# john

Cracked password hashes and ssh passphrases.
## How I used it
Whenever I dump password hashes from a database, John is my go-to for cracking them. Tag-teaming with rockyou.txt, hopefully like a hurricane.
| Category | What I did | Why I did it |
|---|---|---|
| Recovering an id_rsa Passphrase | Offline cracking of an OpenSSH private key (id_rsa) passphrase using wordlists and GPU tools. | I needed the passphrase to be able to authenticate via SSH. |
| Dictionary Attack | Wordlist-based recovery of password hashes (fast, offline dictionary cracking). | Trying to get those sweet cleartext passwords. |
## Proof
- HTB OpenAdmin - Recovering an id_rsa Passphrase.
- HTB Cronos - Wordlist-based recovery of raw MD5 password hashes.
- HTB Greenhorn - Wordlist-driven cracking of SHA‑512 password hashes.
- HTB Passage - SHA‑256 Password Cracking.
## Commands I Use Most

### Crack SSH Passphrase

```
┌──(kali㉿kali)-[~/Documents/htb/openadmin]
└─$ ssh2john id_rsa > id_rsa.hash

┌──(kali㉿kali)-[~/Documents/htb/openadmin]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
```
### Dictionary Attack on Hashes

Crack Password Hashes

```
┌──(kali㉿kali)-[~/Documents/htb/cronos]
└─$ john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
```
## What I Learned the Hard Way

### Learning the hash type helps
If you forget, you get a bunch of warnings about the hash type. So, now I run it through hash-identifier so I can pass it the format switch.
### Overly relying on john

Sometimes, I get so excited to try to crack the password that I don't realize I already have the password or can get it from somewhere else. It blinds me.
### When john Let Me Down

I had to crack a password with a salt, and hashcat was simply easier to set up to take the salt value into account.
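As an added example (not the author's workflow or john's code), here is a minimal Python re-implementation of the wordlist mode used in the commands above, run against constructed unsalted raw-MD5 entries and constructed salted entries in a hypothetical `user:salt$hash` layout, to show why the salt mentioned above changes the cost of the attack. The wordlist and hashes are made up for the example and stand in for rockyou.txt and hashes.txt.

```python
import hashlib

# Constructed stand-in for rockyou.txt (not real data).
WORDLIST = ["123456", "password", "sunshine", "letmein", "qwerty", "Password1"]

# Constructed unsalted raw-md5 targets in john's user:hash layout, built here
# from known plaintexts so the example is self-contained.
RAW_MD5_LINES = [
    "alice:" + hashlib.md5(b"sunshine").hexdigest(),
    "bob:" + hashlib.md5(b"letmein").hexdigest(),
    "carol:" + hashlib.md5(b"correcthorsebattery").hexdigest(),  # not in wordlist
]

# Constructed salted targets in a hypothetical user:salt$hash layout, where
# hash = sha256(salt || password). Both users chose the same password.
SALTED_SHA256_LINES = [
    "dave:a1b2$" + hashlib.sha256(b"a1b2" + b"sunshine").hexdigest(),
    "erin:zz99$" + hashlib.sha256(b"zz99" + b"sunshine").hexdigest(),
]


def crack_unsalted(lines, wordlist, algo="md5"):
    """Dictionary attack on unsalted hashes: hash each candidate once, then
    look it up against every target at once. Work is O(words + targets),
    which is why an unsalted raw-md5 dump falls so quickly."""
    targets = {}
    for line in lines:
        user, digest = line.split(":", 1)
        targets.setdefault(digest.lower(), []).append(user)
    found = {}
    for word in wordlist:
        h = hashlib.new(algo, word.encode()).hexdigest()
        for user in targets.get(h, []):
            found[user] = word
    return found


def crack_salted(lines, wordlist, algo="sha256"):
    """Same attack on salted hashes: the per-user salt must be mixed in before
    hashing, so every candidate is hashed once per target. Work is
    O(words * targets), and identical passwords no longer share a hash."""
    found = {}
    for line in lines:
        user, rest = line.split(":", 1)
        salt, digest = rest.split("$", 1)
        for word in wordlist:
            h = hashlib.new(algo, salt.encode() + word.encode()).hexdigest()
            if h == digest.lower():
                found[user] = word
                break
    return found
```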