Protected Archives

Cracking ZIP

Using zip2john

neutron@kali[/kali]$ zip2john > zip.hash

ver 2.0 efh 5455 efh 7875 PKZIP Encr: 2b chk, TS_chk, cmplen=42, decmplen=30, crc=490E7510

By extracting the hashes, we will also see which files are in the ZIP archive.

neutron@kali[/kali]$ cat zip.hash

$pkzip2$1*2*2*0*2a*1e*490e7510*0*42*0*2a*490e*409b*ef1e7feb7c1cf701a6ada7132e6a5c6c84c032401536faf7493df0294b0d5afc3464f14ec081cc0e18cb*$/pkzip2$
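To see what zip2john actually packed into that line, here is a small parser for the single-entry $pkzip2$ format, added as an example and not part of the original page. The field layout follows zip2john's documented format; the sample hash is the one printed above, and the summary() helper reproduces the cmplen/decmplen/crc part of zip2john's own summary line (the efh and TS_chk flags are not encoded in the hash fields).

```python
import re

# Field layout of a single-entry zip2john "$pkzip2$" hash, as on this page:
# $pkzip2$C*B*DT*MT*CL*UL*CR*OF*OX*CT*DL*CS*TC*DA*$/pkzip2$
FIELD_NAMES = [
    "count",             # C : number of file entries in the hash
    "checksum_bytes",    # B : number of valid check bytes (1 or 2)
    "data_type",         # DT: 1 = partial data, 2 = inline data, 3 = data in a file
    "magic_type",        # MT: expected content type, 0 = unknown
    "compressed_len",    # CL: compressed length incl. the 12-byte encryption header
    "uncompressed_len",  # UL: original file length
    "crc32",             # CR: CRC-32 of the plaintext file
    "offset",            # OF: offset of the local file header in the archive
    "offset_extra",      # OX: extra offset from OF to the encrypted data
    "compression",       # CT: 0 = stored, 8 = deflated
    "data_len",          # DL: length of DA in bytes
    "check",             # CS: check bytes derived from the CRC
    "check_ts",          # TC: check bytes derived from the timestamp
    "data",              # DA: the encrypted bytes, hex
]

# The hash printed by "cat zip.hash" above (no "name:" prefix on this page).
PAGE_HASH = ("$pkzip2$1*2*2*0*2a*1e*490e7510*0*42*0*2a*490e*409b*ef1e7feb7c1cf701a6ada7132"
             "e6a5c6c84c032401536faf7493df0294b0d5afc3464f14ec081cc0e18cb*$/pkzip2$")

def parse_pkzip2(line):
    """Split a single-entry $pkzip2$ hash (bare, or "name:hash:::::file") into fields."""
    m = re.fullmatch(r"(?:[^$]*:)?\$pkzip2\$(.*?)\*\$/pkzip2\$(?::.*)?", line.strip())
    if not m:
        raise ValueError("not a $pkzip2$ hash")
    parts = m.group(1).split("*")
    if len(parts) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(parts)}")
    raw = dict(zip(FIELD_NAMES, parts))
    h = {k: int(v, 16) for k, v in raw.items() if k != "data"}
    h["data"] = bytes.fromhex(raw["data"])
    if h["count"] != 1:
        raise ValueError("only single-entry hashes are handled here")
    if len(h["data"]) != h["data_len"]:
        raise ValueError("inline data does not match the declared DL")
    # The CRC-based check bytes are the top 16 bits of the CRC-32. A wrong password
    # is rejected on these two bytes alone, which is why PKZIP cracks at ~250k p/s.
    h["check_matches_crc"] = h["check"] == (h["crc32"] >> 16) & 0xFFFF
    return h

def summary(h):
    """Render the fields in the style of zip2john's own summary line."""
    return (f"PKZIP Encr: {h['checksum_bytes']}b chk, cmplen={h['compressed_len']}, "
            f"decmplen={h['uncompressed_len']}, crc={h['crc32']:08X}")
```

Note that cmplen minus decmplen is exactly 12 here: the file is stored (CT=0), so the only overhead is the traditional PKZIP encryption header.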

Once we have extracted the hash, we can use john again to crack it with the desired password list. If john cracks it successfully, it will show us the corresponding password, which we can then use to open the ZIP archive.

neutron@kali[/kali]$ john --wordlist=rockyou.txt zip.hash

Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1234             (
1g 0:00:00:00 DONE (2022-02-09 09:18) 100.0g/s 250600p/s 250600c/s 250600C/s 123456..1478963
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Viewing the Cracked Hash

neutron@kali[/kali]$ john zip.hash --show

1 password hash cracked, 0 left

Cracking OpenSSL Encrypted Archives

Listing the Files

neutron@kali[/kali]$ ls


Using the tool file, we can obtain information about the specified file's format.

neutron@kali[/kali]$ file GZIP.gzip 

GZIP.gzip: openssl enc'd data with salted password

The following one-liner will show many errors related to the GZIP format, which we can ignore. If we have used the correct password list, as in this example, we will see that we have successfully extracted another file from the archive.

neutron@kali[/kali]$ for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null| tar xz;done

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now

Once the for-loop has finished, we can look in the current folder again to check if the cracking of the archive was successful.

neutron@kali[/kali]$ ls

customers.csv  GZIP.gzip  rockyou.txt

Cracking BitLocker Encrypted Drives

Four different hashes will be extracted, which can be used with different Hashcat hash modes. For our example, we will work with the first one, which refers to the BitLocker password.

neutron@kali[/kali]$ bitlocker2john -i Backup.vhd > backup.hashes
neutron@kali[/kali]$ grep "bitlocker\$0" backup.hashes > backup.hash
neutron@kali[/kali]$ cat backup.hash

neutron@kali[/kali]$ hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked

hashcat (v6.1.1) starting...

Session..........: hashcat
Status...........: Cracked
Hash.Name........: BitLocker
Hash.Target......: $bitlocker$0$16$02b329c0453b9273f2fc1b927443b5fe$10...8ec54f
Time.Started.....: Wed Feb  9 11:46:40 2022 (1 min, 42 secs)
Time.Estimated...: Wed Feb  9 11:48:22 2022 (0 secs)
Guess.Base.......: File (/opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       28 H/s (8.79ms) @ Accel:32 Loops:4096 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 2880/6163 (46.73%)
Rejected.........: 0/2880 (0.00%)
Restore.Point....: 2816/6163 (45.69%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1044480-1048576
Candidates.#1....: chemical -> secrets

Started: Wed Feb  9 11:46:35 2022
Stopped: Wed Feb  9 11:48:23 2022

Viewing the Cracked Hash

neutron@kali[/kali]$ cat backup.cracked 


Once we have cracked the password, we will be able to open the encrypted drive. The easiest way to mount a BitLocker encrypted virtual drive is to transfer it to a Windows system and mount it there. To do this, we only have to double-click the virtual drive. Since it is password protected, Windows will show us an error. After mounting, we can double-click the BitLocker drive again, and it will prompt us for the password.