John the Ripper in Exploitation

Using John the Ripper during the exploitation phase of penetration testing

During the exploitation phase of penetration testing, John the Ripper becomes a primary tool for cracking captured credentials, enabling lateral movement, and escalating privileges within target systems.

Credential Cracking

John the Ripper excels at cracking various types of captured hashes:

  • Password hashes dumped from compromised databases
  • Captured authentication exchanges, such as NetNTLMv2 challenge-responses
  • Passphrases protecting encrypted files, archives and private keys

Exploitation Techniques

Database Hash Cracking

# Crack MySQL database hashes (MySQL 4.1+ PASSWORD() format, "*" + 40 hex chars)
john --format=mysql-sha1 mysql_hashes.txt

# Crack PostgreSQL hashes (each format takes its own hash file)
john --format=postgres postgres_hashes.txt

# Crack Oracle hashes
john --format=oracle oracle_hashes.txt

Service Authentication Exploitation

# Crack the passphrase of an encrypted SSH private key (ssh2john converts the key into a john hash line)
ssh2john id_rsa > ssh_hash.txt
john --wordlist=wordlist.txt ssh_hash.txt

# Crack RDP credentials captured as NetNTLMv2 challenge-responses (e.g. from NLA authentication)
john --format=netntlmv2 rdp_hashes.txt

File Access Exploitation

# Crack ZIP files
zip2john protected.zip > zip_hash.txt
john --wordlist=wordlist.txt zip_hash.txt

# Crack PDF files
pdf2john document.pdf > pdf_hash.txt
john --wordlist=wordlist.txt pdf_hash.txt
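Before handing a file to john it pays to check that its lines actually have the shape the chosen --format loads; feeding a mysql-sha1 file to --format=postgres just produces "No password hashes loaded". The following is an added example, not code from the original page or from the John the Ripper project: it builds the mysql-sha1 line shape (MySQL's PASSWORD(): "*" plus SHA1(SHA1(pw)) in hex) and checks hash-file lines against the mysql-sha1 and netntlmv2 shapes used in the database and service-authentication commands above. The account names and hashes are constructed samples.

```python
import hashlib
import re

# Line shapes john loads for two of the formats used on this page.
# Both accept an optional "user:" prefix (john's passwd-style input).
_MYSQL_SHA1 = re.compile(r"^(?:[^:]*:)?\*[0-9A-Fa-f]{40}$")
# NetNTLMv2 as written by capture tools: user::DOMAIN:challenge:NTProofStr:blob
_NETNTLMV2 = re.compile(
    r"^[^:]+::[^:]*:[0-9A-Fa-f]{16}:[0-9A-Fa-f]{32}:[0-9A-Fa-f]+$"
)
FORMAT_PATTERNS = {"mysql-sha1": _MYSQL_SHA1, "netntlmv2": _NETNTLMV2}


def mysql_native_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def detect_john_format(line: str) -> str:
    """Return the john --format name whose line shape this line matches, else 'unknown'."""
    line = line.strip()
    for name, pattern in FORMAT_PATTERNS.items():
        if pattern.match(line):
            return name
    return "unknown"


def mismatched_lines(lines, expected_format: str):
    """1-indexed numbers of non-empty lines that would not load under --format=<expected_format>."""
    bad = []
    for number, line in enumerate(lines, start=1):
        if line.strip() and detect_john_format(line) != expected_format:
            bad.append(number)
    return bad


if __name__ == "__main__":
    # Constructed sample file: two MySQL accounts whose hashes are built from test passwords.
    mysql_hashes = [
        "app_user:" + mysql_native_password("password"),
        "report:" + mysql_native_password("Summer2024"),
    ]
    print("bad lines as mysql-sha1:", mismatched_lines(mysql_hashes, "mysql-sha1"))  # []
    print("bad lines as netntlmv2:", mismatched_lines(mysql_hashes, "netntlmv2"))    # [1, 2]
```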

Lateral Movement Strategies

Once credentials are cracked, they can be used for lateral movement:

  1. Account Pivoting

    • Use cracked credentials to access other systems
    • Test credential reuse across different services
    • Leverage single sign-on vulnerabilities
  2. Privilege Escalation

    • Target administrative and service accounts
    • Use cracked credentials to access higher privilege contexts
    • Exploit password patterns to guess related credentials
  3. Access Expansion

    • Use cracked credentials to access additional resources
    • Leverage password patterns for related systems
    • Extract additional credentials from newly accessed systems

Operational Considerations

When using John the Ripper during exploitation:

  • Prioritize high-value targets for efficient resource use
  • Balance speed vs. stealth based on engagement requirements
  • Document all cracked credentials for reporting purposes

Next Steps

After successful exploitation with John the Ripper, proceed to:

  • Post-exploitation activities to further leverage access
  • Credential harvesting from compromised systems
  • Documentation of exploitation paths for reporting