edit draft post and publish it

also adds feature image from pixabay
2024-09-08 23:07:55 +02:00 · 2024-09-08 23:07:55 +02:00 · bc89f56c32
commit bc89f56c32
parent f29df8f314
2 changed files with 266 additions and 26 deletions
--- a/content/posts/2024/69-recover-your-lost-password-on-the-command-line/hacking.feature.png
+++ b/content/posts/2024/69-recover-your-lost-password-on-the-command-line/hacking.feature.png
--- a/content/posts/2024/69-recover-your-lost-password-on-the-command-line/index.md
+++ b/content/posts/2024/69-recover-your-lost-password-on-the-command-line/index.md
@ -4,43 +4,23 @@ summary: >
  If you are like me and use many different passwords you may come to that point
  when you can't think of a password for a specific service (or (zip)file). This
  is how I recover most of them.
-date: 2024-08-18T16:36:17+0200
+date: 2024-09-08T22:49:01+0200
 #lastmod: 
+coverCaption: Cover image by [jaydeep_](https://pixabay.com/illustrations/hacking-cybercrime-cybersecurity-3112539/).
 categories:
- amateur-radio
 - computerstuff
 tags:
 - pentest
 - scripting
 - john
 - hashcat
+- cracking
 - command-line
- draft_post
-
-# showBreadcrumbs: true
-# showDate: false
-# showReadingTime: false
-# showWordCount: false
-# showPagination: false
-
-# feed_exclude: true
-# site_exclude: true
-
-# some help
-#
-# highlighting with highlights
-#
-# use table, as inline creates a padding around
-# and it pushes the text more to the right side (end of screen)
-#
-# ~~~html {linenos=table,hl_lines="3-6"}
-# ~~~html {linenos=inline,hl_lines="1,3-6"}
-
-draft: true
+- nvidia

 ---

-I usually save most variations of my passwords in a secure file and with a rule
+For this reason I save most variations of my passwords in a secure file and with a rule
 file I can re-create most of the passwords that I have ever used.

 And because I do not want to type all the passwords by hand I use tools for this task,
@ -80,6 +60,7 @@ $m $i $n $e
 ^i T1
 ^0
 ^0 T1
+$1 $2 $s $h $a $r $k
 ~~~

 So if you tend to finish your weak passwords with `12shark`, you may want to add this to
@ -102,7 +83,7 @@ So our initial password file contains 2 words (2 lines), the modified new passwo
 based on our own ruleset contains 24 lines (passwords).

 And the other two files (_best64_ and _d3ad0ne_) were made with some default rules from a
-tool called [john](https://www.openwall.com/john/).
+tool called [john].

 As you can see the wide-known ruleset _best64_ created 154 passwords from it and the
 more enhanced rule _d3ad0ne_ created 68196 passwords from our 2 words.
@ -138,4 +119,260 @@ iOtherpassword
 0Otherpassword
 ~~~

