Comprehensive Guide to John the Ripper. Part 2: Utilities for extracting hashes

Table of contents

1. Introducing and Installing John the Ripper

2. Utilities for extracting hashes

2.1 How to Crack Password in John the Ripper

2.2 How to convert a file to John the Ripper hash

2.3 Where to see examples of hashes

2.4 Reference for all scripts to generate hashes for John the Ripper and Hashcat

2.5 Other utilities to extract hashes

2.6 What you need to know when posting hashes

3. How to start cracking passwords in John the Ripper (how to specify masks, dictionaries, hashes, formats, modes)

4. Practical examples of John the Ripper usage

5. Rule-based attack

6. 

7,


How to Crack Password in John the Ripper

John the Ripper can only crack hashes – it cannot work with encrypted files. The program cannot open, for example, an office document, enter a password there, etc.

This is a solvable problem – we need to compute (extract) the hash for the file of interest. John itself does not know how to do this. We need auxiliary utilities. You can view their list, for example, by typing the command:

locate *2john*

This is how the list looks like on the machine where I installed John from source:

Agree, the list is impressive!

On Kali Linux, these files are located in two directories:

  • script files in /usr/share/john/
  • and binaries in /usr/sbin/

These files are located in BlackArch:

  • script files in /usr/lib/john/ directory
  • binaries in /usr/bin/

If you compiled John the Ripper from source, then all of these files are collected in the run directory.

To find the file you need, use a command like this:

locate FILENAME

To find all files at once by extracting hashes, run:

locate *2john*

If you cannot find some file on your system (this can be done with the locate command), then download them from the source codes: https://github.com/magnumripper/JohnTheRipper.

How to convert a file to John the Ripper hash

The scripts have been collected from a wide variety of places and written by many researchers, often based on research by other researchers. Therefore, they are written in different programming languages.

In general, the usage is pretty standard – you need to specify the program to run and, separated by a space, the file for which you want to calculate the hash.

The good news is that these hashes are shared by both Hashcat and John the Ripper. That is, you can use this table and these files to crack passwords in John the Ripper or Hashcat.

You can specify several files at once to extract their hashes – for example, several ZIP archives or several office documents.

An example of extracting a hash from a passwords.zip file, that is, from a ZIP archive:

./zip2john '/home/mial/test/passwords.zip'

Output example:

The first line contains the properties of the archive:

ver 2.0 passwords.zip/passwords.txt PKZIP Encr: cmplen=339, decmplen=490, crc=F872015C type=8

The hash itself goes further:

passwords.zip/passwords.txt:$pkzip2$1*1*2*0*153*1ea*f872015c*0*2b*8*153*f872*3dc8*8cfe495658baa3b5650d212831700dbefbf0c95bbc2831d287121ca64f0a0b7f468c9d3ab88fdce90c7c7e0f9f8978a2d3496661af8dc24e2702398612c927d5f33c243c892bdd11a39f7ecd6c375c7da5df205f6ced61c9d7629d4253f98c01257d45be64f936eeb4bf06060b5e3b2bd286f9322c130d07f88d15af4e6b9a107f0dd2f6c48dc05b4aa81f7f1a9306b5070b7e3414d687a011a73d4a903568e3559c590f2d720542e686d2d6cf70d11d0b60728415ff147263d26f994a73328aad1f204ff2d38c89acbba101e3aff5a0850ef016c64cee400fb5f01834ee37ddedf8051618802547120f52e2c8b2aa4f6d161807aa8d76fd11992e30abd712710da1e238ed17f57ee5af00117016dbd4ae673d6aa9ae694da53c578a0ff6d2af00ebb0dded84cf1f2a966d441b03e22338b4a287d364faa41bea9bc72d0454c0aa654a2e9bb13567aafd5e7043fb6c2289c244*$/pkzip2$:passwords.txt:passwords.zip::/home/mial/test/passwords.zip

An example of a command that saves the hash to the passwords.zip.hash file:

./zip2john '/home/mial/test/passwords.zip' > passwords.zip.hash

An example of extracting a hash from a .7z archive:

./7z2john.pl '/mnt/disk_d/Arch/from_kali.7z'

Output example:

The first line warns that hashes can contain encrypted sensitive data and you need to be careful if you share the hash with someone or publish it online.

The second line is the hash itself:

from_kali.7z:$7z$2$19$0$$8$a09335e006fc03b20000000000000000$2687817801$144$144$47a0c3138667a3727b8db3f9aa10362c8a9739192d9e55d8c052f16965cd1360100f1b17764c07101a9088eb5e965129c245647e3597e2182dee769db99ab2a5d07716f78867a9f5e5b4198f8e3bc9a4bc019006f95c613006cbecf9bda18a865cde0279cce92e060bdeb31ca50983f1d6363fb626651b706dc44838294b250ad53a6ce02a2a49eeb8523be9fee28dbc$374$00

Extract hash from MS Word 2019 file:

./office2john.py '/mnt/disk_d/Share/Secret.docx' 2>/dev/null

If you do not specify 2>/dev/null, then a warning about an outdated Python function in the script will be displayed – I hope this will be fixed in the future.

An example of extracting a hash from a handshake to hack Wi-Fi password:

./wpapcap2john ~/RT-725140.pcap

The wpapcap2john utility supports the -v option, so you can see more information if you like:

./wpapcap2john -vv ~/RT-725140.pcap

An example of extracting the VNC hash of a handshake from captured network traffic – this hash allows you to crack the VNC server password.

