2

I'm pentesting for a class in Kali Linux, cracking a Windows 7 password. I mounted the windows' hard drive in Kali, ran PWDUMP7 and got the hashes saved on the desktop. It's only showing some of the users, but not any that I created for testing...that's another issue by itself. The default system admin 'IEUser' should at least work, right?

I isolated that hash into a single line .txt: IEUser:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::

When I run JtR in Wordlist mode, it cracks the password easily off the word list ('1234'). When I run it in Brute force mode using the following:

 cd /usr/share/john john ~/Desktop/samhash.txt -format=nt -user=IEUser

The result is: 

 Using default input encoding: UTF-8 Rules/masks using ISO-8859-1 Loaded 1 password hash (NT [MD4 128/128 AVX 4x3]) Press 'q' or Ctrl-C to abort, almost any other key for status password (IEUser) 1g 0:00:00:00 DONE 2/3 (2018-01-31 09:47) 16.66g/s 15033p/s 15033c/s 15033C/s 123456..qwerty Use the "--show" option to display all of the cracked passwords reliably Session completed

It appears to not even run, and using "Show" even says that it wasn't cracked. I have absolutely no idea what's going on with this, and nobody else seems to have this problem that I can see...What am I missing?

====

Edit: It was working correctly, "password" was the password, I just didn't understand the UI.

Improve this question

1 Answer 1

Reset to default
1

As best as i can figure, you are mistaken about what you expect. John finished quickly because it successfully cracked the password you requested. The rest is just error in using john --show as far as i can tell. I repeated your steps as follows:

echo "IEUser:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::" > ./Desktop/hash

Then we will start a normal cracking session, which will use a default wordlist.

root@oscpre:~/Desktop# john hash -format=nt -user=IEUser Using default input encoding: UTF-8 Rules/masks using ISO-8859-1 Loaded 1 password hash (NT [MD4 128/128 AVX 4x3]) Press 'q' or Ctrl-C to abort, almost any other key for status password (IEUser) 1g 0:00:00:00 DONE 2/3 (2018-01-31 14:16) 20.00g/s 18040p/s 18040c/s 18040C/s 123456..qwerty Use the "--show" option to display all of the cracked passwords reliably Session completed

The line password (IEUser) identifies a cracked password for user IEUser. The password is "password". We can check this by reversing the process using openssl to get the nt hash of "password".

root@oscpre:~/Desktop# printf '%s' "password" | iconv -t utf16le | openssl md4 (stdin)= 8846f7eaee8fb117ad06bdd830b7586c

We indeed see it matches our original input in hash.txt. Now we will show all cracked passwords for john in the format of nt using our pot file (the record john keeps of cracked passwords during sessions)

root@oscpre:~/Desktop# john hash --pot=../.john/john.pot -format=nt --show IEUser:password:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: 1 password hash cracked, 0 left

We see IEUser listed here with the password appended before the uid. All seems to be well?

Improve this answer
2
  • 1
    You are correct -- the text file with the hash kept pulling an old password "password", even though it had been changed since. I was expecting the new password to appear next to "Password" thinking that was a label, not the password. Noob mistake. Good catch. Commented Feb 1, 2018 at 1:18
  • No problem, we all make them :D Glad you got it all cleared up! Commented Feb 1, 2018 at 2:14

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.