Tools Archives | VK9 Security

Create a wordlist using hashcat

by Vry4n_ | Jun 15, 2021 | Tools

This publication is intended to guide you through to create a custom wordlist using hashcat.

1. First create or have already a word list. (I created a 4 words list)

cat mylist.txt

2. if you want to add dates next to the work you cant create a wordlist

for i in $(cat mylist.txt); do echo $i; echo ${i}2020; echo ${i}2021; done >> mylist2.txt
cat mylist2.txt

3. Now we will apply hashcat rules to this word list, the rules are located at /usr/share/hashcat/rules

ls /usr/share/hashcat/rules

4. I’d use best64 rule

hashcat --force --stdout mylist2.txt -r /usr/share/hashcat/rules/best64.rule > mylist3.txt
wc -l mylist3.txt

Note: Now we got a 924 lines

5. Read the file & inspect it

cat mylist3.txt

Droopescan – How to use

by Vry4n_ | Mar 15, 2021 | Tools

A plugin-based scanner that aids security researchers in identifying issues with several CMS. (https://github.com/droope/droopescan)

Supported CMS are:

SilverStripe
WordPress
Drupal

Partial functionality for:

Joomla (version enumeration and interesting URLs only)
Moodle (plugin & theme very limited, watch out)

How to use

1. Download the application

git clone https://github.com/droope/droopescan.git
cd droopescan
ls

2. Install all dependencies

pip3 install -r requirements.txt

3. You may also need to install dscan

pip3 install dscan

4. Run the application now. Display basic help

-h, --help = show this help message and exit

python3.9 droopescan -h

5. Show scan options

droopescan scan --help

python3.9 droopescan scan --help

6. Run a basic scan

python3.9 droopescan scan drupal -u http://192.168.0.119

Fcrackzip – BruteForce ZIP protected files

by Vry4n_ | Feb 14, 2021 | Tools

fcrackzip is a third-party tool for cracking zip files passwords. It tries to brute force using a list of passwords.

Installation

sudo apt install fcrackzip

Before using fcrackzip we need a password protected zip file.

zip --password <password><filename.zip> <data>
zip --password vk9security new_file.zip data.txt

How to use

1. Show help

fcrackzip -h

-b: for using brute force algorithms.
-D: for using a dictionary.
-B: execute a small benchmark.
-c: use characters from charset.
-h: show the help message.
--version: show the version of this program.
-V: validate or check the algorithm.
-v: for verbose mode.
-p: for using a string as a password.
-l: for providing a specific length to password.
-u: for weed out wrong passwords.
-m: to specify the method number.

2. Define charsets to brute force

fcrackzip -b -c ‘Aa1’ new_file.zip
fcrackzip -b -c ‘Aa1’ -u new_file.zip

3. Using numeric password, verbose, and length -l <min><max>

fcrackzip -b -c ‘1’ -v-l 1-9 new_file.zip

4. Providing an initial password

fcrackzip -b -v -c 'a' -p vk9security new_file.zip

5. always use -u to point out the match

fcrackzip -b -v -c 'a' -p vk9security -u new_file.zip

6. Using a dictionary list file

fcrackzip -D -p ./pass.txt -u new_file.zip

Ssh2john how to

by Vry4n_ | Feb 3, 2021 | Tools

Ssh2john is part of John The Reaper suite. This is a script that basically transforms [RSA/DSA/EC/OPENSSH (SSH private keys) ] private key to john format for later cracking using JtR

How to

1. Having an RSA private key already

cat id_rsa

2. locate the ssh2john script using find

find / -iname *ssh2john* > /dev/null
locate *ssh2john*

3. Run the script against the RSA private key ‘id_rsa’, and create a new file with the content of the output

/usr/share/john/ssh2john.py
/usr/share/john/ssh2john.py id_rsa > id_rsa.john
cat id_rsa.john

4. Now that we created the new file named id_rsa.john, we need to run john against it. We will use rockyou.txt as the wordlist. The result is secretz101 as the password.

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.john

5. Knowing already the username of the owner of this private key. We can try to SSH to our target machine. We will use an uncommon port (4655)

ssh -i id_rsa stefano@192.168.0.7 -p 4655
Password: secretz101

WPScan is an open source WordPress security scanner. You can use it to scan your WordPress website for known vulnerabilities within the WordPress core, as well as popular WordPress plugins and themes.

