Denial of Service (DoS) and distributed Denial of Service (DDoS) attacks involve an attempt to make a computer resource unavailable to its intended users. This may simply be for malicious purposes as is often the case when big commercial or famous web sites undergo a DDoS attack. However, it is also possible to exploit the system’s response to such an attack to break system firewalls, access virtual private networks, and to access other private resources. A DoS attack can also be used to affect a complete network or even a whole section of the Internet.

Commonly, attack involves simply saturating the target machine with external internet requests. In the case of a DDoS attack the perpetrator recruits other unwitting computers into a network and uses a multitude of machines to mount the attack. The result is that the resource, whether it is a website, an email server, or a database, cannot respond to legitimate traffic in a timely manner and so essentially becomes unavailable to users.

Methods for configuring a network to filter out known DoS attack software and to recognize some of the traffic patterns associated with a mounting DoS attack are available. However, current filters usually rely on the computer being attacked to check whether or not incoming information requests are legitimate or not. This consumes its resources and in the case of a massive DDoS can compound the problem.

Now, computer engineers John Wu, Tong Liu, Andy Huang, and David Irwin of Auburn University have devised a filter to protect systems against DoS attacks that circumvents this problem by developing a new passive protocol that must be in place at each end of the connection: user and resource.

Their protocol – Identity-Based Privacy-Protected Access Control Filter (IPACF) – blocks threats to the gatekeeping computers, the Authentication Servers (AS), and so allows legitimate users with valid passwords to access private resources.

The user’s computer has to present a filter value for the server to do a quick check. The filter value is a one-time secret that needs to be presented with the pseudo ID. The pseudo ID is also one-time use. Attackers cannot forge either of these values correctly and so attack packets are filtered out.

One potential drawback of the added layer of information transfer required for checking user requests is that it could add to the resources needed by the server. However, the researchers have tested how well IPACF copes in the face of a massive DDoS attacks simulated on a network consisting of 1000 nodes with 10 gigabits per second bandwidth. They found that the server suffers little degradation, negligible added information transfer delay (latency) and minimal extra processor usage even when the 10 Gbps pipe to the authentication server is filled with DoS packets. Indeed, the IPACF takes just 6 nanoseconds to reject a non-legitimate information packet associated with the DoS attack.

Cross Site Scripting (XSS) is a code injection vulnerability found in web applications and is generally used by malicious hackers to hijack a legitimate user’s session with the website. XSS vulnerabilities are caused because of improper validation of user input by the Server and then sending this invalidated input back to the user in some exploitable form. A great resource to track the latest XSS vulnerable software, websites and latest research is XSSed.com

In this 4 part video series Arne from Aachen Method gives a detailed primer on XSS.

1. Quick Overview: This video explains the basics of XSS, kinds of XSS – Persistent, Non-Persistent and DOM based.

3. Finding XSS weaknesses in websites: Pointer to Rsnake’s website http://ha.ckers.org/xss.html

4. Protecting yourself from XSS attacks as a user: By turning off scripts, not clicking on untrusted links etc.

Basic Netcat Usage from John Strand on Vimeo.

Below is most common used wireless routers admin password list, and at the bottom i have a link to a huge db of passwords for wireless routers.

MORE HUGE LIST

Hackers lie. Skillful hackers lie well. And well-rounded hackers can lie both to people and to machines.

Lying to people, known as "social engineering," involves tactics (detailed at length by convicted hacker Kevin Mitnick) such as posing as a company’s employee so the company’s real employees will blab secrets freely. Lying to machines involves lots of different techniques, and a commonly used one — ARP Cache Poisoning — is the focus of this article. ARP poisoning enables local hackers to cause general networking mayhem. Because it’s mostly "incurable," every administrator should be aware of how this attack works.

ARP Refresher

In Foundations: What Are NIC, MAC, and ARP?, we explained that Address Resolution Protocol (ARP) is how network devices associate MAC addresses with IP Addresses so that devices on the local network can find each other. ARP is basically a form of networking roll call.

