---
title: Recover Your Lost Password On The Command Line
summary: >
  If you are like me and use many different passwords you may come to that point
  when you can't think of a password for a specific service (or (zip)file). This
  is how I recover most of them.
date: 2024-09-08T22:49:01+0200
#lastmod:
coverCaption: Cover image by [jaydeep_](https://pixabay.com/illustrations/hacking-cybercrime-cybersecurity-3112539/).
categories:
- computerstuff
tags:
- pentest
- scripting
- john
- hashcat
- cracking
- command-line
- nvidia
---
For this reason I save most variations of my passwords in a secure file, and with a rule
file I can re-create most of the passwords that I have ever used.

Because I do not want to type all the passwords by hand, I use tools for this task.
This speeds the whole process up, and it costs me minutes (during which I can do other
things)...

## Create the initial password file
I only use lowercase letters because I will punch that file through rules later that will
automatically make some letters uppercase, add some numbers to it, et cetera...
```
password
otherpassword
```
Let this be our initial password file, containing the base passwords that we use.

## The rule file
Now create a rule file that will do most of the work by modifying the lines
from our initial password file.
```
## take it as it is, toggle first character to uppercase or lowercase, uppercase all characters
:
T0
u
## append/prepend something to the password itself
$!
$1 $2 $3
$3 $2 $1
$m $i $n $e
^y ^m
^i
^i T1
^0
^0 T1
$1 $2 $s $h $a $r $k
```
So if you tend to finish your weak passwords with `12shark`, you may want to add this to
your ruleset as `$1 $2 $s $h $a $r $k`.
Now every line from your password file gets appended with `12shark`.
## Line counts
```console
$ wc -l *
154 list.best64.txt
68196 list.d3ad0ne.txt
24 list.simple.txt
2 pwlist.txt
15 simple.rule
```
So our initial password file contains 2 words (2 lines), the modified new password list
based on our own ruleset contains 24 lines (passwords).
And the other two files (_best64_ and _d3ad0ne_) were made with some default rules from a
tool called [john].
As you can see, the widely known ruleset _best64_ created 154 passwords from it and the
more extensive ruleset _d3ad0ne_ created 68196 passwords from our 2 words.
## What the output looks like
Using our own ruleset from above, we get these combinations:
```
password
Password
PASSWORD
password!
password123
password321
passwordmine
mypassword
ipassword
iPassword
0password
0Password
otherpassword
Otherpassword
OTHERPASSWORD
otherpassword!
otherpassword123
otherpassword321
otherpasswordmine
myotherpassword
iotherpassword
iOtherpassword
0otherpassword
0Otherpassword
```
Try and experiment with [hashcat] to get similar combinations:
```console
$ hashcat pwlist.txt -r simple.rule --stdout > list.simple.txt
```
You can now use the generated wordlist file `list.simple.txt` with
other tools like [john].
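
To see why each rule line produces the candidate it does, here is an added Python sketch (not part of the original post and not hashcat's code) that interprets only the rule functions used in `simple.rule`. The names `apply_rule` and `expand` are made up for this illustration; the rules and words are copied from the files above.

```python
# Added illustration, not hashcat's code: interprets only the rule functions
# that simple.rule uses (":", "TN", "u", "$X", "^X").
RULES = """\
## take it as it is, toggle first character to uppercase or lowercase, uppercase all characters
:
T0
u
## append/prepend something to the password itself
$!
$1 $2 $3
$3 $2 $1
$m $i $n $e
^y ^m
^i
^i T1
^0
^0 T1
$1 $2 $s $h $a $r $k
"""
WORDS = ["password", "otherpassword"]  # pwlist.txt from the article
POSITIONS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # 0-9, then A-Z = 10-35

def apply_rule(rule, word):
    """Apply the functions of one rule line to word, left to right."""
    i = 0
    while i < len(rule):
        op, arg = rule[i], rule[i + 1:i + 2]
        if op in " :":                     # separator, or ":" = leave as is
            i += 1
        elif op == "u":                    # uppercase every character
            word, i = word.upper(), i + 1
        elif op in "$^T" and arg:          # functions taking one argument
            i += 2
            if op == "$":                  # append one character
                word += arg
            elif op == "^":                # prepend one character
                word = arg + word
            else:                          # TN: toggle case at position N
                pos = POSITIONS.index(arg) # ValueError on an invalid position
                if pos < len(word):        # out of range leaves the word as is
                    word = word[:pos] + word[pos].swapcase() + word[pos + 1:]
        else:
            raise ValueError(f"cannot parse {op!r} in rule {rule!r}")
    return word

def expand(words, rules_text):
    """Every word through every rule, word by word, skipping comment lines."""
    rules = [r for r in rules_text.splitlines() if r and not r.startswith("#")]
    return [apply_rule(rule, word) for word in words for rule in rules]
```

`expand(WORDS, RULES)` returns 26 candidates (2 words × 13 rules): the 24 listed above plus the two `12shark` variants.
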
## Cracking a zip file
List file contents, if possible.
```console
$ unzip -l test.zip
Archive: test.zip
Length Date Time Name
--------- ---------- ----- ----
57 2024-09-08 20:52 testfile.txt
--------- -------
57 1 file
```
Create a hashfile that can be used with [john] and/or [hashcat].
```console
$ zip2john -a testfile.txt -o testfile.txt test.zip > hash.txt
Using file testfile.txt as an 'ASCII' quick check file
Using file testfile.txt as only file to check
ver 2.0 efh 5455 efh 7875 test.zip/testfile.txt PKZIP Encr: 2b chk, TS_chk, cmplen=68, decmplen=57, crc=6059407C
```
Let us use a different file for hashcat, because we have to remove the file paths from the hashfile.
```console
$ cp hash.txt hash.cat.txt
$ nvim hash.cat.txt
```
Modify the file and leave only the hash in the file.

Content of `hash.txt` file:
```txt
test.zip/testfile.txt:$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$:testfile.txt:test.zip::test.zip
```
Content of `hash.cat.txt` file:
```txt
$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$
```
We now try to crack the hash in `hash.cat.txt` with [hashcat].
```console
$ hashcat -m 17220 -a 0 hash.cat.txt pwlist.txt -r simple.rule
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) UHD Graphics 620, 7136/14368 MB (2047 MB allocatable), 24MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 13
Optimizers applied:
* Not-Iterated
* Single-Hash
* Single-Salt
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
* Device #1: Skipping (hash-mode 17220)
This is due to a known OpenCL runtime and/or device driver issue (not a hashcat issue)
You can use --force to override, but do not report related errors.
Started: Sun Sep 8 22:11:10 2024
Stopped: Sun Sep 8 22:11:13 2024
```
So [hashcat] will not work on my Carbon X1 laptop for this specific hash-mode.
I will try [john] with the pre-generated wordlist then.
```console
$ hashcat pwlist.txt -r simple.rule --stdout >customlist.txt
$ john --wordlist=customlist.txt hash.txt
[odin:52509] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.odin.1000/jf.0/1299054592/shared_mem_cuda_pool.odin could be created.
[odin:52509] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password12shark (?)
1g 0:00:00:00 DONE (2024-09-08 22:14) 25.00g/s 650.0p/s 650.0c/s 650.0C/s password..otherpassword12shark
Use the "--show" option to display all of the cracked passwords reliably
Session completed
$ john --show hash.txt
[odin:52580] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.odin.1000/jf.0/3210149888/shared_mem_cuda_pool.odin could be created.
[odin:52580] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728
?:password12shark
1 password hash cracked, 0 left
$ unzip -P password12shark test.zip
Archive: test.zip
replace testfile.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: r
new name: newfile.txt
inflating: newfile.txt
$ cat newfile.txt
I am a little testfile.
This is absolutely top secret.
```
I would do all the "heavy" lifting on my gaming laptop, which has a real graphics card
built in.
## Cracking on a remote computer
How? Copy the files to the remote computer and run hashcat over there:
```console
$ rsync --no-motd -acvhz --stats --del pass/ polaris:pass/
sending incremental file list
./
customlist.txt
hash.txt
list.best64.txt
list.d3ad0ne.txt
list.simple.txt
list.simple2.txt
newfile.txt
pwlist.txt
simple.rule
test.zip
testfile.txt
Number of files: 12 (reg: 11, dir: 1)
Number of created files: 11 (reg: 11)
Number of deleted files: 0
Number of regular files transferred: 11
Total file size: 852,05K bytes
Total transferred file size: 852,05K bytes
Literal data: 852,05K bytes
Matched data: 0 bytes
File list size: 0
File list generation time: 0,004 seconds
File list transfer time: 0,000 seconds
Total bytes sent: 208,34K
Total bytes received: 235
sent 208,34K bytes received 235 bytes 417,14K bytes/sec
total size is 852,05K speedup is 4,09
```
Log in to the remote machine: `ssh polaris`.
<kbd>polaris</kbd> is the short name of the remote computer in my ssh configuration file `~/.ssh/config`.

On the remote machine:
```console
$ cd pass
$ hashcat -m 17200 -a 0 hash.txt pwlist.txt -r simple.rule
hashcat (v6.2.5) starting
nvmlDeviceGetFanSpeed(): Not Supported
CUDA API (CUDA 12.4)
====================
* Device #1: NVIDIA GeForce RTX 2060, 5833/5919 MB, 30MCU
OpenCL API (OpenCL 3.0 CUDA 12.4.131) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: NVIDIA GeForce RTX 2060, skipped
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 13
Optimizers applied:
* Not-Iterated
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 263 MB
Dictionary cache built:
* Filename..: pwlist.txt
* Passwords.: 2
* Bytes.....: 23
* Keyspace..: 26
* Runtime...: 0 secs
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$:password12shark
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 17200 (PKZIP (Compressed))
Hash.Target......: $pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*...kzip2$
Time.Started.....: Sun Sep 8 22:26:17 2024 (0 secs)
Time.Estimated...: Sun Sep 8 22:26:17 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (pwlist.txt)
Guess.Mod........: Rules (simple.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 27415 H/s (0.48ms) @ Accel:512 Loops:13 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 26/26 (100.00%)
Rejected.........: 0/26 (0.00%)
Restore.Point....: 0/2 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-13 Iteration:0-13
Candidate.Engine.: Device Generator
Candidates.#1....: password -> otherpassword12shark
Hardware.Mon.#1..: Temp: 40c Util: 0% Core:1005MHz Mem:5500MHz Bus:8
Started: Sun Sep 8 22:25:48 2024
Stopped: Sun Sep 8 22:26:18 2024
```
This is probably the only reason why you would want an NVIDIA graphics card
in your computer :wink:
## Some notes
Most of the files can easily be cracked on my laptop with integrated graphics using
either [john] or [hashcat]. For more complicated tasks, or tasks that may run longer than
expected, I put all that stuff on the gaming laptop and try cracking them over there.

This is sufficient for all my tasks, but if you want to do more you should probably
consider using a tower with a "real" graphics card (not a mobile one).

Unfortunately current LibreOffice files cannot be cracked; or at least, I haven't
found a working routine for now...

[john]: https://www.openwall.com/john/
[hashcat]: https://hashcat.net/hashcat/