This tool is available at: https://github.com/wpscanteam/wpscan, this comes installed in most security distributions.

How to use

1. Display help

wpscan --help
wpscan -h

2. Show tool version

wpscan --version

3. Don’t display banner

wpscan --nobanner --version

4. Update the database

wpscan --update

Scanning

1. Basic scan, you need to set the site that runs WordPress, it will run vulnerability scan

wpscan --url http://pinkydb

2. You can also run a more stealthy scan

wpscan --url http://pinkydb --stealthy

3. Scan for vulnerable plugins using --enumerate

wpscan --url http://pinkydb --enumerate vp

4. Check for vulnerable theme

wpscan --url http://pinkydb --enumerate vt

5. Enumerate users

wpscan --url http://pinkydb --enumerate u
wpscan --url http://pinkydb--enumerate u1-1000

6. Use a custom user agent

wpscan --url http://pinkydb --user-agent ‘Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15’

7. Use a random user agent

wpscan --url http://pinkydb --random-user-agent

8. Set the threats to run the scan faster default 5

wpscan --url http://pinkydb -t 10

9. Send through a proxy, in BurpSuite we can also confirm our spoofed user agent.

wpscan --url http://pinkydb --user-agent ‘Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15’ --proxy http://127.0.0.1:8080

10. You can also set a cookie, if the page requires any

wpscan --url http://pinkydb --cookie-string <cookie>

11. Scan API

api-token <token>

12. If WordPress doesn’t locate the page automatically you can set the location, also, plugins have a similar option

wpscan --url http://pinkydb --wp-content-dir <DIR>
wpscan --url http://pinkydb --wp-plugin-dir <DIR>

13. Run a more aggressive scan (mixed, passive, aggressive)

wpscan --url http://pinkydb --detection-mode aggressive

14. Run a more aggressive plugin detection mode (mixed, passive, aggressive)

wpscan --url http://pinkydb --plugins-detection aggressive
wpscan --url http://pinkydb --plugins-version-detection aggressive

15. Define a URI if the WordPress login page is different than /wp-login.php

wpscan --url http://pinkydb --login-uri /wordpress/login.php

16. Supply usernames for enumeration

wpscan --url http://pinkydb -U user_list.txt --enumerate u

Cracking Password John The Ripper

by Vry4n_ | Apr 1, 2020 | Tools

John the Ripper is a fast password cracker, currently available for many flavors of Unix, macOS, Windows, DOS, BeOS, and OpenVMS (the latter requires a contributed patch). Its primary purpose is to detect weak passwords.

It is one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, auto-detects password hash types, and includes a customizable cracker

It comes preinstalled in most security distributions. you just need to supply it a password file and the desired options. If no mode is specified, john will try "single" first, then "wordlist" and finally "incremental". (see later)

Getting started

1. Run john to see some options

john --help

2. Listing help

john --list=help

3. Check the supported formats

john –list=formats

4. List the supported subformats

john –list=subformats

5. List rules

john --list=rules

6. It is good practice to test hardware and resources before using john

john --test

Modes

John the Ripper works in 3 distinct modes to crack the passwords, if none is specified it will go through each one of them

Single Crack Mode
Wordlist Crack Mode
Incremental Mode

Single Crack Mode (GECOS)

When running in "single crack" mode, JtR itself takes the login name, the home directory name, extracts "words" from the GECOS field, and it uses all of these as input to "single crack" mode rules. Since the information is only used against passwords for the accounts it was taken from (and against password hashes which happened to be assigned the same salt), "single crack" mode is much faster than wordlist mode.

This permits for the use of a much larger set of word mangling rules with "single crack", and their use is always enabled with this mode. Successfully guessed passwords are also tried against all loaded password hashes just in case more users have the same password.