./vncpcap2john '/home/mial/VNC.pcapng'

Considering that the MAXIMUM (not the minimum) password length is 8 (!) Characters, and the algorithm itself is calculated very quickly, such hashes are doomed to be hacked:

192.168.0.101-5900 to 192.168.0.89-57454:$vnc$*894443629F4A9675809CFF5DA2E84651*271D94EB610B5C42588DC53506419E6A

Where to see examples of hashes

As you can imagine, hashes are quite long and (at a glance) meaningless datasets. To understand that you got the hash correctly, sometimes you need to compare it with a similar type.

On this page you will find examples of all hashes: https://hashcat.net/wiki/doku.php?id=example_hashes

But you can see examples of any hash offline, without third-party resources.

You need to start by finding out how your format is correctly named in John the Ripper. To do this, you can find it in the full list of supported formats:

john --list=format

Examples of format names:

  • Office
  • ODF
  • ZIP
  • VNC
  • wpapsk
  • etc.

Now, to see an example of a hash, run one of the following commands, in which replace the word FORMAT with the name of the format:

john --list=format-details --format=FORMAT
john --list=format-all-details --format=FORMAT

I prefer the second version of the command, which displays more information.

For example, getting information about password properties and an example of a VNC hash:

john --list=format-all-details --format=VNC

I highlighted the hash example with a red border.

Here you can also find other interesting information – the maximum and minimum password length, whether the password is case-sensitive, and so on.

Another example – this time a hash of MS Office files:

john --list=format-all-details --format=Office

Reference for all scripts to generate hashes for John the Ripper and Hashcat

For myself, I have collected all the available information about these files. If you notice inaccuracies in my data or want to supplement them – then write in the comments to this section.

Use Ctrl+f to search this page.


1password2john.py

Extracts hash for cracking 1Password password.

Usage:

./1password2john.py <1Password Agile Keychain(s) / Cloud Keychain(s)> / OnePassword.sqlite

7z2john.pl

Extract hashes from encrypted 7-Zip archives

The dependency is the Perl Compress::Raw::Lzma module. To install it on Debian, Kali Linux and derivatives:

sudo apt install libcompress-raw-lzma-perl

To install on Arch Linux, BlackArch and derivatives with pikaur:

pikaur -S perl-compress-raw-lzma

Usage:

./7z2john.pl <7-Zip file>...

adxcsouf2john.py

This utility extracts ADXCRYPT password hashes from IBM / Toshiba 4690 OS ADXCSOUF.DAT (better known, hence the utility name) and SHA-1 hashes from ADXEPW0F.DAT files.

Usage:

./adxcsouf2john.py <ADXCSOUF.DAT / ADXEPW0F.DAT file(s)>

aem2john.py

JtR utility to convert native Adobe AEM (Adobe Experience Manager) hashes to existing JtR hash format.

Usage:

./aem2john.py <File(s)-with-Adobe-AEM-hashes>

aix2john.pl and aix2john.py

This script converts AIX etc/security/passw.

Usage:

aixpasswd2john.pl <FILE>

If no password is given, then aixpasswd2john.pl will read from standard input.


andotp2john.py

andOTP

Usage:

./andotp2john.py [andOTP backup .json.aes file(s)]

androidbackup2john.py

Android backup files that can be created with the following command:

adb backup -f freeotp-backup.ab -apk org.fedorahosted.freeotp # valid for freeotp app

Usage:

./androidbackup2john.py [Android Backup .ab file(s)]

androidfde2john.py

Program for “converting” Android FDE images / disks into JtR friendly format.

Usage:

./androidfde2john.py <data partition / image> <footer partition / image>

Note: This script only works for old Android <= 4.3 disk images and only aes256/cbc-essiv:sha256 images are supported!


ansible2john.py

ansible-vault

Usage:

./ansible2john.py [Ansible Vault .yml file(s)]

apex2john.py

Dump hashes of APEX.

Usage:

./apex2john.py <apex-hashes.txt file(s)>

applenotes2john.py

Script to extract “hashes” from password protected Apple Notes databases. Typical database location: ~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite

Usage:

./applenotes2john.py [Apple Notes .sqlite files]

aruba2john.py

ArubaOS password hashing algorithm.

Usage:

./aruba2john.py <ArubaOS hashes file>

atmail2john.pl

 


axcrypt2john.py

Script to extract hash from AxCrypt encrypted file or self-decrypting binary.

Usage:

./axcrypt2john.py <axxfile> [KEY-FILE]

Optional arguments:

  KEY-FILE			 path to optional key-file provided

bestcrypt2john.py

Usage:

./bestcrypt2john.py [Jetico BestCrypt Containers, .jbc file(s)]

bitcoin2john.py

Retrieves hash from Bitcon wallets to guess password.

Usage:

./bitcoin2john.py [Bitcoin/Litecoin/PRiVCY wallet (.dat) files]

You need to install the bsddb3 package, which is a dependency:

sudo pip3 install bsddb3

bitlocker2john

BitLocker

Usage:

./bitlocker2john -i <Image of encrypted memory unit>

Options:

  -h		Show this help
  -i		Image path of encrypted memory unit encrypted with BitLocker

bitshares2john.py

Script for extracting hashes from BitShares databases.

