fix jtr cracking #20897
Conversation
@zeroSteiner I nominate you to review this PR since you break it, you bought it :) (and we discussed it a few days ago).
Well, on a related note, would it be beneficial to migrate this script to run as part of our tests? I could see it being problematic to run hashcat / jtr but we may be able to work around that.
When originally implemented, I didn't think running this script would be a good idea as part of the tests.
However, I was naive thinking either reviewers would remember this script, or that I'd see each hash/crack change and jump in to run/mention this script. In hindsight, I think it may be a good idea to run this script, especially if it would be possible to only run it when there's changes to certain files (thus preventing it running all the time).
Looks like I have some cross branch pollution as well.
@smcintyre-r7 good find, that seemed to fix it.
smcintyre-r7
left a comment
Confirmed John is working again and the formatting for the gMSA work is still in place. The validator is passing for John tests but failing for hashcat tests on my system which is expected due to my hardware.
A little bit of the Kerberos work bled over, but we can leave that as is for now.
msf auxiliary(gather/ldap_passwords) > run
[+] Successfully bound to the LDAP server!
[*] Discovered base DN: DC=msflab,DC=local
[*] Checking if the target LDAP server is an Active Directory Domain Controller...
[*] The target LDAP server is an Active Directory Domain Controller.
[*] Searching base DN: DC=msflab,DC=local
[+] Credential found in msds-managedpassword: Jabberwock$::aad3b435b51404eeaad3b435b51404ee:069fcd75eeae528d2af483eacd4671eb:::
[+] Credential found in msds-managedpassword: Jabberwock$:aes256-cts-hmac-sha1-96:31904bdb5b41c9ef232c9356fe65fa01d45e89202ac993f5e6ed2057665ec78a
[+] Credential found in msds-managedpassword: Jabberwock$:aes128-cts-hmac-sha1-96:fb7c36c9890a0d800172764060dcd29b
[*] Found 1 entries and 1 credentials in 'DC=msflab,DC=local'.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(gather/ldap_passwords) > use auxiliary/analyze/crack_windows
[*] Setting default action auto - view all 3 actions with the show actions command
msf auxiliary(analyze/crack_windows) > creds -d
Credentials
===========
id host origin service public private realm private_type JtR Format cracked_password
-- ---- ------ ------- ------ ------- ----- ------------ ---------- ----------------
235 192.168.159.10 192.168.159.10 636/tcp (ldap) Jabberwock$ aad3b435b51404eeaad3b435b51404ee:069fcd75eeae528d2af483eacd4671eb msflab.local NTLM hash nt,lm
236 192.168.159.10 192.168.159.10 636/tcp (ldap) Jabberwock$ aes256-cts-hmac-sha1-96:31904bdb5b41c9ef232c9356fe65fa01d45e89202ac993f5e6ed (TRUNCATED) msflab.local Krb enc key
237 192.168.159.10 192.168.159.10 636/tcp (ldap) Jabberwock$ aes128-cts-hmac-sha1-96:fb7c36c9890a0d800172764060dcd29b:4d53464c41422e4c4f4 (TRUNCATED) msflab.local Krb enc key
[*] Deleted 3 creds
msf auxiliary(analyze/crack_windows) > creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm
msf auxiliary(analyze/crack_windows) > run
[+] john Version Detected: 1.9.0-jumbo-1+bleeding-7a62a41acc 2026-01-18 00:02:24 +0100 OMP
[*] No nt found to crack
[*] No mscash found to crack
[*] No mscash2 found to crack
[*] No netntlm found to crack
[*] No netntlmv2 found to crack
[*] Wordlist file written out to /tmp/jtrtmp20260128-27850-cak5ud
[*] Checking lm hashes already cracked...
[*] Cracking lm hashes in single mode...
[*] Cracking Command: /home/smcintyre/Repositories/john/run/john --session=Gj2z7YGo --no-log --config=/home/smcintyre/Repositories/metasploit-framework.pr/data/jtr/john.conf --pot=/home/smcintyre/.msf4/john.pot --format=lm --wordlist=/tmp/jtrtmp20260128-27850-cak5ud --rules=single /tmp/hashes_lm_20260128-27850-u2cdf0
Using default input encoding: UTF-8
Using default target encoding: CP850
Warning: poor OpenMP scalability for this hash type, consider --fork=16
Will run 16 OpenMP threads
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
Enabling duplicate candidate password suppressor using 256 MiB
2g 0:00:00:00 DONE (2026-01-28 09:28) 14.29g/s 702171p/s 702171c/s 1404KC/s 1QWERTY..TITLIS
Warning: passwords printed above might be partial
Use the "--show --format=LM" options to display all of the cracked passwords reliably
Session 'Gj2z7YGo' completed
[*] Auxiliary module execution completed
msf auxiliary(analyze/crack_windows) > creds
Credentials
===========
id host origin service public private realm private_type JtR Format cracked_password
-- ---- ------ ------- ------ ------- ----- ------------ ---------- ----------------
238 lm_password e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c NTLM hash nt,lm password
msf auxiliary(analyze/crack_windows) >
PATH="/home/smcintyre/Repositories/john/run:$PATH" tools/dev/hash_cracker_validator.rb
[WARNING] WARNING: All credentials will be deleted as part of this script execution!
[INFO] [1/24] Checking Metasploit database connection...
^T[GOOD] SUCCESS: All expected outputs found.
[GOOD] Section Runtime: 2.001758045 seconds
[INFO] Wordlist file created at: /tmp/wordlist20260128-25677-yfoz77
[INFO] [2/24] Running *nix hashes in john wordlist mode...
stat[GOOD] SUCCESS: All expected outputs found.
[GOOD] Section Runtime: 8.668955484 seconds
[INFO] [3/24] Running windows hashes in john wordlist mode...
[GOOD] SUCCESS: All expected outputs found.
[GOOD] Section Runtime: 8.115931854 seconds
[INFO] [4/24] Running sql hashes in john wordlist mode...
[GOOD] SUCCESS: All expected outputs found.
[GOOD] Section Runtime: 6.940894362 seconds
[INFO] [5/24] Running osx hashes in john wordlist mode...
[GOOD] SUCCESS: All expected outputs found.
[GOOD] Section Runtime: 4.536993452 seconds
[INFO] [6/24] Running webapp hashes in john wordlist mode...
[GOOD] SUCCESS: All expected outputs found.
[GOOD] Section Runtime: 5.667919914 seconds
[INFO] [7/24] Running *nix hashes in hashcat wordlist mode...
[ERROR] FAILURE: Expected output not found for regex: /des_password\s+rEK1ecacw\.7\.c\s+Nonreplayable hash\s+des\s+password$/
[ERROR] STDOUT: INCREMENTAL => false
USE_CREDS => false
USE_DB_INFO => false
USE_DEFAULT_WORDLIST => false
USE_HOSTNAMES => false
USE_ROOT_WORDS => false
WORDLIST => true
verbose => true
SHA256 => true
SHA512 => true
BLOWFISH => true
[*] Setting default action auto - view all 3 actions with the show actions command
CUSTOM_WORDLIST => /tmp/wordlist20260128-25677-yfoz77
POT => /tmp/john_pot20260128-25677-mrbbgt
action => hashcat
[+] hashcat Version Detected: v6.2.6
[*] Wordlist file written out to /tmp/jtrtmp20260128-27162-d5r1up
[*] Checking md5crypt hashes already cracked...
[*] Cracking md5crypt hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=60pQ5zZq --logfile-disable --quiet --username --potfile-path=/tmp/john_pot20260128-25677-mrbbgt --hash-type=500 -O --attack-mode=0 /tmp/hashes_md5crypt_20260128-27162-xvf5pg /tmp/jtrtmp20260128-27162-d5r1up
[*] You are probably missing the CUDA, HIP or OpenCL runtime installation.
[*]
[*] * AMD GPUs on Linux require this driver:
[*] "AMDGPU" (21.50 or later) and "ROCm" (5.0 or later)
[*] * Intel CPUs require this runtime:
[*] "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
[*] * NVIDIA GPUs require this runtime and/or driver (both):
[*] "NVIDIA Driver" (440.64 or later)
[*] "CUDA Toolkit" (9.0 or later)
[*]
[*] Checking descrypt hashes already cracked...
[*] Cracking descrypt hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=NKCW0d4q --logfile-disable --quiet --username --potfile-path=/tmp/john_pot20260128-25677-mrbbgt --hash-type=1500 -O --attack-mode=0 /tmp/hashes_descrypt_20260128-27162-xt5ucg /tmp/jtrtmp20260128-27162-d5r1up
[*] You are probably missing the CUDA, HIP or OpenCL runtime installation.
[*]
[*] * AMD GPUs on Linux require this driver:
[*] "AMDGPU" (21.50 or later) and "ROCm" (5.0 or later)
[*] * Intel CPUs require this runtime:
[*] "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
[*] * NVIDIA GPUs require this runtime and/or driver (both):
[*] "NVIDIA Driver" (440.64 or later)
[*] "CUDA Toolkit" (9.0 or later)
[*]
[*] Checking bsdicrypt hashes already cracked...
[*] Cracking bsdicrypt hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=axSD6u5Z --logfile-disable --quiet --username --potfile-path=/tmp/john_pot20260128-25677-mrbbgt --hash-type=12400 -O --attack-mode=0 /tmp/hashes_bsdicrypt_20260128-27162-4lly88 /tmp/jtrtmp20260128-27162-d5r1up
[*] You are probably missing the CUDA, HIP or OpenCL runtime installation.
[*]
[*] * AMD GPUs on Linux require this driver:
[*] "AMDGPU" (21.50 or later) and "ROCm" (5.0 or later)
[*] * Intel CPUs require this runtime:
[*] "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
[*] * NVIDIA GPUs require this runtime and/or driver (both):
[*] "NVIDIA Driver" (440.64 or later)
[*] "CUDA Toolkit" (9.0 or later)
[*]
[*] Checking bcrypt hashes already cracked...
[*] Cracking bcrypt hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=8d4THbc4 --logfile-disable --quiet --username --potfile-path=/tmp/john_pot20260128-25677-mrbbgt --hash-type=3200 -O --attack-mode=0 /tmp/hashes_bcrypt_20260128-27162-qluulg /tmp/jtrtmp20260128-27162-d5r1up
[*] You are probably missing the CUDA, HIP or OpenCL runtime installation.
[*]
[*] * AMD GPUs on Linux require this driver:
[*] "AMDGPU" (21.50 or later) and "ROCm" (5.0 or later)
[*] * Intel CPUs require this runtime:
[*] "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
[*] * NVIDIA GPUs require this runtime and/or driver (both):
[*] "NVIDIA Driver" (440.64 or later)
[*] "CUDA Toolkit" (9.0 or later)
[*]
[*] Checking sha256crypt hashes already cracked...
[*] Cracking sha256crypt hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=4WlAxaOG --logfile-disable --quiet --username --potfile-path=/tmp/john_pot20260128-25677-mrbbgt --hash-type=7400 -O --attack-mode=0 /tmp/hashes_sha256crypt_20260128-27162-wwqa9p /tmp/jtrtmp20260128-27162-d5r1up
[*] You are probably missing the CUDA, HIP or OpenCL runtime installation.
[*]
[*] * AMD GPUs on Linux require this driver:
[*] "AMDGPU" (21.50 or later) and "ROCm" (5.0 or later)
[*] * Intel CPUs require this runtime:
[*] "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
[*] * NVIDIA GPUs require this runtime and/or driver (both):
[*] "NVIDIA Driver" (440.64 or later)
[*] "CUDA Toolkit" (9.0 or later)
[*]
[*] Checking sha512crypt hashes already cracked...
[*] Cracking sha512crypt hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=nb0BLceD --logfile-disable --quiet --username --potfile-path=/tmp/john_pot20260128-25677-mrbbgt --hash-type=1800 -O --attack-mode=0 /tmp/hashes_sha512crypt_20260128-27162-6skzbw /tmp/jtrtmp20260128-27162-d5r1up
[*] You are probably missing the CUDA, HIP or OpenCL runtime installation.
[*]
[*] * AMD GPUs on Linux require this driver:
[*] "AMDGPU" (21.50 or later) and "ROCm" (5.0 or later)
[*] * Intel CPUs require this runtime:
[*] "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
[*] * NVIDIA GPUs require this runtime and/or driver (both):
[*] "NVIDIA Driver" (440.64 or later)
[*] "CUDA Toolkit" (9.0 or later)
[*]
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
[*] Auxiliary module execution completed
Credentials
===========
id host origin service public private realm private_type JtR Format cracked_password
-- ---- ------ ------- ------ ------- ----- ------------ ---------- ----------------
229 des_password rEK1ecacw.7.c Nonreplayable hash des
230 md5_password $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ Nonreplayable hash md5
231 bsdi_password _J9..K0AyUubDrfOgO4s Nonreplayable hash bsdi
232 sha256_password $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 Nonreplayable hash sha256,crypt
233 sha512_password $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcV (TRUNCATED) Nonreplayable hash sha512,crypt
234 blowfish_password $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe Nonreplayable hash bf
[*] Deleted 6 creds
[ERROR] Section Runtime: 4.951114145 seconds
[ERROR] STDERR: ATTENTION! No OpenCL, Metal, HIP or CUDA installation found.
ATTENTION! No OpenCL, Metal, HIP or CUDA installation found.
ATTENTION! No OpenCL, Metal, HIP or CUDA installation found.
ATTENTION! No OpenCL, Metal, HIP or CUDA installation found.
ATTENTION! No OpenCL, Metal, HIP or CUDA installation found.
ATTENTION! No OpenCL, Metal, HIP or CUDA installation found.
-------------------------------
[ERROR] Credential verification failed. Exiting.
Release Notes
This fixes a bug that was preventing collected hash data from being formatted as input for the John the Ripper cracker. The result is that users can now once again crack passwords using John.
A previous commit attempted to make cracking work w/o a database. However, not only did this break john support in its entirety, but it wouldn't have mattered anyways. We've had to use database IDs to do proper matching of john/hashcat results back to our database entries.
This PR fixes john support, and does some cleanup on tools/dev/hash_cracker_validator.rb by moving the hashes and de-duping them.
Verification
tools/dev/hash_cracker_validator.rb works without errors
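The description above says results have to be joined back to database entries by DB ID rather than by username. The following is an added illustration of that join, not code from this PR or from Metasploit: the credential rows, hosts and result lines are constructed (the LM/NT pair for id 238 is the one from the session above), and the "id:password" result shape is an assumption about what the cracker hands back when the username field carries the DB ID.

```ruby
# Constructed credential rows as they might sit in the Metasploit DB.
# Two rows share the same public name on different hosts; a username-keyed
# match could not tell them apart, a DB-ID-keyed match can.
CREDS = [
  { id: 238, public: 'lm_password', host: '10.0.0.1',
    private: 'e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c' },
  { id: 239, public: 'lm_password', host: '10.0.0.2',
    private: 'aad3b435b51404eeaad3b435b51404ee:069fcd75eeae528d2af483eacd4671eb' }
].freeze

# Build the lines handed to the cracker. The first field is what john and
# hashcat (--username) treat as the user name, and we put the DB ID there so
# every result can be joined back unambiguously. `half` selects the LM or NT
# half of the "lm:nt" private value.
def hash_file_lines(creds, half: :lm)
  creds.map do |c|
    lm, nt = c[:private].split(':')
    "#{c[:id]}:#{half == :lm ? lm : nt}"
  end
end

# Map cracker result lines of the constructed form "<db_id>:<password>" back
# onto the records. Lines whose first field is not a numeric DB ID (e.g. a
# summary line) are skipped, and the password may itself contain ':'.
def apply_results(creds, result_lines)
  by_id = creds.to_h { |c| [c[:id], c] }
  result_lines.each_with_object({}) do |line, out|
    id, password = line.chomp.split(':', 2)
    next unless id =~ /\A\d+\z/ && password && (rec = by_id[id.to_i])
    out[rec[:id]] = { public: rec[:public], host: rec[:host], password: password }
  end
end

if $PROGRAM_NAME == __FILE__
  puts hash_file_lines(CREDS)
  p apply_results(CREDS, ['238:PASSWORD', '1 password hash cracked, 1 left'])
end
```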