# Files - Encrypted ### John - Files `$ > file.hash` | **Tool** | **Description** | | ----------------------- | --------------------------------------------- | | `pdf2john` | Converts PDF documents for John | | `ssh2john` | Converts SSH private keys for John | | `mscash2john` | Converts MS Cash hashes for John | | `keychain2john` | Converts OS X keychain files for John | | `rar2john` | Converts RAR archives for John | | `pfx2john` | Converts PKCS#12 files for John | | `truecrypt_volume2john` | Converts TrueCrypt volumes for John | | `keepass2john` | Converts KeePass databases for John | | `vncpcap2john` | Converts VNC PCAP files for John | | `putty2john` | Converts PuTTY private keys for John | | `zip2john` | Converts ZIP archives for John | | `hccap2john` | Converts WPA/WPA2 handshake captures for John | | `office2john` | Converts MS Office documents for John | | `wpa2john` | Converts WPA/WPA2 handshakes for John | ```shell-session $ locate *2john* /usr/bin/bitlocker2john /usr/bin/dmg2john /usr/bin/gpg2john /usr/bin/hccap2john /usr/bin/keepass2john /usr/bin/putty2john /usr/bin/racf2john /usr/bin/rar2john /usr/bin/uaf2john /usr/bin/vncpcap2john /usr/bin/wlanhcx2john /usr/bin/wpapcap2john /usr/bin/zip2john /usr/share/john/1password2john.py /usr/share/john/7z2john.pl /usr/share/john/DPAPImk2john.py /usr/share/john/adxcsouf2john.py /usr/share/john/aem2john.py /usr/share/john/aix2john.pl /usr/share/john/aix2john.py /usr/share/john/andotp2john.py /usr/share/john/androidbackup2john.py ...SNIP... ``` ### SSH private key {% content-ref url="hashes" %} [hashes](https://0xss0rz.gitbook.io/0xss0rz/pentest/cracking/hashes) {% endcontent-ref %} {% embed url="" %} ```shell-session $ ssh2john.py SSH.private > ssh.hash $ cat ssh.hash ssh.private:$sshng$0$8$1C258238FD2D6EB0$2352$f7b...SNIP... ``` ```shell-session $ john --wordlist=rockyou.txt ssh.hash Using default input encoding: UTF-8 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes Will run 2 OpenMP threads Note: This format may emit false positives, so it will keep trying even after finding a possible candidate. Press 'q' or Ctrl-C to abort, almost any other key for status 1234 (SSH.private) 1g 0:00:00:00 DONE (2022-02-08 03:03) 16.66g/s 1747Kp/s 1747Kc/s 1747KC/s Knightsing..Babying Session completed ``` ```shell-session $ john ssh.hash --show SSH.private:1234 1 password hash cracked, 0 left ``` ### PDF {% embed url="" %} ```shell-session cry0l1t3@htb:~$ pdf2john server_doc.pdf > server_doc.hash cry0l1t3@htb:~$ john server_doc.hash # OR cry0l1t3@htb:~$ john --wordlist= server_doc.hash ``` ```shell-session $ john pdf.hash --show ``` ### Microsoft Office Documents #### Docx ```shell-session $ office2john.py Protected.docx > protected-docx.hash $ cat protected-docx.hash $office$*2007*20*128*16*7240...SNIP...8a69cf1*98242f4da37d916305d8e2821360773b7edc481b ``` ```shell-session $ john --wordlist=rockyou.txt protected-docx.hash Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES]) Cost 1 (MS Office version) is 2007 for all loaded hashes Cost 2 (iteration count) is 50000 for all loaded hashes Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status 1234 (Protected.docx) 1g 0:00:00:00 DONE (2022-02-08 01:25) 2.083g/s 2266p/s 2266c/s 2266C/s trisha..heart Use the "--show" option to display all of the cracked passwords reliably Session completed ``` ```shell-session $ john protected-docx.hash --show Protected.docx:1234 ``` #### Xlsx With hashcat ``` python3 office2john.py backup.xlsx > hash.txt # backup.xlsx:$office$*2013*100000*256*16*5e8372<-SNIP->9ef177230fc*c7367d060cc<-SNIP->992fbe2b*a997b2bfbbf996e1b76b1d4f<-SNIP->01904 # Remove the filename backup.xlsx: from the hash and save it. # $office$*2013*100000*256*16*5e8372<-SNIP->9ef177230fc*c7367d060cc<-SNIP->992fbe2b*a997b2bfbbf996e1b76b1d4f<-SNIP->01904 ``` ``` hashcat -a 0 -m 9600 hash.txt rockyou.txt ``` ### Access db ``` # office2john.py staff.accdb > staff.pwd # cat staff.pwd staff.accdb:$office$*2013*100000*256*16*5736cfcbb054e749a8f303570c5c1970*1ec683f4d8c4e9faf77d3c01f2433e56*7de0d4af8c54c33be322dbc860b68b4849f811196015a3f48a424a265d018235 ``` ### 7zip protected files {% embed url="" %} {% embed url="" %} ``` $ 7z2john archive.7z > hash.txt $ john hash.txt -w=/usr/share/wordlists/passwords/rockyou.txt --format=7z ``` With hashcat ``` $ 7z2john archive.7z > hash.txt $ cut -d ':' -f 2 hash.txt > hash-hc.txt $ hashcat -m 11600 hash-hc.txt /usr/share/wordlists/passwords/rockyou.txt ``` {% embed url="" %} ### Zip protected files {% embed url="" %} ```shell-session zip2john ZIP.zip > zip.hash ver 2.0 efh 5455 efh 7875 ZIP.zip/flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=42, decmplen=30, crc=490E7510 ``` ```shell-session john --wordlist=rockyou.txt zip.hash Using default input encoding: UTF-8 Loaded 1 password hash (PKZIP [32/64]) Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status 1234 (ZIP.zip/customers.csv) 1g 0:00:00:00 DONE (2022-02-09 09:18) 100.0g/s 250600p/s 250600c/s 250600C/s 123456..1478963 Use the "--show" option to display all of the cracked passwords reliably Session completed ``` ```shell-session john zip.hash --show ZIP.zip/customers.csv:1234:customers.csv:ZIP.zip::ZIP.zip 1 password hash cracked, 0 left ``` #### fcrackzip {% embed url="" %} ``` fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt sample.zip ``` #### bkcrack - Crack legacy zip encryption with Biham and Kocher's known plaintext attack. {% embed url="" %} {% embed url="" %} ``` $ bkcrack -C archive.zip -c 'logo_acceis.svg' -p plain.bin -x -1 19 bkcrack 1.3.5 - 2022-03-20 [15:07:25] Z reduction using 12 bytes of known plaintext 100.0 % (12 / 12) [15:07:25] Attack on 573157 Z values at index 6 Keys: 18996980 070e64a5 38e61fb0 86.6 % (496251 / 573157) [15:31:27] Keys 18996980 070e64a5 38e61fb0 # Create a copy archive with a chosen password. bkcrack -C archive.zip -k 18996980 070e64a5 38e61fb0 -U cracked.zip noraj ``` Or bruteforce on the key (no wordlist) ``` $ bkcrack -k 18996980 070e64a5 38e61fb0 -r 8 \?a bkcrack 1.3.5 - 2022-03-20 [16:16:01] Recovering password length 0-6... length 7... length 8... [16:16:01] Password as bytes: 6d 6f 72 70 68 65 75 73 as text: morpheus ``` Or concatenating the three keys gives us the PKZIP Master Key that we can try to crack with Hashcat and a wordlist. ``` $ haiti '18996980070e64a538e61fb0' CRC-96 (ZIP) PKZIP Master Key [HC: 20500] PKZIP Master Key (6 byte optimization) [HC: 20510] Crypt16 $ hashcat -m 20500 hash-hc.txt /usr/share/wordlists/passwords/rockyou.txt ``` ## RAR Files {% embed url="" %} ``` 1. rar2john rarfile.rar > rar_hash.txt 2. john --wordlist=/usr/share/wordlists/rockyou.txt rar_hash.txt ``` With Hashcat: ``` $ rar2john archive.rar > hash.txt $ cut -d ':' -f 2 hash.txt > hash-hc.txt $ hashcat -m 13000 hash-hc.txt /usr/share/wordlists/passwords/rockyou.txt ``` ### OpenSSL Encrypted Archives - gzip ```shell-session $ file GZIP.gzip GZIP.gzip: openssl enc'd data with salted password ``` ```shell-session $ for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null| tar xz;done gzip: stdin: not in gzip format tar: Child returned status 1 tar: Error is not recoverable: exiting now gzip: stdin: not in gzip format tar: Child returned status 1 tar: Error is not recoverable: exiting now ``` ```shell-session $ ls customers.csv GZIP.gzip rockyou.txt ``` ### BitLocker Encrypted Drives VHD ```shell-session $ bitlocker2john -i Backup.vhd > backup.hashes $ grep "bitlocker\$0" backup.hashes > backup.hash ``` ```shell-session $ hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked hashcat (v6.1.1) starting... $bitlocker$0$16$02b329c0453b9273f2fc1b927443b5fe$1048576$12$00b0a67f961dd80103000000$60$d59f37e70696f7eab6b8f95ae93bd53f3f7067d5e33c0394b3d8e2d1fdb885cb86c1b978f6cc12ed26de0889cd2196b0510bbcd2a8c89187ba8ec54f:1234qwer Session..........: hashcat Status...........: Cracked Hash.Name........: BitLocker Hash.Target......: $bitlocker$0$16$02b329c0453b9273f2fc1b927443b5fe$10...8ec54f Time.Started.....: Wed Feb 9 11:46:40 2022 (1 min, 42 secs) Time.Estimated...: Wed Feb 9 11:48:22 2022 (0 secs) Guess.Base.......: File (/opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 28 H/s (8.79ms) @ Accel:32 Loops:4096 Thr:1 Vec:8 Recovered........: 1/1 (100.00%) Digests Progress.........: 2880/6163 (46.73%) Rejected.........: 0/2880 (0.00%) Restore.Point....: 2816/6163 (45.69%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1044480-1048576 Candidates.#1....: chemical -> secrets Started: Wed Feb 9 11:46:35 2022 Stopped: Wed Feb 9 11:48:23 2022 ``` ```shell-session $ cat backup.cracked $bitlocker$0$16$02b329c0453b9273f2fc1b927443b5fe$1048576$12$00b0a67f961dd80103000000$60$d59f37e70696f7eab6b8f95ae93bd53f3f7067d5e33c0394b3d8e2d1fdb885cb86c1b978f6cc12ed26de0889cd2196b0510bbcd2a8c89187ba8ec54f:1234qwer ``` Mount .vhd on linux {% embed url="" %}