I’m attending the SANS SEC542 course this week in Boston, and during one of the exercises I managed to extract some MySQL password hashes via a SQL injection.
Needless to say, I wanted to get the passwords for the database users, so I thought I’d feed the hashes to my trusty friend John the Ripper for some serious cracking. But since version 4.1, MySQL has used significantly more secure hashes, namely (raw) SHA-1, and John does not support these out of the box.
So here’s how you recompile John with the so-called “jumbo patch” to enable cracking of MySQL >= 4.1 password hashes (and loads of other hashing algorithms as well) on Ubuntu:
First, make sure that you have the necessary build tools, kernel headers and libraries:
sudo apt-get install build-essential linux-headers-$(uname -r) libssl-dev
Now we need to fetch the latest source code for John (at the time of writing, 1.7.6), so switch into a suitable working directory and get it from openwall.com as shown here:
cd
mkdir src
cd src/
mkdir john-bigpatch
cd john-bigpatch/
wget http://openwall.com/john/g/john-1.7.6.tar.gz
tar xvf john-1.7.6.tar.gz
The last command expands the fetched archive and creates a folder called john-1.7.6; cd into it and get the corresponding “jumbo patch”:
cd john-1.7.6/
wget http://openwall.com/john/contrib/john-1.7.6-jumbo-6.diff.gz
gunzip john-1.7.6-jumbo-6.diff.gz
Now we’ll patch John up and compile the patched version:
patch -p1 < john-1.7.6-jumbo-6.diff
cd src/
make clean linux-x86-any
If you’re on a 64-bit platform, you can use the linux-x86-64 target instead; this fixed compiling for me on my laptop:
make clean linux-x86-64
That’s it. Now John is ready to chew on password files with SHA-1 hashes:
cd ../run/
./john hashes.txt
The simple command above is just the start: it will try “single crack” mode first, then use a wordlist with rules, and finally go for “incremental” mode. Check out these great tutorials or the documentation to learn how to use John to its full potential. Happy cracking!
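As an added example (not part of the original post, and not John’s own code), the snippet below shows what the MySQL >= 4.1 hash actually is, so you can tell the two MySQL hash styles apart in a dump and generate a known test hash to confirm your freshly built John recognises the format. MySQL 4.1+ stores `*` followed by the uppercase hex of SHA1(SHA1(password)), while pre-4.1 stores a 16-hex-digit hash that stock John could never handle either. The sample hashes and user names here are constructed; John’s jumbo builds name the 4.1+ format mysql-sha1.

```python
import hashlib
import hmac
import re

# Shapes of the two MySQL password hash styles.
OLD_STYLE = re.compile(r"^[0-9a-fA-F]{16}$")          # pre-4.1 PASSWORD()
NEW_STYLE = re.compile(r"^\*[0-9A-Fa-f]{40}$")        # 4.1+ PASSWORD()


def mysql41_password_hash(password: str) -> str:
    """Reproduce MySQL >= 4.1 PASSWORD(): '*' + upper-hex SHA1(SHA1(pw))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()   # raw 20 bytes
    outer = hashlib.sha1(inner).hexdigest().upper()
    return "*" + outer


def classify_mysql_hash(stored: str) -> str:
    """Return which John format a dumped hash belongs to."""
    if NEW_STYLE.match(stored):
        return "mysql-sha1"   # MySQL >= 4.1; needs the jumbo patch
    if OLD_STYLE.match(stored):
        return "mysql-old"    # MySQL < 4.1
    return "unknown"


def verify_mysql41(password: str, stored: str) -> bool:
    """Constant-time check of a candidate against a 4.1+ hash (what the server does)."""
    return hmac.compare_digest(mysql41_password_hash(password), stored.upper())


def john_lines(accounts: dict) -> list:
    """Build user:hash lines in the layout John reads from hashes.txt."""
    return [f"{user}:{h}" for user, h in accounts.items()]


# Constructed sample data (assumption for this example): one account whose hash
# we generate from a known password, one pre-4.1 style hash made up for shape.
SAMPLE_ACCOUNTS = {
    "testuser": mysql41_password_hash("password"),
    "legacy": "0123456789abcdef",
}

if __name__ == "__main__":
    for line in john_lines(SAMPLE_ACCOUNTS):
        user, h = line.split(":", 1)
        print(line, "->", classify_mysql_hash(h))
```

Writing the generated `testuser` line into a file and running the built John on it with a wordlist containing "password" is a quick end-to-end check that the jumbo build picked up the mysql-sha1 format; the `legacy` line shows the older style that needs a different format.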