ARP, a very simple protocol, consists of merely four basic message types:

1. An ARP Request. Computer A asks the network, "Who has this IP address?"

2. An ARP Reply. Computer B tells Computer A, "I have that IP. My MAC address is [whatever it is]."

3. A Reverse ARP Request (RARP). Same concept as ARP Request, but Computer A asks, "Who has this MAC address?"

4. A RARP Reply. Computer B tells Computer A, "I have that MAC. My IP address is [whatever it is]"

All network devices have an ARP table, a short-term memory of all the IP addresses and MAC addresses the device has already matched together. The ARP table ensures that the device doesn’t have to repeat ARP Requests for devices it has already communicated with.

Here’s an example of a normal ARP communication. Jessica, the receptionist, tells Word to print the latest company contact list. This is her first print job today. Her computer (IP address 192.168.0.16) wants to send the print job to the office’s HP LaserJet printer (IP address 192.168.0.45). So Jessica’s computer broadcasts an ARP Request to the entire local network asking, "Who has the IP address, 192.168.0.45?" as seen in Diagram 1.

All the devices on the network ignore this ARP Request, except for the HP LaserJet printer. The printer recognizes its own IP in the request and sends an ARP Reply: "Hey, my IP address is 192.168.0.45. Here is my MAC address: 00:90:7F:12:DE:7F," as in Diagram 2.

Now Jessica’s computer knows the printer’s MAC address. It sends the print job to the correct device, and it also associates the printer’s MAC address of 00:90:7F:12:DE:7F with the printer’s IP address of 192.168.0.45 in its ARP table.

Hey ARP, Did You Know Gullible Is Not in the Dictionary?

The founders of networking probably simplified the communication process for ARP so that it would function efficiently. Unfortunately, this simplicity also leads to major insecurity. Know why my short description of ARP doesn’t mention any sort of authentication method? Because in ARP, there is none.

ARP is very trusting, as in, gullible. When a networked device sends an ARP request, it simply trusts that when the ARP reply comes in, it really does come from the correct device. ARP provides no way to verify that the responding device is really who it says it is. In fact, many operating systems implement ARP so trustingly that devices that have not made an ARP request still accept ARP replies from other devices.

OK, so think like a malicious hacker. You just learned that the ARP protocol has no way of verifying ARP replies. You’ve learned many devices accept ARP replies before even requesting them. Hmmm. Well, why don’t I craft a perfectly valid, yet malicious, ARP reply containing any arbitrary IP and MAC address I choose? Since my victim’s computer will blindly accept the ARP entry into its ARP table, I can force my victim’s gullible computer into thinking any IP is related to any MAC address I want. Better yet, I can broadcast my faked ARP reply to my victim’s entire network and fool all his computers. Muahahahahaa!

Back to reality. Now you probably understand why this common technique is called ARP Cache Poisoning (or just ARP Poisoning): the attacker lies to a device on your network, corrupting or "poisoning" its understanding of where other devices are. This frighteningly simple procedure enables the hacker to cause a variety of networking woes, described next.

All Your ARP Are Belong To Us!

The ability to associate any IP address with any MAC address provides hackers with many attack vectors, including Denial of Service, Man in the Middle, and MAC Flooding.

Denial of Service

A hacker can easily associate an operationally significant IP address to a false MAC address. For instance, a hacker can send an ARP reply associating your network router’s IP address with a MAC address that doesn’t exist. Your computers believe they know where your default gateway is, but in reality they’re sending any packet whose destination is not on the local segment, into the Great Bit Bucket in the Sky. In one move, the hacker has cut off your network from the Internet.

Man in the Middle

A hacker can exploit ARP Cache Poisoning to intercept network traffic between two devices in your network. For instance, let’s say the hacker wants to see all the traffic between your computer, 192.168.0.12, and your Internet router, 192.168.0.1. The hacker begins by sending a malicious ARP "reply" (for which there was no previous request) to your router, associating his computer’s MAC address with 192.168.0.12 (see Diagram 3).

Now your router thinks the hacker’s computer is your computer.

Next, the hacker sends a malicious ARP reply to your computer, associating his MAC Address with 192.168.0.1 (see Diagram 4).

Now your machine thinks the hacker’s computer is your router.

Finally, the hacker turns on an operating system feature called IP forwarding. This feature enables the hacker’s machine to forward any network traffic it receives from your computer to the router (shown in Diagram 5).

