Cracking the Hashes
Hack Responsibly.
Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
Password Hashes
Identifying Hashes
Find the type of hash:
Find hash type at https://hashkiller.co.uk
Running john
with no parameters will attempt to tell you the hash type:
Hash Cracking
Hashcat basic syntax:
John the Ripper basic syntax:
Convert hashes from /etc/shadow
to a crackable format (then use john to crack):
/etc/shadow
to a crackable format (then use john to crack):Generating wordlists
Online rainbow tables:
https://crackstation.net/
http://www.cmd5.org/
https://hashkiller.co.uk/md5-decrypter.aspx
https://www.onlinehashcrack.com/
http://rainbowtables.it64.com/
http://www.md5online.org
https://www.cmd5.org/
http://hashes.org
https://gpuhash.me/
https://crack.sh/
https://hash.help/
https://passwordrecovery.io/
http://cracker.offensive-security.com/
https://md5decrypt.net/en/Sha256/
https://weakpass.com/wordlists
Hashcat Cheatsheet
Hashcat Cheatsheet for OSCP https://hashcat.net/wiki/doku.php?id=hashcat
Identify Hashes
hash-identifier
Example Hashes: https://hashcat.net/wiki/doku.php?id=example_hashes
MOAR POWAR!
I have found that I can squeeze some more power out of my hash cracking by adding these parameters:
These will force Hashcat to use the CUDA GPU interface which is buggy but provides more performance (–force) , will Optimize for 32 characters or less passwords (-O) and will set the workload to "Insane" (-w 4) which is supposed to make your computer effectively unusable during the cracking process. Finally "--opencl-device-types 1,2 " will force HashCat to use BOTH the GPU and the CPU to handle the cracking.
Using a dictionary
Hashcat example: cracking Linux md5crypt passwords (identified by $1$) using a wordlist:
hashcat --force -m 500 -a 0 -o $out_cracked_passes $hash_file $pass_list
Hashcat example cracking WordPress passwords using a wordlist: hashcat --force -m 400 -a 0 -o $out_cracked_passes $hash_file $pass_list
Sample Hashes http://openwall.info/wiki/john/sample-hashes
One Rule to Rule Them All
@NotSoSecure has built a custom rule that combines many of the most popular Hashcat rules: https://www.notsosecure.com/one-rule-to-rule-them-all/
The rule can be downloaded from GitHub: https://github.com/NotSoSecure/password_cracking_rules
Put the OneRuleToRuleThemAll.rule
file into the /usr/share/hashcat/rules/
folder and run it:
Using Hashcat for brute-forcing
Predefined character sets:
?u?l?d is the same as: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
Brute-force all passwords of length 1-8 with these possible characters: A-Z a-z 0-9 hashcat -m 500 $hash_file -a 3 --increment -1 ?l?d?u ?1?1?1?1?1?1?1?1
Cracking Linux Hashes from /etc/shadow
file
/etc/shadow
fileID | Description | Type |
500 | md5crypt $1$, MD5(Unix) | Operating-Systems |
200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems |
400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems |
1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems |
Cracking Windows Hashes
ID | Description | Type |
3000 | LM | Operating-Systems |
1000 | NTLM | Operating-Systems |
Cracking Common Application Hashes
ID | Description | Type |
900 | MD4 | Raw Hash |
0 | MD5 | Raw Hash |
5100 | Half MD5 | Raw Hash |
100 | SHA1 | Raw Hash |
10800 | SHA-384 | Raw Hash |
1400 | SHA-256 | Raw Hash |
1700 | SHA-512 | Raw Hash |
Cracking Common File Password Protections
ID | Description | Type |
11600 | 7-Zip | Archives |
12500 | RAR3-hp | Archives |
13000 | RAR5 | Archives |
13200 | AxCrypt | Archives |
13300 | AxCrypt in-memory SHA1 | Archives |
13600 | WinZip | Archives |
9700 | MS Office <= 2003 $0/$1, MD5 + RC4 | Documents |
9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1 | Documents |
9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2 | Documents |
9800 | MS Office <= 2003 $3/$4, SHA1 + RC4 | Documents |
9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1 | Documents |
9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2 | Documents |
9400 | MS Office 2007 | Documents |
9500 | MS Office 2010 | Documents |
9600 | MS Office 2013 | Documents |
