Cracking KeePass Database

In this post I will describe how you can crack a KeePass Database file (.kdbx) in an easy way. Or to be correct we are not cracking the DB, we are cracking the password hash.

To demonstrate this I created a new database that I called “SecretDB.kdbx” and our mission will be to find out which master password I chose for the database.

Keepass-DB-file

To be able to crack the hash we will need to extract and save it and that can be done with the John the ripper utility tool “keepass2john“. It comes with Kali Linux so you don’t have to install it.

What you do to extract the hash is really simple, you just run:

keepass2john SecretDB.kdbx


You can also send the output to a file by adding “>” like I did in the screenshot below.

keepass2john SecretDB.kdbx > Keepasshash.txt

keepass2john-screenshot

We now have our hash ready to be cracked. In this example we will try to crack it using a dictionary and John the ripper. I used a modified version of rockyou.txt as dictionary. You can also use other great cracking tools like hashcat but I went with john here.

We run john and specify our custom wordlist with “–wordlist” parameter and then define our hash file.

john --wordlist=rockyou.txt KeepassHash.txt

We then just let it run for some time and as soon as we crack the hash it will be displayed. As you can see in the screenshot we did crack the hash and the password of this SecretDB.kdbx-database was “SuperSecretPassword2020”.

I hope you found this post useful and make sure to not use weak password for your database.

// Rickard

How to crack hashes with John the Ripper – Linux

In this post I will show you how you can crack passwords with John the Ripper. We will start off by collecting the hashes from a linux machine, then use the tool unshadow and at last crack the hashes with John the Ripper.

john the ripper

1 – Collect hashes from a Linux machine
We will start with collecting the hashes from the target machine. We will need both /etc/passwd and /etc/shadow. Save them to your Kali Linux machine, preferably on the desktop. It can be done with the following commands.
cat /etc/passwd > ~/Desktop/passwd.txt

/etc/passwd

cat /etc/shadow > ~/Desktop/shadow.txt

/etc/shadow


2 – Combine passwd and shadow with unshadow
Now we need to combine these two files into one. This can be done with the tool unshadow.
unshadow passwd.txt shadow.txt > hashtocrack.txt

unshadow passwd and shadow files


3 – Crack with John
Now we are ready to crack the hashes. John can run in different modes. You can use wordlists or straight brute force. The method I will use in this example is wordlist mode since that is the most effective way. Brute forcing takes a lot of time and I recommend you to only use it as a last resort when your wordlists won’t crack the hashes. In this example we define the wordlist to use to the built in rockyou.txt.
john --wordlist=/usr/share/wordlists/rockyou.txt hashtocrack.txt

crack with rockyou.txt

4 – Show cracked credentials
If you let john run you will be prompted with the credentials as soon as they have been cracked. In this example we can see that the the password for the user SuperAdmin was Password1.

We can also come back at a later time and check the credentials again by defining the unshadowed file and add the parameter –show.

john hashtocrack.txt --show

//Rickard

Crunch

Today I will continue to write about tools that you can use to generate wordlists. Today we will take a look at crunch.

crunch
Where you can find crunch in Kali Linux.

Background and the functionality:
Crunch is another great tool that can be used to create wordlists. The tool was initially released in 2004 and the author is bofh28 according to tools.kali.org.

You use the tool to generates wordlists based on the charset you specify.

How to get started with Crunch:
To make sure that you have crunch installed, which comes pre-installed with Kali, you just open up the terminal and write crunch.

installed

If you start off by running the tool with only the required parameters you will get all possible words using all characters. So if you for example run “crunch 8 8” you will get all words that are eight characters long.

You can also specify which characters you want to use for your wordlist.

t-768x390

In the example above you can see that we specified all worlds between 5-6 that uses the following charcters: abcd123.

3-2
Here you can see the start and end of the file we just created.