GECOS

username:password:userid:groupid:gecos:home-dir:shell
:FullName,RoomAddress,WorkPhone,HomePhone,Others:

Rules information syntax

https://www.openwall.com/john/doc/RULES.shtml

Rules config

https://www.openwall.com/lists/john-users/2010/04/05/4
https://openwall.info/wiki/_media/john/korelogic-rules-20100801.txt
/etc/john/john.conf

Rule syntax explained

l	convert to lowercase
u	convert to uppercase
c	capitalize
C	lowercase the first character, and uppercase the rest
l r	lowercase the word and reverse it
r	reverse: "Fred" -> "derF"
l Az"2015"	lowercase the word and append at end of the word (Az) the number 2015
d	duplicate: "Fred" -> "FredFred"
l A0"2015"	lowercase the word and prepend at beggining of the word (A0) the number 2015
A0"#"Az"#"	Add # to the beginning and end of the word
t	toggle case of all characters in the word
TN	toggle case of the character in position N
f	reflect: "Fred" -> "FredderF"
{	rotate the word left: "jsmith"-> "smithj"
}	rotate the word right: "smithj" -> "jsmith
$X	append character X to the word
^X	prefix the word with character X
[	Remove the first char from the word
]	Remove the last char from the word
DN	delete the character in position N
xNM	extract substring from position N for up to M characters
iNX	insert character X in position N and shift the rest right
oNX	overstrike character in position N with character X
s	shift case: "Crack96" -> "cRACK(^"
V	lowercase vowels, uppercase consonants: "Crack96" -> "CRaCK96"
R	shift each character right, by keyboard: "Crack96" -> "Vtsvl07"
L	shift each character left, by keyboard: "Crack96" -> "Xeaxj85"
<N	reject the word unless it is less than N characters long
>N	reject the word unless it is greater than N characters long
'N	truncate the word at length N

Types for formats

https://openwall.info/wiki/john/hash-formats

Example Single crack

secret:dd02c7c2232759874e1c205587017bed

The hashed password is also “secret”, in case that the word is case sensitive you need to adjust the rules to fit your needs.

john --single --format=raw-md5 hash.txt

Wordlist Crack Mode (Dictionary)

This is the simplest cracking mode supported by John. All you need to do is specify a wordlist (a text file containing one word per line) and some password files.

You can enable word mangling rules (which are used to modify or "mangle" words producing other likely passwords). If enabled, all of the rules will be applied to every line in the wordlist file producing multiple candidate passwords from each source word.

Consider the following

The wordlist should not contain duplicate lines
John does not sort entries in the wordlist since that would consume a lot of resources and would prevent you from making John try the candidate passwords in the order that you define
John runs a bit faster if each candidate password it tries only differs from the previous one by a few characters
if your wordlist is sorted alphabetically, you do not need to bother about some wordlist entries being longer than the maximum supported password length for the hash type you're cracking
If no wordlist is set, john will use its default

In this mode John the ripper uses a wordlist that can also be called a Dictionary and it compares the hashes of the words present in the Dictionary with the password hash.

Example

In this case we have a custom wordlist, and a hash that we need to compare

vk9security:a4d80eac9ab26a4a2da04125bc2c096a

cat wordlist.txt
cat hash.txt
john --wordlist=wordlist.txt --format=raw-md5 hash.txt

Incremental mode (Bruteforce)

This is the most powerful cracking mode, it can try all possible character combinations as passwords. However, it is assumed that cracking with this mode will never terminate because of the number of combinations being too large

it will terminate if you set a low password length limit or make it use a small charset
To use the mode you need a specific definition for the mode's parameters, including password length limits and the charset to use

Type of incremental modes

cat /etc/john/john.conf | grep -i incremental

--incremental:Lower (26 char)
--incremental:Alpha(52 char)
--incremental:Digits(10 char)
--incremental:Alnum(62 char)

Cracking Digits only (Default numeric range is from 0 to 99999999999999999999)

Hash value is 123

john --incremental=Digits --format=raw-sha1 hash.txt

Cracking ASCII values

Has value is 123abc

john --incremental=ASCII --format=raw-sha1 has h.txt

Cracking different services example

Cracking Unix/Linux password

1. Create the file containing GECOS data

Unshadow = combines passwd and shadow files

sudo unshadow /etc/passwd /etc/shadow > hash.txt
cat hash.txt

2. run John against that, it goes through the list trying to crack each, this time it cracked 2 users

john hash.txt

Check results

3. To see the results you can point at the hash file as the name

john --show hash.txt

Cracking SSH Password Hash

1. Create a private key

ssh-keygen
<select the location of the new file>
<enter the password>
<confirm the password>

Id_rsa (private-key) & id_rsa.pub (public-key) have been created.