Now, whenever you try to go to the Internet, your computer sends the network traffic to the hacker’s machine, which it then forwards to the real router. Since the hacker is still forwarding your traffic to the Internet router, you remain unaware that he is intercepting all your network traffic and perhaps also sniffing your clear text passwords or hijacking your secured Internet sessions.

MAC Flooding

MAC Flooding is an ARP Cache Poisoning technique aimed at network switches. (If you need a reminder about the difference between a hub and a switch, see this sidebar.) When certain switches are overloaded they often drop into a "hub" mode. In "hub" mode, the switch is too busy to enforce its port security features and just broadcasts all network traffic to every computer in your network. By flooding a switch’s ARP table with a ton of spoofed ARP replies, a hacker can overload many vendor’s switches and then packet sniff your network while the switch is in "hub" mode.

Scared? Good, Now Calm Down!

This is scary stuff. ARP Cache Poisoning is trivial to exploit yet it can result in very significant network compromise. However, before you jump to Defcon-7, notice the major mitigating factor: only local attackers can exploit ARP’s insecurities. A hacker would need either physical access to your network, or control of a machine on your local network, in order to deliver an ARP Cache Poisoning attack. ARP’s insecurities can’t be exploited remotely.

That said, hackers have been known to gain local access to networks. Good network administrators should be aware of ARP Cache Poisoning techniques.

Since ARP Cache Poisoning results from a lack of security in a protocol that is required for TCP/IP networking to function, you can’t fix it. But you can help prevent ARP attacks using the following techniques.

For Small Networks

If you manage a small network, you might try using static IP addresses and static ARP tables. Using CLI commands, such as "ipconfig /all" in Windows or "ifconfig" in ‘NIX, you can learn the IP address and MAC address of every device in your network. Then using the "arp -s" command, you can add static ARP entries for all your known devices. "Static" means unchanging; this prevents hackers from adding spoofed ARP entries for devices in your network. You can even create a login script that would add these static entries to your PCs as they boot.

However, static ARP entries are hard to maintain; impossible in large networks. That’s because every device you add to your network has to be manually added to your ARP script or entered into each machine’s ARP table. But if you manage fewer than two dozen devices, this technique might work for you.

For Large Networks

If you manage a large network, research your network switch’s "Port Security" features. One "Port Security" feature lets you force your switch to allow only one MAC address for each physical port on the switch. This feature prevents hackers from changing the MAC address of their machine or from trying to map more than one MAC address to their machine. It can often help prevent ARP-based Man-in-the-Middle attacks.

For All Networks

Your best defense is understanding ARP Poisoning and monitoring for it. I’d highly recommend deploying an ARP monitoring tool, such as ARPwatch, to alert you when unusual ARP communication occurs. This kind of vigilance is still the greatest weapon against all kinds of attack — for, as Robert Louis Stevenson wrote, "The cruelest lies are often told in silence."

Resources:

Address Resolution Protocol Spoofing and Man-in-the-Middle Attacks

Introduction

Imagine a world without tracert/traceroute. You would be sending your precious packets out into the big wide world with no idea where they go and what they might meet when they are out there. When you set up routers with complex route statements you wouldn’t really know if everything you want is travelling the path you intend it to. When that pesky machine across the internet is "hammering" away at your mail server and you’d really like to know where it is you would be "blind". Enter traceroute, the network administrator’s personal "tracker".
Traceroute was originally conceived as a hack by Van Jacobson in about 1988. He needed to find a way to delineate the path his packets were taking through a routed network to troubleshoot some problems. There were no tools available to do this and there was no clear and easy answer. With knowledge of how the network works Van created traceroute. The solution is elegant in it’s pure simplicity. It’s all in the TTL…..
NOTE: My definition of a "hack" has always been that it is the use of the knowledge regarding how a system works to obtain results that the system was not intended to provide. As such I have always been extremely impressed by the pure simplicity of traceroute as a perfect example of a true "hack" of a system. It’s a little thing of beauty.

What’s a TTL?

