John The Ripper Crack Sha512 Encryption



On Ubuntu 12.04 I created several users and passwords, then promptly proceeded to try to crack those passwords with John the Ripper. One password is very strong, but the others are in my wordlists. John is still running, but I've got two cracked so far in about 20 minutes. Everything I read talks about whether the salt is known or not.

    $ john unshadowed
    Warning: detected hash type 'sha512crypt', but the string is also recognized as 'crypt'
    Use the '-format=crypt' option to force loading these as that type instead
    Using default input encoding: UTF-8
    Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ SHA512 128/128 SSE2 2x)
    Press 'q' or Ctrl-C to.

Posted: October 29, 2015.

May 03, 2020

John the Ripper is an advanced password cracking tool used by many; it is free and open source. John the Ripper was initially developed for the UNIX operating system, but it now works on fifteen different platforms. John the Ripper is widely used to reduce the risk to network security caused by weak passwords, as well as to measure other security flaws. John the Ripper is a widely known and verified fast password cracker, available for Windows, DOS, BeOS, OpenVMS and many flavours of Linux. It uses wordlists/dictionaries to crack many different types of hashes, including MD5, SHA, etc.

In this post I will show you how to crack Windows passwords using John The Ripper.

John the Ripper is a fast password cracker, primarily for cracking Unix (shadow) passwords. Other than Unix-type encrypted passwords, it also supports cracking Windows LM hashes and many more with open source contributed patches.

Now let's talk about the password protection method used by Windows. Windows user account passwords are typically stored in the SAM hive of the registry (which corresponds to the %SystemRoot%\system32\config\SAM file). In the SAM file the password is stored as an NTLM hash, which is very well known for its cryptanalysis weaknesses.


The SAM file is further encrypted with the SysKey (Windows 2000 and above), which is stored in the %SystemRoot%\system32\config\system file. During Windows boot, the hashes from the SAM file are decrypted using the SysKey and loaded into the registry, which is then used for authentication purposes. Both the system and SAM files are unavailable (i.e., locked by the kernel) to standard programs (like regedit) while Windows is running.

As mentioned earlier, the NTLM hash is very weak for protecting passwords. The NTLM hash algorithm is explained below:

  • The ASCII password is converted to uppercase
  • It is padded with nulls until it is 14 bytes long
  • It is split into two 7-byte arrays
  • Each 7-byte array is padded to 64 bits (8 bytes), which is used as a DES key
  • The string “KGS!@#$%” is DES-encrypted using each 7-byte array as the key (each gives an 8-byte result)
  • The two ciphertexts are joined to form the NTLM hash (16 bytes)
Major pitfalls of the NTLM hash
  • ASCII is not Unicode
  • Uppercasing reduces complexity
  • LM fails with passwords longer than 14 characters
  • Salting is not available
  • It is easy to determine whether the password is shorter or longer than 7 characters
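Added example, not part of the original post: a small Python audit that applies the last two pitfalls above (no salt, and a second DES half that reveals a password of at most seven characters) to a pwdump/samdump2-style dump, so a defender can see which accounts still expose LM material without cracking anything. The only real constants are the LM and NT hashes of the empty string; every other hex value in the constructed sample is a placeholder, and the user names are made up.

```python
"""Audit a pwdump/samdump2-style hash dump for LM-hash exposure.

Added example, not code from the original post. It reads lines in the
common  user:rid:lmhash:nthash:::  layout and classifies each account by
what the LM field alone reveals, without cracking anything. The only real
constants are the LM and NT hashes of the empty string, which Windows
stores when the LM hash is absent (LM disabled or password longer than
14 characters) or the password is empty; everything else in the sample
dump is made-up placeholder hex.
"""
from collections import Counter

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string
EMPTY_LM_HALF = EMPTY_LM[16:]                    # DES half of 7 null bytes
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string

# Constructed sample dump: only the two constants above are real hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
demo:1001:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
svc_backup:1002:0123456789abcdef0123456789abcdef:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
broken line without enough fields
"""


def is_hex32(s):
    """True for a 32-character lowercase hex string (one 16-byte hash)."""
    return len(s) == 32 and all(c in "0123456789abcdef" for c in s)


def parse_pwdump_line(line):
    """Return (user, rid, lm, nt) with lowercase hex, or None if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if not (is_hex32(lm) and is_hex32(nt)):
        return None
    return user, rid, lm, nt


def classify_lm(lm, nt):
    """Classify what the LM field reveals about the password."""
    if lm == EMPTY_LM and nt == EMPTY_NT:
        return "empty-password"      # both hashes are hashes of ""
    if lm == EMPTY_LM:
        return "lm-absent"           # LM disabled or password > 14 chars
    if lm[16:] == EMPTY_LM_HALF:
        return "lm-short"            # second half is 7 nulls: password <= 7 chars
    return "lm-long"                 # 8-14 chars: both halves hold password material


def audit(dump_text):
    """Map each well-formed account in the dump to its LM classification."""
    results = {}
    for line in dump_text.splitlines():
        parsed = parse_pwdump_line(line)
        if parsed is None:
            continue                 # skip malformed lines instead of failing
        user, _rid, lm, nt = parsed
        results[user] = classify_lm(lm, nt)
    return results


def summarize(results):
    """Count accounts per classification; anything but lm-absent needs attention."""
    return Counter(results.values())


if __name__ == "__main__":
    found = audit(SAMPLE_DUMP)
    for user, verdict in found.items():
        print(f"{user:15s} {verdict}")
    print(dict(summarize(found)))
```

Any account reported as lm-short or lm-long still has an LM hash on disk, which is the condition the pitfalls list describes; the fix on the Windows side is to disable LM hash storage and have those users change their passwords so the stored LM value becomes the empty constant.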
Cracking Windows Passwords with John The Ripper

For the sake of demonstrating this I had already set up a dummy account called demo and given it the password iRock, which will be cracked later on.


User Accounts showing demo user

I booted using the Ubuntu LiveCD and mounted my Windows partition - /dev/sda1

Then copied SAM and system files to /home/prakhar

Then installed samdump2 and John The Ripper:

Then dumped the SysKey and NTLM hashes from the system and SAM files, respectively:


NTLM hashes recovered from SAM file


I then brute-forced the password using John The Ripper:

As you can clearly see above, JTR cracked the password within a matter of seconds; I aborted the session since the password was already recovered. Mission accomplished!

Each time I teach my Security class, I give a month-long lab to crack as many passwords as possible. For this fall’s contest (opened on October 7, 2018), I used three different hash types: NTLM, MD5, and SHA-512. The password hashes (16 total):


65 total submissions. The answers:

  • (MD5) yogibear:L1verpool! => 11 students cracked this
  • (MD5) bigbear:unbelievable => 60 students cracked this
  • (MD5) grizzlybear:zxcasdqwe123 => 56 students cracked this
  • (MD5) pandabear:vulmjz => 7 students cracked this
  • (MD5) yolandabear:kx7yy4 => 5 students cracked this
  • (MD5) fancybear:sx708n => 7 students cracked this
  • (MD5) jojobear:wmOhL3u4J => 0 students cracked this
  • (SHA512) smokeybear:asdf => 60 students cracked this
  • (SHA512) cocobear:meatball => 60 students cracked this
  • (SHA512) yetibear:06mulesystems => 8 students cracked this
  • (SHA512) blackbear:mzpixl => 3 students cracked this
  • (SHA512) fozziebear:320299 => 18 students cracked this
  • (SHA512) pedrobear:R6iLFUgG => 0 students cracked this
  • (NTLM) cozybear:doofus => 62 students cracked this
  • (NTLM) chicagobear:ihateyou => 62 students cracked this
  • (NTLM) teddybear:w7zbyt => 45 students cracked this

To earn all 10 points for the lab, students had to crack 6 passwords. The final distribution:

The winners (tied) cracked 14 of the 16 passwords.

Student 1’s haul and methodology:


Student 2’s haul:


Student 2’s methodology:


To crack the majority of the passwords I’ve completed so far, I used John the Ripper and Hashcat. I began by using a series of wordlists on both the MD5 and SHA512 passwords, which I divided into two separate files consisting of only passwords hashed with the respective algorithms. To this point, I’ve used a scattering of the wordlists from the Seclists/Leaked-Databases folder, and have had the most success with rockyou.txt. Using rockyou.txt, I cracked two of the MD5 hashes and three of the SHA512 hashes.

I then applied a series of different rules to some of these wordlists, for both MD5 and SHA512 hashed passwords. For the SHA512 passwords, I have been using my computer at home (with a decent graphics card) to speed up the process. Using these rules, and Hashcat which I’ve found to be a better option for GPU cracking, I cracked another of the MD5 hashed passwords.

After using a number of wordlists with a collection of different rules, I turned to brute force incremental cracking, as well as Hashcat’s mask attack. Using these two brute force methods, I’ve cracked another three MD5 hashes, and one SHA512 hash.


For the NTLM passwords, I ran JtR (John the Ripper) with the default settings to crack two of the hashes. I considered using wordlists with rules to crack the remaining NTLM password, but ended up using a site (hashkiller.co.uk/ntlm-decrypter.aspx) with a huge number of computed NTLM hashes (since I noticed that these hashes weren’t salted) to crack this one.
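The question at the top of the page ("whether the salt is known or not") and Student 2's observation that the NTLM hashes weren't salted are the same point seen from two sides: a crypt(3) entry such as sha512crypt stores its salt in the clear, so the salt is always known, and what it buys is that precomputed tables are useless and every hash costs fresh work, which is why the salted SHA-512 lab hashes fell more slowly than the unsalted MD5 and NTLM ones. As an added example (not from the original post or either student), the Python below parses the public salt and round count out of a sha512crypt entry and finds password reuse among unsalted digests by grouping equal values, a check an instructor or auditor can run without cracking anything. The salted contrast uses PBKDF2-HMAC-SHA512 from the standard library as a stand-in for sha512crypt's salt-and-iterate construction, not sha512crypt itself; all entries and user names are constructed.

```python
"""Two audit checks on a hash list that need no cracking at all.

Added example, not code from the original post or the student's write-up.
(1) sha512crypt entries ("$6$[rounds=N$]salt$hash") carry their salt in
    the clear, so "is the salt known?" is always yes; the salt only
    defeats precomputed tables and forces per-hash work.
(2) Unsalted digests (MD5, NTLM) are deterministic, so equal digests
    mean equal passwords: grouping them exposes password reuse directly.
For the salted contrast this uses PBKDF2-HMAC-SHA512 from the standard
library as a stand-in for sha512crypt's salt-and-iterate construction;
it is not sha512crypt itself. All sample entries are constructed.
"""
import hashlib
import re

# $6$, optionally rounds=N$, then a salt of up to 16 chars from the crypt
# alphabet, then the 86 chars that encode the 64-byte digest.
SHA512CRYPT = re.compile(
    r"^\$6\$(?:rounds=(\d+)\$)?([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]{86})$"
)
DEFAULT_ROUNDS = 5000  # glibc default when no rounds= field is present


def parse_sha512crypt(entry):
    """Split a sha512crypt string into its public parts; ValueError if malformed."""
    m = SHA512CRYPT.match(entry)
    if m is None:
        raise ValueError("not a sha512crypt entry")
    rounds = int(m.group(1)) if m.group(1) else DEFAULT_ROUNDS
    return {"rounds": rounds, "salt": m.group(2), "hash": m.group(3)}


def salted_hash(password, salt, rounds=DEFAULT_ROUNDS):
    """Stand-in for a salted, iterated hash (PBKDF2-HMAC-SHA512, not sha512crypt)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds).hex()


def same_password_same_salt_collides(password):
    """Same salt reproduces the hash (needed for verification); a different salt does not."""
    a = salted_hash(password, b"constructed-salt-A")
    b = salted_hash(password, b"constructed-salt-B")
    c = salted_hash(password, b"constructed-salt-A")
    return a == c and a != b


def group_unsalted(entries):
    """entries: (user, hexdigest) pairs. Return {digest: [users]} for digests shared by >1 user."""
    groups = {}
    for user, digest in entries:
        groups.setdefault(digest.lower(), []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def md5_hex(password):
    """Unsalted MD5 as used for the lab's MD5 hashes."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed unsalted MD5 list: two accounts share a password.
SAMPLE_MD5 = [
    ("alice", md5_hex("meatball")),
    ("bob", md5_hex("zxcasdqwe123")),
    ("carol", md5_hex("meatball")),
    ("dave", md5_hex("R6iLFUgG")),
]

# Constructed sha512crypt-shaped entry; the 86-char tail is a placeholder, not a real digest.
SAMPLE_CRYPT = "$6$rounds=10000$lab.salt$" + "x" * 86


if __name__ == "__main__":
    print(parse_sha512crypt(SAMPLE_CRYPT))
    print("salt changes the output:", same_password_same_salt_collides("meatball"))
    print("password reuse via identical MD5:", group_unsalted(SAMPLE_MD5))
```

The grouping check is why the absence of a salt matters to a defender even before any cracking: in an unsalted list, every pair of accounts with the same digest shares a password, and a single precomputed table entry covers all of them, which is exactly what the lookup site used for the last NTLM hash exploits.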