Channel: Hakin9 – IT Security Magazine

Hashcat: A Beginner's Guide


Disclaimer:

This article is intended solely for ethical, authorized use. Do not run the methods discussed below against any system you do not have explicit permission to test. At the very end of this article I've included a URL to a TryHackMe practice room; you are more than welcome to experiment there.

Before we get our hands dirty with password cracking, we have to know how to identify a password hash. Hundreds of hash formats are in common use (hashcat alone supports several hundred modes), and many of them produce output of the same length and alphabet: a 32-character hex string could be MD5, MD4, NTLM or several others. Identifying a hash by eye is therefore unreliable, and it is better to automate the job. Do not worry though: there are a number of tools that make determining a hash type much easier.

What is Password Hashing anyway?

Hashing is the process of converting data of arbitrary size into a fixed-size output using a mathematical function. In password storage, the application hashes each password and stores the digest instead of the plaintext, so an attacker who dumps the database does not get the passwords directly. A hash function is one-way: there is no operation that turns the digest back into the password. One-way does not mean uncrackable, though. Fast, unsalted hashes such as MD5 or SHA-256 can be guessed at billions of candidates per second on a GPU, which is exactly what the rest of this article exploits.

Types of Password Attacks

There are different ways a password hash can be cracked. Two of the most prominent methods are mentioned below:

1. Pure Brute-Force attacks:

  • This type of attack generates and tests every possible candidate, so given enough time it is the only method guaranteed to recover the password.
  • The cost is the size of the keyspace: the number of candidates is (charset size)^(length). Eight lowercase letters is 26^8, about 2 × 10^11 guesses, which a single GPU gets through in seconds to minutes for MD5. Eight characters drawn from all 95 printable ASCII characters is 95^8, about 6.6 × 10^15, and every additional character multiplies the work by 95 again. That is why a password longer than roughly eight characters that mixes uppercase, lowercase, digits and symbols is rarely cracked by pure brute force within the limited timeframe of an engagement.

2. Dictionary Attacks:

  • In this type of attack we use a dictionary/wordlist of commonly used passwords and hash each entry, looking for a match. The best-known wordlist is rockyou.txt (about 14 million passwords leaked in the 2009 RockYou breach; it ships with Kali under /usr/share/wordlists). Beyond rockyou.txt, the SecLists project collects many wordlists used by penetration testers all over the world; I've included its GitHub repository at the end of this blog post.
  • These wordlists contain passwords found in real data breaches, so they cover the choices people actually make and recover a large share of hashes in practice. A password that is not in the list (or not reachable by the rules discussed below) will not be found this way, however.

What is Hashcat? And how does one use it?

Hashcat is a tool for cracking password hashes. I did mention earlier that hashing is a one-way function, so how can you obtain the original password from the hash, you ask? You're asking the right question, my friend. Recovering plaintext passwords from their hashes is called password cracking, and it is a guessing process: the attacker takes a candidate password, hashes it with the same algorithm, and compares the result with the hash taken from the password database. A match means the candidate is the password (or, very rarely, a different string that hashes to the same value). Hashcat simply does this at enormous speed, on the GPU. Without any further ado, let's get straight into using hashcat.

Determining the hash type is essential: hashcat has to be told which algorithm to use (with -m), and with the wrong mode it will never find a match even when it tries the right guess. A tool called Name-That-Hash does the identification; I've included the link to download the tool at the end of this blog post.

You have to use the command nth --text '<HASH-VALUE>' to get the results.

For the hash used in this article, nth lists four candidate algorithms. In most cases the correct one is among the first two; if the first does not crack, try the next. Alongside each candidate, nth prints the hash-mode number hashcat expects (HC: 0 for MD5 here) and the format name for John the Ripper (JTR: raw-md5 here). We will discuss the hash-mode number in a moment.

Dictionary Attack:

The most common command to crack the password hashes using hashcat is:

hashcat -m 0 -a 0 -D 2 example.hash /usr/share/wordlists/rockyou.txt

where:

  • -m selects the hash mode, i.e. the algorithm: 0 is MD5, 1400 is SHA-256, 1000 is NTLM, and so on. hashcat --help lists every mode, and hashcat --example-hashes prints a sample hash for each so you can check the format you have.
  • -a selects the attack mode: 0 is the straight attack (a plain dictionary attack), 3 is brute-force/mask mode, etc.
  • -D selects the OpenCL device types hashcat may use: 1 is CPU, 2 is GPU, 3 is FPGA/DSP/co-processor. It is optional; without it hashcat uses every device it detects. (Do not confuse it with lowercase -d, which selects individual device ids.)
  • example.hash is the file containing the hash(es) to crack, one per line.
  • /usr/share/wordlists/rockyou.txt is the dictionary/wordlist hashcat will run through. On Kali it ships compressed as rockyou.txt.gz and has to be gunzipped first.

Hashcat prints each recovered hash as hash:plaintext as soon as it is cracked. Every hit is also appended to the potfile (hashcat.potfile, kept in hashcat's data directory under your home, ~/.local/share/hashcat/ on current Linux builds), so hashes you have already cracked are skipped on later runs. To print the recovered passwords for a hash file without cracking again, rerun the same command with --show.
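To make the guess-hash-compare loop behind the straight attack concrete, here is a small Python re-implementation of what hashcat -a 0 does for an unsalted hash. It is an added illustration written for this article, not hashcat's code, and it is far slower than hashcat: the point is the mechanics (hash each word once, check it against every target, record hits in a potfile-style table), not speed. The hash file and the five-word stand-in for rockyou.txt are constructed for the example.

```python
import hashlib

# hashcat hash-mode numbers (-m) for the two unsalted algorithms the article names
HASH_MODES = {0: "md5", 1400: "sha256"}


def hash_candidate(candidate, mode=0):
    """Hash one guess the way hashcat does for an unsalted -m <mode> hash."""
    return hashlib.new(HASH_MODES[mode], candidate.encode("utf-8")).hexdigest()


def load_hashes(text):
    """Parse a hash file: one hex digest per line, blanks ignored, case folded."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def dictionary_attack(targets, wordlist, mode=0):
    """Straight attack (-a 0): hash each word once and compare it with every
    remaining target. Returns a potfile-style dict {digest: plaintext}.
    Stops early once every target has been recovered."""
    remaining = set(targets)
    potfile = {}
    for word in wordlist:
        if not remaining:
            break
        guess = word.rstrip("\r\n")  # wordlist lines carry trailing newlines
        digest = hash_candidate(guess, mode)
        if digest in remaining:
            potfile[digest] = guess
            remaining.discard(digest)
    return potfile


def show(targets, potfile):
    """Mimic `hashcat --show`: hash:plain for every target already in the potfile."""
    return [f"{h}:{potfile[h]}" for h in sorted(targets) if h in potfile]


# Constructed example.hash: MD5 of 'hashcat', 'password', '123456' (one given in
# upper-case hex), plus the MD5 of the empty string, which the wordlist cannot hit.
EXAMPLE_HASH = """\
8743b52063cd84097a65d1633f5c74f5
5f4dcc3b5aa765d61d8327deb882cf99
E10ADC3949BA59ABBE56E057F20F883E
d41d8cd98f00b204e9800998ecf8427e
"""

# Constructed stand-in for /usr/share/wordlists/rockyou.txt (the real file has ~14M lines)
WORDLIST = ["123456\n", "password\n", "letmein\n", "qwerty\n", "hashcat\n"]


def demo():
    targets = load_hashes(EXAMPLE_HASH)
    potfile = dictionary_attack(targets, WORDLIST, mode=0)
    return targets, potfile


if __name__ == "__main__":
    targets, potfile = demo()
    for line in show(targets, potfile):
        print(line)
    print(f"Recovered {len(potfile)}/{len(targets)} hashes")
```

Three of the four hashes fall to the wordlist; the fourth stays in `remaining`, which is exactly the situation where you reach for rules or a mask next. Note that the targets are case-folded once up front, which is why the upper-case digest still matches.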

Rule-Based Attack:

You can set specific rules, and hashcat will mutate every word in the wordlist according to them before hashing it. Some single-character rule functions:

  • : → do nothing (pass the word through unchanged)
  • l → lowercase all the letters.
  • u → uppercase all the letters.
  • c → capitalize the first letter and lowercase the rest.
  • C → lowercase the first character and uppercase the rest.

These are only a few of the rule functions available; refer to the link at the end of this blog post for the full set. Rules are written one per line in a ".rule" file and passed on the command line with the -r option. Because every rule is applied to every word, the number of candidates is the wordlist size multiplied by the rule count. The rule files shipped with hashcat live in the "/usr/share/hashcat/rules" directory on Kali (the rules/ directory of the hashcat install elsewhere); best64.rule is a good small set to start with. Example:

hashcat -m 0 -a 0 example.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule
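The following Python block, added here as an illustration and not taken from hashcat, implements the five rule functions listed above and the wordlist × rules expansion that -a 0 -r performs, so you can see which mutation produced each hit. Only these argument-less functions are implemented; the rule file, wordlist and targets are constructed for the example (the targets are MD5s of case variants of the two words).

```python
import hashlib


def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# The five rule functions named in the article. Real hashcat rules have many
# more (append, prepend, rotate, ...) and some take an argument; only these
# argument-less ones are implemented here.
RULE_FUNCTIONS = {
    ":": lambda w: w,                              # do nothing
    "l": lambda w: w.lower(),                      # lowercase all
    "u": lambda w: w.upper(),                      # uppercase all
    "c": lambda w: w[:1].upper() + w[1:].lower(),  # capitalize
    "C": lambda w: w[:1].lower() + w[1:].upper(),  # invert capitalize
}


def parse_rules(text):
    """Read a .rule file body: one rule per line, '#' comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(line)
    return rules


def apply_rule(word, rule):
    """Apply a rule line left to right. Functions may be separated by spaces
    (hashcat accepts 'c' or 'c  u'); an unsupported function is rejected here,
    whereas hashcat prints a warning and skips the rule."""
    for fn in rule.replace(" ", ""):
        if fn not in RULE_FUNCTIONS:
            raise ValueError(f"unsupported rule function {fn!r} in rule {rule!r}")
        word = RULE_FUNCTIONS[fn](word)
    return word


def rule_attack(targets, wordlist, rules):
    """-a 0 -r <file>: every rule is applied to every word, so the candidate
    count is len(wordlist) * len(rules). Returns {digest: (plaintext, rule)}
    so you can see which mutation produced each hit."""
    remaining = {t.lower() for t in targets}
    potfile = {}
    for word in wordlist:
        for rule in rules:
            if not remaining:
                return potfile
            guess = apply_rule(word.rstrip("\r\n"), rule)
            digest = md5hex(guess)
            if digest in remaining:
                potfile[digest] = (guess, rule)
                remaining.discard(digest)
    return potfile


# Constructed rule file, not hashcat's rockyou-30000.rule
RULES_FILE = """\
# toggle-case rules from the article
:
l
u
c
C
"""

# Constructed wordlist; the targets are MD5s of case variants of these words
WORDLIST = ["hashcat\n", "password\n"]
TARGETS = [md5hex("Hashcat"), md5hex("pASSWORD"), md5hex("PASSWORD")]


def demo():
    return rule_attack(TARGETS, WORDLIST, parse_rules(RULES_FILE))


if __name__ == "__main__":
    for digest, (plain, rule) in demo().items():
        print(f"{digest}:{plain}   (rule {rule!r})")
```

None of the three targets is in the two-word wordlist as written, yet all three fall once the rules are applied: "Hashcat" via c, "PASSWORD" via u and "pASSWORD" via C. With a 14-million-line wordlist and a 30,000-line rule file the same loop produces 4.2 × 10^11 candidates, which is why rule attacks sit between a plain dictionary run and brute force in cost.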

Mask Attack:

Password hashes can also be cracked using another technique known as a Mask Attack. It is a brute-force attack restricted to a specified set of characters at each position: you can tell hashcat, for instance, to try only a-z, or only A-Z, or only 0-9 in a given position. Hashcat comes with the following built-in character sets:

  • ?l → abcdefghijklmnopqrstuvwxyz
  • ?u → ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • ?d → 0123456789
  • ?h → 0123456789abcdef
  • ?H → 0123456789ABCDEF
  • ?s → «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  • ?a → ?l?u?d?s (all 95 printable ASCII characters)
  • ?b → 0x00 - 0xff

You can also define up to four custom charsets with -1, -2, -3 and -4 (for example, -1 ?l?d makes ?1 stand for lowercase letters and digits). A literal character in a mask stands for itself, so pass?d?d tries pass00 to pass99.

Refer to the link at the end of this post for more information regarding this attack. Example:

hashcat -m 0 -a 3 <hash-file> ?l?l?l?l

Note that in attack mode 3 the positional argument after the hash file is the mask, not a wordlist; hashcat generates the candidates itself.

Notice that I've entered '3' for the attack mode, as '3' instructs hashcat to use brute-force/mask mode. hashcat --help lists the available attack modes: 0 Straight, 1 Combination, 3 Brute-force, 6 Hybrid Wordlist + Mask, 7 Hybrid Mask + Wordlist (recent versions also add 9 Association).

The password we're trying to crack is four characters long and lowercase, so the mask repeats ?l four times (one placeholder per character): 26^4 = 456,976 candidates, a fraction of a second for MD5. If you don't know the length, add --increment (-i) and hashcat will try lengths 1 up to the full mask length in turn.

You can always use hashcat --help or man hashcat command to learn more about hashcat. Or, you can visit their official website linked at the end of this blogpost to learn more about hashcat.

Pure Brute-Force Attack:

I'm addressing this attack at the end because it is probably the least favourite choice of password attack for penetration testers: its cost grows exponentially with the password length, as discussed above. In hashcat, pure brute force is just a mask attack with the broadest charset and no assumption about length. The command is:

hashcat -m 0 -a 3 example.hash

With no mask given, hashcat falls back to its built-in default mask rather than trying every possible string, so for a genuinely exhaustive search state the mask yourself and let --increment walk through the lengths:

hashcat -m 0 -a 3 --increment example.hash ?a?a?a?a?a?a?a?a

This tries every printable-ASCII password of one to eight characters, about 6.7 × 10^15 candidates in total: feasible for MD5 on a GPU rig, hopeless for a slow hash such as bcrypt.
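The mask and brute-force sections above both come down to the same engine, so here is one added Python example (an illustration written for this article, not hashcat's code) that covers both: it parses a hashcat-style mask into per-position alphabets using the built-in charsets listed earlier, computes the keyspace and the worst-case time at a given hash rate (the arithmetic from the brute-force discussion), and runs the attack with and without --increment semantics. The target hashes are constructed for the example; the 10 GH/s rate used in the main block is an assumed figure, not a benchmark.

```python
import hashlib
import itertools
import string

# hashcat's built-in charsets; ?s is space plus the 32 ASCII punctuation marks,
# ?a is the union of ?l ?u ?d ?s (95 printable characters). ?b is omitted.
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " " + string.punctuation,
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def parse_mask(mask):
    """Turn '?l?l?d' into one alphabet per position. A plain character stands
    for itself (mask 'pass?d?d' fixes the first four letters); '??' is a
    literal question mark, as in hashcat. Custom charsets (-1..-4) are not handled."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        tag = mask[i + 1]
        if tag == "?":
            positions.append("?")
        elif tag in CHARSETS:
            positions.append(CHARSETS[tag])
        else:
            raise ValueError(f"unknown charset ?{tag}")
        i += 2
    return positions


def keyspace(mask, increment=False):
    """Number of candidates the mask generates; with increment, the sum over
    lengths 1..len(mask), like hashcat --increment."""
    positions = parse_mask(mask)
    lengths = range(1, len(positions) + 1) if increment else [len(positions)]
    total = 0
    for n in lengths:
        count = 1
        for alphabet in positions[:n]:
            count *= len(alphabet)
        total += count
    return total


def seconds_to_exhaust(mask, hashes_per_second, increment=False):
    """Worst-case time to run the whole keyspace at a given cracking speed."""
    return keyspace(mask, increment) / hashes_per_second


def mask_attack(targets, mask, increment=False, algo="md5"):
    """-a 3: hash every string the mask describes and compare with the targets.
    increment=True is hashcat's -i/--increment: length 1 first, then 2, ... up
    to the full mask, which is the exhaustive search the article calls pure brute force."""
    positions = parse_mask(mask)
    lengths = range(1, len(positions) + 1) if increment else [len(positions)]
    remaining = {t.lower() for t in targets}
    potfile = {}
    for n in lengths:
        for combo in itertools.product(*positions[:n]):
            if not remaining:
                return potfile
            guess = "".join(combo)
            digest = hashlib.new(algo, guess.encode("utf-8")).hexdigest()
            if digest in remaining:
                potfile[digest] = guess
                remaining.discard(digest)
    return potfile


def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed targets: a four-letter lowercase password for the ?l?l?l?l example,
# and two short numeric PINs for the incremented ?d?d?d?d run
FOUR_LOWER = [md5hex("pass")]
PINS = [md5hex("7"), md5hex("0042")]


def demo():
    return {
        "?l?l?l?l": mask_attack(FOUR_LOWER, "?l?l?l?l"),
        "?d?d?d?d -i": mask_attack(PINS, "?d?d?d?d", increment=True),
    }


if __name__ == "__main__":
    for mask, pot in demo().items():
        print(mask, pot)
    print("26^4 lowercase keyspace:", keyspace("?l?l?l?l"))
    print("8 x ?a at an assumed 10 GH/s, days:", seconds_to_exhaust("?a" * 8, 10e9) / 86400)
```

Two things worth noticing when you run it: the incremented run finds "7" at length 1 and "0042" only at length 4 (the string "42" at length 2 is a different candidate with a different hash), and eight ?a positions come to 95^8 ≈ 6.6 × 10^15 guesses, about 7.7 days at the assumed 10 GH/s, while a ninth position multiplies that by 95 again.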

That is all for this article!

Thanks for your patience! I hope you've learnt something from this.

References/Links:


The post Hashcat: A Beginner's Guide appeared first on Hakin9 - IT Security Magazine.