Date: Tue, 29 Dec 2020 23:21:06 +0100 From: Solar Designer <solar@...nwall.com> To: Jeff Johnson <echo5juliet@...il.com> Cc: john-users@...ts.openwall.com Subject: Re: use data from known password zipfile created by the same machine/user? Hello Jeff, On Mon, Dec 28, 2020 at 06:03:53PM -0800, Jeff Johnson wrote: > I have two zip files I created on the same machine. One password I know, > the other I have lost. I have created zip2john hash files for both zip > files. File1.zip I know the password for. File2.zip I don't. > > Is it possible to gather any kind of hash result or salt from processing > the File1.zip file that will aid jtr in figuring out File2.zip easier? It depends. If both are PKZIP archives, were created in a similar way, and contain similar data, then you might be able to exploit PKZIP's vulnerability to a known plaintext attack. The tool to use is bkcrack: https://github.com/kimci86/bkcrack This is tricky to do and it does not always succeed (as you might not correctly guess enough data the way it looks post-compression), but now there are some writeups/tutorials: https://ctftime.org/writeup/15072 https://www.programmersought.com/article/13436370754/ https://blog.devolutions.net/2020/08/why-you-should-never-use-zipcrypto If successful, you'll be able to recover your encrypted data without ever needing nor finding out the unknown password. Now to uses of JtR: > File1.zip password is very similar to: 1Jump.H1gh3r > It's highly likely I used similar kinds of letter replacement for File2.zip > > I tried: > ./john File2.hash > and > ./john --wordlist=rockyou.txt --rules:All File2.hash This is a good start, but as you've found out now you need to customize the attack. Robert suggested you use Crunch, but there's no reason to: JtR has that functionality built-in. If you think you know the password pattern, you can use mask mode, e.g.: ./john -2='?l?u?d' --mask='?u?l?l?l.?u?2?2?2?2?2' File2.hash If you think the password is at a small edit distance from 1Jump.H1gh3r, you can put that known password in a wordlist file and run substitutions against it, e.g.: echo '1Jump.H1gh3r' > w ./john -w=w --rules=oi File2.hash ./john -w=w --rules=oi --rules-stack=oi File2.hash This also works with other rulesets. As to "similar kinds of letter replacement", you can try the pre-defined Leet external mode, e.g.: ./john -w=rockyou.txt --external=leet File2.hash The rules you already ran also try such substitutions, but the external mode tries some more. I notice 1Jump.H1gh3r is based on two words. So you might want to take short lists of common English words and combine them into pairs before applying rules. You can use wordlists and Perl scripts mentioned here: https://www.openwall.com/lists/john-users/2018/08/31/3 https://www.openwall.com/lists/john-users/2020/07/22/3 https://www.openwall.com/lists/john-users/2020/07/22/4 To have JtR itself combine words, you can use PRINCE mode, e.g.: ./john --prince=top3000eng File2.hash ./john --prince=top3000eng --rules=oi File2.hash You can also do something like: ./john -w=top3000eng --rules=jumbo --stdout | ./unique top3kj ./john --prince=top3kj File2.hash Indeed, you can also combine the above approaches, and will probably need to do so. For testing, you might want to see which of these commands would have cracked your known 1Jump.H1gh3r password. For near-misses, adjust the commands to hit that one password. Then you'll probably have a better chance to crack your unknown password as well. I hope this helps. Alexander P.S. You don't appear to be subscribed to the list (unless possibly under another address). If so, you might want to subscribe so that you don't miss a reply and can participate in discussions.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.