ls -l

2. I copied the key to /tmp and try to use it wth a different user other than the owner, only being able to read, we are asked for the id_rsa key

whoami
ls -l id_rsa
ssh -i id_rsa vry4n@localhost

3. Now, convert this encrypted file to john format using ssh2john

View before

cat id_rsa

Converting to john format

/usr/share/john/ssh2john.py id_rsa > new_key
cat new_key

View after

Wait until john finishes cracking

john new_key

As well as for SSH we have scripts to convert hashes from different tools (keepass2john, pdf2john, pcap2john) to john readable. All of those are located in John binary directory /usr/share/john/

ls /usr/share/john/

Examples of HASH formats

Here is the list of encryption technologies found in JtR:

UNIX crypt(3)
Traditional DES-based
“bigcrypt”
BSDI extended DES-based
FreeBSD MD5-based (linux and Cisco IOS)
OpenBSD Blowfish-based
Kerberos/AFS
Windows LM (DES-based)
DES-based tripcodes
SHA-crypt hashes (newer versions of Fedora and Ubuntu)
SHA-crypt and SUNMD5 hashes (Solaris)

afs – Kerberos AFS DES

Supported Hash Formats

$ cat hashes.txt

$K4$a8dc8aeaa2c48a97,

$ john hashes.txt

$ john --format=afs hashes.txt

$ cat hashes.txt

username:$K4$a8dc8aeaa2c48a97,

$ john hashes.txt

$ john --format=afs hashes.txt

$ cat hashes.txt

username:$K4$a8dc8aeaa2c48a97,:::::::

$ john hashes.txt

$ john --format=afs hashes.txt

bfegg – Eggdrop

Supported Hash Formats

$ cat hashes.txt

+C/.8o.Wuph9.

$ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES".

$ john --format=bfegg hashes.txt

$ cat hashes.txt

username:+C/.8o.Wuph9.

$ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES".

$ john --format=bfegg hashes.txt

$ cat hashes.txt

username:+C/.8o.Wuph9.:::::::

$ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES".

$ john --format=bfegg hashes.txt

bf – OpenBSD Blowfish

Supported Hash Formats

$ cat hashes.txt

$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy

$ john hashes.txt

$ john --format=bf hashes.txt

$ cat hashes.txt

username:$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy

$ john hashes.txt

$ john --format=bf hashes.txt

$ cat hashes.txt

username:$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy:::::::

$ john hashes.txt

$ john --format=bf hashes.txt

bsdi – BSDI DES

Supported Hash Formats

$ cat hashes.txt

_J9..SDSD5YGyRCr4W4c

$ john hashes.txt

$ john --format=bsdi hashes.txt

$ cat hashes.txt

username:_J9..SDSD5YGyRCr4W4c

$ john hashes.txt

$ john --format=bsdi hashes.txt

$ cat hashes.txt

username:_J9..SDSD5YGyRCr4W4c:::::::

$ john hashes.txt

$ john --format=bsdi hashes.txt

crypt – generic crypt(3)

Supported Hash Formats

$ cat hashes.txt

SDbsugeBiC58A

$ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES".

$ john --format=crypt hashes.txt

$ cat hashes.txt

username:SDbsugeBiC58A

$ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES".

$ john --format=crypt hashes.txt

$ cat hashes.txt

username:SDbsugeBiC58A:::::::

$ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES".

$ john --format=crypt hashes.txt

des – Traditional DES

Supported Hash Formats

$ cat hashes.txt

SDbsugeBiC58A

$ john hashes.txt

$ john --format=des hashes.txt

$ cat hashes.txt

username:SDbsugeBiC58A

$ john hashes.txt

$ john --format=des hashes.txt

$ cat hashes.txt

username:SDbsugeBiC58A:::::::

$ john hashes.txt

$ john --format=des hashes.txt

dominosec – More Secure Internet Password

Supported Hash Formats

$ cat hashes.txt

(GVMroLzc50YK/Yd+L8KH)

$ john hashes.txt

$ john --format=dominosec hashes.txt

$ cat hashes.txt

username:(GVMroLzc50YK/Yd+L8KH)

$ john hashes.txt

$ john --format=dominosec hashes.txt

$ cat hashes.txt

username:(GVMroLzc50YK/Yd+L8KH):::::::

