Tuesday, February 28, 2012

Brute Force Without a Dictionary Using John The Ripper

If you’re like me (Lance), and playing with, using professionally, or writing list requiring brute-forcing software. You don’t want to waste the hard drive space for massive all-encompassing password lists which have a limited chance of success. Luckily you don’t have to do that at all leveraging some john the ripper and (l/u)nix functionality.

When using Aircrack-ng to try and figure out the key for say WPA2 encryption, you can pipe john generated password lists into aircrack on the fly in the following manner.

#john –incremental=all –stdout | aircrack-ng -a 2 -e WirelessNetwork WirelessNetwork-01.cap -w -

There is still a bit of an issue here however. if you have to shutdown your machine and you haven’t yet retrieved the key you don’t want to have to re-run this command and restart john’s list generation, you want to pick up where you left off (I assume anyway).

Luckily for us jtr has the ability to store and resume sessions, so some tweaking will allow you to pick at the encryption at your leisure.

#john –incremental=all –session=WirelessBrute –stdout | aircrack-ng -a 2 -e WirelessNetwork WirelessNetwork-01.cap -w -

This will store your password generation index within a jtr session file called WirelessBrute.rec, to resume the brute-force at any time you can easily do so with the following command.

#john –restore=WirelessBrute | aircrack-ng -a 2 -e WirelessNetwork WirelessNetwork-01.cap -w -

Easy enough


When using a utility like Medusa you need to get a little trickier, utilising a bash utility called xargs.

We will still be leveraging jtr’s ability to store sessions, however we will not quite be directly piping john’s output into medusa, we will pipe it into xargs which will execute the command following it for each line of stdin. We can use this to brute-force utilising medusa without a stored dictionary.

In reality you most likely will not be trying to brute-force a username/password based authentication without one or the other, so you will probably have either a list, or singleton value for one or the other (moth likely username).

To preform a brute-force attack utilising medusa and jtr, you can use something similar to the following command.

#john –incremental=all –session=RouterBrute –stdout | xargs -L 1 medusa -h -u admin -M web-form -p

to restore:

#john –restore=RouterBrute | xargs -L 1 medusa -h -u admin -M web-form -p

The -L 1 flag passed to xargs means execute for every 1 line of input.

This does however slow down the brute-force, having to launch/quit medusa every attempt, also it means it will not stop when an account has been found, so it would help to pipe the output into a separate file in this way:

#john –restore=RouterBrute | xargs -L 1 medusa -h -u admin -M web-form -p >> check.txt
then later run a grep on the output file, or write a script to do a periodic grep and kill the process / alert you when it finds the string ‘FOUND’ in the medusa output

This method of course can be implemented within the Medusa-GUI utilising it’s ability to edit the command you before execution, make sure you have JTR installed, launch the medusa-gui, and append the jtr command / pipes, as well as the output appendage to a separate file, and go, the medusa-gui may add a toggle button for this in the future.

John The Ripper

No comments:

Post a Comment