Usage:

./bitshares2john.py BitShares SQLite file(s)
./bitshares2john.py Backup Wallet .bin file(s)
./bitshares2john.py ~/BitShares/wallets/<wallet-name>/*.ldb file(s)

Database location: %APPDATA%\BitShares2-light\databases\file__0\{1,2…}

"Local Wallet" at https://wallet.bitshares.org for Google Chrome: ~/.config/google-chrome/Default/databases/https_wallet.bitshares.org_0

Extracting metadata:

sqlite3 Databases.db
sqlite> select * from Databases;
1|file__0|__sysdb__|System Database|4194304
2|file__0|graphene_db_4018d7|graphene_db_4018d7|4194304
3|file__0|graphene_v2_4018d7_default|graphene_v2_4018d7_default|4194304
4|file__0|graphene_v2_4018d7_openwall|graphene_v2_4018d7_openwall|4194304

Extracting hashes:

sqlite3 file__0/4
sqlite> select * from wallet;
3-openwall|{"public_name":"openwall", ..., "encryption_key":"ec4...", ...}

bitwarden2john.py

Utility to extract “hashes” from local data Google Chrome / Firefox / Android.

The plyvel module must be installed as a dependency (the script uses Python 2):

sudo pip2 install plyvel

Usage:

./bitwarden2john.py <Bitwarden storage.js
./bitwarden2john.py com.x8bit.bitwarden_preferences.xml
./bitwarden2john.py Google Chrome's 'nngceckbap...' path

On Linux with Firefox, “storage.js” can be found at the following location: ~/.mozilla/firefox/YOUR-PROFILE/browser-extension-data/\{446900e4-71c2-419f-a6a7-df9c091e268b\}/

On Android with bitwarden 1.14.1, the “hash” can be retrieved from the following location: /data/data/com.x8bit.bitwarden/shared_prefs/com.x8bit.bitwarden_preferences.xml


bks2john.py

Converts BKS keystores to JtR compatible format.

Usage:

bks2john.py [options] <.bks / .uber file(s)>

Options:

  -h, --help            show this help message and exit
  -t TYPE, --type=TYPE  BKS keystore type (bks / uber)

blockchain2john.py

Blockchain wallet files.

Usage:

./blockchain2john.py [blockchain wallet files]

optional arguments:

  -h, --help  show this help message and exit
  --json      is the wallet using v2 format?
  --base64    does the wallet contain only a base64 string?

ccache2john.py

This script extracts a crackable hash from the krb5 credential cache files (e.g. /tmp/krb5cc_1000).

Note: This attack method only works against MS Active Directory servers.

Usage:

./ccache2john.py <input credential cache file>

Example:

./ccache2john.py /tmp/krb5cc_1000

cisco2john.pl

Initial Cisco type 4 password decoder.

Usage:

./cisco2john.pl [cisco config file(s)] >>hashfile 2>>seed.txt
./john -format:md5 -wordlist:seed.txt -rules hashfile

Example:

./cisco2john.pl cisco.config >cisco.in
#!comment: Found type 7 passwords:
   companysecret
   test

Because of that output, we re-run it and save stderr to its own file.

./cisco2john.pl cisco.conf >cisco.in 2>cisco.seed
cat cisco.in
   enable_secret_level_2:5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
   enable_secret:$1$4C5N$JCdhRhHmlH4kdmLz.vsyq0

./john -wo:cisco.seed -rules cisco.in   

cracf2john.py

Processes CRACF.TXT files (generated by the CRACF program) into a format suitable for JtR.

Usage:

./cracf2john.py <CRACF.TXT>

dashlane2john.py

Retrieves hashes from Dashlane .aes and .dash files.

Usage:

./dashlane2john.py <.aes or .dash files from Dashlane for Windows Desktop / macOS>

Note: This only works with data from Windows and macOS Desktop version of Dashlane.

The required .aes files can be found inside %AppData%\Dashlane\profiles directory tree on Windows.

The required .aes files can be found inside ~/Library/Application\ Support/Dashlane/profiles/ directory tree on macOS.


deepsound2john.py

deepsound2john extracts password hashes from audio files containing encrypted data steganographically embedded by DeepSound (http://jpinsoft.net/deepsound/).

This method is known to work with files generated by DeepSound 2.0.

Input files must be in .wav format. Hashes can be recovered from audio files even after converting from other formats like:

ffmpeg -i INPUT output.wav

Usage:

deepsound2john.py [-h] [--verbose] file [file ...]

Options:

positional arguments:
  file

optional arguments:
  -h, --help     show this help message and exit
  --verbose, -v

Usage example:

python3 deepsound2john.py carrier.wav > hashes.txt
john hashes.txt

diskcryptor2john.py

Retrieves hash from DiskCryptor.

Usage:

./diskcryptor2john.py [DiskCryptor Encrypted Device / Raw Disk Image]

Example:

./diskcryptor2john.py /dev/sdb1

Example:

./diskcryptor2john.py partition_image.raw

Tip: Use kpartx to access partitions within raw disk images on Linux.

Example:

kpartx -av disk_image.raw;
fdisk -l disk_image.raw;
./diskcryptor2john.py /dev/mapper/loop0p1

ATTENTION: Cascaded ciphers are NOT supported yet!


dmg2john and dmg2john.py

Apple Disk Samples (DMG).

Usage:

dmg2john [DMG files]

1. Run dmg2john on the .dmg file (s).

For example:

./dmg2john test.dmg > hash

2. Run john on the dmg2john output.

For example:

./john hash

You can use any file of your choice: dmg2john or dmg2john.py, but dmg2john is recommended.


DPAPImk2john.py

The program uses Python 2.