The TTL, or Time To Live, is a field in the structure of an Internet Protocol, (IP), packet. Without a TTL a misrouted or mis-addressed packet sent out onto a network would forever travel cyberspace using up bandwidth for no good reason. The TTL is placed in the packets so that each router can check it and act accordingly. If a router that is not the destination of a packet receives one that has a TTL of 1 or 0 it must drop the packet, (not forward it onwards), and send an Internet Control Message Protocol, (ICMP), Time_Exceeded, (Type 11), packet to the originating IP address informing it that, to all intents and purposes, the destination IP address is "too far away" to be contacted. If a packet is received by a router that is not the destination of the packet then the router must decrement the TTL by one and forward the packet on to the next router, (or the destination IP address if that is the next "hop"). In this way control is maintained over messed up addresses or routes and the packets cannot wander forever.
Van’s Hack.
Knowing that the TTL is there for a reason and that a given response must occur if the number of hops required to reach the destination exceeds the TTL in the packet Van saw that this could be utilized to determine each router the packet passed through on it’s way to the destination address. This can be demonstrated manually and you can try this as you go if you like. Open a command/DOS prompt and type:-
ping yahoo.com <ENTER>

The response will be:-

Pinging yahoo.com [66.218.71.114] with 32 bytes of data:
Reply from 216.109.127.30: bytes=32 time=40ms TTL=49
Reply from 216.109.127.30: bytes=32 time=40ms TTL=49
Reply from 216.109.127.30: bytes=32 time=40ms TTL=49
Reply from 216.109.127.30: bytes=32 time=50ms TTL=49

Good, Yahoo is up…. But we have no idea how the packet got there. We can see that 32 bytes were sent, that it took an average of 42 milliseconds to get there and there’s that TTL thing set at 49. Knowing that most systems set the TTL at certain set points I can make a guess that the original TTL was 64 and, based on that assumption, I can guess that Yahoo is some 16 hops away from me…… But where? Try this:-
Ping -i 1 yahoo.com <ENTER>

The -i switch allows you to set the TTL in the packet to anything you please between 1 and 255. Knowing that, we know that the first router should drop the packet if we set the TTL to 1 and send and ICMP Type 11 packet in return, (Time_Exceeded).
The response will be:-
Pinging yahoo.com [66.218.71.114] with 32 bytes of data:
Reply from 207.XXX.XXX.1: TTL expired in transit.
Reply from 207.XXX.XXX.1: TTL expired in transit.
Reply from 207.XXX.XXX.1: TTL expired in transit.
Reply from 207.XXX.XXX.1: TTL expired in transit.
Well…. That’s the first router in the chain, (it’s actually my firewall. Your result will differ but it will be the first hop on the route to Yahoo from your computer). If we now set the TTL to 2 then the next router will send our Time_Exceeded packet back to us. Try:-
ping -i 2 yahoo.com <ENTER>
The response is:-
Pinging yahoo.com [66.218.71.114] with 32 bytes of data:
Reply from 207.XXX.XXX.17: TTL expired in transit.
Reply from 207.XXX.XXX.17: TTL expired in transit.
Reply from 207.XXX.XXX.17: TTL expired in transit.
Reply from 207.XXX.XXX.17: TTL expired in transit.
Nice… Thats my border router. Now I have two steps in the route. As long as I keep incrementing the TTL in the -i switch of the ping command I can manually tracert as far along the route to Yahoo as I get the Time_Exceeded responses from the routers. When you hit a firewall that will not respond to ping requests you will receive a "Request timed out" message. Usually this is the point you would give up, but it’s worth going another step or two because sometimes the firewall is set to not respond to pings themselves and not to allow them to the first internal router but they may allow them to the specific host you are trying to contact so it is worth going the extra mile.
Am I restricted to ICMP Pings?
Not at all. Just because your target has a firewall in place that stops pings doesn’t mean you can’t enumerate internal devices on the target network. Let’s say it’s a web server and the end of the traceroute looks like this:- (NOTE: It doesn’t for Yahoo and at this point do not continue to experiment with Yahoo or any other domain you don’t have rights or permission to do this against.)
14 70 ms 70 ms 80 ms unknown.level3.net [64.152.69.30]
15 70 ms 70 ms 80 ms unknown-66-218-82-226.yahoo.com [66.218.82.226]
16 * * * Request timed out.
17 * * * Request timed out.
18 70 ms 70 ms 80 ms www.yahoo.com [66.218.71.114]
We know that www.yahoo.com accepts HTTP requests on port 80 so we know that the firewall will let them in and we are really curious to see what those two "Request timed out" devices are. So you can fire up your favorite packet crafter, make up a packet that is a simple SYN request on port 80 to www.yahoo.com and set the TTL to 16 and send it out. With your trusty packet sniffer running you will receive the Time_Expired on your HTTP SYN packet. With some research as to the make-up of that packet you might be able to determine the operating system of the device, (Cisco IOS etc.). This works because even though HTTP is a TCP protocol the packets themselves are "wrapped" in the Internet Protocol, (IP), containing the TTL information and the required response to a packet that has "run out of hops" is the ICMP Time_Exceeded.
Conclusion
As you can see a very simple and innocuous looking part of a packet that has a simple function has been "subverted" into being a more powerful tool than it was ever intended. Today, every network administrator uses traceroute/tracert daily and most have no idea they are using a "hacking tool". Others have taken Van’s original concept and improved upon it and found other ways to "exploit" the principle quite successfully but in my opinion his "hack" is still the most elegant.

