Having seen how to compile John the Ripper to use all of your computer's processors, we can now use it for a task that may be useful to digital forensic investigators: getting around passwords. Today we will focus on cracking passwords for ZIP and RAR archive files. Luckily, the JtR community has done most of the hard work for us. For this to work you need to have built the community version of John the Ripper, since it has extra utilities for ZIP and RAR files.
The password for the rar file is 'test1234' and the password for the zip file is 'test4321'.
In the 'run' folder of John the Ripper community version (I am using John-1.7.9-jumbo-7), there are two programs called 'zip2john' and 'rar2john'. Run them against their respective file types to extract the password hashes:
This will give you files that contain the password hashes to be cracked... something like this:
After that, you can run John the Ripper directly on the password hash files:
You should get a message like:
Notice that in this case we are not using explicit dictionaries. You could potentially speed the cracking process up if you have an idea what the password may be. If you look at your processor usage and only one processor is maxed out, then you did not enable OpenMP when building. On a multi-processor system, OpenMP will greatly speed up the cracking process.
Now sit back and wait for the cracking to finish. On a 64-bit quad-core i7 system, without using GPU, and while doing some other CPU-intensive tasks, the password was cracked in 6.5 hours.
Now, if you want to see the cracked passwords, give john the following arguments:
It should output something like:
Note: each hash file should contain only one type of hash. For example, we cannot put the rar AND zip hashes in the same file. But this means you could try to crack more than one zip/rar file at a time.
For the rar file it did not take nearly as long, since the password was relatively common. If you take a look at john.conf in the run directory, it has a list of the patterns it checks (in order). The pattern 12345 is much more likely than 54321, so it is checked first, resulting in a quick crack.
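The note above about keeping one type of hash per file can be checked before starting a long run. The following Python script is an added example, not part of the original post or of John the Ripper; it sorts hash lines by their leading format tag. The sample lines are constructed with placeholder bodies, and the family labels are names chosen for this example.

```python
import re
from collections import defaultdict

# Leading format tags written by zip2john / rar2john (jumbo builds), mapped to
# a family label. The labels are names chosen for this example.
TAG_FAMILY = {
    "pkzip": "PKZIP", "pkzip2": "PKZIP",   # legacy ZipCrypto archives
    "zip": "ZIP-AES", "zip2": "ZIP-AES",   # WinZip AES archives
    "RAR3": "RAR3", "rar5": "RAR5",
}
TAG_RE = re.compile(r"\$([A-Za-z0-9]+)\$")

# Constructed sample lines: labels are made up, hash bodies are placeholders.
SAMPLE = [
    "test.zip/a.txt:$pkzip2$*PLACEHOLDER*$/pkzip2$:a.txt:test.zip",
    "test.rar:$RAR3$*1*PLACEHOLDER",
]


def classify(line):
    """Return (label, family) for one hash line, or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    m = TAG_RE.search(line)
    if m is None or m.group(1) not in TAG_FAMILY:
        raise ValueError(f"unrecognised hash line: {line[:40]!r}")
    # Anything before the tag is the optional "archive/member:" label.
    label = line[:m.start()].rstrip(":") or "(no label)"
    return label, TAG_FAMILY[m.group(1)]


def group_by_family(lines):
    """Map each hash family to the labels of the lines that belong to it."""
    groups = defaultdict(list)
    for line in lines:
        item = classify(line)
        if item is not None:
            groups[item[1]].append(item[0])
    return dict(groups)


def is_uniform(lines):
    """True when all hash lines belong to one family (safe for one john run)."""
    return len(group_by_family(lines)) <= 1


if __name__ == "__main__":
    for family, labels in group_by_family(SAMPLE).items():
        print(f"{family}: {len(labels)} line(s) -> write to its own file")
```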
- John the Ripper is designed to be both feature-rich and fast. It combines several cracking modes in one program and is fully configurable for your particular needs (you can even define a custom cracking mode using the built-in compiler supporting a subset of C).
- Raw output from zip2john at the terminal gives this: redacted redacted. If I use the full output from the terminal of zip2john then Hashcat complains of Signature unmatched - no hashes loaded. Any help would be well received. JTR is much slower than using my GPU/hashcat.
- Thank you so much. This program really works. I have a password-protected .zip file and I don't know how to crack it. This might be a silly question, but I do not have any knowledge of this kind of profession. I tried 'zip2john' and notepad, but I can't find a solution.
- root@kali-hsun test# zip2john license.zip passwd.txt license.zip /license/ is not encrypted! ver 1.0 license.zip /license/ is not encrypted, or stored with non-handled compression type ver 2.0 efh 9901 license.zip /license/license.dat PKZIP Encr: cmplen= 630, decmplen= 2810, crc= 5ED111EF ver 2.0 efh 9901 efh 7075 license.
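This time I used rar2john, but if you use zip2john you can do password analysis on zip files in exactly the same way. Links I referred to: Knb's diary: rar file password analysis; How-to Cracking ZIP and RAR protected files with John the Ripper; How to crack archive password faster; Put it into practice right now!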
For this exercise I have created password protected RAR and ZIP files, that each contain two files. The password for the rar file is 'test1234' and the password for the zip file is 'test4321'.
You should get a message like:
Loaded 1 password hash (PKZIP [32/64])
By using John with no options it will use its default order of cracking modes. See the examples page for more information on modes.
Choose which x2john program to run online and extract a hash that can be used with JohnTheRipper or Hashcat
Popular
bitcoin2john: Extract hashes from Bitcoin and Litecoin wallet.dat files
pdf2john: Extract hashes from encrypted PDF .pdf files
rar2john: Extract hashes from encrypted .zip or .rar or .7z files
zip2john: Extract hashes from encrypted .zip or .rar or .7z files
7z2john: Extract hashes from encrypted .zip or .rar or .7z files
office2john: Extract hashes from encrypted Microsoft Office files (.doc, .docx, .xls, .xlsx, .ppt, .pot)
itunes_backup2john: Extract hashes from encrypted iTunes backups Manifest.plist
ethereum2john: Extract hashes from encrypted Ethereum wallets (Geth/Mist/MyEtherWallet)
monero2john: Extract hashes from encrypted Monero wallet .keys files January 2016 or later
gpg2john: Extract hashes from encrypted GnuPG .asc files
Other
bitlocker2john: Extract hashes from encrypted BitLocker volumes
bitwarden2john: Extract hashes from Bitwarden storage.js / com.x8bit.bitwarden_preferences.xml / Google Chrome's 'nngceckbap...'
blockchain2john: Extract hashes from Blockchain.info v1, v2, v3 wallets
dmg2john: Extract hashes from encrypted .dmg files
filezilla2john: Extract hashes from FileZilla Server .xml configuration file
keepass2john: Extract hashes from encrypted KeePass .kdb .kdbx files
keychain2john: Extract hashes from Mac OS Keychain file ~/Library/Keychains
keyring2john: Extract hashes from Keyring file ~/.local/share/keyrings
keystore2john: Extract hashes from encrypted .keystore / .jks files
money2john: Extract hashes from Microsoft MS Money 2002-2007 / Money Plus file
mozilla2john: Extract hashes from Mozilla Firefox password database key3.db file
padlock2john: Extract hashes from encrypted Padlock files
pem2john: Extract hashes from encrypted PEM/OpenSSL .pem files
putty2john: Extract hashes from encrypted PuTTY .ppk files
pwsafe2john: Extract hashes from encrypted PasswordSafe .psafe3 files
signal2john: Extract hashes from encrypted Signal messages SecureSMS-Preferences.xml
ssh2john: Extract hashes from SSH Private keys
staroffice2john: Extract hashes from encrypted StarOffice files (.sxc, .sdw, .sxd, .sxw, .sxi)