How to crack MD5 passwords with John the Ripper – a live example exploiting TYPO3

Earlier I told you how to crack MD5 passwords in general. This article shows how to get the MD5-hashed passwords out of a TYPO3 installation and crack them using John the Ripper.

Preparations step 1: lurk the data!

Okay, assume that you’re a TYPO3 administrator who wants to check the password strength of your backend users (good guy). Or you have gained access to the database of a TYPO3 installation and want to access the content management system (bad guy). No, you wouldn’t do that…
Well, in both cases you may want to execute the following SQL query to collect the account names and their respective passwords.


SELECT `username` , `password`
FROM `be_users`
INTO OUTFILE '/tmp/typo3passwords.txt'
FIELDS TERMINATED BY ':'
LINES TERMINATED BY '\n'

Now you have a well-formatted file containing all username/password combos of the specific TYPO3 setup.

Preparations step 2: fetch your tools!

Go and get John the Ripper (JtR) first. As required by German law, I cannot tell you how or where to get it. I guess you can query your favourite search engine and will find it instantly. John the Ripper comes with a few cipher formats compiled in, but for raw MD5 you need additional formats. These come in patches provided by third parties.

For Linux you have to compile JtR yourself, including the so-called “big patch”.

# fetch john-1.7.2.tar.gz from a source near you
tar xzvf john-1.7.2.tar.gz
wget http://www.openwall.com/john/contrib/john-1.7.2-all-12.diff.gz
gunzip john-1.7.2-all-12.diff.gz
# the patch uses paths relative to the source tree, so apply it from inside john-1.7.2/
cd john-1.7.2/
patch -p1 < ../john-1.7.2-all-12.diff
cd src/
make clean linux-x86-any
# if make fails because des.h is missing, install the libssl-dev package (Debian) and re-run make

Sorry to say, I have no idea how to get John the Ripper and the big patch running on Windows. You had better use Cain & Abel for that, I guess.

If the compilation went through, you can check that everything works:

~/jtr/john-1.7.2/src$ ../run/john

The output should contain the following list of cipher formats:

--format=NAME force ciphertext format NAME: DES/BSDI/MD5/BF/AFS/LM/NT/PO/raw-MD5/IPB2/raw-sha1/macosx-sha1/md5a/hmac-md5/KRB5/bfegg/nsldap/ssha/oracle/MYSQL/mysql-sha1/mscash/lotus5/DOMINOSEC/NETLM/NETNTLM/NETLMv2/NETHALFLM/mssql/mssql05/epi/phps/mysql-fast

raw-MD5 is the format of choice and it is available right now – so let’s rock!

Go go gadget: starting to crack

The actual cracking process is quite simple: run John the Ripper using the format parameter stating that you want to use raw-MD5 and input the file you have created using the SQL statement above:

~/jtr/john-1.7.2/src$ ../run/john --format=raw-MD5 /tmp/typo3passwords.txt
Loaded 2 password hashes with no different salts (Raw MD5 [raw-md5])

The application then runs for a varying amount of time, depending on your CPU power, your wordlists and the weakness of the chosen passwords. In my example the passwords are very weak, so they are cracked nearly instantly. Let me show you using the --show parameter of JtR:

~/jtr/john-1.7.2/src$ ../run/john --format=raw-MD5 --show /tmp/typo3passwords.txt
jane.simpson:jane
admin:way2go
2 password hashes cracked, 0 left

That’s it! I can now approach the users and tell them how stupid their passwords are. You should do the same and check the passwords – especially your own. ;)
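The "no different salts" line in John's output is the real finding for an administrator: raw MD5 stores equal passwords as equal values and costs almost nothing to test. The following Python code is an added example, not code from the original article, TYPO3 or John the Ripper; it audits an export in the username:password layout from above without recovering any plaintext, and goes one step beyond the article by showing a salted PBKDF2 form beside it. The sample accounts, the denylist and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

RAW_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")  # 32 hex chars: no salt, no cost factor

def md5_hex(password):
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Constructed sample in the username:password layout the SQL export produces.
SAMPLE_EXPORT = "\n".join([
    "editor1:" + md5_hex("Summer2009"),
    "editor2:" + md5_hex("Summer2009"),      # same password as editor1
    "webmaster:" + md5_hex("k7#Vq!29xLp_wz"),
    "migrated:$pbkdf2-sha256$placeholder",   # constructed non-MD5 value
]) + "\n"

def parse_export(text):
    """Split each line at the last ':' into (username, stored_value)."""
    rows = []
    for line in text.splitlines():
        user, sep, stored = line.strip().rpartition(":")
        if sep and user:
            rows.append((user, stored))
    return rows

def audit(rows, denylist):
    """Report accounts on raw MD5, on a denylisted password, or sharing a hash."""
    denied = {md5_hex(p) for p in denylist}
    by_hash = defaultdict(list)
    for user, stored in rows:
        if RAW_MD5.match(stored):
            by_hash[stored.lower()].append(user)
    return {
        "raw_md5": sorted(u for users in by_hash.values() for u in users),
        "denylisted": sorted(u for h, users in by_hash.items() if h in denied for u in users),
        "shared": sorted(sorted(users) for users in by_hash.values() if len(users) > 1),
    }

def hash_password(password, salt=None, rounds=200_000):
    """Hardened form: per-account random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)

def verify_password(password, salt, expected, rounds=200_000):
    return hmac.compare_digest(hash_password(password, salt, rounds)[1], expected)

if __name__ == "__main__":
    print(audit(parse_export(SAMPLE_EXPORT), ["Summer2009", "admin", "typo3"]))
```

The "shared" list is only possible because the stored values carry no salt; with hash_password the two editor accounts would get different stored values for the same password.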


One Comment

  1. J2H
    Posted August 7, 2009 at 10:28 pm | Permalink

    Interesting – especially thinking about active install tools, which write out an md5 hash on the screen.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Germany.