--- title: Recover Your Lost Password On The Command Line summary: > If you are like me and use many different passwords you may come to that point when you can't think of a password for a specific service (or (zip)file). This is how I recover most of them. The thumbnail was taken from [jaydeep_](https://pixabay.com/illustrations/hacking-cybercrime-cybersecurity-3112539/). date: 2024-09-08T22:49:01+0200 lastmod: 2024-12-08T11:11:45+0000 categories: - computerstuff tags: - pentest - scripting - john - hashcat - cracking - command-line - nvidia --- For this reason I save most variations of my passwords in a secure file and with a rule file I can re-create most of the passwords that I have ever used. And because I do not want to type all the passwords by hand I use tools for this task, which speeds this whole process up and it costs me minutes (where I can do other things meanwhile)... ## Create the initial password file I only use lower letters because I will punch that file through rules later that will automatically make some letters uppercase, add some numbers to it et cetera... ``` password otherpassword ``` Let these be our initial password file with the initial password that we use. ## The rule file Now create a rule file that will do most of the work by modifying the lines from our initial password file. ``` ## take it as it is, toggle first character to uppercase or lowercase, uppercase all characters : T0 u ## append/prepend something to the password itself $! $1 $2 $3 $3 $2 $1 $m $i $n $e ^y ^m ^i ^i T1 ^0 ^0 T1 $1 $2 $s $h $a $r $k ``` So if you tend to finish your weak passwords with `12shark`, you may want to add this to your ruleset as `$1 $2 $s $h $a $r $k`. Now every line from your password file gets appended with `12shark`. ## Line counts ```console $ wc -l * 154 list.best64.txt 68196 list.d3ad0ne.txt 24 list.simple.txt 2 pwlist.txt 15 simple.rule ``` So our initial password file contains 2 words (2 lines), the modified new password list based on our own ruleset contains 24 lines (passwords). And the other two files (_best64_ and _d3ad0ne_) were made with some default rules from a tool called [john]. As you can see the wide-known ruleset _best64_ created 154 passwords from it and the more enhanced rule _d3ad0ne_ created 68196 passwords from our 2 words. ## What the output looks like Using our own ruleset from above, we get these combinations: ``` password Password PASSWORD password! password123 password321 passwordmine mypassword ipassword iPassword 0password 0Password otherpassword Otherpassword OTHERPASSWORD otherpassword! otherpassword123 otherpassword321 otherpasswordmine myotherpassword iotherpassword iOtherpassword 0otherpassword 0Otherpassword ``` Try and experiment with [hashcat] to get similar combinations: ```console $ hashcat pwlist.txt -r simple.rule --stdout > list.simple.txt ``` You can now use the generated wordlist file `list.simple.txt` with other tools like [john]. ## Cracking a zip file List file contents, if possible. ```console $ unzip -l test.zip Archive: test.zip Length Date Time Name --------- ---------- ----- ---- 57 2024-09-08 20:52 testfile.txt --------- ------- 57 1 file ``` Create a hashfile that can be used with [john] and/or [hashcat]. ```console $ zip2john -a testfile.txt -o testfile.txt test.zip > hash.txt Using file testfile.txt as an 'ASCII' quick check file Using file testfile.txt as only file to check ver 2.0 efh 5455 efh 7875 test.zip/testfile.txt PKZIP Encr: 2b chk, TS_chk, cmplen=68, decmplen=57, crc=6059407C ``` Let us use a different file for hashcat, we have to remove the file paths from the hashfile. ```console $ cp hash.txt hash.cat.txt $ nvim hash.cat.txt ``` Modify the file and leave only the hash in the file. Content of `hash.txt` file: ```txt test.zip/testfile.txt:$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$:testfile.txt:test.zip::test.zip ``` Content of `hash.cat.txt` file: ```txt $pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$ ``` We now try to crack the hash in `hash.cat.txt` with [hashcat]. ```console $ hashcat -m 17220 -a 0 hash.cat.txt pwlist.txt -r simple.rule hashcat (v6.2.6) starting OpenCL API (OpenCL 3.0 ) - Platform #1 [Intel(R) Corporation] ============================================================= * Device #1: Intel(R) UHD Graphics 620, 7136/14368 MB (2047 MB allocatable), 24MCU Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 256 Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 13 Optimizers applied: * Not-Iterated * Single-Hash * Single-Salt Watchdog: Hardware