Usage:

DPAPImk2john.py [-h] [-S SID] [-mk MASTERKEY] [-d]
                       [-c {domain,domain1607+,domain1607-,local}]
                       [-P PREFERRED] [--password PASSWORD]

Optional arguments:

  -h, --help            show this help message and exit
  -S SID, --sid SID     SID of account owning the masterkey file.
  -mk MASTERKEY, --masterkey MASTERKEY
                        masterkey file (usually in %APPDATA%\Protect\<SID>).
  -d, --debug
  -c {domain,domain1607+,domain1607-,local}, --context {domain,domain1607+,domain1607-,local}
                        context of user account. 1607 refers to Windows 10
                        1607 update.
  -P PREFERRED, --preferred PREFERRED
                        'Preferred' file containing GUID of masterkey file in
                        use (usually in %APPDATA%\Protect\<SID>). Cannot be
                        used with any other command.
  --password PASSWORD   password to decrypt masterkey file.

eapmd5tojohn

Usage:

./eapmd5tojohn -r <pcap file>

ecryptfs2john.py

 


efs2john.py

UPD: this script may have been removed.

Encrypting File System (EFS) is a data encryption system that implements file-level encryption in Microsoft Windows NT operating systems.

For additional functionality, it is recommended to install the python-m2crypto package:

sudo apt install python-m2crypto

Usage:

efs2john.py --masterkey=samples/openwall.efs/92573301-74fa-4e55-bd38-86fc558fa25e --sid="S-1-5-21-1482476501-1659004503-725345543-1003"
efs2john.py --masterkey=samples/openwall.efs.2/21d67870-8257-49e0-b2de-c58324271c42 --sid="S-1-5-21-1482476501-1659004503-725345543-1005"
efs2john.py --masterkey=samples/Win-2012-non-DC/1b52eb4f-440f-479e-b84a-654fdccad797 --sid="S-1-5-21-689418962-3671548705-686489014-1001" --password="openwall@123"

ejabberd2john.py

Extract hashes from files created by the command:

ejabberdctl dump output.txt

parsimonious module is required dependency, to install it type:

sudo pip install parsimonious

Usage:

./ejabberd2john.py [file(s) generated by 'ejabberdctl dump' command]

electrum2john.py

Generates a hash of the Ethereum crypto wallet file.

Usage:

./electrum2john.py [Ethereum Wallet files (default_wallet)]

encfs2john.py

The encfs2john.py utility processes EncFS files into a format suitable for use with JtR.

Usage:

./encfs2john.py <EncFS folder>

enpass2john.py

Retrieves hashes from Enpass Password Manager version 6.x databases.

Usage:

./enpass2john.py <Enpass .enpassdb files>

enpass5tojohn.py

Retrieves hashes from Enpass Password Manager version 5.x databases.

Usage:

./enpass2john.py <Enpass .enpassdb files>

ethereum2john.py

Retrieves hash from Ethereum Wallets (Geth / Mist / MyEtherWallet).

Usage:

./ethereum2john.py [Ethereum Wallet files (Geth/Mist/MyEtherWallet)]

filezilla2john.py

Retrieves hashes from “FileZilla Server.xml” files.

Usage:

./filezilla2john.py <FileZilla Server.xml file(s)>

geli2john.py

Links:

Usage:

./geli2john.py [disk image]

gpg2john

Utility to prepare for cracking private (secret) PGP Desktop / OpenPGP / GnuPG key.

PGP (English Pretty Good Privacy) is a computer program, also a library of functions that allows you to perform encryption and digital signature of messages, files and other information presented in electronic form, including transparent data encryption on storage devices, for example, on a hard disk.

Usage:

./gpg2john [-d] [-S] <GPG Secret Key File(s)>
  • if -d is used, then debugging of the object types decoded is written
  • if -S is used, then subkeys will also be output

hccap2john

HCCAP is a custom format specially designed for oclHashcat.

The data itself does not differ from the usual tcpdump format. In fact, they are exactly the same. They are just reorganized a little.

A valid hashcat cap file (file extension: .hccap) contains one or more instances of the structure.

Usage:

./hccap2john <hccap and/or hccapx file[s]>

hccapx2john.py

hccapx2john, process hccapx file into a format suitable for use with JtR.

Usage:

ccapx2john.py [-h] [-nc NC] [--no-mp] hccapx

Options:

positional arguments:
  hccapx      hccapx file to process

optional arguments:
  -h, --help  show this help message and exit
  -nc NC      AP nonce correction to be used, 0 to disable, default 8
  --no-mp     disable message_pair BE/LE/nc detection

htdigest2john.py

This utility processes htdigest files into a format suitable for use with JtR.

Usage:

./htdigest2john.py <htdigest file(s)>

ibmiscanner2john.py

Converts files in the userid:hash format (for example, files created by an older version of the ibmiscanner tool) to the as400-sha format, which can be processed by JtR. Multiple files can be specified.

The output is sent to stdout. Use standard output redirection to generate the JtR file.

Usage:

python2 ./ibmiscanner2john.py file [file ...]

ikescan2john.py

Processes ike-scan output files in a format suitable for use with JtR.

Usage:

./ikescan2john.py <psk-parameters-file> [norteluser]

ios7tojohn.pl

Script generate the hash to brute-force IOS 7 security PIN.

Input example (with com.apple.restrictionspassword.plist):

   <key>RestrictionsPasswordKey</key>
   <data>
   J94ZcXHm1J/F9Vye8GwNh1HNclA=
   </data>
   <key>RestrictionsPasswordSalt</key>
   <data>
   /RHN4A==
   </data>

Output example:

$pbkdf2-hmac-sha1$1000.fd11cde0.27de197171e6d49fc5f55c9ef06c0d8751cd7250

1. Get the com.apple.restrictionspassword.plist file from your phone. How to do this is outside of this document, just google it.

