---
title: Recover Your Lost Password On The Command Line
summary: >
  If you are like me and use many different passwords you may come to that point
  when you can't think of a password for a specific service (or (zip)file). This
  is how I recover most of them.
date: 2024-09-08T22:49:01+0200
lastmod: 2024-10-13T09:19:41+0000
coverCaption: Cover image by [jaydeep_](https://pixabay.com/illustrations/hacking-cybercrime-cybersecurity-3112539/).
categories:
  - computerstuff
tags:
  - pentest
  - scripting
  - john
  - hashcat
  - cracking
  - command-line
  - nvidia
---

For this reason I save most variations of my passwords in a secure file and with a rule
file I can re-create most of the passwords that I have ever used.

And because I do not want to type all the passwords by hand I use tools for this task,
which speeds this whole process up and it costs me minutes (where I can do other things
meanwhile)...

## Create the initial password file

I only use lower letters because I will punch that file through rules later that will
automatically make some letters uppercase, add some numbers to it et cetera...

```
password
otherpassword
```

Let these be our initial password file with the initial password that we use.

## The rule file

Now create a rule file that will do most of the work by modifying the lines
from our initial password file.

```
## take it as it is, toggle first character to uppercase or lowercase, uppercase all characters
:
T0
u

## append/prepend something to the password itself
$!
$1 $2 $3
$3 $2 $1
$m $i $n $e
^y ^m
^i
^i T1
^0
^0 T1
$1 $2 $s $h $a $r $k
```

So if you tend to finish your weak passwords with `12shark`, you may want to add this to
your ruleset as `$1 $2 $s $h $a $r $k`.

Now every line from your password file gets appended with `12shark`.

## Line counts

```console
$ wc -l *
   154 list.best64.txt
 68196 list.d3ad0ne.txt
    24 list.simple.txt
     2 pwlist.txt
    15 simple.rule
```

So our initial password file contains 2 words (2 lines), the modified new password list
based on our own ruleset contains 24 lines (passwords).

And the other two files (_best64_ and _d3ad0ne_) were made with some default rules from a
tool called [john].

As you can see the wide-known ruleset _best64_ created 154 passwords from it and the
more enhanced rule _d3ad0ne_ created 68196 passwords from our 2 words.

## What the output looks like

Using our own ruleset from above, we get these combinations:

```
password
Password
PASSWORD
password!
password123
password321
passwordmine
mypassword
ipassword
iPassword
0password
0Password
otherpassword
Otherpassword
OTHERPASSWORD
otherpassword!
otherpassword123
otherpassword321
otherpasswordmine
myotherpassword
iotherpassword
iOtherpassword
0otherpassword
0Otherpassword
```

Try and experiment with [hashcat] to get similar combinations:

```console
$ hashcat pwlist.txt -r simple.rule --stdout > list.simple.txt
```

You can now use the generated wordlist file `list.simple.txt` with
other tools like [john].

## Cracking a zip file

List file contents, if possible.

```console
$ unzip -l test.zip
Archive:  test.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
       57  2024-09-08 20:52   testfile.txt
---------                     -------
       57                     1 file
```

Create a hashfile that can be used with [john] and/or [hashcat].

```console
$ zip2john -a testfile.txt -o testfile.txt test.zip > hash.txt
Using file testfile.txt as an 'ASCII' quick check file
Using file testfile.txt as only file to check
ver 2.0 efh 5455 efh 7875 test.zip/testfile.txt PKZIP Encr: 2b chk, TS_chk, cmplen=68, decmplen=57, crc=6059407C
```

Let us use a different file for hashcat, we have to remove the file paths from the hashfile.

```console
$ cp hash.txt hash.cat.txt
$ nvim hash.cat.txt
```

Modify the file and leave only the hash in the file.

Content of `hash.txt` file:

```txt
test.zip/testfile.txt:$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$:testfile.txt:test.zip::test.zip
```

Content of `hash.cat.txt` file:

```txt
$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$
```

We now try to crack the hash in `hash.cat.txt` with [hashcat].

```console
$ hashcat -m 17220 -a 0 hash.cat.txt pwlist.txt -r simple.rule
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) UHD Graphics 620, 7136/14368 MB (2047 MB allocatable), 24MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 13

Optimizers applied:
* Not-Iterated
* Single-Hash
* Single-Salt

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: Skipping (hash-mode 17220)
             This is due to a known OpenCL runtime and/or device driver issue (not a hashcat issue)
             You can use --force to override, but do not report related errors.

Started: Sun Sep  8 22:11:10 2024
Stopped: Sun Sep  8 22:11:13 2024
```

So [hashcat] will not work on my Carbon X1 laptop for this specific hash-mode.

