
WannaCrack! A Mix of Digital Forensics + Python Cracking


By: jumb01

June 14, 2017

~$ whoami

I am Aslam Admani, and this is an interactive article that is most beneficial if you follow along practically.

~$ Setting_The_Scene

You are a digital forensic analyst. Your boss has given you a USB flash drive which was recovered from a suspect's home. The suspect is believed to be involved in credit card fraud. Inside the USB are the following files (which you must set up yourself first):
  1. Download an image and rename it BlvckAr7.jpg.
    • This is an ordinary image; inside it we will hide a secret file using steganography, which we come to a little later.
    • [Image] Right-click the image, then select "Save as" or "Save image as" to save this file to your computer.
  2. A zip file, which appears to be password protected. We will come to this later.
~$ The_setup_1
  • Kali Linux OS (on any environment)
    • If you do not have a Kali box, there are plenty of step-by-step tutorials that walk through installing and configuring it properly. Note: it is not worth installing and configuring a Kali machine specifically for this article; I would suggest it, though, if you are interested in hacking and forensics in general. I will leave links to installation guides towards the end of this article.
  • A USB flash drive (to set the scene, this isn't a necessity though)
Assuming you have these two requirements, let's move on to the next stage.

~$ The_setup_2

  • sudo apt-get update && sudo apt-get upgrade (if your machine requires upgrading; the update is needed anyway so the next install finds the package)
  • sudo apt-get install steghide
Now that we have the tool required, let's create our secret file. You can use any text editor. Name the file S3CR37Z.txt, and lay it out something like this:

FORENAME SURNAME:    ACCOUNT NUMBER
TYPE:                VISA
EXPIRATION:          DATE

Create multiple entries, and try to make them look as real as possible (fictitious numbers only, never real card data). Once you have completed this, let's hide the file inside the image we downloaded earlier. To do this we use steghide. On the terminal enter the following:
  • steghide embed -cf BlvckAr7.jpg -ef S3CR37Z.txt
    • Next, it will ask you for a password. For this, we will use qwerty123 (Of course this is significantly insecure, however, the criminal assumes nobody would know that the file is hidden inside of the image).
  • Once we have completed this successfully we can delete S3CR37Z.txt
    • Type in rm S3CR37Z.txt (to remove the text file with the secret contents).
Next we create a password-protected zip file containing the image BlvckAr7.jpg. Replace <archive> below with whatever name you choose for it:
  • zip -e <archive>.zip BlvckAr7.jpg
    • Again, it asks for a password, which we set to scarface23 (this password is more secure than the last, but is it really strong?)
--- At this point you should have a password-protected zip file; inside the zip is an image, and inside the image is a secret file, to which we have no access ---

If you have reached this point, great! Now store this zip file on a USB drive, which plays the part of the USB we recovered from the crime scene. Place the file on it, and let's begin with the forensics!

~$ Setting_the_scene --Forensic_Analyst

We receive a USB stick. The first thing we should do as a forensic analyst is create a bit-by-bit image of it and verify its integrity. Before we proceed with this, we create a folder called 'Secure_Store', and within it a few more folders.
  • mkdir Secure_Store
  • cd Secure_Store; mkdir image logical physical analysis
For this assignment we will be using image, physical and analysis.
  • Image will contain the bit-by-bit copied image
  • physical will contain the contents of the USB
  • and analysis will have our analysis of the USB, i.e. our findings.
Once we have created these directories we must unmount the flash drive from the main file system so that we can image it, and then mount the image (not the drive itself) inside our secure evidence directory (Secure_Store). In a real case the drive would sit behind a hardware write blocker; at the very least, never mount the evidence read-write. We do this by entering:
  • df -hl (this lists the mounted filesystems on your machine)
    • Look for the flash drive; if you have difficulty finding it, unplug it, run the same command again and compare the two results.

Filesystem    Size    Used    Avail    Use%    Mounted on

The above are the columns the command returns. Once we have identified the USB drive, locate where it is mounted. Note the Filesystem entry of the USB (its device node, e.g. /dev/sdb1) and the "Mounted on" entry. The latter may look something like /media/root/Name_of_USB (this differs depending on your user name, USB label etc.). Copy that mount point, then type the following command to remove it from the main filesystem:
  • umount /media/root/Name_of_USB
    • now type the df command again to see if it has been removed from the list.
Next we create a bit-by-bit image using the device node of the USB filesystem. We could use dd, or a forensic variant such as dcfldd or dc3dd that hashes as it copies; either is an excellent choice. This may take a while, so be patient.
  • dd if=/dev/sdb1 of=~/Desktop/Secure_Store/image/USB_image.dd bs=512 conv=noerror,sync
    • Where this example says /dev/sdb1, change it to match the output of your df -hl command. Note that /dev/sdb1 is only the first partition: imaging /dev/sdb (the whole device) also captures the partition table and any unallocated space, and is what you would normally do in a real case. conv=noerror,sync keeps dd going past an unreadable sector and zero-fills it, so the image keeps the same offsets as the device.
Once this task is complete, we verify the bit-by-bit copy by hashing both the device and the image with md5sum (sha256sum is used the same way and is what a current report would carry; for confirming that the copy matches, either will do):
  • md5sum /dev/sdb1
  • md5sum ~/Desktop/Secure_Store/image/USB_image.dd
    • If these give exactly the same result, we are good to go! (If dd reported read errors, the zero-filled image will not match the device; record that in the report rather than re-imaging blindly.)
    • It is best to note these down, or store them in a text file, for the final report (we will not be going over the report as part of this article).
Subsequently we mount the image (not the USB itself) read-only inside the Secure_Store/physical directory:
  • mount -o ro,loop ~/Desktop/Secure_Store/image/USB_image.dd ~/Desktop/Secure_Store/physical
    • ro stops anything, including you, from altering the evidence, and loop presents the image file as a block device. If you imaged the whole device (/dev/sdb) rather than the partition, add offset=<partition start in bytes> (start sector from fdisk -l USB_image.dd multiplied by 512).
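The dd, md5sum and log-keeping steps above, as one added example (my code, not the author's): every block is hashed as it is copied, the finished image is re-hashed from scratch, and both digests are appended to a log for the report. The source is normally a device node such as /dev/sdb passed on the command line; the demo at the bottom uses a constructed temporary file so it runs without a flash drive. The path and function names are this example's own.

```python
#!/usr/bin/env python3
"""Added example, not code from the original post: image a source block by
block with dd-style noerror,sync semantics, verify, and log the digests."""
import hashlib
import os
import sys
import tempfile
import time

BLOCK = 512  # sector size; a whole-device image is always a multiple of this


def acquire(src_path, img_path, block=BLOCK):
    """Copy src_path to img_path block by block.

    Returns (md5, sha256, unreadable_blocks) for the bytes actually written.
    A block whose read raises OSError is zero-filled and skipped, which is what
    dd's conv=noerror,sync does: the image keeps the same offsets as the device.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    unreadable = 0
    offset = 0
    with open(src_path, 'rb', buffering=0) as src, open(img_path, 'wb') as img:
        while True:
            try:
                src.seek(offset)
                chunk = src.read(block)
            except OSError:            # unreadable sector: zero-fill and move on
                unreadable += 1
                chunk = b'\x00' * block
            if not chunk:              # end of device / file
                break
            md5.update(chunk)
            sha.update(chunk)
            img.write(chunk)
            offset += len(chunk)
    return md5.hexdigest(), sha.hexdigest(), unreadable


def digests(path, block=BLOCK):
    """Hash an existing file from scratch (the independent re-read md5sum does)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(block), b''):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def acquire_and_verify(src_path, img_path, log_path):
    """Image src_path into img_path, compare digests, append them to the log.

    Returns True when what was read matches what was written. unreadable_blocks
    in the log tells you whether that in turn equals the device.
    """
    src_md5, src_sha, unreadable = acquire(src_path, img_path)
    img_md5, img_sha = digests(img_path)
    match = (src_md5, src_sha) == (img_md5, img_sha)
    stamp = time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime())
    with open(log_path, 'a') as log:
        log.write('%s acquired %s -> %s\n' % (stamp, src_path, img_path))
        log.write('  source  md5=%s sha256=%s unreadable_blocks=%d\n'
                  % (src_md5, src_sha, unreadable))
        log.write('  image   md5=%s sha256=%s verified=%s\n'
                  % (img_md5, img_sha, match))
    return match


if __name__ == '__main__':
    if len(sys.argv) == 4:                      # real use: <device> <image> <log>
        ok = acquire_and_verify(sys.argv[1], sys.argv[2], sys.argv[3])
    else:                                       # demo on a constructed 8 KiB "device"
        work = tempfile.mkdtemp()
        fake_usb = os.path.join(work, 'fake_usb.bin')
        with open(fake_usb, 'wb') as f:
            f.write(os.urandom(16 * BLOCK))
        ok = acquire_and_verify(fake_usb, os.path.join(work, 'USB_image.dd'),
                                os.path.join(work, 'hashes.txt'))
    print('verified' if ok else 'MISMATCH: do not proceed with analysis')
```

Run as root against the unmounted device (python3 acquire.py /dev/sdb ~/Desktop/Secure_Store/image/USB_image.dd ~/Desktop/Secure_Store/analysis/hashes.txt) and keep the log for the report. A separate md5sum of the device afterwards is still worth doing: it re-reads the media independently of the copy.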
Now if we go into the physical directory we should see the zip file. Copy it to the analysis directory and work inside the analysis directory from here on; the read-only mount under physical stays untouched. The zip has a password. How do we get around this?

Let's create a small password cracking script with Python. The password file we will use is called rockyou.txt. It contains millions of real user passwords leaked from a breached website database, and it can be found online as rockyou.txt.bz2; on Kali it also ships compressed as /usr/share/wordlists/rockyou.txt.gz (extract it with gunzip). Download or extract it, then place rockyou.txt on your Desktop.

Now let's make the script. It loops through every line of rockyou.txt, attempting to extract the files from the zip with that line as the password. Two things to know about Python's zipfile module: it only decrypts the legacy ZipCrypto scheme that zip -e produces (an AES-encrypted archive would fail for every candidate), and its password check is a single byte, so roughly 1 in 256 wrong passwords pass that check and only fail later with a CRC or decompression error, which the script treats the same as a wrong password. Open a text editor (we will just use gedit) and enter the following:

```python
#!/usr/bin/env python3
################################################
# Created by Aslam Admani for Cybrary WannaCrack blog
################################################
import os
import sys
import zipfile
import zlib


def main():
    # usage: python3 <script>.py <archive>.zip [wordlist]
    archive = sys.argv[1]
    wordlist = os.path.expanduser(sys.argv[2] if len(sys.argv) > 2 else '~/Desktop/rockyou.txt')
    out_dir = os.path.dirname(os.path.abspath(archive))  # extract next to the archive, i.e. into analysis/

    zfile = zipfile.ZipFile(archive)  # open the zip once; only the password changes per attempt
    # rockyou.txt is not valid UTF-8 throughout, so read it as bytes (zipfile wants bytes anyway)
    with open(wordlist, 'rb') as f:
        for line in f:  # iterate through each line of the password file
            pw = line.rstrip(b'\r\n')  # remove the newline at the end of each password
            try:
                zfile.extractall(out_dir, pwd=pw)  # attempt to extract everything with this password
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue  # wrong password (or one that passed the 1-byte check and then failed)
            print('password found: %s' % pw.decode('latin-1'))  # extraction worked: print the password
            return
    print('password not in wordlist')


if __name__ == '__main__':
    main()
```

The Python script looks good; run it in the terminal:
  • python3 <script>.py <archive>.zip
This may take a while depending on how deep in rockyou.txt the passwords we chose are. If this has run successfully, which it should, your next objective is to analyse the image we see. We have an image named BlvckAr7.jpg, and it looks like a normal JPEG file. However, the eyes can deceive; we must dig further. Let's start with ExifTool. ExifTool reads the metadata of a great many file formats: it reports the file type detected from the file's contents (not from its extension), its size, and any embedded tags such as camera, software or comment fields.
  • exiftool BlvckAr7.jpg
    • If the command is not found, install it with sudo apt-get install libimage-exiftool-perl.
With this JPEG we should not see anything particularly suspicious. However, let's put our forensics caps on and think outside the box: we have an image that states 'nothing to see here'. Let's search the web for it and see whether the same image exists with the same extension; if so, we can download the matching copies and compare sizes. Maybe that gives us a lead? So we download the identical images we find and compare the sizes using exiftool. Notice the difference? One is bigger than the other. Now compare the two files with md5sum: the hashes differ. It could simply be that this copy was re-saved from another source, so a size or hash mismatch on its own proves nothing (steghide has to re-encode the JPEG, so a size change is expected, but a plain re-save changes it too). Regardless, we have our suspicions. Let's assume there is another file inside BlvckAr7.jpg, and use steghide to extract whatever may be in there.
  • steghide extract -sf BlvckAr7.jpg
    • it's asking us for a passphrase, what do we do here!
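Before brute-forcing the passphrase it is worth documenting what actually differs between the suspect file and the clean copy. The size and md5sum comparison above says only *that* they differ; this added example (mine, not the author's) walks the JPEG marker segments of both files and says *where*: which segments are extra, which changed size, and whether anything sits after the EOI marker. The two JPEGs at the bottom are constructed in-code as marker skeletons (not viewable pictures) so the script runs offline; for real use call compare_jpegs on the bytes of BlvckAr7.jpg and the downloaded copy. The constructed suspect carries an extra COM segment and data appended after EOI to exercise those branches; steghide itself hides data inside the entropy-coded scan, so on the real file expect the SOS, DQT and DHT totals to change and bytes_after_eoi to stay 0. This is a structural diff, not a stego detector: it cannot by itself tell an embedding from a re-encode.

```python
#!/usr/bin/env python3
"""Added example, not code from the original post: segment-level diff of a
suspect JPEG against a clean reference copy."""
import hashlib
import struct

SOS, EOI = 0xDA, 0xD9
# markers that carry no length field: SOI, EOI, TEM and RST0..RST7
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))
MARKER_NAMES = {0xC0: 'SOF0', 0xC4: 'DHT', 0xDB: 'DQT', 0xDA: 'SOS',
                0xE0: 'APP0', 0xE1: 'APP1', 0xFE: 'COM'}


def jpeg_segments(data):
    """Return ([(marker_name, bytes_occupied), ...], bytes_after_EOI)."""
    if data[:2] != b'\xff\xd8':
        raise ValueError('missing SOI marker: not a JPEG')
    segs = [('SOI', 2)]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError('expected a marker at offset %d' % pos)
        marker = data[pos + 1]
        if marker == EOI:
            segs.append(('EOI', 2))
            return segs, data[pos + 2:]
        if marker in STANDALONE:
            segs.append(('%02X' % marker, 2))
            pos += 2
            continue
        (length,) = struct.unpack('>H', data[pos + 2:pos + 4])  # length counts its own 2 bytes
        start = pos
        pos += 2 + length
        if marker == SOS:
            # entropy-coded image data follows the SOS header; it runs until the next
            # marker that is neither a stuffed 0xFF00 byte nor an RSTn restart marker
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7:
                    break
                pos += 1
        segs.append((MARKER_NAMES.get(marker, '%02X' % marker), pos - start))
    raise ValueError('no EOI marker: truncated file')


def _totals(segs):
    """Bytes occupied per marker name (a JPEG usually has several DQT/DHT segments)."""
    out = {}
    for name, size in segs:
        out[name] = out.get(name, 0) + size
    return out


def compare_jpegs(suspect, reference):
    """Describe how suspect differs from reference at the segment level."""
    s_segs, s_trail = jpeg_segments(suspect)
    r_segs, _ = jpeg_segments(reference)
    s_tot, r_tot = _totals(s_segs), _totals(r_segs)
    return {
        'same_md5': hashlib.md5(suspect).digest() == hashlib.md5(reference).digest(),
        'size_delta': len(suspect) - len(reference),
        'extra_segments': [n for n in s_tot if n not in r_tot],
        'resized_segments': {n: s_tot[n] - r_tot[n] for n in s_tot if n in r_tot and s_tot[n] != r_tot[n]},
        'bytes_after_eoi': len(s_trail),
    }


def _seg(marker, payload):
    """Build one marker segment: FF xx, big-endian length (payload + 2), payload."""
    return b'\xff' + bytes([marker]) + struct.pack('>H', len(payload) + 2) + payload


# Constructed reference skeleton (assumed, not a real photo): JFIF header, one
# quantisation table, a 1x1 baseline frame, one Huffman table, a scan, EOI.
_SCAN = b'\x12\x34\xff\x00\x56\x78'  # entropy-coded bytes containing one stuffed FF00
REFERENCE_JPEG = (b'\xff\xd8'
                  + _seg(0xE0, b'JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00')
                  + _seg(0xDB, b'\x00' + bytes(64))
                  + _seg(0xC0, b'\x08\x00\x01\x00\x01\x01\x01\x11\x00')
                  + _seg(0xC4, b'\x00' + bytes(16))
                  + _seg(0xDA, b'\x01\x01\x00\x00\x3f\x00') + _SCAN
                  + b'\xff\xd9')
# Constructed suspect: same skeleton plus a comment segment and bytes appended after EOI.
SUSPECT_JPEG = (REFERENCE_JPEG[:2] + _seg(0xFE, b'nothing to see here') + REFERENCE_JPEG[2:]
                + b'S3CR37Z payload hidden after EOI')

if __name__ == '__main__':
    for key, value in compare_jpegs(SUSPECT_JPEG, REFERENCE_JPEG).items():
        print('%-18s %s' % (key, value))
```

Keep the output alongside the exiftool and md5sum results in the analysis directory: a report reader can follow "23 bytes of extra COM segment plus 32 bytes after EOI" far more easily than two hashes that merely differ.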
Let's create a Python file that feeds candidate passphrases to steghide. The zip script could try passwords in-process, but steghide is a separate program that reads its passphrase from the terminal, so this one uses pexpect (sudo apt-get install python3-pexpect) to drive it, and checks steghide's exit status, which is 0 only when data was actually extracted:

```python
#!/usr/bin/env python3
###############################################
# Created by Aslam Admani for Cybrary WannaCrack blog
###############################################
import os
import sys
import pexpect


def main():
    # usage: python3 <script>.py BlvckAr7.jpg [wordlist]
    stego_file = sys.argv[1]
    wordlist = os.path.expanduser(sys.argv[2] if len(sys.argv) > 2 else '~/Desktop/rockyou.txt')
    with open(wordlist, 'rb') as f:
        for line in f:
            pw = line.rstrip(b'\r\n').decode('latin-1')  # strip the newline; latin-1 round-trips any byte
            # -f overwrites an existing output file, so a re-run does not hang on the "overwrite?" prompt
            child = pexpect.spawn('steghide', ['extract', '-sf', stego_file, '-f'],
                                  encoding='latin-1', timeout=30)
            idx = child.expect(['passphrase: ', pexpect.EOF])  # steghide prompts "Enter passphrase: "
            if idx == 1:  # steghide exited before asking: show its error and stop
                sys.exit(child.before.strip())
            child.sendline(pw)
            child.expect(pexpect.EOF)  # wait for steghide to finish
            child.close()
            if child.exitstatus == 0:  # success: the extracted data was written to the current directory
                print('passphrase found: %s' % pw)
                return
    print('passphrase not in wordlist')


if __name__ == '__main__':
    main()
```

Run it from the analysis directory (python3 <script>.py BlvckAr7.jpg). On success this releases the hidden file into the current directory, and we should see a file called S3CR37Z.txt. Spawning steghide once per candidate is slow (a few attempts per second), so in practice try a short, targeted list first; steghide also accepts the passphrase on the command line with -p if you prefer to drive it without pexpect. You can check out my GitHub to see if there are any updates to these scripts.

If you are interested or need help, there is a video showing how to download and install Kali Linux on VMware Player.

If you have completed this article, followed along and were successful, well done! Comments and tips would be highly appreciated.