$ john hashes.txt

$ john --format=dominosec hashes.txt

EPiServer SID Hashes

Supported Hash Formats

$ cat hashes.txt

0x5F1D84A6DE97E2BEFB637A3CB5318AFEF0750B856CF1836BD1D4470175BE 0x4D5EFDFA143EDF74193076F174AC47CEBF2F417F

$ john hashes.txt

$ # NB: There is no --format option for this hash type

$ cat hashes.txt

username:0x5F1D84A6DE97E2BEFB637A3CB5318AFEF0750B856CF1836BD1D4470175BE 0x4D5EFDFA143EDF74193076F174AC47CEBF2F417F

$ john hashes.txt

$ # NB: There is no --format option for this hash type

$ cat hashes.txt

username:0x5F1D84A6DE97E2BEFB637A3CB5318AFEF0750B856CF1836BD1D4470175BE 0x4D5EFDFA143EDF74193076F174AC47CEBF2F417F:::::::

$ john hashes.txt

$ # NB: There is no --format option for this hash type

hdaa – HTTP Digest access authentication

Supported Hash Formats

$ cat hashes.txt

$response$679066476e67b5c7c4e88f04be567f8b$user$myrealm$GET$/$8c12bd8f728afe56d45a0ce846b70e5a$00000001$4b61913cec32e2c9$auth

$ john hashes.txt

$ john --format=hdaa hashes.txt

$ cat hashes.txt

username:$response$679066476e67b5c7c4e88f04be567f8b$user$myrealm$GET$/$8c12bd8f728afe56d45a0ce846b70e5a$00000001$4b61913cec32e2c9$auth

$ john hashes.txt

$ john --format=hdaa hashes.txt

$ cat hashes.txt

username:$response$679066476e67b5c7c4e88f04be567f8b$user$myrealm$GET$/$8c12bd8f728afe56d45a0ce846b70e5a$00000001$4b61913cec32e2c9$auth:::::::

$ john hashes.txt

$ john --format=hdaa hashes.txt

hmac-md5 – HMAC MD5

Supported Hash Formats

$ cat hashes.txt

what do ya want for nothing?#750c783e6ab0b503eaa86e310a5db738

$ john hashes.txt

$ john --format=hmac-md5 hashes.txt

$ cat hashes.txt

username:what do ya want for nothing?#750c783e6ab0b503eaa86e310a5db738

$ john hashes.txt

$ john --format=hmac-md5 hashes.txt

$ cat hashes.txt

username:what do ya want for nothing?#750c783e6ab0b503eaa86e310a5db738:::::::

$ john hashes.txt

$ john --format=hmac-md5 hashes.txt

hmailserver – hmailserver

Supported Hash Formats

$ cat hashes.txt

cc06fa688a64cdeea43d3c0fb761fede7e3ccf00a9daea9c79f7d458e06f88327f16dd

$ john hashes.txt

$ john --format=hmailserver hashes.txt

$ cat hashes.txt

username:cc06fa688a64cdeea43d3c0fb761fede7e3ccf00a9daea9c79f7d458e06f88327f16dd

$ john hashes.txt

$ john --format=hmailserver hashes.txt

$ cat hashes.txt

username:cc06fa688a64cdeea43d3c0fb761fede7e3ccf00a9daea9c79f7d458e06f88327f16dd:::::::

$ john hashes.txt

$ john --format=hmailserver hashes.txt

ipb2 – IPB2 MD5

Supported Hash Formats

$ cat hashes.txt

$IPB2$2e75504633$d891f03a7327639bc632d62a7f302604

$ john hashes.txt

$ john --format=ipb2 hashes.txt

$ cat hashes.txt

username:$IPB2$2e75504633$d891f03a7327639bc632d62a7f302604

$ john hashes.txt

$ john --format=ipb2 hashes.txt

$ cat hashes.txt

username:$IPB2$2e75504633$d891f03a7327639bc632d62a7f302604:::::::

$ john hashes.txt

$ john --format=ipb2 hashes.txt

krb4 – Kerberos v4 TGT

Supported Hash Formats

$ cat hashes.txt

$af$ENGIN.UMICH.EDU$44feffd06e68e30bc8890e253760858d

$ john hashes.txt

$ john --format=krb4 hashes.txt

$ cat hashes.txt

username:$af$ENGIN.UMICH.EDU$44feffd06e68e30bc8890e253760858d

$ john hashes.txt

$ john --format=krb4 hashes.txt

$ cat hashes.txt

username:$af$ENGIN.UMICH.EDU$44feffd06e68e30bc8890e253760858d:::::::

