Ethical Hacking and Penetration Testing Guide



John the Ripper
John the Ripper (JTR) is an open source password cracker; it's one of the fastest password crackers around and is installed in the /pentest/passwords/john directory of BackTrack by default. JTR can be used to perform both brute-force attacks and dictionary-based attacks. JTR comes with a preinstalled wordlist, but I would not recommend using it as it's outdated. You can check packetstorm.org for some great wordlists.
Cracking LM/NTLM Passwords with JTR
You are already aware of the vulnerabilities in the cryptographic function of the LM hash. As all the passwords are converted to uppercase and divided into two 7-byte blocks, it becomes very easy to crack LM hashes. The only problem is that we don't know if the user is using a mixture of uppercase and lowercase letters for the password, because when we first crack the LM hashes, the result will be in uppercase. Most of the time you will be able to get access by just converting it to lowercase, or you can use JTR to crack the NTLM hashes for you.
So here is what the LM/NTLM hashes look like; we would copy the LM hash that is highlighted and save it in a notepad file and use JTR to crack it.
Command:
john /root/lmhash.txt
Within a few seconds JTR managed to crack the LM hash, which resolved to “PASSWORD,” but we don't know if our target machine is using “passWoRd” or “passWORD”, and since LM will only display the uppercase password, it won't be of much help.
In that case, we can use the password we found in the wordlist to crack the NTLM password.


Command:
./john --format=NT /root/ntlm.txt
So the NTLM password is passWoRd; we can now use it to log in to the machine.
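
From the defender's side, the LM weakness described above (two independent 7-byte blocks) can be audited directly in a hash export. The following is an added example, not code from the book: it assumes a pwdump-style text export (user:rid:LM:NT:::), and the function name audit_lm and the sample lines are hypothetical.

```python
import re

# Well-known constant: the LM value Windows stores for an empty password.
# Each 16-hex-digit half is one DES block derived from a 7-byte password chunk.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_HALF = EMPTY_LM[:16]
HEX32 = re.compile(r"[0-9a-f]{32}")


def audit_lm(lines):
    """Return (account, finding) pairs for pwdump-style lines: user:rid:LM:NT:::"""
    findings = []
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            findings.append((f"line {number}", "malformed"))
            continue
        user, lm = fields[0], fields[2].lower()
        if not HEX32.fullmatch(lm) or lm == EMPTY_LM:
            continue  # placeholder text or the empty constant: no usable LM hash stored
        if lm[16:] == EMPTY_HALF:
            # Second 7-byte block is empty, so the password is at most 7 characters.
            findings.append((user, "lm-stored-short"))
        else:
            findings.append((user, "lm-stored"))
    return findings


# Constructed sample export; the hex strings are made up, not hashes of real passwords.
SAMPLE = [
    "alice:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::",
    "bob:1002:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::",
    "carol:1003:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::",
    "broken line",
]

if __name__ == "__main__":
    for account, finding in audit_lm(SAMPLE):
        print(f"{account}: {finding}")
```

Accounts reported here keep their LM hash until the password is next changed, so the Windows policy "Network security: Do not store LAN Manager hash value on next password change" has to be followed by a password reset for each of them.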
