Files & Archives Cracking
Protected Files
Importance of File Encryption
Encryption ensures confidentiality in personal and business communication.
Lack of encryption in emails containing sensitive data is negligent and potentially violates laws (e.g., GDPR in the EU).
Symmetric encryption (e.g., AES-256):
Uses the same key for encryption and decryption.
Asymmetric encryption:
Requires a public key (to encrypt) and a private key (to decrypt).
Weak passwords and poorly implemented encryption can be broken with common tools and wordlists.
File Hunting and Identifying Sensitive Files
Command for Hunting Specific File Extensions
for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*"); do
    echo -e "\nFile extension: $ext";
    # quote the pattern so the shell does not expand the glob before find sees it
    find / -name "*$ext" 2>/dev/null | grep -v "lib\|fonts\|share\|core";
done
Purpose: Locate files with extensions that might store sensitive information.
Filtering: Avoid unnecessary system paths like libraries and fonts.
Finding SSH Keys
grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"
Purpose: Search for SSH keys across the filesystem.
Encrypted SSH keys:
Header indicates encryption method (e.g., AES-128-CBC).
Requires a passphrase to decrypt.
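The header check above can be scripted into an audit that flags private keys stored without a passphrase, covering both the legacy PEM layout (Proc-Type/DEK-Info headers) and the newer OpenSSH format, where the cipher and KDF names sit inside the base64 blob. This is an added Python example, not part of the original notes; the sample keys are constructed placeholders, not real key material.

```python
import base64
import re
import struct

# Constructed sample keys (placeholder data, not real key material).
PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0g=
-----END RSA PRIVATE KEY-----
"""
PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQUJDREVGR0g=\n-----END RSA PRIVATE KEY-----\n"

def openssh_sample(cipher: str, kdf: str) -> str:
    """Build a minimal, constructed openssh-key-v1 header (truncated after the KDF name)."""
    body = b"openssh-key-v1\x00"
    for s in (cipher, kdf):
        body += struct.pack(">I", len(s)) + s.encode()
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4: off + 4 + n].decode(), off + 4 + n

def key_protection(text: str) -> dict:
    """Report whether a private key file is passphrase-protected and with which cipher."""
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        b64 = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(b64)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            return {"format": "openssh", "encrypted": False, "cipher": "unknown"}
        cipher, off = _read_string(blob, len(magic))   # "none" means no passphrase
        kdf, _ = _read_string(blob, off)               # "bcrypt" when a passphrase is set
        return {"format": "openssh", "encrypted": cipher != "none", "cipher": cipher, "kdf": kdf}
    dek = re.search(r"^DEK-Info:\s*([A-Za-z0-9-]+)", text, re.M)
    if dek and re.search(r"^Proc-Type:\s*4,ENCRYPTED", text, re.M):
        return {"format": "pem", "encrypted": True, "cipher": dek.group(1)}
    if "BEGIN ENCRYPTED PRIVATE KEY" in text:
        return {"format": "pkcs8", "encrypted": True, "cipher": "pkcs8-pbes"}
    return {"format": "pem", "encrypted": False, "cipher": "none"}

def unprotected_keys(keys: dict) -> list:
    """Audit finding: names of keys usable without any passphrase."""
    return sorted(name for name, text in keys.items() if not key_protection(text)["encrypted"])
```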
Cracking Encrypted Files
Tools for Extracting Hashes
Locate scripts for various file types:
locate *2john*
Examples:
ssh2john.py: For SSH keys.
office2john.py: For Microsoft Office files.
pdf2john.py: For PDFs.
Steps to Crack Files
Convert File to Hash:
ssh2john.py SSH.private > ssh.hash
office2john.py Protected.docx > protected-docx.hash
pdf2john.py PDF.pdf > pdf.hash
Crack Hash Using Wordlist:
john --wordlist=rockyou.txt <hash_file>
Display Cracked Passwords:
john <hash_file> --show
Example: Cracking SSH Keys
# Convert SSH key to hash
ssh2john.py SSH.private > ssh.hash
# Crack with John and display results
john --wordlist=rockyou.txt ssh.hash
john ssh.hash --show
Document Cracking
Cracking Office Documents
office2john.py Protected.docx > protected-docx.hash
john --wordlist=rockyou.txt protected-docx.hash
john protected-docx.hash --show
Cracking PDF Documents
pdf2john.py PDF.pdf > pdf.hash
john --wordlist=rockyou.txt pdf.hash
john pdf.hash --show
Protected Archives
What Are Archives?
Archives are compressed file formats that can bundle multiple files (e.g., PDFs, Word documents, etc.) into one for better organization and transfer.
Examples of archive file extensions:
Common Formats:
.tar, .gz, .zip, .rar, .7z
Encrypted/Specialized Formats:
.luks, .truecrypt, .bitlocker, .kdbx
Password-Protected Archives
Not all archive formats natively support password protection.
Tools like OpenSSL or GPG are often used to encrypt unprotected archive types like .tar.
Cracking Password-Protected Archives
1. ZIP Archives
Commonly used for bundling files in Windows environments.
Steps to Crack ZIP Passwords
Extract Hashes
zip2john ZIP.zip > zip.hash
Example Output:
ZIP.zip/customers.csv:$pkzip2$1*2*2*0*...
Use John the Ripper to Crack Hash
john --wordlist=rockyou.txt zip.hash
Example Output:
1234 (ZIP.zip/customers.csv)
View Cracked Password
john zip.hash --show
2. OpenSSL-Encrypted Archives
Gzip files can be encrypted with OpenSSL.
Steps to Crack OpenSSL Encrypted Archives
Identify Encryption
file GZIP.gzip
Example Output:
GZIP.gzip: openssl enc'd data with salted password
Crack Password with a For-Loop
for i in $(cat rockyou.txt); do
    # quote the candidate so passwords with special characters reach openssl intact
    openssl enc -aes-256-cbc -d -in GZIP.gzip -k "$i" 2>/dev/null | tar xz;
done
Verify Extraction
ls
Example Output:
customers.csv GZIP.gzip rockyou.txt
3. BitLocker Encrypted Drives
Used by Windows for partition or external drive encryption.
Based on AES encryption (128/256-bit).
Steps to Crack BitLocker Password
Extract Hashes
bitlocker2john -i Backup.vhd > backup.hashes
grep "bitlocker\$0" backup.hashes > backup.hash
Use Hashcat to Crack Hash
hashcat -m 22100 backup.hash rockyou.txt -o backup.cracked
Example Output:
Recovered: 1/1 (100.00%) Candidates: chemical -> secrets
View Cracked Password
cat backup.cracked
Example:
$bitlocker$0$16$...:1234qwer