Linksys Wireless Router

WRT54G Authentication Bypass vulnerability Exploitation Tool. Once your wifi card has detected the WRT54G, you can simply click connect; even if this router asks for a password, it will still provide you with “Local Only” access in order to authenticate your key against the router. Once this “Local Access” is obtained, you can use the WRT54G Raper to disable the security and change the admin password.The rest is up to you.

poof (To Fool)

A Spoofing attack basically means pretending to be someone you are not. There are a wide range of different spoofing attacks however we are only interested in a very simple form (HTTP Spoofing). For a detailed definition of spoofing see http://www.absoluteastronomy.com/topics/Spoofing_attack

In a HTTP Spoof you are pretending to be a logged on user, when infact you are a cheap skate trying to get porn for free biggrin.gif

Http Spoof

HTTP is a pretty simple protocol. It is a simple request/response architecture. HTTP contains a set of headers, these headers are set by your browser when making a request and by the server making a response.

A basic HTTP Request looks like:

GET / HTTP/1.1
Host: www.google.com
Port: 80
Connection: close

However your browser will also typically add the following headers:

User-Agent: The browser model you are using
Http-Referer: The last page you visited
Accept: The content (file) types your browser/PC can accept
Cookie: A cookie header, this is how cookies are passed between client and server

The header we are obviously interested in is the Http-Referer header. Lets have a look at it being used; you will have noticed that some sites will highlight terms that you searched for on google. This is done using the Http-Referer header: When you search google you will have a URL that looks like:

http://www.google.co.uk/search?q=hacking

This will be in the Http-referer header when you click on a link. All the owner of the site has to do to find what you searched for is to look at the Http-Referer header, see if it came from google and look at the q parameter. From this the owner can see that you searched for porn and highlight porn in their text before displaying the page. Neat!

Here is a simple example
http://suda.co.uk/ala/example.php

Http-Referer used for security:

Often adult sites are grouped together and owned by a single site. The administrators like to allow a user to login once to the site and then let them access all of the sites in the group without the user having to log on again. Typically this is done by checking the HTTP-Referer header. You may think that Cookies would be a better way to do this but cookies are domain specific, a browser will not allow a site hosted on one domain to see cookies placed by another domain.

Consider the following:

Visit site A without logging on.
Site A redirects you to Site B to log on
You login
Site B redirects you to site A
You can view the content on Site A.

This is very typical usage of the Http-Referer header for security. How this is working is that site A is checking to HTTP-Referer tag to make sure you have come from a secure location i.e. either the members area of Site B or the members area of Site A.

So how do you spot a HTTP Spoof?

When you login on to a site using your username and password check out the other sites you get free with your username and password. Try accessing these. If you can access them without having to login again you have found a potential spoof.

How to verify a potential HTTP Spoof?

Go to the site that was linked from the main site directly, i.e. copy a link from some content into a new browser window. If it does not let you access the content then we have passed test 1.

Next copy URL of the page with the link to the free site, this will be our HTTP-Referer Header. Copy the link to the free site, this will be our target URL. Enter these two URLs into your favourite spoofing tool and have a go. If it works then post your newly found Spoof at Sammys smile.gif (Note it is worth deleting your cookies before this test, just to make sure).

