I’ve been struggling to find the best working version of John so that it can crack MS Cache outputs from Cachedump (of course, this functionality is now included in fgdump). Running fgdump gives two files host.pwdump and hostname.cachedump. I’ve found 127.0.0.1.pwdump and 127.0.0.1.cachedump files upon using fgdump without any parameters.
So now you have the Cached credentials but then comes the big problem of cracking those. So there’s the jumbo patch for john-1.7.2.
Following commands need to be executed to get this patch going:


$ tar zxvf john-1.7.2.tar.gz
$ cd john-1.7.2/
$ wget http://www.openwall.com/john/contrib/john-1.7.2-all-9.diff.gz
$ gzip -d john-1.7.2-all-9.diff.gz
$ patch -p1 <john-1.7.2-all-9.diff
$ cd src/
$ make linux-x86-sse2


You get some warnings upon compilations but the executable works very well.

Go ahead and get cracking:
$ cd run/
$ ./john –format=mscash