I am getting ready for a password contest at Defcon that Alex and I and a few other guys from the Hashcat team are going to enter, and I decided to install John the Ripper on a CentOS box in case I needed it for anything. John is in the yum repos, however the version is pretty old and it is not compiled with NTLM support, so I decided to build it from source so that I could apply the Jumbo patch, which adds support for a whole lot of different algorithms which are normally only available in the pro version of John the Ripper.
Below I show the steps I took to get it compiled and working on CentOS 64-bit:
First off figure out where you want to keep the source of john, I like /usr/local/src but you may have a different preference:
- [root@tools ~]# cd /usr/local/src/
- [root@tools src]#
Next let's grab the latest tarball of john:
- [root@tools src]# wget http://www.openwall.com/john/g/john-1.7.6.tar.gz
- --2010-07-13 11:34:53-- http://www.openwall.com/john/g/john-1.7.6.tar.gz
- Resolving www.openwall.com... 195.42.179.202
- Connecting to www.openwall.com|195.42.179.202|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 832790 (813K) [application/x-tar]
- Saving to: `john-1.7.6.tar.gz'
- 100%[===================================================================================================================>] 832,790 272K/s in 3.0s
- 2010-07-13 11:34:56 (272 KB/s) - `john-1.7.6.tar.gz' saved [832790/832790]
- [root@tools src]#
Extract the tarball:
- [root@tools src]# tar xzvf john-1.7.6.tar.gz
- john-1.7.6/
- john-1.7.6/doc/
- john-1.7.6/doc/EXAMPLES
- .
- .
- .
- john-1.7.6/src/DES_vec.pl
- john-1.7.6/README
- [root@tools src]#
Change into our working directory:
- [root@tools src]# cd john-1.7.6
- [root@tools john-1.7.6]#
Now let's download the Jumbo patch, which is what adds the NT/LM formats:
- [root@tools john-1.7.6]# wget http://www.openwall.com/john/contrib/john-1.7.6-jumbo-4.diff.gz
- --2010-07-13 11:36:46-- http://www.openwall.com/john/contrib/john-1.7.6-jumbo-4.diff.gz
- Resolving www.openwall.com... 195.42.179.202
- Connecting to www.openwall.com|195.42.179.202|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 206601 (202K) [text/plain]
- Saving to: `john-1.7.6-jumbo-4.diff.gz'
- 100%[===================================================================================================================>] 206,601 99.8K/s in 2.0s
- 2010-07-13 11:36:48 (99.8 KB/s) - `john-1.7.6-jumbo-4.diff.gz' saved [206601/206601]
- [root@tools john-1.7.6]#
Decompress the patch file:
- [root@tools john-1.7.6]# gunzip john-1.7.6-jumbo-4.diff.gz
- [root@tools john-1.7.6]#
Patch the source files:
- [root@tools john-1.7.6]# patch -p1 <john-1.7.6-jumbo-4.diff
- patching file doc/EPi.patch.README
- patching file doc/HDAA_README
- .
- .
- .
- patching file src/x86-mmx.h
- patching file src/x86-sse.S
- patching file src/x86-sse.h
- [root@tools john-1.7.6]#
In order to build we need to change into the src directory:
- [root@tools john-1.7.6]# cd src/
- [root@tools src]#
Up until now these instructions will work on any Linux system, but when you make the binary you have to name the build target that matches your system. The complete list of targets can be seen by issuing the make command with no arguments:
- [root@tools src]# make
- To build John the Ripper, type:
- make clean SYSTEM
- where SYSTEM can be one of the following:
- linux-x86-64 Linux, x86-64 with SSE2 (best)
- linux-x86-sse2 Linux, x86 with SSE2 (best if 32-bit)
- linux-x86-mmx Linux, x86 with MMX
- linux-x86-any Linux, x86
- linux-alpha Linux, Alpha
- linux-sparc Linux, SPARC 32-bit
- linux-ppc32-altivec Linux, PowerPC w/AltiVec (best)
- linux-ppc32 Linux, PowerPC 32-bit
- linux-ppc64 Linux, PowerPC 64-bit
- linux-ia64 Linux, IA-64
- freebsd-x86-64 FreeBSD, x86-64 with SSE2 (best)
- freebsd-x86-sse2 FreeBSD, x86 with SSE2 (best if 32-bit)
- freebsd-x86-mmx FreeBSD, x86 with MMX
- freebsd-x86-any FreeBSD, x86
- freebsd-alpha FreeBSD, Alpha
- openbsd-x86-64 OpenBSD, x86-64 with SSE2 (best)
- openbsd-x86-sse2 OpenBSD, x86 with SSE2 (best if 32-bit)
- openbsd-x86-mmx OpenBSD, x86 with MMX
- openbsd-x86-any OpenBSD, x86
- openbsd-alpha OpenBSD, Alpha
- openbsd-sparc64 OpenBSD, SPARC 64-bit (best)
- openbsd-sparc OpenBSD, SPARC 32-bit
- openbsd-ppc32 OpenBSD, PowerPC 32-bit
- openbsd-ppc64 OpenBSD, PowerPC 64-bit
- openbsd-pa-risc OpenBSD, PA-RISC
- openbsd-vax OpenBSD, VAX
- netbsd-sparc64 NetBSD, SPARC 64-bit
- netbsd-vax NetBSD, VAX
- solaris-sparc64-cc Solaris, SPARC V9 64-bit, cc (best)
- solaris-sparc64-gcc Solaris, SPARC V9 64-bit, gcc
- solaris-sparcv9-cc Solaris, SPARC V9 32-bit, cc
- solaris-sparcv8-cc Solaris, SPARC V8 32-bit, cc
- solaris-sparc-gcc Solaris, SPARC 32-bit, gcc
- solaris-x86-64-cc Solaris, x86-64 with SSE2, cc (best)
- solaris-x86-64-gcc Solaris, x86-64 with SSE2, gcc
- solaris-x86-sse2-cc Solaris 9 4/04+, x86 with SSE2, cc
- solaris-x86-sse2-gcc Solaris 9 4/04+, x86 with SSE2, gcc
- solaris-x86-mmx-cc Solaris, x86 with MMX, cc
- solaris-x86-mmx-gcc Solaris, x86 with MMX, gcc
- solaris-x86-any-cc Solaris, x86, cc
- solaris-x86-any-gcc Solaris, x86, gcc
- sco-x86-any-gcc SCO, x86, gcc
- sco-x86-any-cc SCO, x86, cc
- tru64-alpha Tru64 (Digital UNIX, OSF/1), Alpha
- aix-ppc32 AIX, PowerPC 32-bit
- macosx-x86-64 Mac OS X 10.5+, Xcode 3.0+, x86-64 with SSE2 (best)
- macosx-x86-sse2 Mac OS X, x86 with SSE2
- macosx-ppc32-altivec Mac OS X, PowerPC w/AltiVec (best)
- macosx-ppc32 Mac OS X, PowerPC 32-bit
- macosx-ppc64 Mac OS X 10.4+, PowerPC 64-bit
- macosx-universal Mac OS X, Universal Binary (x86 + x86-64 + PPC)
- hpux-pa-risc-gcc HP-UX, PA-RISC, gcc
- hpux-pa-risc-cc HP-UX, PA-RISC, ANSI cc
- irix-mips64-r10k IRIX, MIPS 64-bit (R10K) (best)
- irix-mips64 IRIX, MIPS 64-bit
- irix-mips32 IRIX, MIPS 32-bit
- dos-djgpp-x86-mmx DOS, DJGPP, x86 with MMX
- dos-djgpp-x86-any DOS, DJGPP, x86
- win32-cygwin-x86-sse2 Win32, Cygwin, x86 with SSE2 (best)
- win32-cygwin-x86-mmx Win32, Cygwin, x86 with MMX
- win32-cygwin-x86-any Win32, Cygwin, x86
- win32-mingw-x86-sse2 Win32, MinGW, x86 with SSE2 (best)
- win32-mingw-x86-mmx Win32, MinGW, x86 with MMX
- win32-mingw-x86-any Win32, MinGW, x86
- beos-x86-sse2 BeOS, x86 with SSE2 (best)
- beos-x86-mmx BeOS, x86 with MMX
- beos-x86-any BeOS, x86
- generic Any other Unix-like system with gcc
- [root@tools src]#
Since we are on CentOS 64-bit we will issue the following command (the target for Linux on x86-64 with SSE2):
- [root@tools src]# make clean linux-x86-64
Once the build is finished the binary will be located in the run directory inside the john folder:
- [root@tools src]# cd ../run/
- [root@tools run]# ls | grep john
- john
- john.conf
- [root@tools run]#
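Here is the whole procedure above, from download through a smoke test, as one shell script. This is an added example and not part of the original post; it uses the same URLs and version numbers shown above and assumes gcc, make, patch and wget are installed and that the source root is writable. The john_make_target function is my own helper that maps the output of uname -m and the CPU flags from /proc/cpuinfo onto the Linux x86 targets from the make listing above; any other machine falls back to the generic target.

```shell
#!/bin/sh
# Added example (not from the original post): script form of the build steps.
# Assumptions: same tarball/patch URLs and versions as the post; gcc, make,
# patch and wget present; SRC_ROOT writable by the caller.
set -eu

JOHN_VER="1.7.6"
JUMBO="jumbo-4"
SRC_ROOT="${SRC_ROOT:-/usr/local/src}"
TARBALL_URL="http://www.openwall.com/john/g/john-${JOHN_VER}.tar.gz"
PATCH_URL="http://www.openwall.com/john/contrib/john-${JOHN_VER}-${JUMBO}.diff.gz"

# Map a machine type (uname -m) plus a CPU flag string (/proc/cpuinfo "flags")
# to the make target john expects. Only the Linux x86 targets from the `make`
# listing are covered; anything else falls back to "generic".
john_make_target() {
    machine="$1"
    cpuflags="$2"
    case "$machine" in
        x86_64) echo linux-x86-64 ;;
        i?86)
            case " $cpuflags " in
                *" sse2 "*) echo linux-x86-sse2 ;;
                *" mmx "*)  echo linux-x86-mmx ;;
                *)          echo linux-x86-any ;;
            esac ;;
        *) echo generic ;;
    esac
}

# Flags of the running host (Linux only; empty elsewhere).
host_cpu_flags() {
    awk -F: '/^flags/ { print $2; exit }' /proc/cpuinfo 2>/dev/null || true
}

build_john() {
    cd "$SRC_ROOT"
    [ -f "john-${JOHN_VER}.tar.gz" ] || wget "$TARBALL_URL"
    tar xzf "john-${JOHN_VER}.tar.gz"
    cd "john-${JOHN_VER}"
    if [ ! -f "john-${JOHN_VER}-${JUMBO}.diff" ]; then
        wget "$PATCH_URL"
        gunzip "john-${JOHN_VER}-${JUMBO}.diff.gz"
    fi
    # Dry-run first so a patch that does not apply cleanly leaves the tree untouched.
    patch -p1 --dry-run < "john-${JOHN_VER}-${JUMBO}.diff" > /dev/null
    patch -p1 < "john-${JOHN_VER}-${JUMBO}.diff"
    cd src
    target=$(john_make_target "$(uname -m)" "$(host_cpu_flags)")
    make clean "$target"
    cd ../run
    # The banner should carry the jumbo suffix if the patch really went in,
    # and the NT format should at least pass its self-test.
    ./john 2>&1 | head -n 1 | grep -q "$JUMBO"
    ./john --test=1 --format=NT
}

# Only build when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "build" ]; then
    build_john
fi
```

Run it as `sh build-john.sh build`; the dry-run patch step is the one worth keeping even if you type the commands by hand, because a half-applied jumbo patch fails with confusing errors deep in the make step rather than at patch time.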
Issue john with no arguments to see the options:
- [root@tools run]# ./john
- John the Ripper password cracker, version 1.7.6-jumbo-4
- Copyright (c) 1996-2010 by Solar Designer and others
- Homepage: http://www.openwall.com/john/
- Usage: john [OPTIONS] [PASSWORD-FILES]
- --config=FILE use FILE instead of john.conf or john.ini
- --single[=SECTION] "single crack" mode
- --wordlist=FILE --stdin wordlist mode, read words from FILE or stdin
- --rules[=SECTION] enable word mangling rules for wordlist mode
- --incremental[=MODE] "incremental" mode [using section MODE]
- --markov[=LEVEL[:START:END[:MAXLEN]]] "Markov" mode (see documentation)
- --external=MODE external mode or word filter
- --stdout[=LENGTH] just output candidate passwords [cut at LENGTH]
- --restore[=NAME] restore an interrupted session [called NAME]
- --session=NAME give a new session the NAME
- --status[=NAME] print status of a session [called NAME]
- --make-charset=FILE make a charset, FILE will be overwritten
- --show[=LEFT] show cracked passwords [if =LEFT, then uncracked]
- --test[=TIME] run tests and benchmarks for TIME seconds each
- --users=[-]LOGIN|UID[,..] [do not] load this (these) user(s) only
- --groups=[-]GID[,..] load users [not] of this (these) group(s) only
- --shells=[-]SHELL[,..] load users with[out] this (these) shell(s) only
- --salt-list=SALT[,SALT,..] load just the specified salt(s)
- --salts=[-]COUNT[:MAX] load salts with[out] at least COUNT passwords only
- (or in range of COUNT to MAX)
- --pot=NAME pot file to use
- --format=NAME force hash type NAME:
- DES/BSDI/MD5/BF/AFS/LM/NT/XSHA/PO/raw-MD5/MD5-gen/
- IPB2/raw-sha1/md5a/hmac-md5/phpass-md5/KRB5/bfegg/
- nsldap/ssha/openssha/oracle/oracle11/MYSQL/
- mysql-sha1/mscash/lotus5/DOMINOSEC/
- NETLM/NETNTLM/NETLMv2/NETNTLMv2/NETHALFLM/
- mssql/mssql05/epi/phps/mysql-fast/pix-md5/sapG/
- sapB/md5ns/HDAA/DMD5/crypt
- --subformat=NAME Some formats such as MD5-gen have subformats
- (like md5_gen(0), md5_gen(7), etc).
- This allows them to be specified.
- If the name is LIST, then john will show all
- subformats (help mode), and exit
- --save-memory=LEVEL enable memory saving, at LEVEL 1..3
- --mem-file-size=SIZE max size a wordlist file will preload into memory
- (default 5,000,000 bytes)
- --field-separator-char=c Use 'c' instead of the ':' for processing fields
- (input file, pot file, etc)
- --fix-state-delay=N only determine the wordlist offset every N times
- It is a performance gain to delay a while
- (say 100 loops for a fast algorithm).
- For slow algorithms it should not be used.
- [root@tools run]#
Everything looks pretty good, so let's load up a few NTLM hashes and make sure the patch worked. If you force a format with --format and use a name john does not recognise, it stops with "Unknown ciphertext format name requested"; in this build the NT hash format is called NT and the LM hash format is called LM, exactly as in the usage list above:
- [root@tools run]# john --wordlist=/wordlists/wordlist.lst --rules ntlm.txt
- Loaded 31196 password hashes with no different salts (LM DES [128/128 BS SSE2-16])
- ZXCVBNM (?)
- ZOLDER0 (?:1)
- ZHONGGU (?:1)
- ZAPHOD1 (?:1)
- YOTTABY (?:1)
- YOKOHAM (?:1)
- YESIAM1 (?)
- YESHEYD (?:1)
- YAMAHA6 (?:1)
- XINGXIN (?:1)
- XAIDXAI (?:1)
- WOOLGOO (?:1)
- WOAIWOD (?:1)
- WINDOWS (?:1)
- WINDHUN (?:1)
- WILMOTS (?)
- WILMANA (?:1)
- WHODINI (?)
- WHATABU (?:1)
- WH1T3RU (?:1)
- WERTY89 (?)
- WELCOME (?)
- WELC0ME (?:1)
- WEBSTAT (?:1)
- WEBPLAN (?:1)
- WEBMAST (?:1)
- WEBADMI (?:1)
- WASHING (?:1)
- WANNABE (?:1)
- WALKMAN (?:1)
- W0LFH0U (?:1)
Looks like it is all working fine and as expected, so get some coffee and wait for the hashes to crack! One thing to notice in the output above: john picked the LM DES format on its own, not NT, so what it is cracking are the case-insensitive 7-character LM halves (the :1 suffix marks the first half of a split LM hash). If you want the NT hashes themselves, run it again with --format=NT; if you want the LM halves out of the way first, --format=LM makes the choice explicit instead of leaving it to autodetection.
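The post's ntlm.txt is not shown, but the "Loaded ... (LM DES ...)" line and the 7-character uppercase results mean john worked on the LM half of each entry. The script below is an added example, not code from the post, and assumes the file is in pwdump format (user:rid:LMhash:NThash:::). It counts how many entries still carry a real LM hash (anything other than the well-known empty-LM value aad3b435b51404eeaad3b435b51404ee), how many NT fields are the empty-password hash 31d6cfe0d16ae931b73c59d7e0c089c0, and which lines only the NT format can crack, then prints the john commands to run LM first and reuse the LM results as a wordlist against NT. The sample lines it writes are constructed placeholders, not hashes of real passwords; the NT rule section name is an assumption about the jumbo john.conf.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes pwdump-format input:
#   user:rid:LMhash:NThash:::
set -eu

LM_EMPTY="aad3b435b51404eeaad3b435b51404ee"   # LM value stored when LM hashing is disabled/empty
NT_EMPTY="31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Number of entries whose LM field is a real 32-hex-digit hash, i.e. entries
# that --format=LM can actually attack.
count_lm_crackable() {
    awk -F: -v empty="$LM_EMPTY" '
        length($3) == 32 && $3 ~ /^[0-9a-fA-F]+$/ && tolower($3) != empty { n++ }
        END { print n + 0 }' "$1"
}

# Number of entries whose NT hash is the empty-password hash (blank password).
count_nt_empty() {
    awk -F: -v empty="$NT_EMPTY" 'tolower($4) == empty { n++ } END { print n + 0 }' "$1"
}

# Lines that only the NT format can crack (LM storage disabled for the account).
nt_only_lines() {
    awk -F: -v empty="$LM_EMPTY" 'tolower($3) == empty' "$1"
}

# Constructed sample file; the hex values for alice and bob are placeholders,
# not hashes of real passwords. guest has LM disabled and a blank NT password.
make_sample() {
    cat > "$1" <<'EOF'
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1002:fedcba9876543210fedcba9876543210:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
guest:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
EOF
}

# Print the crack order: LM halves first (fast, case-insensitive), then NT using
# the LM results as a wordlist with case toggling. "NT" is assumed to be the name
# of the case-toggling rule section in the jumbo john.conf; fall back to plain
# --rules if your copy lacks it.
print_plan() {
    f="$1"
    echo "# $(count_lm_crackable "$f") entries have a real LM hash, $(count_nt_empty "$f") have a blank NT password"
    echo "./john --format=LM --wordlist=/wordlists/wordlist.lst --rules $f"
    echo "./john --format=LM --show $f | cut -d: -f2 | sort -u > lm-cracked.lst"
    echo "./john --format=NT --wordlist=lm-cracked.lst --rules=NT $f"
    echo "./john --format=NT --wordlist=/wordlists/wordlist.lst --rules $f"
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    make_sample "$tmp"
    print_plan "$tmp"
    echo "# NT-only entries:"
    nt_only_lines "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh triage.sh demo` to see the plan against the constructed sample, or point the functions at a real dump. The point of the counts is to know before you start whether an LM pass is worth anything: on a dump where every LM field is the empty value, the LM run loads nothing and the only useful command is the --format=NT one.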