John the Ripper Pt. 3

May 09, 2022

Intro

It should come as no surprise that John can also deal with .zip and .rar archives. John does this by leveraging the zip2john and rar2john utilities, built in the tool, so that it can ingest something that it will know how to use. The syntax is pretty much the same, and by now, you should be quite familiar with it; still, we will use this article to show some examples of how we can make our .zip and .rar archives John-ready. As we will see, this is akin to the unshadow tool we’ve used previously.

 

zip2john

As mentioned, similar to unshadow, John has the inbuilt tool that’s called zip2john, which we use to convert our target .zip archive into a format john will know what to do with, and, we hope, crack successfully.

The basic syntax looks something like this:

zip2john [target_zip_file] > [output_file]

Flags:

target_zip_file – this is the path to our password protected protected .zip archive

> - greater than sign which redirects our command results to a specified output file

output_file – in this file we store our output

So, our command will look something like this:

zip2john target_archive.zip > zip_hash.txt

Once we’ve successfully obtained the zip_hash.txt output file, we simply supply it to John. And yes, we can use the wordlists too. Thus, we just had a couple of extra steps before we return to using John as we’ve already learned previously.

More simply put, we can say to John, something like this:

john –wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt

As you can see, this is something that we’ve already learned, and we’ve just used the zip2john utility to prepare our archive for John to work with. 

Let’s quickly cover rar2john next, and then we will go over some examples.

 

rar2john

The same as zip files, rar can also compress various files and folders. It does so by using the Winrar archive manager.

We use it in the same way as zip2john. First, we use rar2john to make the .rar archive ready for John – by obtaining its hash, then we supply the said hash to John to try and crack it.

The syntax is the same as for zip2john:

rar2john [target_rar_file] > [output_file]

Flags:

target_rar_file – this is the path to our password protected protected ..rar archive

> - greater than sign which redirects our command results to a specified output file

output_file – in this file we store our output

It will look something like this:

rar2john rar_archive.rar > rar_hash.txt

Now we just use John, the way we’ve learned, giving it our rar_hash.txt file:

john –wordlist=/usr/share/wordlists/rockyou.txt rar_hash.txt

 

Examples

Now that we’ve covered some basic stuff, let’s look at some examples.


We have a .zip archive, called testZip1.zip with three files inside, called pass.txt, sop.txt, and supersecret.txt.

To digress for a bit: it would be terrible if we saw something like this on our test, as an attacker. The naming convention here in our article is there for our convenience and illustrative purposes. Nobody should have a file called sop.txt (which usually stands for standard operating procedure). Pass.txt and supersecret.txt even less so, for obvious reasons.

Going back to our .zip cracking, we give John a command asking it to make an output file it can understand, and try to crack it. (image below)


We just gave John our output file (in this case test1.hashes), and it cracked our password. Note that you can make your output file to be of any format, for further processing/manipulation. Use what makes the most sense for your purposes.

Since we have our password, we show it with John, and try to open our password protected archive, which prompts us:





Finally, we have our cracked .zip archive, and contents opened, of one of the files:


Let’s look at some more examples.


We password protect our .rar archive, called safe.rar, as we can see – password is password1. Inside, we have put two files, called pass.txt, and pass2.txt, respectively. We now need to make something John can use, out of our .rar archive:


Now we ask John to crack our new file, called rar_cracked.hash, for demonstration, we passed no arguments/options to John first.


When we ask John to crack something, without giving other arguments, it will go through the default modes, with their default settings. (That’s why it started with single crack mode first, in the image above)

Since we know our password is really weak, and we don’t want to wait that much, we use our trusty rockyou.txt wordlist:


Our wordlist mode works immediately, giving us the password we were looking for – password1, as shown above.

We then try to open our archive, finally:


As we can see, we get a popup saying we need to enter our password to access safe.rar, which we type in:


Et voila! We have managed to access the .rar archive:


From the image above – two files, called pass.txt and pass2.txt, as mentioned previously – and their contents.

 

Conclusion

We’ve seen how we can use John to crack password protected .zip and .rar archives, and how it's just one extra step after what we’ve already covered previously. Please note, though, that we were using just the rockyou.txt wordlist in our examples, and there are many wordlists out there, of different sizes (which can definitely speed up your attempts), purpose/type (why stop at passwords? We can also have URLs, web shells, fuzzing payloads, etc). Personally, I like to start off with the shortest wordlist that suits my particular need, as it is simply the fastest way. After that, if I don’t crack anything, I can easily switch to some larger lists.

One awesome resource would be the Openwall wordlists found on Openwall website – which is John the Ripper’s original website. There you can find some publicly downloadable lists, as well as paid ones, which can dramatically increase your password recovery potential, as that particular collection has 20+ languages, over 40 million entries, and also has pre-applied mangling rules (in this way you can do other likely password variations – adding digits instead of words, capitalization, etc.)

Before finishing, we would like to add that the best way to get these materials to ‘stick’ is to go and try for yourself. So, go fire up a VM, make some archives, add some files to it, password protect it, and attempt to crack it! (Once you master the easy ones, like in our examples, it's time to start attacking some more complex passwords, and that’s where the greatest fun begins)

Tags

  • #cybersecurity

  • #hacking

  • #infosec

  • #thicalhacking

  • #johntheripper

  • #passwordcracking

  • #vicarius_blog

users/photos/cl09w23tf2efa0mpf8sov0k5q.jpg

Written by

acephale 4w

Recent Posts

  • 1

    How to test application with ZAP - Part Two

    Jenny R September 28, 2022
  • 2

    How to test application with ZAP - Part One

    Jenny R September 28, 2022
  • 3

    The World's Worst Hackers Have Flags

    Paul Lighter September 27, 2022
  • 4

    Intro to Windows (Win32) API

    acephale 4w September 26, 2022
  • 5

    State of the Union's Infrastructure Security According to CISA

    Kent Weigle September 23, 2022
last_chanse_02.png

Start Closing Security Gaps

  • Risk reduction from Day 1
  • Fast set-up and deployment
  • Unified platform
  • Full-featured 30-day trial