You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
377 lines
11 KiB
377 lines
11 KiB
---
|
|
title: Recover Your Lost Password On The Command Line
|
|
summary: >
|
|
If you are like me and use many different passwords you may come to that point
|
|
when you can't think of a password for a specific service (or (zip)file). This
|
|
is how I recover most of them.
|
|
date: 2024-09-08T22:49:01+0200
|
|
#lastmod:
|
|
coverCaption: Cover image by [jaydeep_](https://pixabay.com/illustrations/hacking-cybercrime-cybersecurity-3112539/).
|
|
categories:
|
|
- computerstuff
|
|
tags:
|
|
- pentest
|
|
- scripting
|
|
- john
|
|
- hashcat
|
|
- cracking
|
|
- command-line
|
|
- nvidia
|
|
---
|
|
|
|
For this reason I save most variations of my passwords in a secure file and with a rule
|
|
file I can re-create most of the passwords that I have ever used.
|
|
|
|
And because I do not want to type all the passwords by hand I use tools for this task,
|
|
which speeds this whole process up and it costs me minutes (where I can do other things
|
|
meanwhile)...
|
|
|
|
## Create the initial password file
|
|
|
|
I only use lower letters because I will punch that file through rules later that will
|
|
automatically make some letters uppercase, add some numbers to it et cetera...
|
|
|
|
```
|
|
password
|
|
otherpassword
|
|
```
|
|
|
|
Let these be our initial password file with the initial password that we use.
|
|
|
|
## The rule file
|
|
|
|
Now create a rule file that will do most of the work by modifying the lines
|
|
from our initial password file.
|
|
|
|
```
|
|
## take it as it is, toggle first character to uppercase or lowercase, uppercase all characters
|
|
:
|
|
T0
|
|
u
|
|
|
|
## append/prepend something to the password itself
|
|
$!
|
|
$1 $2 $3
|
|
$3 $2 $1
|
|
$m $i $n $e
|
|
^y ^m
|
|
^i
|
|
^i T1
|
|
^0
|
|
^0 T1
|
|
$1 $2 $s $h $a $r $k
|
|
```
|
|
|
|
So if you tend to finish your weak passwords with `12shark`, you may want to add this to
|
|
your ruleset as `$1 $2 $s $h $a $r $k`.
|
|
|
|
Now every line from your password file gets appended with `12shark`.
|
|
|
|
## Line counts
|
|
|
|
```console
|
|
$ wc -l *
|
|
154 list.best64.txt
|
|
68196 list.d3ad0ne.txt
|
|
24 list.simple.txt
|
|
2 pwlist.txt
|
|
15 simple.rule
|
|
```
|
|
|
|
So our initial password file contains 2 words (2 lines), the modified new password list
|
|
based on our own ruleset contains 24 lines (passwords).
|
|
|
|
And the other two files (_best64_ and _d3ad0ne_) were made with some default rules from a
|
|
tool called [john].
|
|
|
|
As you can see the wide-known ruleset _best64_ created 154 passwords from it and the
|
|
more enhanced rule _d3ad0ne_ created 68196 passwords from our 2 words.
|
|
|
|
## What the output looks like
|
|
|
|
Using our own ruleset from above, we get these combinations:
|
|
|
|
```
|
|
password
|
|
Password
|
|
PASSWORD
|
|
password!
|
|
password123
|
|
password321
|
|
passwordmine
|
|
mypassword
|
|
ipassword
|
|
iPassword
|
|
0password
|
|
0Password
|
|
otherpassword
|
|
Otherpassword
|
|
OTHERPASSWORD
|
|
otherpassword!
|
|
otherpassword123
|
|
otherpassword321
|
|
otherpasswordmine
|
|
myotherpassword
|
|
iotherpassword
|
|
iOtherpassword
|
|
0otherpassword
|
|
0Otherpassword
|
|
```
|
|
|
|
Try and experiment with [hashcat] to get similar combinations:
|
|
|
|
```console
|
|
$ hashcat pwlist.txt -r simple.rule --stdout > list.simple.txt
|
|
```
|
|
|
|
You can now use the generated wordlist file `list.simple.txt` with
|
|
other tools like [john].
|
|
|
|
## Cracking a zip file
|
|
|
|
List file contents, if possible.
|
|
|
|
```console
|
|
$ unzip -l test.zip
|
|
Archive: test.zip
|
|
Length Date Time Name
|
|
--------- ---------- ----- ----
|
|
57 2024-09-08 20:52 testfile.txt
|
|
--------- -------
|
|
57 1 file
|
|
```
|
|
|
|
Create a hashfile that can be used with [john] and/or [hashcat].
