title | summary | date | lastmod | coverCaption | categories | tags |
---|---|---|---|---|---|---|
Recover Your Lost Password On The Command Line | If you are like me and use many different passwords you may come to that point when you can't think of a password for a specific service (or (zip)file). This is how I recover most of them. | 2024-09-08T22:49:01+0200 | 2024-10-13T09:19:41+0000 | Cover image by [jaydeep_](https://pixabay.com/illustrations/hacking-cybercrime-cybersecurity-3112539/). | | |
For this reason I save most variations of my passwords in a secure file, and with a rule file I can re-create most of the passwords that I have ever used.
Because I do not want to type all the passwords by hand, I use tools for this task. That speeds up the whole process, and it only costs me minutes (during which I can do other things).
Create the initial password file
I only use lowercase letters because I will later run that file through rules that automatically make some letters uppercase, add some numbers, et cetera.
password
otherpassword
Let this be our initial password file with the initial passwords that we use.
The rule file
Now create a rule file that will do most of the work by modifying the lines from our initial password file.
## take it as it is, toggle first character to uppercase or lowercase, uppercase all characters
:
T0
u
## append/prepend something to the password itself
$!
$1 $2 $3
$3 $2 $1
$m $i $n $e
^y ^m
^i
^i T1
^0
^0 T1
$1 $2 $s $h $a $r $k
So if you tend to finish your weak passwords with `12shark`, you may want to add this to your ruleset as `$1 $2 $s $h $a $r $k`.
Now every line from your password file also gets `12shark` appended.
Line counts
$ wc -l *
154 list.best64.txt
68196 list.d3ad0ne.txt
24 list.simple.txt
2 pwlist.txt
15 simple.rule
So our initial password file contains 2 words (2 lines), and the new password list generated with our own ruleset contains 24 lines (passwords).
The other two files (best64 and d3ad0ne) were made with some default rules from a tool called john.
As you can see, the widely known ruleset best64 created 154 passwords and the more extensive ruleset d3ad0ne created 68196 passwords from our 2 words.
What the output looks like
Using our own ruleset from above, we get these combinations:
password
Password
PASSWORD
password!
password123
password321
passwordmine
mypassword
ipassword
iPassword
0password
0Password
otherpassword
Otherpassword
OTHERPASSWORD
otherpassword!
otherpassword123
otherpassword321
otherpasswordmine
myotherpassword
iotherpassword
iOtherpassword
0otherpassword
0Otherpassword
Try and experiment with hashcat to get similar combinations:
$ hashcat pwlist.txt -r simple.rule --stdout > list.simple.txt
You can now use the generated wordlist file `list.simple.txt` with other tools like john.
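What the rule file does to each word can be reproduced in a few lines. The following is an added example (not hashcat's code and not part of the original post) that interprets only the rule functions used in simple.rule and regenerates the candidates; the names `apply_rule`, `load_rules` and `candidates` are made up for this example.

```python
# Added example: a tiny interpreter for the rule functions used in simple.rule.
# Only ':', 'u', 'TN', '$X' and '^X' are implemented; this is not hashcat code.
SIMPLE_RULE = """\
## take it as it is, toggle first character, uppercase all characters
:
T0
u
## append/prepend something to the password itself
$!
$1 $2 $3
$3 $2 $1
$m $i $n $e
^y ^m
^i
^i T1
^0
^0 T1
$1 $2 $s $h $a $r $k
"""
PWLIST = ["password", "otherpassword"]  # the two base words from the page


def apply_rule(rule, word):
    """Apply one rule line to a word; its functions run left to right."""
    for func in rule.split():  # limitation: cannot express '$ ' (append a space)
        op, arg = func[0], func[1:]
        if op == ":":          # pass the word through unchanged
            pass
        elif op == "u":        # uppercase everything
            word = word.upper()
        elif op == "T":        # toggle case at position N (0-9, then A-Z)
            pos = int(arg, 36)
            if pos < len(word):
                word = word[:pos] + word[pos].swapcase() + word[pos + 1:]
        elif op == "$":        # append one character
            word += arg
        elif op == "^":        # prepend one character
            word = arg + word
        else:
            raise ValueError(f"unsupported rule function: {func!r}")
    return word


def load_rules(text):
    """Return the rule lines, skipping blank lines and '#' comments."""
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def candidates(words, rules):
    """All candidates in word-major order, as in the listing above."""
    return [apply_rule(rule, word) for word in words for rule in rules]
```

With all 13 rules the two base words yield 26 candidates, which is the keyspace hashcat reports further down; the 24-line listing above corresponds to the ruleset without the `12shark` rule.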
Cracking a zip file
List file contents, if possible.
$ unzip -l test.zip
Archive: test.zip
Length Date Time Name
--------- ---------- ----- ----
57 2024-09-08 20:52 testfile.txt
--------- -------
57 1 file
Create a hashfile that can be used with john and/or hashcat.
$ zip2john -a testfile.txt -o testfile.txt test.zip > hash.txt
Using file testfile.txt as an 'ASCII' quick check file
Using file testfile.txt as only file to check
ver 2.0 efh 5455 efh 7875 test.zip/testfile.txt PKZIP Encr: 2b chk, TS_chk, cmplen=68, decmplen=57, crc=6059407C
Let us use a separate file for hashcat, because we have to remove the file paths from the hashfile.
$ cp hash.txt hash.cat.txt
$ nvim hash.cat.txt
Modify the file and leave only the hash in the file.
Content of the `hash.txt` file:
test.zip/testfile.txt:$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$:testfile.txt:test.zip::test.zip
Content of the `hash.cat.txt` file:
$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$
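The manual edit can also be scripted. The following added example (not from the original post and not part of john or hashcat) extracts the bare hash from the zip2john line and decodes its header so it can be compared with the zip2john summary above (`2b chk`, `cmplen=68`, `decmplen=57`, `crc=6059407C`); the field order is an assumption based on John the Ripper's PKZIP format description, and the function names are made up here.

```python
# Added example: reduce a zip2john line to the bare $pkzip2$ hash and decode
# its header. Field order is an assumption (John the Ripper's PKZIP format):
# count*chk_bytes*data_type*magic*cmplen*decmplen*crc*off*off2*method*datalen*...
import re

# The hash.txt line exactly as shown on the page.
JOHN_LINE = (
    "test.zip/testfile.txt:"
    "$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*"
    "56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733f"
    "f91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8"
    "bbbc2bc1*$/pkzip2$:testfile.txt:test.zip::test.zip"
)

PKZIP_RE = re.compile(r"\$pkzip2?\$.*?\$/pkzip2?\$")


def bare_hash(john_line):
    """Return only the $pkzip2$...$/pkzip2$ part, without file names."""
    match = PKZIP_RE.search(john_line)
    if match is None:
        raise ValueError("no $pkzip2$ hash found in line")
    return match.group(0)


def decode_header(pkzip_hash):
    """Decode the header of the first entry (numeric fields are hex)."""
    fields = pkzip_hash.split("$")[2].rstrip("*").split("*")
    if fields[2] == "1":
        raise ValueError("data type 1 uses a shorter header; not handled here")
    return {
        "entries": int(fields[0]),
        "checksum_bytes": int(fields[1]),
        "cmplen": int(fields[4], 16),
        "decmplen": int(fields[5], 16),
        "crc": fields[6].upper(),
        "method": {0: "stored", 8: "deflate"}.get(int(fields[9], 16), "other"),
        # the hex data blob should be exactly 'datalen' bytes long
        "data_complete": len(fields[13]) // 2 == int(fields[10], 16),
    }
```

The number of entries and the compression method are the properties that the names of hashcat's PKZIP hash modes refer to, for example "PKZIP (Compressed)" and "PKZIP (Compressed Multi-File)".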
We now try to crack the hash in `hash.cat.txt` with hashcat.
$ hashcat -m 17220 -a 0 hash.cat.txt pwlist.txt -r simple.rule
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) UHD Graphics 620, 7136/14368 MB (2047 MB allocatable), 24MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 13
Optimizers applied:
* Not-Iterated
* Single-Hash
* Single-Salt
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
* Device #1: Skipping (hash-mode 17220)
This is due to a known OpenCL runtime and/or device driver issue (not a hashcat issue)
You can use --force to override, but do not report related errors.
Started: Sun Sep 8 22:11:10 2024
Stopped: Sun Sep 8 22:11:13 2024
So hashcat will not work on my Carbon X1 laptop for this specific hash-mode.
I will try john with the pre-generated wordlist instead.
$ hashcat pwlist.txt -r simple.rule --stdout >customlist.txt
$ john --wordlist=customlist.txt hash.txt
[odin:52509] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.odin.1000/jf.0/1299054592/shared_mem_cuda_pool.odin could be created.
[odin:52509] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password12shark (?)
1g 0:00:00:00 DONE (2024-09-08 22:14) 25.00g/s 650.0p/s 650.0c/s 650.0C/s password..otherpassword12shark
Use the "--show" option to display all of the cracked passwords reliably
Session completed
$ john --show hash.txt
[odin:52580] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.odin.1000/jf.0/3210149888/shared_mem_cuda_pool.odin could be created.
[odin:52580] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728
?:password12shark
1 password hash cracked, 0 left
$ unzip -P password12shark test.zip
Archive: test.zip
replace testfile.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: r
new name: newfile.txt
inflating: newfile.txt
$ cat newfile.txt
I am a little testfile.
This is absolutely top secret.
I would do all the "heavy" lifting on my gaming laptop, which has a real graphics card built in.
Cracking on a remote computer
How? Copy the files to the remote computer and run hashcat over there:
$ rsync --no-motd -acvhz --stats --del pass/ polaris:pass/
sending incremental file list
./
customlist.txt
hash.txt
list.best64.txt
list.d3ad0ne.txt
list.simple.txt
list.simple2.txt
newfile.txt
pwlist.txt
simple.rule
test.zip
testfile.txt
Number of files: 12 (reg: 11, dir: 1)
Number of created files: 11 (reg: 11)
Number of deleted files: 0
Number of regular files transferred: 11
Total file size: 852,05K bytes
Total transferred file size: 852,05K bytes
Literal data: 852,05K bytes
Matched data: 0 bytes
File list size: 0
File list generation time: 0,004 seconds
File list transfer time: 0,000 seconds
Total bytes sent: 208,34K
Total bytes received: 235
sent 208,34K bytes received 235 bytes 417,14K bytes/sec
total size is 852,05K speedup is 4,09
Log in on the remote machine: `ssh polaris`.
`polaris` is the short name of the remote computer in my ssh configuration file `~/.ssh/config`.
On the remote machine:
$ cd pass
$ hashcat -m 17200 -a 0 hash.txt pwlist.txt -r simple.rule
hashcat (v6.2.5) starting
nvmlDeviceGetFanSpeed(): Not Supported
CUDA API (CUDA 12.4)
====================
* Device #1: NVIDIA GeForce RTX 2060, 5833/5919 MB, 30MCU
OpenCL API (OpenCL 3.0 CUDA 12.4.131) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: NVIDIA GeForce RTX 2060, skipped
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 13
Optimizers applied:
* Not-Iterated
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 263 MB
Dictionary cache built:
* Filename..: pwlist.txt
* Passwords.: 2
* Bytes.....: 23
* Keyspace..: 26
* Runtime...: 0 secs
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$:password12shark
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 17200 (PKZIP (Compressed))
Hash.Target......: $pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*...kzip2$
Time.Started.....: Sun Sep 8 22:26:17 2024 (0 secs)
Time.Estimated...: Sun Sep 8 22:26:17 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (pwlist.txt)
Guess.Mod........: Rules (simple.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 27415 H/s (0.48ms) @ Accel:512 Loops:13 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 26/26 (100.00%)
Rejected.........: 0/26 (0.00%)
Restore.Point....: 0/2 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-13 Iteration:0-13
Candidate.Engine.: Device Generator
Candidates.#1....: password -> otherpassword12shark
Hardware.Mon.#1..: Temp: 40c Util: 0% Core:1005MHz Mem:5500MHz Bus:8
Started: Sun Sep 8 22:25:48 2024
Stopped: Sun Sep 8 22:26:18 2024
This is probably the only reason why you would want an NVIDIA graphics card in your computer 😉
Some notes
Most of the files can easily be cracked on my laptop with integrated graphics using either john or hashcat. For more complicated tasks, or tasks that may run longer than expected, I move everything to the gaming laptop and try cracking them over there.
This is sufficient for all my tasks but if you want to do more you should probably consider using a tower with a "real" graphics card (not a mobile one).
Unfortunately current libreoffice files cannot be cracked; or at least, I haven't found a working routine for now...
Update: Laptop comparisons
Updated on October 13, 2024
{{< alert circle-info >}} The results can probably be increased by using a high-end tower PC with one or more graphics cards. {{< /alert >}}
{{< alert triangle-exclamation >}} Notice the units in the following tables (like H/s, kH/s or MH/s)! {{< /alert >}}
Below you see a short comparison between my Lenovo X1 Carbon (Gen7; i7-8665U) and my Tuxedo Polaris 17 (Ryzen 7 4800H) with integrated NVIDIA GeForce RTX 2060.
{{< alert circle-info >}} Only CUDA was used on the Polaris, no CPU was involved. I am not sure if there is any progress for OpenCL on AMD CPUs (I haven't looked into this as it's not relevant for me). {{< /alert >}}
WPA-PBKDF2-PMKID+EAPOL
hash mode | command line | X1 Carbon | Polaris 17 |
---|---|---|---|
22000 | hashcat -m 22000 -D 1,2 -b | 17178 H/s | 152.9 kH/s |
WPA-PMKID-PBKDF2
Deprecated in favor of mode 22000 (see above):
The plugin 16800 is deprecated and was replaced with plugin 22000. For more details, please read: https://hashcat.net/forum/thread-10253.html
hash mode | command line | X1 Carbon | Polaris 17 |
---|---|---|---|
16800 | hashcat -m 16800 -D 1,2 -b | 16930 H/s | 146.7 kH/s |
WPA-EAPOL-PBKDF2
Deprecated in favor of mode 22000 (see above):
The plugin 2500 is deprecated and was replaced with plugin 22000. For more details, please read: https://hashcat.net/forum/thread-10253.html
hash mode | command line | X1 Carbon | Polaris 17 |
---|---|---|---|
2500 | hashcat -m 2500 -D 1,2 -b | 15865 H/s | 152.0 kH/s |
PKZIP (Compressed Multi-File)
Expect some OpenCL issues! Only the CPU was used on the X1 Carbon and the Tuxedo Polaris wasn't able to finish the session.
hash mode | command line | X1 Carbon | Polaris 17 |
---|---|---|---|
17220 | hashcat -m 17220 -D 1,2 -b | 64116.2 kH/s | N/A (error) |
The X1 Carbon displayed the following warning:
-------------------------------------------------
* Hash-Mode 17220 (PKZIP (Compressed Multi-File))
-------------------------------------------------
* Device #2: Skipping (hash-mode 17220)
This is due to a known OpenCL runtime and/or device driver issue (not a hashcat issue)
You can use --force to override, but do not report related errors.
The Polaris aborted with a few of these error messages:
clEnqueueNDRangeKernel(): CL_OUT_OF_HOST_MEMORY
MD5
hash mode | command line | X1 Carbon | Polaris 17 |
---|---|---|---|
0 | hashcat -m 0 -D 1,2 -b | 1224.0 MH/s | 9527.4 MH/s |
SHA1
hash mode | command line | X1 Carbon | Polaris 17 |
---|---|---|---|
100 | hashcat -m 100 -D 1,2 -b | 317.9 MH/s | 3029.0 MH/s |
SHA2-512
hash mode | command line | X1 Carbon | Polaris 17 |
---|---|---|---|
1700 | hashcat -m 1700 -D 1,2 -b | 42721.2 kH/s | 442.4 MH/s |
SHA3-512
hash mode | command line | X1 Carbon | Polaris 17 |
---|---|---|---|
17600 | hashcat -m 17600 -D 1,2 -b | 36062.7 kH/s | 277.2 MH/s |