2. Run ios7tojohn on this file, Redirect the output to another file. For instance:

./ios7tojohn com.apple.restrictionspassword.plist > ioshash

3. Run john on a new file using only four digits (this is a PIN code):

./john ioshash -inc:digits -min-len=4 -max-len=4

4. Hacking will take half a second. And not because Apple uses a very poor hash mechanism, but because the PIN code space is extremely small.

itunes_backup2john.pl

Generates a hash for cracking IOS backups.

Explanation of the output format:

1.all binary data is output in hexadecimal form

2.in fact, there are 2 formats, one for IOS backups < 10.0 and one for backups starting from 10.x

Hashes of versions lower than 10:

$itunes_backup$*9*wpky*iter*salt**

Hashes of versions higher than 10.x:

$itunes_backup$*10*wpky*iter*salt*dpic*dpsl

Usage:

./itunes_backup2john.pl <Manifest.plist file>...

iwork2john.py

Generates a hash for cracking iWork files.

Usage:

./iwork2john.py [.key files]

kdcdump2john.py

Kdcdump patch output translation for JtR.

Usage:

./kdcdump2john.py [dump]

keepass2john

Generate hashes for cracking master password from KeePass password managers and forks.

Usage:

./keepass2john [-k ] <DATABASES .kdbx>

keychain2john.py

Reworks Mac OS X keychain files into John the Ripper-friendly format.

Usage:

keychain2john [keychain files]

keyring2john.py

Hack GNOME Keyring files, converts Gnome Keyring files to john format.

Usage:

python2 keyring2john.py [-h] KEYRING_FILE

Options:

positional arguments:
  KEYRING_FILE  Input Gnome Keyring file

optional arguments:
  -h, --help    show this help message and exit

keystore2john.py

Currently, only Sun “JKS” files are supported.

Usage:

./keystore2john.py <.keystore / .jks file(s)>

kirbi2john.py

Retrieves Kerberos tickets from the kirbi file and parses them to JtR format.

Usage:

./kirbi2john.py exported mimikatz kerberos tickets
./kirbi2john.py extracttgsrepfrompcap.py output

known_hosts2john.py

Processes known_hosts files in a format suitable for use with JtR.

Usage:

python2 ./known_hosts2john.py [known_hosts files]

krb2john.py

This file used to be called krbpa2john.py.

Retrieves AS-REQ and TGS-REP hashes.

Usage:

./krb2john.py <.pdml files>

To create .pdml files using tshark:

tshark -r sample.pcap -T pdml > sample.pdml; ./krb2john.py sample.pdml

Examples of usage. To extract the hashes “AS-REQ (krb-as-req)”:

tshark -r AD-capture-2.pcapng -T pdml > data.pdml
tshark -2 -r test.pcap -R "tcp.dstport==88 or udp.dstport==88" -T pdml >> data.pdml
./run/krb2john.py data.pdml

To extract the “TGS-REP (krb-tgs-rep)” hashes:

tshark -2 -r test.pcap -R "tcp.srcport==88 or udp.srcport==88" -T pdml >> data.pdml
./run/krb2john.py data.pdml

kwallet2john.py

Retrieves the KWALLET hash.

Usage:

./kwallet2john.py <.kwl file(s)>

lastpass2john.py

This script converts LastPass input into a format suitable for JtR.

Output format:

filename:$lp$email(salt)$iterations$hash

The file “*_key.itr” just contains the number of calculations (eg 5000). For Firefox on Linux, this file is located in the ~/.lastpass directory.

Read https://lastpass.com/support.php?cmd=showfaq&id=425 before using this script on data from the Windows version of LastPass. Remember that on Windows, CryptProtectData is used to further encrypt data, so this encryption won't work out of the box. For Windows version of LastPass, additional processing (decryption) of data is required.

This script only works for LastPass 3.x for Firefox. The last supported version is LastPass is 3.3.4, released on March 17, 2017.

Older versions of LastPass can be installed from the following link https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/versions/.

LastPass version 4.x uses a very different mechanism that is not yet supported.

It stores data in the following location: ~/.mozilla/firefox/<profile>/storage/permanent/index…/idb/<something>lp.sqlite

Also interesting: https://lastpass.com/js/enc.php

Usage:

./lastpass2john.py <email address> <LastPass *_lpall.slps file> <LastPass *_key.itr file>

OR for lastpass-cli:

./lastpass2john.py <path to .local/share/lpass directory>

ldif2john.pl

 


libreoffice2john.py

The utility processes OpenOffice / LibreOffice files into a format suitable for JtR.

This utility was previously called odf2john.py.

Output format:

filename:$odf*cipher type*checksum type*iterations*key-size*checksum*iv length*iv*salt length*salt*unused*content.xml data

Usage:

./libreoffice2john.py <OpenOffice / LibreOffice files>

lion2john-alt.pl

This script converts Apple OS X Lion plist file to “shadow” format compatible with John the Ripper.

The Data::Plist module must be installed as a dependency.

To do this, use any of the following methods:

1. CPAN shell:

perl -MCPAN -e shell
install Data::Plist

2.cpanm

cpanm Data::Plist

Usage:

./lion2john-alt.pl <plist file> ...

lion2john.pl

Retrieves SHA-512 salted hashes from Mac OS X 10.7 Lion.

The Data::Plist module must be installed as a dependency.

To do this, use any of the following methods:

1. CPAN shell:

perl -MCPAN -e shell
install Data::Plist

2.cpanm

cpanm Data::Plist

Usage:

./lion2john.pl PLIST-FILES > PASSWORD-FILE

lotus2john.py

Generates a hash for Lotus Notes.