HTTP Spoofing Tools

Http Spoofing tools are very simple, all they are doing is altering the HTTP-Referer header in your browser. Better tools will also provide a way to manage and store all of your favourite spoofs.

Personally I like to use firefox so I use the following extension:
https://addons.mozilla.org/en-US/firefox/addon/3829

This allows me to alter any HTTP Header that firefox sends. So I just set the HTTP-Referer header to be the correct value and then browser as usual. The only problem is that I have to manage my own spoofs list.

John the Ripper is a decrypting program for passwords. Although it has many

functions we will be looking at using it as a decryper for password files
you possess.

We will be looking at Password Files which you have put on your Hard Disk
- PREPARATION
SHORTCUT TIP FOR WINDOWS 95
PASSWORD FILES
- DECRYPTING
JTR MODES
SINGLE MODE
WORDFILE MODE
INCREMENTAL MODE
ALPHA
DIGITS
ALL
SHOW MODE – Saving the Decrypted Files
- ADVANCED COMMANDS
STOPPING JTR
RULES
SESSION and RESTORE
- JTR QUICK REFERENCE

——————–

. ———–
PREPARATION
———–
1. Download the correct version of JTR, use win32 for Win 95/98
2. Extract the zip File into a Directory
3. Make sure you have your Password Files in the same directory

—————————
SHORTCUT TIP FOR WINDOWS 95
—————————
1. Right Click on the [Start] Button, and choose Open
2. Double Click on [Programs] Folder
3. Right Click and Copy, [MS-DOS Prompt]
4. Close the [Programs] Folder
5. Right Click and Paste on the Desktop, a [MS-DOS Prompt] should appear
6. Right Click on the [MS-DOS Prompt] icon and choose Properties
7. Click on the Program Tab
8. In the box next to Working (It should have C:WINDOWS in there) Change
it to the Directory of where-ever the Program JOHN.EXE has been
extracted
9. Click on the [OK] button
10. Test what you have done by Double Clicking on the Icon, If you wish to
rename [MS-DOS Prompt] to JTR, then do so

————–
PASSWORD FILES
————–
A. Naming
I personally name my files with a p extension, some people use txt
eg If i had the password file to Dannis’, I would name it danni.p
The reason is that p stands for password file, I then name my decrypted
password files with a txt extension
It is really up to you what you name your password files, just remember
that the names should be less than 8 characters
eg likethis.p
B. Where should I put them?
Always have the password files you have found in the same directory as
JOHN.EXE, Its just easier to handle them that way

———-
DECRYPTING
———-
Depending on what JTR version you have downloaded, you have to change into
the directory JOHN.EXE is

———
JTR MODES
———
There are 3 main modes we will be dealing with
-single, -wordfile, -incremental

[KEYS]
[passfile] – this is the name of your password file
[wordlist] – this is the name of your wordlist
[output] – this is the name of the file you will name when you want to
save your decrypted passwords

———–
SINGLE MODE
———–
Single Mode attempts to find the weakest of all the passwords. This is one
of the fastest methods.

SINGLE MODE SYNTAX
john -single [passfile]
or you could use
john -si [passfile]

Example:
If you found a [passfile] and named it danni.p then you would type
john -si danni.p

Take a look at SCREEN SHOT OF A JTR SESSION

————-
WORDFILE MODE
————-
Wordfile Mode is the next quickest method. It requires the use of a wordlist
The wordlist must be in a single wordlist and not a combo list

WORDFILE SYNTAX
john -wordfile:[wordlist] [passfile]
or
john -w:[wordlist] [passfile]

Example:
If you found a [passfile] and named it danni.p and you had a [wordlist]
named mydict.txt then you would type

john -w:mydict.txt danni.p

Take a look at SCREEN SHOT OF A JTR SESSION

—————-
INCREMENTAL MODE
—————-
Incremental mode is the slowest mode and will try to decrypt every pass in
your passfile, as this can take days, months even years, I would use it as
a last resort

There are 4 basic commands we will be dealing with
digits, alpha, all, and leaving it blank

DIGITS mode
This will try to decrypt all the Passwords that are in numbers

ALPHA mode
This will try to decrypt all the Passwords that are letters only

ALL mode
This will try to decrypt all the Passwords, whether they are in numbers, in
letters or some special characters (@!^&…etc)

