# Files - Encrypted

### John - Files

`$ <tool> <file_to_crack> > file.hash`

| **Tool**                | **Description**                               |
| ----------------------- | --------------------------------------------- |
| `pdf2john`              | Converts PDF documents for John               |
| `ssh2john`              | Converts SSH private keys for John            |
| `mscash2john`           | Converts MS Cash hashes for John              |
| `keychain2john`         | Converts OS X keychain files for John         |
| `rar2john`              | Converts RAR archives for John                |
| `pfx2john`              | Converts PKCS#12 files for John               |
| `truecrypt_volume2john` | Converts TrueCrypt volumes for John           |
| `keepass2john`          | Converts KeePass databases for John           |
| `vncpcap2john`          | Converts VNC PCAP files for John              |
| `putty2john`            | Converts PuTTY private keys for John          |
| `zip2john`              | Converts ZIP archives for John                |
| `hccap2john`            | Converts WPA/WPA2 handshake captures for John |
| `office2john`           | Converts MS Office documents for John         |
| `wpa2john`              | Converts WPA/WPA2 handshakes for John         |

```shell-session
$ locate *2john*

/usr/bin/bitlocker2john
/usr/bin/dmg2john
/usr/bin/gpg2john
/usr/bin/hccap2john
/usr/bin/keepass2john
/usr/bin/putty2john
/usr/bin/racf2john
/usr/bin/rar2john
/usr/bin/uaf2john
/usr/bin/vncpcap2john
/usr/bin/wlanhcx2john
/usr/bin/wpapcap2john
/usr/bin/zip2john
/usr/share/john/1password2john.py
/usr/share/john/7z2john.pl
/usr/share/john/DPAPImk2john.py
/usr/share/john/adxcsouf2john.py
/usr/share/john/aem2john.py
/usr/share/john/aix2john.pl
/usr/share/john/aix2john.py
/usr/share/john/andotp2john.py
/usr/share/john/androidbackup2john.py
...SNIP...
```

### SSH private key

{% content-ref url="/pages/5HMI5x51XIr5GBqw1pWM" %}
[Hashes](/0xss0rz/pentest/cracking/hashes.md)
{% endcontent-ref %}

{% embed url="<https://www.acceis.fr/how-to-crack-encrypted-ssh-private-keys/>" %}

```shell-session
$ ssh2john.py SSH.private > ssh.hash
$ cat ssh.hash 

ssh.private:$sshng$0$8$1C258238FD2D6EB0$2352$f7b...SNIP...
```

```shell-session
$ john --wordlist=rockyou.txt ssh.hash

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
1234         (SSH.private)
1g 0:00:00:00 DONE (2022-02-08 03:03) 16.66g/s 1747Kp/s 1747Kc/s 1747KC/s Knightsing..Babying
Session completed
```

```shell-session
$ john ssh.hash --show

SSH.private:1234

1 password hash cracked, 0 left
```

### PDF

{% embed url="<https://github.com/mufeedvh/pdfrip>" %}

```shell-session
cry0l1t3@htb:~$ pdf2john server_doc.pdf > server_doc.hash
cry0l1t3@htb:~$ john server_doc.hash
                # OR
cry0l1t3@htb:~$ john --wordlist=<wordlist.txt> server_doc.hash 
```

```shell-session
$ john server_doc.hash --show
```

### Microsoft Office Documents

#### Docx

```shell-session
$ office2john.py Protected.docx > protected-docx.hash
$ cat protected-docx.hash

$office$*2007*20*128*16*7240...SNIP...8a69cf1*98242f4da37d916305d8e2821360773b7edc481b
```

```shell-session
$ john --wordlist=rockyou.txt protected-docx.hash

Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2007 for all loaded hashes
Cost 2 (iteration count) is 50000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1234             (Protected.docx)
1g 0:00:00:00 DONE (2022-02-08 01:25) 2.083g/s 2266p/s 2266c/s 2266C/s trisha..heart
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

```shell-session
$ john protected-docx.hash --show

Protected.docx:1234
```

#### Xlsx

With hashcat

```
python3 office2john.py backup.xlsx > hash.txt

# backup.xlsx:$office$*2013*100000*256*16*5e8372<-SNIP->9ef177230fc*c7367d060cc<-SNIP->992fbe2b*a997b2bfbbf996e1b76b1d4f<-SNIP->01904
# Remove the filename backup.xlsx: from the hash and save it.
# $office$*2013*100000*256*16*5e8372<-SNIP->9ef177230fc*c7367d060cc<-SNIP->992fbe2b*a997b2bfbbf996e1b76b1d4f<-SNIP->01904
```

```
hashcat -a 0 -m 9600 hash.txt rockyou.txt
```

### Access db

```
# office2john.py staff.accdb > staff.pwd
# cat staff.pwd 
staff.accdb:$office$*2013*100000*256*16*5736cfcbb054e749a8f303570c5c1970*1ec683f4d8c4e9faf77d3c01f2433e56*7de0d4af8c54c33be322dbc860b68b4849f811196015a3f48a424a265d018235
```
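
The `$office$` lines above carry the key-derivation parameters in clear text; these are what John reports as "Cost 1" and "Cost 2", and they determine how expensive each password guess is against a protected document. The parser below is an added example, not part of the original page or of `office2john.py`; it strips the `filename:` prefix and returns those parameters. The name `parse_office_hash` and the field interpretation are assumptions based on the hashes and John output shown on this page.

```python
# Added example (not from the original page): read the KDF parameters out of
# an office2john "$office$" line. Field meanings are an assumption based on
# the layout visible in the hashes above and on John's "Cost" output.

# Office 2007 uses a fixed iteration count; John reports 50000 for it above.
OFFICE_2007_ITERATIONS = 50000
DIGEST = {2007: "SHA-1", 2010: "SHA-1", 2013: "SHA-512"}


def parse_office_hash(line):
    """Return (bare_hash, params) for a line such as 'file.docx:$office$*...'."""
    start = line.find("$office$*")
    if start < 0:
        raise ValueError("no $office$ hash on this line")
    # hashcat expects the hash without the 'filename:' prefix that John accepts.
    bare = line[start:].strip().split(":", 1)[0]
    fields = bare.split("*")
    if len(fields) != 8:
        raise ValueError("expected 8 '*'-separated fields, got %d" % len(fields))
    version, second, key_bits, salt_len = (int(f) for f in fields[1:5])
    if version not in DIGEST:
        raise ValueError("unsupported Office version %d" % version)
    if len(fields[5]) != 2 * salt_len:
        raise ValueError("salt length does not match the header")
    # In 2007 hashes the second field is the verifier hash size (20 = SHA-1),
    # not an iteration count; 2010/2013 hashes store the spin count there.
    iterations = OFFICE_2007_ITERATIONS if version == 2007 else second
    params = {
        "version": version,
        "digest": DIGEST[version],
        "iterations": iterations,
        "key_bits": key_bits,
        "salt_bytes": salt_len,
    }
    return bare, params


# Hash copied from the Access db section of this page.
ACCDB_LINE = ("staff.accdb:$office$*2013*100000*256*16*"
              "5736cfcbb054e749a8f303570c5c1970*"
              "1ec683f4d8c4e9faf77d3c01f2433e56*"
              "7de0d4af8c54c33be322dbc860b68b4849f811196015a3f48a424a265d018235")

if __name__ == "__main__":
    bare, params = parse_office_hash(ACCDB_LINE)
    print(bare[:40] + "...")
    print(params)
```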

### 7zip protected files

{% embed url="<https://github.com/cyberblackhole/7zip-crack/tree/master?tab=readme-ov-file>" %}

{% embed url="<https://www.bleepingcomputer.com/news/security/an-encrypted-zip-file-can-have-two-correct-passwords-heres-why/>" %}

```
$ 7z2john archive.7z > hash.txt
$ john hash.txt -w=/usr/share/wordlists/passwords/rockyou.txt --format=7z
```

With hashcat

```
$ 7z2john archive.7z > hash.txt
$ cut -d ':' -f 2 hash.txt > hash-hc.txt
$ hashcat -m 11600 hash-hc.txt /usr/share/wordlists/passwords/rockyou.txt
```

{% embed url="<https://www.acceis.fr/cracking-encrypted-archives-pkzip-zip-zipcrypto-winzip-zip-aes-7-zip-rar/>" %}

### Zip protected files

{% embed url="<https://www.acceis.fr/cracking-encrypted-archives-pkzip-zip-zipcrypto-winzip-zip-aes-7-zip-rar/>" %}

```shell-session
zip2john ZIP.zip > zip.hash

ver 2.0 efh 5455 efh 7875 ZIP.zip/flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=42, decmplen=30, crc=490E7510
```

```shell-session
john --wordlist=rockyou.txt zip.hash

Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1234             (ZIP.zip/customers.csv)
1g 0:00:00:00 DONE (2022-02-09 09:18) 100.0g/s 250600p/s 250600c/s 250600C/s 123456..1478963
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

```shell-session
john zip.hash --show

ZIP.zip/customers.csv:1234:customers.csv:ZIP.zip::ZIP.zip

1 password hash cracked, 0 left
```

#### fcrackzip

{% embed url="<https://github.com/foreni-packages/fcrackzip>" %}

```
fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt sample.zip
```

#### bkcrack - Crack legacy zip encryption with Biham and Kocher's known plaintext attack.

{% embed url="<https://github.com/kimci86/bkcrack>" %}

{% embed url="<https://www.acceis.fr/cracking-encrypted-archives-pkzip-zip-zipcrypto-winzip-zip-aes-7-zip-rar/>" %}

```
$ bkcrack -C archive.zip -c 'logo_acceis.svg' -p plain.bin -x -1 19
bkcrack 1.3.5 - 2022-03-20
[15:07:25] Z reduction using 12 bytes of known plaintext
100.0 % (12 / 12)
[15:07:25] Attack on 573157 Z values at index 6
Keys: 18996980 070e64a5 38e61fb0
86.6 % (496251 / 573157)
[15:31:27] Keys
18996980 070e64a5 38e61fb0

# Create a copy archive with a chosen password.
bkcrack -C archive.zip -k 18996980 070e64a5 38e61fb0 -U cracked.zip noraj
```

Or brute-force the password from the recovered keys (no wordlist):

```
$ bkcrack -k 18996980 070e64a5 38e61fb0 -r 8 \?a
bkcrack 1.3.5 - 2022-03-20
[16:16:01] Recovering password
length 0-6...
length 7...
length 8...
[16:16:01] Password
as bytes: 6d 6f 72 70 68 65 75 73
as text: morpheus
```

Alternatively, concatenating the three keys gives the PKZIP Master Key, which we can try to crack with Hashcat and a wordlist.

```
$ haiti '18996980070e64a538e61fb0'
CRC-96 (ZIP)
PKZIP Master Key [HC: 20500]
PKZIP Master Key (6 byte optimization) [HC: 20510]
Crypt16

$ hashcat -m 20500 hash-hc.txt /usr/share/wordlists/passwords/rockyou.txt
```

### RAR Files

{% embed url="<https://www.acceis.fr/cracking-encrypted-archives-pkzip-zip-zipcrypto-winzip-zip-aes-7-zip-rar/>" %}

```
$ rar2john rarfile.rar > rar_hash.txt
$ john --wordlist=/usr/share/wordlists/rockyou.txt rar_hash.txt
```

With Hashcat:

```
$ rar2john archive.rar > hash.txt
$ cut -d ':' -f 2 hash.txt > hash-hc.txt
$ hashcat -m 13000 hash-hc.txt /usr/share/wordlists/passwords/rockyou.txt
```

### OpenSSL Encrypted Archives - gzip

```shell-session
$ file GZIP.gzip 

GZIP.gzip: openssl enc'd data with salted password
```

```shell-session
$ while IFS= read -r i; do openssl enc -aes-256-cbc -d -in GZIP.gzip -k "$i" 2>/dev/null | tar xz; done < rockyou.txt

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now

<SNIP>
```

```shell-session
$ ls

customers.csv  GZIP.gzip  rockyou.txt
```

### BitLocker Encrypted Drives VHD

```shell-session
$ bitlocker2john -i Backup.vhd > backup.hashes
$ grep "bitlocker\$0" backup.hashes > backup.hash
```

```shell-session
$ hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked

hashcat (v6.1.1) starting...

<SNIP>

$bitlocker$0$16$02b329c0453b9273f2fc1b927443b5fe$1048576$12$00b0a67f961dd80103000000$60$d59f37e70696f7eab6b8f95ae93bd53f3f7067d5e33c0394b3d8e2d1fdb885cb86c1b978f6cc12ed26de0889cd2196b0510bbcd2a8c89187ba8ec54f:1234qwer
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: BitLocker
Hash.Target......: $bitlocker$0$16$02b329c0453b9273f2fc1b927443b5fe$10...8ec54f
Time.Started.....: Wed Feb  9 11:46:40 2022 (1 min, 42 secs)
Time.Estimated...: Wed Feb  9 11:48:22 2022 (0 secs)
Guess.Base.......: File (/opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       28 H/s (8.79ms) @ Accel:32 Loops:4096 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 2880/6163 (46.73%)
Rejected.........: 0/2880 (0.00%)
Restore.Point....: 2816/6163 (45.69%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1044480-1048576
Candidates.#1....: chemical -> secrets

Started: Wed Feb  9 11:46:35 2022
Stopped: Wed Feb  9 11:48:23 2022
```

```shell-session
$ cat backup.cracked 

$bitlocker$0$16$02b329c0453b9273f2fc1b927443b5fe$1048576$12$00b0a67f961dd80103000000$60$d59f37e70696f7eab6b8f95ae93bd53f3f7067d5e33c0394b3d8e2d1fdb885cb86c1b978f6cc12ed26de0889cd2196b0510bbcd2a8c89187ba8ec54f:1234qwer
```

Mount the .vhd on Linux

{% embed url="<https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0>" %}