Usage:

./lotus2john.py [Lotus Notes ID file(s)]

luks2john.py

Generates a hash for cracking LUKS password.

Usage:

./luks2john.py [LUKS file(s) / disk(s)]

mac2john-alt.py

This program helps in extracting password hashes from OS X / macOS systems (>= Mountain Lion -> 10.8+).

Run this program against .plist file(s) obtained from /var/db/dslocal/nodes/Default/users/<username>.plist location.

Usage:

./mac2john-alt.py <OS X / macOS .plist files>

mac2john.py

This program helps in extracting password hashes from OS X / macOS systems (>= Mountain Lion -> 10.8+).

Run this program against .plist file(s) obtained from /var/db/dslocal/nodes/Default/users/<username>.plist location.

Usage:

./mac2john.py <OS X / macOS .plist files>

mcafee_epo2john.py

Converts McAfee ePO password files to John format.

ePO configuration is stored in the database server. Authentication can be based on AD or SHA1 hash stored in the database.

This script converts the CSV output of the dbo.OrionUsers table to the format for john.

The CSV output must at least match the following schema:

   - column #1 -> Name   (not really used)
   - column #2 -> AuthURI
   - column separator must be "," 

Example:

cat orion_users.csv     # (extracted from dbo.OrionUsers)

Output:

 Name,AuthURI
 system,auth:pwd?pwd=kDv1oBRuGOU3MnpIDbyBJEmJZ%2FauS1zf  <-- SHA1 based
 adminepo,auth:ntlm?domain=XYZ&user=adminepo             <-- AD based      

Hash generation and attack launch:

./mcafee_epo2john.py orion_users.csv > orion_hashes.txt

john -single orion_hashes.txt
 Loaded 1 password hashes with 1 different salts (dynamic_24 [sha1($p.$s) 128/128 AVX 10x4x1])
 Press 'q' or Ctrl-C to abort, almost any other key for status
 system           (system)         

Usage:

./mcafee_epo2john.py [dbo.OrionUsers CSV extracts]

monero2john.py

Retrieves hashes from Monero databases.

Usage:

./monero2john.py [Monero .keys file(s)]

WARNING: Only modern (> January, 2016) Monero JSON wallets are supported!


money2john.py

Generates a hash from MS Money files.

Usage:

./money2john.py [MS Money 2002-2007 / Money Plus file(s)]

mongodb2john.js

Retrieves hashes from Mongo databases.

Usage:

mongo admin mongodb2john.js
mongo [hostname]:[port]/[database_name] mongodb2john.js

mozilla2john.py

Mozilla Database Password Cracker Assistant (key3.db password master).

Mozilla stores credentials in the signons.sqlite file using base64 encoding, 3DES in CBC encryption mode, and standard block alignment. The decryption key is stored in the key3.db file whose entries are encrypted with a master password.

To check the master password, decrypt the password-check entry and it should be equal to the fixed string “check-password\x00\x00”.

Usage:

mozilla2john [FILES key3.db]

multibit2john.py

Generates a hash for cracking MultiBit Classic and HD wallets.

Usage:

./multibit2john.py [MultiBit Classic or HD wallets files (.key, mbhd.wallet.aes, .wallet)]

MultiBit Classic -> for a wallet named 'xyz', we need the xyz-data/key-backup/xyz*.key OR xyz-data/wallet-backup/xyz*.wallet file.


neo2john.py

It seems the utility generates hash from the Neo Blockchain wallet, but there is no documentation.

Usage:

./neo2john.py [.db3 files]

network2john.lua

Extracts from .pcap files:

  • Hashes RADIUS CHAP
  • RADIUS authentication hashes
  • EAP-MD5 hashes
  • SNMPv3 USM hashes
  • DHCPv6 authentication hashes
  • DHCPv4 authentication hashes
  • ISCSI CHAP hashes
  • DHCP OMAPI hashes

To work, you need Wireshark with Lua enabled.

Usage:

tshark -q -Xlua_script:network2john.lua -r selected.pcap

Use this for development:

tshark -r selected.pcap -T pdml > data.pdml

office2john.py

Extracts hash from MS Office files for cracking in John the Ripp. Supported files MS Office 2003/2007/2010/2013.

olefile (formerly OleFileIO_PL), version 0.42 2015-01-25. A module for reading / writing Microsoft OLE2 files (also called structured storage or Microsoft compound document file format) such as Microsoft Office 97-2003 documents, Image Composer and FlashPix files, Outlook messages, …

Usage:

./office2john.py <encrypted Office file(s)>

openbsd_softraid2john.py

In OpenBSD 6.1, softraid crypto switched to bcrypt PBKDF instead of PKCS5 PBKDF2.

./openbsd_softraid2john [disk image]

openssl2john.py

This utility helps in cracking files encrypted using "openssl enc" command.

openssl aes-256-cbc -in secret.txt -out secret.txt.enc
openssl aes-256-cbc -a -in secret.txt -out secret.txt.enc
openssl enc -aes-256-cbc -in secret.txt -out secret.txt.enc

Usage:

./openssl2john.py [-c cipher] [-m md] [-p plaintext] [-a ascii_pct] <OpenSSL encrypted files>

cipher can be: 0 => aes-256-cbc, 1 => aes-128-cbc

md can be: 0 => md5, 1 => sha1, 2 => sha256

ascii_pct: minimum ascii percent (1-100) on decrypted output (ignored if plaintext present)

OpenSSL 1.1.0e uses aes-256-cbc with sha256.


padlock2john.py

Extracts hashes for the Padlock Android cracking.

Usage:

./padlock2john.py [Padblock file(s)]

pcap2john.py

Combines several pcap conversion utilities.