I will then try [john] with the pre-generated wordlist then.

```console
$ hashcat pwlist.txt -r simple.rule --stdout >customlist.txt
$ john --wordlist=customlist.txt hash.txt
[odin:52509] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.odin.1000/jf.0/1299054592/shared_mem_cuda_pool.odin could be created.
[odin:52509] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password12shark  (?)
1g 0:00:00:00 DONE (2024-09-08 22:14) 25.00g/s 650.0p/s 650.0c/s 650.0C/s password..otherpassword12shark
Use the "--show" option to display all of the cracked passwords reliably
Session completed
$ john --show hash.txt
[odin:52580] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.odin.1000/jf.0/3210149888/shared_mem_cuda_pool.odin could be created.
[odin:52580] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728
?:password12shark

1 password hash cracked, 0 left
$ unzip -P password12shark test.zip
Archive:  test.zip
replace testfile.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: r
new name: newfile.txt
  inflating: newfile.txt
$ cat newfile.txt
I am a little testfile.

This is absolutely top secret.

```

I would do all the "heavy" lifting on my gaming laptop which has a real graphics card
built into.

## Cracking on a remote computer

How? Copy the files to the remote computer and run hashcat over there:

```console
$ rsync --no-motd -acvhz --stats --del pass/ polaris:pass/
sending incremental file list
./
customlist.txt
hash.txt
list.best64.txt
list.d3ad0ne.txt
list.simple.txt
list.simple2.txt
newfile.txt
pwlist.txt
simple.rule
test.zip
testfile.txt

Number of files: 12 (reg: 11, dir: 1)
Number of created files: 11 (reg: 11)
Number of deleted files: 0
Number of regular files transferred: 11
Total file size: 852,05K bytes
Total transferred file size: 852,05K bytes
Literal data: 852,05K bytes
Matched data: 0 bytes
File list size: 0
File list generation time: 0,004 seconds
File list transfer time: 0,000 seconds
Total bytes sent: 208,34K
Total bytes received: 235

sent 208,34K bytes  received 235 bytes  417,14K bytes/sec
total size is 852,05K  speedup is 4,09
```

Login on the remote machine: `ssh polaris`.

<kbd>polaris</kbd> is the short name of the remote computer in my ssh configuration file `~/.ssh/config`.

On the remote machine:

```console
$ cd pass
$ hashcat -m 17200 -a 0 hash.txt pwlist.txt -r simple.rule
hashcat (v6.2.5) starting

nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 12.4)
====================
* Device #1: NVIDIA GeForce RTX 2060, 5833/5919 MB, 30MCU

OpenCL API (OpenCL 3.0 CUDA 12.4.131) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: NVIDIA GeForce RTX 2060, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 13

Optimizers applied:
* Not-Iterated
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 263 MB

Dictionary cache built:
* Filename..: pwlist.txt
* Passwords.: 2
* Bytes.....: 23
* Keyspace..: 26
* Runtime...: 0 secs

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$:password12shark

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 17200 (PKZIP (Compressed))
Hash.Target......: $pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*...kzip2$
Time.Started.....: Sun Sep  8 22:26:17 2024 (0 secs)
Time.Estimated...: Sun Sep  8 22:26:17 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (pwlist.txt)
Guess.Mod........: Rules (simple.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    27415 H/s (0.48ms) @ Accel:512 Loops:13 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 26/26 (100.00%)
Rejected.........: 0/26 (0.00%)
Restore.Point....: 0/2 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-13 Iteration:0-13
Candidate.Engine.: Device Generator
Candidates.#1....: password -> otherpassword12shark
Hardware.Mon.#1..: Temp: 40c Util:  0% Core:1005MHz Mem:5500MHz Bus:8

Started: Sun Sep  8 22:25:48 2024
Stopped: Sun Sep  8 22:26:18 2024
```

This is probably the only reason why you would want a NVIDIA graphics card
in your computer :wink:

## Some notes

Most of the files can easily be cracked on my laptop with integrated graphics using
either [john] or [hashcat]. For more complicated or tasks that may run longer than
expected I put all that stuff to the gaming laptop and try cracking them over there.

This is sufficient for all my tasks but if you want to do more you should probably
consider using a tower with a "real" graphics card (not a mobile one).

