# Cracking Files ## Protected Files Many different file extensions can identify these types of encrypted/encoded files. For example, a useful list can be found on [FileInfo](https://fileinfo.com/filetypes/encoded). **Hunting for Files** A oneliner to search for SOME extensions: ```bash for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done ``` **Hunting for SSH Keys** ```bash grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1" ``` **Encrypted SSH Keys** ```bash cat /home/cry0l1t3/.ssh/SSH.private ``` ### Cracking with John `John The Ripper` has many different scripts to generate hashes from files that we can then use for cracking. We can find these scripts on our system using the following command. ```shell-session locate *2john* ``` ```bash ssh2john.py SSH.private > ssh.hash ``` ```bash john --wordlist=rockyou.txt ssh.hash john ssh.hash --show ``` ### Cracking Documents ```bash office2john.py Protected.docx > protected-docx.hash john --wordlist=rockyou.txt protected-docx.hash john protected-docx.hash --show ``` **Cracking PDFs** ```shell-session pdf2john.py PDF.pdf > pdf.hash john --wordlist=rockyou.txt pdf.hash john pdf.hash --show ``` ## Using Hashcat for \*2john files As an example, we have a KeePass database file. We can extract the hash using: ```bash keepass2john file.kdbx > hash.txt ``` but if we try feeding this to Hashcat, it will not recognize it. Looking at the output it should look something like this: ``` Logins:$keepass$*2*60000*0*048f742ba4[...] ``` If we remove the first part of it and leave anything after the : then Hashcat will recognize it (and give us possible modes to use, in this case `hashcat -m 13400 hashcat.hash mut_password.list`) Or possible oneliner to extract the hash: ```bash keepass2john CrackThis.kdb | grep -o "$keepass$.*" > CrackThis.hash ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.rtlcopymemory.com/password-attacks/cracking-files.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.