Hash Cracking Passwords
Hash-cracking communities:
https://hashes.org/crackers.php
Password dictionaries:
https://wiki.skullsecurity.org/Passwords
Kali supplies you with several wordlists and hash lists in /usr/share/.
John the Ripper
John the Ripper is quite old, and still an excellent tool. John can use Kali’s built-in wordlists: /usr/share/wordlists/rockyou.txt.gz etc.
“How to crack passwords using john the ripper in kali linux”
https://www.youtube.com/watch?v=eAn8dYdn1eY
Exercises
1 Create a simple text file with a hashed password (which is “password”):
echo -n password | md5sum | tr -d " -" >> /root/testhash.txt
Now use the RockYou wordlist to crack the password:
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt.gz /root/testhash.txt
john --format=raw-md5 --show /root/testhash.txt
2 Follow the steps on this page:
https://www.tunnelsup.com/getting-started-cracking-password-hashes/
Brutus
Brutus is ancient Windows software for cracking passwords. You may get lucky with it today, but really just know the tool for the CEH exam.
https://www.youtube.com/watch?v=dloKOen31yk
THC-Hydra
“Hydra is a very fast online password cracking tool, which can perform rapid dictionary attacks against more than 50 Protocols, including Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases and much more. THC (The Hackers Choice) created Hydra for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.”
https://www.youtube.com/watch?v=9iRoYdKGPFo
Hashcat
Hashcat is the bad daddy of hash cracking. No, I don’t wanna argue about it, just learn to use it and then we’ll talk.
Requires 4 arguments:
-m or --hash-type (use --help to list hash types; use -m 1000 for Windows NT hashes)
Example hashes: https://hashcat.net/wiki/doku.php?id=example_hashes
-a or --attack-mode (method: dictionary, brute-force; use -a 0 to use a dictionary attack)
[filename|hash] (hashes to crack, e.g. ./hashes/ntlm.txt; you can supply a single hash directly)
[dictionary|mask|directory] (A wordlist, mask or directory containing wordlist(s), e.g. rockyou.txt)
See this really excellent step-by-step example:
http://www.adeptus-mechanicus.com/codex/crkpass/crkpass.php
“HOW TO CRACK MD5 HASHES USING HASHCAT”:
https://www.4armed.com/blog/hashcat-crack-md5-hashes/
Exercise: Dictionary Attack
1 Hashcat doesn’t support compressed lists, so unzip Kali’s supplied RockYou wordlist, /usr/share/wordlists/rockyou.txt.gz:
gunzip /usr/share/wordlists/rockyou.txt.gz
2 Create a folder called hashlists in your home directory. Make a hash file called win.hash inside it:
touch ./hashlists/win.hash
Go to this page to create some NTLM hashes. Place them in the win.hash file:
https://tobtu.com/lmntlm.php
3 Now run hashcat to crack the hashes, using the RockYou wordlist:
hashcat -m 1000 -a 0 --force ./hashlists/win.hash /usr/share/wordlists/rockyou.txt
Cracked hashes go into hashcat.potfile in the user’s home directory, in a folder named .hashcat – unless you specify an output file with the -o option (see the next example).
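To see what the dictionary attacks in the John exercise and the Hashcat exercise above actually do, here is a small Python model. It is an added example, not part of the original notes and not code from hashcat or John: it hashes every wordlist entry with MD5 (hashcat -m 0, John --format=raw-md5), compares against the target hashes, and prints the results in the hash:plain layout that hashcat.potfile and -o use. The wordlist and the hash list are constructed inline as stand-ins for rockyou.txt and win.hash; NTLM (-m 1000) differs only in the hash function (MD4 over the UTF-16LE password), which is left out because not every Python build ships MD4.

```python
import hashlib

# Constructed stand-in for rockyou.txt: a handful of common passwords.
WORDLIST = ["123456", "password", "letmein", "qwerty", "iloveyou"]


def md5_hex(candidate: str) -> str:
    """Hash mode 0 in hashcat / --format=raw-md5 in John: plain MD5, hex encoded."""
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def dictionary_attack(target_hashes, wordlist, hash_fn=md5_hex):
    """Try every wordlist entry once (hashcat -a 0). Returns {hash: plaintext}
    for the hashes that were cracked; uncracked hashes are simply absent."""
    # Hashes are compared as lowercase hex, so upper-case input still matches.
    pending = {h.strip().lower() for h in target_hashes if h.strip()}
    cracked = {}
    for word in wordlist:
        if not pending:
            break  # nothing left to crack, stop early
        digest = hash_fn(word)
        if digest in pending:
            cracked[digest] = word
            pending.remove(digest)
    return cracked


def potfile_lines(cracked):
    """Format results the way hashcat's .potfile and -o output do: hash:plain."""
    return [f"{h}:{p}" for h, p in sorted(cracked.items())]


if __name__ == "__main__":
    # Constructed hash file: the exercise hash of "password", one for "letmein",
    # and one for a password that is not in the wordlist (stays uncracked).
    targets = [md5_hex("password"), md5_hex("letmein"), md5_hex("Tr0ub4dor&3")]
    results = dictionary_attack(targets, WORDLIST)
    for line in potfile_lines(results):
        print(line)
    print(f"{len(results)}/{len(targets)} cracked")
```

The third target never appears in the output, which is the behaviour to expect from hashcat too: a hash that is absent from the potfile after the run was not in the wordlist, and the next exercises (rules, masks, combinator) exist to widen the candidate set.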
Exercise: Rule Set Permutations
Rule Sets allow permutations like “Airplane1 to Airplane59”.
For deep details see this page:
https://www.4armed.com/blog/hashcat-rule-based-attack/
Rule Set rules are in /usr/share/hashcat/rules/, for example the best64.rule rule list.
3 Use this command to crack the hashes in win.hash:
hashcat -m 1000 -a 0 -o /root/cracked.txt -r /usr/share/hashcat/rules/best64.rule ./hashlists/win.hash /usr/share/wordlists/rockyou.txt
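The following is an added example (not from the notes, and not hashcat's own rule engine) showing how a rule file turns one wordlist entry into many candidates. It implements a subset of hashcat's rule syntax (the single-character functions :, l, u, c, t, r, d, ], [ and the one-argument functions $X and ^X, which are the bulk of what best64.rule is made of) and runs a rule-based attack the way -a 0 -r does: every (word, rule) pair yields one candidate, so the keyspace is words times rules. The wordlist and rule list are constructed inline; the target is the "Airplane1" mentioned above, produced from "airplane" by the rule c $1.

```python
import hashlib

# Constructed wordlist and rule list (stand-ins for rockyou.txt and best64.rule).
# Rule functions are applied left to right; spaces between them are optional.
WORDLIST = ["airplane", "Summer", "dragon"]
RULES = [":", "c", "u", "r", "d", "$1", "$!", "c $1", "c $2 $0", "^x", "]", "c $1 $9"]


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line to one word and return the mutated candidate.
    Supported: ':' no-op, 'l' lowercase, 'u' uppercase, 'c' capitalise,
    't' toggle case, 'r' reverse, 'd' duplicate, ']' drop last char,
    '[' drop first char, '$X' append X, '^X' prepend X."""
    i = 0
    while i < len(rule):
        f = rule[i]
        if f == " ":            # whitespace only separates functions
            i += 1
            continue
        if f == ":":
            pass
        elif f == "l":
            word = word.lower()
        elif f == "u":
            word = word.upper()
        elif f == "c":
            word = word[:1].upper() + word[1:].lower()
        elif f == "t":
            word = word.swapcase()
        elif f == "r":
            word = word[::-1]
        elif f == "d":
            word = word + word
        elif f == "]":
            word = word[:-1]
        elif f == "[":
            word = word[1:]
        elif f in "$^":
            i += 1              # these two take exactly one character argument
            if i >= len(rule):
                raise ValueError(f"rule {rule!r}: {f} needs an argument")
            word = word + rule[i] if f == "$" else rule[i] + word
        else:
            raise ValueError(f"unsupported rule function {f!r} in {rule!r}")
        i += 1
    return word


def rule_attack(target_hashes, wordlist, rules):
    """hashcat -a 0 -r for MD5: candidates = every word under every rule.
    Returns {hash: plaintext} for the hashes that were cracked."""
    pending = {h.lower() for h in target_hashes}
    cracked = {}
    for word in wordlist:
        for rule in rules:
            cand = apply_rule(word, rule)
            digest = md5_hex(cand)
            if digest in pending:
                cracked[digest] = cand
                pending.discard(digest)
    return cracked


if __name__ == "__main__":
    print("keyspace:", len(WORDLIST) * len(RULES))
    print(rule_attack([md5_hex("Airplane1")], WORDLIST, RULES))   # constructed target
```

The real best64.rule also uses functions this parser does not implement (position-based edits, for example), so an unknown function raises instead of silently producing a wrong candidate; that is the same failure mode to watch for when hashcat warns about a rule it cannot parse.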
Exercise: Mask Attack
See this explanation straight from the Hashcat people:
https://hashcat.net/wiki/doku.php?id=mask_attack
And see this page for examples (halfway down the page):
https://www.4armed.com/blog/perform-mask-attack-hashcat/
You will need at least these four options for hashcat:
hashcat-binary attack-mode hash-file mask
For instance:
hashcat -a 3 hash.file ?a?a?a
?d Digit (repeat 5 times for 5 places)
?l lowercase letter
?u uppercase letter
?s special char
?a all character sets
For example, look for all three-character passwords:
hashcat -m 1000 -a 3 ./testhash.txt ?a?a?a
Up to 7 chars is reasonable, 8 takes days, 9 takes years (on generic hardware).
4 What would the command be to look for all five-character passwords?
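As an added example (not from the notes and not hashcat's own mask processor), the Python below parses a hashcat-style mask into per-position character sets, computes its keyspace, and runs the mask attack against a single MD5 hash. The charset definitions match hashcat's (?s is the 33 printable ASCII specials including space, so ?a is 95 characters), which is exactly why the keyspace of ?a repeated n times grows the way the line above describes; the target hash is constructed inline.

```python
import hashlib
import itertools
import string

# hashcat's built-in charsets used on this page (?h, ?H and ?b are omitted).
CHARSETS = {
    "l": string.ascii_lowercase,                      # 26
    "u": string.ascii_uppercase,                      # 26
    "d": string.digits,                               # 10
    "s": " " + string.punctuation,                    # 33
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]  # 95


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def parse_mask(mask: str):
    """Turn a mask like '?u?l?l?d' into a list of per-position charsets.
    A character not introduced by '?' is a literal (one-element charset);
    '??' is treated as a literal question mark."""
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("mask ends with a bare '?'")
            key = mask[i + 1]
            if key == "?":
                positions.append("?")
            elif key in CHARSETS:
                positions.append(CHARSETS[key])
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def keyspace(mask: str) -> int:
    """Number of candidates the mask generates: the product of the charset
    sizes. This is the figure behind '7 chars is reasonable, 8 takes days'."""
    n = 1
    for cs in parse_mask(mask):
        n *= len(cs)
    return n


def mask_attack(target_hash: str, mask: str):
    """hashcat -a 3 for one MD5 hash: walk the keyspace in order and return the
    first candidate whose digest matches, or None once it is exhausted."""
    target = target_hash.lower()
    for combo in itertools.product(*parse_mask(mask)):
        cand = "".join(combo)
        if md5_hex(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    for m in ("?a?a?a", "?u?l?l?l?l?d?d", "?a?a?a?a?a?a?a?a"):
        print(f"{m:20} keyspace = {keyspace(m):,}")
    print("?a?a?a cracked:", mask_attack(md5_hex("a1!"), "?a?a?a"))   # constructed target
```

Comparing the printed keyspaces is the point: a structured mask such as ?u?l?l?l?l?d?d covers seven characters with about a billion candidates, while ?a at every position multiplies by 95 per character, which is what makes full 8-character ?a masks a multi-day job on ordinary hardware.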
Exercise: Combinator Attacks
Use two wordlists, or the same wordlist twice, and try all possible combinations:
hashcat -m 0 -a 1 ./testhash.txt [wordlist1] [wordlist2]
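To make the combinator mode concrete, here is an added Python example (not from the notes or from hashcat) that generates the -a 1 candidate set, every left-list word followed by every right-list word, and cracks MD5 hashes against it, including the case from the line above where the same list is used twice. Both wordlists are constructed inline.

```python
import hashlib
import itertools

# Constructed left and right wordlists (in practice these are two files).
LEFT = ["summer", "winter", "dragon"]
RIGHT = ["2019", "2020", "!", "pass"]


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def combinator_candidates(left, right):
    """hashcat -a 1: each word of the left list concatenated with each word of
    the right list, left word first. Keyspace = len(left) * len(right)."""
    for l, r in itertools.product(left, right):
        yield l + r


def combinator_attack(target_hashes, left, right):
    """Build a {hash: candidate} table from the whole combinator keyspace and
    look each target up in it. Fine for small lists; hashcat streams the
    candidates instead of materialising them. Returns {hash: plaintext}."""
    table = {md5_hex(c): c for c in combinator_candidates(left, right)}
    found = {}
    for h in target_hashes:
        key = h.lower()
        if key in table:
            found[key] = table[key]
    return found


if __name__ == "__main__":
    both = list(combinator_candidates(LEFT, LEFT))      # the same list twice
    print(len(both), "candidates from LEFT x LEFT:", both[:4])
    targets = [md5_hex("dragon2020"), md5_hex("summerwinter")]  # constructed
    print(combinator_attack(targets, LEFT, RIGHT))
    print(combinator_attack(targets, LEFT, LEFT))
```

Note that order matters: "dragon2020" is only reachable with the number list on the right, so swapping the two wordlist arguments changes the keyspace entirely.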
5 Follow this page step-by-step:
https://www.4armed.com/blog/hashcat-crack-md5-hashes/
The LinkedIn hashdump and more instructions:
http://adeptus-mechanicus.com/codex/linkhap/linkhap.php
And another good tutorial on masks:
https://www.unix-ninja.com/p/Exploiting_masks_in_Hashcat_for_fun_and_profit