$ john hashes.txt

$ john --format=krb4 hashes.txt

Supported Hash Formats

$ cat hashes.txt

$1$12345678$aIccj83HRDBo6ux1bVx7D1

$ john hashes.txt

$ john --format=md5 hashes.txt

$ cat hashes.txt

username:$1$12345678$aIccj83HRDBo6ux1bVx7D1

$ john hashes.txt

$ john --format=md5 hashes.txt

$ cat hashes.txt

username:$1$12345678$aIccj83HRDBo6ux1bVx7D1:::::::

$ john hashes.txt

$ john --format=md5 hashes.txt

$ cat hashes.txt

$apr1$Q6ZYh...$RV6ft2bZ8j.NGrxLYaJt9.

$ john hashes.txt

$ john --format=md5 hashes.txt

$ cat hashes.txt

username:$apr1$Q6ZYh...$RV6ft2bZ8j.NGrxLYaJt9.

$ john hashes.txt

$ john --format=md5 hashes.txt

$ cat hashes.txt

username:$apr1$Q6ZYh...$RV6ft2bZ8j.NGrxLYaJt9.:::::::

$ john hashes.txt

$ john --format=md5 hashes.txt

mediawiki – MediaWiki MD5s

Supported Hash Formats

$ cat hashes.txt

$B$113$de2874e33da25313d808d2a8cbf31485

$ john hashes.txt

$ john --format=mediawiki hashes.txt

$ cat hashes.txt

username:$B$113$de2874e33da25313d808d2a8cbf31485

$ john hashes.txt

$ john --format=mediawiki hashes.txt

$ cat hashes.txt

username:$B$113$de2874e33da25313d808d2a8cbf31485:::::::

$ john hashes.txt

$ john --format=mediawiki hashes.txt

mscash – M$ Cache Hash

Supported Hash Formats

$ cat hashes.txt

M$test1#64cd29e36a8431a2b111378564a10631

$ john hashes.txt # Doesn't work. JTR detects hash as "HMAC MD5".

$ john --format=mscash hashes.txt

$ cat hashes.txt

username:M$test1#64cd29e36a8431a2b111378564a10631

$ john hashes.txt # Doesn't work. JTR detects hash as "HMAC MD5".

$ john --format=mscash hashes.txt

$ cat hashes.txt

username:M$test1#64cd29e36a8431a2b111378564a10631:::::::

$ john hashes.txt # Doesn't work. JTR detects hash as "HMAC MD5".

$ john --format=mscash hashes.txt

mscash2 – M$ Cache Hash 2 (DCC2)

Supported Hash Formats

$ cat hashes.txt

$DCC2$10240#test1#607bbe89611e37446e736f7856515bf8

$ john hashes.txt # Doesn't work. JTR detects hash as "M$ Cache Hash".

$ john --format=mscash2 hashes.txt

$ cat hashes.txt

username:$DCC2$10240#test1#607bbe89611e37446e736f7856515bf8

$ john hashes.txt

$ john --format=mscash2 hashes.txt

$ cat hashes.txt

username:$DCC2$10240#test1#607bbe89611e37446e736f7856515bf8:::::::

$ john hashes.txt

$ john --format=mscash2 hashes.txt

mschapv2 – MSCHAPv2 C/R MD4 DES

Supported Hash Formats

$ cat hashes.txt

$MSCHAPv2$d94e7c7972b2376b28c268583e162de7$eba25a3b04d2c7085d01f842e2befc91745c40db0f792356$0677ca7318fd7f65ae1b4f58c9f4f400$lameuser

$ john hashes.txt

$ john --format=mschapv2 hashes.txt

$ cat hashes.txt

username:$MSCHAPv2$d94e7c7972b2376b28c268583e162de7$eba25a3b04d2c7085d01f842e2befc91745c40db0f792356$0677ca7318fd7f65ae1b4f58c9f4f400$lameuser

$ john hashes.txt

$ john --format=mschapv2 hashes.txt

$ cat hashes.txt

username:$MSCHAPv2$d94e7c7972b2376b28c268583e162de7$eba25a3b04d2c7085d01f842e2befc91745c40db0f792356$0677ca7318fd7f65ae1b4f58c9f4f400$lameuser:::::::

