As a penetration tester we can’t ignore hash cracking if we even can do pass-the-hash. Hash cracking could be one of the last resort if nothing work. Hashcat is the most popular and fastest program to crack password hash. I have included most common technique that can be used in hashcat to crack password hash.
Installation
apt install cmake build-essential -y
apt install checkinstall git -y
git clone https://github.com/hashcat/hashcat.git
make && make installPerformance on nVidia 3080 Ti
Performance check for all supported hash:
hashcat -bHere is the full output
Performance check for specific hash:
hashcat -b -m 100Output:
Hashcat Basic Command
#Available commands
hashcat --help
#Identify hash
hashcat --identify hash.txt
#Restore Session
hashcat --restore
hashcat --restore --session session_nameExample
This command will make a dictionary attack against SHA1 hash by specifying session name
#Start Brute Forcing
hashcat -a 0 -m 100 --session session1 hash.txt pass.txt
#Restore later, if you terminated the brute force
hashcat --restore --session session1-a 0 is the attack mode, -m 100 is the hash type, --session session1 is the session name to restore later
Attack Mode
Attack mode:
#Attack Mode -a digit
---------------------------------------
1. Dictionary Attack -a 0
2. Combination Attack -a 1
3. Brute Force Attack -a 3
4. Mask Attack and Hybrid -a 6 or 7
5. Rule Based Attack
6. Association -a 9Dictionary Attack
If this attack mode is used, hashcat will use a dictionary file to check against the hash/hashes. The dictionary file could be rockyou.txt or other better one.
Example
hashcat -a 0 -m 100 --session session1 hash.txt words.txtCombination Attack
This attack mode combine two dictionary to make valid passwords. For example if we have words.txt contains:
password
adminAnd words1.txt
CityThen with this attack mode password word will be generated contains:
Command:
hashcat -a 1 -m 100 hash.txt words.txt words1.txtValid password will be generated:
passwordCity
adminCityIt is also possible to append or prepends additional characters:
hashcat -a 1 --rule-left='$#' --rule-right='$$' --stdout words.txt words1.txtpassword#City$
admin#City$Example
hashcat -a 1 -m 100 --rule-left='$#' --rule-right='$$' words.txt words1.txtBrute Force Attack
Traditionally brute force mean, try all possible words combination of a-zA-z~!@#$%^&*()_+=|\]}{/ which is not realistic(at least for me). If we want to brute force e61a5821062add06b1b6e96a228c378d6f187cec with length of 8, the command is:
hashcat -a 3 -m 100 -O -1 ?u?l?s?d /tmp/hash.txt ?1?1?1?1?1?1?1?1It needs more than 3 days:
Imagine, how long hashcat needs to crack a hash of 10 chars password(2 years?).
Mask and Charsets
From Hashcat website:
Hashcat charsets:
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xffSo a custom charsets can be like:
-1 ?l?u?d
-1 ubcdefUBCDEF?s?dExample
Using custom charset technique we still can crack the password in a short time:
#d574df7a0e1fe169b3743344c3f69c0b14ae86a1:Test12345#
hashcat -a 3 -m 100 -O -1 esTt?d?s /tmp/hash.txt Test?1?1?1?1?1?1
#870d1afa2fc48ebbf1cd2c549ee2d456ad470bc1:Test123#
hashcat -a 3 -m 100 -O -1 Test?d?s /tmp/hash.txt ?d?d?d?sThe requirement for this to work we need to know/guess the Password length, and first few chars. But if we know nothing about the password then best bet is Rule based attack with a good dictionary.
Association attack
This is a new feature added to hashcat which is use an username, a filename, a hint, or any other pieces of information which could have had an influence in the password generation to attack one specific hash.
Example
hashcat -m 3200 has1.txt words.txt -o result.txt -a 9 -r /opt/hashcat/rules/best64.ruleHybrid Attack
Hybrid attack is combined dictionary with Brute force attack. This mean, the brute force word will be appended or prepended.
As an example the words.txt contains:
password
adminIf we want to add all possible 4 digits at the end of each word in the words.txt, following command will do the trick:
.... -a 6 words.txt ?d?d?d?dand if we want to prepend:
.... -a 7 ?d?d?d?d words.txtAs a demonstration, hashcat is in --stdout mode:
test@redtm: hashcat -a 6 --stdout words.txt ?d
password1
password0
password2
password3
password9
password4
password5
password8
password7
password6
admin1
admin0
admin2
admin3
admin9
admin4
admin5
admin8
admin7
admin6
test@redtm: hashcat -a 6 -j '^#' --stdout words.txt ?d
#password1
#password0
#password2
#password3
#password9
#password4
#password5
#password8
#password7
#password6
#admin1
#admin0
#admin2
#admin3
#admin9
#admin4
#admin5
#admin8
#admin7
#admin6Example
If appended then -a 6 and if prepended -a 7
#Appened brute force digits and also prepend an special char
#Cracked- 03174b1c507223f0b5bb5349cf999c33678bd0fc:#password1
#
hashcat -m 100 -a 6 -j '^#' hash2.txt words.txt ?d
#Prepend brute forced digits and appened an special char
# Cracked - 734eab43f4d197ab226ce5b12cfcc4ded486af72:21admin#
#
hashcat -m 100 -a 7 -k '$#' hash2.txt ?d?d words.txtRule-based attack(Favorite)
This is the most efficient attack for password cracking. A simple password can be converted to a complex password with hashcat rules. For example with only one word password combining two hashcat rules can generate 44113 unique complex password.
