Welcome back everyone. Today we're going to practice breaking passwords on files. These could be individual files, or it could be password-protected or encrypted disks. It's a very important skill for digital investigators to have, because it's very easy now to put a password on a Word document, a PDF, a JPEG, whatever it is you want to protect or encrypt. So investigators need to know how to at least recover simple passwords for different types of files. What we're going to be using today is John the Ripper to do brute-force password recovery. I've created two files here. One is called secret.pdf. If you open it up, it asks for the password, and if you give the wrong password, nope, you can't get into it. The other one is a zip file, help.zip. I can tell from the file name inside that there's some sort of JPEG in it; if I try to open it, I can see what is most likely a JPEG image, but if I try to open that, nope, nothing. Both of these might have potentially interesting evidence inside that I want to recover, so I'm going to use John the Ripper to try to recover it. John the Ripper is a freely available command-line tool for brute-force password cracking. I'm going to run it from the command line. The commands for Windows and Linux are pretty much the same; it works on Windows, Linux and OS X, so you can do the same as what I do here on any of them. For all operating systems you can download pre-compiled binaries, so you don't have to build them yourself. I built the binaries from source: you download the source folder, go into the src folder, and run ./configure, then make and make install like usual.
Okay, after you do make, inside the run folder you get a bunch of different binaries. Most of these are extra helper utilities for extracting hashes. What we really want is john, the actual tool that does the password cracking. Just to show you what brute-force password cracking is: it's trying to guess all possible combinations of letters, numbers and special characters in a password. We can actually see what john is doing. In Linux you run a program with ./, so ./john; on Windows you would just type john.exe. Then we add --incremental and --stdout. What this does is generate passwords incrementally and write them to standard output, basically my screen. If I press Enter... now I'm going to stop this, and we can see exactly what it's doing. In this case it's generating numbers, but if I scroll up far enough we'll get back to letters; it's generating a bunch of number and letter combinations. Now it's not exactly incremental, so it doesn't go 20, 21, 22, 23. What john is trying to do is guess the most likely combinations first, based on certain patterns, and you can configure what those patterns are. But basically it's going through and trying a bunch of different patterns of characters. So john generates a candidate password, and then it hashes that password with whatever hash type is used for zip files or PDFs or whatever it is you're trying to crack. It generates the password, hashes it, and compares the hashes. If the hashes are the same, then that password is effectively the same as the real one, or should be.
Okay, so john can both generate brute-force candidate passwords and hash them. So let's start working on this. First I'm going to get the password hash for secret.pdf. The PDF stores the password hash inside the file, so if we know where that hash is located, we can extract it and run it through John the Ripper. Luckily for us, John has a tool called pdf2john, which is a Perl script. So if we run ./pdf2john.pl and point it at the file on my desktop, desktop/secret.pdf, and press Enter, then this is the password hash extracted from the PDF file. Now I need to save that somewhere, so I'm going to redirect it to a file on my desktop called pdf.hash. So what I'm doing here is using pdf2john to extract the password hash from secret.pdf and saving it to a file on the desktop called pdf.hash. Press Enter, and now we have pdf.hash; if I open it up, you can see the hash value. Now that we have the hash value, I'm going to run ./john, which is what actually tries to crack the password hash, and feed it the hash file we just extracted: john, and then the file I saved the password hash in. Hit Enter. What we want to see is "Loaded 1 password hash"; that's good, because we did want it to load a password hash. It detected that it was a PDF, and this is the hash type it's going to try to crack. It's running on eight OpenMP threads, so it's using eight processors, and these are just CPUs. If you set John up to use GPUs, it will go much, much faster. Right now it's cracking. If I press any key, you can see the current progress and basically how fast it's guessing. So it's not guessing a lot here.
For this password, I know it's simple, so it should take a couple of seconds. Okay, now it's finished, and it tells us how long it took to actually crack it: one minute. The reason it took one minute is not because my computer is extremely fast; it's because the password was very, very easy. Now we want to actually see what the password is, so we use the show option: john --show, and then the same hash file you gave it before, desktop/pdf.hash. Enter. Then this is the output format: for secret.pdf, the password is test12. That's a pretty easy password. So if we open up the PDF now and type in test12, we can see the content: "the peanut is in the butter". Okay, great. Next, let's try to crack the zip file. We need to do the same thing. Luckily for us there's another utility called zip2john; here it is. zip2john is not a Perl script, but anyway, we run ./zip2john and give it the zip file, which is called help. If I do this, we can see the hash value, and it's a different type of hash for the zip file. I just want to save it again to the desktop like I did before, and I'm going to call this zip.hash. Now I just need to run ./john and give it zip.hash. So: I ran zip2john on the zip file, saved the hash value into zip.hash, and gave john the hash file. Hit Enter. One password hash loaded, it's detected as ZIP, WinZip, this is the hash type, and it'll run on eight OpenMP threads. That looks good. Now we just wait for it to crack. Okay, now it's finished, so we do it like last time: john --show, then the hash file we had, and hit Enter.
And then we can see that the password in this case, for help, is test21. So if we try to open this up and type in test21, we can open up the image. Right. Now, one thing I want to point out. If you scroll way up, okay, I don't want to go past the hash, but last time it took one minute to finish hashing and find the password. This time it took six minutes. I skipped ahead so you don't have to watch it all, but it took six minutes to get this one on this system. Before, the password was test12; this time the password is test21. So why did it take so much longer for test21? Because it's much more common, for example, to have the pattern of some word and then 1234 than a word followed by a reversed number, and john tries the more common patterns first. Now we eventually found it, and we found it in only six minutes, so it's still a really bad password. But just be aware that whenever you are trying to break a password, an odd combination costs time. Even just reversing the digits isn't very normal, because people normally do 1234, or something like abc1234, rather than backwards. So small variations can have a huge impact on the time it takes to break passwords. Again, I chose really simple passwords that break pretty easily. Notice these are six-character passwords: t, e, s, t, 1, 2. Six-character passwords on my system, which isn't even very powerful, I can break pretty quickly. So if you have six or fewer characters, you're, let's say, pretty insecure. The more characters you have, the longer it's going to take. And by default, John is set, I think I need to check again, but I'm pretty sure there's an eight-character limit in the default configuration.
So you do need to go in and modify your configuration if you know that passwords are going to be longer, especially for Korean. Right now it's just testing basically the ASCII character set. So if you want to do Unicode, you also have to get different dictionaries and different word lists and tell John how to use those words. Okay, so that's it for basic password cracking. Thank you very much.
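To make two points from the talk concrete, the generate-hash-compare loop that john runs for every candidate, and why the candidate order made test21 take so much longer than test12, here is an added example. It is not John the Ripper's code and not from the video. The hash is a stand-in: real PDF and ZIP formats each have their own key derivation, salt and verifier layout, so this assumes a salted PBKDF2-HMAC-SHA1 with a small iteration count purely so the demo runs quickly. The wordlist, salt and rule set are constructed for the example.

```python
# Added example (not John the Ripper's code): a miniature hash cracker that
# shows the loop john runs for every guess: generate -> hash -> compare.
# ASSUMPTION: the hash below is a stand-in. John's PDF and ZIP "formats"
# implement each file type's own key derivation and verifier; here we use a
# salted PBKDF2-HMAC-SHA1 with few iterations so the demo finishes fast.
import hashlib
import itertools
from typing import Iterable, Iterator, List, Optional, Tuple

ITERATIONS = 1000  # assumption for the demo; real formats fix their own count


def hash_password(password: str, salt: bytes) -> bytes:
    """Stand-in for the per-format hash john computes for each guess."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, dklen=20)


def wordlist_rules(words: Iterable[str]) -> Iterator[str]:
    """Wordlist mode with a few john-style rules: the bare word, a capitalised
    form, and the word followed by an ascending digit run (1, 12, 123, 1234).
    This is the 'word then 1234' pattern the talk calls most common."""
    for w in words:
        for base in (w, w.capitalize()):
            yield base
            for suffix in ("1", "12", "123", "1234"):
                yield base + suffix


def mask(words: Iterable[str], digits: int) -> Iterator[str]:
    """Mask mode: every word followed by every digit string of length `digits`
    (word?d?d for digits=2). Covers reversed runs like 'test21', but costs
    10**digits guesses per word instead of four."""
    for w in words:
        for combo in itertools.product("0123456789", repeat=digits):
            yield w + "".join(combo)


def incremental(charset: str, max_len: int) -> Iterator[str]:
    """Exhaustive mode: every string over `charset` up to `max_len`, shortest
    first. The number of candidates is keyspace(len(charset), max_len)."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def keyspace(charset_size: int, max_len: int) -> int:
    """How many strings incremental mode must try up to max_len characters."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def crack(target: bytes, salt: bytes, candidates: Iterable[str],
          limit: int = 1_000_000) -> Tuple[Optional[str], int]:
    """Hash each candidate and compare with the stored hash.
    Returns (password or None, number of guesses tried)."""
    tried = 0
    for guess in candidates:
        tried += 1
        if hash_password(guess, salt) == target:
            return guess, tried
        if tried >= limit:
            break
    return None, tried


def crack_chain(target: bytes, salt: bytes, words: Iterable[str]) -> Tuple[Optional[str], int, str]:
    """Run the modes cheapest-and-likeliest first, the way john's default run
    tries wordlist-style guesses before exhaustive incremental mode.
    Returns (password or None, total guesses across stages, stage that hit)."""
    word_list: List[str] = list(words)
    stages = [
        ("wordlist+rules", wordlist_rules(word_list)),
        ("mask word?d?d", mask(word_list, 2)),
        ("incremental", incremental("abcdefghijklmnopqrstuvwxyz0123456789", 4)),
    ]
    total = 0
    for name, gen in stages:
        found, tried = crack(target, salt, gen)
        total += tried
        if found is not None:
            return found, total, name
    return None, total, "exhausted"


WORDS = ["password", "secret", "test", "help"]  # constructed mini wordlist
SALT = b"\x00" * 8  # constructed; real formats carry the salt inside the file


if __name__ == "__main__":
    for pw in ("test12", "test21"):
        found, guesses, mode = crack_chain(hash_password(pw, SALT), SALT, WORDS)
        print(f"{pw}: recovered {found!r} after {guesses} guesses in stage {mode}")
    print("candidates for 6 chars of [a-z0-9]:", keyspace(36, 6))
```

With this ordering, test12 falls out of the cheap wordlist-plus-rules stage after 23 guesses, while test21 survives all 40 rule-generated candidates and is only caught by the mask stage, 262 guesses in total; that gap is the same effect the talk saw as one minute versus six. The keyspace function shows why length matters more than odd digit order: six characters of lowercase-plus-digits alone is over two billion candidates for exhaustive mode, and every extra character multiplies that by the charset size.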