Usage:

python2 ./pcap2john.py [.pcap files]

pdf2john.pl

Extracts hash from encrypted PDF files.

Usage:

pdf2john.pl <.pdf file(s)>

pem2john.py

Generating hashes from .pem files using the PCKS #8 format.

Usage:

./pem2john.py <.pem files using PCKS #8 format>

pfx2john.py

Generate a hash to crack password-protected PKCS12 files.

Usage:

./pfx2john.py <.pfx file(s)>

pgpdisk2john.py

It generates hashes for PGP Virtual Disk FILE (s) .pgd.

Usage:

./pgpdisk2john.py [PGP Virtual Disk .pgd file(s)]

pgpsda2john.py

Calculates a hash for cracking self-decrypting archive (SDA), Symantec Encryption Desktop (SED) PGP archive files.

Usage:

./pgpsda2john.py [PGP self-decrypting archive (SDA) file(s)]

pgpwde2john.py

Retrieves a hash from fully encrypted PGP WDE / Symantec Encryption Destop disk images.

Usage:

./pgpwde2john.py [PGP WDE / Symantec Encryption Destop encrypted whole disk images]

Example:

./pgpwde2john.py hdd.raw

Example:

./pgpwde2john.py /dev/sdb

prosody2john.py

Extracts hashes from Prosody IM's .dat files which can be found under the /var/lib/prosody/<domain>/accounts location.

Usage:

./prosody2john.py [prosody .dat files]

pse2john.py

This script can be used to parse PSE files and extract encrypted material and data in a format that John the Ripper or other cracking tools can use to look for the decryption PIN.

Usage:

python2 ./pse2john.py <.pse file(s)>

ps_token2john.py

Parser Oracle PS_TOKEN token.

Usage:

python2 ps_token2john.py [-h] -c COOKIE

Options:

  -h, --help  show this help message and exit
  -c COOKIE   Set a victim's PS_TOKEN cookie for parsing

putty2john

Key types supported: RSA, DSA, ECDSA, ED25519

Usage:

putty2john [.ppk PuTTY-Private-Key-File(s)]

pwsafe2john.py

Processes Password Safe files and generates a JtR cracking hash.

Usage:

./pwsafe2john.py [.psafe3 files]

racf2john

Usage:

./racf2john [RACF binary files]

radius2john.pl

Utility to extract hash and brute force RADIUS shared-secret.

The Net::Pcap module must be installed as a dependency.

In Debian, Kali Linux and their derivatives, this is done with the command:

sudo apt install libnet-pcap-perl

On Arch Linux, BlackArch and their derivatives, this can be done with the command:

sudo pacman -S perl-net-pcap

A number of PERL modules are also required, to install them in any system run:

perl -MCPAN -e shell
install CPAN::DistnameInfo
install NetPacket::IP
install Net::Radius::Dictionary

Usage:

./radius2john.pl <pcap FILES>

radius2john.py

Utility to extract hash and brute force RADIUS shared-secret.

Usage:

./radius2john.py <pcap files>

rar2john

Retrieves hash from encrypted RAR archives.

Usage:

./rar2john <rar file(s)>

The -v option increases the verbosity of the output.

Output string format:

For type = 0 for files encrypted with the "rar -hp …" option

archive_name:$RAR3$*type*hex(salt)*hex(partial-file-contents):type::::archive_name

For type = 1 for files encrypted with the "rar -p …" option

archive_name:$RAR3$*type*hex(salt)*hex(crc)*PACK_SIZE*UNP_SIZE*0*archive_name*offset-for-ciphertext*method:type::file_name

or

archive_name:$RAR3$*type*hex(salt)*hex(crc)*PACK_SIZE*UNP_SIZE*1*hex(full encrypted file)*method:type::file_name

sap2john.pl

This Perl script converts password hashes downloaded from SAP systems into a format suitable for John the Ripper (outputs to stdout).

Usage:

./sap2john.pl <input-file> [A|B|D|E|F|H]

To read from standard input:

./sap2john.pl - [A|B|D|E|F|H]

A detailed description of the options is given in the source code of the script.


signal2john.py

Hash extraction for cracking the Signal messenger password.

Modern versions of Signal do not support passphrase.

The script has only been tested with Signal 4.13.5.

Run with the file /data/data/org.thoughtcrime.securesms/shared_prefs/SecureSMS-Preferences.xml.

In the modern version of the Signal Android app (e.g. 4.19.3), the screen lock code is stored as clear text in the SecureSMS-Preferences.xml file!

Usage:

./signal2john.py [SecureSMS-Preferences.xml files]

sipdump2john.py

Processes sipdump output files (dump files) into a format suitable for use with JtR.

Usage:

./sipdump2john.py <sipdump dump files>

ssh2john.py

Retrieves hashes from RSA/DSA/EC/OpenSSH private keys.

Usage:

python2 ./ssh2john.py <RSA/DSA/EC/OpenSSH private key file(s)>

sspr2john.py

Utility to retrieve NetIQ SSPR hashes from a LDAP server.

Usage:

sspr2john.py [-h] -H HOST [-p PORT] -b BASEDN [-s] [-D BINDDN] [-w PASSWORD]

Optional arguments:

  -h, --help            show this help message and exit
  -H HOST, --host HOST  Format like ad.example.net or 192.168.124.10
  -p PORT, --port PORT  Format like 389 or 636
  -b BASEDN, --basedn BASEDN
                        Format like CN=Users,DC=EXAMPLE,DC=NET
  -s, --secure          Use LDAPS (LDAP OVER SSL), recommended
  -D BINDDN, --binddn BINDDN
                        Format like CN=<username>,CN=Users,DC=EXAMPLE,DC=NET or
                        <username>
  -w PASSWORD, --password PASSWORD
                        Password for LDAP bind

staroffice2john.py

The staroffice2john.py utility converts StarOffice files into a format suitable for use with JtR.

