
Intro

So you want to be a password cracker, huh? Let us show you how it's done. In this post you will learn how to crack passwords with a hashcat dictionary attack.

First things first.

A few things are required for Hashcat to begin cracking in dictionary mode:

  • Hash(es) to crack
  • The hash-type id for the given hash(es)
  • A dictionary

What is dictionary attack mode? We simply hash every entry in a text file, one by one, and check whether any of them equals the hash we want to crack. If one does, we did it!

Grab the hashtype

The first step is to check what kind of hash we are dealing with, because we do not always know the hashing algorithm used. Why is it so important?

Hashcat requires the -m (--hash-type) parameter to begin cracking. Hash types are represented by numbers. For example, NTLM has the id 1000 (-m 1000).

So, how to get the hash type of a given hash? We can use special tools for that purpose. We can visit online sites such as:

https://www.tunnelsup.com/hash-analyzer
https://hashes.com/en/tools/hash_identifier
https://md5hashing.net/hash_type_checker
https://www.dcode.fr/hash-identifier

or use command-line tools such as:

https://github.com/blackploit/hash-identifier
https://github.com/noraj/haiti
https://github.com/HashPals/Name-That-Hash

All the above tools give one or more possible hashing algorithm names, and with that name we can get a hash-type id for hashcat.

We need to remember that in some cases tools rely only on the hash length to determine the type. The hash ABAF3912CA4ABADF8823CEC34B785BC8 could be MD5 as well as NTLM.

Example:

NTLM HASH: ABAF3912CA4ABADF8823CEC34B785BC8 - [AlphaPwners]

Haiti: [screenshot of haiti output]

HashID: [screenshot of hashid output]

Most of the time we use haiti, but you can grab any tool that does the job.

Sometimes we know the type of a hash based on its origin. Despite having the same length as MD5, a hash grabbed from a Windows SAM would be NTLM.

Anything else?

Another method of determining a hashtype is using the hashcat list of example hashes. We can list them via command line with the simple command hashcat --example-hashes or visit https://hashcat.net/wiki/doku.php?id=example_hashes

Most of the time, we just need to copy the beginning of the hash and search/grep in the hashcat example_hashes page.

According to example_hashes:

  • the hash $2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6 would be 3200, bcrypt $2*$, Blowfish (Unix).
  • the hash $office$*2007*20*128*16*411a51284e0d0200b131a89a5cc*1[...]81cde would be 9400, MS Office 2007.
  • the hash $krb5asrep$23$administrator@company.local:36246105349[...]60e94 would be 18200, Kerberos 5, etype 23, AS-REP.

Let's crack some hashes!

The hash in the example below can be cracked using the popular rockyou.txt dictionary. It's also our first choice on any CTF/HackTheBox/TryHackMe/Whatever where hash cracking or bruteforcing is involved.

You can download it, for example, from here: https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/wordlists/rockyou.txt.gz


Let's crack this beauty:

0a909ffe7be1ffe2ec130aa243a64c26

The hash algorithm is MD5, and in hashcat the proper id for MD5 is 0.

Hashcat supports many attacks such as:

  • Dictionary attack
  • Mask attack (kind of bruteforce)
  • Combinatory attack
  • Rule-based attack
  • Toggle-case attack

In this post, only a dictionary attack is used. Feel free to check the upcoming posts on hash cracking to learn about the other methods.

To use the dictionary attack, an -a toggle with value 0 must be provided.

To start cracking, we use

{{< code language="bash" title="Hashcat dictionary attack" id="1" expand="Show" collapse="Hide" isCollapsed="false" >}}

hashcat -m 0 -a 0 '0a909ffe7be1ffe2ec130aa243a64c26' 'rockyou.txt.gz' -O

{{< /code >}}

Command explanation:

  • -m 0 -> hash type id (in this case MD5)
  • -a 0 -> attack mode (in this case Dictionary attack, mode number 0)
  • 0a909ffe7be1ffe2ec130aa243a64c26 -> the hash to crack
  • rockyou.txt.gz -> dictionary file (can be compressed)
  • -O -> enable optimized kernels (limits password & salt length in exchange for speed)

[screenshots of the hashcat run] Gotcha!

To show previously cracked hashes in hashcat, the --show switch can be used.

{{< code language="bash" title="Show cracked hashes" id="2" expand="Show" collapse="Hide" isCollapsed="false" >}}

hashcat '0a909ffe7be1ffe2ec130aa243a64c26' --show

{{< /code >}}

When a password is cracked, hashcat saves its plaintext value in hashcat.potfile, in the format hash:password. Depending on the system and on how hashcat was installed or configured, the location of this file may differ, e.g.

Kali Linux: ~/.local/share/hashcat/hashcat.potfile

Ubuntu system: ~/.local/share/hashcat/hashcat.potfile

If we cannot find the .potfile then just call the command:

{{< code language="bash" title="Locate hashcat.potfile" id="2" expand="Show" collapse="Hide" isCollapsed="false" >}}

find / -name hashcat.potfile

{{< /code >}}


More hashes, more fun.

Hashcat, of course, supports cracking many hashes at once. Just replace the hash we want to crack with the name of the file containing the hashes. The file should contain only hashes of one algorithm, one hash per line.

[DOWNLOAD] unshade-hash-b1.txt - hashes to crack.

{{< code language="bash" title="cracking many hashes" id="3" expand="Show" collapse="Hide" isCollapsed="false" >}}

hashcat -m 0 -a 0 unshade-hash-b1.txt 'rockyou.txt.gz' -O

{{< /code >}}
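To make the two ideas above concrete, the length/prefix identification from the "Grab the hashtype" section and the dictionary attack hashcat runs with -a 0 (single hash or a file of hashes), here is an added Python example that is not part of the original post or of hashcat itself. It guesses candidate -m ids the way the identifier tools do, hashes every line of a (gzip-compressed) wordlist with the candidate modes it can back with hashlib, and prints matches in the hash:password layout of hashcat.potfile. The wordlist and target hashes are constructed inline; the NTLM guess (1000) is reported but not cracked, since hashlib offers no portable MD4.

```python
import gzip, hashlib, os, re, tempfile

# hashcat -m ids implemented here with hashlib: 0 = MD5, 100 = SHA1, 1400 = SHA2-256
DIGEST = {0: "md5", 100: "sha1", 1400: "sha256"}

def candidate_modes(h):
    """Mimic the identifier tools: a signature prefix is unambiguous, but raw hex
    is classified by length only, so 32 hex chars means MD5 (0) *or* NTLM (1000)."""
    for prefix, mode in (("$2a$", 3200), ("$2b$", 3200), ("$2y$", 3200),
                         ("$krb5asrep$23$", 18200), ("$office$*2007*", 9400)):
        if h.startswith(prefix):
            return [mode]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return {32: [0, 1000], 40: [100], 64: [1400]}.get(len(h), [])
    return []

def hash_word(mode, word):
    return hashlib.new(DIGEST[mode], word.encode("utf-8")).hexdigest()

def dictionary_attack(targets, wordlist_path, mode):
    """Hash every wordlist line with the chosen mode and compare it against the
    uncracked targets; returns {hash: password}, the potfile layout."""
    opener = gzip.open if wordlist_path.endswith(".gz") else open
    remaining = {t.lower() for t in targets}
    cracked = {}
    with opener(wordlist_path, "rt", encoding="utf-8", errors="ignore") as fh:
        for line in fh:
            if not remaining:
                break                       # all targets cracked, stop early
            word = line.rstrip("\r\n")      # rockyou mixes \n and \r\n endings
            digest = hash_word(mode, word)
            if digest in remaining:
                cracked[digest] = word
                remaining.discard(digest)
    return cracked

def demo():
    """Constructed wordlist and targets (not the post's hash); returns the
    hash:password lines that hashcat --show would print."""
    wordlist = os.path.join(tempfile.mkdtemp(), "wordlist.txt.gz")
    with gzip.open(wordlist, "wt", encoding="utf-8") as fh:
        fh.write("123456\r\npassword\nletmein\nAlphaPwners\n")
    targets = [hash_word(0, "letmein"), hash_word(0, "AlphaPwners"),
               hash_word(0, "not-in-wordlist")]       # third one stays uncracked
    results = {}
    for mode in candidate_modes(targets[0]):          # [0, 1000]; 1000 has no backend here
        if mode in DIGEST:
            results.update(dictionary_attack(targets, wordlist, mode))
    return [f"{h}:{p}" for h, p in results.items()]
```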

Homework

[1]

005fa475cd6073c2a3299aa31d9e9025b8737b94
9790595269fbdf7792bd4012158b61f51d38814d
4ffc350caaa08aadf788774a3c13954b2da8bf52
9d41cc7a34c3c34c4e3a65332358aac11c25ce5e

[2]

7900d6556a7deb9818041aea381872a8
64463bf3c02ba2b295421e607ad15ab2
08e948966ffdfc3d3618b15ae4dc7610
004a6beec22971468ecff512fd7902ac

[3]

15CB872FA3FEAAA7B965B8DB21DF61DE
E3A116866FED857F74EC3E62F38E60FD
D3F81F595A598A5CF8D535B91EF57857
38DDD8ED7F48687DAF504C9C918B598F
