Using John The Ripper with LM Hashes

Mike Benich, published in SecStudent, Jan 26, 2017 (2 min read)

Although projects like Hashcat have grown in popularity, John the Ripper still has its place for cracking passwords. One of the advantages of using John is that you don’t necessarily need specialized hardware to attempt to crack hashes with it. This makes it a perfect candidate for the use on a platform like Google Cloud.

Typically I use John for some statistical analysis once the domain has been compromised. If you have a set of hashes from a Domain Controller (obtained with smart_hashdump or Mimikatz’ dcSync), I will usually run them through John in the following order on Kali:

john --format=NT --rules -w=/usr/share/wordlists/rockyou.txt hashfile.txt

This is usually quick enough to run as a single pass and still get some good data out of it, namely how many passwords were cracked by mutating the RockYou dictionary.

john --format=NT --show hashfile.txt
<snip>
634 password hashes cracked, 2456 left

If you go through your hashes in hashdump format, you will see a lot of lines like this:

Administrator::500:aad3b435b51404eeaad3b435b51404ee:<hash-here>:::

The first field here contains the username and the second field contains the SID, a numeric identifier. If the third field has anything other than that aad3b string (which is the LM hash of an empty password, i.e. no LM hash is stored for the account), you have an LM hash. This format is extremely weak for a number of different reasons, and John is very good at cracking it. To make John focus on breaking the LM hashes, use the following command:

john --format=LM hashfile.txt

If any LM hashes exist, you should see them pop up right away. Because an LM hash splits into two independent 7-character halves, it’s relatively easy to brute-force the entire hash with CPU power alone. To translate these back into the real, case-sensitive passwords, try the following:

john --format=LM --show hashfile.txt | cut -d: -f 2 | sed '/^\s*$/d' > mydictionary.txt
john --format=NT -w=mydictionary.txt --rules hashfile.txt

Let’s go through the first command in four parts:

  1. Output the cracked LM hashes from John.
  2. Select the second field, using the colon character as the delimiter.
  3. Strip out blank (whitespace-only) lines, which also drops the "password hashes cracked" summary line.
  4. Write the result to a new dictionary file.

The second command takes your brute-forced LM strings as input and feeds them into John with case-mutating rules to find out what the case-sensitive password is. If you see ???? characters in your dictionary file, those are LM halves that John has not finished cracking yet; wait for them to finish before the dictionary will be effective for those accounts.
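As an added example (not code from the post), the following Python script does the two checks described above without needing John installed: it flags accounts whose LM field holds a real hash rather than the aad3b empty-password value, and it turns `john --format=LM --show` output into the case-recovery dictionary while setting aside entries whose halves still show `?` placeholders. The hashdump lines and `--show` output below are constructed samples with placeholder hash values.

```python
import re

# LM hash of an empty password: no LM hash is stored for the account (the aad3b value from the post).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample hashdump (pwdump layout user:rid:lm:nt:::); hash values are placeholders.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
DOMAIN\\jdoe::1106:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

# Constructed sample of `john --format=LM --show hashfile.txt` output (one half of helpdesk still uncracked).
SAMPLE_SHOW = """\
svc_backup:PASSWORD:1105:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
helpdesk:SUMMER2???????:1107:11223344556677881122334455667788:88776655443322118877665544332211:::

2 password hashes cracked, 1 left
"""

def lm_enabled_accounts(hashdump_text):
    """Return usernames whose LM field is a real hash, not the empty-password value.

    The LM and NT hashes are taken as the first two 32-hex fields on the line, so the
    check also works when an extra empty field precedes the RID, as in the post's sample.
    """
    found = []
    for line in hashdump_text.splitlines():
        hexes = [f for f in line.strip().lower().split(":") if HEX32.match(f)]
        if len(hexes) < 2:
            continue  # not a hashdump line
        if hexes[0] != EMPTY_LM:
            found.append(line.split(":")[0])
    return found

def build_case_dictionary(show_output):
    r"""Mirror `cut -d: -f2 | sed '/^\s*$/d'` on john --show output, with two extras:
    duplicates are dropped, and entries containing '?' (an LM half John has not cracked
    yet) are returned separately instead of being fed to the NT pass.
    """
    words, pending, seen = [], [], set()
    for line in show_output.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue  # blank line or the "N password hashes cracked" summary line
        word = fields[1].strip()
        if not word or word in seen:
            continue
        seen.add(word)
        (pending if "?" in word else words).append(word)
    return words, pending
```

Write the returned `words` list one per line to get the same file the `cut | sed` pipeline produces, and re-run the script once the `pending` entries have finished cracking.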

Have another tip to share? Leave a comment below!

Mike Benich

Physics geek. Security researcher. Former educator. Blog posts do not necessarily reflect the opinions of my employer.