This utility was previously called sxc2john.py.

Usage:

./staroffice2john.py <StarOffice files (.sxc, .sdw, .sxd, .sxw, .sxi)>

strip2john.py

Processes STRIP files into a suitable format for use with JtR.

Output format:

filename:$strip$*data

Usage:

./strip2john.py <STRIP files>

telegram2john.py

A utility for extracting "hashes" from the userconfing.xml file(s) of the Telegram Android application and from the file (map) of the Telegram Desktop local storage.

Usage:

./telegram2john.py <userconfing.xml file(s) / <path to Telegram data directory>

Example (Linux):

./telegram2john.py ~/.local/share/TelegramDesktop

Example (Windows):

./telegram2john.py "C:/Users/Name/AppData/Roaming/Telegram Desktop"

tezos2john.py (and test_tezos2john.py)

Creates Tezos File For John The Ripper.

Usage:

./tezos2john.py 'mnemonic data (15 words)' 'email' 'public key'

Usage 2: 

tezos2john.py [-h] [-i] [-I]

Options:

  -h, --help            show this help message and exit
  -i, --ignoreRules, --ignorerules
                        Ignore All Rules, seed words, checksum, ...
  -I, --ignoreICORules, --ignoreicorules
                        Do Not Check To See If It Is A Valid ICO Format (15 seed words)

Example:

./tezos2john.py 'put guide flat machine express cave hello connect stay local spike ski romance express brass' 'jbzbdybr.vpbdbxnn@tezos.example.org' 'tz1eTjPtwYjdcBMStwVdEcwY2YE3th1bXyMR'

truecrypt2john.py

Utility to import TrueCrypt volume to a format crackeable by John The Ripper

Usage:

./truecrypt2john.py [-b] volume_filename [keyfiles(s)]> output_file

Options:

  -h, --help  show this help message and exit
  -b

Enable -b only when attacking TrueCrypt's boot mode.


uaf2john

Usage:

uaf2john uaf_file

vdi2john.pl

Converts *.vbox files (which contain the encryption information of the associated *.vdi file) to the correct format for JtR processing.

Reads data from STDIN.


vmx2john.py

Usage:

./vmx2john.py [.vmx files]

vncpcap2john

Extract hashes from files with VNC session handshake for password cracking in John the Ripper.

Usage:

./vncpcap2john <pcapfiles>

wpapcap2john

Converts PCAP or IVS2 files to JtR format.

Supported encapsulations: 802.11, Prism, Radiotap, PPI and TZSP over UDP.

Usage:

./wpapcap2john [ОПЦИИ] FILE(S)

Options:

-c		Show only complete auths (incomplete ones might be wrong passwords
		but we can crack what passwords were tried).
-v		Bump verbosity (can be used several times, try -vv)
-d		Do not suppress dupe hashes (per AP/STA pair)
-r		Ignore replay-count (may output fuzzed-anonce handshakes)
-f <n>		Force anonce fuzzing with +/- <n>
-e <essid:mac>	Manually add Name:MAC pair(s) in case the file lacks beacons.
		eg. -e "Magnum WIFI:6d:61:67:6e:75:6d"
-m <mac>	Ignore any packets not involving this mac adress

zed2john.py

Usage:

./zed2john.py [zed archives]

zip2john

Extract hash from encrypted ZIP archives for password cracking in John the Ripper.

Usage:

./zip2john [options] [zip file(s)]

Options:

 -s Scan archive from the beginning, looking for local file headers. This
    is less reliable than going by the central index, but might work better
    with corrupted or split archives.

Options for 'old' PKZIP encrypted files only:

 -a <filename>   This is a 'known' ASCII file. This can be faster, IF all
    files are larger, and you KNOW that at least one of them starts out as
    'pure' ASCII data.
 -o <filename>   Only use this file from the .zip file.
 -c This will create a 'checksum only' hash.  If there are many encrypted
    files in the .zip file, then this may be an option, and there will be
    enough data that false positives will not be seen.  If the .zip is 2
    byte checksums, and there are 3 or more of them, then we have 48 bits
    knowledge, which 'may' be enough to crack the password, without having
    to force the user to have the .zip file present.
 -m Use "file magic" as known-plain if applicable. This can be faster but
    not 100% safe in all situations.
 -2 Force 2 byte checksum computation.

Other utilities to extract hashes

hcxtools

hcxtools is a small set of tools for converting captured Wi-Fi packets. Able to convert between different formats and hashes for use with the latest versions of hashcat or John the Ripper.

The following hash modes are supported for John the Ripper: WPAPSK-PMK, PBKDF2-HMAC-SHA1, chap, netntlm, tacacs-plus

hcxkeys

hcxkeys is a small toolbox for generating plainmasterkeys rainbow tables (for cracking Wi-Fi) and hashes for use with the latest hashcat and the latest John the Ripper.

What you need to know when posting hashes

It is considered unethical (perhaps even illegal in some countries) to publish someone else's hashes, since decrypting them means obtaining a password and possible leakage of personal data.

You also need to understand that decrypting some hashes means getting a private key. For example, if you published a hash from a Bitcoin wallet and someone decrypted it, then a third party can manage your wallet, including transferring money.

Recommended for you:

Leave a Reply

Your email address will not be published.