1

I want to crack a specific password hash with JTR:

48bb6e862e54f2a795ffc4e541caed4d

I put this hash in a txt file like this:

echo '48bb6e862e54f2a795ffc4e541caed4d' > hash.txt

and I run JTR in this way:

john hash.txt --format=md5crypt --wordlist=/Users/ludo/Documents/TryHackMe/Dizionari/rockyou.txt

The result of John is:

ludo@MinidiLudovico CrackTheHash % ls hash.txt 
ludo@MinidiLudovico CrackTheHash % john hash.txt --format=md5crypt --wordlist=/Users/ludo/Documents/TryHackMe/Dizionari/rockyou.txt        
No password hashes loaded (see FAQ) 
ludo@MinidiLudovico CrackTheHash %

I'm sure that the password is in the rockyou.txt file because it is easy, and I'm sure that the password was hashed in MD5.

schroeder
  • And you looked up the FAQ and tried the things there? Like `--show` and adding a line break to the hash? – schroeder Dec 30 '21 at 11:24
  • If you want to crack raw md5, shouldn't the format be `raw-md5` instead of `md5crypt`? – Steffen Ullrich Dec 30 '21 at 11:44
  • @schroeder that's all the output you get, apart from possibly a line saying that it's using UTF-8 for input encoding. Much as I like John, its output is not very helpful when you're trying to work out this kind of issue. – Gh0stFish Dec 30 '21 at 14:51
  • `No password hashes loaded (see FAQ)` is the ***full*** output? I seriously doubt that ... john tends to pump out quite a lot of text as it runs. If I am wrong, then you need to run it in a more verbose mode ... – schroeder Dec 30 '21 at 16:03
  • I posted a couple things 4 hours ago and I'm still wondering if you've tried them. `--show`, in case the hash has already been cracked, and adding a line break to the hash file. – schroeder Dec 30 '21 at 16:15
  • It does not accept `--show`. John answers that `--show` does not exist. – Ludovico Latini Dec 30 '21 at 17:49
  • What machine are you using for this? Are you on a CTF box? What's the version of john? Can you run it in a more verbose mode? That is not the normal output of john. Something is going on. – schroeder Dec 30 '21 at 18:48
  • I'm using a Mac mini M1 with macOS 12.1, my john version is 1.9.0, and I installed it with Homebrew. I can't run it in verbose mode because there isn't any parameter to do it (`--verbosity=6` does not work). – Ludovico Latini Dec 30 '21 at 20:02

2 Answers

0

That's not the correct format for an md5crypt hash. They typically start with $1$ - you can see examples of the various md5crypt formats that John accepts in the source code. When John reads your input file (hash.txt), you're telling it to only look for hashes in the md5crypt format - so it ignores the line in the file because it's not formatted correctly.

Your hash is just plain MD5, so you need to use --format=raw-md5 instead of --format=md5crypt

Gh0stFish
  • If I put --format=raw-md5 the result is: Unknown ciphertext format name requested – Ludovico Latini Dec 30 '21 at 15:21
  • Also if I run 'john hash.txt', and I don't put the md5crypt format it gives me the same output. 'No password hashes loaded (see FAQ)' – Ludovico Latini Dec 30 '21 at 15:25
  • If your version of John doesn't support `raw-md5` it must be a strange or broken build. Use the version on [GitHub](https://github.com/openwall/john), or check what formats your version supports. – Gh0stFish Dec 30 '21 at 15:36
  • You don't need to go to the source code to see the correct inputs for the hashes. They are in the documentation: https://openwall.info/wiki/john/hash-formats – schroeder Dec 30 '21 at 16:05
  • @schroeder that page hasn't been updated since 2012, and is missing many of the currently supported formats (and also several variants of md5crypt, such as the `$apr1$` or `{smd5}` formats). – Gh0stFish Dec 30 '21 at 16:10
  • `raw-md5` may not be in the version the OP is using. "As of John the Ripper version 1.8.0, valid "format names" are descrypt, bsdicrypt, md5crypt, bcrypt, LM, AFS, tripcode, dummy, and crypt" From the FAQ: "That is, you normally only need to use "--format" when John would otherwise misdetect your hash/cipher type (e.g., when it says LM and you know that your hashes are in fact raw MD5, you'd use "--format=raw-md5" with -jumbo)" – schroeder Dec 30 '21 at 16:11
  • Granted, and yet, it has the md5crypt format. And it is easier to read than source code ... – schroeder Dec 30 '21 at 16:11
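
Added example (not part of the original answers, and not John's own code): a simplified shape check showing why the question's hash is skipped under `--format=md5crypt` but fits `raw-md5`. The regexes, function names and the constructed md5crypt sample are assumptions made for illustration.

```python
import re

# Simplified shape checks (assumptions for this example, not John's parsers).
RAW_HEX_128 = re.compile(r"^[0-9a-fA-F]{32}$")
# md5crypt: "$1$" or "$apr1$", a salt of up to 8 chars, "$", 22-char digest.
MD5CRYPT = re.compile(r"^\$(1|apr1)\$[^$:\n]{0,8}\$[./0-9A-Za-z]{22}$")


def classify(line: str) -> str:
    """Return the hash family whose textual shape the line matches."""
    h = line.strip()  # tolerate the trailing newline written by echo
    if MD5CRYPT.match(h):
        return "md5crypt"
    if RAW_HEX_128.match(h):
        # 32 hex digits fit any 128-bit digest (raw MD5, MD4, NT, ...);
        # the shape alone cannot tell these apart.
        return "raw-128-bit-hex"
    return "unknown"


def loads_as(line: str, requested: str) -> bool:
    """Would a loader restricted to `requested` accept this line?"""
    family = classify(line)
    if requested == "md5crypt":
        return family == "md5crypt"
    if requested == "raw-md5":
        return family == "raw-128-bit-hex"
    return False


PAGE_HASH = "48bb6e862e54f2a795ffc4e541caed4d"      # hash from the question
CONSTRUCTED_MD5CRYPT = "$1$abcdefgh$" + "A" * 22    # constructed, not a real hash

if __name__ == "__main__":
    for sample in (PAGE_HASH, CONSTRUCTED_MD5CRYPT):
        for fmt in ("md5crypt", "raw-md5"):
            ok = loads_as(sample, fmt)
            print(f"{sample[:16]}...  --format={fmt}: loads={ok}")
```

A line that matches no format the build knows about is what produces `No password hashes loaded`; a build without `raw-md5` therefore rejects the question's hash whichever `--format` is given.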
0

I don't know why, but there is some sort of problem with John the Ripper. I uninstalled it with:

brew uninstall john 

And I installed another version of it named john-jumbo.

brew install john-jumbo

Now it works perfectly.

P.S. `--format=md5crypt` doesn't work with my hash, so I used `--format=raw-md5`.

  • Yes, this was in the FAQ. raw-md5 format is in the larger, more complete version of john, but it should have worked without specifying the format, too. – schroeder Jan 01 '22 at 12:24
  • I still think you had originally installed a strange version because it was behaving in a non-standard manner. – schroeder Jan 01 '22 at 13:41