LabEx
Log InJoin Free

Crack Hashes from a John the Ripper Potfile

Kali LinuxBeginner
Practice Now

Introduction

John the Ripper (JtR) is a popular password cracking tool. When it successfully cracks a password, it stores the result in a file called john.pot, often referred to as the "potfile". This prevents JtR from wasting time trying to re-crack the same hash in the future.

In this lab, you will work in a scenario where a password cracking attempt has already been partially completed by John the Ripper. Your task is to identify which hashes were not cracked, and then use a different powerful tool, Hashcat, to try and crack the remaining ones. This workflow is common in penetration testing and security audits, where multiple tools are used to maximize results.

You will learn to:

  • Locate and understand the JtR potfile.
  • Use command-line tools to extract and compare hash lists.
  • Use Hashcat to perform a dictionary attack on the remaining hashes.

Locate an Existing John the Ripper Potfile

In this step, you will locate and inspect the john.pot file. This file is automatically created by John the Ripper to store the hashes it has successfully cracked, along with their plaintext passwords. The default location for this file is within a hidden directory named .john in the user's home directory.

Our lab environment has been pre-configured with a john.pot file from a simulated previous cracking session. Let's view its contents.

Use the cat command to display the contents of the potfile. All your work will be done in the default ~/project directory, but the potfile is located in /home/labex/.john/.

cat ~/.john/john.pot

You should see the following output, which shows the hashes and the corresponding passwords that JtR has already found.

$1$abc$gqNud23o1vjR/pYd9gH7k/:password123
$1$def$H9g2s3kLd/fG1hJkLpQ9r/:labex
$1$ghi$aB4c5dE6fG7hI8jK9lM0n/:secret

Understand the Format of a JtR Potfile

In this step, we will analyze the structure of the john.pot file. Understanding this format is crucial for processing its data.

As you saw in the previous step, each line in the potfile has a specific format:

HASH:PLAINTEXT_PASSWORD

Let's break down the first line from our file:

$1$abc$gqNud23o1vjR/pYd9gH7k/:password123

  • $1$abc$gqNud23o1vjR/pYd9gH7k/: This is the full hash string that was cracked. This format (starting with $1$) indicates it's an MD5-crypt hash, commonly used in older Linux systems.
  • :: A colon is used as a delimiter, separating the hash from the password.
  • password123: This is the plaintext password that corresponds to the hash.

Our goal is to find out which hashes from our original list (all_hashes.txt) are not present in this potfile. To do that, we first need to isolate just the hash portion from each line in john.pot. We will do this in the next step. This current step is for conceptual understanding, so there are no commands to execute.

Extract Hashes from the JtR Potfile

In this step, you'll extract only the hash values from the john.pot file. We can use the cut command, a standard Linux utility for cutting out sections from each line of a file.

We will tell cut to use the colon (:) as a delimiter and to extract the first field (-f1). We'll redirect the output to a new file named cracked_hashes.txt in your current directory (~/project).

Execute the following command in your terminal:

cut -d: -f1 ~/.john/john.pot > cracked_hashes.txt

Now, verify that the file was created correctly by viewing its contents:

cat cracked_hashes.txt

The output should contain only the hash strings:

$1$abc$gqNud23o1vjR/pYd9gH7k/
$1$def$H9g2s3kLd/fG1hJkLpQ9r/
$1$ghi$aB4c5dE6fG7hI8jK9lM0n/

Reformat the Hashes for a Hashcat Attack

In this step, you will identify the hashes that JtR failed to crack. You have a file with all the original hashes (all_hashes.txt) and a file with the hashes that have already been cracked (cracked_hashes.txt). By comparing these two files, you can create a new list containing only the uncracked hashes.

We will use the grep command to accomplish this. The flags we'll use are:

  • -v: Invert the match, selecting non-matching lines.
  • -F: Treat patterns as fixed strings, not regular expressions.
  • -f file: Obtain patterns from the specified file.

This command will read the patterns from cracked_hashes.txt and remove any matching lines from all_hashes.txt, saving the result to uncracked_hashes.txt.

grep -v -F -f cracked_hashes.txt all_hashes.txt > uncracked_hashes.txt

Now, check the contents of your new file. It should contain the three hashes that were not in the potfile.

cat uncracked_hashes.txt

You should see the following output:

user4:$1$jkl$oP1qR2sT3uV4wX5yZ6a7b/
user5:$1$mno$c8d9e0f1g2h3i4j5k6l7m/
user6:$1$pqr$n9o8p7q6r5s4t3u2v1w0x/

This file is now ready to be used with Hashcat.

Use Hashcat to Attempt Cracking on Hashes JtR Missed

In this final step, you will use Hashcat to attack the remaining hashes. Hashcat is a very fast and versatile password cracker that can leverage GPUs for massive performance gains.

The basic syntax for a dictionary attack with Hashcat is hashcat -m <mode> <hash_file> <wordlist_file>.

  • -m 500: This specifies the hash type. 500 corresponds to MD5-crypt, which is the type of hash we are working with.
  • --force: This option is often needed in virtualized or containerized environments like this lab to bypass warnings and force Hashcat to run.

Now, run Hashcat against the uncracked_hashes.txt file using the provided wordlist.txt.

hashcat -m 500 --force uncracked_hashes.txt wordlist.txt

Hashcat will start. You will see status information as it runs. Since our wordlist is small and contains the correct passwords, the process will be very fast.

...
Session..........: hashcat
Status...........: Running
Hash.Name........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: uncracked_hashes.txt
...
Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Cracked
...

Once Hashcat finishes, it stores the cracked passwords in its own potfile. To view the newly cracked passwords, you can use the --show option.

hashcat -m 500 --force --show uncracked_hashes.txt

The output will display the hashes and their newly discovered plaintext passwords.

$1$jkl$oP1qR2sT3uV4wX5yZ6a7b/:dragon
$1$mno$c8d9e0f1g2h3i4j5k6l7m/:qwerty
$1$pqr$n9o8p7q6r5s4t3u2v1w0x/:sunshine

Congratulations, you have successfully used the output of one cracking tool to guide the input of another!

Summary

In this lab, you learned a practical workflow for combining the strengths of different password cracking tools. You started with a pre-existing John the Ripper potfile, which represents the results of a previous cracking session.

You successfully:

  • Located and interpreted the contents of a john.pot file.
  • Used the cut command to extract specific data fields.
  • Used the grep command to compare two lists and isolate the uncracked hashes.
  • Launched a Hashcat dictionary attack on the remaining hashes and successfully cracked them.

This process of identifying remaining work and passing it to another tool is a highly efficient strategy in real-world security assessments, allowing you to cover more ground and increase your chances of success.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux