‘Crack the Hash’ Write-up
I decided to do a write-up on one of the Try Hack Me rooms I finished recently, Crack the Hash and briefly explain hashes, and the process of identifying and cracking them. ‘Crack the Hash’ is a fun little challenge that demonstrates the fundamentals of cryptographic hash cracking and the importance of a long password, hashed with a strong algorithm.
This guide assumes you are working in a Kali Linux environment and have hash-identifier, hashid, hashcat and john the ripper installed and configured correctly, as well as the word lists preinstalled with Kali found at ‘/usr/share/wordlists’.
What even is hashing?
First of all we need to understand what hashing even is before we can crack it: hashing is the method of transforming any piece of data into a fixed-length string that summarizes the original data. Any piece of data can be hashed, regardless of its type or size, and the same piece of data will always produce the same hash. This hash can then be used to verify that the data has not been corrupted, modified or otherwise changed, by comparing the hash of the data you have with the hash the original data generated.
We come into contact with hashing every day through the passwords we use for our various accounts. For example, when you create an account on a social media platform, the platform likely doesn’t store your password. Instead it stores a hash of it, which is compared against the password you enter every time you log on: a hash is created of the password you provide and compared to the stored hash, and authentication is only granted when these two hashes match.
Occasionally you hear about major security breaches of big networks and how users’ passwords are often involved in these data breaches. Hackers can’t dump a huge database of plain-text passwords (because no network admin worth their salt would ever store passwords in plain text), and it isn’t a realistic task for them to crack the potentially thousands of password hashes they have, so instead they dump them on the internet for individuals to crack at their own discretion.
Hashing in cryptography is a huge field of mathematics and computer science, and this article couldn’t ever hope to do more than barely scratch the surface. If you’re interested in learning more generally about hashing, hashing algorithms and password hash cracking, I suggest the following videos by Computerphile: Hashing Algorithms and Security, SHA: Secure Hashing Algorithm and Password Cracking.
Now that we know what a hash is and how it can be used to store passwords, the concept of cracking a password hash should be clear. We hash each word in a list of words (a wordlist or dictionary) and compare the result to the target hash. If the hash of one of the words on the list matches the hash we are targeting, we have succeeded in cracking the hash.
Now generally speaking this process seems pretty straightforward — however it wouldn’t really be humanly possible for us to do these comparisons manually, as it could require thousands upon thousands of comparisons to crack a single hash. So we use tools that utilize either your CPU or GPU to automate this task at a much faster rate of comparison than a thumb-owning ape could ever hope to achieve.
The method we have described here is known as a ‘dictionary attack’. Besides dictionary attacks, there is a similar method called the ‘Rainbow Table attack’. We are going to focus on dictionary attacks, and the dictionary or wordlist we will be using is the ‘rockyou.txt’ file located at ‘/usr/share/wordlists/rockyou.txt’.
Before we can begin cracking a hash, we first have to identify what type of algorithm was used to generate the hash (or in other words, the hash format). This is important as we need to tell the tool the correct format we are targeting for it to be successful. Fortunately for us, the hash type has been provided in the challenge, but there are also a couple of tools that can help us identify hashes and the correct format to use.
Let’s run through the process of identifying and cracking a hash using one I have generated. First, save the hash to a text file (here testhash.txt) for later reference and use with hashcat and john.
Run hash-identifier and enter the hash:
hash-identifier reports the target hash as MD5. We can issue the following command to see which hashcat mode we need to use to crack it:
hashid -m e16b2ab8d12314bf4efbd6203906ea6c
Now crack the hash with hashcat by issuing the following (-m 0 is the MD5 mode hashid reported):
hashcat -m 0 testhash.txt /usr/share/wordlists/rockyou.txt
Identify the format we need to use with john:
hashid -j e16b2ab8d12314bf4efbd6203906ea6c
Crack the hash with john by issuing:
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt testhash.txt
Hashes cracked with john are also saved in the ‘~/.john/john.pot’ file, which ensures john only ever cracks a hash once (rerun john with --show on the same hash file to display them).
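To make the identify-then-compare loop concrete, here is an added Python example (my own code, not part of the original write-up and not the code of hashid, hashcat or john): it narrows a hash down to candidate formats the way hash-identifier and hashid do (by crypt-style prefix or by hex length), using the hashcat -m modes and john --format names from the commands in this write-up, then runs the dictionary comparison with hashlib over a small constructed wordlist that stands in for rockyou.txt. Only MD5, SHA1 and SHA256 are actually tried here; bcrypt, MD4/NTLM and the salted formats are left to hashcat and john.

```python
import hashlib

# Constructed mini wordlist standing in for rockyou.txt (assumption for this example).
WORDLIST = ["123456", "password", "letmein", "sunshine", "Summer2021!"]

# Candidate formats, reasoning the way hash-identifier/hashid do: a crypt-style prefix
# is unambiguous, while a bare hex digest is only narrowed down by its length, so 32 hex
# characters could be MD5, MD4 or NTLM.  Tuples are (name, hashcat -m mode, john --format).
PREFIX_FORMATS = {
    "$2": [("bcrypt", 3200, "bcrypt")],
    "$6$": [("sha512crypt", 1800, "sha512crypt")],
}
HEX_LENGTH_FORMATS = {
    32: [("MD5", 0, "raw-md5"), ("MD4", 900, "raw-md4"), ("NTLM", 1000, "nt")],
    40: [("SHA1", 100, "raw-sha1")],
    64: [("SHA256", 1400, "raw-sha256")],
}
HASHLIB_ALGORITHMS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}  # portable in hashlib

def identify_hash(digest):
    """Return candidate (name, hashcat_mode, john_format) tuples, most likely first."""
    for prefix, candidates in PREFIX_FORMATS.items():
        if digest.startswith(prefix):
            return candidates
    d = digest.strip().lower()
    if d and all(c in "0123456789abcdef" for c in d):
        return HEX_LENGTH_FORMATS.get(len(d), [])
    return []

def hash_word(word, algorithm):
    """Hex digest of one wordlist entry: the same operation a login check performs."""
    return hashlib.new(algorithm, word.encode("utf-8")).hexdigest()

def dictionary_attack(digest, algorithm, wordlist=WORDLIST):
    """Hash every candidate word and compare it with the target (what hashcat/john automate)."""
    target = digest.strip().lower()
    for word in wordlist:
        if hash_word(word, algorithm) == target:
            return word
    return None  # wordlist exhausted: the password is not in the dictionary

def crack(digest, wordlist=WORDLIST):
    """Identify the format, then try each hashlib-supported candidate; (word, name) or None."""
    for name, _mode, _john_format in identify_hash(digest):
        algorithm = HASHLIB_ALGORITHMS.get(name)
        if algorithm is None:
            continue
        word = dictionary_attack(digest, algorithm, wordlist)
        if word is not None:
            return word, name
    return None
```

A miss (None) means only that the password was not in the wordlist, which is exactly why a long, non-dictionary password hashed with a slow algorithm like bcrypt holds up: each guess costs far more and the list never contains it.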
We can apply the methodology outlined here to the rest of the challenge.
Hash Type: MD5
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash1-1.txt
hashcat -m 0 hash1-1.txt /usr/share/wordlists/rockyou.txt
Hash Type: SHA1
john --format=raw-sha1 --wordlist=/usr/share/wordlists/rockyou.txt hash1-2.txt
hashcat -m 100 hash1-2.txt /usr/share/wordlists/rockyou.txt
Hash Type: SHA256
john --format=raw-sha256 --wordlist=/usr/share/wordlists/rockyou.txt hash1-3.txt
hashcat -m 1400 hash1-3.txt /usr/share/wordlists/rockyou.txt
Hash Type: Bcrypt
john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash1-4.txt
hashcat -m 3200 hash1-4.txt /usr/share/wordlists/rockyou.txt
Hash Type: MD4
john --format=raw-md4 --wordlist=/usr/share/wordlists/rockyou.txt hash1-5.txt
hashcat -m 900 hash1-5.txt /usr/share/wordlists/rockyou.txt
Hash Type: SHA256
john --format=raw-sha256 --wordlist=/usr/share/wordlists/rockyou.txt hash2-1.txt
hashcat -m 1400 hash2-1.txt /usr/share/wordlists/rockyou.txt
Hash Type: NTLM
john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt hash2-2.txt
hashcat -m 1000 hash2-2.txt /usr/share/wordlists/rockyou.txt
Hash Type: SHA512
john --wordlist=/usr/share/wordlists/rockyou.txt hash2-3.txt
hashcat -m 1800 hash2-3.txt /usr/share/wordlists/rockyou.txt
Hash Type: HMAC-SHA1
john --wordlist=/usr/share/wordlists/rockyou.txt hash2-4.txt
hashcat -m 160 hash2-4.txt /usr/share/wordlists/rockyou.txt
As you probably noticed, a couple of the hashes took considerably longer for the tools to crack than the others. This is partly because the more computationally expensive a hashing algorithm is (bcrypt is deliberately slow), the longer every single guess takes, and the harder the hash is to crack.
Two of the hashes contain a ‘salt’, which is something we didn’t touch on in this article. You can read more here about salting a hash and how it helps secure the hash even further.
Much like we practiced on a hash I generated before completing the challenge, if you want to practice the process some more you can generate your own hashes to crack. Hashes of a variety of types can be generated online or using hash tools in Linux (such as md5sum or sha256sum; use echo -n so the trailing newline isn’t hashed along with the password).
Lastly, you should probably go and change your passwords right now because at some point or another, your various account credentials have probably been involved in a data breach.