SSH private keys you come across are sometimes encrypted with a passphrase, which must be supplied before the key can be used for authentication. When this occurs, we can use John to extract a crackable hash from the key and attempt to recover the passphrase offline.
First, we’ll extract the hash using sshng2john.
python sshng2john.py ssh.key
Then we can rerun the above command, but redirect the output to a file.
python sshng2john.py /root/ssh.key > hash.ssh
And finally, we can pass it to John for cracking against a dictionary file.
john --wordlist=/opt/wordlists/rockyou.txt hash.ssh
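As an added example that is not part of the original post, here’s a small Python checker you can run over the keys on a box to confirm each one is actually passphrase-protected. It reads the same header fields sshng2john pulls out of an OpenSSH key (cipher, KDF and bcrypt rounds); build_sample_key is a constructed helper that assembles header-only blobs for the demo, not real key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # fixed prefix of the openssh-key-v1 container


def _string(data):
    """Encode bytes as an SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf, off):
    """Decode one SSH 'string' at offset off; return (bytes, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_key(pem_text):
    """Report whether a private key file is passphrase-protected and how."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Legacy PEM keys (ssh-keygen -m PEM) announce encryption in a header line.
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
        return {"format": "pem", "encrypted": encrypted}
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)   # "none" means no passphrase at all
    kdf, off = _read_string(blob, off)      # "none" or "bcrypt"
    kdfopts, off = _read_string(blob, off)  # bcrypt: string salt, uint32 rounds
    info = {"format": "openssh-key-v1", "cipher": cipher.decode(),
            "kdf": kdf.decode(), "encrypted": cipher != b"none"}
    if kdf == b"bcrypt":
        _salt, o = _read_string(kdfopts, 0)
        (info["rounds"],) = struct.unpack(">I", kdfopts[o:o + 4])
    return info


def build_sample_key(cipher, kdf, rounds=16):
    """Constructed sample: a minimal openssh-key-v1 header with NO real key material."""
    kdfopts = _string(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = MAGIC + _string(cipher) + _string(kdf) + _string(kdfopts) + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    for name, key in [("unprotected", build_sample_key(b"none", b"none")),
                      ("protected", build_sample_key(b"aes256-ctr", b"bcrypt", 24))]:
        print(name, inspect_key(key))
```

A cipher of none means the key is usable with no passphrase, which is exactly the case a cracking step never even needs; a protected key should report bcrypt with the rounds you set via ssh-keygen -a.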
Thanks for checking out another quick hacking tutorial! This one is super simple, but helpful to know in case you come across a password-protected ZIP archive that you need access to.
To start, I created a couple of text files on my Windows machine and stored them in an encrypted ZIP archive using 7-zip.
Let’s transfer over the CrackMe.zip file to our Kali machine.
Once the CrackMe.zip file is present on the filesystem, go ahead and Right-Click and select Extract Here.
You’ll get a prompt stating that there is a Password Required.
In order for us to crack this password, we need to first extract its hash. Luckily, John The Ripper has everything we need built-in. Let’s spin up a Terminal window and get started. Start by making sure you’re in the correct directory that contains the ZIP file.
Run the following command to extract the password hash from the archive. This will create a new text file titled hash-to-crack.txt.
sudo zip2john CrackMe.zip > hash-to-crack.txt
We can verify the contents of the file by utilizing cat.
Great! Now that we have a hash contained in the text document, let’s try our hand at cracking it. First, we’ll need a wordlist. I always like to utilize the rockyou.txt wordlist built into Kali first. This list can be found at /usr/share/wordlists/rockyou.txt. If you haven’t already unzipped this list (it ships as rockyou.txt.gz), you’ll want to do that before proceeding. Check out this guide for help with that.
With the wordlist in hand, let’s run the following command to start our wordlist attack.
sudo john hash-to-crack.txt --wordlist=/usr/share/wordlists/rockyou.txt
John usually detects the hash format from the line zip2john wrote. If you receive an error, you may need to specify the format explicitly.
sudo john --format=zip hash-to-crack.txt --wordlist=/usr/share/wordlists/rockyou.txt
Based on the result above, we see that our password is password123! Let’s attempt to extract the archive again, and enter that password to make sure it works.
Doing so creates a new folder titled CrackMe. Let’s go ahead and expand the contents of this and see what we can find!
That’s it! It’s super quick and easy to crack an archive like this if it’s protected by a weak password. As you’ve heard 1000 times, strong passwords are essential for keeping your data secure, and this is just one example that proves it.