Recover Your Lost Password On The Command Line

Cover image by jaydeep_.

For this reason I save most variations of my passwords in a secure file and with a rule file I can re-create most of the passwords that I have ever used.

And because I do not want to type all the passwords by hand, I use tools for this task, which speeds the whole process up; it costs me minutes (during which I can do other things)…

Create the initial password file

I only use lowercase letters because I will punch that file through rules later that will automatically make some letters uppercase, add some numbers to it, et cetera…

password
otherpassword

Let this be our initial password file with the initial passwords that we use.

The rule file

Now create a rule file that will do most of the work by modifying the lines from our initial password file.

## take it as it is, toggle first character to uppercase or lowercase, uppercase all characters
:
T0
u

## append/prepend something to the password itself
$!
$1 $2 $3
$3 $2 $1
$m $i $n $e
^y ^m
^i
^i T1
^0
^0 T1
$1 $2 $s $h $a $r $k

So if you tend to finish your weak passwords with 12shark, you may want to add this to your ruleset as $1 $2 $s $h $a $r $k.

Now 12shark gets appended to every line from your password file.

Line counts

$ wc -l *
   154 list.best64.txt
 68196 list.d3ad0ne.txt
    24 list.simple.txt
     2 pwlist.txt
    15 simple.rule

So our initial password file contains 2 words (2 lines), and the modified new password list based on our own ruleset contains 24 lines (passwords).

And the other two files (best64 and d3ad0ne) were made with some default rules from a tool called john.

As you can see, the widely known ruleset best64 created 154 passwords from it and the more enhanced rule d3ad0ne created 68196 passwords from our 2 words.

What the output looks like

Using our own ruleset from above, we get these combinations:

password
Password
PASSWORD
password!
password123
password321
passwordmine
mypassword
ipassword
iPassword
0password
0Password
otherpassword
Otherpassword
OTHERPASSWORD
otherpassword!
otherpassword123
otherpassword321
otherpasswordmine
myotherpassword
iotherpassword
iOtherpassword
0otherpassword
0Otherpassword

Try and experiment with hashcat to get similar combinations:

$ hashcat pwlist.txt -r simple.rule --stdout > list.simple.txt

You can now use the generated wordlist file list.simple.txt with other tools like john.
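To see what each rule line does to a word, here is a small interpreter for just the rule functions that simple.rule uses (`:`, `T`, `u`, `$`, `^`). It is an added example, not part of the original post and not hashcat's code; `apply_rule` and `expand` are hypothetical names, and treating an out-of-range `T` position as a no-op is an assumption about hashcat's behaviour.

```python
# Added example: interprets only the rule functions that simple.rule uses.
ARITY = {" ": 0, ":": 0, "u": 0, "T": 1, "$": 1, "^": 1}  # arguments per function
# The rule file from the page, copied verbatim.
SIMPLE_RULE = """\
## take it as it is, toggle first character to uppercase or lowercase, uppercase all characters
:
T0
u

## append/prepend something to the password itself
$!
$1 $2 $3
$3 $2 $1
$m $i $n $e
^y ^m
^i
^i T1
^0
^0 T1
$1 $2 $s $h $a $r $k
"""

def apply_rule(rule: str, word: str) -> str:
    """Apply one rule line, function by function from left to right."""
    chars, i = list(word), 0
    while i < len(rule):
        op, n = rule[i], ARITY.get(rule[i])
        arg = rule[i + 1 : i + 1 + (n or 0)]
        if n is None or len(arg) != n:
            raise ValueError(f"unsupported or truncated rule function at {rule[i:]!r}")
        i += 1 + n
        if op == "u":                    # uppercase every character
            chars = [c.upper() for c in chars]
        elif op == "T":                  # toggle case at position 0-9, A-Z
            pos = int(arg, 36)
            if pos < len(chars):         # assumption: out of range leaves the word alone
                chars[pos] = chars[pos].swapcase()
        elif op == "$":                  # append one character
            chars.append(arg)
        elif op == "^":                  # prepend one character
            chars.insert(0, arg)
    return "".join(chars)                # ":" and the separator change nothing

def expand(words, rule_text=SIMPLE_RULE):
    """Run every word through every rule, word by word; '#' lines are comments."""
    rules = [r for r in rule_text.splitlines() if r.strip() and not r.startswith("#")]
    return [apply_rule(r, w) for w in words for r in rules]
```

With the two words from pwlist.txt this yields 26 candidates (2 words × 13 rules), the same keyspace hashcat reports further down.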

Cracking a zip file

List file contents, if possible.

$ unzip -l test.zip
Archive:  test.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
       57  2024-09-08 20:52   testfile.txt
---------                     -------
       57                     1 file

Create a hashfile that can be used with john and/or hashcat.

$ zip2john -a testfile.txt -o testfile.txt test.zip > hash.txt
Using file testfile.txt as an 'ASCII' quick check file
Using file testfile.txt as only file to check
ver 2.0 efh 5455 efh 7875 test.zip/testfile.txt PKZIP Encr: 2b chk, TS_chk, cmplen=68, decmplen=57, crc=6059407C

Let us use a different file for hashcat, because we have to remove the file paths from the hashfile.

$ cp hash.txt hash.cat.txt
$ nvim hash.cat.txt

Modify the file and leave only the hash in the file.

Content of hash.txt file:

test.zip/testfile.txt:$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$:testfile.txt:test.zip::test.zip

Content of hash.cat.txt file:

$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$
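The manual edit above can also be scripted. The following added example (not from the original post) cuts the bare hash out of the hash.txt line and decodes its header so the values can be compared with what zip2john printed (cmplen=68, decmplen=57, crc=6059407C). The function and field names are this example's own labels, and it only handles a single-file hash like the one on this page.

```python
from typing import NamedTuple

# hash.txt line from the page: john stores "label:hash:extra fields".
JOHN_LINE = (
    "test.zip/testfile.txt:$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*"
    "56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733f"
    "f91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8"
    "bbbc2bc1*$/pkzip2$:testfile.txt:test.zip::test.zip"
)

class PkzipEntry(NamedTuple):
    cmplen: int        # compressed length in bytes
    decmplen: int      # uncompressed length in bytes
    crc: str           # CRC32 of the plaintext file
    compression: int   # ZIP compression method (8 = deflate)
    data_len: int      # length of the encrypted data carried in the hash

def bare_hash(john_line: str) -> str:
    """Return only the $pkzip2$...$/pkzip2$ field, as stored in hash.cat.txt."""
    start = john_line.index("$pkzip2$")
    end = john_line.index("$/pkzip2$", start) + len("$/pkzip2$")
    return john_line[start:end]

def parse_single_entry(hash_str: str) -> PkzipEntry:
    """Decode the '*'-separated header of a one-file hash; numbers are hex."""
    body = hash_str[len("$pkzip2$"):-len("$/pkzip2$")].rstrip("*")
    f = body.split("*")
    if len(f) != 14 or int(f[0], 16) != 1 or int(f[2], 16) == 1:
        raise ValueError("only single-entry hashes with a full header are handled")
    entry = PkzipEntry(int(f[4], 16), int(f[5], 16), f[6],
                       int(f[9], 16), int(f[10], 16))
    if len(f[13]) != 2 * entry.data_len:
        raise ValueError("data field does not match its declared length")
    return entry
```

For this archive the header says one file stored with compression method 8 (deflate), which corresponds to the "PKZIP (Compressed)" hash-mode 17200 that the remote run below reports.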

We now try to crack the hash in hash.cat.txt with hashcat.

$ hashcat -m 17220 -a 0 hash.cat.txt pwlist.txt -r simple.rule
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) UHD Graphics 620, 7136/14368 MB (2047 MB allocatable), 24MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 13

Optimizers applied:
* Not-Iterated
* Single-Hash
* Single-Salt

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: Skipping (hash-mode 17220)
             This is due to a known OpenCL runtime and/or device driver issue (not a hashcat issue)
             You can use --force to override, but do not report related errors.

Started: Sun Sep  8 22:11:10 2024
Stopped: Sun Sep  8 22:11:13 2024

So hashcat will not work on my Carbon X1 laptop for this specific hash-mode.

I will try john with the pre-generated wordlist then.

$ hashcat pwlist.txt -r simple.rule --stdout >customlist.txt
$ john --wordlist=customlist.txt hash.txt
[odin:52509] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.odin.1000/jf.0/1299054592/shared_mem_cuda_pool.odin could be created.
[odin:52509] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password12shark  (?)
1g 0:00:00:00 DONE (2024-09-08 22:14) 25.00g/s 650.0p/s 650.0c/s 650.0C/s password..otherpassword12shark
Use the "--show" option to display all of the cracked passwords reliably
Session completed
$ john --show hash.txt
[odin:52580] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.odin.1000/jf.0/3210149888/shared_mem_cuda_pool.odin could be created.
[odin:52580] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728
?:password12shark

1 password hash cracked, 0 left
$ unzip -P password12shark test.zip
Archive:  test.zip
replace testfile.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: r
new name: newfile.txt
  inflating: newfile.txt
$ cat newfile.txt
I am a little testfile.

This is absolutely top secret.

I would do all the “heavy” lifting on my gaming laptop, which has a real graphics card built in.

Cracking on a remote computer

How? Copy the files to the remote computer and run hashcat over there:

$ rsync --no-motd -acvhz --stats --del pass/ polaris:pass/
sending incremental file list
./
customlist.txt
hash.txt
list.best64.txt
list.d3ad0ne.txt
list.simple.txt
list.simple2.txt
newfile.txt
pwlist.txt
simple.rule
test.zip
testfile.txt

Number of files: 12 (reg: 11, dir: 1)
Number of created files: 11 (reg: 11)
Number of deleted files: 0
Number of regular files transferred: 11
Total file size: 852,05K bytes
Total transferred file size: 852,05K bytes
Literal data: 852,05K bytes
Matched data: 0 bytes
File list size: 0
File list generation time: 0,004 seconds
File list transfer time: 0,000 seconds
Total bytes sent: 208,34K
Total bytes received: 235

sent 208,34K bytes  received 235 bytes  417,14K bytes/sec
total size is 852,05K  speedup is 4,09

Log in on the remote machine: ssh polaris.

polaris is the short name of the remote computer in my ssh configuration file ~/.ssh/config.

On the remote machine:

$ cd pass
$ hashcat -m 17200 -a 0 hash.txt pwlist.txt -r simple.rule
hashcat (v6.2.5) starting

nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 12.4)
====================
* Device #1: NVIDIA GeForce RTX 2060, 5833/5919 MB, 30MCU

OpenCL API (OpenCL 3.0 CUDA 12.4.131) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: NVIDIA GeForce RTX 2060, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 13

Optimizers applied:
* Not-Iterated
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 263 MB

Dictionary cache built:
* Filename..: pwlist.txt
* Passwords.: 2
* Bytes.....: 23
* Keyspace..: 26
* Runtime...: 0 secs

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

$pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*56e69569c63b3f0ac307d758e4a511cf0088f0f91edeb7bc3e1cb885ce05733ff91f654fb44c54f04ec23c79c44cd0c279fe96f1199542eae900a1533bd390f8bbbc2bc1*$/pkzip2$:password12shark

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 17200 (PKZIP (Compressed))
Hash.Target......: $pkzip2$1*2*2*0*44*39*6059407c*0*46*8*44*6059*a693*...kzip2$
Time.Started.....: Sun Sep  8 22:26:17 2024 (0 secs)
Time.Estimated...: Sun Sep  8 22:26:17 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (pwlist.txt)
Guess.Mod........: Rules (simple.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    27415 H/s (0.48ms) @ Accel:512 Loops:13 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 26/26 (100.00%)
Rejected.........: 0/26 (0.00%)
Restore.Point....: 0/2 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-13 Iteration:0-13
Candidate.Engine.: Device Generator
Candidates.#1....: password -> otherpassword12shark
Hardware.Mon.#1..: Temp: 40c Util:  0% Core:1005MHz Mem:5500MHz Bus:8

Started: Sun Sep  8 22:25:48 2024
Stopped: Sun Sep  8 22:26:18 2024

This is probably the only reason why you would want an NVIDIA graphics card in your computer 😉

Some notes

Most of the files can easily be cracked on my laptop with integrated graphics using either john or hashcat. For more complicated tasks, or tasks that may run longer than expected, I put all that stuff on the gaming laptop and try cracking them over there.

This is sufficient for all my tasks but if you want to do more you should probably consider using a tower with a “real” graphics card (not a mobile one).

Unfortunately current libreoffice files cannot be cracked; or at least, I haven’t found a working routine for now…

Update: Laptop comparisons

Updated on October 13, 2024

The results can probably be increased by using a high-end tower PC with one or more graphics cards.
Notice the units in the following tables (like H/s, kH/s or MH/s)!

Below you see a short comparison between my Lenovo X1 Carbon (Gen7; i7-8665U) and my Tuxedo Polaris 17 (Ryzen 7 4800H) with integrated NVIDIA GeForce RTX 2060.

Only CUDA was used on the Polaris, no CPU was involved. I am not sure if there is any progress for OpenCL on AMD CPUs (I haven’t looked into this as it’s not relevant for me).

WPA-PBKDF2-PMKID+EAPOL

| hash mode | command line | X1 Carbon | Polaris 17 |
|---|---|---|---|
| 22000 | hashcat -m 22000 -D 1,2 -b | 17178 H/s | 152.9 kH/s |

WPA-PMKID-PBKDF2

Deprecated in favor of mode 22000 (see above):

The plugin 16800 is deprecated and was replaced with plugin 22000. For more details, please read: https://hashcat.net/forum/thread-10253.html

| hash mode | command line | X1 Carbon | Polaris 17 |
|---|---|---|---|
| 16800 | hashcat -m 16800 -D 1,2 -b | 16930 H/s | 146.7 kH/s |

WPA-EAPOL-PBKDF2

Deprecated in favor of mode 22000 (see above):

The plugin 2500 is deprecated and was replaced with plugin 22000. For more details, please read: https://hashcat.net/forum/thread-10253.html

| hash mode | command line | X1 Carbon | Polaris 17 |
|---|---|---|---|
| 2500 | hashcat -m 2500 -D 1,2 -b | 15865 H/s | 152.0 kH/s |

PKZIP (Compressed Multi-File)

Expect some OpenCL issues! Only the CPU was used on the X1 Carbon and the Tuxedo Polaris wasn’t able to finish the session.

| hash mode | command line | X1 Carbon | Polaris 17 |
|---|---|---|---|
| 17220 | hashcat -m 17220 -D 1,2 -b | 64116.2 kH/s | N/A (error) |

The X1 Carbon displayed the following warning:

-------------------------------------------------
* Hash-Mode 17220 (PKZIP (Compressed Multi-File))
-------------------------------------------------

* Device #2: Skipping (hash-mode 17220)
             This is due to a known OpenCL runtime and/or device driver issue (not a hashcat issue)
             You can use --force to override, but do not report related errors.

The Polaris aborted with a few of these error messages:

clEnqueueNDRangeKernel(): CL_OUT_OF_HOST_MEMORY

MD5

| hash mode | command line | X1 Carbon | Polaris 17 |
|---|---|---|---|
| 0 | hashcat -m 0 -D 1,2 -b | 1224.0 MH/s | 9527.4 MH/s |

SHA1

| hash mode | command line | X1 Carbon | Polaris 17 |
|---|---|---|---|
| 100 | hashcat -m 100 -D 1,2 -b | 317.9 MH/s | 3029.0 MH/s |

SHA2-512

| hash mode | command line | X1 Carbon | Polaris 17 |
|---|---|---|---|
| 1700 | hashcat -m 1700 -D 1,2 -b | 42721.2 kH/s | 442.4 MH/s |

SHA3-512

| hash mode | command line | X1 Carbon | Polaris 17 |
|---|---|---|---|
| 17600 | hashcat -m 17600 -D 1,2 -b | 36062.7 kH/s | 277.2 MH/s |