-o
With the -o variable you can chose where the output should be saved.
Example: crunch 8 8 -o wordlist.txt

-b
With the -b parameter you can specify how big wordlist-files you want. In the example below I first created a wordlist with the size of ~2kB. When I use the -b parameter to define that each file only can be 1kB big you see that three files was created instead and none of them were bigger than 1kB.

b
An example of how you can use the -b parameter.

-i
With the -i parameter you can invert the order of the words. If you use crunch 3 3 without using the -i parameter you will get a file that starts with

  • aaa
  • aab
  • aac

If you use -i you will instead get the following result:

i

-t
The -t parameter is one of my favorites to use. If you know that a password uses a special pattern you can use the -t parameter to specify that pattern and reduce the amount of words in your list significantly and make your wordlist more efficient.

A normal use case can be that you got information about that many users in your targets company creates passwords based on the current season, for example Summer2019! . You can then create a wordlist based on that structure.

t-768x390
An example on how you can use the -t parameter.

You can use the following characters to build your patterns:

  • @ will insert lower case characters
  • , will insert upper case characters
  • % will insert numbers
  • ^ will insert symbols

-z
You can also use the -z parameter to compress and create an archive-file. You can choose between gzip, bzip2, lzma and 7z. Gzip is fastest but compression is minimal while 7z is slowest with best compression.

z
An example on how you can use the -z parameter.

That was everything for this time. Please contact me if you feel like I missed something or if you want to share any special tips and tricks for Crunch.

Thanks
/R

Cewl

This is the first blog post in my series where I will go through all built-in Kali Linux tools. I will write information about how the tools work and give you examples on when to use them. This will be an excellent way for me to learn the tools in depth and hopefully it can come in handy for some of you.
I won’t get much enjoyment if I write about them in one by one from top to bottom since that will be boring. The first tool I will write about is from section 05- Password Attacks and the tool I have chosen to start with is CeWL.

Background and the functionality:
CeWL is a tool that was created by Robin Wood and it is used for creating custom word lists based on the text from a target website. It can come in handy to use this tool if you are doing a pen test and you haven’t been successful with your usual word lists and want to create one that is more customized for the target company.

cewl
CeWL from Kali Linux

CeWL are built in Ruby and the main idea is that the program spiders the specified URL according to the configuration and returns a list of words that was found on that site. These custom word lists can later be used when trying to crack passwords with the other available tools. In a later post I will show you how that is being done.

How to get started with CeWL:
So how do you use CeWL then? It’s pretty easy and straight forward and you can get out the most information from the manual which you get by running “man cewl”. I will go through some of the most common options that you can configure and these are:

  • -w
  • -d
  • -m
  • –with-numbers
  • -c
  • -e

-w
Define where the word list should be saved. example: customwordlist.txt
-d
Define the depth the scan should spider. Default value is 2 and that means that it will go to all links that are presented on the defined URL and collect words from them as well.
-m
Define the minimum length of a word. No words with less characters than this will be saved.

So let’s try it and see how it works in practice. For this example I will just use a website that I know include many words and which site are better than Wikipedia? I’ve set the parameters to depth = 1 and characters = 10.

An example on how to use CeWL to generate a custom word list based on a URL.

It can take some time if you want to spider through many sites but if you use a configuration like mine it will be very quick and in this example I got out 1895 useful words.

wordcount
An example on how you can count the number of files in the file.

–with-numbers
Accept words where numbers are included as well. Like for example the word below. “Riteshkumar1256”.

In the figure you can see the first ten entries in the list that was created.

-c – counts number of entries
If you add the -c parameter the tool will also count how many times each word was found on the site. You can use that for many purposes and one example is that you easy can find out which words the company likes to mention and that might be something users uses in their passwords.

An example on how you can use the -c parameter for CeWL.

-e – includes email addresses
You can also save all email addresses that can be found on the website to a file. Perfect for recon and helps you find mailboxes at the target company. If you also include –email file you can specify where you want to save the emails addresses.

An example on how you can use the -e parameter for CeWL.

That was everything for this time. Please contact me if you feel like I missed something or if you want to share any special tips and tricks for using CeWL?

Thanks
/Rickard

Copyright © 2019