From bc89f56c32f40fa3280b143041524bc088e9a751 Mon Sep 17 00:00:00 2001 From: Dominic Reich Date: Sun, 8 Sep 2024 23:07:55 +0200 Subject: [PATCH] edit draft post and publish it also adds feature image from pixabay --- .../hacking.feature.png | 3 + .../index.md | 289 ++++++++++++++++-- 2 files changed, 266 insertions(+), 26 deletions(-) create mode 100644 content/posts/2024/69-recover-your-lost-password-on-the-command-line/hacking.feature.png diff --git a/content/posts/2024/69-recover-your-lost-password-on-the-command-line/hacking.feature.png b/content/posts/2024/69-recover-your-lost-password-on-the-command-line/hacking.feature.png new file mode 100644 index 0000000..d75b3d9 --- /dev/null +++ b/content/posts/2024/69-recover-your-lost-password-on-the-command-line/hacking.feature.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ce01c5e0ef14473068d1702ebed9b395ef6712275d25cd92378c03c34b572558 +size 247877 diff --git a/content/posts/2024/69-recover-your-lost-password-on-the-command-line/index.md b/content/posts/2024/69-recover-your-lost-password-on-the-command-line/index.md index 3816cea..52b29aa 100644 --- a/content/posts/2024/69-recover-your-lost-password-on-the-command-line/index.md +++ b/content/posts/2024/69-recover-your-lost-password-on-the-command-line/index.md 
@@ -4,43 +4,23 @@ summary: > If you are like me and use many different passwords you may come to that point when you can't think of a password for a specific service (or (zip)file). This is how I recover most of them. -date: 2024-08-18T16:36:17+0200 +date: 2024-09-08T22:49:01+0200 #lastmod: +coverCaption: Cover image by [jaydeep_](https://pixabay.com/illustrations/hacking-cybercrime-cybersecurity-3112539/). categories: -- amateur-radio - computerstuff tags: - pentest - scripting - john - hashcat +- cracking - command-line -- draft_post - -# showBreadcrumbs: true -# showDate: false -# showReadingTime: false -# showWordCount: false -# showPagination: false - -# feed_exclude: true -# site_exclude: true - -# some help -# -# highlighting with highlights -# -# use table, as inline creates a padding around -# and it pushes the text more to the right side (end of screen) -# -# ~~~html {linenos=table,hl_lines="3-6"} -# ~~~html {linenos=inline,hl_lines="1,3-6"} - -draft: true +- nvidia --- -I usually save most variations of my passwords in a secure file and with a rule +For this reason I save most variations of my passwords in a secure file and with a rule file I can re-create most of the passwords that I have ever used. And because I do not want to type all the passwords by hand I use tools for this task, @@ -80,6 +60,7 @@ $m $i $n $e ^i T1 ^0 ^0 T1 +$1 $2 $s $h $a $r $k ~~~ So if you tend to finish your weak passwords with `12shark`, you may want to add this to @@ -102,7 +83,7 @@ So our initial password file contains 2 words (2 lines), the modified new passwo based on our own ruleset contains 24 lines (passwords). And the other two files (_best64_ and _d3ad0ne_) were made with some default rules from a -tool called [john](https://www.openwall.com/john/). +tool called [john]. As you can see the wide-known ruleset _best64_ created 154 passwords from it and the more enhanced rule _d3ad0ne_ created 68196 passwords from our 2 words. 
@@ -138,4 +119,260 @@ iOtherpassword 0Otherpassword ~~~ +Try and experiment with [hashcat] to get similar combinations: + +~~~console +$ hashcat pwlist.txt -r simple.rule --stdout > list.simple.txt +~~~ + +You can now use the generated wordlist file `list.simple.txt` with +other tools like [john]. + +## Cracking a zip file + +List file contents, if possible. + +~~~console +$ unzip -l test.zip +Archive: test.zip + Length Date Time Name +--------- ---------- ----- ---- + 57 2024-09-08 20:52 testfile.txt +--------- ------- + 57 1 file +~~~ + +Create a hashfile that can be used with [john] and/or [hashcat]. + +~~~console +$ zip2john -a testfile.txt -o testfile.txt test.zip > hash.txt +Using file testfile.txt as an 'ASCII' quick check file +Using file testfile.txt as only file to check +ver 2.0 efh 5455 efh 7875 test.zip/testfile.txt PKZIP Encr: 2b chk, TS_chk, cmplen=68, decmplen=57, crc=6059407C +~~~ + +Let us use a different file for hashcat, we have to remove the file paths from the hashfile. + +~~~console +$ cp hash.txt hash.cat.txt +$ nvim hash.cat.txt +~~~ + +Modify the file and leave only the hash in the file. + +Content of `hash.txt` file: + +~~~txt +test.zip/testfile.txt:$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$:testfile.txt:test.zip::test.zip +~~~ + +Content of `hash.cat.txt` file: + +~~~txt +$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$ +~~~ + +We now try to crack the hash in `hash.cat.txt` with [hashcat]. 
+ +~~~console +$ hashcat -m 17220 -a 0 hash.cat.txt pwlist.txt -r simple.rule +hashcat (v6.2.6) starting + +OpenCL API (OpenCL 3.0 ) - Platform #1 [Intel(R) Corporation] +============================================================= +* Device #1: Intel(R) UHD Graphics 620, 7136/14368 MB (2047 MB allocatable), 24MCU + +Minimum password length supported by kernel: 0 +Maximum password length supported by kernel: 256 + +Hashes: 1 digests; 1 unique digests, 1 unique salts +Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates +Rules: 13 + +Optimizers applied: +* Not-Iterated +* Single-Hash +* Single-Salt + +Watchdog: Hardware monitoring interface not found on your system. +Watchdog: Temperature abort trigger disabled. + +* Device #1: Skipping (hash-mode 17220) + This is due to a known OpenCL runtime and/or device driver issue (not a hashcat issue) + You can use --force to override, but do not report related errors. + +Started: Sun Sep 8 22:11:10 2024 +Stopped: Sun Sep 8 22:11:13 2024 +~~~ + +So [hashcat] will not work on my Carbon X1 laptop for this specific hash-mode. + +I will then try [john] with the pre-generated wordlist then. + +~~~console +$ hashcat pwlist.txt -r simple.rule --stdout >customlist.txt +$ john --wordlist=customlist.txt hash.txt +[odin:52509] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.odin.1000/jf.0/1299054592/shared_mem_cuda_pool.odin could be created. +[odin:52509] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728 +Using default input encoding: UTF-8 +Loaded 1 password hash (PKZIP [32/64]) +Will run 8 OpenMP threads +Press 'q' or Ctrl-C to abort, almost any other key for status +password12shark (?) 
+1g 0:00:00:00 DONE (2024-09-08 22:14) 25.00g/s 650.0p/s 650.0c/s 650.0C/s password..otherpassword12shark +Use the "--show" option to display all of the cracked passwords reliably +Session completed +$ john --show hash.txt +[odin:52580] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.odin.1000/jf.0/3210149888/shared_mem_cuda_pool.odin could be created. +[odin:52580] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728 +?:password12shark + +1 password hash cracked, 0 left +$ unzip -P password12shark test.zip +Archive: test.zip +replace testfile.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: r +new name: newfile.txt + inflating: newfile.txt +$ cat newfile.txt +I am a little testfile. + +This is absolutely top secret. + +~~~ + +I would do all the "heavy" lifting on my gaming laptop which has a real graphics card +built into. + +## Cracking on a remote computer + +How? Copy the files to the remote computer and run hashcat over there: + +~~~console +$ rsync --no-motd -acvhz --stats --del pass/ polaris:pass/ +sending incremental file list +./ +customlist.txt +hash.txt +list.best64.txt +list.d3ad0ne.txt +list.simple.txt +list.simple2.txt +newfile.txt +pwlist.txt +simple.rule +test.zip +testfile.txt + +Number of files: 12 (reg: 11, dir: 1) +Number of created files: 11 (reg: 11) +Number of deleted files: 0 +Number of regular files transferred: 11 +Total file size: 852,05K bytes +Total transferred file size: 852,05K bytes +Literal data: 852,05K bytes +Matched data: 0 bytes +File list size: 0 +File list generation time: 0,004 seconds +File list transfer time: 0,000 seconds +Total bytes sent: 208,34K +Total bytes received: 235 + +sent 208,34K bytes received 235 bytes 417,14K bytes/sec +total size is 852,05K speedup is 4,09 +~~~ + +Login on the remote machine: `ssh polaris`. + +polaris is the short name of the remote computer in my ssh configuration file `~/.ssh/config`. 
+ +On the remote machine: + +~~~console +$ cd pass +$ hashcat -m 17200 -a 0 hash.txt pwlist.txt -r simple.rule +hashcat (v6.2.5) starting + +nvmlDeviceGetFanSpeed(): Not Supported + +CUDA API (CUDA 12.4) +==================== +* Device #1: NVIDIA GeForce RTX 2060, 5833/5919 MB, 30MCU + +OpenCL API (OpenCL 3.0 CUDA 12.4.131) - Platform #1 [NVIDIA Corporation] +======================================================================== +* Device #2: NVIDIA GeForce RTX 2060, skipped + +Minimum password length supported by kernel: 0 +Maximum password length supported by kernel: 256 + +Hashes: 1 digests; 1 unique digests, 1 unique salts +Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates +Rules: 13 + +Optimizers applied: +* Not-Iterated +* Single-Hash +* Single-Salt + +Watchdog: Temperature abort trigger set to 90c + +Host memory required for this attack: 263 MB + +Dictionary cache built: +* Filename..: pwlist.txt +* Passwords.: 2 +* Bytes.....: 23 +* Keyspace..: 26 +* Runtime...: 0 secs + +The wordlist or mask that you are using is too small. +This means that hashcat cannot use the full parallel power of your device(s). +Unless you supply more work, your cracking speed will drop. +For tips on supplying more work, see: https://hashcat.net/faq/morework + +Approaching final keyspace - workload adjusted. 
+ +$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$:password12shark + +Session..........: hashcat +Status...........: Cracked +Hash.Mode........: 17200 (PKZIP (Compressed)) +Hash.Target......: $pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*...kzip2$ +Time.Started.....: Sun Sep 8 22:26:17 2024 (0 secs) +Time.Estimated...: Sun Sep 8 22:26:17 2024 (0 secs) +Kernel.Feature...: Pure Kernel +Guess.Base.......: File (pwlist.txt) +Guess.Mod........: Rules (simple.rule) +Guess.Queue......: 1/1 (100.00%) +Speed.#1.........: 27415 H/s (0.48ms) @ Accel:512 Loops:13 Thr:32 Vec:1 +Recovered........: 1/1 (100.00%) Digests +Progress.........: 26/26 (100.00%) +Rejected.........: 0/26 (0.00%) +Restore.Point....: 0/2 (0.00%) +Restore.Sub.#1...: Salt:0 Amplifier:0-13 Iteration:0-13 +Candidate.Engine.: Device Generator +Candidates.#1....: password -> otherpassword12shark +Hardware.Mon.#1..: Temp: 40c Util: 0% Core:1005MHz Mem:5500MHz Bus:8 + +Started: Sun Sep 8 22:25:48 2024 +Stopped: Sun Sep 8 22:26:18 2024 +~~~ + +This is probably the only reason why you would want a NVIDIA graphics card +in your computer :wink: + +## Some notes + +Most of the files can easily be cracked on my laptop with integrated graphics using +either [john] or [hashcat]. For more complicated or tasks that may run longer than +expected I put all that stuff to the gaming laptop and try cracking them over there. + +This is sufficient for all my tasks but if you want to do more you should probably +consider using a tower with a "real" graphics card (not a mobile one). + +Unfortunately current libreoffice files cannot be cracked; or at least, I haven't +found a working routine for now... + +[john]: https://www.openwall.com/john/ +[hashcat]: https://hashcat.net/hashcat/
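Review bot: In the `@@ -80,6 +60,7 @@` hunk, the added rule line `$1 $2 $s $h $a $r $k` leaves the count in the next context paragraph stale. That paragraph still says the list built from the custom ruleset "contains 24 lines", but the hashcat run added later in this patch reports `Rules: 13` and `Keyspace..: 26` for the same two-word `pwlist.txt`. Re-run the `--stdout` command with the new `simple.rule` and update the figure, along with the sample listing that precedes "Try and experiment with [hashcat]" if it was produced with the old rule file.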
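Review bot: In the `@@ -138,4 +119,260 @@` hunk, the two hashcat runs are not comparable, so the conclusion that hashcat "will not work on my Carbon X1 laptop for this specific hash-mode" is not backed by the remote run. The laptop command is `hashcat -m 17220 -a 0 hash.cat.txt ...`, while the remote command is `hashcat -m 17200 -a 0 hash.txt ...`. Either use the same `-m` value in both places or add a sentence explaining why it differs. The remote command also reads `hash.txt`, although the post states that hashcat needs the path-stripped `hash.cat.txt`, and the rsync listing shows no `hash.cat.txt` being copied. Name the file that was actually used. Two smaller points in the same hunk: the rsync call carries `--del`, which deletes anything in the remote `pass/` that is missing locally and deserves a one-line remark for readers who copy the command. The `[odin:52509] shmem: mmap ...` lines in the john output are unrelated noise that exposes a hostname and a `/tmp` path, so consider trimming them.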