metasploit-gs/documentation/modules/auxiliary/analyze/jtr_linux.md

## Vulnerable Application

  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Linux
  based password hashes, such as:

  * `DES` based passwords  
  * `MD5` based passwords
  * `BSDi` based passwords
  * With `crypt` set to `true`:
    * `bf`, `bcrypt`, or `blowfish` based passwords
    * `SHA256` based passwords
    * `SHA512` based passwords

  Sources of hashes can be found here:
  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)

  The definition of `crypt` according to JTR and waht algorithms it decodes can be found
  [here](https://github.com/magnumripper/JohnTheRipper/blob/ae24a410baac45bb36884d793c429adeb7197336/src/c3_fmt.c#L731)

## Verification Steps

  1. Have at least one user with an `des`, `md5`, `bsdi`, `crypt`, `blowfish`, `sha512`, or `sha256` password hash in the database
  2. Start msfconsole
  3. Do: ```use auxiliary/analyze/jtr_linux```
  4. Do: ```run```
  5. You should hopefully crack a password.

## Options


   **CONFIG**

   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`

   **CRYPT**

   Include `blowfish` and `SHA`(256/512) passwords.

   **CUSTOM_WORDLIST**

   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

   **ITERATION_TIMEOUT**

   The max-run-time for each iteration of cracking

   **JOHN_PATH**

   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
   `john` and `john.exe`.

   **KORELOGIC**

   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
   Default is `false`.

   **MUTATE**

   Apply common mutations to the Wordlist (SLOW).  Mutations are:

   * `'@' => 'a'`
   * `'0' => 'o'`
   * `'3' => 'e'`
   * `'$' => 's'`
   * `'7' => 't'`
   * `'1' => 'l'`
   * `'5' => 's'`

   Default is `false`.

   **POT**

   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
   Default is `~/.msf4/john.pot`.

   **USE_CREDS**

   Use existing credential data saved in the database.  Default is `true`.

   **USE_DB_INFO**

   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.

   **USE_DEFAULT_WORDLIST**

   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
   `true`.

   **USE_HOSTNAMES**

   Seed the wordlist with hostnames from the workspace.  Default is `true`.

   **USE_ROOT_WORDS**

   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
   is true.

## Scenarios

Create hashes:

```
creds add user:des_password hash:rEK1ecacw.7.c jtr:des
creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256,crypt
creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512,crypt
creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf
```

Crack them:

```
msf5 > use auxiliary/analyze/jtr_linux 
msf5 auxiliary(analyze/jtr_linux) > set crypt true
crypt => true
msf5 auxiliary(analyze/jtr_linux) > run

[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-hqwf2h
[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-1ixz59k
[*] Cracking md5crypt hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracked Passwords this run:
[+] md5_password:password
[*] Cracking descrypt hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracked Passwords this run:
[+] des_password:password
[*] Cracking bsdicrypt hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracked Passwords this run:
[+] bsdi_password:password
[*] Cracking crypt hashes in normal wordlist mode...
Warning: hash encoding string length 20, type id #4
appears to be unsupported on this system; will not load such hashes.
Warning: hash encoding string length 60, type id $2
appears to be unsupported on this system; will not load such hashes.
Using default input encoding: UTF-8
[*] Cracked Passwords this run:
[+] des_password:password
[+] md5_password:password
[+] sha256_password:password
[+] sha512_password:password
[*] Cracking bcrypt hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracked Passwords this run:
[+] blowfish_password:password
[*] Auxiliary module execution completed
msf5 auxiliary(analyze/jtr_linux) > creds
Credentials
===========

host  origin  service  public             private                                                                                             realm  private_type        JtR Format
----  ------  -------  ------             -------                                                                                             -----  ------------        ----------
                       bsdi_password      password                                                                                                   Password            
                       des_password       password                                                                                                   Password            
                       sha256_password    $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5                                                    Nonreplayable hash  sha256,crypt
                       md5_password       password                                                                                                   Password            
                       md5_password       $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                         Nonreplayable hash  md5
                       bsdi_password      _J9..K0AyUubDrfOgO4s                                                                                       Nonreplayable hash  bsdi
                       sha512_password    password                                                                                                   Password            
                       blowfish_password  $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe                                               Nonreplayable hash  bf
                       sha512_password    $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1         Nonreplayable hash  sha512,crypt
                       sha256_password    password                                                                                                   Password            
                       des_password       rEK1ecacw.7.c                                                                                              Nonreplayable hash  des
                       blowfish_password  password                                                                                                   Password            

```