ITCooky Recipes

Lets cooky it yammy things!

How to find forgotten password for RAR ZIP archive using John-the-ripper!

дата September 17, 2022

The usual everyday situation – an old file, a forgotten passwords, what can be done? It can be found by trying all possible passwords in an appropriate time using GPU, of course, if it is a human password and not 8 characters with a lowercase letter, a uppercase letter, a Cyrillic, an English, a number, a special character! You can also do it on the CPU and not on the GPU, but instead of months it will take years, it’s all about the cores in the processors, there are only a dozen cores in the CPU and there are thousands in the video card.

I chose John-the-ripper because he (John) at least showed signs of life – it worked, but of course he has a lot of quirks, but first about the quirks of Ubuntu 22!

In Ubuntu we can install it from the repositories
sudo apt-get install john-the-ripper
but it is older version 1.8 where there is no modern settings at all

You can install it via snap
sudo snap install john-the-ripper
I don’t like snap and now it’s obvious why. If you install via snap, you can’t change the installed package files on your system, well no way, even if the developers write you have to edit the config file, snap won’t let you do this. You can copy the configuration to another location, edit it and run jhon like this
john --config=./myjohn.conf ...

But but there is another problem John-the-ripper from snap in Ubuntu does not want or it cannot work with OpenCL
john --list=opencl-devices

Error: No OpenCL-capable platforms were detected by the installed OpenCL driver.
Error: No OpenCL-capable devices were detected by the installed OpenCL driver.

And therefore it is necessary to install it in the third way according to the instructions here this one INSTALL-UBUNTU

I already have the Nvidia drivers installed of course and to be honest I don’t know what helped me… here all the commands from the instructions

mkdir -p ~/src
sudo apt-get -y install git build-essential libssl-dev zlib1g-dev

this one
sudo apt-get -y install nvidia-opencl-dev
was already installed
cd ~/src
git clone -b bleeding-jumbo john
cd ~/src/john/src
./configure && make -s clean && make -sj4

lets see
./src/john/run/john --list=opencl-devices
after CPU

Platform #1 name: NVIDIA CUDA, version: OpenCL 3.0 CUDA 11.7.101
    Device #0 (2) name:     NVIDIA RTX A4500
    Device vendor:          NVIDIA Corporation
    Device type:            GPU (LE)
    Device version:         OpenCL 3.0 CUDA
    Driver version:         515.65.01 [recommended]
    Native vector widths:   char 1, short 1, int 1, long 1
    Preferred vector width: char 1, short 1, int 1, long 1
    Global Memory:          20183 MiB
    Global Memory Cache:    1568 KiB
    Local Memory:           48 KiB (Local)
    Constant Buffer size:   64 KiB
    Max memory alloc. size: 5045 MiB
    Max clock (MHz):        1650
    Profiling timer res.:   1000 ns
    Max Work Group Size:    1024
    Parallel compute cores: 56
    CUDA INT32 cores:       3584  (56 x 64)
    Speed index:            5913600
    Warp size:              32
    Max. GPRs/work-group:   65536
    Compute capability:     8.6 (sm_86)
    Kernel exec. timeout:   yes
    NVML id:                0
    PCI device topology:    0a:00.0
    PCI lanes:              16/16
    Fan speed:              54%
    Temperature:            79°C
    Utilization:            100%

I didn’t understand the line

CUDA INT32 cores:       3584  (56 x 64)

there should be 7168 CUDA’s, exactly double that!

Password Guessing Strategy
First you need to create a file with a HASH password
./src/john/run/rar2john test_en.rar > ./output.txt

That one was for RAR and that one for ZIP
./src/john/run/zip2john test_en.rar > ./output.txt



By default, John is sharp to select English passwords, there is even a list of frequently used passwords, for the test, of course, I will simplify the work for him, we will select a password only from English lowercase letters

For this in the file./src/john/run/john.conf


# Subsets mode charsets 0-9. These are literal strings. TAB and space
# characters can be used as long as they do not come first or last. The only
# "magic" used here is \U+HHHH or \U+HHHHH for any Unicode character (except
# the very highest private area that has six hex digits). For example, you

instead of 6th line (they are there from 0 to 9) we add

6 = abcdefghijklmnopqrstuvwxyz

Here, by the way, the Russian alphabet is already written on the fourth line. You will have to play around with this to type the most likely characters from different languages to get the fastest result!

