(1) Installation
(1.1) Install Xcode and Command Line Utilities from Apple
(1.2) Install Homebrew
(1.3) Install John the Ripper and add it to the PATH using Terminal commands
brew install john-jumbo
export PATH=/opt/homebrew/Cellar/john-jumbo/1.9.0/share/john/:$PATH
(1.4) Install rar and unrar for testing (the Homebrew version might not work)
cd "$HOME/Downloads"
wget https://www.rarlab.com/rar/rarmacos-arm-611.tar.gz
# unpack the archive (creates the rar/ directory used below)
tar -xzf rarmacos-arm-611.tar.gz
sudo cp rar/rar /usr/local/bin
sudo cp rar/unrar /usr/local/bin
(1.5) Install hashcat from git
cd "$HOME/Downloads"
git clone https://github.com/hashcat/hashcat.git
cd hashcat
make
(2) Testing
# create a test.rar file with password of 1234 for testing
cd "$HOME/Downloads"
mkdir -p testhashcat
cd testhashcat
echo 'I am testing' > test.txt
rar a -P1234 test.rar test.txt
Use John the Ripper to generate the hash
% rar2john test.rar
test.rar:$rar5$16$852481e911dc38c66cec2fbe8e9a825b$15$e1c319e802eec30efab80c6bd7470468$8$f9c3bfde638768a5
Copy the hash value (everything after "test.rar:"); it will be used again in hashcat.
Use hashcat to run a brute-force attack
../hashcat/hashcat -m 13000 -w 3 -a 3 \
'$rar5$16$852481e911dc38c66cec2fbe8e9a825b$15$e1c319e802eec30efab80c6bd7470468$8$f9c3bfde638768a5' \
--increment --increment-min 2 --increment-max 8 '?d?d?d?d?d?d?d?d' --potfile-path=rarfile.pot -o testrar.out.txt
Explanation of the parameters used in hashcat:
-m 13000 means --hash-type RAR5, see https://hashcat.net/wiki/doku.php?id=example_hashes
-a 3 means attack mode Brute-force
-w 3 means workload profile High
--increment --increment-min 2 --increment-max 8 means increment the length of the guessed password from a minimum of 2 to a maximum of 8
?d means digit, as listed below
Built-in charsets are
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
When the run finishes, the password will be in testrar.out.txt
$rar5$16$852481e911dc38c66cec2fbe8e9a825b$15$e1c319e802eec30efab80c6bd7470468$8$f9c3bfde638768a5:1234
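How large the search space defined by a mask and the --increment options above actually is, as an added example (not code from the original post or from hashcat). The function names parse_mask and keyspace are hypothetical; the charsets are the built-in ones listed above, and custom charsets (?1 to ?4) are not handled.

```python
import math
import string

# Built-in charsets exactly as listed in the post's parameter explanation.
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " " + string.punctuation,  # «space» plus the 32 ASCII symbols
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def parse_mask(mask):
    """Return the number of candidate characters at each mask position."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":              # any other character is a fixed literal
            sizes.append(1)
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        token = mask[i + 1]
        if token == "?":                # '??' is a literal question mark
            sizes.append(1)
        elif token in CHARSETS:
            sizes.append(len(CHARSETS[token]))
        else:
            raise ValueError(f"unsupported charset ?{token}")
        i += 2
    return sizes


def keyspace(mask, inc_min=None, inc_max=None):
    """Candidates per length and in total.

    Pass both bounds to model --increment-min/--increment-max;
    omit both to model a run of the full mask only.
    """
    sizes = parse_mask(mask)
    lo = len(sizes) if inc_min is None else inc_min
    hi = len(sizes) if inc_max is None else min(inc_max, len(sizes))
    # In increment mode, length n uses the first n positions of the mask.
    per_length = {n: math.prod(sizes[:n]) for n in range(lo, hi + 1)}
    return per_length, sum(per_length.values())


if __name__ == "__main__":
    for mask in ("?d?d?d?d?d?d?d?d", "?h?h?h?h?h?h?h?h", "?a?a?a?a?a?a?a?a"):
        per_length, total = keyspace(mask, 2, 8)
        print(f"{mask}: {total:,} candidates (length 8 alone: {per_length[8]:,})")
```

For the digit mask used in this test the total is 111,111,100 candidates, while the same length range over ?a is dominated by the 95^8 candidates of length 8, which is why a digits-only password falls so quickly.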
Testing of zip file with password
zip -e test.zip test.txt
% zip2john test.zip
ver 1.0 efh 5455 efh 7875 test.zip/test.txt PKZIP Encr: 2b chk, TS_chk, cmplen=25, decmplen=13, crc=A491CD37
test.zip/test.txt:$pkzip2$1*2*2*0*19*d*a491cd37*0*42*0*19*a491*796a*55a56112ff0d2913127e2502764b2f8044e7975a5a23014084*$/pkzip2$:test.txt:test.zip::test.zip
../hashcat/hashcat -m 17210 -w 3 -a 3 \
'$pkzip2$1*2*2*0*19*d*a491cd37*0*42*0*19*a491*796a*55a56112ff0d2913127e2502764b2f8044e7975a5a23014084*$/pkzip2$' \
--increment --increment-min 2 --increment-max 8 '?d?d?d?d?d?d?d?d' --potfile-path=zipfile.pot -o testzip.out.txt
% cat testzip.out.txt
$pkzip2$1*2*2*0*19*d*a491cd37*0*42*0*19*a491*796a*55a56112ff0d2913127e2502764b2f8044e7975a5a23014084*$/pkzip2$:1256
Testing of pdf file with password
% perl pdf2john.pl testpdf.pdf
testpdf.pdf:$pdf$4*4*128*-4*1*16*9d60ea4e1b8444818557a392476b3ab3*32*13f7b5e82e85872782a2795121fc850d00000000000000000000000000000000*32*7f8b9892322afb0dccd7a4259da14c65e9d5009abb26bae6d1708fed9dc60edc
../hashcat/hashcat -m 10500 -w 3 -a 3 \
'$pdf$4*4*128*-4*1*16*9d60ea4e1b8444818557a392476b3ab3*32*13f7b5e82e85872782a2795121fc850d00000000000000000000000000000000*32*7f8b9892322afb0dccd7a4259da14c65e9d5009abb26bae6d1708fed9dc60edc' \
--increment --increment-min 2 --increment-max 8 '?d?d?d?d?d?d?d?d' --potfile-path=pdffile.pot -o testpdf.out.txt
note: hash-type for pdf
10400 PDF 1.1 - 1.3 (Acrobat 2 - 4)
10410 PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1
10420 PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2
10500 PDF 1.4 - 1.6 (Acrobat 5 - 8)
10600 PDF 1.7 Level 3 (Acrobat 9)
10700 PDF 1.7 Level 8 (Acrobat 10 - 11)
Testing of office file with password
% python office2john.py test.docx
test.docx:$office$*2013*100000*256*16*561f4dcaaac333e7c06d150f9ea5aea2*ef4e7b026217124561ecb865b324eac4*e9ef4a859f2c81581db0e27d9ce48e6451b82cd1641941e8adc10dc5600969cb
../hashcat/hashcat -m 9600 -w 3 -a 3 \
'$office$*2013*100000*256*16*561f4dcaaac333e7c06d150f9ea5aea2*ef4e7b026217124561ecb865b324eac4*e9ef4a859f2c81581db0e27d9ce48e6451b82cd1641941e8adc10dc5600969cb' \
--increment --increment-min 2 --increment-max 8 '?h?h?h?h?h?h?h?h' --potfile-path=officefile.pot -o testdocx.out.txt
note: hash-type for office doc
9400 MS Office 2007
9500 MS Office 2010
9600 MS Office 2013
If you don't have a machine suitable for cracking, you can do this on a cloud GPU for a fee.