John the Ripper w/ Jumbo Patch (Updated for 1.7.5)
Password cracking Windows hashes on Linux using John the Ripper (JtR). If you prefer the Linux operating system, JtR is the password cracking utility to use. By default, JtR does not support the hashes that we are interested in cracking. See below for installation and patching instructions for JtR. Applying the patch to JtR adds the functionality to crack NTLM and MS-Cache passwords. NOTE: This install was done on Ubuntu 10.4 but should work on any Linux system since we are compiling from source.
$ ./john --format=mscash --rules --wordlist=<PASSWORD_LIST> <CACHE_HASH_FILE>
$ ./john --format=nt --rules --wordlist=<PASSWORD_LIST> <NTLM_HASH_FILE>
For additional information you can read the JtR documentation and wiki from Openwall.
OpenSSL is needed. It can be installed through your package manager or may already be installed. Remember to install the development package (libssl-dev or libssl-devel), since the build needs the OpenSSL headers. Instructions for downloading and compiling from source are included below.
$ wget http://www.openssl.org/source/openssl-1.0.0a.tar.gz
$ tar zxvf openssl-1.0.0a.tar.gz
$ cd openssl-1.0.0a
$ ./config --openssldir=/usr/local
$ make
$ sudo make install
$ wget http://www.openwall.com/john/g/john-1.7.5.tar.gz
$ tar zxvf john-1.7.5.tar.gz
$ cd john-1.7.5/
$ wget http://www.openwall.com/john/contrib/john-1.7.5-jumbo-3.diff.gz
$ gzip -d john-1.7.5-jumbo-3.diff.gz
$ patch -p1 < john-1.7.5-jumbo-3.diff
$ cd src/
$ make linux-x86-sse2
John will be found in the run directory.
I am not having any luck with the “make” part after I patch the JTR source. I keep getting errors during the XSHA make part (or, if I remove it from the make statement, other sections that got patched in).
Any ideas?
gcc -c -Wall -O2 -fomit-frame-pointer -I/usr/local/include -L/usr/local/lib -funroll-loops XSHA_fmt.c
XSHA_fmt.c:7:25: openssl/sha.h: No such file or directory
XSHA_fmt.c:43: error: syntax error before “ctx”
XSHA_fmt.c:43: warning: type defaults to `int’ in declaration of `ctx’
XSHA_fmt.c:43: warning: data definition has no type or storage class
XSHA_fmt.c: In function `crypt_all’:
I have openssl installed (I double checked).
SH
25 Nov 09 at 9:45 am
What OS are you using and how did you install openssl? I ask about how you installed openssl because if it was as an OS package you would need the lib-dev version of the package. If you installed openssl from source like I’ve described above you may need to run ldconfig and make sure that the path to your libraries is updated. The openssl library may be installed in /usr/local/lib and not be in the library path.
If you are looking for the functionality of cracking MS-Cache passwords you can try myjohn.tgz which has been floating around the Internet. It can be downloaded from my site and is already pre-patched for MS-Cache passwords. Try all these things and let me know how it goes.
Download myjohn.tgz from http://www.jedge.com/utilities/myjohn.tgz
James
25 Nov 09 at 10:00 am
I was using RHEL 4 U4. Thank you so much for pointing out the fact I was missing the openssl-devel. After installing that it worked just fine. Boy do I feel dumb.
Happy Thanksgiving and thanks for the quick reply!
SH
25 Nov 09 at 11:21 am
Hi there, this may seem a little old to be asking questions but I’m also having probs on my John build after patching.
I also have openssl installed (from scratch) and updated my path on Ubuntu 10.04 to /usr/local/ssl/bin/openssl
then did an ldconfig
XSHA_fmt.c:7:25: error: openssl/sha.h: No such file or directory
XSHA_fmt.c:43: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘ctx’
but I still get the error after I try to build.
Any suggestions?
Andy
31 May 10 at 7:52 am
Andy,
I’ve recently upgraded to Ubuntu 10.04 and I will try to get John patched, installed, and update the tutorial. If I encounter any problems myself I will let you know.
-James
Update 1: I’m getting the same error as you and I’m using the latest OpenSSL and John stable source code.
Update 2: I still want to figure out why installing openssl from source is causing a problem but if this will help you I got John to compile when I installed libssl-dev from the Ubuntu repositories (0.9.8k).
Final Update: I’ve had the chance to figure out why John wasn’t finding the openssl headers when they were installed from source. The latest openssl installs the headers in /usr/local/ssl/include/openssl and the John make file only looks in /usr/local/include and /usr/local/lib. I created a symlink (#ln -s /usr/local/ssl/include/openssl /usr/local/include/openssl). You can also specify where openssl will be installed when you configure before compiling.
admin
3 Jun 10 at 2:59 pm
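The header mismatch diagnosed in the final update can be checked before running make. The script below is an added example, not part of the original post or its comments: it reports whether openssl/sha.h is on the include path the build searches, sits somewhere else (symlink or different install prefix needed), or is absent (development package needed). The function names are hypothetical; the directories come from the gcc line and the final update above, plus the compiler default /usr/include as an assumption.

```shell
#!/bin/sh
# Added example: pre-build check for "openssl/sha.h: No such file or directory".

# Directories the build searches: -I/usr/local/include appears in the quoted gcc
# line; /usr/include is assumed as the compiler's default include directory.
SEARCHED_DIRS="/usr/local/include /usr/include"
# Places the headers may actually be; /usr/local/ssl/include is from the final update.
CANDIDATE_DIRS="/usr/local/ssl/include /usr/local/include /usr/include"

# has_sha_header DIR: succeeds if DIR/openssl/sha.h is a readable file.
has_sha_header() {
    [ -r "$1/openssl/sha.h" ]
}

# first_dir_with_header DIR...: prints the first DIR holding the header, status 1 if none.
first_dir_with_header() {
    for d in "$@"; do
        if has_sha_header "$d"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# diagnose "SEARCHED" "CANDIDATES" (space-separated lists) prints one of:
#   ok <dir>         header is where the compiler looks
#   misplaced <dir>  header exists outside the search path (symlink or new prefix)
#   missing          no header found (install the -dev/-devel package or build OpenSSL)
diagnose() {
    searched=$1
    candidates=$2
    # Unquoted expansions below are deliberate: each list is split into directories.
    if dir=$(first_dir_with_header $searched); then
        echo "ok $dir"
    elif dir=$(first_dir_with_header $candidates); then
        echo "misplaced $dir"
        return 2
    else
        echo "missing"
        return 1
    fi
}

diagnose "$SEARCHED_DIRS" "$CANDIDATE_DIRS" || true
```

A "misplaced" result corresponds to the source-install case from the final update, and "missing" to the package case resolved earlier in the comments by installing openssl-devel.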