwords using this hashing algorithm. It's because it stores it in such an insecure manner. It converts all of your passwords to uppercase, then splits it in two, so it is very easy to crack. But then second, on later versions of Windows, they stored only the NT hash. It still has a spot for the LM hash, just in case you're storing both. But the NT hash is the one that you'll need to crack in order to log into the account.

[00:03:00] So you'll see a whole list of users and their hashes. So if we just do john, and run it against the password hash, you see instantly we start cracking passwords, and you can see there all the passwords that are getting cracked are uppercase, which means that it's automatically doing the LM hash first. And you can see over on the left side are all the passwords that you're cracking. On the right side are the users that it's cracking the passwords for. If you notice, all the user accounts have a number after them, either one or two, and that also shows you that this is an LM hash.
[00:03:47] Let's look up above at the very top to show you that it is cracking LM hashes, and we'll go into more details on what those numbers mean. So you can see, detected type, LM, and that's what it's cracking, but it also says that it also recognized NT hashes in there. We're starting off by cracking the LM, but it also has NT in there as well.

[00:04:14] So the numbers after the passwords are telling you which part of the password it's cracking. Remember LM hashes, by default, they split the password in two sections, two seven-character sections. So the word password, since it's more than seven characters, it'll split everything up until the last D, and put it into one side of the password, and then the D will be in the second side of the password. So it splits it in two. And so the number on the side there shows you which side of the password it's cracking. If it shows one, that means it cracked the first half of the password. If it shows two, that means it cracked the second half of the password. And that's really because LM hash has split those two.
[00:04:58] So if you hit any key while John the Ripper is running, it'll pop up a little status menu. So just hit Space Bar, and it pops up the status menu at the bottom. So if you look at the bottom, it says we have cracked 456 passwords, or at least parts of passwords. And it's done that within one minute and 21 seconds. This is running within a virtual machine, so it's slower than it probably would be if you're running it right on your main machine. And you see the percentage it's cracked, 0.02% of the password combinations so far. It tells you when it believes it'll finish the password cracking, and it tells you how fast it's cracking as well. You can see it's cracking thousands of passwords per second. Over to the far right, it shows what password it's currently guessing. And you can see it goes pretty quickly.

[00:05:54] So, as it says, passwords printed above might be partial, and that's because it is the LM hash, which does split passwords into two. And that's just because of how Microsoft's algorithm works.
[00:06:10] So if we do john, the show command, and the password hashes, it'll show you all the passwords that it's cracked so far. So if you look at the bottom one, the user name, greg, it has cracked part of the password. You can tell that because the first half of the password is all question marks, so it doesn't know what that password is yet. The second half of the password is ACME. So it has fully cracked that, and this is only the LM side. We did not try to crack the NT side of the hash yet.

[00:06:41] So once again, Windows stores the passwords in both. So let's say you have a password. Your actual password is, let's say, password, and it's all lowercase. The LM side of it will make it appear like it's all uppercase, and the NT side will show the correct all lowercase. And to actually log into that account, you'll have to type it in exactly how it is on the NT side to log in. So you would have to understand that it is lowercase.

[00:07:12] So you can see it's still working on Greg's password there. And it's just cracked that first half, which is that LM side.
[00:07:20] The NT side, which we're highlighting right now, that is the side it will crack next. You can see there's a lot of people with the same password. You see those accounts that are just highlighted all have the same password. And because these password hashes are not salted, you can see the password hash to the right of all those looks exactly the same. That's because they have the same exact password. A good number of passwords that we have cracked so far. It says there's 20 passwords left. We have cracked 492 passwords.

[00:07:55] So let's look at John's files that it creates. If you look in your home directory, in the hidden directory called .john, there are three files. There's the john.log file, the john.pot file and the john.rec file. The john.pot file is where it stores all of the passwords that have been cracked. The john.rec file is where it monitors exactly where you stopped a password crack. You see we stopped the password cracking in the middle of it, so if we start it up again, it'll pick it up right back where it left off, because of the john.rec file.
[00:08:33] So let's take a look at this john.pot file. So you can see here, it shows LM hashes, and shows the hash, and then it'll show the password that was cracked. And we have cracked a lot of passwords so far.

[00:08:51] So let's change the format to NT. So it's the --format=nt. And so now, instead of cracking LM hashes, we're gonna crack NT hashes. And you see really quickly, just brute forcing the passwords, it has quickly cracked a good number of passwords. It's loaded 289 password hashes, and within seconds cracked many of the passwords. And this is strictly through brute force. So it's just guessing many password combinations and hoping to hit one of those. You can see that it cracked 96 passwords within a few seconds.

[00:09:32] We just stopped the scan so we can show you what passwords were cracked. So if we just do john --show and then the password file, it'll only show the LM hashes that were cracked. We have to specifically say --format=nt to show the NT passwords that were cracked. So now we can see the corrected case.
[00:09:56] You see password is actually capital P, and then the rest of the characters are lowercase. And we are cracking the second half, which is the NT hash. Some of the accounts don't have any password at all. Some of the accounts have really easy passwords. The username is the same as the password. So those cracked really quickly.

[00:10:20] So let's look at some dictionary attacks. So John comes with its own dictionary, and it has a lot of passwords in here. We're not gonna scroll through all of them. A lot of the passwords have some foul language in there, 'cause people end up using a lot of swear words with their passwords. So John the Ripper picks the most common passwords that people use and puts them into a password file, so you'll end up seeing a lot of crazy words in there.

[00:10:49] So you can edit the file if you want to add your own passwords to it, or you can just create your own password file and use that as your own word list. We're just gonna add mypassword to the John list, just for demonstration purposes. Let's see how it looks to actually crack it.
[00:11:11] So if we're using the --rules, it'll mangle each password to crack more passwords; use the word list switch, and then give the path to the word list that we're using, and then you put the password file that we're cracking.

[00:11:29] Let's do format LM just so you can see that we're specifically using LM hashes, and that finished within seconds. We did the NT and that also finished within seconds. Within less than a second, it went through the entire password list and guessed, and did not find anything. I mean, we already cracked a good number of the passwords already. So it doesn't show you which passwords would've been cracked through this if it already has the password in the john.pot file.

[00:11:58] So we just added a new password, winter14, a common password, just to see if this is in the word list. So within a second, you could see that one account used winter14 as their password. And so dictionary cracking is highly recommended as well. You could see how quick it goes through a dictionary.

[00:12:22] So the john.pot file is where it's storing all of these.
[00:12:26] So if we remove this john.pot file, then it has no record of the passwords we've already cracked, and we can run the dictionary again and see how quickly it finds those passwords. So you saw within less than a second, it guessed 71 passwords, just strictly based off the dictionary that we were using. And that is John the Ripper.
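Added example (the editor's, not from the video and not part of John the Ripper): a small Python audit over a pwdump-style dump in the user:RID:LM:NT::: layout the video walks through, flagging the three weaknesses the instructor points out, accounts that still store an LM hash, accounts with an empty password, and unsalted NT hashes shared by several accounts. It assumes the standard pwdump field order with the RID between the username and the LM hash; the two empty-string hash constants are the well-known real values, and every other hash in the sample is a constructed placeholder.

```python
# Editor's added example: audit a pwdump-style dump (user:RID:LMhash:NThash:::)
# for the weaknesses described in the video. Not code from the video or from
# John the Ripper; the field order is the standard pwdump layout (assumed).
from collections import defaultdict

# Well-known hashes of the empty string for the two Windows formats (real values).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse_pwdump(lines):
    """Yield (user, lm, nt) from pwdump lines; skip blanks, comments and malformed rows."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        user, lm, nt = fields[0], fields[2].lower(), fields[3].lower()
        if len(lm) != 32 or len(nt) != 32:  # both hashes are 16 bytes as hex
            continue
        yield user, lm, nt


def audit(lines):
    """Return findings: LM still stored, blank passwords, and NT hashes shared by >1 user."""
    lm_present, empty_pw = [], []
    by_nt = defaultdict(list)
    for user, lm, nt in parse_pwdump(lines):
        if lm != EMPTY_LM:      # LM kept: uppercase, split 7+7, trivially crackable
            lm_present.append(user)
        if nt == EMPTY_NT:      # blank password
            empty_pw.append(user)
        by_nt[nt].append(user)  # unsalted: identical hash means identical password
    shared = {h: users for h, users in by_nt.items() if len(users) > 1 and h != EMPTY_NT}
    return {"lm_present": lm_present, "empty_password": empty_pw, "shared_nt": shared}


# Constructed sample dump; the non-empty hashes are placeholders, not real hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
greg:1001:11111111111111112222222222222222:33333333333333333333333333333333:::
alice:1002:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
bob:1003:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
broken line without enough fields
""".splitlines()

if __name__ == "__main__":
    for finding, value in audit(SAMPLE_DUMP).items():
        print(f"{finding}: {value}")
```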