PRIMARY CATEGORY → PASSWORD ATTACKS

Cracking Protected Files (Archives)

Fileinfo.com can be used to look up an unfamiliar file extension before choosing the matching "2john" helper.

General Workflow
Search for the Utility

Multiple “2John” Tools

locate -- '*2john*' | grep -i -- '<FILE_TYPE>'

Quote the glob so the shell does not expand it against the current directory; some helpers ship as .pl/.py scripts rather than binaries, which this search also finds.
Obtain a Hash from the Provided File
<FILE_TYPE>2john <FILE> > <FILE>.john
Crack the Hash with John
john --wordlist=<WORDLIST> <FILE>.john
Show the obtained Password
john --show <FILE>.john
cat ~/.john/john.pot
ZIP
Show .ZIP File Technical Metadata and Other information
7z l -slt <ZIP_FILE>
Obtain a Hash/Digest from the Zip File (zip2john handles both legacy ZipCrypto/PKZIP entries and WinZip AES entries; in Hashcat these are modes 17200-17230 and 13600 respectively)
zip2john <ZIP_FILE> > zip.john
Hash Cracking with John
john zip.john --wordlist=/usr/share/wordlists/rockyou.txt
Show Cracked Hashes/Passwords
john --show zip.john
cat ~/.john/john.pot
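The general workflow above and its ZIP instance, wrapped into a few shell functions as an added example (this is not code from the original page). It assumes john (jumbo) and its *2john helpers are on PATH for the end-to-end run; the helper-selection and output-parsing functions are pure shell and need no tools, and the `john --show` output used to exercise them is constructed.

```sh
#!/bin/sh
# Added example (not from the original page): a wrapper around the general
# *2john workflow, covering ZIP and the other formats john ships helpers for.
# Assumes john (jumbo) and its *2john helpers are on PATH for crack_file; the
# parsing helpers are pure shell.

# Map a file name to the *2john helper that understands it. Helper names follow
# john jumbo's run/ directory; some installs ship them as .pl/.py scripts, which
# is what the "locate '*2john*'" search in the text is for.
pick_2john() {
    name=$(basename -- "$1")
    case "$name" in
        *.*) ext=${name##*.} ;;
        *)   ext=$name ;;
    esac
    ext=$(printf '%s' "$ext" | tr '[:upper:]' '[:lower:]')
    case "$ext" in
        zip|jar|apk)                    echo zip2john ;;
        rar)                            echo rar2john ;;
        7z)                             echo 7z2john ;;
        pdf)                            echo pdf2john ;;
        doc|docx|xls|xlsx|ppt|pptx)     echo office2john ;;
        kdb|kdbx)                       echo keepass2john ;;
        gpg|asc)                        echo gpg2john ;;
        vhd|vhdx|img|raw)               echo bitlocker2john ;;
        pem|id_rsa|id_ecdsa|id_ed25519) echo ssh2john ;;
        *)                              return 1 ;;
    esac
}

# Pull the plaintexts out of "john --show" output. Each cracked line is
# "<label>:<password>[:...]" (for zip2john the label is the archive name); the
# trailing "N password hash(es) cracked, M left" line has no ':' and is skipped.
# A password containing ':' would be cut at the first colon; read john.pot then.
show_passwords() {
    printf '%s\n' "$1" | awk -F: 'NF >= 2 { print $2 }'
}

# Number of hashes john reports as cracked, taken from the summary line.
cracked_count() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\) password hash.* cracked.*/\1/p'
}

# Whole workflow: helper -> hash file -> john -> plaintext(s) on stdout.
crack_file() {
    file=$1
    wordlist=${2:-/usr/share/wordlists/rockyou.txt}
    tool=$(pick_2john "$file") || { echo "no *2john helper known for $file" >&2; return 2; }
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not on PATH (try: locate '*2john*')" >&2; return 2; }
    if [ "$tool" = bitlocker2john ]; then
        "$tool" -i "$file" 2>/dev/null > "$file.john"   # bitlocker2john takes the image via -i
    else
        "$tool" "$file" 2>/dev/null > "$file.john"
    fi
    [ -s "$file.john" ] || { echo "no hash extracted from $file" >&2; return 1; }
    john --wordlist="$wordlist" "$file.john" >/dev/null 2>&1 || true   # exit status is not "cracked or not"
    out=$(john --show "$file.john" 2>/dev/null)
    n=$(cracked_count "$out")
    [ "${n:-0}" -gt 0 ] || return 1
    show_passwords "$out"
}
```

Typical use is `crack_file backup.zip /usr/share/wordlists/rockyou.txt`; the function returns 2 when no helper is known or installed, 1 when nothing was extracted or cracked, and prints the plaintext(s) on success.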
GZIP
Encrypted with OpenSSL
  • Check whether the file is encrypted or not
file <GZIP_FILE>

If encrypted with openssl enc (which prepends a "Salted__" header that libmagic recognises), the output should be similar to the following one →

GZIP.gzip: openssl enc'd data with salted password
  • Cracking with OpenSSL
while IFS= read -r _passwd ; do openssl enc -aes-256-cbc -d -in <GZIP_FILE> -k "$_passwd" 2> /dev/null | tar xz 2> /dev/null && echo "Password: $_passwd" && break ; done < <WORDLIST>

The header records neither the cipher nor the key derivation, so both have to be guessed: OpenSSL before 1.1.0 derived the key with MD5 (add -md md5 to decrypt such files with a newer build), 1.1.0+ uses SHA-256 by default, and a file produced with -pbkdf2 only decrypts with -pbkdf2. A wrong password almost always fails the padding check, tar receives nothing valid, and the loop moves on; the echo fires on the first password for which tar succeeds.
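The loop above as a set of functions, added here as an example (not code from the original page) that also guesses the key derivation, since openssl enc output does not record it. The fixture, a small tarball encrypted with a known password, and the tiny wordlist are constructed for the demonstration; openssl, tar and gzip are assumed to be installed.

```sh
#!/bin/sh
# Added example (not from the original page): wordlist attack on an
# openssl-enc'd .tar.gz that tries the three key derivations OpenSSL has used.
# Fixture data below is constructed; requires openssl, tar and gzip.

# Try one candidate password. Prints the key-derivation flag(s) that worked and
# returns 0; returns 1 if no variant yields a valid archive.
#   -md sha256 : default since OpenSSL 1.1.0 (EVP_BytesToKey with SHA-256)
#   -md md5    : default before 1.1.0; needed to open old files on new builds
#   -pbkdf2    : files produced with -pbkdf2 only open with -pbkdf2
try_passwd() {
    local enc_file passwd kdf
    enc_file=$1
    passwd=$2
    for kdf in '-md sha256' '-md md5' '-pbkdf2'; do
        # $kdf is deliberately unquoted so "-md sha256" splits into two arguments.
        # "tar tz" only lists the archive, so a wrong key (bad padding or gzip
        # garbage) fails without writing anything to disk.
        if openssl enc -aes-256-cbc -d $kdf -in "$enc_file" -k "$passwd" 2>/dev/null \
                | tar tz >/dev/null 2>&1; then
            echo "$kdf"
            return 0
        fi
    done
    return 1
}

# Run a wordlist against the file; prints the first password that opens it.
crack_openssl_gz() {
    local enc_file wordlist candidate
    enc_file=$1
    wordlist=$2
    while IFS= read -r candidate || [ -n "$candidate" ]; do
        if try_passwd "$enc_file" "$candidate" >/dev/null; then
            echo "$candidate"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Constructed fixture: payload/ tarred, gzipped and encrypted with -pbkdf2, plus a
# small wordlist in which the real password is not the first entry.
make_fixture() {
    local dir passwd
    dir=$1
    passwd=$2
    mkdir -p "$dir/payload"
    echo 'constructed sample secret' > "$dir/payload/secret.txt"
    tar czf - -C "$dir" payload \
        | openssl enc -aes-256-cbc -salt -pbkdf2 -k "$passwd" -out "$dir/backup.tar.gz.enc"
    printf '%s\n' password 123456 letmein "$passwd" qwerty > "$dir/wordlist.txt"
}
```

Against the fixture, `crack_openssl_gz "$dir/backup.tar.gz.enc" "$dir/wordlist.txt"` prints the planted password, and `try_passwd` reports `-pbkdf2` as the derivation that worked; a real file encrypted with an old OpenSSL would instead succeed on the `-md md5` pass. Listing with `tar tz` rather than extracting keeps a false positive from dumping garbage into the working directory.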
BitLocker Encrypted Drives

Obtain the First Hash (BitLocker User Password) from the Encrypted Virtual Drive
bitlocker2john -i Private.vhd 2> /dev/null | grep -i -- '\$bitlocker\$0' > bitlocker.hash # .VHD[X] File

bitlocker2john emits several hash lines: $bitlocker$0$ and $bitlocker$1$ derive from the user password (the $1$ variant adds the MAC verification and is slower), while $bitlocker$2$ and $bitlocker$3$ derive from the 48-digit numeric recovery password and are not a sensible wordlist target.
Cracking Bitlocker Hash
  • Hashcat

Hashcat Mode → 22100

hashcat --force -O --attack-mode 0 --hash-type 22100 <HASH> <WORDLIST>
  • John the Ripper
john --wordlist=<WORDLIST> --format=bitlocker <HASH>
Mounting BitLocker-Encrypted Drives in Windows

  • Mount the .VHD file: double-click it in Explorer, or in Disk Management use Action → Attach VHD
  • Enter the cracked password at the BitLocker prompt Explorer shows for the locked volume, or unlock it from an elevated prompt:
manage-bde -unlock <DRIVE_LETTER>: -Password
Mounting Bitlocker-Encrypted Drives in Linux

UTILITY     PURPOSE
losetup     Convert a file (.VHD, .ISO, .IMG…) into a block device
dislocker   Decrypt and access a BitLocker-encrypted volume
mount       Mount the decrypted file system to access all the files
  • Dislocker Installation
apt install -y -- dislocker
  • Loop Device Creation based on the VHD File using losetup (--partscan exposes the partitions inside the image as /dev/loopNpM)
losetup --find --show --partscan -- <VHD>
  • Check if the created Loop Device is available
losetup --all
lsblk -fm | grep -i -- loop
  • Folders Creation to mount the VHD File
mkdir -p -- /media/{bitlocker,bitlockermount}
  • Drive Decryption using Dislocker (pass the BitLocker partition, i.e. the loop partition that blkid/lsblk identify as BitLocker; /dev/loop0p1 below is an example, not a fixed name)
dislocker --volume /dev/loop0p1 --user-password -- /media/bitlocker
> Enter the user password: *****
  • Check the Mounted Device (VHD)
mount | grep -i -- dislocker
  • Mount the Decrypted Volume (dislocker-file is a virtual file exposing the decrypted NTFS volume; add --readonly to dislocker when the image must not be modified)
mount --options loop -- /media/bitlocker/dislocker-file /media/bitlockermount
find /media/bitlockermount

Cracking Hashes

Identifying Hash Formats
  • Hash Identifier
hash-identifier <HASH>
John the Ripper

  • Hash ID (suggests the matching john --format names)
hashid --john '<HASH>'
Hashcat

  • Hashcat Example Hashes
hashcat --help
hashcat --example-hashes | less
hashcat --example-hashes | grep -iPA 100 --color -- '<HASH_FORMAT>'
  • Hash ID (hashid --mode suggests Hashcat modes; Hashcat 6.2.0+ can also identify the hashes in a file itself)
hashid --mode '<HASH>'
hashcat --identify <HASH_FILE>
Linux System User Passwords

Hashes within /etc/shadow or /etc/security/opasswd

Generic Hash Format

$<HASH_ALGORITHM_ID>$<SALT>$<HASH>

The first field identifies the crypt(3) algorithm and therefore the cracking mode: $1$ md5crypt (Hashcat 500), $5$ sha256crypt (7400), $6$ sha512crypt (1800), $2a$/$2b$/$2y$ bcrypt (3200), $y$ yescrypt (no Hashcat mode; use john --format=crypt). sha256crypt and sha512crypt hashes may carry an extra $rounds=N$ field before the salt.
Unshadow

Before cracking the hashes, use unshadow to merge the passwd and shadow files (the backup copies live in /tmp, so point unshadow there), then keep only the entries whose second field is a real hash: "*", "!", "!!" and a hash prefixed with "!" mean the account is locked or has no password →

cp /etc/passwd /tmp/passwd.bk && cp /etc/shadow /tmp/shadow.bk
unshadow /tmp/passwd.bk /tmp/shadow.bk | awk -F: '$2 != "" && $2 !~ /^[*!]/ { printf "%s:%s\n", $1, $2 }' > /tmp/unshadowed.hashes
MD5 (md5crypt, $1$ prefix; --user tells Hashcat each line is user:hash)
hashcat --force -O --user --hash-type 500 <HASH> <WORDLIST>
  • Show Password in Plain Text
hashcat --force -O --user --hash-type 500 <HASH> <WORDLIST> --show
SHA512 (sha512crypt, $6$ prefix)
hashcat --force -O --user --hash-type 1800 <HASH> <WORDLIST>
  • Show Password in Plain Text
hashcat --force -O --user --hash-type 1800 <HASH> <WORDLIST> --show
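An added example (not code from the original page) serving both the hash-identification section and the unshadow step above: a pure-shell stand-in for unshadow that joins passwd and shadow, drops locked and password-less accounts, and sorts the usable entries into one file per Hashcat mode by reading the crypt(3) prefix. The passwd/shadow lines are constructed samples whose hash bodies are placeholders, not real crypts of any password.

```sh
#!/bin/sh
# Added example (not from the original page): unshadow + filter + split-by-mode
# in plain shell/awk. Sample passwd/shadow entries are constructed.

# crypt(3) prefix -> hashcat --hash-type. yescrypt has no Hashcat mode, so it is
# reported as "none" (crack those with john --format=crypt instead).
hashcat_mode_for() {
    case "$1" in
        '$1$'*)                   echo 500  ;;   # md5crypt
        '$5$'*)                   echo 7400 ;;   # sha256crypt
        '$6$'*)                   echo 1800 ;;   # sha512crypt
        '$2a$'*|'$2b$'*|'$2y$'*)  echo 3200 ;;   # bcrypt
        '$y$'*)                   echo none ;;   # yescrypt: john --format=crypt
        *)                        return 1  ;;
    esac
}

# Join passwd and shadow on the user name and print "user:hash" for accounts that
# actually have a crackable hash. Shadow field 2 of "*", "!", "!!" or "" means no
# password / locked, and a real hash prefixed with "!" is a locked account.
# Usage: unshadow_usable <passwd> <shadow>   (shadow is read first via NR==FNR)
unshadow_usable() {
    awk -F: '
        NR == FNR { hash[$1] = $2; next }
        ($1 in hash) && hash[$1] != "" && hash[$1] !~ /^[!*]/ {
            print $1 ":" hash[$1]
        }' "$2" "$1"
}

# Write each "user:hash" line to <outdir>/hashes.<mode>, so that every file can be
# fed to: hashcat --user --hash-type <mode> <outdir>/hashes.<mode> <wordlist>
split_by_mode() {
    local infile outdir line mode
    infile=$1
    outdir=$2
    mkdir -p "$outdir"
    while IFS= read -r line || [ -n "$line" ]; do
        mode=$(hashcat_mode_for "${line#*:}") || mode=unknown
        printf '%s\n' "$line" >> "$outdir/hashes.$mode"
    done < "$infile"
}

# Constructed sample files: one md5crypt, one sha512crypt, one yescrypt user,
# one locked user ("!" prefix), one system account ("*") and one "!!" entry.
make_fixture() {
    local dir
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
dave:x:1003:1003:Dave:/home/dave:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$saltsalt$placeholderhashbody:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$1$salt$placeholder:19000:0:99999:7:::
bob:!$6$saltsalt$placeholderlocked:19000:0:99999:7:::
carol:$y$j9T$salt$placeholder:19000:0:99999:7:::
dave:!!:19000:0:99999:7:::
EOF
}
```

On the sample data only root, alice and carol survive the filter, and they land in hashes.1800, hashes.500 and hashes.none respectively; that last file is the one to hand to john rather than Hashcat. Against a real host, `unshadow_usable /tmp/passwd.bk /tmp/shadow.bk > /tmp/unshadowed.hashes` replaces the unshadow/awk pipeline shown above.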