Password cracking is a technique for recovering the password of an encrypted file. It uses a wordlist (a list of common passwords) to brute-force the encrypted file until the correct password is found. John the Ripper, an open-source password-cracking tool, is often used for password recovery and security testing. It is important to note that this process cannot be used for illegal purposes.
Let’s dive into the process of cracking an encrypted file password.
John the Ripper is a command-line tool. To demonstrate the process of decrypting encrypted files, we need certain files. The first requirement is the target password-protected file. We will use an encrypted PDF for this demonstration, which can be created using the following steps:
1. We create a Word file and add secret content within the Word file.
2. We save it as a PDF.
3. We go to a PDF encryption site online and set our password.
The downloaded PDF is now our target encrypted PDF to test John the Ripper, but we can also use other sorts of target files. We write the following command in the terminal to check the formats that John the Ripper supports:
./john --list=formats
./john: This is the keyword to start the John the Ripper script.
--list: This is the flag that indicates the list we need to print. Here, we printed the formats supported by John the Ripper.
Lastly, we need a wordlist containing commonly used passwords stored within the file. John the Ripper uses the hashes of the passwords in the wordlist to compare against the hash of the password of the encrypted PDF file. In this demonstration, we have a wordlist called rockyou.txt. Using this, we can tell that John the Ripper uses the
John the Ripper uses brute force and dictionary attacks to decrypt the encrypted files. It is important to note that it directly decrypts the file and doesn’t show the concluded password. So, we use it to extract the encrypted file’s contents.
The encrypted file password is run against each password in the wordlist. Because the method to determine the password is hash comparison, we first need to extract the hash of the password used for encrypting the PDF file. John the Ripper uses a pdf2john.pl script to extract the hash of the password used for the encrypted file. To do so, we navigate to the “john/run” folder and execute the following command:
./pdf2john.pl test_protected.pdf > hash.txt
./pdf2john.pl: This is the keyword to execute the pdf2john script, which helps in extracting the hash of the password of the encrypted PDF file and storing it in the hash.txt file.
test_protected.pdf: This is the encrypted PDF file to extract the password from.
hash.txt: This is the output file to store the hash of the extracted password.
Once complete, we must run John the Ripper with the wordlist and the hash extracted from the encrypted PDF file. We run the following command to decrypt the file using the extracted hash of the password:
./john --format=PDF --wordlist=rockyou.txt hash.txt
./john: This is the keyword to start the John the Ripper script.
--format: This is the flag to indicate the format of the target encrypted file.
--wordlist: This is the flag to indicate the path to the wordlist.
hash.txt: This is the file containing the hash of the extracted password of the encrypted file.
The output of running the command is the cracked password to the encrypted file, test_protected.pdf. The “Password Not Cracked” output occurs when the hash in the hash.txt file does not match the hash of any password in the wordlist.
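The steps above, put together as a shell script. This is an added example, not code from the original page or from the John the Ripper project: it wraps the page's commands (the format check, pdf2john.pl, john with a wordlist) and adds the checks a practitioner wants between them, such as refusing to continue when pdf2john.pl writes an empty hash file. It assumes it is run from john's "run" folder, as the page does, and that john stores cracked passwords in its pot file so that "./john --show" later prints them as "name:password" lines followed by a summary line such as "1 password hash cracked, 0 left"; that output format is my description of the tool, not something stated on the page. The file names are the page's own.

```shell
#!/bin/sh
# Added example (not the page's or the project's code). Wraps the workflow:
# format check -> pdf2john.pl -> john --wordlist -> john --show.
# Assumes the current directory is john's "run" folder.

# Does the comma-separated output of "./john --list=formats" (read from
# stdin) contain the named format?  Usage: ./john --list=formats | list_has_format PDF
list_has_format() {
    tr ', ' '\n\n' | grep -qix "$1"
}

# Step 1: extract the PDF's password hash. Fails if the PDF is missing or if
# pdf2john.pl wrote nothing (for example, when the PDF is not encrypted).
extract_pdf_hash() {
    pdf="$1"; out="$2"
    [ -f "$pdf" ] || { echo "no such file: $pdf" >&2; return 1; }
    ./pdf2john.pl "$pdf" > "$out" || return 1
    [ -s "$out" ] || { echo "pdf2john.pl produced no hash for $pdf" >&2; return 1; }
}

# Step 2: the dictionary attack from the page, with the flags spelled out once.
run_wordlist_attack() {
    hashfile="$1"; wordlist="$2"
    [ -f "$wordlist" ] || { echo "no such wordlist: $wordlist" >&2; return 1; }
    ./john --format=PDF --wordlist="$wordlist" "$hashfile"
}

# Step 3: john remembers cracked hashes in its pot file and "./john --show"
# prints them as "<name>:<password>" lines followed by a summary such as
# "1 password hash cracked, 0 left" (assumed output layout). Read that output
# from stdin and print only the password of the first cracked entry, or the
# page's "Password Not Cracked" when nothing in the wordlist matched.
# Everything after the first colon is the password, so a ':' inside it survives.
parse_show_output() {
    awk '
        /password hash(es)? cracked/ { summary = 1; next }
        summary || found || index($0, ":") == 0 { next }
        { pw = substr($0, index($0, ":") + 1); found = 1 }
        END { print (found ? pw : "Password Not Cracked") }
    '
}

# Whole procedure:  crack_pdf test_protected.pdf rockyou.txt [hash.txt]
crack_pdf() {
    pdf="$1"; wordlist="$2"; hashfile="${3:-hash.txt}"
    ./john --list=formats | list_has_format PDF \
        || { echo "this john build lacks PDF support" >&2; return 1; }
    extract_pdf_hash "$pdf" "$hashfile" || return 1
    run_wordlist_attack "$hashfile" "$wordlist" >&2
    ./john --show --format=PDF "$hashfile" | parse_show_output
}
```

Source the script in the "run" folder and call crack_pdf test_protected.pdf rockyou.txt; john's own progress output goes to stderr, and the only line on stdout is the recovered password or "Password Not Cracked". Reading the result back through --show rather than from the attack's screen output matters in practice: if the hash was already cracked in an earlier run, john skips it and prints nothing new, but --show still reports it from the pot file.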
You can test the decryption process on the test_protected.pdf encrypted file and the rockyou.txt wordlist to test your comprehension of the subject. Once you run the commands above in a terminal, you can see the cracked password for the file named test_protected.pdf.