Cracking Files

Protected Files

Many different file extensions can identify these types of encrypted/encoded files. For example, a useful list can be found on FileInfo.

Hunting for Files

A one-liner to search for some extensions:

for ext in .xls '.xls*' .xltx .csv '.od*' .doc '.doc*' .pdf .pot '.pot*' '.pp*'; do echo -e "\nFile extension: $ext"; find / -name "*$ext" 2>/dev/null | grep -v "lib\|fonts\|share\|core"; done

Hunting for SSH Keys

grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1:"

Encrypted SSH Keys

cat /home/cry0l1t3/.ssh/SSH.private
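
The grep above locates key files but does not say which ones are passphrase-protected. As an added example (not part of the original notes), the following audit classifies each key it finds by its header so that unprotected keys can be flagged; the function names `key_protection` and `audit_keys` are hypothetical, and `base64 -d` is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the original page: audit a directory tree for
# private keys and report which ones are stored without a passphrase.

# Hex of "openssh-key-v1\0", the magic that opens a decoded OpenSSH key body.
OPENSSH_MAGIC=6f70656e7373682d6b65792d763100
# Magic + uint32 length 4 + "none": the cipher name of an unencrypted key.
OPENSSH_PLAIN=${OPENSSH_MAGIC}000000046e6f6e65

# Print encrypted | unencrypted | unknown | not-a-key for one file.
key_protection() (
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case $first in
    "-----BEGIN ENCRYPTED PRIVATE KEY-----")    # PKCS#8 encrypted container
        echo encrypted ;;
    "-----BEGIN OPENSSH PRIVATE KEY-----")      # cipher name is in the binary body
        hex=$(sed '/^-----/d' "$1" | tr -d '\r\n' | base64 -d 2>/dev/null |
              head -c 23 | od -An -v -tx1 | tr -d ' \n')
        case $hex in
        "$OPENSSH_PLAIN")                   echo unencrypted ;;
        "$OPENSSH_MAGIC"????????????????)   echo encrypted ;;
        *)                                  echo unknown ;;  # truncated or corrupt
        esac ;;
    "-----BEGIN "*"PRIVATE KEY-----")           # legacy PEM (RSA/EC/DSA) or plain PKCS#8
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted
        else echo unencrypted; fi ;;
    *)  echo not-a-key ;;
    esac
)

# Find candidate files the same way the grep above does, then print
# "status<TAB>path" for every file that really is a private key.
audit_keys() {
    grep -rl "PRIVATE KEY" "$1" 2>/dev/null | while IFS= read -r f; do
        status=$(key_protection "$f")
        [ "$status" = not-a-key ] || printf '%s\t%s\n' "$status" "$f"
    done
}
```

Run it as `audit_keys /home`; any key reported as unencrypted can be given a passphrase with `ssh-keygen -p -f <keyfile>`.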

Cracking with John

John The Ripper has many different scripts to generate hashes from files that we can then use for cracking. We can find these scripts on our system using the following command.

locate '*2john*'
ssh2john.py SSH.private > ssh.hash
john --wordlist=rockyou.txt ssh.hash
john ssh.hash --show

Cracking Documents

office2john.py Protected.docx > protected-docx.hash
john --wordlist=rockyou.txt protected-docx.hash
john protected-docx.hash --show

Cracking PDFs

pdf2john.py PDF.pdf > pdf.hash
john --wordlist=rockyou.txt pdf.hash
john pdf.hash --show

Using Hashcat for *2john files

As an example, we have a KeePass database file. We can extract the hash using:

keepass2john file.kdbx > hash.txt

However, if we feed this file to Hashcat, it will not recognize the hash. The keepass2john output looks something like this:

Logins:$keepass$*2*60000*0*048f742ba4[...]

If we remove the first part and keep only what follows the :, Hashcat will recognize it (and give us possible modes to use, in this case hashcat -m 13400 hashcat.hash mut_password.list).

Or a possible one-liner to extract the hash:

keepass2john CrackThis.kdb | grep -o '\$keepass\$.*' > CrackThis.hash
