
More on tuning John the Ripper

Jamie Riden 15 Sep 2014


In my previous post I covered how you can tune the search space of a password cracker if you suspect a password is going to follow a particular form or style. Since then I've had some interesting feedback, and one cool recommendation, to expand on sha512crypt:
"Thanks. For sha512crypt, you could also demo --fork (in bleeding-jumbo) or OpenMP." – SD.

Well, alrighty then, let’s look at what else we can do with sha512crypt. I’ll also talk a little bit about how to get the most out of the machine you’re running John The Ripper (JtR) on. For historical reasons, I tend to use oclhashcat as my GPU cracker and JtR as my CPU-based cracker, even though JtR now supports CUDA.

In this post we'll also see another benefit of having the latest, greatest code tree: being able to import Pre-Shared Keys that you might have gathered with ike-scan into oclhashcat or JtR, where previously you would have been using "psk-crack" to crack them.

First off, we get the bleeding-edge jumbo code from where it lives in git. I’m doing this on Kali – any Debian-based distribution should be very similar, and other Linuxes should be fairly easy to build on too.

git clone https://github.com/magnumripper/JohnTheRipper.git
cd JohnTheRipper/
cd src/
make clean # if you already had a previous version built.

BTW, use git fetch instead of git clone if you have already checked out this code in the past.

Then make the following changes (if you can't read diffs: uncomment the line OMPFLAGS = -fopenmp -msse2 in src/Makefile), and add the custom incremental section into run/john.conf:

git diff
diff –git a/run/john.conf b/run/john.conf
index b71c7db..1e88970 100644
— a/run/john.conf
+++ b/run/john.conf
@@ -675,6 +675,12 @@ MinLen = 1
MaxLen = 13
CharCount = 26+[Incremental:Jamie]
+File = $JOHN/lower.chr
+MinLen = 4
+MaxLen = 6
+CharCount = 26
+

[Incremental:Upper]
File = $JOHN/upper.chr
MinLen = 1
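Review bot: the context line "CharCount = 26+[Incremental:Jamie]" looks like two lines run together when the diff was pasted (the preceding section's "CharCount = 26" and the added "+[Incremental:Jamie]" header); anyone adding this by hand needs "[Incremental:Jamie]" on its own line, otherwise john will not recognise a new section and the File/MinLen/MaxLen/CharCount lines will be read as part of the section above. The added section itself is consistent with the post's goal: lower-case only via lower.chr, lengths 4 to 6 (a much narrower range than the MaxLen = 13 of the surrounding section), and the trailing "+" blank line keeps it separated from [Incremental:Upper].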
diff –git a/src/Makefile b/src/Makefile
index fc09d18..8e8b277 100644
— a/src/Makefile
+++ b/src/Makefile
@@ -34,7 +34,7 @@ OMPFLAGS =
# gcc with OpenMP
#OMPFLAGS = -fopenmp
# gcc with OpenMP on 32-bit x86 with SSE2
-#OMPFLAGS = -fopenmp -msse2
+OMPFLAGS = -fopenmp -msse2

# Mac OS X (llvm-gcc) with OpenMP
#OMPFLAGS = -fopenmp -D_FORTIFY_SOURCE=0
# Sun Studio with OpenMP (set the OMP_NUM_THREADS env var at runtime)
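Review bot: the line being uncommented is the "gcc with OpenMP on 32-bit x86 with SSE2" variant, which matches the 32-bit Kali VM the post builds on; on a 64-bit build the plain "#OMPFLAGS = -fopenmp" two lines above is the one to enable, since -msse2 is only meaningful for the 32-bit flag set (SSE2 is baseline on x86-64). Worth documenting alongside the change: the Sun Studio comment's note about setting OMP_NUM_THREADS at runtime applies to the gcc build too, and is how the post later pins the thread count for comparison.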

Then build it:

make

This spits out a big list of platform targets. I happen to be using Kali 32-bit, just because I had a VM handy. I did give it 2 virtual CPUs, or else there'd be no point :) I think the best target for my platform is:

make linux-x86-sse2

At this point I got an error about a missing pcap header file, so:

apt-get install libpcap-dev

…and try again:

make linux-x86-sse2
cd ../run/
unshadow /etc/passwd /etc/shadow | head -1 > test.crack

It appears to default to the “correct” number of threads, saving me typing OMP_NUM_THREADS=2 in front of the command. However, we’ll give an example of that later just to compare.

./john test.crack --incremental:Jamie
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 32/32 OpenSSL])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:02 0.00% 0g/s 460.7p/s 460.7c/s 460.7C/s steane..stalos

And just to see how much the second CPU buys us, we'll try with one. Two cores work out roughly twice as fast as one, which is what you'd expect. (NB. This is in a VM, so I'm not sure how it maps the 2 CPUs I asked for onto my physical 2 CPU, 4 core rig.)

OMP_NUM_THREADS=1 ./john test.crack --incremental:Jamie
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 32/32 OpenSSL])
Warning: OpenMP is disabled; a non-OpenMP build may be faster
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 0.00% 0g/s 238.8p/s 238.8c/s 238.8C/s momal..sarls
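The two manual steps above (adding the custom [Incremental:Jamie] section to john.conf, then timing the same run with OMP_NUM_THREADS=1 and =2 and comparing the c/s figure) are easy to get slightly wrong by hand: a section header pasted onto the wrong line is silently ignored, and two back-to-back runs reuse the same session file. The script below is an added example, not code from the post or from the JtR project: it appends the section only if it is not already present, pulls the c/s number out of a john status line, and runs each thread count as its own named session for a fixed number of seconds. The JOHN_BIN path, the --session names and the use of --max-run-time are my assumptions; --session and --max-run-time are jumbo options the post itself does not use.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the john.conf edit
# and the one-vs-two-thread comparison described above.
#   add_incremental_section CONF   - append [Incremental:Jamie] once, idempotently
#   cps_from_status LINE           - extract the c/s figure from a john status line
#   run_with_threads N HASHFILE S  - run N OpenMP threads for S seconds, print c/s
#   compare_threads HASHFILE       - report c/s for 1 and 2 threads
# Assumptions: JOHN_BIN points at a jumbo build that understands --session
# and --max-run-time; the session names "omp1"/"omp2" are made up here.

JOHN_BIN="${JOHN_BIN:-./john}"

# Append the section from the post to CONF unless a header for it already
# exists; a second call therefore leaves the file untouched.
add_incremental_section() {
    conf="$1"
    if grep -q '^\[Incremental:Jamie\]' "$conf" 2>/dev/null; then
        return 0
    fi
    cat >>"$conf" <<'EOF'

[Incremental:Jamie]
File = $JOHN/lower.chr
MinLen = 4
MaxLen = 6
CharCount = 26
EOF
}

# Given a status line such as
#   0g 0:00:00:02 0.00% 0g/s 460.7p/s 460.7c/s 460.7C/s steane..stalos
# print the lower-case "c/s" (candidates per second) value, i.e. 460.7.
# grep is case-sensitive, so the "C/s" field is not matched.
cps_from_status() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep 'c/s$' | sed 's/c\/s$//' | head -1
}

# Run john with a pinned thread count for a fixed time and print the c/s
# figure from the last status line it emitted (status goes to stderr).
run_with_threads() {
    threads="$1"; hashfile="$2"; seconds="${3:-10}"
    out=$(OMP_NUM_THREADS="$threads" "$JOHN_BIN" "$hashfile" \
            --incremental:Jamie --session="omp$threads" \
            --max-run-time="$seconds" 2>&1 | grep 'c/s' | tail -1)
    cps_from_status "$out"
}

# Print the c/s achieved with one and with two OpenMP threads.
compare_threads() {
    hashfile="$1"
    for t in 1 2; do
        printf 'OMP_NUM_THREADS=%s: %s c/s\n' "$t" "$(run_with_threads "$t" "$hashfile")"
    done
}

# Usage (from the run/ directory, after building):
#   sh tune_jtr.sh conf john.conf        # add the section
#   sh tune_jtr.sh compare test.crack    # time 1 vs 2 threads
case "${1:-}" in
    conf)    add_incremental_section "$2" ;;
    compare) compare_threads "$2" ;;
esac
```

Run the "conf" step once against run/john.conf and it will not duplicate the section on later invocations; the "compare" step prints one c/s line per thread count, so a roughly 2:1 ratio confirms that OpenMP was actually compiled in (the single-thread run in the post prints "OpenMP is disabled", which is expected when OMP_NUM_THREADS=1).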

And since we've got the bleeding-edge version, you can also do other cool stuff, like take the PSK file that ike-scan can output and crack it with one of your favourite cracking tools instead of psk-crack.

# ./ikescan2john.py ike-scan-output-psk > john-compat-psk

./john john-compat-psk --incremental:Jamie
Loaded 1 password hash (IKE, PSK [HMAC MD5/SHA1 32/32])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 0.53% (ETA: 13:46:58) 0g/s 869370p/s 869370c/s 869370C/s cyclsd..janudt

Or you can swap the "*" separator for ":" within the file "john-compat-psk" and use oclhashcat (-m 5300 is for MD5, -m 5400 is for SHA1).

cp john-compat-psk ocl-compat-psk
sed -i 's/\*/:/g' ocl-compat-psk

…and then copy and paste the new file into your oclhashcat command:

C:\oclHashcat-1.01>cudaHashcat64.exe -m 5400 $ike$:0:f08a:9710:4 -a 3 ?l?l?l?l?l?l -i
cudaHashcat v1.01 starting...

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
Session.Name...: cudaHashcat
Status.........: Running
Input.Mode.....: Mask (?l?l?l?l?l?l) [6]
Hash.Type......: IKE-PSK SHA1
Speed.GPU.#1...: 14042.8 kH/s