When Rule-based attack is useful?
- Common dictionary failed.
- Password is in a minimum length.
- Password has a specific policy(Upper+Lower+Num+Special=Valid password?).
If we want to do traditional brute force a hash of plaintext Pas$w0rd! it may take years. Rockyou.txt will fail because it does not has such a complex word but it must contains password . Peoples choose the easy password but meet the password policy just by replacing some characters.
Here rule based attack comes to play.
Built-in rules in hashcat
test@redtm: ls /opt/hashcat/rules/
best64.rule d3ad0ne.rule generated.rule InsidePro-HashManager.rule oscommerce.rule T0XlC-insert_00-99_1950-2050_toprules_0_F.rule T0XlC.rule toggles2.rule toggles5.rule
combinator.rule dive.rule hybrid InsidePro-PasswordsPro.rule rockyou-30000.rule T0XlC-insert_space_and_special_0_F.rule T0XlCv1.rule toggles3.rule unix-ninja-leetspeak.rule
custom.rule generated2.rule Incisive-leetspeak.rule leetspeak.rule specific.rule T0XlC-insert_top_100_passwords_1_G.rule toggles1.rule toggles4.rule
test@redtm: ls /opt/hashcat/rules/hybrid
append_d_passthrough.rule append_hl.rule append_ldus_passthrough.rule append_lus.rule prepend_ds_passthrough.rule prepend_hu.rule prepend_l_passthrough.rule prepend_s.rule
append_d.rule append_hu_passthrough.rule append_ldus.rule append_s_passthrough.rule prepend_ds.rule prepend_ld_passthrough.rule prepend_l.rule prepend_u_passthrough.rule
append_ds_passthrough.rule append_hu.rule append_l_passthrough.rule append_s.rule prepend_du_passthrough.rule prepend_ld.rule prepend_ls_passthrough.rule prepend_u.rule
append_ds.rule append_ld_passthrough.rule append_l.rule append_u_passthrough.rule prepend_du.rule prepend_lds_passthrough.rule prepend_ls.rule prepend_us_passthrough.rule
append_du_passthrough.rule append_ld.rule append_ls_passthrough.rule append_u.rule prepend_dus_passthrough.rule prepend_lds.rule prepend_lu_passthrough.rule prepend_us.rule
append_du.rule append_lds_passthrough.rule append_ls.rule append_us_passthrough.rule prepend_dus.rule prepend_ldu_passthrough.rule prepend_lu.rule
append_dus_passthrough.rule append_lds.rule append_lu_passthrough.rule append_us.rule prepend_hl_passthrough.rule prepend_ldu.rule prepend_lus_passthrough.rule
append_dus.rule append_ldu_passthrough.rule append_lu.rule prepend_d_passthrough.rule prepend_hl.rule prepend_ldus_passthrough.rule prepend_lus.rule
append_hl_passthrough.rule append_ldu.rule append_lus_passthrough.rule prepend_d.rule prepend_hu_passthrough.rule prepend_ldus.rule prepend_s_passthrough.ruleCombine two or more rules
In my opinion, For effectiveness it is best to combine two or more rules to meet the password policy. For example:
hashcat ..... -r /opt/hashcat/rules/leetspeak.rule -r /opt/hashcat/rules/InsidePro-HashManager.rule ...Can we Crack sha1 of P@ssword?
I have not tried all rules but i think a single rule can’t crack it
hashcat -a 0 -m 100 -r /opt/hashcat/rules/leetspeak.rule hash.txt words.txtBut combining two rule was able to crack
hashcat -a 0 -m 100 -r /opt/hashcat/rules/leetspeak.rule -r /opt/hashcat/rules/InsidePro-HashManager.rule hash.txt words.txtCan we Crack sha1 of P@ssw0rd92?
I was able to crack the hash by combining 3 rules:
hashcat -a 0 -m 100 -r /opt/hashcat/rules/leetspeak.rule -r /opt/hashcat/rules/InsidePro-HashManager.rule -r /opt/hashcat/rules/best64.rule hash.txt words.txtWriting rules
Hashcat allow to write our own rule. This is useful when we want more custom word from a dictionary file. For example, combining bellow rule can generate P@ssw0rd1@ if the dictionary has password word:
$@
^%Here is the output from hashcat stdout mode:
For quick reference a screenshot taken from hashcat website for available functions:
Finally
Lot’s can be done with hashcat. But password cracking success depend on how good our dictionary is and how we combine the rules. This post is for future reference so that i can do some copy pasting in real job :) . Also i will keep updating when i do more experiment!