+Try and experiment with [hashcat] to get similar combinations:
+
+~~~console
+$ hashcat pwlist.txt -r simple.rule --stdout > list.simple.txt
+~~~
+
+You can now use the generated wordlist file `list.simple.txt` with
+other tools like [john].
+
+## Cracking a zip file
+
+List file contents, if possible.
+
+~~~console
+$ unzip -l test.zip
+Archive:  test.zip
+  Length      Date    Time    Name
+---------  ---------- -----   ----
+       57  2024-09-08 20:52   testfile.txt
+---------                     -------
+       57                     1 file
+~~~
+
+Create a hashfile that can be used with [john] and/or [hashcat].
+
+~~~console
+$ zip2john -a testfile.txt -o testfile.txt test.zip > hash.txt
+Using file testfile.txt as an 'ASCII' quick check file
+Using file testfile.txt as only file to check
+ver 2.0 efh 5455 efh 7875 test.zip/testfile.txt PKZIP Encr: 2b chk, TS_chk, cmplen=68, decmplen=57, crc=6059407C
+~~~
+
+Let us use a different file for hashcat, we have to remove the file paths from the hashfile.
+
+~~~console
+$ cp hash.txt hash.cat.txt
+$ nvim hash.cat.txt
+~~~
+
+Modify the file and leave only the hash in the file.
+
+Content of `hash.txt` file:
+
+~~~txt
+test.zip/testfile.txt:$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$:testfile.txt:test.zip::test.zip
+~~~
+
+Content of `hash.cat.txt` file:
+
+~~~txt
+$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$
+~~~
+
+We now try to crack the hash in `hash.cat.txt` with [hashcat].
+
+~~~console
+$ hashcat -m 17220 -a 0 hash.cat.txt pwlist.txt -r simple.rule
+hashcat (v6.2.6) starting
+
+OpenCL API (OpenCL 3.0 ) - Platform #1 [Intel(R) Corporation]
+=============================================================
+* Device #1: Intel(R) UHD Graphics 620, 7136/14368 MB (2047 MB allocatable), 24MCU
+
+Minimum password length supported by kernel: 0
+Maximum password length supported by kernel: 256
+
+Hashes: 1 digests; 1 unique digests, 1 unique salts
+Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
+Rules: 13
+
+Optimizers applied:
+* Not-Iterated
+* Single-Hash
+* Single-Salt
+
+Watchdog: Hardware monitoring interface not found on your system.
+Watchdog: Temperature abort trigger disabled.
+
+* Device #1: Skipping (hash-mode 17220)
+             This is due to a known OpenCL runtime and/or device driver issue (not a hashcat issue)
+             You can use --force to override, but do not report related errors.
+
+Started: Sun Sep  8 22:11:10 2024
+Stopped: Sun Sep  8 22:11:13 2024
+~~~
+
+So [hashcat] will not work on my Carbon X1 laptop for this specific hash-mode.
+
+I will then try [john] with the pre-generated wordlist then.
+
+~~~console
+$ hashcat pwlist.txt -r simple.rule --stdout >customlist.txt
+$ john --wordlist=customlist.txt hash.txt
+[odin:52509] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.odin.1000/jf.0/1299054592/shared_mem_cuda_pool.odin could be created.
+[odin:52509] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728
+Using default input encoding: UTF-8
+Loaded 1 password hash (PKZIP [32/64])
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+password12shark  (?)
+1g 0:00:00:00 DONE (2024-09-08 22:14) 25.00g/s 650.0p/s 650.0c/s 650.0C/s password..otherpassword12shark
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+$ john --show hash.txt
+[odin:52580] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.odin.1000/jf.0/3210149888/shared_mem_cuda_pool.odin could be created.
+[odin:52580] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728
+?:password12shark
+
+1 password hash cracked, 0 left
+$ unzip -P password12shark test.zip
+Archive:  test.zip
+replace testfile.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: r
+new name: newfile.txt
+  inflating: newfile.txt
+$ cat newfile.txt
+I am a little testfile.
+
+This is absolutely top secret.
+
+~~~
+
+I would do all the "heavy" lifting on my gaming laptop which has a real graphics card
+built into.
+
+## Cracking on a remote computer
+
+How? Copy the files to the remote computer and run hashcat over there:
