A XIT’s Guide to Cracking Password-Protected Files

How to Crack Passwords for Protected ZIP, PDF, RAR, and Word Documents: Step-by-Step Guide

Cracking Password Protected Files, Crypto Wallet Files, SSH Private Keys, BitLocker encrypted drives & more…

XIT
6 min read, Dec 15, 2023

Follow XIT on Medium and UglyCompany on Telegram for more.

Greetings, World! Welcome to XIT. Today, I’ll teach you how to crack passwords for protected .ZIP files on a Windows machine.

For better understanding, I’ve created a password-protected ZIP file named “secret.zip”, as shown below. We will crack its password step by step in this blog.

A ZIP file places no limit on wrong password attempts (the check happens entirely offline, so nothing locks you out), which means the password’s strength is its only protection. So instead of guessing, we will simply brute force it using a well-known tool called ‘John the Ripper.’ Follow the steps below to install it on your Windows machine.

John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems.

Step-By-Step Installation:

  1. Navigate to https://www.openwall.com/john/. Since I am on a 64-bit Windows machine, I’ll install ‘jumbo-1 64-bit Windows binaries.’

  2. Once downloaded, extract the ZIP file.

  3. Navigate to the ‘run’ folder inside the extracted folder and find ‘zip2john.exe.’

  4. Open CMD inside that folder (run) and enter the following command:

zip2john.exe target.zip

zip2john prints a “hash” line built from the archive’s encryption metadata. john works on this line, not on the ZIP itself, so this is what we crack.

  5. To save this hash to a file in the current folder, redirect the output:

zip2john.exe target.zip > hash

  6. Now, open the hash file in Notepad to check that it contains the hash line.

  7. Run john against the hash file:

john hash

Tada! We have successfully cracked the password. (If john has already cracked this hash in an earlier run it prints nothing new; ‘john --show hash’ displays the stored result.)
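The same two-step pattern (a *2john helper, then john) is also what a defender can watch for on managed endpoints. The following detection logic is an added example of my own, not code from the post or from John the Ripper; the event format, hostnames and command lines are constructed, and it generalises to the other helpers used later on this page (pdf2john, ssh2john, bitcoin2john, bitlocker2john) and to dd imaging of a raw device.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (timestamp, host, user, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("2023-12-15T10:01:02", "ws01", "alice", r"C:\tools\john\run\zip2john.exe target.zip"),
    ("2023-12-15T10:01:09", "ws01", "alice", r"C:\tools\john\run\john.exe hash"),
    ("2023-12-15T10:03:00", "ws02", "bob", r"C:\Windows\System32\notepad.exe hash"),
    ("2023-12-15T11:20:00", "srv01", "svc", "/opt/john/run/bitlocker2john minimalistic.raw"),
    ("2023-12-15T11:20:30", "srv01", "svc", "./john --format=bitlocker-opencl --wordlist=wordlist target_hash"),
    ("2023-12-15T11:25:00", "srv01", "root", "dd if=/dev/disk2 of=disk_image conv=noerror,sync"),
]

# The *2john helper family: zip2john.exe, pdf2john.pl, ssh2john.py, bitcoin2john.py, bitlocker2john ...
HELPER_RE = re.compile(r"(?:^|[\\/\s])([a-z0-9]+2john)(?:\.(?:exe|py|pl))?(?=\s|$)", re.I)
# The cracker itself, as a bare name or a full path, with or without .exe
JOHN_RE = re.compile(r"(?:^|[\\/\s])john(?:\.exe)?(?=\s|$)", re.I)
# Raw device imaging, the usual prelude to offline BitLocker hash extraction
IMAGING_RE = re.compile(r"(?:^|\s)dd\s+if=/dev/")

def classify(cmdline):
    """Label one command line, or return None when it is not of interest."""
    m = HELPER_RE.search(cmdline)
    if m:
        return "hash-extraction:" + m.group(1).lower()
    if JOHN_RE.search(cmdline):
        return "cracking:john"
    if IMAGING_RE.search(cmdline):
        return "disk-imaging:dd"
    return None

def detect(events, window=timedelta(minutes=10)):
    """Return (hits, alerts): hits lists every matching event; alerts lists the (host, user)
    pairs where a hash extraction was followed by a john run within `window`."""
    hits, alerts, last_extract = [], [], {}
    for ts, host, user, cmd in events:
        label = classify(cmd)
        if label is None:
            continue
        hits.append((host, user, label, cmd))
        t, key = datetime.fromisoformat(ts), (host, user)
        if label.startswith("hash-extraction:"):
            last_extract[key] = t
        elif label == "cracking:john" and key in last_extract and t - last_extract[key] <= window:
            alerts.append(key)
    return hits, alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS)[1]:
        print("possible offline password cracking by", alert)
```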

Crack Passwords Faster with Custom Word List

Building your own custom wordlist, or picking an existing one, is simple: think about things your target might use as a password, like their pet’s name or favourite hobby. You can also find free wordlists online, for example on GitHub or in SecLists, to get ideas. Then you feed these words to john and crack the password using the same process.

Using SecLists to get a custom password wordlist

SecLists is a powerful resource for wordlists used in ethical hacking and cybersecurity. Dorks are search queries to find specific information on search engines.

Go to the SecLists GitHub repository: https://github.com/danielmiessler/SecLists.

Click on “Code” and then “Download ZIP” to get the entire collection.

Pick the wordlist in the collection that matches your search criteria; it can then be used for password cracking with the same process.

BONUS

You can find usage guides for cracking other file types in the ‘doc’ folder inside the extracted folder. I won’t retype them all, but I’ll add a few popular guides below:

Cracking ZIP files with JtR Jumbo
=================================

1. Run zip2john on password protected .zip file(s).

E.g. $ ../run/zip2john target.zip > hash

2. Run john on the output of zip2john.

E.g. $ ../run/john hash

3. Wait for the password to get cracked.

Cracking PDF files with JtR
---------------------------

1. Run pdf2john.pl on the .pdf file(s).

E.g. $ ../run/pdf2john.pl test.pdf > hashes

2. Run john on the output of pdf2john.pl program.

E.g. $ ../run/john hashes

Cracking Tezos keys with JtR Jumbo
==================================

1. Run tezos2john.py and provide it with the required data. Run tezos2john.py without any options to see the usage instructions.

E.g. $ ../run/tezos2john.py 'put guide flat machine express cave hello connect stay local spike ski romance express brass' 'jbzbdybr.vpbdbxnn@tezos.example.org' 'tz1eTjPtwYjdcBMStwVdEcwY2YE3th1bXyMR' > hashes

E.g. $ ../run/tezos2john.py 'monster crack glance favorite humble group bone grid clock bottom employ gold jelly fatigue tragic' 'pfbbhuvm.jlbcintw@tezos.example.org' 'tz1Zgd3LHuryw6rBzsQKnBMVqu99KzWankj8' >> hashes

The passwords for these sample hashes are "4FGU8MpuCo" and "VPhvU2LgyJ" respectively.

2. Run john on the output of tezos2john.py script.

E.g. $ ../run/john hashes

3. Wait for the password(s) to get cracked.

Cracking password protected ssh private keys
============================================

1. Build JtR-jumbo

2. Run ssh2john.py on SSH private key file(s)

3. Run john on the output of step 2.

Cracking bitcoin-qt (bitcoin) wallet files with john
====================================================

1. Run bitcoin2john.py on bitcoin wallet file(s).

E.g. $ ../run/bitcoin2john.py wallet.dat >> hashes

2. Run john on the output of bitcoin2john.py script.

E.g. $ ../run/john hashes

3. Wait for the password(s) to get cracked.

Cracking BitLocker encrypted volumes with JtR
=============================================

This document is about cracking password protected BitLocker encrypted volumes with JtR.

Step 1: Extract the hash
------------------------

In order to use the BitLocker-OpenCL format, you must produce a well-formatted hash from your BitLocker encrypted image. Use the bitlocker2john tool to extract hashes from password protected BitLocker encrypted volumes. It returns four output hashes with different prefixes:

* If the device was encrypted using the User Password authentication method, bitlocker2john prints these two hashes:
  * $bitlocker$0$... : it starts the User Password fast attack mode
  * $bitlocker$1$... : it starts the User Password attack mode with MAC verification (slower execution, no false positives)

* In any case, bitlocker2john prints these two hashes:
  * $bitlocker$2$... : it starts the Recovery Password fast attack mode
  * $bitlocker$3$... : it starts the Recovery Password attack mode with MAC verification (slower execution, no false positives)

Hash extraction example:

$ ../run/bitlocker2john minimalistic.raw # operate on a disk image
Signature found at 0x00010003
Version: 8
Invalid version, looking for a signature with valid version...
Signature found at 0x02110000
Version: 2 (Windows 7 or later)
VMK entry found at 0x021100b6
Key protector with user password found
minimalistic.raw:$bitlocker$0$16$e221443f32c419b74504ed51b0d66dbf$1048576$12$704e12c6c...

Instead of running bitlocker2john directly on BitLocker encrypted devices (e.g. /dev/sdb1), you may use the dd command to create a disk image of a device encrypted with BitLocker:

$ sudo dd if=/dev/disk2 of=disk_image conv=noerror,sync
+4030464+0 records in
+4030464+0 records out
+2063597568 bytes transferred in 292.749849 secs (7049013 bytes/sec)

For further details about User Password and Recovery Password attacks, please refer to the Wiki page: http://openwall.info/wiki/john/OpenCL-BitLocker.

Step 2: Attack!
---------------

Use the BitLocker-OpenCL format specifying the hash file:

$ ./john --format=bitlocker-opencl --wordlist=wordlist target_hash

Currently, this format is able to evaluate passwords having length between 8 (minimum password length) and 55 characters.

The mask you can use to generate Recovery Passwords is:

-mask=?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d
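To put a number on that mask, here is a keyspace calculator I added as an example (my own code, not part of JtR or the original post). It parses JtR-style masks (the ?l/?u/?d/?s/?a placeholders with their stock charset sizes, bracket sets such as [-] or [a-z], ?? for a literal question mark, and plain literals; the function names and the charset sizes are my assumptions) and shows that the Recovery Password mask spans 10^48 candidates, which is why exhaustive search of it is not the realistic exposure: user-password strength and how the recovery key is stored are.

```python
# Candidate counts for the default JtR mask placeholders (assumption: stock charsets,
# no user-defined ?1..?4 and no multibyte placeholders).
PLACEHOLDERS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

def expand_set(body):
    """Characters denoted by a bracket-set body such as '-', 'a-z' or 'a-c0-9-'."""
    chars, j = set(), 0
    while j < len(body):
        if j + 2 < len(body) and body[j + 1] == "-":      # range like a-c
            chars.update(chr(k) for k in range(ord(body[j]), ord(body[j + 2]) + 1))
            j += 3
        else:                                             # single literal (a trailing '-' too)
            chars.add(body[j])
            j += 1
    return chars

def mask_keyspace(mask):
    """Number of candidates a JtR-style mask expands to (?l ?u ?d ?s ?a, [sets], ?? and literals)."""
    total, i = 1, 0
    while i < len(mask):
        c = mask[i]
        if c == "?":
            nxt = mask[i + 1] if i + 1 < len(mask) else ""
            if nxt == "?":                 # '??' is a literal question mark: one choice
                pass
            elif nxt in PLACEHOLDERS:
                total *= PLACEHOLDERS[nxt]
            else:
                raise ValueError(f"unsupported placeholder ?{nxt} at offset {i}")
            i += 2
        elif c == "[":
            end = mask.index("]", i)       # ValueError if the set is never closed
            total *= len(expand_set(mask[i + 1:end]))
            i = end + 1
        else:                              # literal character: one choice
            i += 1
    return total

def seconds_to_exhaust(mask, guesses_per_second):
    """Worst-case time to try every candidate of `mask` at a given guess rate."""
    return mask_keyspace(mask) / guesses_per_second

# The Recovery Password mask from the README above: eight groups of six digits joined by '-'
RECOVERY_MASK = "?d?d?d?d?d?d[-]" * 7 + "?d?d?d?d?d?d"

if __name__ == "__main__":
    print(mask_keyspace(RECOVERY_MASK))                                   # 10**48
    print(seconds_to_exhaust(RECOVERY_MASK, 1e9) / 3.15e7, "years at 1e9 guesses/s")
```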

Links
-----

Sample BitLocker images for testing are available at:

* https://github.com/kholia/libbde/tree/bitlocker2john/samples
* https://github.com/e-ago/bitcracker/tree/master/Images

Sample User Password / Recovery Password dictionaries are available at https://github.com/e-ago/bitcracker/tree/master/Dictionary

More information on BitLocker cracking can be found at:

* http://openwall.info/wiki/john/OpenCL-BitLocker
* https://github.com/e-ago/bitcracker

Cracking Mozilla Firefox, Thunderbird and SeaMonkey master passwords
====================================================================

1. Run mozilla2john.py on key3.db file.

./mozilla2john /some/path/key3.db > mozilla.in

2. Run john on output of mozilla2john.

./john mozilla.in

3. Wait for master password to get cracked.

If you learnt anything from this blog, we’d appreciate your engagement: give it a clap and consider sharing to help spread the knowledge. Also follow XIT on Medium and UglyCompany on Telegram. Your support means a lot to us!

A supporter is worth a thousand followers. 😊


Written by XIT

SHHH! The voice of none is stronger than the voice of one.