and run it first on the video card
./src/john/run/john --subsets=6 --format=rar5-opencl ./output.txt
–format=rar5-opencl – here 5 because the archive is the latest version of WinRAR and opencl so that it can be processed on the video card
–subsets=6 – 6th line of symbols

start the calculation

[Device 2: NVIDIA RTX A4500
Using default input encoding: UTF-8
Loaded 1 password hash (RAR5-opencl [PBKDF2-SHA256 OpenCL])
Cost 1 (iteration count) is 32768 for all loaded hashes
LWS=32 GWS=131072 (4096 blocks) 
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
0g 0:00:00:00 1.00% (4) (ETA: 11:58:14) 0g/s 0p/s 0c/s 0C/s Dev#2:53°C
0g 0:00:00:03 19.73% (4) (ETA: 11:58:29) 0g/s 42974p/s 42974c/s 42974C/s Dev#2:56°C grgrgggg..yyxn

the number 4 in parentheses indicates how many characters of the password are currently being sorted, also shows the temperature of the card, just in case

More detailed information can be obtained by clicking s

Remaining hashes    1 (0 removed)
Remaining salts     1 (0 removed)
Time in seconds     817 (476.01 new)
Successful guesses  0 (0 new, 0 g/s)
Passwords tested    52953088 (30670848 new, 64433 p/s)
 dupe suppressor    is disabled
 and it accepted    0 (0.00%, 0 p/s)
        rejected    0 (0.00%, 0 p/s)
    out of total    0 (0 p/s)
Hash computations   52953088 (30670848 new, 64433 c/s)
Hash combinations   52953088 (30670848 new, 64433 C/s)

Most of the buttons only update the preview where you are currently moving

0g 0:03:45:45 1.62% (7) (ETA: 2022-09-14 03:51) 0g/s 65714p/s 65714c/s 65714C/s Dev#2:82°C jehhhjheehj..ekkkkhhhehh

I have 7 letters in my password, and when I try to guess 7 letters, I realized that I have overdone it! In the ETA (estimated time of arrival in English) it showed me in five days: it is a very long search, but then I realized, no not how to speed it up, but why they ask you to change the password every 3 months, even though it’s already very complicated, because there is no computer on Earth that can brute force a complex password in three months!

here I remember Wheat and chessboard problem, as an example of what at first glance seemed insignificant, but then turned out to be enormous and impossible – and here, by the way, it started with only 2 exponentiate – and here it starts with 26 letters and is raised to itself with the sum of each character …. uh, for my test I will make a password of 4 lowercase letters!!!

And that’s it

0g 0:00:00:13 39.84% (4) (ETA: 16:00:17) 0g/s 62966p/s 62966c/s 62966C/s Dev#2:58°C oywa..bhxu
itco             (test_en4.rar)     
1g 0:00:00:14 54.18% (4) (ETA: 16:00:10) 0.07137g/s 65489p/s 65489c/s 65489C/s Dev#2:59°C lxfc..emdz
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

GPU finds the itco password of four lowercase English letters in 17 seconds!

Here john has a weird thing, john remembers the HASH for which he found the password and doesn’t finde for them anymore he just says.

No password hashes left to crack (see FAQ)

And it does not show you the passwords already found
./src/john/run/john --show

Password files required, but none specified

But the passwords are in his folder in the john.pot file
cat ./src/john/run/john.pot


Here it is at the end of the line.

And in order for us to start the password lookup again, we need to delete this file
rm ./src/john/run/john.pot

But there are some useful quirks in john, you can restart the password lookup from the last place when it was interrupted or crashed with an error
./src/john/run/john --restore
Here the strange thing is that there is no configuration, that is, it only works with the last search, and not all the other attempts.

What does it cost to add one more letter? Each subsequent letter only increases the search time by 26 times.
5 – 7 min
6 – 3.2 h
7 – 3.4 days
8 – 89 days
This is why everyone is told to create an 8-character password, no one will want to look for it! And if you add a capital letter, it will already be 52 exponentiate, and if it is a Cyrillic (without specifying lowercase or uppercase), then 118 AAAAAAA!

And how does it do it in CPU
17 sec 62966p/s – GPU NVIDIA RTX A4500
317 sec 2767p/s – CPU AMD Ryzen 7 3700X

On a video card, it’s almost 18 times faster – you can get a password in a couple of months instead of years 🙂

What can be done?
Recall back in the years of creating the archive, you may have created passwords with just letters; this greatly simplifies the process. If then you mixed letters from different languages and even inserted special characters then … but on the other hand, for years you did not know and did not remember about this file! A hard time guessing it for a year, and not even you will do it, but your card of video, the price of the problem (video card) is not important compared to nostalgia… and electricity also costs!

You can completely humiliate yourself and decide that you made a password from a word without numbers without capital letters, then a dictionary selection will work.
Find a dictionary of your language in a list and
./src/john/run/john –wordlist=./word_rus.utf8 –format=rar-opencl ./output.txt

Maybe yes?! But 100% sure not!

Leave a Reply

Your email address will not be published. Required fields are marked *