OSX Jumbo JtR Installation – More Mac Password Cracking

I recently went through the OSX Jumbo JtR installation, so I figured I’d share some tips and information.

OSX Jumbo JtR – Introduction

I am not sure if it matters, but I did all of this on macOS Sierra.

First, I cloned the GitHub repository to my machine.

Unfortunately, I ran into a few issues when I attempted a simple configure/make/install.

Issues

My only issue stemmed from OpenSSL and Homebrew.

First, I received a few errors about undefined symbols that looked suspiciously like OpenSSL calls.

Configure finished.  Now 'make -s clean && make -sj8' to compile.
Rays-MacBook-Pro:src doyler$ make -s clean && make -sj8
pomelo_plug.c:106:62: warning: comparison of unsigned expression < 0 is always false [-Wtautological-compare]
    if (inlen > 256 || saltlen > 64 || outlen > 256 || inlen < 0 || saltlen < 0 || outlen < 0) return 1;
                                                       ~~~~~ ^ ~

...

Undefined symbols for architecture x86_64:
  "_CMAC_CTX_free", referenced from:
      _crypt_all in wpapmk_fmt_plug.o
      _crypt_all in wpapsk_fmt_plug.o
  "_CMAC_CTX_new", referenced from:
      _crypt_all in wpapmk_fmt_plug.o
      _crypt_all in wpapsk_fmt_plug.o

...

ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[1]: *** [../run/john] Error 1
make: *** [default] Error 2

After a bit of research, I found a GitHub issue describing exactly what I was running into.

Compilation

Using the recommended command, I was able to link the Homebrew OpenSSL headers with the system install.

Rays-MacBook-Pro:tools doyler$ cd JohnTheRipper/
Rays-MacBook-Pro:JohnTheRipper doyler$ cd src/
Rays-MacBook-Pro:src doyler$ ./configure LDFLAGS=-L/usr/local/opt/openssl/lib CPPFLAGS=-I/usr/local/opt/openssl/include
checking build system type... x86_64-apple-darwin16.6.0
checking host system type... x86_64-apple-darwin16.6.0

...

Configured for building John the Ripper jumbo:

Target CPU ................................. x86_64 AVX2, 64-bit LE
AES-NI support ............................. depends on OpenSSL
Target OS .................................. darwin16.6.0
Cross compiling ............................ no
Legacy arch header ......................... x86-64.h

Optional libraries/features found:
Fuzzing test ............................... no
Experimental code .......................... no
OpenMPI support (default disabled) ......... no
Fork support ............................... yes
OpenMP support ............................. no
OpenCL support ............................. yes
Generic crypt(3) format .................... yes
librexgen (regex cracking mode) ............ no
libgmp (PRINCE mode and faster SRP formats)  yes
libpcap (vncpcap2john and SIPdump) ......... yes
libz (pkzip format, gpg2john) .............. yes
libbz2 (gpg2john extra decompression logic)  yes
128-bit integer (faster PRINCE mode) ....... yes
Memory map (share/page large files) ........ yes
ZTEX USB-FPGA module 1.15y support ......... no

Development options (these may hurt performance when enabled):
Memdbg memory debugging settings ........... disabled
AddressSanitizer ("ASan") .................. disabled
UndefinedBehaviorSanitizer ("UbSan") ....... disabled

Install missing libraries to get any needed features that were omitted.

Configure finished.  Now 'make -s clean && make -sj8' to compile.

Once the configure finished, I was able to successfully run make.

Rays-MacBook-Pro:src doyler$ make -s clean && make -sj8
ar: creating archive aes.a
ar: creating archive secp256k1.a
pomelo_plug.c:106:62: warning: comparison of unsigned expression < 0 is always false [-Wtautological-compare]
    if (inlen > 256 || saltlen > 64 || outlen > 256 || inlen < 0 || saltlen < 0 || outlen < 0) return 1;
                                                       ~~~~~ ^ ~
pomelo_plug.c:106:77: warning: comparison of unsigned expression < 0 is always false [-Wtautological-compare]
    if (inlen > 256 || saltlen > 64 || outlen > 256 || inlen < 0 || saltlen < 0 || outlen < 0) return 1;
                                                                    ~~~~~~~ ^ ~
pomelo_plug.c:106:91: warning: comparison of unsigned expression < 0 is always false [-Wtautological-compare]
    if (inlen > 256 || saltlen > 64 || outlen > 256 || inlen < 0 || saltlen < 0 || outlen < 0) return 1;
                                                                                   ~~~~~~ ^ ~
3 warnings generated.
clang: warning: argument unused during compilation: '-pthread' [-Wunused-command-line-argument]
clang: warning: argument unused during compilation: '-pthread' [-Wunused-command-line-argument]
clang: warning: argument unused during compilation: '-pthread' [-Wunused-command-line-argument]
clang: warning: argument unused during compilation: '-pthread' [-Wunused-command-line-argument]
clang: warning: argument unused during compilation: '-pthread' [-Wunused-command-line-argument]
clang: warning: argument unused during compilation: '-pthread' [-Wunused-command-line-argument]
clang: warning: argument unused during compilation: '-pthread' [-Wunused-command-line-argument]
clang: warning: argument unused during compilation: '-pthread' [-Wunused-command-line-argument]

Make process completed.
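
To make the workaround repeatable, the following added example (not code from the original post or from the John the Ripper project) checks an OpenSSL prefix before emitting the configure arguments shown above. The function names has_cmac and jtr_configure_args are hypothetical, and the check assumes that CMAC support shows up as openssl/cmac.h plus a libcrypto under the prefix.

```shell
#!/bin/sh
# Added example: build the ./configure arguments used in the post for a given
# OpenSSL prefix, after checking that the prefix can satisfy the CMAC symbols
# the linker complained about. Function names are hypothetical.

# Default prefix is the Homebrew path used in the post.
DEFAULT_OPENSSL_PREFIX=/usr/local/opt/openssl

# has_cmac PREFIX: succeed if PREFIX ships openssl/cmac.h (the header that
# declares CMAC_CTX_new and CMAC_CTX_free) and some libcrypto to link against.
has_cmac() {
    hc_prefix=$1
    [ -f "$hc_prefix/include/openssl/cmac.h" ] || return 1
    for hc_lib in "$hc_prefix"/lib/libcrypto.*; do
        # An unmatched glob stays literal, so test that the file exists.
        [ -e "$hc_lib" ] && return 0
    done
    return 1
}

# jtr_configure_args [PREFIX]: print the LDFLAGS/CPPFLAGS arguments on stdout,
# or fail with a message on stderr if the prefix is unusable.
jtr_configure_args() {
    ca_prefix=${1:-$DEFAULT_OPENSSL_PREFIX}
    ca_prefix=${ca_prefix%/}          # drop one trailing slash
    if ! has_cmac "$ca_prefix"; then
        echo "no CMAC-capable OpenSSL found under $ca_prefix" >&2
        return 1
    fi
    printf 'LDFLAGS=-L%s/lib CPPFLAGS=-I%s/include\n' "$ca_prefix" "$ca_prefix"
}

# Usage from JohnTheRipper/src (prefixes containing spaces are not handled):
#   args=$(jtr_configure_args) && ./configure $args \
#       && make -s clean && make -sj8
```

Because the arguments are only printed after the check passes, a missing or moved Homebrew OpenSSL stops the build before configure runs instead of surfacing later as undefined symbols at link time.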

Successful Run and Testing

With the make process successful, it was time for me to see if the jumbo john would actually run.

Rays-MacBook-Pro:run doyler$ ./john
John the Ripper 1.8.0-jumbo-1-6058-g3f450bd26 [darwin16.6.0 64-bit AVX2-ac]
Copyright (c) 1996-2017 by Solar Designer and others
Homepage: http://www.openwall.com/john/

Usage: john [OPTIONS] [PASSWORD-FILES]
--single[=(SECTION[,S2,..,Sn]|:rule)] "single crack" mode
--wordlist[=FILE] --stdin  wordlist mode, read words from FILE or stdin
                  --pipe   like --stdin, but bulk reads, and allows rules
--loopback[=FILE]          like --wordlist, but extract words from a .pot file
--dupe-suppression         suppress all dupes in wordlist (and force preload)
--prince[=FILE]            PRINCE mode, read words from FILE
--encoding=NAME            input encoding (eg. UTF-8, ISO-8859-1). See also
                           doc/ENCODING and --list=hidden-options.
--rules[=(SECTION[,S2,..,Sn]|:rule)]  enable word mangling rules for
                           wordlist or PRINCE modes
--incremental[=MODE]       "incremental" mode [using section MODE]
--mask[=MASK]              mask mode using MASK (or default from john.conf)
--markov[=OPTIONS]         "Markov" mode (see doc/MARKOV)
--external=MODE            external mode or word filter
--stdout[=LENGTH]          just output candidate passwords [cut at LENGTH]
--restore[=NAME]           restore an interrupted session [called NAME]
--session=NAME             give a new session the NAME
--status[=NAME]            print status of a session [called NAME]
--make-charset=FILE        make a charset file. It will be overwritten
--show[=left]              show cracked passwords [if =left, then uncracked]
--test[=TIME]              run tests and benchmarks for TIME seconds each
--users=[-]LOGIN|UID[,..]  [do not] load this (these) user(s) only
--groups=[-]GID[,..]       load users [not] of this (these) group(s) only
--shells=[-]SHELL[,..]     load users with[out] this (these) shell(s) only
--salts=[-]COUNT[:MAX]     load salts with[out] COUNT [to MAX] hashes
--costs=[-]C[:M][,...]     load salts with[out] cost value Cn [to Mn]. For
                           tunable cost parameters, see doc/OPTIONS
--save-memory=LEVEL        enable memory saving, at LEVEL 1..3
--node=MIN[-MAX]/TOTAL     this node's number range out of TOTAL count
--fork=N                   fork N processes
--pot=NAME                 pot file to use
--list=WHAT                list capabilities, see --list=help or doc/OPTIONS
--devices=N[,..]           set OpenCL device(s) (see --list=opencl-devices)
--format=NAME              force hash of type NAME. The supported formats can
                           be seen with --list=formats and --list=subformats

When I received no errors, I ran it against a MySQL hash that I had previously captured.

rays-mbp:Internal doyler$ ~/tools/JohnTheRipper/run/john mysql.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (mysqlna, MySQL Network Authentication [SHA1 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:01:20  3/3 0g/s 2138Kp/s 2138Kc/s 2138KC/s sevin1292

Unfortunately, I wasn’t able to crack this particular hash, but I already knew that would be the case.

OSX Jumbo JtR – Conclusion

While there was the one issue that will recur every time, it was worth getting this set up.

I now have hashcat and the jumbo JtR build on my testing rig, which should save some time waiting on our cracking rig.

Let me know if you have any suggestions for other cracking tools for me to use, or other example posts!

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.