Today, I would like to show you how to crack a password-protected archive using the two most popular tools, JohnTheRipper vs. HashCat. To do so, we will use two different setups.
JohnTheRipper with Kali Linux 2023.01
The first setup is a Kali Linux VirtualBox machine:
I will use a fairly common 9-digit random password just to save time. You may try cracking more complex hashes yourself; this is just to give you the idea.
First of all, go to any password generator portal, like this one, and create a password:
Now we are ready to start. I would like to begin with John the Ripper, which is already installed as part of the wonderful Kali.
Let's try to generate a hash from the zip file first. There are a few tools available for this as part of the John the Ripper community toolset: zip2john and rar2john. We will go with the zip version, of course:
As you can see, the archive contains two files, style.css and index.php.
Now we have to think about a method. One option would be a dictionary attack with a wordlist of the most common passwords:
$ john backup.hashes --wordlist=<your_wordlist>
… not this time. Of course, I know the password. The best approach here is a mask attack, which, unlike a regex attack, is supported on the GPU:
$ john backup.hashes --mask=?d?d?d?d?d?d?d?d?d
This is a simple 9-digit mask. The built-in charsets are:
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff
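To put numbers on what a mask costs, here is a small keyspace calculator for the mask syntax above. It is an added example of my own, not code from John the Ripper or Hashcat; the charsets are the ones listed above, and the candidate rate you pass to worst_case_seconds is a figure you measure or assume:

```python
"""Keyspace calculator for hashcat / John the Ripper masks (added example)."""

# Built-in charsets exactly as listed above; ?b covers all 256 byte values.
BUILTIN_CHARSETS = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
BUILTIN_CHARSETS["a"] = "".join(BUILTIN_CHARSETS[c] for c in "luds")

def charset_size(tag: str) -> int:
    """Number of candidates for one ?x placeholder."""
    return 256 if tag == "b" else len(BUILTIN_CHARSETS[tag])

def parse_mask(mask: str) -> list:
    """Per-position candidate counts: ?x is a built-in charset, ?? is a
    literal '?', any other character is a fixed literal (one candidate)."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":          # plain literal character
            sizes.append(1)
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        tag = mask[i + 1]
        if tag == "?":
            sizes.append(1)
        elif tag == "b" or tag in BUILTIN_CHARSETS:
            sizes.append(charset_size(tag))
        else:
            raise ValueError(f"unknown charset ?{tag}")
        i += 2
    return sizes

def keyspace(mask: str) -> int:
    """Total number of candidates the mask generates."""
    total = 1
    for n in parse_mask(mask):
        total *= n
    return total

def worst_case_seconds(mask: str, rate_per_second: float) -> float:
    """Upper bound on crack time: exhausting the whole mask at a rate
    (candidates per second) that you measure or assume for your hardware."""
    return keyspace(mask) / rate_per_second
```

For the 9-digit mask used in this post the keyspace is exactly 10^9 candidates, which is why it falls in well under a minute even on a CPU; eight ?a positions give 95^8, several million times more.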
Let's go with this setup. I am planning to measure the time to crack as well:
Less than 40 seconds, not bad.
What about Hashcat? Hashcat is a well-known hash cracking tool which supports a wide variety of operating systems and is best known for its ability to use the GPU for high-performance operations. It can crack a complex password in a significantly shorter time using the GPU. First of all, let's copy the hash into a new hashcat.hashes file, keeping only the part enclosed by the $pkzip$ tags. Now we need to specify the hash mode. So let's list all the Hashcat modes related to zip:
It looks like 17220 is the perfect candidate here. Set the attack mode to mask and run:
$ time hashcat hashcat.hashes -m 17220 -a 3 ?d?d?d?d?d?d?d?d?d
It took slightly more time than the first run with John, but let's say the result is pretty much the same:
HashCat GPU on Windows 10
The second setup is a Windows 10 machine:
with an NVIDIA GeForce GTX 1660 Ti on board:
Run Hashcat with the same parameters and measure:
PS> Measure-Command { .\hashcat.exe ..\hashcat.txt -m 17220 -a 3 ?d?d?d?d?d?d?d?d?d | Out-Host }
Great! A fabulous result, as expected: we fell below 15 seconds there! Taking the warm-up time into account, the result should be even better in the long run on a more complex crack.
Unfortunately, John the Ripper does not support all hash algorithms in OpenCL mode (using the GPU), and in particular it does not support PKZIP. So, the results for OpenMP are below:
It took significantly less time: 21 seconds on the Windows host with 12 OpenMP threads versus 36 seconds on the Linux VM with 2 OpenMP threads.
Verdict
Which is better? Of course, it depends. When doing password cracking, you will find there are generally two options:
- Slow CPU cracking with either John the Ripper or Hashcat. John is a straightforward tool, easy to use, and supports a high number of hash formats and dictionary, mask and regex attacks, but it is quite limited in OpenCL.
- Fast GPU cracking with Hashcat, which supports a variety of hash formats. Hashcat is a great tool for fast GPU cracking of any type of hash, like WPA2, MD5 or PKZIP; it has very well developed community support, but it is a bit more difficult to configure and use than John.
The combination of the two tools covers a large range of hash formats on both Windows and Linux.
That is it for today. Later I will post my series of results presenting data for different attack methods and password complexities for both John and Hashcat. So, we saw how easy it can be to crack a zip archive in about 30 seconds with John the Ripper preinstalled on Kali Purple, and this is actually why I like it. For sure, if we need more performance, Hashcat with a high-performance GPU setup might be the right choice,
be ethical,
save your privacy!