Noirchapeau's Gitbook
Noirchapeau
NoirchapeauEsau
Noirchapeau
NoirchapeauEsau
  • Welcome to NoirChapeau Gitbook
  • Network Mapping and Security Auditing Tool
  • Footprinting - Enumeration and Information Gathering Notes
    • FTP Pentesting Notes
    • SMB Pentesting Notes
    • SSH Pentesting Notes
    • IPMI Pentesting Notes
    • Oracle TNS Pentesting Notes
    • MSSQL Pentesting Notes
    • MySQL Pentesting Notes
    • SNMP Pentesting Notes
    • IMAP/POP3 Pentesting Notes
    • SMTP Pentesting Notes
    • DNS Pentesting Notes
    • NFS Pentesting Notes
  • Web Reconnaissance Notes
  • Vulnerability Assessment Notes
    • Nessus Vulnerability Scanner Notes
    • OpenVAS (GVM) Vulnerability Scanner Notes
  • File Transfer Techniques for Pentesting
    • Advanced File Transfer Techniques
    • File Transfer Detection & Evasion Techniques
  • Shells & Payloads: Shell Overview
    • Shells & Payloads: Payloads Overview
    • Shells & Payloads: Web Shells Overview
    • Shells & Payloads: Detection & Prevention
  • Metasploit
    • Working with Metasploit Modules
    • Targets and Payloads
    • Encoders & Msfvenom: Advanced Exploitation Techniques
    • Database Management in Metasploit
    • Sessions and Jobs
    • Writing and Importing Custom Modules into Metasploit
    • Firewall and IDS/IPS Evasion
  • Password Attacks
    • Remote Password Attacks
    • Windows Local Password Attacks
    • Linux Local Password Attacks
    • Windows Lateral Movement
    • Files & Archives Cracking
    • Password Management
  • Interacting with Common Services
    • Protocol Specific Attacks
Powered by GitBook
On this page
  • Protected Files
  • Importance of File Encryption
  • File Hunting and Identifying Sensitive Files
  • Cracking Encrypted Files
  • Document Cracking
  • Protected Archives
  • What Are Archives?
  • Password-Protected Archives
  • Cracking Password-Protected Archives
  1. Password Attacks

Files & Archives Cracking

Protected Files

Importance of File Encryption

  • Encryption ensures confidentiality in personal and business communication.

  • Lack of encryption in emails containing sensitive data is negligent and potentially violates laws (e.g., GDPR in the EU).

  • Symmetric encryption (e.g., AES-256):

    • Uses the same key for encryption and decryption.

  • Asymmetric encryption:

    • Requires a public key (to encrypt) and a private key (to decrypt).

  • Common tools and passwords can crack poorly implemented encryption.

File Hunting and Identifying Sensitive Files

Command for Hunting Specific File Extensions

for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*"); do 
    echo -e "\nFile extension: $ext"; 
    find / -name *$ext 2>/dev/null | grep -v "lib\|fonts\|share\|core";
done

  • Purpose: Locate files with extensions that might store sensitive information.

  • Filtering: Avoid unnecessary system paths like libraries and fonts.

Finding SSH Keys

grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"

  • Purpose: Search for SSH keys across the filesystem.

  • Encrypted SSH keys:

    • Header indicates encryption method (e.g., AES-128-CBC).

    • Requires a passphrase to decrypt.

Cracking Encrypted Files

Tools for Extracting Hashes

  • Locate scripts for various file types:

    locate *2john*

  • Examples:

    • ssh2john.py: For SSH keys.

    • office2john.py: For Microsoft Office files.

    • pdf2john.py: For PDFs.

Steps to Crack Files

  1. Convert File to Hash:

    ssh2john.py SSH.private > ssh.hash
office2john.py Protected.docx > protected-docx.hash
pdf2john.py PDF.pdf > pdf.hash

  2. Crack Hash Using Wordlist:

    john --wordlist=rockyou.txt <hash_file>

  3. Display Cracked Passwords:

    john <hash_file> --show

Example: Cracking SSH Keys

# Convert SSH key to hash
ssh2john.py SSH.private > ssh.hash

# Crack with John and display results
john --wordlist=rockyou.txt ssh.hash
john ssh.hash --show

Document Cracking

Cracking Office Documents

office2john.py Protected.docx > protected-docx.hash
john --wordlist=rockyou.txt protected-docx.hash
john protected-docx.hash --show

Cracking PDF Documents

pdf2john.py PDF.pdf > pdf.hash
john --wordlist=rockyou.txt pdf.hash
john pdf.hash --show

Protected Archives

What Are Archives?

  • Archives are compressed file formats that can bundle multiple files (e.g., PDFs, Word documents, etc.) into one for better organization and transfer.

  • Examples of archive file extensions:

    • Common Formats: .tar, .gz, .zip, .rar, .7z

    • Encrypted/Specialized Formats: .luks, .truecrypt, .bitlocker, .kdbx

Password-Protected Archives

  • Not all archive formats natively support password protection.

  • Tools like OpenSSL or GPG are often used to encrypt unprotected archive types like .tar.

Cracking Password-Protected Archives

1. ZIP Archives

  • Commonly used for bundling files in Windows environments.

Steps to Crack ZIP Passwords

  1. Extract Hashes

    zip2john ZIP.zip > zip.hash

    Example Output:

    ZIP.zip/customers.csv:$pkzip2$1*2*2*0*...

  2. Use John the Ripper to Crack Hash

    john --wordlist=rockyou.txt zip.hash

    Example Output:

    1234             (ZIP.zip/customers.csv)

  3. View Cracked Password

    john zip.hash --show

2. OpenSSL-Encrypted Archives

  • Gzip files can be encrypted with OpenSSL.

Steps to Crack OpenSSL Encrypted Archives

  1. Identify Encryption

    file GZIP.gzip

    Example Output:

    GZIP.gzip: openssl enc'd data with salted password

  2. Crack Password with a For-Loop

    for i in $(cat rockyou.txt); do \
    openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null | tar xz; \
done

  3. Verify Extraction

    ls

    Example Output:

    customers.csv  GZIP.gzip  rockyou.txt

3. BitLocker Encrypted Drives

  • Used by Windows for partition or external drive encryption.

  • Based on AES encryption (128/256-bit).

Steps to Crack BitLocker Password

  1. Extract Hashes

    bitlocker2john -i Backup.vhd > backup.hashes
grep "bitlocker\$0" backup.hashes > backup.hash

  2. Use Hashcat to Crack Hash

    hashcat -m 22100 backup.hash rockyou.txt -o backup.cracked

    Example Output:

    Recovered: 1/1 (100.00%)
Candidates: chemical -> secrets

  3. View Cracked Password

    cat backup.cracked

    Example:

    $bitlocker$0$16$...:1234qwer
PreviousWindows Lateral MovementNextPassword Management