monitoring interface not found on your system. Watchdog: Temperature abort trigger disabled. * Device #1: Skipping (hash-mode 17220) This is due to a known OpenCL runtime and/or device driver issue (not a hashcat issue) You can use --force to override, but do not report related errors. Started: Sun Sep 8 22:11:10 2024 Stopped: Sun Sep 8 22:11:13 2024 ``` So [hashcat] will not work on my Carbon X1 laptop for this specific hash-mode. I will then try [john] with the pre-generated wordlist then. ```console $ hashcat pwlist.txt -r simple.rule --stdout >customlist.txt $ john --wordlist=customlist.txt hash.txt [odin:52509] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.odin.1000/jf.0/1299054592/shared_mem_cuda_pool.odin could be created. [odin:52509] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728 Using default input encoding: UTF-8 Loaded 1 password hash (PKZIP [32/64]) Will run 8 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status password12shark (?) 1g 0:00:00:00 DONE (2024-09-08 22:14) 25.00g/s 650.0p/s 650.0c/s 650.0C/s password..otherpassword12shark Use the "--show" option to display all of the cracked passwords reliably Session completed $ john --show hash.txt [odin:52580] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.odin.1000/jf.0/3210149888/shared_mem_cuda_pool.odin could be created. [odin:52580] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728 ?:password12shark 1 password hash cracked, 0 left $ unzip -P password12shark test.zip Archive: test.zip replace testfile.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: r new name: newfile.txt inflating: newfile.txt $ cat newfile.txt I am a little testfile. This is absolutely top secret. ``` I would do all the "heavy" lifting on my gaming laptop which has a real graphics card built into. ## Cracking on a remote computer How? Copy the files to the remote computer and run hashcat over there: ```console $ rsync --no-motd -acvhz --stats --del pass/ polaris:pass/ sending incremental file list ./ customlist.txt hash.txt list.best64.txt list.d3ad0ne.txt list.simple.txt list.simple2.txt newfile.txt pwlist.txt simple.rule test.zip testfile.txt Number of files: 12 (reg: 11, dir: 1) Number of created files: 11 (reg: 11) Number of deleted files: 0 Number of regular files transferred: 11 Total file size: 852,05K bytes Total transferred file size: 852,05K bytes Literal data: 852,05K bytes Matched data: 0 bytes File list size: 0 File list generation time: 0,004 seconds File list transfer time: 0,000 seconds Total bytes sent: 208,34K Total bytes received: 235 sent 208,34K bytes received 235 bytes 417,14K bytes/sec total size is 852,05K speedup is 4,09 ``` Login on the remote machine: `ssh polaris`. polaris is the short name of the remote computer in my ssh configuration file `~/.ssh/config`. On the remote machine: ```console $ cd pass $ hashcat -m 17200 -a 0 hash.txt pwlist.txt -r simple.rule hashcat (v6.2.5) starting nvmlDeviceGetFanSpeed(): Not Supported CUDA API (CUDA 12.4) ==================== * Device #1: NVIDIA GeForce RTX 2060, 5833/5919 MB, 30MCU OpenCL API (OpenCL 3.0 CUDA 12.4.131) - Platform #1 [NVIDIA Corporation] ======================================================================== * Device #2: NVIDIA GeForce RTX 2060, skipped Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 256 Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 13 Optimizers applied: * Not-Iterated * Single-Hash * Single-Salt Watchdog: Temperature abort trigger set to 90c Host memory required for this attack: 263 MB Dictionary cache built: * Filename..: pwlist.txt * Passwords.: 2 * Bytes.....: 23 * Keyspace..: 26 * Runtime...: 0 secs The wordlist or mask that you are using is too small. This means that hashcat cannot use the full parallel power of your device(s). Unless you supply more work, your cracking speed will drop. For tips on supplying more work, see: https://hashcat.net/faq/morework Approaching final keyspace - workload adjusted. $pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$:password12shark Session..........: hashcat Status...........: Cracked Hash.Mode........: 17200 (PKZIP (Compressed)) Hash.Target......: $pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*...kzip2$ Time.Started.....: Sun Sep 8 22:26:17 2024 (0 secs) Time.Estimated...: Sun Sep 8 22:26:17 2024 (0 secs) Kernel.Feature...: Pure Kernel Guess.Base.......: File (pwlist.txt) Guess.Mod........: Rules (simple.rule) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 27415 H/s (0.48ms) @ Accel:512 Loops:13 Thr:32 Vec:1 Recovered........: 1/1 (100.00%) Digests Progress.........: 26/26 (100.00%) Rejected.........: 0/26 (0.00%) Restore.Point....: 0/2 (0.00%) Restore.Sub.