HDM recently added password cracking functionality to Metasploit through the inclusion of John-the-Ripper in the Framework. The 'auxiliary/analyze/jtr_crack_fast' module was created to facilitate JtR's usage in Framework and directly into Express/Pro's automated collection routine. The module works against known Windows hashes (NTLM and LANMAN). It uses hashes in the database as input, so make sure you've run hashdump with a database connected to your Framework instance (Pro does this automatically) before running the module. The module collects the hashes in the database and passes them to the john binaries that are now (r13135) included in Framework via a generated PWDUMP-format file.
Several JtR modes are utilized for quick and targeted cracking. First, wordlist mode: The generated wordlist consists of the standard john wordlist with known usernames, passwords, and hostnames appended. A ruleset based on the Korelogic mutation rules is then used to generate mutations of these words. You can find the msf version of these rules here.
Once the initial wordlist bruting is complete, incremental bruting rules, aptly named All4 & Digits5, are used to brute force additional combinations. These rulesets are shown below and can be found in the same john.conf configuration file in the Framework.
Cracked values are appended to the wordlist as they're found. This is beneficial :
- Previously-cracked hashes are pulled from the john.pot at the start of a run and these passwords are used as seed values for subsequent runs.
- Mutation rules are applied to cracked passwords, possibly enabling other previously-uncracked hashes to be broken.
Finally, discovered username/password combinations are reported to the database and associated with the host / service.
--wordlist=<ourgenerated wordlist> --rules single --format=lm
--wordlist=<ourgenerated wordlist> --rules single --format=ntlm
File = $JOHN/all.chr
MinLen = 0
MaxLen = 4
CharCount = 95
MinLen = 1
MaxLen = 5
CharCount = 10
As with everything in the framework, it's subject to patches and improvement, so make sure to check the code. Thanks to mubix for several edits. This info is current as of July 27, 2011.
UPDATE: Check out KoreLogic's upcoming Defcon 19 password cracking contest if you're interested in this stuff!