# Files & Archives Cracking

## Protected Files

### **Importance of File Encryption**

* Encryption ensures confidentiality in personal and business communication.
* Lack of encryption in emails containing sensitive data is negligent and potentially violates laws (e.g., GDPR in the EU).
* Symmetric encryption (e.g., AES-256):
  * Uses the same key for encryption and decryption.
* Asymmetric encryption:
  * Requires a **public key** (to encrypt) and a **private key** (to decrypt).
* Encryption that relies on a weak or reused password can be cracked with common tools and wordlists, however strong the algorithm itself is.

### **File Hunting and Identifying Sensitive Files**

#### **Command for Hunting Specific File Extensions**

```bash
for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*"); do
    echo -e "\nFile extension: $ext"
    # Quote the pattern so the shell does not expand it against the current directory first
    find / -name "*$ext" 2>/dev/null | grep -v "lib\|fonts\|share\|core"
done
```

* **Purpose**: Locate files with extensions that commonly hold sensitive information.
* **Filtering**: The `grep -v` drops noisy system paths (libraries, fonts, shared data, core files) from the results.

#### **Finding SSH Keys**

```bash
# -n prefixes each match with its line number; keeping only ":1:" selects files whose first line is the key header
grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1:"
```

* **Purpose**: Search for SSH keys across the filesystem.
* Encrypted SSH keys:
  * In the legacy PEM format, the `DEK-Info` header names the cipher (e.g., AES-128-CBC); in the newer OpenSSH format, the cipher name is recorded inside the base64 body instead.
  * Requires a **passphrase** to decrypt.
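The defender's counterpart to this hunt is to find private keys on a host that have no passphrase at all. The Python script below is an added example, not code from this page or from OpenSSH; it parses the legacy PEM `DEK-Info` header and the cipher field at the start of the OpenSSH key format, then walks a directory and reports keys that are unprotected. The sample keys are constructed header-only stand-ins (filler base64, not real key material), and the file names used in `demo_audit()` are assumptions for the demo.

```python
import base64
import os
import re
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"

# Constructed samples: the headers are realistic, the base64 body is filler, not a real key.
ENCRYPTED_PEM = b"""-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END RSA PRIVATE KEY-----
"""

PLAIN_PEM = b"""-----BEGIN RSA PRIVATE KEY-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END RSA PRIVATE KEY-----
"""


def make_openssh_sample(ciphername: str, kdfname: str) -> bytes:
    """Constructed OpenSSH-format key holding only the magic, cipher and KDF fields
    that the inspector reads; the remainder of the real structure is omitted."""
    body = OPENSSH_MAGIC
    for field in (ciphername, kdfname):
        body += struct.pack(">I", len(field)) + field.encode()
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return (f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n"
            f"-----END OPENSSH PRIVATE KEY-----\n").encode()


def _read_string(raw: bytes, off: int):
    """Read one SSH wire-format string (uint32 length, then bytes); return (value, next offset)."""
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode(), off + 4 + n


def inspect_private_key(data: bytes) -> dict:
    """Report the key format, whether it is passphrase-protected, and the cipher/KDF in use."""
    text = data.decode("ascii", errors="replace")
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+?)-----\r?\n(.*?)-----END \1-----", text, re.S)
    if not m:
        return {"format": "unknown", "encrypted": None, "cipher": None, "kdf": None}
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        raw = base64.b64decode("".join(body.split()))
        if not raw.startswith(OPENSSH_MAGIC):
            return {"format": "openssh", "encrypted": None, "cipher": None, "kdf": None}
        # The cipher name is the first string after the magic; "none" means no passphrase.
        cipher, off = _read_string(raw, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(raw, off)
        return {"format": "openssh", "encrypted": cipher != "none", "cipher": cipher, "kdf": kdf}
    # Legacy PEM: protection is signalled by the DEK-Info header (cipher name before the comma).
    dek = re.search(r"^DEK-Info:\s*([^,\s]+)", body, re.M)
    if dek:
        return {"format": "pem", "encrypted": True, "cipher": dek.group(1), "kdf": None}
    return {"format": "pem", "encrypted": False, "cipher": None, "kdf": None}


def find_unprotected_keys(root: str) -> list:
    """Walk root and return the paths of private keys that carry no passphrase."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # large enough for any PEM/OpenSSH key
            except OSError:
                continue
            if b"PRIVATE KEY-----" not in head:
                continue
            if inspect_private_key(head)["encrypted"] is False:
                hits.append(path)
    return sorted(hits)


def demo_audit() -> list:
    """Write the constructed samples to a temporary directory and return the basenames flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {  # file names are assumptions for the demo
            "id_rsa_encrypted": ENCRYPTED_PEM,
            "id_rsa_plain": PLAIN_PEM,
            "id_ed25519_encrypted": make_openssh_sample("aes256-ctr", "bcrypt"),
            "id_ed25519_plain": make_openssh_sample("none", "none"),
        }
        for name, blob in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return [os.path.basename(p) for p in find_unprotected_keys(tmp)]


if __name__ == "__main__":
    for key in demo_audit():
        print("no passphrase:", key)
```

Point the walker at `/home` or `/root` during a host review and every `id_*` that comes back is a key that `ssh2john` would have nothing to crack, because there is nothing protecting it; those are the ones to re-key with a passphrase first.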

### **Cracking Encrypted Files**

#### **Tools for Extracting Hashes**

* Locate scripts for various file types:

  ```bash
  locate *2john*
  ```
* Examples:
  * `ssh2john.py`: For SSH keys.
  * `office2john.py`: For Microsoft Office files.
  * `pdf2john.py`: For PDFs.

#### **Steps to Crack Files**

1. **Convert File to Hash**:

   ```bash
   ssh2john.py SSH.private > ssh.hash
   office2john.py Protected.docx > protected-docx.hash
   pdf2john.py PDF.pdf > pdf.hash
   ```
2. **Crack Hash Using Wordlist**:

   ```bash
   john --wordlist=rockyou.txt <hash_file>
   ```
3. **Display Cracked Passwords**:

   ```bash
   john <hash_file> --show
   ```

#### **Example: Cracking SSH Keys**

```bash
# Convert SSH key to hash
ssh2john.py SSH.private > ssh.hash

# Crack with John and display results
john --wordlist=rockyou.txt ssh.hash
john ssh.hash --show
```

### **Document Cracking**

#### **Cracking Office Documents**

```bash
office2john.py Protected.docx > protected-docx.hash
john --wordlist=rockyou.txt protected-docx.hash
john protected-docx.hash --show
```

#### **Cracking PDF Documents**

```bash
pdf2john.py PDF.pdf > pdf.hash
john --wordlist=rockyou.txt pdf.hash
john pdf.hash --show
```

## Protected Archives

### **What Are Archives?**

* Archives are compressed file formats that can bundle multiple files (e.g., PDFs, Word documents, etc.) into one for better organization and transfer.
* Examples of archive file extensions:
  * **Common Formats:** `.tar`, `.gz`, `.zip`, `.rar`, `.7z`
  * **Encrypted/Specialized Formats:** `.luks`, `.truecrypt`, `.bitlocker`, `.kdbx`

### **Password-Protected Archives**

* Not all archive formats natively support password protection.
* Tools like **OpenSSL** or **GPG** are often used to encrypt unprotected archive types like `.tar`.

***

### **Cracking Password-Protected Archives**

#### **1. ZIP Archives**

* Commonly used for bundling files in Windows environments.

**Steps to Crack ZIP Passwords**

1. **Extract Hashes**

   ```bash
   zip2john ZIP.zip > zip.hash
   ```

   Example Output:

   ```
   ZIP.zip/customers.csv:$pkzip2$1*2*2*0*...
   ```
2. **Use John the Ripper to Crack Hash**

   ```bash
   john --wordlist=rockyou.txt zip.hash
   ```

   Example Output:

   ```
   1234             (ZIP.zip/customers.csv)
   ```
3. **View Cracked Password**

   ```bash
   john zip.hash --show
   ```

#### **2. OpenSSL-Encrypted Archives**

* A gzip-compressed tarball can be encrypted with `openssl enc`, which derives the key from a password and prefixes the output with a salt header.

**Steps to Crack OpenSSL Encrypted Archives**

1. **Identify Encryption**

   ```bash
   file GZIP.gzip
   ```

   Example Output:

   ```
   GZIP.gzip: openssl enc'd data with salted password
   ```
2. **Crack Password with a For-Loop**

   ```bash
   # Read candidates line by line so spaces and glob characters in a password are preserved,
   # and stop at the first candidate that yields a valid tar stream
   while IFS= read -r pw; do
       if openssl enc -aes-256-cbc -d -in GZIP.gzip -k "$pw" 2>/dev/null | tar xz 2>/dev/null; then
           echo "Password: $pw"
           break
       fi
   done < rockyou.txt
   ```
3. **Verify Extraction**

   ```bash
   ls
   ```

   Example Output:

   ```
   customers.csv  GZIP.gzip  rockyou.txt
   ```
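Both the ZIP and the OpenSSL sections above come down to a few header bytes: a ZIP entry's general-purpose flag bit 0 marks it as encrypted and compression method 99 distinguishes WinZip AES from legacy ZipCrypto, while `openssl enc -salt` output starts with the `Salted__` magic and an 8-byte salt and records neither the cipher nor the key derivation (which is why the loop above has to assume `-aes-256-cbc`). The Python below is an added example using only the standard library, not code from John the Ripper, OpenSSL or this page; its sample archives are constructed in memory with patched headers, so the ZIP entry is only labelled as encrypted, not actually encrypted.

```python
import io
import struct
import zipfile

OPENSSL_MAGIC = b"Salted__"
ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_CENTRAL_SIG = b"PK\x01\x02"
METHOD_WINZIP_AES = 99  # WinZip AE-x encrypted entries use this compression method id


def make_zip_sample(scheme: str) -> bytes:
    """Constructed one-entry ZIP whose headers are patched to look like a ZipCrypto- or
    AES-protected entry. Only the metadata is altered; the stored data stays in clear."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("customers.csv", "id,name\n1,alice\n")  # constructed content
    data = bytearray(buf.getvalue())
    if scheme == "none":
        return bytes(data)
    # Flag word: offset 6 in the local header, offset 8 in the central directory record;
    # the compression method word follows it immediately in both.
    for sig, flag_off in ((ZIP_LOCAL_SIG, 6), (ZIP_CENTRAL_SIG, 8)):
        pos = data.find(sig)
        struct.pack_into("<H", data, pos + flag_off, 0x0001)
        if scheme == "aes":
            struct.pack_into("<H", data, pos + flag_off + 2, METHOD_WINZIP_AES)
    return bytes(data)


def make_openssl_sample() -> bytes:
    """Constructed stand-in for `openssl enc -salt` output: magic, 8-byte salt, ciphertext."""
    return OPENSSL_MAGIC + bytes(range(8)) + b"\x00" * 32


def classify_blob(data: bytes) -> dict:
    """Identify how a blob is protected from its header bytes alone."""
    if data.startswith(OPENSSL_MAGIC):
        # The header carries only the salt: cipher and KDF must be known out of band.
        return {"type": "openssl-enc", "salt": data[8:16].hex(),
                "cipher": "not recorded in header", "entries": []}
    if data.startswith(ZIP_LOCAL_SIG):
        entries = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                encrypted = bool(info.flag_bits & 0x1)
                if not encrypted:
                    scheme = "none"
                elif info.compress_type == METHOD_WINZIP_AES:
                    scheme = "aes"
                else:
                    scheme = "zipcrypto"  # legacy PKZIP stream cipher
                entries.append({"name": info.filename, "encrypted": encrypted, "scheme": scheme})
        return {"type": "zip", "entries": entries}
    return {"type": "unknown", "entries": []}


if __name__ == "__main__":
    for label, blob in (("plain zip", make_zip_sample("none")),
                        ("zipcrypto zip", make_zip_sample("zipcrypto")),
                        ("aes zip", make_zip_sample("aes")),
                        ("openssl enc", make_openssl_sample())):
        print(label, "->", classify_blob(blob))
```

Run over real archives, a `zipcrypto` result means the protection is the legacy PKZIP scheme, which is weak irrespective of the password, and an `openssl-enc` result means the recipient has to know the cipher and whether `-pbkdf2` was used, since the file itself does not say; both are reasons to re-encrypt with AES and a strong passphrase rather than evidence of strength.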

#### **3. BitLocker Encrypted Drives**

* Used by Windows for partition or external drive encryption.
* Based on AES encryption (128/256-bit).

**Steps to Crack BitLocker Password**

1. **Extract Hashes**

   ```bash
   bitlocker2john -i Backup.vhd > backup.hashes
   grep "bitlocker\$0" backup.hashes > backup.hash
   ```
2. **Use Hashcat to Crack Hash**

   ```bash
   hashcat -m 22100 backup.hash rockyou.txt -o backup.cracked
   ```

   Example Output:

   ```
   Recovered: 1/1 (100.00%)
   Candidates: chemical -> secrets
   ```
3. **View Cracked Password**

   ```bash
   cat backup.cracked
   ```

   Example:

   ```
   $bitlocker$0$16$...:1234qwer
   ```


