Cracking Password-Protected Files
2john is the name given to a family of helper tools that ship with John the Ripper (also known as John). John the Ripper is a popular and powerful password cracking tool used by security professionals and analysts to test the strength of passwords in systems and applications.
Specifically, each “2john” script or utility extracts the password hash from a particular file format (Unix password files, Windows databases, archives, and so on) and converts it into the hash format John the Ripper understands. This allows users to apply John’s brute-force or dictionary attacks to efficiently attempt to recover the passwords.
In general, any file or system that stores passwords in the form of hashes can potentially be attacked with John the Ripper using the functionality provided by the ‘2john’ utilities.
user@kali$ locate *2john*
/usr/bin/bitlocker2john
/usr/bin/dmg2john
/usr/bin/gpg2john
/usr/bin/hccap2john
/usr/bin/keepass2john
/usr/bin/putty2john
/usr/bin/racf2john
/usr/bin/rar2john
/usr/bin/uaf2john
/usr/bin/vncpcap2john
/usr/bin/wlanhcx2john
/usr/bin/wpapcap2john
/usr/bin/zip2john
/usr/share/john/1password2john.py
/usr/share/john/7z2john.pl
/usr/share/john/DPAPImk2john.py
/usr/share/john/adxcsouf2john.py
/usr/share/john/aem2john.py
/usr/share/john/aix2john.pl
/usr/share/john/aix2john.py
/usr/share/john/andotp2john.py
/usr/share/john/androidbackup2john.py
...SNIP...
Download from: https://github.com/openwall/john/tree/bleeding-jumbo/run
Cracking an SSH private key passphrase
ssh2john.py idRSA.private > ssh.hash
john --wordlist=</pathWordlist> ssh.hash
john ssh.hash --show
Cracking protected DOC and DOCX files
office2john.py <file.docx> > protected-docx.hash
john --wordlist=</pathWordlist> protected-docx.hash
john protected-docx.hash --show
Cracking protected PDF files
pdf2john.py <file.pdf> > pdf.hash
Cracking protected ZIP files
Sometimes a ZIP file is protected with a password; that password can be attacked by brute force or with a wordlist.
zip2john <nameZip.zip> > <zip.john>
john <zip.john>
john <zip.john> --wordlist=</pathWordlists>
To see the result:
john <zip.john> --show
There are different ways to extract the file once the password is known (or if it has no protection at all).
Commands to extract:
unzip <name.zip>
gunzip <name.gz>
tar -xzvf <name.tar.gz>
Hash Cracking
Ideally, the type of hash to be attacked should be identified first, because the cracker needs to know which algorithm to apply. There are some useful tools for this, for example hash-identifier:
hash-identifier <hash>
There are different tools for hash cracking, such as:
Hashcat:
hashcat -m 0 -a 0 <pathFileContainsHash> <pathWordlist>
- “-m”: the hash type being cracked (for example 0 = MD5).
- “-a 0”: designates a dictionary attack.
Common hash types:
5600 = NTLMv2
13100 and 19700 = Kerberos tickets (offline cracking)
John the Ripper:
john --format=<hash_type> --wordlist=<pathWordlist> <pathFileContainsHash>
Online tool: CrackStation
Cracking /etc/passwd and /etc/shadow Files
If the /etc/passwd and /etc/shadow files can be read, copy each one separately into a text file, then merge them with unshadow so that each passwd entry carries its hash:
unshadow <passwd.txt> <shadow.txt> > <passwords>
Then, the merged file can be cracked with John:
john <passwords>
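As an added example (not part of the original page or of John the Ripper), the following Python script reproduces what the unshadow step does: it joins the two files by username and writes each shadow hash into the password field of the matching passwd line. It also lists which merged entries actually hold a hash, which is useful when auditing a copied system for accounts that are locked (`!`, `*`) versus accounts whose hashes John would try. The passwd and shadow lines are constructed samples, not data from a real system.

```python
from typing import Dict, List

# Constructed sample input, shaped like /etc/passwd and /etc/shadow.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "bob:x:1001:1001:Bob:/home/bob:/bin/zsh",
]
SHADOW_LINES = [
    "root:$6$saltsalt$HASHEDVALUE:19000:0:99999:7:::",
    "alice:$y$j9T$saltsalt$HASHEDVALUE:19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",   # no password set for this account
    "bob:!:19000:0:99999:7:::",      # locked account
]

# Password-field values that mean "no hash here"; John has nothing to crack.
LOCKED_MARKERS = {"", "x", "*", "!", "!!"}


def parse_shadow(lines: List[str]) -> Dict[str, str]:
    """Map username -> second field (the hash) of each /etc/shadow line."""
    hashes: Dict[str, str] = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0] and not fields[0].startswith("#"):
            hashes[fields[0]] = fields[1]
    return hashes


def unshadow(passwd_lines: List[str], shadow_lines: List[str]) -> List[str]:
    """Replace the 'x' in each passwd line with the user's shadow hash.
    Users with no shadow entry are kept unchanged, as unshadow does."""
    shadow = parse_shadow(shadow_lines)
    merged: List[str] = []
    for line in passwd_lines:
        fields = line.strip().split(":")
        if len(fields) < 7:            # malformed line, skip it
            continue
        if fields[0] in shadow:
            fields[1] = shadow[fields[0]]
        merged.append(":".join(fields))
    return merged


def accounts_with_hashes(merged_lines: List[str]) -> List[str]:
    """Usernames whose merged password field is a real hash, not a lock marker."""
    names = []
    for line in merged_lines:
        user, pw_field = line.split(":")[:2]
        if pw_field not in LOCKED_MARKERS and not pw_field.startswith("!"):
            names.append(user)
    return names


if __name__ == "__main__":
    merged = unshadow(PASSWD_LINES, SHADOW_LINES)
    print("\n".join(merged))
    print("accounts with crackable hashes:", accounts_with_hashes(merged))
```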