0x3: Password Hash Cracking

‘Crack the Hash’ Write-up

I decided to do a write-up on one of the Try Hack Me rooms I finished recently, Crack the Hash and briefly explain hashes, and the process of identifying and cracking them. ‘Crack the Hash’ is a fun little challenge that demonstrates the fundamentals of cryptographic hash cracking and the importance of a long password, hashed with a strong algorithm.

[Image: xkcd “Password Strength”, https://xkcd.com/936/]

This guide assumes you are working in a Kali Linux environment and have hash-identifier, hashid, hashcat and john the ripper installed and configured correctly, as well as the word lists preinstalled with Kali found at ‘/usr/share/wordlists’.

What even is hashing?

First of all we need to understand what hashing is before we can crack it: hashing is the process of transforming any piece of data into a fixed-length string, the hash, that serves as a unique fingerprint of the original data. Any piece of data can be hashed, regardless of its type or size, and the same input will always produce the same hash. The hash can then be used to verify that the data has not been corrupted or modified: if the data no longer produces the hash it originally generated, it has changed.

We come into contact with hashing every day through the passwords in our various credentials. For example, when you create an account on a social media platform, the platform most likely doesn’t store your password. Instead it stores a hash of it, which is compared against the password you enter every time you log on: a hash is created from the password you provide and compared to the stored hash, and authentication is only granted when the two hashes match.

Occasionally you hear about major security breaches of big networks and how users’ passwords are often involved in these data breaches. Hackers can’t dump a huge database of plain text passwords (because no network admin worth their salt would ever store passwords in plain text), and it isn’t a realistic task for them to crack the potentially thousands of password hashes they have, so instead they dump them on the internet for individuals to crack at their own discretion.

Hashing in cryptography is a huge field of mathematics and computer science, and this article couldn’t ever hope to do more than barely scratch the surface. If you’re interested in learning more generally about hashing, hashing algorithms and password hash cracking, I suggest the following videos by Computerphile: Hashing Algorithms and Security, SHA: Secure Hashing Algorithm and Password Cracking.

Password Cracking

Now that we know what a hash is and how it can be used to store passwords, the concept of cracking a password hash should be clear. We take a list of words (a wordlist or dictionary), hash each one and compare the result to a target hash. If the hash generated from one of the words on the list matches the hash we are targeting, we have succeeded in cracking the hash.

Generally speaking this process is pretty straightforward. However, it wouldn’t really be humanly possible for us to do these comparisons manually, as it can require thousands upon thousands of comparisons to crack a single hash. So we use tools that utilize either your CPU or GPU to automate this task at a far higher rate of comparison than a thumb-owning ape could ever hope to achieve.

The method we have described here is known as a ‘dictionary attack’. Besides dictionary attacks, there is a similar method called the ‘Rainbow Table attack’. We are going to focus on dictionary attacks, and the dictionary or wordlist we will be using is the ‘rockyou.txt’ file located at ‘/usr/share/wordlists/rockyou.txt’.

Hash Identification

Before we can begin cracking a hash, we first have to identify what type of algorithm was used to generate it (in other words, the hash format). This is important because we need to tell the tool the correct format of the hash we are targeting for it to succeed. Fortunately for us the hash type has been provided in the challenge, but there are also a couple of tools that can help us identify hashes and the correct format to use.
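The following is an added example, not part of the original write-up or of hashcat/john: a small Python script that identifies a hash by its shape (mapping it to the hashcat `-m` mode and john `--format` used later in this post) and then runs the dictionary attack described above with `hashlib` over a constructed stand-in wordlist. It deliberately refuses the salted, slow formats (bcrypt, sha512crypt), which is the point: their embedded salt and cost factor are exactly what makes them expensive to crack. The wordlist and the sample targets are constructed for the demonstration.

```python
import hashlib
import re

# Hash shapes mapped to the hashcat mode (-m) and john --format used in this
# write-up. Unsalted hex digests can only be told apart by length, so a 32-char
# hex string could be MD5, MD4 or NTLM: confirm with hashid/hash-identifier.
HASH_FORMATS = [
    (re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "bcrypt", 3200, "bcrypt"),
    (re.compile(r"^\$6\$[^$]+\$[./A-Za-z0-9]{86}$"), "sha512crypt", 1800, "sha512crypt"),
    (re.compile(r"^[0-9a-fA-F]{32}$"), "MD5 (or MD4/NTLM)", 0, "raw-md5"),
    (re.compile(r"^[0-9a-fA-F]{40}$"), "SHA1", 100, "raw-sha1"),
    (re.compile(r"^[0-9a-fA-F]{64}$"), "SHA256", 1400, "raw-sha256"),
]

# Only the unsalted fast hashes are handled by this toy cracker; the salted
# slow formats carry a salt and cost factor in the string and need a real tool.
FAST_ALGOS = {0: "md5", 100: "sha1", 1400: "sha256"}


def identify(target):
    """Return (name, hashcat_mode, john_format) for a hash, or None if unknown."""
    for pattern, name, mode, fmt in HASH_FORMATS:
        if pattern.match(target):
            return name, mode, fmt
    return None


def dictionary_attack(target, wordlist):
    """Hash every candidate word and compare it to the target.

    Returns (cracked_word_or_None, number_of_candidates_tried).
    """
    info = identify(target)
    if info is None or info[1] not in FAST_ALGOS:
        return None, 0  # unknown shape, or a slow salted format we don't do
    algo = FAST_ALGOS[info[1]]
    wanted = target.lower()  # hex digests compare case-insensitively
    tried = 0
    for word in wordlist:
        tried += 1
        if hashlib.new(algo, word.encode("utf-8")).hexdigest() == wanted:
            return word, tried
    return None, tried


if __name__ == "__main__":
    # Constructed stand-in for rockyou.txt; a real run would stream the file.
    words = ["letmein", "123456", "sunshine", "password", "qwerty"]
    for h in ["5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password"), constructed target
              "$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom"]:
        print(h[:24], identify(h), dictionary_attack(h, words))
```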

Practice Run

Let’s run through the process of identifying and cracking a hash using one I have generated. First, save the hash to a text file (testhash.txt) for later reference and for use with hashcat and john.

Hash: e16b2ab8d12314bf4efbd6203906ea6c

Run hash-identifier and enter the hash:

[Screenshot: hash-identifier output]

We have identified the target hash as being the hash type MD5. We can issue the following command to see which format we need to use with hashcat to crack it:

hashid -m e16b2ab8d12314bf4efbd6203906ea6c

[Screenshot: hashid -m output]

Now we crack the hash with hashcat by issuing the following:

hashcat -m 0  testhash.txt /usr/share/wordlists/rockyou.txt

[Screenshot: hashcat output]

Identify the format we need to use with john:

hashid -j e16b2ab8d12314bf4efbd6203906ea6c

[Screenshot: hashid -j output]

Crack the hash with john by issuing:

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt testhash.txt

[Screenshot: john output]

Hashes cracked with john are also saved in the ‘~/.john/john.pot’ file, which is how john ensures it only ever cracks a given hash once.

We can apply the methodology outlined here to the rest of the challenge.

Task 1.1

Hash: 48bb6e862e54f2a795ffc4e541caed4d

Hash Type: MD5

john:

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash1-1.txt

hashcat:

hashcat -m 0 hash1-1.txt /usr/share/wordlists/rockyou.txt

Task 1.2

Hash: CBFDAC6008F9CAB4083784CBD1874F76618D2A97

Hash Type: SHA1

john:

john --format=raw-sha1 --wordlist=/usr/share/wordlists/rockyou.txt hash1-2.txt

hashcat:

hashcat -m 100 hash1-2.txt /usr/share/wordlists/rockyou.txt

Task 1.3

Hash: 1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032

Hash Type: SHA256

john:

john --format=raw-sha256 --wordlist=/usr/share/wordlists/rockyou.txt hash1-3.txt

hashcat:

hashcat -m 1400 hash1-3.txt /usr/share/wordlists/rockyou.txt

Task 1.4

Hash: $2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom

Hash Type: Bcrypt

john:

john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash1-4.txt

hashcat:

hashcat -m 3200 hash1-4.txt /usr/share/wordlists/rockyou.txt

Task 1.5

Hash: 279412f945939ba78ce0758d3fd83daa

Hash type: MD4

john:

john --format=raw-md4 --wordlist=/usr/share/wordlists/rockyou.txt hash1-5.txt

hashcat:

hashcat -m 900 hash1-5.txt /usr/share/wordlists/rockyou.txt

Task 2.1

Hash: F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85

Hash Type: SHA256

john:

john --format=raw-sha256 --wordlist=/usr/share/wordlists/rockyou.txt hash2-1.txt

hashcat:

hashcat -m 1400 hash2-1.txt /usr/share/wordlists/rockyou.txt

Task 2.2

Hash: 1DFECA0C002AE40B8619ECF94819CC1B

Hash Type: NTLM

john:

john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt hash2-2.txt

hashcat:

hashcat -m 1000 hash2-2.txt /usr/share/wordlists/rockyou.txt

Task 2.3

Hash: $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.

Hash Type: SHA512

john:

john --wordlist=/usr/share/wordlists/rockyou.txt hash2-3.txt

hashcat:

hashcat -m 1800 hash2-3.txt /usr/share/wordlists/rockyou.txt

Task 2.4

Hash: e5d8870e5bdd26602cab8dbe07a942c8669e56d6

Hash Type: HMAC-SHA1

john:

john --wordlist=/usr/share/wordlists/rockyou.txt hash2-4.txt

hashcat:

hashcat -m 160 hash2-4.txt /usr/share/wordlists/rockyou.txt

Final Thoughts:

As you probably noticed, a couple of the hashes took considerably longer for the tools to crack than the others. This is partly because the more computationally expensive a hashing algorithm is, the longer each guess takes and the harder the hash is to crack.

Two of the hashes contain a ‘salt’, which is something we didn’t touch on in this article. You can read more here about salting a hash and how it helps secure the hash even further.

Much like we practiced on a hash I generated before completing the challenge, if you want to practice the process some more you can generate your own hashes to crack. Hashes of a variety of types can be generated online or using the hash tools available in Linux.

Lastly, you should probably go and change your passwords right now because at some point or another, your various account credentials have probably been involved in a data breach.