$ john hashes.txt

$ john --format=mschapv2 hashes.txt

mskrb5 – MS Kerberos 5 AS-REQ Pre-Auth

Supported Hash Formats

$ cat hashes.txt

$mskrb5$$$98cd00b6f222d1d34e08fe0823196e0b$5937503ec29e3ce4e94a051632d0fff7b6781f93e3decf7dca707340239300d602932154

$ john hashes.txt

$ john --format=mskrb5 hashes.txt

$ cat hashes.txt

username:$mskrb5$$$98cd00b6f222d1d34e08fe0823196e0b$5937503ec29e3ce4e94a051632d0fff7b6781f93e3decf7dca707340239300d602932154

$ john hashes.txt

$ john --format=mskrb5 hashes.txt

$ cat hashes.txt

username:$mskrb5$$$98cd00b6f222d1d34e08fe0823196e0b$5937503ec29e3ce4e94a051632d0fff7b6781f93e3decf7dca707340239300d602932154:::::::

$ john hashes.txt

$ john --format=mskrb5 hashes.txt

mssql05 – MS-SQL05

Supported Hash Formats

$ cat hashes.txt

0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908

$ john hashes.txt

$ john --format=mssql05 hashes.txt

$ cat hashes.txt

username:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908

$ john hashes.txt

$ john --format=mssql05 hashes.txt

$ cat hashes.txt

username:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908:::::::

$ john hashes.txt

$ john --format=mssql05 hashes.txt

mssql – MS-SQL

Supported Hash Formats

$ cat hashes.txt

0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254

$ john hashes.txt

$ john --format=mssql hashes.txt

$ cat hashes.txt

username:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254

$ john hashes.txt

$ john --format=mssql hashes.txt

$ cat hashes.txt

username:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254:::::::

$ john hashes.txt

$ john --format=mssql hashes.txt

mysql-fast – MYSQL_fast

Supported Hash Formats

$ cat hashes.txt

60671c896665c3fa

$ john hashes.txt

$ john --format=mysql-fast hashes.txt

$ cat hashes.txt

username:60671c896665c3fa

$ john hashes.txt

$ john --format=mysql-fast hashes.txt

$ cat hashes.txt

username:60671c896665c3fa:::::::

$ john hashes.txt

$ john --format=mysql-fast hashes.txt

mysql – MYSQL

Supported Hash Formats

$ cat hashes.txt

5d2e19393cc5ef67

$ john hashes.txt # Doesn't work. JTR detects hash as "MYSQL_fast".

$ john --format=mysql hashes.txt

$ cat hashes.txt

username:5d2e19393cc5ef67

$ john hashes.txt # Doesn't work. JTR detects hash as "MYSQL_fast".

$ john --format=mysql hashes.txt

$ cat hashes.txt

username:5d2e19393cc5ef67:::::::

$ john hashes.txt # Doesn't work. JTR detects hash as "MYSQL_fast".

$ john --format=mysql hashes.txt

mysql-sha1 – MySQL 4.1 double-SHA-1

Supported Hash Formats

$ cat hashes.txt

*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19

$ john hashes.txt

$ john --format=mysql-sha1 hashes.txt

$ cat hashes.txt

username:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19

$ john hashes.txt

$ john --format=mysql-sha1 hashes.txt

$ cat hashes.txt

username:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19:::::::

$ john hashes.txt

$ john --format=mysql-sha1 hashes.txt

netlm – LM C/R DES

Supported Hash Formats

$ cat hashes.txt

$NETLM$1122334455667788$0836F085B124F33895875FB1951905DD2F85252CC731BB25

$ john hashes.txt

$ john --format=netlm hashes.txt

$ cat hashes.txt

username:$NETLM$1122334455667788$0836F085B124F33895875FB1951905DD2F85252CC731BB25

$ john hashes.txt

$ john --format=netlm hashes.txt

$ cat hashes.txt

username:$NETLM$1122334455667788$0836F085B124F33895875FB1951905DD2F85252CC731BB25:::::::

$ john hashes.txt

$ john --format=netlm hashes.txt

netlmv2 – LMv2 C/R MD4 HMAC-MD5

Supported Hash Formats

$ cat hashes.txt

$NETLMv2$USER1$1122334455667788$B1D163EA5881504F3963DC50FCDC26C1$EB4D9E8138149E20

$ john hashes.txt

$ john --format=netlmv2 hashes.txt

$ cat hashes.txt

username:$NETLMv2$USER1$1122334455667788$B1D163EA5881504F3963DC50FCDC26C1$EB4D9E8138149E20

