
I'm pentesting for a class in Kali Linux, cracking a Windows 7 password. I mounted the Windows hard drive in Kali, ran PWDUMP7 and got the hashes saved on the desktop. It's only showing some of the users, but not any that I created for testing... that's another issue by itself. The default system admin 'IEUser' should at least work, right?

I isolated that hash into a single line .txt: IEUser:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::

When I run JtR in Wordlist mode, it cracks the password easily off the word list ('1234'). When I run it in Brute force mode using the following:

    cd /usr/share/john
    john ~/Desktop/samhash.txt -format=nt -user=IEUser

The result is:

    Using default input encoding: UTF-8
    Rules/masks using ISO-8859-1
    Loaded 1 password hash (NT [MD4 128/128 AVX 4x3])
    Press 'q' or Ctrl-C to abort, almost any other key for status
    password         (IEUser)
    1g 0:00:00:00 DONE 2/3 (2018-01-31 09:47) 16.66g/s 15033p/s 15033c/s 15033C/s 123456..qwerty
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed

It appears to not even run, and using "--show" even says that it wasn't cracked. I have absolutely no idea what's going on with this, and nobody else seems to have this problem that I can see... What am I missing?

====

Edit: It was working correctly, "password" was the password, I just didn't understand the UI.


As best as I can figure, you are mistaken about what you expect. John finished quickly because it successfully cracked the password you requested. The rest is just error in using john --show as far as I can tell. I repeated your steps as follows:

    echo "IEUser:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::" > ./Desktop/hash

Then we will start a normal cracking session, which will use a default wordlist.

    root@oscpre:~/Desktop# john hash -format=nt -user=IEUser
    Using default input encoding: UTF-8
    Rules/masks using ISO-8859-1
    Loaded 1 password hash (NT [MD4 128/128 AVX 4x3])
    Press 'q' or Ctrl-C to abort, almost any other key for status
    password         (IEUser)
    1g 0:00:00:00 DONE 2/3 (2018-01-31 14:16) 20.00g/s 18040p/s 18040c/s 18040C/s 123456..qwerty
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed

The line "password (IEUser)" identifies a cracked password for user IEUser. The password is "password". We can check this by reversing the process, using openssl to get the NT hash of "password".

    root@oscpre:~/Desktop# printf '%s' "password" | iconv -t utf16le | openssl md4
    (stdin)= 8846f7eaee8fb117ad06bdd830b7586c

We indeed see it matches our original input in hash.txt. Now we will show all cracked passwords for john in the format of nt using our pot file (the record john keeps of cracked passwords during sessions).

    root@oscpre:~/Desktop# john hash --pot=../.john/john.pot -format=nt --show
    IEUser:password:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::

    1 password hash cracked, 0 left

We see IEUser listed here with the password appended before the uid. All seems to be well?

You are correct -- the text file with the hash kept pulling an old password "password", even though it had been changed since. I was expecting the new password to appear next to "Password" thinking that was a label, not the password. Noob mistake. Good catch. – C-Love511 Feb 01 '18 at 01:18

No problem, we all make them :D Glad you got it all cleared up! – Nalaurien Feb 01 '18 at 02:14