Unfortunately current libreoffice files cannot be cracked; or at least, I haven't
found a working routine for now...

[john]: https://www.openwall.com/john/
[hashcat]: https://hashcat.net/hashcat/

## Update: Laptop comparisons

_Updated on October 13, 2024_

{{< alert circle-info >}}
The results can probably increased by using a high-end tower PC with one or more
graphic cards.
{{< /alert >}}

{{< alert triangle-exclamation >}}
Notice the units in the following tables (like <kbd>H/s</kbd>,
<kbd>kH/s</kbd> or <kbd>MH/s</kbd>)!
{{< /alert >}}

Below you see a short comparison between my **Lenovo X1 Carbon (Gen7; i7-8665U)**
and my **Tuxedo Polaris 17 (Ryzen 7 4800H)** with **integrated NVIDIA GeForce RTX 2060**.

{{< alert circle-info >}}
Only CUDA was used on the Polaris, no CPU was involved. I am not sure if there is any
progress for OpenCL on AMD CPUs (I haven't looked into this as it's not relevant for me).
{{< /alert >}}

### WPA-PBKDF2-PMKID+EAPOL

| hash mode | command line                 | X1 Carbon | Polaris 17 |
| --------- | ---------------------------- | --------- | ---------- |
| 22000     | `hashcat -m 22000 -D 1,2 -b` | 17178 H/s | 152.9 kH/s |

### WPA-PMKID-PBKDF2

Deprecated in favor of mode 22000 (see above):

> The plugin 16800 is deprecated and was replaced with plugin 22000.
> For more details, please read: https://hashcat.net/forum/thread-10253.html

| hash mode | command line                 | X1 Carbon | Polaris 17 |
| --------- | ---------------------------- | --------- | ---------- |
| 16800     | `hashcat -m 16800 -D 1,2 -b` | 16930 H/s | 146.7 kH/s |

### WPA-EAPOL-PBKDF2

Deprecated in favor of mode 22000 (see above above):

> The plugin 2500 is deprecated and was replaced with plugin 22000.
> For more details, please read: https://hashcat.net/forum/thread-10253.html

| hash mode | command line                | X1 Carbon | Polaris 17 |
| --------- | --------------------------- | --------- | ---------- |
| 2500      | `hashcat -m 2500 -D 1,2 -b` | 15865 H/s | 152.0 kH/s |

### PKZIP (Compressed Multi-File)

Expect some OpenCL issues! Only the CPU was used on the X1 Carbon and the
Tuxedo Polaris wasn't able to finish the session.

| hash mode | command line                 | X1 Carbon    | Polaris 17  |
| --------- | ---------------------------- | ------------ | ----------- |
| 17220     | `hashcat -m 17220 -D 1,2 -b` | 64116.2 kH/s | N/A (error) |

The X1 Carbon displayed the following warning:

> ```console
> -------------------------------------------------
> * Hash-Mode 17220 (PKZIP (Compressed Multi-File))
> -------------------------------------------------
>
> * Device #2: Skipping (hash-mode 17220)
>              This is due to a known OpenCL runtime and/or device driver issue (not a hashcat issue)
>              You can use --force to override, but do not report related errors.
> ```

The Polaris aborted with a few of these error messages:

> ```console
> clEnqueueNDRangeKernel(): CL_OUT_OF_HOST_MEMORY
> ```

### MD5

| hash mode | command line             | X1 Carbon   | Polaris 17  |
| --------- | ------------------------ | ----------- | ----------- |
| 0         | `hashcat -m 0 -D 1,2 -b` | 1224.0 MH/s | 9527.4 MH/s |

### SHA1

| hash mode | command line               | X1 Carbon  | Polaris 17  |
| --------- | -------------------------- | ---------- | ----------- |
| 100       | `hashcat -m 100 -D 1,2 -b` | 317.9 MH/s | 3029.0 MH/s |

### SHA2-512

| hash mode | command line                | X1 Carbon    | Polaris 17 |
| --------- | --------------------------- | ------------ | ---------- |
| 1700      | `hashcat -m 1700 -D 1,2 -b` | 42721.2 kH/s | 442.4 MH/s |

### SHA3-512

| hash mode | command line                 | X1 Carbon    | Polaris 17 |
| --------- | ---------------------------- | ------------ | ---------- |
| 17600     | `hashcat -m 17600 -D 1,2 -b` | 36062.7 kH/s | 277.2 MH/s |