Use John the Ripper to Crack RAR Archives


Introduction

In this lab, you will explore the process of cracking password-protected RAR archives using a powerful tool called John the Ripper. RAR (Roshal Archive) is a proprietary archive file format that supports data compression, error recovery, and file spanning. While RAR files offer robust compression and security features, weak passwords can make them vulnerable to brute-force attacks.

John the Ripper is a free and open-source password cracking tool. It is designed to detect weak Unix passwords, but it also supports various other hash types, including those from RAR archives. By the end of this lab, you will understand how to create a password-protected RAR file, extract its hash using rar2john, and then use John the Ripper to attempt to recover the password. You will also gain insights into the differences between cracking RAR and ZIP archives and learn about best practices for securing your RAR files.

Create a Password-Protected RAR File

In this step, you will create a simple text file and then compress it into a password-protected RAR archive. This RAR file will serve as our target for password cracking in subsequent steps.

First, create a new directory named rar_test and navigate into it:

mkdir ~/project/rar_test
cd ~/project/rar_test

Next, create a text file named secret.txt with some content. We will use nano for this.

nano secret.txt

Type the following content into the nano editor:

This is a secret message.
The password is 'labex'.

Press Ctrl+S to save the file and Ctrl+X to exit nano.

Now, create a password-protected RAR archive named secret.rar from secret.txt. We will use the password labex.

rar a -plabex secret.rar secret.txt

The a command means "add files to archive", and -p sets the password. Note that rar expects the password attached directly to the switch with no space (-plabex): a bare -p would prompt for the password interactively and rar would then treat labex as the archive name. You should see output similar to this:

RAR 5.00 freeware      Copyright (c) 1993-2013 Alexander Roshal      20 August 2013
Shareware version         Type 'rar -?' for help

Creating archive secret.rar

Adding    secret.txt                                               OK
Done

To verify that the file is indeed password-protected, try to extract it without providing a password:

unrar e secret.rar

You will be prompted for a password:

UNRAR 5.00 freeware      Copyright (c) 1993-2013 Alexander Roshal      20 August 2013
secret.rar

Extracting from secret.rar

Enter password (will not be echoed) for secret.txt:

Press Ctrl+C to cancel the extraction.

Extract Hash from RAR File using rar2john

In this step, you will use the rar2john utility, which is part of the John the Ripper suite, to extract the password hash from the secret.rar file. This hash is a representation of the password that John the Ripper can attempt to crack.

Ensure you are still in the ~/project/rar_test directory:

cd ~/project/rar_test

Now, run rar2john on your secret.rar file and redirect its output to a new file named rar_hash.txt:

rar2john secret.rar > rar_hash.txt

This command processes the secret.rar file and outputs the extracted hash to standard output, which is then saved into rar_hash.txt.

You can view the content of the rar_hash.txt file using cat:

cat rar_hash.txt

The output will look something like this (the actual hash value will be different):

secret.rar:$rar5$16$...

This line contains the necessary information for John the Ripper to start cracking the password. The format $rar5$... indicates that it's a RAR5 hash.

Crack RAR Hash with John the Ripper

In this step, you will use John the Ripper to crack the password hash extracted in the previous step. We will use a simple wordlist attack, which is effective for weak passwords.

Ensure you are still in the ~/project/rar_test directory:

cd ~/project/rar_test

John the Ripper comes with a default wordlist. For this lab, we will create a small custom wordlist that includes our known password (labex) to ensure a quick crack.

Create a file named wordlist.txt with the following content:

nano wordlist.txt

Type the following passwords into the nano editor, each on a new line:

password
123456
labex
john

Press Ctrl+S to save the file and Ctrl+X to exit nano.

Now, run John the Ripper using the rar_hash.txt file and your custom wordlist.txt:

john --wordlist=wordlist.txt rar_hash.txt

John the Ripper will start processing the hash. Since labex is in our wordlist, it should find the password quickly. The output will show the cracked password:

Using default input encoding: UTF-8
Loaded 1 password hash from rar_hash.txt (RAR5)
Cost 1 (iteration count) is 262144 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
labex            (secret.rar)
1g 0:00:00:00 DONE (2023-10-27 10:30) 100.0% (ETA: 00:00:00) 1.000g/s 4.000p/s 4.000c/s 4.000C/s labex
Session completed.

The line labex (secret.rar) indicates that the password labex was found for the secret.rar archive.

You can also check the cracked passwords that John the Ripper has found and stored:

john --show rar_hash.txt

This command will display any passwords that have been successfully cracked and stored in John's internal pot file:

secret.rar:labex

1 password hash cracked, 0 left

This confirms that John the Ripper successfully cracked the RAR password.

Compare RAR and ZIP Cracking

In this step, we will briefly compare the process of cracking RAR archives with cracking ZIP archives, highlighting some key differences. Both formats are common for compression, but their encryption mechanisms and the tools used to crack them can differ.

First, let's create a password-protected ZIP file for comparison. Ensure you are in ~/project/rar_test:

cd ~/project/rar_test

Create a new text file for the ZIP archive:

nano zip_secret.txt

Add some content:

This is a secret message for ZIP.
The password is 'zip_pass'.

Save and exit nano (Ctrl+S, Ctrl+X).

Now, create a password-protected ZIP archive named zip_secret.zip with the password zip_pass:

zip -P zip_pass zip_secret.zip zip_secret.txt

The -P option supplies the password directly on the command line. As zip's own documentation notes, a password given this way can be visible to other users in the process list and is kept in shell history; zip -e prompts for it instead. You should see output similar to this:

  adding: zip_secret.txt (deflated 29%)

Similar to rar2john, there's a zip2john utility for extracting hashes from ZIP files.

zip2john zip_secret.zip > zip_hash.txt

View the extracted ZIP hash:

cat zip_hash.txt

The output will look different from the RAR hash, typically starting with zip_secret.zip:$zip2$...:

zip_secret.zip:$zip2$*0*1*0*...

Now, let's try to crack it with John the Ripper using a wordlist that includes zip_pass:

nano zip_wordlist.txt

Add the following content:

password
zip_pass
123456

Save and exit nano.

john --wordlist=zip_wordlist.txt zip_hash.txt

John the Ripper will crack the ZIP password:

Using default input encoding: UTF-8
Loaded 1 password hash from zip_hash.txt (PKZIP)
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
zip_pass         (zip_secret.zip)
1g 0:00:00:00 DONE (2023-10-27 10:35) 100.0% (ETA: 00:00:00) 1.000g/s 4.000p/s 4.000c/s 4.000C/s zip_pass
Session completed.

Key Differences:

  • Hash Format: RAR and ZIP files use different internal encryption and hash formats, requiring specific *2john utilities (rar2john vs. zip2john).
  • Encryption Strength: Modern RAR (RAR5) encryption is generally considered stronger than standard ZIP encryption (ZipCrypto), especially when using AES-256. This means cracking RAR5 can be more computationally intensive and time-consuming for strong passwords.
  • Tools: While John the Ripper can handle both, the underlying hash extraction and cracking modules are distinct. Other tools like fcrackzip are specifically designed for ZIP, while rarcrack is for RAR.

This comparison demonstrates that while the general approach (extract hash, crack with wordlist) is similar, the specifics of handling different archive formats vary.
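An added example, not part of the original lab, that turns the format differences above into a quick triage check: it reads the archive's leading bytes to tell RAR4, RAR5 and ZIP apart (so the right *2john utility is chosen) and, for ZIP, reads the general-purpose bit flag of the first entry to see whether it is flagged as encrypted at all. The sample headers are constructed inline; nothing here depends on rar or zip being installed.

```shell
# Added example (not from the original lab): classify an archive by its
# leading bytes so the right *2john tool is chosen, and for ZIP report whether
# the first entry is flagged encrypted (general-purpose bit flag, bit 0).
# A ZIP without that flag needs no cracking at all, which is worth knowing
# before spending CPU time on it.

archive_type() {
    f=$1
    # First 8 bytes as one contiguous lowercase hex string.
    magic=$(od -A n -t x1 -N 8 "$f" | tr -d ' \n')
    case $magic in
        526172211a070100*) echo rar5 ;;    # "Rar!\x1A\x07\x01\x00"
        526172211a0700*)   echo rar4 ;;    # "Rar!\x1A\x07\x00"
        504b0304*)                         # "PK\x03\x04" local file header
            # Offset 6 holds the low byte of the general-purpose bit flag.
            flags=$(od -A n -t u1 -j 6 -N 1 "$f" | tr -d ' \n')
            if [ $(( ${flags:-0} & 1 )) -eq 1 ]; then
                echo zip-encrypted
            else
                echo zip-plain
            fi ;;
        *) echo unknown ;;
    esac
}

# Constructed sample headers (not real archives): just enough bytes for the
# check above. Writes them into directory $1.
make_samples() {
    d=$1
    printf 'Rar!\032\007\001\000' > "$d/rar5.rar"
    printf 'Rar!\032\007\000' > "$d/rar4.rar"
    printf 'PK\003\004\024\000\001\000' > "$d/enc.zip"    # flag bit 0 set
    printf 'PK\003\004\024\000\000\000' > "$d/plain.zip"  # flag bit 0 clear
    printf 'just text' > "$d/notes.txt"
}

# Stand-alone demo: sh archive_type.sh demo
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_samples "$tmp"
    for f in "$tmp"/*; do printf '%s: %s\n' "$f" "$(archive_type "$f")"; done
    rm -r "$tmp"
fi
```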

Best Practices for RAR Security

In this step, we will discuss best practices to secure your RAR archives and prevent them from being easily cracked. Understanding these practices is crucial for protecting your sensitive data.

The ease with which we cracked the secret.rar file in this lab highlights the importance of strong passwords. Here are some best practices for RAR security:

  1. Use Strong, Unique Passwords:

    • Length: Aim for passwords that are at least 12-16 characters long. Longer passwords are exponentially harder to crack.
    • Complexity: Include a mix of uppercase letters, lowercase letters, numbers, and special characters. Avoid common words, names, or easily guessable sequences (like "123456" or "password").
    • Uniqueness: Never reuse passwords across different accounts or archives. If one password is compromised, others remain secure.
  2. Utilize Password Managers:

    • Password managers can generate and store complex, unique passwords for you, making it easier to follow the above recommendations without having to memorize them all.
  3. Enable Strong Encryption (RAR5 with AES-256):

    • When creating RAR archives, ensure you are using the latest RAR format (RAR5) which defaults to AES-256 encryption. This is significantly more secure than older RAR formats or weaker encryption algorithms. Most modern rar tools use RAR5 by default.
  4. Avoid Storing Passwords Near Archives:

    • Never store the password for an archive in a text file or sticky note alongside the archive itself. This defeats the purpose of password protection.
  5. Limit Access to Archives:

    • Store your password-protected RAR files in secure locations with restricted access. Even with a strong password, if an attacker gains physical access to your device or network, they might have more opportunities to attempt cracking.
  6. Be Wary of Phishing and Social Engineering:

    • Attackers might try to trick you into revealing your passwords through fake emails, websites, or direct communication. Always be suspicious of unsolicited requests for sensitive information.

By following these best practices, you can significantly enhance the security of your RAR archives and protect your data from unauthorized access. Remember, the weakest link in any security chain is often the human element or a weak password.
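An added example, not part of the original lab, that applies the practices above as a check run before an archive is created: it rejects a candidate password that is shorter than 12 characters, uses fewer than three of the four character classes, or appears in a wordlist like the one john used earlier. The embedded wordlist and the MIN_LEN, SAMPLE_WORDLIST and password_policy_ok names are this example's own constructions.

```shell
# Added example (not from the original lab): a pre-archiving check that
# applies the best practices above. A password is rejected if it is shorter
# than MIN_LEN, uses fewer than three of the four character classes, or
# appears (case-insensitively) in a wordlist such as the lab's wordlist.txt.
# Prints the verdict and returns 0 (accepted) or 1 (rejected).
export LC_ALL=C          # keep [a-z]/[A-Z] ranges literal in every locale

MIN_LEN=${MIN_LEN:-12}

# Constructed sample wordlist standing in for the lab's wordlist.txt.
SAMPLE_WORDLIST='password
123456
labex
john
zip_pass
Winter2024!Winter2024!'

password_policy_ok() {
    pw=$1
    wordlist=${2:-$SAMPLE_WORDLIST}

    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        echo "rejected: shorter than $MIN_LEN characters"; return 1
    fi

    # Count the character classes present: lower, upper, digit, other.
    classes=0
    printf '%s' "$pw" | grep -q '[a-z]' && classes=$((classes + 1))
    printf '%s' "$pw" | grep -q '[A-Z]' && classes=$((classes + 1))
    printf '%s' "$pw" | grep -q '[0-9]' && classes=$((classes + 1))
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' && classes=$((classes + 1))
    if [ "$classes" -lt 3 ]; then
        echo "rejected: uses only $classes of 4 character classes"; return 1
    fi

    # Wordlist membership is exactly what let john recover 'labex' above.
    if printf '%s\n' "$wordlist" | grep -qixF -- "$pw"; then
        echo "rejected: present in wordlist"; return 1
    fi

    echo accepted
    return 0
}

# Usage: password_policy_ok "$candidate" && rar a -hp secret.rar secret.txt
# With -hp (headers encrypted too, unlike -p) and no password attached, rar
# prompts for it, which keeps the password out of shell history.
```

Point the second argument at a real wordlist file (for example "$(cat wordlist.txt)") to test candidates against the same list an attacker would try first.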

Summary

In this lab, you gained hands-on experience with cracking password-protected RAR archives using John the Ripper. You started by creating a sample RAR file with a known password. Then, you learned how to extract the RAR hash using the rar2john utility, which converts the archive's password information into a format that John the Ripper can understand.

Subsequently, you successfully used John the Ripper with a custom wordlist to crack the password of the RAR archive, demonstrating the vulnerability of archives protected by weak or common passwords. You also explored the differences between cracking RAR and ZIP archives, noting the distinct hash formats and encryption strengths.

Finally, the lab concluded with a discussion on best practices for RAR security, emphasizing the importance of strong, unique passwords, utilizing modern encryption, and practicing good security hygiene to protect your sensitive data stored in archives. This lab provides a foundational understanding of password cracking techniques and the critical need for robust password policies.