10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4) | Documents |
10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1 | Documents |
10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 | Documents |
10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8) | Documents |
10600 | PDF 1.7 Level 3 (Acrobat 9) | Documents |
10700 | PDF 1.7 Level 8 (Acrobat 10 - 11) | Documents |
16200 | Apple Secure Notes | Documents |
Cracking Commmon Database Hash Formats
ID | Description | Type | Example Hash |
12 | PostgreSQL | Database Server | a6343a68d964ca596d9752250d54bb8a:postgres |
131 | MSSQL (2000) | Database Server | 0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578 |
132 | MSSQL (2005) | Database Server | 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe |
1731 | MSSQL (2012, 2014) | Database Server | 0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375 |
200 | MySQL323 | Database Server | 7196759210defdc0 |
300 | MySQL4.1/MySQL5 | Database Server | fcf7c1b8749cf99d88e5f34271d636178fb5d130 |
3100 | Oracle H: Type (Oracle 7+) | Database Server | 7A963A529D2E3229:3682427524 |
112 | Oracle S: Type (Oracle 11+) | Database Server | ac5f1e62d21fd0529428b84d42e8955b04966703:38445748184477378130 |
12300 | Oracle T: Type (Oracle 12+) | Database Server | 78281A9C0CF626BD05EFC4F41B515B61D6C4D95A250CD4A605CA0EF97168D670EBCB5673B6F5A2FB9CC4E0C0101E659C0C4E3B9B3BEDA846CD15508E88685A2334141655046766111066420254008225 |
8000 | Sybase ASE | Database Server | 0xc00778168388631428230545ed2c976790af96768afa0806fe6c0da3b28f3e132137eac56f9bad027ea2 |
Cracking NTLM hashes
After grabbing or dumping the NTDS.dit
and SYSTEM
registry hive or dumping LSASS memory from a Windows machine:
Path | Description |
C:\Windows\NTDS\ntds.dit | Active Directory database |
C:\Windows\System32\config\SYSTEM | Registry hive containing the key used to encrypt hashes |
Using Impacket
to dump the hashes:
You can crack the NTLM hash dump usign the following hashcat syntax:
Cracking KRB5TGS Hashes - "Kerberoasting"
A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. These SPNs cat be collected by using a username list and Impacket's example scripts. After gathering a list of valid usernames that have the property ‘Do not require Kerberos pre-authentication’ set (UF_DONT_REQUIRE_PREAUTH), you can get the SPN hash for cracking, replay, or creating of Kerberos tickets using the example below.
Hashcat supports multiple versions of the KRB5TGS hash which can easily be identified by the number between the dollar signs in the hash itself.
13100 - Type 23 - $krb5tgs$23$
19600 - Type 17 - $krb5tgs$17$
19700 - Type 18 - $krb5tgs$18$
KRB5TGS Type 23 - Crackstation humans only word list with OneRuleToRuleThemAll mutations rule list.
To crack Linux hashes with John you must first unshadow
them
unshadow
themCrack a zip password
zip2john Zipfile.zip | cut -d ':' -f 2 > hashes.txt
hashcat -a 0 -m 13600 hashes.txt /usr/share/wordlists/rockyou.txt
Hashcat appears to have issues with some zip hash formats generated from zip2john. You can fix this by editing the zip hash contents to align with the example zip hash format found on the hash cat example page: $zip2$*0*3*0*b5d2b7bf57ad5e86a55c400509c672bd*d218*0**ca3d736d03a34165cfa9*$/zip2$
John seems to accept a wider range of zip formats for cracking.
John the ripper: john --wordlist=/usr/share/wordlists/rockyou.txt <hash_file>
Jumbo John = Better than original john
Hashes.org: large database of pre-cracked hashes
Many password lists to download at skullsecurity
21.1GB wordlist of passwords! (Smaller samples available too) https://md5decrypt.net/en/Password-cracking-wordlist-download/
Hash formats list for hashcat
Brute-force crack password with known format:
Create wordlist of 'words' with known character-set & length:
Generate password for insertion directly into /etc/passwd
(assumes write privilege to that file):
/etc/passwd
(assumes write privilege to that file):Custom Code Examples
Decrypt LDAP Passwords
https://dotnetfiddle.net/2RDoWz
Decodes to: w3lc0meFr31nd
If you like this content and would like to see more, please consider buying me a coffee!
Last updated