WITH NO MODE SELECTED
This will basically do everything to try to decrypt the password file

SYNTAX
john -i [passfile]
john -i:DIGITS [passfile]
john -i:ALPHA [passfile]
john -i:ALL [passfile]

Example:
If you found a [passfile] and named it danni.p
john -i danni.p
john -i:DIGITS danni.p
john -i:ALPHA danni.p
john -i:ALL danni.p

Take a look at SCREEN SHOT OF A JTR SESSION

When running in this mode, If you ever want to stop it push CTRL – C

————————————–
SHOW MODE – Saving the Decrypted Files
————————————–
Finally, once JTR has finished its decrypting process, you will be ready
to enjoy the results. These you will save in a file name of your choice.

SHOW SYNTAX
john -show [passfile]>[output]

Example:
If you found a [passfile] and named it danni.p, you decide you want to name the
decrypted password file or [output] to danni.txt

john -show danni.p>danni.txt

Now you can open danni.txt in a TEXT EDITOR
You will see something like this

italia:italiano
makoto:makotox
PADWICK:PADWICKH
kelley:kelleyaj
bechtel:jbechtel
mequery:queryme
seeeee:meeeee
stevewm:stevenm

8 passwords cracked, 246 left

Hopefully you will get more passwords than the example though

—————–
ADVANCED COMMANDS
—————–
Here are a few more commands which prove handy when using JTR

————
STOPPING JTR
————
If at anytime you wish to stop the decrypting process then
Hold down the [ CTRL ] key and Push the [ C ] key

—–
RULES
—–
This command is used with the Wordfile Option, without it JTR will try only
the words in your wordlist. When this is activated it will try variations as
outlined in the john.ini file. This is also quite slow

RULES SYNTAX
john w:[wordlist] -rules [passfile]

——————
SESSION & RESTORE
——————
Decrypting by now you will notice can become a long a slow process, JTR
allows you to save save and restore sessions. A session is like a snap
shot of what you are decrypting. It remembers what file you used, and
where you were at if you decide to stop it. session can be used with any
of the main modes.

SESSION & RESTORE SYNTAX
john -restore
john -restore:[session name]
john -session:[session name]

[session name] is any name you choose

EXAMPLE
——-
Lets say you want to decrypt a file named danni.p

OK you’ve used the -si mode, which was quick
With your trusty wordlist file named biglist.txt you next run the -w mode

FINAL NOTES
———–
There are many other features that JTR uses, that are Advanced, these can be
found in the DOC folder in JTR, just use a text editor to open and read them
We were only concerned with getting at least 50% of the passwords. This may
be achieved by SINGLE and WORDFILE modes
SPEED is dependant on your CPU, If you screen looks like its frozen and
doing nothing, just hit any key a couple of times, you will see a mini
progress report.
Speed is also dependant on the size of your password file and the number of
salts, A salt can be thought of as a slightly different way to encrypt a
file. As there are many ways to encrypt a single password

——————-
JTR QUICK REFERENCE
——————-
[KEYS]
[passfile] – this is the name of your password file
[wordlist] – this is the name of your wordlist
[output] – this is the name of the file you will name when you want to
save your decrypted passwords
: – whenever you see a colon then use it in the command
- – whenever you see a minus sign then use it in the command
> – whenever you see this sign then use it in the command
[] – DO NOT INCLUDE THESE IN THE COMMAND

SINGLE MODE
john -si [passfile]
WORDFILE MODE
john -w:[wordlist] [passfile]
INCREMENTAL MODES
john -i [passfile]
john -i:ALL [passfile]
john -i:DIGITS [passfile]
john -i:ALPHA [passfile]
SHOW MODES
john -show [passfile]>[output]

Loaded 254 passwords with 85 different salts (Standard DES [32/32 BS])
italia (italiano)
makoto (makotox)
PADWICK (PADWICKH)
kelley (kelleyaj)
bechtel (jbechtel)
mequery (queryme)
seeeee (meeeee)
stevewm (stevenm)
guesses: 8 time: 0:00:01:23 100% c/s: 25771 trying: zcatcatk – zcatcatz