|
|
|
|
```console
|
|
$ zip2john -a testfile.txt -o testfile.txt test.zip > hash.txt
|
|
Using file testfile.txt as an 'ASCII' quick check file
|
|
Using file testfile.txt as only file to check
|
|
ver 2.0 efh 5455 efh 7875 test.zip/testfile.txt PKZIP Encr: 2b chk, TS_chk, cmplen=68, decmplen=57, crc=6059407C
|
|
```
|
|
|
|
Let us use a different file for hashcat, we have to remove the file paths from the hashfile.
|
|
|
|
```console
|
|
$ cp hash.txt hash.cat.txt
|
|
$ nvim hash.cat.txt
|
|
```
|
|
|
|
Modify the file and leave only the hash in the file.
|
|
|
|
Content of `hash.txt` file:
|
|
|
|
```txt
|
|
test.zip/testfile.txt:$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$:testfile.txt:test.zip::test.zip
|
|
```
|
|
|
|
Content of `hash.cat.txt` file:
|
|
|
|
```txt
|
|
$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$
|
|
```
|
|
|
|
We now try to crack the hash in `hash.cat.txt` with [hashcat].
|
|
|
|
```console
|
|
$ hashcat -m 17220 -a 0 hash.cat.txt pwlist.txt -r simple.rule
|
|
hashcat (v6.2.6) starting
|
|
|
|
OpenCL API (OpenCL 3.0 ) - Platform #1 [Intel(R) Corporation]
|
|
=============================================================
|
|
* Device #1: Intel(R) UHD Graphics 620, 7136/14368 MB (2047 MB allocatable), 24MCU
|
|
|
|
Minimum password length supported by kernel: 0
|
|
Maximum password length supported by kernel: 256
|
|
|
|
Hashes: 1 digests; 1 unique digests, 1 unique salts
|
|
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
|
|
Rules: 13
|
|
|
|
Optimizers applied:
|
|
* Not-Iterated
|
|
* Single-Hash
|
|
* Single-Salt
|
|
|
|
Watchdog: Hardware monitoring interface not found on your system.
|
|
Watchdog: Temperature abort trigger disabled.
|
|
|
|
* Device #1: Skipping (hash-mode 17220)
|
|
This is due to a known OpenCL runtime and/or device driver issue (not a hashcat issue)
|
|
You can use --force to override, but do not report related errors.
|
|
|
|
Started: Sun Sep 8 22:11:10 2024
|
|
Stopped: Sun Sep 8 22:11:13 2024
|
|
```
|
|
|
|
So [hashcat] will not work on my Carbon X1 laptop for this specific hash-mode.
|
|
|
|
I will then try [john] with the pre-generated wordlist then.
|
|
|
|
```console
|
|
$ hashcat pwlist.txt -r simple.rule --stdout >customlist.txt
|
|
$ john --wordlist=customlist.txt hash.txt
|
|
[odin:52509] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.odin.1000/jf.0/1299054592/shared_mem_cuda_pool.odin could be created.
|
|
[odin:52509] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728
|
|
Using default input encoding: UTF-8
|
|
Loaded 1 password hash (PKZIP [32/64])
|
|
Will run 8 OpenMP threads
|
|
Press 'q' or Ctrl-C to abort, almost any other key for status
|
|
password12shark (?)
|
|
1g 0:00:00:00 DONE (2024-09-08 22:14) 25.00g/s 650.0p/s 650.0c/s 650.0C/s password..otherpassword12shark
|
|
Use the "--show" option to display all of the cracked passwords reliably
|
|
Session completed
|
|
$ john --show hash.txt
|
|
[odin:52580] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.odin.1000/jf.0/3210149888/shared_mem_cuda_pool.odin could be created.
|
|
[odin:52580] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728
|
|
?:password12shark
|
|
|
|
1 password hash cracked, 0 left
|
|
$ unzip -P password12shark test.zip
|
|
Archive: test.zip
|
|
replace testfile.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: r
|
|
new name: newfile.txt
|
|
inflating: newfile.txt
|
|
$ cat newfile.txt
|
|
I am a little testfile.
|
|
|
|
This is absolutely top secret.
|
|
|
|
```
|
|
|
|
I would do all the "heavy" lifting on my gaming laptop which has a real graphics card
|
|
built into.
|
|
|
|
## Cracking on a remote computer
|
|
|
|
How? Copy the files to the remote computer and run hashcat over there:
|
|
|
|
```console
|
|
$ rsync --no-motd -acvhz --stats --del pass/ polaris:pass/
|
|
sending incremental file list
|
|
./
|
|
customlist.txt
|
|
hash.txt
|
|
list.best64.txt
|
|
list.d3ad0ne.txt
|
|
list.simple.txt
|
|
list.simple2.txt
|
|
newfile.txt
|
|
pwlist.txt
|
|
simple.rule
|
|
test.zip
|
|
testfile.txt
|
|
|
|
Number of files: 12 (reg: 11, dir: 1)
|
|
Number of created files: 11 (reg: 11)
|
|
Number of deleted files: 0
|
|
Number of regular files transferred: 11
|
|
Total file size: 852,05K bytes
|
|
Total transferred file size: 852,05K bytes
|
|
Literal data: 852,05K bytes
|
|
Matched data: 0 bytes
|
|
File list size: 0
|
|
File list generation time: 0,004 seconds
|
|
File list transfer time: 0,000 seconds
|
|
Total bytes sent: 208,34K
|
|
Total bytes received: 235
|
|
|
|
sent 208,34K bytes received 235 bytes 417,14K bytes/sec
|
|
total size is 852,05K speedup is 4,09
|
|
```
|
|
|
|
Login on the remote machine: `ssh polaris`.
