PRIMARY CATEGORY → CRACKING
General Workflow
Search for the Utility
Multiple “2John” Tools
locate '*john*' | grep -i -- '<FILE_TYPE>'
Obtain a Hash from the Provided File
<FILE>2john <FILE> > <FILE>.john
Crack the Hash with John
john --wordlist=<WORDLIST> <FILE>.john
Show the obtained Password
john --show <FILE>.john
cat ~/.john/john.pot
ZIP
Show .ZIP File Technical Metadata and Other information
7z l -slt <ZIP_FILE>
Obtain a Hash/Digest from the Zip File
zip2john <ZIP_FILE> > zip.john
Hash Cracking with John
john zip.john --wordlist=/usr/share/wordlists/rockyou.txt
Show Cracked Hashes/Passwords
john --show zip.john
cat ~/.john/john.pot
GZIP
Encrypted with OpenSSL
Check whether the file is encrypted or not
file <GZIP_FILE>
If encrypted, the output should be similar to the following one →
GZIP.gzip: openssl enc'd data with salted password
Cracking with OpenSSL
while IFS= read -r _passwd ; do openssl enc -aes-256-cbc -d -in <GZIP_FILE> -k "$_passwd" 2> /dev/null | tar xz ; done < <WORDLIST>
BitLocker Encrypted Drives
Obtain the First Hash (Bitlocker Password) from the Encrypted Virtual Drive
bitlocker2john -i Private.vhd 2> /dev/null | grep -i -- '\$bitlocker\$0' > bitlocker.hash # .VHD[X] File
Important
The output of the above command returns four hashes
The first two correspond to the Bitlocker Password
The remaining two are related to the Bitlocker Recovery Key
Since this Recovery Key is very long and randomly generated, it is generally not practical to guess
Cracking Bitlocker Hash
- Hashcat
Hashcat Mode → 22100
hashcat --force -O --attack-mode 0 --hash-type 22100 <HASH> <WORDLIST>
- John the Ripper
john --wordlist=<WORDLIST> --format=bitlocker <HASH>
Mounting Bitlocker-Encrypted Drives in Windows
Mount the .VHD File

Enter the cracked password at the Bitlocker Password Prompt

Mounting Bitlocker-Encrypted Drives in Linux
| UTILITY | PURPOSE |
|---|---|
| losetup | Convert a file (.VHD, .ISO, .IMG…) into a block device |
| dislocker | Decrypt and access a volume encrypted with Bitlocker |
| mount | Mount the decrypted file system to access all the files |
Dislocker Installation
apt install -y -- dislocker
Loop Device Creation based on the VHD File using losetup
losetup --find --show --partscan -- <VHD>
Check if the created Loop Device is available
losetup --all
lsblk -fm | grep -i -- loop
Folders Creation to mount the VHD File
mkdir -p -- /media/{bitlocker,bitlockermount}
Drive Decryption using Dislocker
dislocker --volume /dev/loop0p1 --user-password -- /media/bitlocker
> Enter the user password: *****
Check the Mounted Device (VHD)
mount | grep -i -- dislocker
Mount the Decrypted Volume
mount --options loop -- /media/bitlocker/dislocker-file /media/bitlockermount
find /media/bitlockermount
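Read-Only Mount and Teardown (added example, not part of the original page)
The Linux steps above wrapped into functions that attach, decrypt and mount the image read-only so the evidence file is not modified, then release everything in reverse order. The function names and the DRY_RUN switch are assumptions of this example, as is the volume sitting on the first partition (p1), which mirrors /dev/loop0p1 above.

```shell
# Added example: read-only handling of a BitLocker VHD plus clean teardown.
# Mount points are the ones used on this page; names below are hypothetical.
set -eu

BL_RAW=/media/bitlocker        # dislocker exposes "dislocker-file" here
BL_FS=/media/bitlockermount    # the decrypted file system is mounted here

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 = VHD path. Prints the loop device that was allocated.
bl_attach() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo /dev/loopN; return 0; fi
  losetup --find --show --read-only --partscan -- "$1"
}

# $1 = loop device. Decrypts partition 1 and mounts it, both read-only.
bl_mount() {
  run mkdir -p -- "$BL_RAW" "$BL_FS"
  run dislocker --readonly --volume "${1}p1" --user-password -- "$BL_RAW"
  run mount --options ro,loop -- "$BL_RAW/dislocker-file" "$BL_FS"
}

# $1 = loop device. Undo bl_mount and bl_attach in reverse order:
# file system first, then the dislocker FUSE mount, then the loop device.
bl_umount() {
  run umount -- "$BL_FS"
  run umount -- "$BL_RAW"
  run losetup --detach "$1"
}

# Typical use (as root):
#   dev=$(bl_attach Private.vhd) && bl_mount "$dev"
#   ... inspect /media/bitlockermount ...
#   bl_umount "$dev"
```

Run it once with DRY_RUN=1 to review the exact commands before executing them as root.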