#1...: Salt:0 Amplifier:0-13 Iteration:0-13 Candidate.Engine.: Device Generator Candidates.#1....: password -> otherpassword12shark Hardware.Mon.#1..: Temp: 40c Util: 0% Core:1005MHz Mem:5500MHz Bus:8 Started: Sun Sep 8 22:25:48 2024 Stopped: Sun Sep 8 22:26:18 2024 ``` This is probably the only reason why you would want a NVIDIA graphics card in your computer :wink: ## Some notes Most of the files can easily be cracked on my laptop with integrated graphics using either [john] or [hashcat]. For more complicated or tasks that may run longer than expected I put all that stuff to the gaming laptop and try cracking them over there. This is sufficient for all my tasks but if you want to do more you should probably consider using a tower with a "real" graphics card (not a mobile one). Unfortunately current libreoffice files cannot be cracked; or at least, I haven't found a working routine for now... [john]: https://www.openwall.com/john/ [hashcat]: https://hashcat.net/hashcat/ ## Update: Laptop comparisons _Updated on October 13, 2024_ {{< alert circle-info >}} The results can probably increased by using a high-end tower PC with one or more graphic cards. {{< /alert >}} {{< alert triangle-exclamation >}} Notice the units in the following tables (like H/s, kH/s or MH/s)! {{< /alert >}} Below you see a short comparison between my **Lenovo X1 Carbon (Gen7; i7-8665U)** and my **Tuxedo Polaris 17 (Ryzen 7 4800H)** with **integrated NVIDIA GeForce RTX 2060**. {{< alert circle-info >}} Only CUDA was used on the Polaris, no CPU was involved. I am not sure if there is any progress for OpenCL on AMD CPUs (I haven't looked into this as it's not relevant for me). {{< /alert >}} ### WPA-PBKDF2-PMKID+EAPOL | hash mode | command line | X1 Carbon | Polaris 17 | | --------- | ---------------------------- | --------- | ---------- | | 22000 | `hashcat -m 22000 -D 1,2 -b` | 17178 H/s | 152.9 kH/s | ### WPA-PMKID-PBKDF2 Deprecated in favor of mode 22000 (see above): > The plugin 16800 is deprecated and was replaced with plugin 22000. > For more details, please read: https://hashcat.net/forum/thread-10253.html | hash mode | command line | X1 Carbon | Polaris 17 | | --------- | ---------------------------- | --------- | ---------- | | 16800 | `hashcat -m 16800 -D 1,2 -b` | 16930 H/s | 146.7 kH/s | ### WPA-EAPOL-PBKDF2 Deprecated in favor of mode 22000 (see above above): > The plugin 2500 is deprecated and was replaced with plugin 22000. > For more details, please read: https://hashcat.net/forum/thread-10253.html | hash mode | command line | X1 Carbon | Polaris 17 | | --------- | --------------------------- | --------- | ---------- | | 2500 | `hashcat -m 2500 -D 1,2 -b` | 15865 H/s | 152.0 kH/s | ### PKZIP (Compressed Multi-File) Expect some OpenCL issues! Only the CPU was used on the X1 Carbon and the Tuxedo Polaris wasn't able to finish the session. | hash mode | command line | X1 Carbon | Polaris 17 | | --------- | ---------------------------- | ------------ | ----------- | | 17220 | `hashcat -m 17220 -D 1,2 -b` | 64116.2 kH/s | N/A (error) | The X1 Carbon displayed the following warning: > ```console > ------------------------------------------------- > * Hash-Mode 17220 (PKZIP (Compressed Multi-File)) > ------------------------------------------------- > > * Device #2: Skipping (hash-mode 17220) > This is due to a known OpenCL runtime and/or device driver issue (not a hashcat issue) > You can use --force to override, but do not report related errors. > ``` The Polaris aborted with a few of these error messages: > ```console > clEnqueueNDRangeKernel(): CL_OUT_OF_HOST_MEMORY > ``` ### MD5 | hash mode | command line | X1 Carbon | Polaris 17 | | --------- | ------------------------ | ----------- | ----------- | | 0 | `hashcat -m 0 -D 1,2 -b` | 1224.0 MH/s | 9527.4 MH/s | ### SHA1 | hash mode | command line | X1 Carbon | Polaris 17 | | --------- | -------------------------- | ---------- | ----------- | | 100 | `hashcat -m 100 -D 1,2 -b` | 317.9 MH/s | 3029.0 MH/s | ### SHA2-512 | hash mode | command line | X1 Carbon | Polaris 17 | | --------- | --------------------------- | ------------ | ---------- | | 1700 | `hashcat -m 1700 -D 1,2 -b` | 42721.2 kH/s | 442.4 MH/s | ### SHA3-512 | hash mode | command line | X1 Carbon | Polaris 17 | | --------- | ---------------------------- | ------------ | ---------- | | 17600 | `hashcat -m 17600 -D 1,2 -b` | 36062.7 kH/s | 277.2 MH/s |