+
+~~~console
+$ rsync --no-motd -acvhz --stats --del pass/ polaris:pass/
+sending incremental file list
+./
+customlist.txt
+hash.txt
+list.best64.txt
+list.d3ad0ne.txt
+list.simple.txt
+list.simple2.txt
+newfile.txt
+pwlist.txt
+simple.rule
+test.zip
+testfile.txt
+
+Number of files: 12 (reg: 11, dir: 1)
+Number of created files: 11 (reg: 11)
+Number of deleted files: 0
+Number of regular files transferred: 11
+Total file size: 852,05K bytes
+Total transferred file size: 852,05K bytes
+Literal data: 852,05K bytes
+Matched data: 0 bytes
+File list size: 0
+File list generation time: 0,004 seconds
+File list transfer time: 0,000 seconds
+Total bytes sent: 208,34K
+Total bytes received: 235
+
+sent 208,34K bytes  received 235 bytes  417,14K bytes/sec
+total size is 852,05K  speedup is 4,09
+~~~
+
+Login on the remote machine: `ssh polaris`.
+
+<kbd>polaris</kbd> is the short name of the remote computer in my ssh configuration file `~/.ssh/config`.
+
+On the remote machine:
+
+~~~console
+$ cd pass
+$ hashcat -m 17200 -a 0 hash.txt pwlist.txt -r simple.rule
+hashcat (v6.2.5) starting
+
+nvmlDeviceGetFanSpeed(): Not Supported
+
+CUDA API (CUDA 12.4)
+====================
+* Device #1: NVIDIA GeForce RTX 2060, 5833/5919 MB, 30MCU
+
+OpenCL API (OpenCL 3.0 CUDA 12.4.131) - Platform #1 [NVIDIA Corporation]
+========================================================================
+* Device #2: NVIDIA GeForce RTX 2060, skipped
+
+Minimum password length supported by kernel: 0
+Maximum password length supported by kernel: 256
+
+Hashes: 1 digests; 1 unique digests, 1 unique salts
+Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
+Rules: 13
+
+Optimizers applied:
+* Not-Iterated
+* Single-Hash
+* Single-Salt
+
+Watchdog: Temperature abort trigger set to 90c
+
+Host memory required for this attack: 263 MB
+
+Dictionary cache built:
+* Filename..: pwlist.txt
+* Passwords.: 2
+* Bytes.....: 23
+* Keyspace..: 26
+* Runtime...: 0 secs
+
+The wordlist or mask that you are using is too small.
+This means that hashcat cannot use the full parallel power of your device(s).
+Unless you supply more work, your cracking speed will drop.
+For tips on supplying more work, see: https://hashcat.net/faq/morework
+
+Approaching final keyspace - workload adjusted.
+
+$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$:password12shark
+
+Session..........: hashcat
+Status...........: Cracked
+Hash.Mode........: 17200 (PKZIP (Compressed))
+Hash.Target......: $pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*...kzip2$
+Time.Started.....: Sun Sep  8 22:26:17 2024 (0 secs)
+Time.Estimated...: Sun Sep  8 22:26:17 2024 (0 secs)
+Kernel.Feature...: Pure Kernel
+Guess.Base.......: File (pwlist.txt)
+Guess.Mod........: Rules (simple.rule)
+Guess.Queue......: 1/1 (100.00%)
+Speed.#1.........:    27415 H/s (0.48ms) @ Accel:512 Loops:13 Thr:32 Vec:1
+Recovered........: 1/1 (100.00%) Digests
+Progress.........: 26/26 (100.00%)
+Rejected.........: 0/26 (0.00%)
+Restore.Point....: 0/2 (0.00%)
+Restore.Sub.#1...: Salt:0 Amplifier:0-13 Iteration:0-13
+Candidate.Engine.: Device Generator
+Candidates.#1....: password -> otherpassword12shark
+Hardware.Mon.#1..: Temp: 40c Util:  0% Core:1005MHz Mem:5500MHz Bus:8
+
+Started: Sun Sep  8 22:25:48 2024
+Stopped: Sun Sep  8 22:26:18 2024
+~~~
+
+This is probably the only reason why you would want a NVIDIA graphics card
+in your computer :wink:
+
+## Some notes
+
+Most of the files can easily be cracked on my laptop with integrated graphics using
+either [john] or [hashcat]. For more complicated or tasks that may run longer than
+expected I put all that stuff to the gaming laptop and try cracking them over there.
+
+This is sufficient for all my tasks but if you want to do more you should probably
+consider using a tower with a "real" graphics card (not a mobile one).
+
+Unfortunately current libreoffice files cannot be cracked; or at least, I haven't
+found a working routine for now...
+
+[john]: https://www.openwall.com/john/
+[hashcat]: https://hashcat.net/hashcat/