|
|
|
|
<kbd>polaris</kbd> is the short name of the remote computer in my ssh configuration file `~/.ssh/config`.
|
|
|
|
On the remote machine:
|
|
|
|
```console
|
|
$ cd pass
|
|
$ hashcat -m 17200 -a 0 hash.txt pwlist.txt -r simple.rule
|
|
hashcat (v6.2.5) starting
|
|
|
|
nvmlDeviceGetFanSpeed(): Not Supported
|
|
|
|
CUDA API (CUDA 12.4)
|
|
====================
|
|
* Device #1: NVIDIA GeForce RTX 2060, 5833/5919 MB, 30MCU
|
|
|
|
OpenCL API (OpenCL 3.0 CUDA 12.4.131) - Platform #1 [NVIDIA Corporation]
|
|
========================================================================
|
|
* Device #2: NVIDIA GeForce RTX 2060, skipped
|
|
|
|
Minimum password length supported by kernel: 0
|
|
Maximum password length supported by kernel: 256
|
|
|
|
Hashes: 1 digests; 1 unique digests, 1 unique salts
|
|
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
|
|
Rules: 13
|
|
|
|
Optimizers applied:
|
|
* Not-Iterated
|
|
* Single-Hash
|
|
* Single-Salt
|
|
|
|
Watchdog: Temperature abort trigger set to 90c
|
|
|
|
Host memory required for this attack: 263 MB
|
|
|
|
Dictionary cache built:
|
|
* Filename..: pwlist.txt
|
|
* Passwords.: 2
|
|
* Bytes.....: 23
|
|
* Keyspace..: 26
|
|
* Runtime...: 0 secs
|
|
|
|
The wordlist or mask that you are using is too small.
|
|
This means that hashcat cannot use the full parallel power of your device(s).
|
|
Unless you supply more work, your cracking speed will drop.
|
|
For tips on supplying more work, see: https://hashcat.net/faq/morework
|
|
|
|
Approaching final keyspace - workload adjusted.
|
|
|
|
$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$:password12shark
|
|
|
|
Session..........: hashcat
|
|
Status...........: Cracked
|
|
Hash.Mode........: 17200 (PKZIP (Compressed))
|
|
Hash.Target......: $pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*...kzip2$
|
|
Time.Started.....: Sun Sep 8 22:26:17 2024 (0 secs)
|
|
Time.Estimated...: Sun Sep 8 22:26:17 2024 (0 secs)
|
|
Kernel.Feature...: Pure Kernel
|
|
Guess.Base.......: File (pwlist.txt)
|
|
Guess.Mod........: Rules (simple.rule)
|
|
Guess.Queue......: 1/1 (100.00%)
|
|
Speed.#1.........: 27415 H/s (0.48ms) @ Accel:512 Loops:13 Thr:32 Vec:1
|
|
Recovered........: 1/1 (100.00%) Digests
|
|
Progress.........: 26/26 (100.00%)
|
|
Rejected.........: 0/26 (0.00%)
|
|
Restore.Point....: 0/2 (0.00%)
|
|
Restore.Sub.#1...: Salt:0 Amplifier:0-13 Iteration:0-13
|
|
Candidate.Engine.: Device Generator
|
|
Candidates.#1....: password -> otherpassword12shark
|
|
Hardware.Mon.#1..: Temp: 40c Util: 0% Core:1005MHz Mem:5500MHz Bus:8
|
|
|
|
Started: Sun Sep 8 22:25:48 2024
|
|
Stopped: Sun Sep 8 22:26:18 2024
|
|
```
|
|
|
|
This is probably the only reason why you would want a NVIDIA graphics card
|
|
in your computer :wink:
|
|
|
|
## Some notes
|
|
|
|
Most of the files can easily be cracked on my laptop with integrated graphics using
|
|
either [john] or [hashcat]. For more complicated or tasks that may run longer than
|
|
expected I put all that stuff to the gaming laptop and try cracking them over there.
|
|
|
|
This is sufficient for all my tasks but if you want to do more you should probably
|
|
consider using a tower with a "real" graphics card (not a mobile one).
|
|
|
|
Unfortunately current libreoffice files cannot be cracked; or at least, I haven't
|
|
found a working routine for now...
|
|
|
|
[john]: https://www.openwall.com/john/
|
|
[hashcat]: https://hashcat.net/hashcat/
|