# Cracking Files

## Protected Files

Many different file extensions can identify these types of encrypted/encoded files. For example, a useful list can be found on [FileInfo](https://fileinfo.com/filetypes/encoded).

**Hunting for Files**

A oneliner to search for SOME extensions:

```bash
for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done
```

**Hunting for SSH Keys**

```bash
grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"
```

**Encrypted SSH Keys**

```bash
cat /home/cry0l1t3/.ssh/SSH.private
```

### Cracking with John

`John The Ripper` has many different scripts to generate hashes from files that we can then use for cracking. We can find these scripts on our system using the following command.

```shell-session
locate *2john*
```

```bash
ssh2john.py SSH.private > ssh.hash
```

```bash
john --wordlist=rockyou.txt ssh.hash
john ssh.hash --show
```

### Cracking Documents

```bash
office2john.py Protected.docx > protected-docx.hash
john --wordlist=rockyou.txt protected-docx.hash
john protected-docx.hash --show
```

**Cracking PDFs**

```shell-session
pdf2john.py PDF.pdf > pdf.hash
john --wordlist=rockyou.txt pdf.hash
john pdf.hash --show
```

## Using Hashcat for \*2john files

As an example, we have a KeePass database file. We can extract the hash using:

```bash
keepass2john file.kdbx > hash.txt
```

but if we try feeding this to Hashcat, it will not recognize it. Looking at the output it should look something like this:

```
Logins:$keepass$*2*60000*0*048f742ba4[...]
```

If we remove the first part of it and leave anything after the : then Hashcat will recognize it (and give us possible modes to use, in this case `hashcat -m 13400 hashcat.hash mut_password.list`)

Or possible oneliner to extract the hash:

```bash
keepass2john CrackThis.kdb | grep -o "$keepass$.*" >  CrackThis.hash
```