Using John the Ripper to recover RAR password
Solution 1
I would probably do something like this instead:
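john --incremental:all -stdout | while IFS= read -r pass; do
    # IFS= and -r keep spaces and backslashes in the candidate intact
    rar x -p"${pass}" test2.rar
    # $? is the exit status of rar; 0 means the archive unpacked
    if [ "$?" -eq 0 ]; then
        exit 0
    fi
done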
Replace rar options, etc. as you like. This way the command only runs until it successfully unpacks the file and you don't have to grep for something. $? is a shell variable containing the return code of the last run command, and if run successfully it equals 0. So if you match it with 0 you know the previous command "worked".
Edit 1: Added "'s around the password, like -p"${pass}".
Solution 2
I don't know of a way (other than -0 mode) to get xargs to ignore quotes in its input, but it's easy to use tr to convert the newlines to nulls and then use -0 mode:
john --incremental:all --stdout | tr "\n" "\0" | xargs -0 -I jtr unrar e -pjtr -inul test2.rar | grep 100%
chuckkahn
Updated on September 18, 2022
Comments
-
chuckkahn over 1 year
Testing John the Ripper in Mac OS X as a RAR password recovery solution, but xargs gives me an error:
john --incremental:all --stdout | xargs -I jtr unrar e -pjtr -inul test2.rar | grep 100%
xargs: unterminated quote
But when I add '-0' to xargs to deal with the quote, I get another xargs error:
john --incremental:all --stdout | xargs -0 -I jtr unrar e -pjtr -inul test2.rar | grep 100%
xargs: insufficient space for argument
Which I suppose is because the '-0' is preventing xargs from using newlines as delimiters, which is creating the space issue?
Any ideas on how to make xargs happy? Is there a way to solve the quotes issue while keeping the newline delimiter intact?
-
David Costa over 12 years
xargs launches ONE instance of your command with too many arguments, you need to launch unrar for each password you want to try like explained by @Mattias
-
chuckkahn over 12 years
When I add the tr portion, it does this at the end: Enter password (will not be echoed): Reenter password: I guess that's rar asking? I dunno.
-
chuckkahn over 12 years
This also asks for a password (will not be echoed) immediately followed by a reenter request partway through. I wonder if that's john or unrar?
-
Mattias Ahnberg over 12 years
I tried this with a dummy password protected rar file, it matched the 25th password and it worked just fine. Use rar and not unrar to be sure, and type =exactly= as above, don't change rar for unrar, etc. Don't change variable names or anything.
-
Gordon Davisson over 12 years
I think that's what it does with the argument "-p" (i.e. when given the empty string as a password). If I'm right, you should be able to suppress this by creating a john.conf file with "MinLen = 1".
-
chuckkahn over 12 years
Yeah it was set to = 0. Weird.
-
chuckkahn over 12 years
If I wanted to restore a previous aborted session, would I just substitute "--incremental:all" with "--restore"?
-
Mattias Ahnberg over 12 years
Should work fine, yes!
-
chuckkahn over 12 years
The homebrew package manager has unrar but not rar -- what was the reason to use rar and not unrar?
-
Mattias Ahnberg over 12 years
The reason was simply that rar worked for me in my example, and you said that unrar didn't work for you. unrar should work pretty much the same way, so if you get it to work and won't have to install rar, all good! :) No other reason than that!
-
chuckkahn over 12 years
If I set MinLen and MaxLen to 1 in john.conf, and add "<echo 'pass is ['${pass}']'" before the unrar line, it does a bunch of letters, and then after "pass is [z]" and before "pass is [!]", there is "pass is []" and it stops with the prompt "Enter password" -- is it echoing correctly that the pass is nothing?
-
Mattias Ahnberg over 12 years
If john sends out a totally empty string it will fail like that, yes. If john sends out a space it should work, but you MIGHT have to modify the line to read like this to cover spaces or words including spaces, if john generates those:
rar x -p"${pass}" test2.rar
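
A more defensive form of the loop from Solution 1, as an added example that is not part of the original thread: it skips the empty candidate that caused the "Enter password" prompt discussed in the comments, and keeps quotes, spaces and backslashes in each candidate intact. The helper names try_candidates, check_rar and check_demo, and the DEMO_SECRET value, are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). try_candidates reads one candidate per
# line on stdin and runs "$@" with the candidate appended as the last argument.
# It prints the first candidate for which that command exits 0.

try_candidates() {
    local pass
    # IFS= and -r keep leading/trailing spaces and backslashes intact.
    while IFS= read -r pass; do
        # An empty candidate would become a bare -p, which makes rar/unrar
        # prompt on the terminal (the "Enter password" stall in the thread).
        [ -n "$pass" ] || continue
        # </dev/null: the checker must neither consume the candidate stream
        # nor wait for interactive input.
        if "$@" "$pass" </dev/null >/dev/null 2>&1; then
            printf '%s\n' "$pass"
            return 0
        fi
    done
    return 1
}

# Assumed wrapper around the thread's unrar call: "t" tests the archive
# without extracting anything, -inul silences messages.
check_rar() {   # usage: check_rar ARCHIVE PASSWORD
    unrar t -inul -p"$2" "$1"
}

# Constructed stand-in for check_rar so the loop can be exercised offline.
# The "correct" password contains a quote, a space and a backslash.
DEMO_SECRET="it's a\\b"
check_demo() {  # usage: check_demo IGNORED PASSWORD
    [ "$2" = "$DEMO_SECRET" ]
}

# Real use (john and unrar installed, test2.rar as in the thread):
#   john --incremental:all --stdout | try_candidates check_rar test2.rar
```

Because each candidate is passed as a single quoted argument, the xargs quote handling and the tr/-0 workaround from Solution 2 are not needed.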