1 00:00:00,850 --> 00:00:07,330 John the Ripper is a fast password cracker currently available for many flavors of Unix, Windows, DOS
2 00:00:07,330 --> 00:00:08,680 and OpenVMS.
3 00:00:09,460 --> 00:00:14,590 Initially developed for the Unix operating system, it now runs on 15 different platforms.
4 00:00:15,700 --> 00:00:22,160 It's one of the most popular password testing and breaking programs, as it combines a number of password
5 00:00:22,160 --> 00:00:23,770 crackers into one package.
6 00:00:24,490 --> 00:00:28,960 It auto-detects password hash types and includes a customizable cracker.
7 00:00:29,950 --> 00:00:35,920 John the Ripper is free and open source software, distributed primarily in source code form.
8 00:00:36,970 --> 00:00:42,280 If you'd rather use a commercial product tailored for your specific operating system, please consider
9 00:00:42,280 --> 00:00:43,360 John the Ripper Pro,
10 00:00:44,370 --> 00:00:50,280 which is distributed primarily in the form of native packages for the target operating systems and, in
11 00:00:50,280 --> 00:00:56,100 general, is meant to be easier to install and use while delivering optimal performance.
12 00:00:58,160 --> 00:01:03,110 Now there is another version of John, which is the community-enhanced version.
13 00:01:04,010 --> 00:01:13,640 This version integrates lots of contributed patches, adding GPU support (OpenCL and CUDA) for 100 additional
14 00:01:13,640 --> 00:01:20,720 hash and cipher types, including popular ones such as NTLM, raw MD5, etc., and even things
15 00:01:20,720 --> 00:01:28,430 such as encrypted OpenSSH private keys, ZIP and RAR archives, PDF files, etc.,
16 00:01:29,520 --> 00:01:32,070 as well as some optimizations and features.
17 00:01:33,420 --> 00:01:35,580 So let's see John the Ripper in action.
18 00:01:38,670 --> 00:01:43,560 The official, free and open source version of John the Ripper is embedded in Kali.
19 00:01:44,450 --> 00:01:51,440 If you type john with no parameters, you'll see the manual page of the tool: the usage and
20 00:01:51,440 --> 00:01:52,790 all the options of John.
21 00:01:53,930 --> 00:01:56,970 Let's build an offline dictionary attack with John.
22 00:01:58,140 --> 00:02:00,720 The first parameter is the word list.
23 00:02:01,410 --> 00:02:04,560 Don't forget to put the equals sign after the parameter.
24 00:02:05,690 --> 00:02:09,170 The name of the dictionary file, with the full path, comes here.
25 00:02:10,810 --> 00:02:16,180 So I'll open another terminal screen and search for a password list using the find command.
26 00:02:22,430 --> 00:02:26,840 Now there is a folder called wordlists under the Metasploit Framework folder.
27 00:02:27,380 --> 00:02:29,330 Let's go to that folder to see its content.
28 00:02:32,070 --> 00:02:35,310 And there are a lot of word lists here for different purposes.
29 00:02:35,940 --> 00:02:40,470 Right now, I want to look at the length of the password list file.
30 00:02:41,470 --> 00:02:46,930 cat password.lst, pipe, wc for word count.
31 00:02:47,200 --> 00:02:53,070 The first one is the number of lines and the second one is the number of words, which is the same as
32 00:02:53,080 --> 00:02:53,830 the number of lines.
33 00:02:54,100 --> 00:02:56,560 And the third one is the number of characters.
34 00:02:56,800 --> 00:02:59,620 So there are about 90000 passwords in this list.
35 00:03:00,580 --> 00:03:03,470 I'll view the file with the less command.
36 00:03:04,550 --> 00:03:09,440 You can search for a word inside the less command by pressing the slash key.
37 00:03:10,250 --> 00:03:12,620 So I'll search for the password of the administrator.
38 00:03:13,130 --> 00:03:13,670 No result.
39 00:03:14,900 --> 00:03:17,060 msfadmin, no result.
40 00:03:18,190 --> 00:03:24,800 So note here that these steps are just to get a successful result; in a typical penetration test
41 00:03:24,820 --> 00:03:27,850 you won't know the passwords of the victim systems.
42 00:03:28,850 --> 00:03:33,380 Beyond that, if you already know the password of the victim, well, what's the reason for adding it
43 00:03:33,380 --> 00:03:35,030 to a dictionary and then finding it again?
44 00:03:36,020 --> 00:03:41,000 Suppose that these steps never happened, and the words were already in the list that was used, right?
45 00:03:42,340 --> 00:03:48,250 Now I'll open the dictionary and add a few words, so I'll repeat that we're just supposing that this
46 00:03:48,250 --> 00:03:52,120 process never happened and the words were already in the list.
47 00:03:52,210 --> 00:03:54,040 But I just want to show you the mechanics of it.
48 00:03:58,290 --> 00:04:02,190 So now we can use this list as the word list in John.
49 00:04:03,190 --> 00:04:05,530 So, write the file name with the full path.
50 00:04:13,160 --> 00:04:15,320 The second parameter is the hash file.
51 00:04:17,830 --> 00:04:21,000 Now I'll run the command, adding no more parameters for now.
52 00:04:23,450 --> 00:04:31,130 So if you don't specify the hash type, John detects it itself: it detected the hash type as LM and
53 00:04:31,130 --> 00:04:32,960 warns us about the NT hash.
54 00:04:33,930 --> 00:04:34,950 And here are the results.
55 00:04:36,000 --> 00:04:37,650 Guest's password is empty.
56 00:04:38,280 --> 00:04:44,760 It also shows the first part of the Administrator's hash and the second part of Cyber Labs' hash.
57 00:04:45,240 --> 00:04:47,910 And as you see, here in all uppercase letters.
58 00:04:49,620 --> 00:04:55,980 Now, I'll recall the latest command and add the format parameter, NT this time, and hit enter.
59 00:04:57,100 --> 00:04:57,850 Here are the results.
60 00:04:59,030 --> 00:05:03,950 Now we see all the letters in their own format, uppercase or lowercase.
61 00:05:05,280 --> 00:05:08,850 So now I want to try to crack the Windows 8 hashes.
62 00:05:09,780 --> 00:05:12,690 So I'll give it the hash file of the Windows 8 system this time.
63 00:05:13,770 --> 00:05:16,560 I remove the format parameter and run the command.
64 00:05:17,310 --> 00:05:21,180 John recognizes the hashes as LM and gets no result.
65 00:05:22,170 --> 00:05:24,570 So let's give the hash format.
66 00:05:29,340 --> 00:05:30,420 Now we have a result.
67 00:05:31,420 --> 00:05:34,360 The password of the Udemy user is Udemy 12.
68 00:05:35,030 --> 00:05:35,770 But wait a sec.
69 00:05:36,760 --> 00:05:43,330 Windows 8 has a user with the password one two three four QQQ, uppercase Q, and dot, which
70 00:05:43,660 --> 00:05:47,620 is the same as the password of the Administrator user of Windows XP.
71 00:05:48,670 --> 00:05:53,140 We know that the word is in the dictionary, so why couldn't John crack it?
72 00:05:54,610 --> 00:05:58,030 Well, the answer is inside the john.pot file.
73 00:05:58,450 --> 00:06:01,630 So let's find its location using the Linux find command.
74 00:06:02,690 --> 00:06:05,510 And let's see the content of the file with the cat command.
75 00:06:09,580 --> 00:06:15,220 So, John stores its findings in the john.pot file along with the hash format.
76 00:06:15,610 --> 00:06:20,230 And if it finds the same hash with the same format, it doesn't try to crack it again.
77 00:06:20,500 --> 00:06:27,250 So you should look at the john.pot file for the hashes you try to crack with John, right?
78 00:06:28,450 --> 00:06:33,730 So if we run the latest command again, it won't crack any hash, because they've all been cracked
79 00:06:33,730 --> 00:06:34,210 before.
80 00:06:36,000 --> 00:06:38,790 So if you delete the john.pot file
81 00:06:41,420 --> 00:06:46,370 and run the latest command again, you'll see all the cracked results of the hash file.
82 00:06:48,540 --> 00:06:54,990 Good, so let's move on and try to crack the hashes of the Metasploitable Linux VM. Now the hash file
83 00:06:54,990 --> 00:06:57,100 is hash M2 text.
84 00:06:58,050 --> 00:06:59,910 And don't give the format parameter.
85 00:07:00,150 --> 00:07:03,690 I'll let John detect the hash type and hit enter.
86 00:07:04,780 --> 00:07:08,050 So it detected the hash type as md5crypt.
87 00:07:08,260 --> 00:07:09,130 And that's correct.
88 00:07:10,440 --> 00:07:11,010 So look at that.
89 00:07:11,190 --> 00:07:16,380 We cracked the passwords; the passwords of the Metasploitable users are not so complicated, are they?
90 00:07:17,370 --> 00:07:19,530 So look at the john.pot file once more.
91 00:07:20,670 --> 00:07:26,730 And now you see the new hashes are stored with $1$, where 1 stands for MD5.
92 00:07:27,650 --> 00:07:28,090 Excellent.
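Added example, not from the course: a small Python model of the john.pot behaviour described above (each cracked hash, or LM half, is stored with its format tag, and a hash that is already in the pot is skipped on later runs). The pwdump and shadow lines and all hashes are constructed placeholders, except the well-known empty-password LM half and NT hash used for Guest.

```python
# Added example (not the course's or John the Ripper's own code): models why John
# skips hashes that are already present in john.pot.
# Assumptions: pwdump-style lines "user:rid:LMhash:NThash:::" for LM/NT, and
# shadow-style lines "user:$1$salt$hash:..." for md5crypt. Hashes are constructed
# placeholders except the empty-password LM half and NT hash (Guest's empty password).
POT_TEXT = """\
$LM$aad3b435b51404ee:
$NT$31d6cfe0d16ae931b73c59d7e0c089c0:
$LM$0123456789abcdef:SECRET1
$1$SaLt1234$constructedplaceholder0000:msfadmin
"""

PWDUMP_LINES = [  # constructed
    "Administrator:500:0123456789ABCDEFFEDCBA9876543210:89abcdef0123456789abcdef01234567:::",
    "Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::",
]
SHADOW_LINES = ["msfadmin:$1$SaLt1234$constructedplaceholder0000:14747:0:99999:7:::"]  # constructed


def _norm(tagged):
    """LM/NT hex digits are case-insensitive; crypt(3) strings such as $1$salt$hash are not."""
    return tagged.lower() if tagged.startswith(("$LM$", "$NT$")) else tagged


def parse_pot(text):
    """john.pot holds one '<tagged hash>:<plaintext>' line per cracked hash (or LM half)."""
    cracked = {}
    for line in text.splitlines():
        if line:
            tagged, plain = line.split(":", 1)
            cracked[_norm(tagged)] = plain
    return cracked


def load_hashes(lines, fmt):
    """Yield (user, tagged hash) pairs as John would load them for the given --format."""
    for line in lines:
        fields = line.split(":")
        user = fields[0]
        if fmt == "LM":          # LM is two independent 7-character halves, cracked separately
            lm = fields[2]
            yield user, "$LM$" + lm[:16]
            yield user, "$LM$" + lm[16:]
        elif fmt == "NT":
            yield user, "$NT$" + fields[3]
        else:                    # crypt-style hashes already carry their own tag, e.g. $1$
            yield user, fields[1]


def uncracked(lines, fmt, pot):
    """Hashes John would still work on: anything already in the pot is skipped."""
    return [(u, t) for u, t in load_hashes(lines, fmt) if _norm(t) not in pot]
```

Deleting the pot (or pointing John at a fresh one) is what makes the already-cracked entries show up again, which is the effect the lecture demonstrates.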