$ john hashes.txt

$ john --format=netlmv2 hashes.txt

$ cat hashes.txt

username:$NETLMv2$USER1$1122334455667788$B1D163EA5881504F3963DC50FCDC26C1$EB4D9E8138149E20:::::::

$ john hashes.txt

$ john --format=netlmv2 hashes.txt

netntlm – NTLMv1 C/R MD4 DES [ESS MD5]

Supported Hash Formats

$ cat hashes.txt

$NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233

$ john hashes.txt

$ john --format=netntlm hashes.txt

$ cat hashes.txt

username:$NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233

$ john hashes.txt

$ john --format=netntlm hashes.txt

$ cat hashes.txt

username:$NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233:::::::

$ john hashes.txt

$ john --format=netntlm hashes.txt

Supported Hash Formats

$ cat hashes.txt

$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2

$ john hashes.txt

$ john --format=pdf hashes.txt

$ cat hashes.txt

username:$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2

$ john hashes.txt

$ john --format=pdf hashes.txt

$ cat hashes.txt

$ john hashes.txt

$ john --format=pdf hashes.txt

phpass-md5 – PHPass MD5

Supported Hash Formats

$ cat hashes.txt

$H$9aaaaaSXBjgypwqm.JsMssPLiS8YQ00

$ john hashes.txt

$ john --format=phpass-md5 hashes.txt

$ cat hashes.txt

username:$H$9aaaaaSXBjgypwqm.JsMssPLiS8YQ00

$ john hashes.txt

$ john --format=phpass-md5 hashes.txt

$ cat hashes.txt

username:$H$9aaaaaSXBjgypwqm.JsMssPLiS8YQ00:::::::

$ john hashes.txt

$ john --format=phpass-md5 hashes.txt

phps – PHPS MD5

Supported Hash Formats

$ cat hashes.txt

$PHPS$433925$5d756853cd63acee76e6dcd6d3728447

$ john hashes.txt

$ john --format=phps hashes.txt

$ cat hashes.txt

username:$PHPS$433925$5d756853cd63acee76e6dcd6d3728447

$ john hashes.txt

$ john --format=phps hashes.txt

$ cat hashes.txt

username:$PHPS$433925$5d756853cd63acee76e6dcd6d3728447:::::::

$ john hashes.txt

$ john --format=phps hashes.txt

pix-md5 – PIX MD5

Supported Hash Formats

$ cat hashes.txt

NuLKvvWGg.x9HEKO

$ john hashes.txt

$ john --format=pix-md5 hashes.txt

$ cat hashes.txt

username:NuLKvvWGg.x9HEKO

$ john hashes.txt

$ john --format=pix-md5 hashes.txt

$ cat hashes.txt

username:NuLKvvWGg.x9HEKO:::::::

$ john hashes.txt

$ john --format=pix-md5 hashes.txt

po – Post.Office MD5

Supported Hash Formats

$ cat hashes.txt

0c78bdef7d5448105cfbbc9aaa490a44550c41c11bab48f9dbd8203ed313eef0

$ john hashes.txt

$ john --format=po hashes.txt

$ cat hashes.txt

username:0c78bdef7d5448105cfbbc9aaa490a44550c41c11bab48f9dbd8203ed313eef0

$ john hashes.txt

$ john --format=po hashes.txt

$ cat hashes.txt

username:0c78bdef7d5448105cfbbc9aaa490a44550c41c11bab48f9dbd8203ed313eef0:::::::

$ john hashes.txt

$ john --format=po hashes.txt

rar – rar

Supported Hash Formats

$ cat hashes.txt

$rar3$*0*c9dea41b149b53b4*fcbdb66122d8ebdb32532c22ca7ab9ec*24

$ john hashes.txt

$ john --format=rar hashes.txt

$ cat hashes.txt

username:$rar3$*0*c9dea41b149b53b4*fcbdb66122d8ebdb32532c22ca7ab9ec*24

$ john hashes.txt

$ john --format=rar hashes.txt

$ cat hashes.txt

username:$rar3$*0*c9dea41b149b53b4*fcbdb66122d8ebdb32532c22ca7ab9ec*24:::::::

$ john hashes.txt

$ john --format=rar hashes.txt