Crack Password-Protected RAR Archives


Introduction

In this lab, you will learn the process of cracking a password-protected RAR archive. This is a common task in penetration testing and digital forensics. You will use a combination of powerful, industry-standard tools available on Linux: rar for creating the archive, the John the Ripper suite (specifically rar2john) for extracting a hash from the archive, and Hashcat for cracking the hash to reveal the original password.

The process involves creating a sample protected file, extracting its password hash, identifying the correct hash type for the cracking tool, and finally, launching a dictionary attack to find the password. This hands-on exercise will provide you with a fundamental understanding of password cracking mechanics.

Create a Password-Protected RAR File

In this step, you will create a password-protected RAR archive. This will serve as the target for our password cracking exercise. We will use the rar command-line tool. The lab environment has already created a sample file named secret.txt in your current directory, /home/labex/project.

First, let's use the rar command to create an archive. The a command stands for "add to archive". Two switches matter here. -hp<password> encrypts both the file data and the archive headers, so even the names of the files inside are hidden; the related -p<password> encrypts file data only and leaves names and sizes readable. -ma4 selects the RAR 4.x container format: rar 5.0 and later create RAR5 archives by default, and the two formats use different encryption schemes and therefore need different cracking modes. We will use -ma4 and -hp with the password labex, which is the combination that produces the RAR3-hp hash cracked later in this lab.

Execute the following command in your terminal to create a password-protected archive named secret.rar containing the secret.txt file. The password is attached directly to the switch, with no space. (Outside a lab, give -hp with no password and rar will prompt for it, which keeps the password out of your shell history and the process list.)

rar a -ma4 -hplabex secret.rar secret.txt

You will see output indicating that the file is being added and the archive is being created.

RAR 6.12   Copyright (c) 1993-2022 Alexander Roshal   17 May 2022
Trial version             Type 'rar -?' for help

Evaluation copy. Please register.

Creating archive secret.rar

Adding    secret.txt                                                      OK
Done

Now, verify that the secret.rar file has been created in your project directory using the ls -l command.

ls -l
total 12
-rw-r--r-- 1 labex labex  338 Dec 05 10:30 secret.rar
-rw-r--r-- 1 labex labex   25 Dec 05 10:28 secret.txt
-rw-r--r-- 1 labex labex   29 Dec 05 10:28 wordlist.txt

You have now successfully created the target file for this lab. Because the headers are encrypted, even listing the archive with rar l secret.rar prompts for the password; without it nothing about the contents, not even the file name, is visible.

Use rar2john to Extract the Hash from the RAR File

In this step, you will use rar2john, a utility from the John the Ripper suite, to extract the password hash from secret.rar. Neither John nor Hashcat reads the archive itself; they need a single text line holding the pieces that let a candidate password be checked, namely the salt and a small block of encrypted data. rar2john reads the RAR headers and prints exactly that line.

Run the following command to process the secret.rar file:

rar2john secret.rar

The command prints one line: the archive name, a colon, and the hash.

secret.rar:$RAR3$*0*b51874e2d3731234*f82b2123456789012345678901234567:8:secret.txt:24:0

The $RAR3$*0*...*... token is what matters. Its fields, separated by *, are the format marker with type 0 (encrypted headers), the 8-byte salt, and the first 16 bytes of the encrypted header. That is all a cracker needs: derive a key from a candidate password and the salt, decrypt those 16 bytes, and see whether a valid header comes out. The fields after the second colon are bookkeeping that John the Ripper uses for its own display. To make the hash easier to use, it's best practice to save this line to a text file.

Use output redirection (>) to save the hash into a file named rar_hash.txt.

rar2john secret.rar > rar_hash.txt

This command won't produce any visible output because the output is being redirected to the file. You can confirm the file was created and contains the hash by using the cat command.

cat rar_hash.txt
secret.rar:$RAR3$*0*b51874e2d3731234*f82b2123456789012345678901234567:8:secret.txt:24:0

You now have the RAR hash in a format that password cracking tools can understand.

Identify the Correct Hash Mode for RAR3-hp or RAR5

In this step, you will identify the correct mode for Hashcat to use when cracking the hash. Hashcat supports hundreds of different hash types, and you must specify the correct one using a mode number.

The hash you extracted begins with $RAR3$*0*. $RAR3$ marks the encryption scheme of RAR 4.x archives (John and Hashcat both call it RAR3); the 0 that follows means the headers are encrypted, which is what -hp produces. An archive protected with -p alone yields $RAR3$*1*, and a RAR5 archive yields $rar5$. Each prefix maps to a different Hashcat mode, which you can find by searching its help output.

Use the following command to list all Hashcat modes and filter for those related to "RAR". The -i flag in grep makes the search case-insensitive.

hashcat --help | grep -i "RAR"

The output will show the RAR modes supported by Hashcat. The two RAR3-p entries appear on Hashcat 6.2.0 and later; older builds list only 12500 and 13000.

...
12500 | RAR3-hp                                      | Archives
13000 | RAR5                                         | Archives
23700 | RAR3-p (Uncompressed)                        | Archives
23800 | RAR3-p (Compressed)                          | Archives
...

From the output, you can match each hash prefix to its mode:

  • 12500 for RAR3-hp: RAR 4.x archives with encrypted headers (-hp), hash prefix $RAR3$*0*
  • 23700 and 23800 for RAR3-p: RAR 4.x archives with only file data encrypted (-p), hash prefix $RAR3$*1*, for stored and compressed files respectively
  • 13000 for RAR5: RAR5 archives, hash prefix $rar5$

Since our hash starts with $RAR3$*0*, the correct mode to use is 12500. Identifying the correct mode is a critical step: Hashcat refuses to load a hash whose layout does not match the selected mode, so a wrong choice fails before any cracking begins.

Prepare the Hash and Wordlist for the Attack

In this step, you will prepare the necessary files for the cracking attempt. A dictionary attack, which is what we will perform, requires two main inputs: the file containing the hash to be cracked and a wordlist (a file containing potential passwords).

You have already saved rar2john's output in rar_hash.txt, but that line is in John the Ripper's own layout: the archive name, then the hash token, then extra fields John uses for display. Hashcat parses only the token, so rewrite the file keeping just the second colon-separated field, and review the result.

rar2john secret.rar | cut -d: -f2 > rar_hash.txt
cat rar_hash.txt
$RAR3$*0*b51874e2d3731234*f82b2123456789012345678901234567

An alternative is to leave the line as it is and pass --username to Hashcat, which then ignores everything before the first colon; that only works when nothing follows the token on the line.

Next, you need the wordlist. For this lab, a simple wordlist named wordlist.txt was created for you during the setup process. In a real-world scenario, you would use a much larger wordlist, such as the famous rockyou.txt. Let's examine the contents of our small wordlist.

cat wordlist.txt
password
123456
labex
secret

As you can see, our wordlist contains a few common passwords, including the correct one, labex. With both the hash file and the wordlist ready, you are now prepared to launch the attack.

Execute the Attack to Find the RAR Password

In this step, you will execute the dictionary attack using Hashcat. With the hash file, wordlist, and correct mode number identified, you have everything you need.

The basic syntax for a Hashcat dictionary attack is: hashcat -m <mode> <hash_file> <wordlist_file>.

Now, run the command using mode 12500, your hash file rar_hash.txt, and your wordlist wordlist.txt.

hashcat -m 12500 rar_hash.txt wordlist.txt

Hashcat will initialize and then test every password in the wordlist against the hash. RAR3 derives its AES key from the password and salt with 262,144 rounds of SHA-1, so each candidate is expensive; that is why a dictionary of likely passwords, rather than exhaustive brute force, is the first thing to try. With only four candidates the session finishes almost immediately, and the status shows Cracked.

...
Session..........: hashcat
Status...........: Cracked
Hash.Name........: RAR3-hp
Hash.Target......: secret.rar
Time.Started.....: ...
Time.Estimated...: 0 secs (0.00ms)
Guess.Base.......: File (wordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    24211 H/s (0.01ms) @ Accel:128 Loops:128 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 4/4 (100.00%)
Rejected.........: 0/4 (0.00%)
Restore.Point....: 4/4 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1
Candidate.Engine.: Optimized Kernel
Candidates.#1....: password -> secret
Hardware.Mon.#1..: Temp: 45c Fan: 30%
...

Hashcat records every cracked hash in its "potfile", ~/.hashcat/hashcat.potfile, and consults it before starting a session: if you run the same attack again it reports that all hashes were already found and exits without cracking anything (use --potfile-disable, or --potfile-path with a fresh file, when you genuinely want to re-run). To print the recovered password, add --show to the original command; the wordlist is not needed.

hashcat -m 12500 rar_hash.txt --show

This prints each hash followed by a colon and its password.

$RAR3$*0*b51874e2d3731234*f82b2123456789012345678901234567:labex

The password, labex, follows the hash after the colon. You have successfully cracked the password for the RAR archive.
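The whole procedure, as an added example that is not part of this lab and not code from the rar2john or hashcat projects: a small bash script that feeds rar2john's output to hashcat, selecting the mode from the hash prefix instead of hard-coding 12500 and trimming the line to the token hashcat accepts. It goes beyond the lab in also handling archives made with -p ($RAR3$*1*) and RAR5 archives ($rar5$). The function names rar_hash_token, rar_hashcat_mode and crack_rar, the rule that picks 23700 versus 23800 from the last field of a $RAR3$*1* hash (RAR method code 30 means stored, anything else compressed), and the sample hash strings are mine; rar2john and hashcat need to be installed only for crack_rar.

```shell
#!/usr/bin/env bash
# Added example, not part of the LabEx lab or of the rar2john/hashcat projects.
# Same workflow as the lab (rar2john -> hashcat -> --show), but the mode is
# chosen from the hash prefix and the line is trimmed to the token hashcat
# accepts. Assumptions: rar2john and hashcat are on PATH (only crack_rar needs
# them); the archive name rar2john prints before the first ':' has no ':' in it.
set -u

# rar_hash_token LINE  ->  bare hash token
# rar2john prints "<archive>:<hash>[:John-only fields]"; the lab's line ends in
# ":8:secret.txt:24:0". Hashcat parses only the part starting with $RAR3$/$rar5$.
rar_hash_token() {
    local tok=$1
    case $tok in
        \$*) ;;                  # already a bare token
        *)   tok=${tok#*:} ;;    # drop "<archive>:"
    esac
    printf '%s\n' "${tok%%:*}"   # drop anything after the token
}

# rar_hashcat_mode LINE  ->  hashcat -m number, or return 1 if not a RAR hash
#   $RAR3$*0*  RAR 4.x, encrypted headers (rar -hp)   -> 12500 RAR3-hp
#   $RAR3$*1*  RAR 4.x, file data only (rar -p)       -> 23700 / 23800 RAR3-p
#              (assumed rule: the last '*' field is the RAR method code,
#               30 = stored -> uncompressed, 31..35 -> compressed)
#   $rar5$     RAR5 container                          -> 13000 RAR5
rar_hashcat_mode() {
    local tok method
    tok=$(rar_hash_token "$1")
    case $tok in
        '$RAR3$*0*'*) echo 12500 ;;
        '$RAR3$*1*'*)
            method=${tok##*\*}
            if [ "$method" = 30 ]; then echo 23700; else echo 23800; fi ;;
        '$rar5$'*)    echo 13000 ;;
        *)            return 1 ;;
    esac
}

# crack_rar ARCHIVE WORDLIST  ->  prints the recovered password.
# Returns 1 when the wordlist is exhausted with no hit, 2 on a setup error.
crack_rar() {
    local archive=$1 wordlist=$2 t line tok mode hashfile pot out
    for t in rar2john hashcat; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 2; }
    done
    line=$(rar2john "$archive") || return 2
    mode=$(rar_hashcat_mode "$line") || { echo "not a RAR hash: $line" >&2; return 2; }
    tok=$(rar_hash_token "$line")
    hashfile=$(mktemp) || return 2
    pot=$(mktemp) || return 2
    printf '%s\n' "$tok" > "$hashfile"
    # A private potfile: --show cannot return a stale entry from
    # ~/.hashcat/hashcat.potfile, and a re-run is never skipped as "already found".
    if hashcat -m "$mode" --quiet --potfile-path "$pot" "$hashfile" "$wordlist" >/dev/null; then
        out=$(hashcat -m "$mode" --potfile-path "$pot" --show "$hashfile")
        rm -f "$hashfile" "$pot"
        # --show prints "<hash>:<password>"; strip the hash we wrote rather than
        # cutting at a ':' so a password that itself contains ':' survives.
        printf '%s\n' "${out#"$tok":}"
        return 0
    fi
    rm -f "$hashfile" "$pot"
    return 1    # hashcat exits 1 when the wordlist is exhausted
}

# In the lab directory:  crack_rar secret.rar wordlist.txt   prints labex
```

Source the file and call crack_rar secret.rar wordlist.txt from the lab directory; it prints labex. Because it writes to a private potfile, running it a second time repeats the attack instead of replaying a cached result, and the password is recovered by stripping the known hash from the --show line rather than by splitting on the last colon.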

Summary

Congratulations on completing this lab! You have successfully learned the end-to-end process of cracking a password-protected RAR archive.

In this lab, you practiced several key skills:

  • Creating a password-protected archive using the rar command.
  • Extracting a crackable hash from a RAR file with rar2john.
  • Identifying the correct hash type and its corresponding mode in Hashcat.
  • Executing a dictionary attack with Hashcat using the extracted hash and a wordlist.
  • Viewing the recovered password.

These techniques are fundamental in the field of cybersecurity for password recovery and security auditing. Note what actually failed here: not the encryption, whose key derivation is deliberately slow, but a password that appeared in the wordlist. A long passphrase that no wordlist contains, combined with -hp so that file names are encrypted as well, is the defensive side of this lab. It is important to remember that these skills should only be used ethically and legally, for example, on systems you have explicit permission to test.