I’m now providing an updated Linux Penetration Testing Laptop Setup document to help install popular and useful vulnerability assessment tools for the Linux operating system. You can go and obtain Backtrack but I feel that you will have more understanding of the tools and Linux in general if you install the tools yourself. You will also have the most current version available. See Configuration Tutorials for the latest document.
9.19.2011 – Updated for latest openssl and john jumbo patch on Ubuntu Natty Narwhal 11.4
Password cracking Windows hashes on Linux using John the Ripper (JtR). If you prefer the Linux operating system, JtR is the password cracking utility to use. By default JtR does not support the hashes that we are interested in cracking; the jumbo patch applied in the instructions below adds the functionality to crack NTLM and MS-Cache (domain cached credential) hashes. NOTE: This install was done on Ubuntu 10.4 LTS but should work on any Linux system since we are compiling from source.
$./john --format=mscash --rules --wordlist=<PASSWORD_LIST> <CACHE_HASH_FILE>
$./john --format=nt --rules --wordlist=<PASSWORD_LIST> <NTLM_HASH_FILE>
For additional information you can read the JtR documentation and wiki from Openwall.
OpenSSL is needed. It can be installed through your package manager or may already be installed; remember to also install the development package (libssl-dev or libssl-devel), since the jumbo build links against it. Instructions for downloading and compiling OpenSSL from source are included below.
JtR 1.7.8
$ wget http://www.openssl.org/source/openssl-1.0.0e.tar.gz
$ tar zxvf openssl-1.0.0e.tar.gz
$ cd openssl-1.0.0e
$ ./config --openssldir=/usr/local
$ make
$ sudo make install
$ wget http://www.openwall.com/john/g/john-1.7.8-jumbo-5.tar.gz
$ tar zxvf john-1.7.8-jumbo-5.tar.gz
$ cd john-1.7.8-jumbo-5/
$ cd src/
$ make linux-x86-64
JtR 1.7.7
$ wget http://www.openssl.org/source/openssl-1.0.0d.tar.gz
$ tar zxvf openssl-1.0.0d.tar.gz
$ cd openssl-1.0.0d
$ ./config --openssldir=/usr/local
$ make
$ sudo make install
$ cd ..
$ wget http://download.openwall.net/pub/projects/john/1.7.7/john-1.7.7.tar.gz
$ tar zxvf john-1.7.7.tar.gz
$ cd john-1.7.7/
$ wget http://download.openwall.net/pub/projects/john/1.7.7/john-1.7.7-jumbo-6.diff.gz
$ gzip -d john-1.7.7-jumbo-6.diff.gz
$ patch -p1 < john-1.7.7-jumbo-6.diff
$ cd src/
$ make linux-x86-sse2
John will be found in the run directory (../run relative to src/); there is no install target, so run it from there.