search

Cracking Files

hashtag
Protected Files

Many different file extensions can identify these types of encrypted/encoded files. For example, a useful list can be found on FileInfoarrow-up-right.

Hunting for Files

A oneliner to search for SOME extensions:

for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done

Hunting for SSH Keys

grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"

Encrypted SSH Keys

cat /home/cry0l1t3/.ssh/SSH.private

hashtag
Cracking with John

John The Ripper has many different scripts to generate hashes from files that we can then use for cracking. We can find these scripts on our system using the following command.

locate *2john*
ssh2john.py SSH.private > ssh.hash
john --wordlist=rockyou.txt ssh.hash
john ssh.hash --show

hashtag
Cracking Documents

Cracking PDFs

hashtag
Using Hashcat for *2john files

As an example, we have a KeePass database file. We can extract the hash using:

but if we try feeding this to Hashcat, it will not recognize it. Looking at the output it should look something like this:

If we remove the first part of it and leave anything after the : then Hashcat will recognize it (and give us possible modes to use, in this case hashcat -m 13400 hashcat.hash mut_password.list)

Or possible oneliner to extract the hash:

PreviousWindows Lateral MovementNextAttacking Common Services

Last updated