Files & Archives Cracking

Protected Files

Importance of File Encryption

Encryption ensures confidentiality in personal and business communication.
Lack of encryption in emails containing sensitive data is negligent and potentially violates laws (e.g., GDPR in the EU).
Symmetric encryption (e.g., AES-256):
- Uses the same key for encryption and decryption.
Asymmetric encryption:
- Requires a public key (to encrypt) and a private key (to decrypt).
Common tools and passwords can crack poorly implemented encryption.

File Hunting and Identifying Sensitive Files

Command for Hunting Specific File Extensions

for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*"); do 
    echo -e "\nFile extension: $ext"; 
    find / -name *$ext 2>/dev/null | grep -v "lib\|fonts\|share\|core";
done

Purpose: Locate files with extensions that might store sensitive information.
Filtering: Avoid unnecessary system paths like libraries and fonts.

Finding SSH Keys

grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"

Purpose: Search for SSH keys across the filesystem.
Encrypted SSH keys:
- Header indicates encryption method (e.g., AES-128-CBC).
- Requires a passphrase to decrypt.

Cracking Encrypted Files

Tools for Extracting Hashes

Locate scripts for various file types:
```
locate *2john*
```
Examples:
- ssh2john.py: For SSH keys.
- office2john.py: For Microsoft Office files.
- pdf2john.py: For PDFs.

Steps to Crack Files

Convert File to Hash:

ssh2john.py SSH.private > ssh.hash
office2john.py Protected.docx > protected-docx.hash
pdf2john.py PDF.pdf > pdf.hash

Crack Hash Using Wordlist:
```
john --wordlist=rockyou.txt <hash_file>
```
Display Cracked Passwords:
```
john <hash_file> --show
```

Example: Cracking SSH Keys

# Convert SSH key to hash
ssh2john.py SSH.private > ssh.hash

# Crack with John and display results
john --wordlist=rockyou.txt ssh.hash
john ssh.hash --show

Document Cracking

Cracking Office Documents

office2john.py Protected.docx > protected-docx.hash
john --wordlist=rockyou.txt protected-docx.hash
john protected-docx.hash --show

Cracking PDF Documents

pdf2john.py PDF.pdf > pdf.hash
john --wordlist=rockyou.txt pdf.hash
john pdf.hash --show

Protected Archives

What Are Archives?

Archives are compressed file formats that can bundle multiple files (e.g., PDFs, Word documents, etc.) into one for better organization and transfer.
Examples of archive file extensions:
- Common Formats: .tar, .gz, .zip, .rar, .7z
- Encrypted/Specialized Formats: .luks, .truecrypt, .bitlocker, .kdbx

Password-Protected Archives

Not all archive formats natively support password protection.
Tools like OpenSSL or GPG are often used to encrypt unprotected archive types like .tar.

Cracking Password-Protected Archives

1. ZIP Archives

Commonly used for bundling files in Windows environments.

Steps to Crack ZIP Passwords

Extract Hashes

zip2john ZIP.zip > zip.hash

Example Output:

ZIP.zip/customers.csv:$pkzip2$1*2*2*0*...

Use John the Ripper to Crack Hash

john --wordlist=rockyou.txt zip.hash

Example Output:

1234             (ZIP.zip/customers.csv)

View Cracked Password
```
john zip.hash --show
```

2. OpenSSL-Encrypted Archives

Gzip files can be encrypted with OpenSSL.

Steps to Crack OpenSSL Encrypted Archives

Identify Encryption

file GZIP.gzip

Example Output:

GZIP.gzip: openssl enc'd data with salted password

Crack Password with a For-Loop

for i in $(cat rockyou.txt); do \
    openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null | tar xz; \
done

Verify Extraction
```
ls
```
Example Output:
```
customers.csv  GZIP.gzip  rockyou.txt
```

3. BitLocker Encrypted Drives

Used by Windows for partition or external drive encryption.
Based on AES encryption (128/256-bit).

Steps to Crack BitLocker Password

Extract Hashes

bitlocker2john -i Backup.vhd > backup.hashes
grep "bitlocker\$0" backup.hashes > backup.hash

Use Hashcat to Crack Hash

hashcat -m 22100 backup.hash rockyou.txt -o backup.cracked

Example Output:

Recovered: 1/1 (100.00%)
Candidates: chemical -> secrets

View Cracked Password

cat backup.cracked

Example:

$bitlocker$0$16$...:1234qwer

PreviousWindows Lateral Movement NextPassword Management