Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CANWtx01Q9K2TsMywfMRx0FTza-_Efo1O5WDozd74OqaPCwU6bw@mail.gmail.com>
Date: Thu, 19 May 2016 06:46:29 -0400
From: Rich Rumble <richrumble@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: JtR Jumbo 1.79 on Win7, md5hash matching does not work

On Tue, May 17, 2016 at 12:17 PM, Michael Mckenna-Mattiaccio
<mckennammj@...il.com> wrote:
> Hello all,
>
> I have a folder containing .doc .xls .pdf .ppt .zip files that are
> encrypted and I need to recover their passwords. I have a custom wordlist
> that I know contains at least some correct passwords, but I never get a
> single correct guess.
>
> The Windows binary doesn't ship with office2john but it does ship with
> pdf2john and zip2john as you can see here https://paste.debian.net/686868/
Try the custom builds section of the John wiki:
http://openwall.info/wiki/john/custom-builds
The office2john requires python not PowerShell, I wrapped the py into
an exe and included it in the custom build for windows users.
A search of "office2john windows" turns up the same result
https://www.google.com/search?q=office2john+windows&ie=utf-8&oe=utf-8
> So I used a random tool my company uses called Karen's Directory Printer. I
> fed in the directory with all the files and selected the output of a .txt
> file with just a list of all the md5hashes created by Karen's...
> https://paste.debian.net/686908/
That program, after googling, give you an md5 checksum of the file,
not the encryption of the file.
> Here is some sample output from Johnny
> https://paste.debian.net/hidden/4cf6b99d/
John thinks these are 11 different hash types
HAVAL-128-4, lotus5, MD2, mdc2, mscash, mscash2, NT, Raw-MD5u,
ripemd-128, Snefru-128, NT-old
I don't think Karens tool is needed here.
> I don't think the md5crypt script is included in the Windows binaries for
> Jumbo 1.79 because when I try to run  --format=md5crypt  I get Unknown
> ciphertext format name requested
md5crypt appears to refer to FreeBSD hashes, thanks google
https://www.google.com/search?q=md5crypt&ie=utf-8&oe=utf-8#q=md5crypt+%22john+the+ripper%22
The md5 checksum that Karens tool was outputting won't be of use to you.
http://xinn.org/blog/choosing-the-right-encryption.html
http://xinn.org/blog/password-security.html
> How do I copy the md5 functionality from the github sources so it works in
> JtR?
Office formats are CRC16 (pst's), RC4 (old office) and SHA1+AES these days
https://blogs.msdn.microsoft.com/david_leblanc/2008/12/04/new-improved-office-crypto/
Again the md5 checksum's aren't needed here.
> Also, it doesn't seem to really be using the custom wordlist correctly.
> Whenever I link to the custom wordlist, JtR runs quickly and with no
> results. If I don't use Wordlist mode then at least JtR seems to be trying.
> I even made a .bu of the default wordlist and put my custom wordlist in its
> place in the JTr Jumbo folder and I'm still not seeing results.
john.exe -w wordlist_here.txt -format=office hashes.txt    (could also
be old-office)
That should do it (shouldn't need the format if only office hashes are
in the file), I recommend using rules
john.exe -w wordlist_here.txt hashes.txt -rules=jumbo
> I have tried the *2john feature of Johnny but it doesn't seem to work well
> for me. I was once able to get a pdf password out and removed the prefix
> info for https://paste.debian.net/hidden/1eeeaffd/ but the feature is no
> longer working, it just hangs on Conversion in progress..... I tried with a
> pdf The following command in PowerShell doesn't get me any results either,
> regardless of whether the output file exists at the time the command is
> run: PS C:\Program Files (x86)\john179j5w\john179j5\run> .\office2john.py
> C:\Users\tdmnyadmin\Desktop\Password_Cracking\SampleFiles\001\Doc3.doc
> C:\Users\tdmnyadmin\Desktop\Password_Cracking\office.lst
Again PS isn't going to run python scripts, they do look similar.
> What's the correct command format for these *2john scripts? I can't find
> that in the docs.
We can try to do better, there are tutorials out there for many hash types
http://xinn.org/blog/JtR-AD-Password-Auditing.html
https://countuponsecurity.files.wordpress.com/2015/06/jtr-cheat-sheet.pdf
-rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.