John the Ripper for Bruteforcing
Case 1: Cracking the zip password
In the case below there is a zip file which requires a password to open.
┌──(rocky㉿kali)-[~/hckbox/node]
└─$ unzip newbackup.zip
Archive: newbackup.zip
creating: var/www/myplace/
[newbackup.zip] var/www/myplace/package-lock.json password:
This requires a password, so we need to crack the zip with John to recover it.
As this is a zip file, we first need the zip2john script shipped with John to convert the archive into a hash value that john can load. The scripts are usually located under /usr/share/john.
The first command gives a lot of warnings.
┌──(rocky㉿kali)-[/usr/share/john]
└─$ sudo zip2john ~/hckbox/node/newbackup.zip > ~/hckbox/node/newbackup.hashes
[sudo] password for rocky:
newbackup.zip/var/www/myplace/ is not encrypted!
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/package-lock.json PKZIP Encr: 2b chk, TS_chk, cmplen=4404, decmplen=21264, crc=37EF7D4C
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/node_modules/ is not encrypted, or stored with non-handled compression type
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/node_modules/serve-static/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/serve-static/README.md PKZIP Encr: 2b chk, TS_chk, cmplen=2733, decmplen=7508, crc=9C88B932
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/serve-static/index.js PKZIP Encr: 2b chk, TS_chk, cmplen=1640, decmplen=4533, crc=211D4438
es/merge-descriptors/LICENSE PKZIP Encr: 2b chk, TS_chk, cmplen=701, decmplen=1167, crc=E5199DFD
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/merge-descriptors/HISTORY.md PKZIP Encr: 2b chk, TS_chk, cmplen=212, decmplen=363, crc=B39B861C
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/merge-descriptors/package.json PKZIP Encr: 2b chk, TS_chk, cmplen=791, decmplen=1973, crc=7DF9E1F4
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/node_modules/media-typer/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/media-typer/README.md PKZIP Encr: 2b chk, TS_chk, cmplen=824, decmplen=2371, crc=FC21E3D4
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/media-typer/index.js PKZIP Encr: 2b chk, TS_chk, cmplen=2153, decmplen=6375, crc=954EE4EC
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/media-typer/LICENSE PKZIP Encr: 2b chk, TS_chk, cmplen=654, decmplen=1089, crc=EEDA1571
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/media-typer/HISTORY.md PKZIP Encr: 2b chk, TS_chk, cmplen=238, decmplen=461, crc=831BFF63
/on-finished/HISTORY.md PKZIP Encr: 2b chk, TS_chk, cmplen=671, decmplen=1694, crc=A7755A8F
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/on-finished/package.json PKZIP Encr: 2b chk, TS_chk, cmplen=842, decmplen=1973, crc=69CB31FE
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/node_modules/encodeurl/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/encodeurl/README.md PKZIP Encr: 2b chk, TS_chk, cmplen=1358, decmplen=3613, crc=8B7C0973
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/encodeurl/index.js PKZIP Encr: 2b chk, TS_chk, cmplen=776, decmplen=1584, crc=4A7F0ECB
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/encodeurl/LICENSE PKZIP Encr: 2b chk, TS_chk, cmplen=654, decmplen=1089, crc=B05A5771
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/encodeurl/HISTORY.md PKZIP Encr: 2b chk, TS_chk, cmplen=118, decmplen=159, crc=EC7CEBBF
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/encodeurl/package.json PKZIP Encr: 2b chk, TS_chk, cmplen=872, decmplen=2046, crc=2FADFBCD
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/node_modules/type-is/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/type-is/README.md PKZIP Encr: 2b chk, TS_chk, cmplen=1480, decmplen=4161, crc=DC8E6598
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/type-is/index.js PKZIP Encr: 2b chk, TS_chk, cmplen=1835, decmplen=5525, crc=D02938BD
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/type-is/LICENSE PKZIP Encr: 2b chk, TS_chk, cmplen=705, decmplen=1172, crc=64AADF93
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/type-is/HISTORY.md PKZIP Encr: 2b chk, TS_chk, cmplen=1077, decmplen=3923, crc=D6966BE8
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/type-is/package.json PKZIP Encr: 2b chk, TS_chk, cmplen=926, decmplen=2206, crc=EAC9E6F2
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/node_modules/parseurl/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/parseurl/README.md PKZIP Encr: 2b chk, TS_chk, cmplen=1079, decmplen=3463, crc=C0082F23
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/parseurl/index.js PKZIP Encr: 2b chk, TS_chk, cmplen=886, decmplen=2425, crc=9CEDEE92
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/parseurl/LICENSE PKZIP Encr: 2b chk, TS_chk, cmplen=700, decmplen=1168, crc=5428B6A9
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/parseurl/HISTORY.md PKZIP Encr: 2b chk, TS_chk, cmplen=370, decmplen=832, crc=D36C9E89
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/parseurl/package.json PKZIP Encr: 2b chk, TS_chk, cmplen=870, decmplen=2018, crc=14F24EA9
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/node_modules/resolve-from/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/resolve-from/index.js PKZIP Encr: 2b chk, TS_chk, cmplen=294, decmplen=532, crc=EA419ACB
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/resolve-from/package.json PKZIP Encr: 2b chk, TS_chk, cmplen=669, decmplen=1605, crc=6DF22948
les/fresh/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/fresh/README.md PKZIP Encr: 2b chk, TS_chk, cmplen=1336, decmplen=3236, crc=9E3E393F
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/fresh/index.js PKZIP Encr: 2b chk, TS_chk, cmplen=756, decmplen=1740, crc=22ACD7E3
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/fresh/LICENSE PKZIP Encr: 2b chk, TS_chk, cmplen=711, decmplen=1174, crc=F9A49A45
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/fresh/HISTORY.md PKZIP Encr: 2b chk, TS_chk, cmplen=538, decmplen=1220, crc=4209F5B1
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/fresh/package.json PKZIP Encr: 2b chk, TS_chk, cmplen=905, decmplen=2132, crc=2D265872
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/node_modules/mime-db/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/mime-db/README.md PKZIP Encr: 2b chk, TS_chk, cmplen=1580, decmplen=3698, crc=7EBAE334
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/mime-db/index.js PKZIP Encr: 2b chk, TS_chk, cmplen=129, decmplen=136, crc=5C777A15
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/mime-db/LICENSE PKZIP Encr: 2b chk, TS_chk, cmplen=664, decmplen=1099, crc=703F5655
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/mime-db/HISTORY.md PKZIP Encr: 2b chk, TS_chk, cmplen=2026, decmplen=7912, crc=4CB89A0D
mongodb-core/lib/connection/logger.js PKZIP Encr: 2b chk, TS_chk, cmplen=1355, decmplen=6219, crc=8FA81201
crc=6BDBF084
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
Use this command to suppress the warnings: redirecting stderr to /dev/null discards them (including the note above about option -o, so read that first), while the hashes still go to the output file.
┌──(rocky㉿kali)-[/usr/share/john]
└─$ sudo zip2john ~/hckbox/node/newbackup.zip 2>/dev/null > ~/hckbox/node/newbackup.hashes
┌──(rocky㉿kali)-[/usr/share/john]
└─$ head ~/hckbox/node/newbackup.hashes
newbackup.zip:$pkzip2$3*2*1*0*8*24*9c88*1223*e0af0f04a36d44530af05c2a7e10141069f4e924d664c5cae80577db1922cdba9f715cae*1*0*8*24*37ef*0145*5559cbc60694621e9f201804b78c8ff7cae08157768c13b80f878f5091f72d7394374bde*2*0*11*5*118f1dfc*94cb*67*0*11*118f*3d0f*3339585e708a5ddb3b65e439900c62bab3*$/pkzip2$::newbackup.zip:var/www/myplace/node_modules/qs/.eslintignore, var/www/myplace/node_modules/serve-static/README.md, var/www/myplace/package-lock.json:/home/rocky/hckbox/node/newbackup.zip
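To see what that line actually carries, here is a small parser for the $pkzip2$ format, an added example rather than code from this post or from John the Ripper. The field names follow my reading of John's pkzip format documentation and are assumptions; the sample line and the member CRCs are copied from the zip2john output above. It shows that the hash holds only a short ciphertext excerpt and a 2-byte CRC check per selected member, which is why zip2john's note about every member sharing one password matters.

```python
# Constructed from the session above: the line zip2john wrote for newbackup.zip, and the CRCs it
# reported for the two deflated members (its line for .eslintignore was cut off in the output).
ZIP2JOHN_LINE = (
    "newbackup.zip:$pkzip2$3*2*1*0*8*24*9c88*1223*e0af0f04a36d44530af05c2a7e10141069f4e924d664c5cae80577db1922cdba9f715cae"
    "*1*0*8*24*37ef*0145*5559cbc60694621e9f201804b78c8ff7cae08157768c13b80f878f5091f72d7394374bde"
    "*2*0*11*5*118f1dfc*94cb*67*0*11*118f*3d0f*3339585e708a5ddb3b65e439900c62bab3*$/pkzip2$"
    "::newbackup.zip:var/www/myplace/node_modules/qs/.eslintignore, "
    "var/www/myplace/node_modules/serve-static/README.md, var/www/myplace/package-lock.json"
    ":/home/rocky/hckbox/node/newbackup.zip")
MEMBER_CRCS = {"var/www/myplace/node_modules/serve-static/README.md": "9C88B932",
               "var/www/myplace/package-lock.json": "37EF7D4C"}

def parse_pkzip2(line):
    """Return (archive, member names, entries) from one zip2john '$pkzip2$' line."""
    archive, rest = line.split(":", 1)
    if not rest.startswith("$pkzip2$") or "$/pkzip2$" not in rest:
        raise ValueError("not a $pkzip2$ hash line")
    body, trailer = rest[len("$pkzip2$"):].split("$/pkzip2$", 1)
    f = body.rstrip("*").split("*")
    count, pos, entries = int(f[0]), 2, []     # f[1] is a checksum-type flag, not needed here
    for _ in range(count):
        e = {"data_type": int(f[pos]), "magic_type": int(f[pos + 1])}
        pos += 2
        if e["data_type"] == 2:                # whole member present: lengths, CRC, two offsets
            e.update(comp_len=int(f[pos], 16), uncomp_len=int(f[pos + 1], 16), crc=f[pos + 2].upper())
            pos += 5
        elif e["data_type"] != 1:              # 1 = only the first bytes of the member are kept
            raise ValueError(f"unsupported data type {e['data_type']}")
        e.update(comp_type=int(f[pos]), data_len=int(f[pos + 1], 16), crc_check=f[pos + 2].upper(),
                 time_check=f[pos + 3].upper(), data=bytes.fromhex(f[pos + 4]))
        pos += 5
        entries.append(e)
    _, names, _path = trailer.lstrip(":").split(":", 2)
    return archive, [n.strip() for n in names.split(",")], entries

def check_entries(entries):
    """Declared data length must match, and a full entry's 2-byte check must be the top 16 bits
    of its CRC (the same relation ties 9c88 in the hash to crc=9C88B932 in the warnings)."""
    problems = []
    for i, e in enumerate(entries):
        if len(e["data"]) != e["data_len"]:
            problems.append(f"entry {i}: data length {len(e['data'])} != {e['data_len']}")
        if "crc" in e and e["crc_check"] != e["crc"][:4]:
            problems.append(f"entry {i}: check {e['crc_check']} != crc prefix {e['crc'][:4]}")
    return problems

def match_by_crc(entries, member_crcs):
    """Pair each entry's check bytes with the member whose full CRC starts with them, else None."""
    by_prefix = {crc.upper()[:4]: name for name, crc in member_crcs.items()}
    return [by_prefix.get(e["crc_check"]) for e in entries]
```

Note that the entry order inside the hash is not the order of the member list in the trailer; matching on the CRC prefix is how you tell which excerpt belongs to which file.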
As we can see, the format is pkzip. John cracked this quickly for me.
sudo john ~/hckbox/node/newbackup.hashes --wordlist=/usr/share/wordlists/rockyou.txt --format=pkzip
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
magicword (newbackup.zip)
1g 0:00:00:00 DONE (2022-04-01 21:53) 50.00g/s 9420Kp/s 9420Kc/s 9420KC/s sandrad..becky101
Use the "--show" option to display all of the cracked passwords reliably
Session completed
We can now unzip with the cracked password. The archive extracts to a “var” folder.

Case 2: SSH passphrase
I have an SSH key, and when I try to use it, it asks for a password/passphrase. The ssh2john script under /usr/share/john can be helpful here as well.

Unable to ssh without the passphrase:
ssh -i id_rsa_kay orestis@10.10.10.17
Warning: Identity file id_rsa_kay not accessible: No such file or directory.
The authenticity of host '10.10.10.17 (10.10.10.17)' can't be established.
ED25519 key fingerprint is SHA256:R2LI9xfR5z8gb7vJn7TAyhLI9RT5GEVp76CK9aoKnM8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.17' (ED25519) to the list of known hosts.
orestis@10.10.10.17: Permission denied (publickey).
Use the ssh2john script to generate the hash value. Python3 did not work for me, so I tried it with python2.
python2 /usr/share/john/ssh2john.py id_rsa > ssh.priv1
┌──(rocky㉿kali)-[~/hckbox/brainfuck]
└─$ ls
40939.txt alltcp.txt cookie.html directory.txt key.priv ssh2john.c ssh.priv1 wp.html
41006.txt alludp.txt details.txt id_rsa mail ssh.priv 'wp (copy 1).html'
┌──(rocky㉿kali)-[~/hckbox/brainfuck]
└─$ cat ssh.priv1
id_rsa:$sshng$1$16$6904FEF19397786F75BE2D7762AE7382$1200$...
Now run john against this hash with the rockyou wordlist. It recovers the passphrase, and I am able to SSH in.
john --wordlist=/usr/share/wordlists/rockyou.txt ssh.priv1
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
3poulakia! (id_rsa)
SSH login works with the newly cracked passphrase in combination with the SSH key.
ssh -i id_rsa orestis@brainfuck.htb
The authenticity of host 'brainfuck.htb (10.10.10.17)' can't be established.
ED25519 key fingerprint is SHA256:R2LI9xfR5z8gb7vJn7TAyhLI9RT5GEVp76CK9aoKnM8.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:69: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'brainfuck.htb' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-75-generic x86_64)
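The Cost lines in the john output explain why this passphrase fell to a wordlist so quickly: a legacy PEM key (Proc-Type/DEK-Info headers) derives its cipher key with a single-iteration MD5 derivation, while the newer openssh-key-v1 format uses bcrypt with a configurable round count. The following added example, not code from this post or from John, reads a key file's header and reports format, cipher, KDF and rounds; both sample keys are constructed, and the legacy one borrows only the IV from the ssh2john output above.

```python
import base64, struct

def _sshstr(b):                  # SSH wire "string": 4-byte big-endian length, then bytes
    return struct.pack(">I", len(b)) + b

def _take(buf, pos):             # read one SSH "string" at pos; return (bytes, next pos)
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def inspect_key(key_text):
    """Describe how a private key file is protected: format, cipher, KDF and KDF rounds."""
    lines = [l.strip() for l in key_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(b"openssh-key-v1\0"):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, pos = _take(blob, 15)           # fields follow the 15-byte magic
        kdf, pos = _take(blob, pos)
        opts, pos = _take(blob, pos)
        rounds = None
        if kdf == b"bcrypt":                    # kdfoptions = string salt || uint32 rounds
            (rounds,) = struct.unpack(">I", opts[_take(opts, 0)[1]:][:4])
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        hdrs = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
        enc = hdrs.get("Proc-Type", "").endswith("ENCRYPTED")
        # Legacy PEM keys derive the cipher key with OpenSSL's MD5-based EVP_BytesToKey, one
        # iteration: the "KDF/cipher 0=MD5/AES" and "iteration count 1" john reported above.
        return {"format": "pem", "encrypted": enc, "kdf": "md5" if enc else "none",
                "cipher": hdrs.get("DEK-Info", "none").split(",")[0], "rounds": 1 if enc else None}
    raise ValueError("unrecognised private key file")

def is_weak_kdf(info):           # passphrase-protected, but testable at wordlist speed
    return info["encrypted"] and info["kdf"] == "md5"

# Constructed samples, not real keys. The legacy one reuses only the IV from the ssh2john
# output above; its body is dummy base64, which is all the header check needs.
LEGACY_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6904FEF19397786F75BE2D7762AE7382

QUJDRA==
-----END RSA PRIVATE KEY-----"""

def build_openssh_header(cipher, kdf, salt, rounds):
    """Constructed openssh-key-v1 prefix: magic, ciphername, kdfname, kdfoptions, key count."""
    opts = _sshstr(salt) + struct.pack(">I", rounds) if kdf == "bcrypt" else b""
    return (b"openssh-key-v1\0" + _sshstr(cipher.encode()) + _sshstr(kdf.encode())
            + _sshstr(opts) + struct.pack(">I", 1))

MODERN_KEY = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
              + base64.b64encode(build_openssh_header("aes256-ctr", "bcrypt", b"\x01" * 16, 16)).decode()
              + "\n-----END OPENSSH PRIVATE KEY-----")
```

A key that is_weak_kdf flags can be rewritten in the new format with ssh-keygen -p -o -a 64 -f id_rsa, which re-encrypts it under bcrypt with 64 rounds.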