
I’m attending the SANS SEC542 course this week in Boston, and during one of the exercises I managed to extract some MySQL password hashes via a SQL injection.

Needless to say, I wanted to get the passwords for the database users, so I thought I’d feed the hashes to my trusty friend John the Ripper for some serious cracking. But since version 4.1, MySQL has started to use significantly more secure hashes, namely (raw) SHA-1. And John does not support these out of the box.

So here’s how you recompile John with the so-called “jumbo patch” to enable cracking of MySQL >= 4.1 password hashes (and loads of other hashing algorithms as well) on Ubuntu:

First, make sure that you have the necessary build tools, headers and libraries:

sudo apt-get install build-essential linux-headers-$(uname -r) libssl-dev

Now we need the latest source code for John (at the time of writing, 1.7.6), so switch into a suitable working directory and fetch it from openwall.com as shown here:

cd
mkdir src
cd src/
mkdir john-bigpatch
cd john-bigpatch/
wget http://openwall.com/john/g/john-1.7.6.tar.gz
tar xvf john-1.7.6.tar.gz

The last command will expand the fetched archive and create a folder called john-x. cd into it and get the corresponding “jumbo patch”:

cd john-1.7.6/
wget http://openwall.com/john/contrib/john-1.7.6-jumbo-6.diff.gz
gunzip john-1.7.6-jumbo-6.diff.gz

Now we’ll patch John up and compile the patched version:

patch -p1 < john-1.7.6-jumbo-6.diff
cd src/
make clean linux-x86-any

If you’re on a 64-bit platform, you can use the linux-x86-64 option instead; this fixed compiling for me on my laptop:

make clean linux-x86-64

That’s it. Now John is ready to chew on password files with SHA-1 hashes:

cd ../run/
./john hashes.txt

The simple command above is just the start: it will try “single crack” mode first, then use a wordlist with rules, and finally go for “incremental” mode. Check out these great tutorials or the documentation to learn more on how to utilize John to his full potential. Happy cracking!
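
What a MySQL >= 4.1 hash in hashes.txt looks like, as an added example that is not part of the original post: the stored value is `*` followed by the uppercase hex of SHA-1 applied twice to the password, with no salt, so accounts that share a password share a hash. The `user:hash` line layout, the function names and the sample accounts are assumptions made for this sketch.

```python
import hashlib
import re
from collections import defaultdict

NEW_FMT = re.compile(r"^\*[0-9A-Fa-f]{40}$")  # MySQL >= 4.1: '*' + 40 hex chars
OLD_FMT = re.compile(r"^[0-9A-Fa-f]{16}$")    # pre-4.1 format: 16 hex chars

def mysql41_hash(password: str) -> str:
    """Return '*' + uppercase hex of SHA1(SHA1(password)); no salt is involved."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def classify(hash_value: str) -> str:
    """Name the MySQL hash format of one value, or 'unknown' if it is malformed."""
    if NEW_FMT.match(hash_value):
        return "mysql41"
    if OLD_FMT.match(hash_value):
        return "mysql-old"
    return "unknown"

def audit(lines):
    """Parse 'user:hash' lines; return (format per user, groups of users sharing a hash)."""
    formats, by_hash = {}, defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # skip blanks, comments and lines without a separator
        user, _, value = line.partition(":")
        value = value.strip()
        formats[user] = classify(value)
        if formats[user] != "unknown":
            by_hash[value.upper()].append(user)
    shared = sorted(sorted(users) for users in by_hash.values() if len(users) > 1)
    return formats, shared

# Constructed sample lines (not data from the exercise described in the post).
SAMPLE = [
    "root:" + mysql41_hash("password"),
    "app:" + mysql41_hash("password"),
    "backup:" + mysql41_hash("Tr0ub4dor&3"),
    "legacy:5d2e19393cc5ef67",     # constructed 16-hex value in the old layout
    "broken:*2470C0C06DEE42FD",    # truncated on purpose, must be rejected
]

if __name__ == "__main__":
    formats, shared = audit(SAMPLE)
    print(formats, "shared hashes (unsalted):", shared)
```

Running the same check over a dump of your own server's accounts shows which ones still carry the pre-4.1 format and which ones reuse a password.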
