by
Taylor Cook
Master of Computer Security
This book is dedicated to all Cyber Security students – have the time of your
life!
This ebook is licensed for your personal enjoyment only. This ebook may not
be re-sold or given away to other people. If you would like to share this book
with another person, please purchase an additional copy for each person you
share it with.
Copyright © 2017 T. Cook. All rights reserved. Including the right to
reproduce this book or portions thereof, in any form. No part of this text may
be reproduced in any form without the express written permission of the
author.
Version 2017.01
1 What is a Hash?
Rule sets. In the initial stages of password cracking we will not use rule sets.
However, once you become proficient, rule sets are invaluable for tackling
complex passwords.
We can use Hash Identifier to give us a good idea as to the possible hashing
algorithm.
STEP 2 – HOW TO IDENTIFY THE HASH IN ORDER TO CRACK IT
KALI Hash-Identifier
Hash-Identifier is preinstalled within Kali under:
05 > Password Attacks > Offline Attacks >
Hash Identifier reports the most likely algorithm from the hash's length and
character set. Several algorithms produce output that looks identical (MD5,
MD4 and NTLM are all 32 hexadecimal characters), so treat its answer as a first
guess and confirm it against the example hashes on the hashcat wiki, or simply
by trying the candidate mode.
In Windows, you can download HashID from this site:
https://sourceforge.net/projects/hashidentifier/
Paste in the hash and it will identify the likely hashing algorithm. I hashed
“hashcat” in MD5, and Hash Identifier reported it as an MD5 hash.
WORD.TXT
/root/Documents/Hashcat/word.txt holds the 3 test passwords, one per line.
HASH.TXT
In hash.txt, put the MD5 hashes of the 3 test passwords in word.txt, one hash
per line.
To get MD5 hashes for practice passwords, you can visit:
http://www.miraclesalad.com/webtools/md5.php
Type in “password” and the MD5 hash will appear. Only do this with throwaway
practice passwords: never paste real passwords, or hashes recovered from a
target, into a third-party web page. Whatever tool you use, the hash must be of
the bare string with no trailing newline, or hashcat will never match it.
/root/Documents/Hashcat/hash.txt holds the hashes.
Hashcat will write the cracked passwords into cracked.txt, so we do not create
or edit this file by hand.
That’s all our prep set up. Now we move onto using Hashcat.
If you wish to check that the files contain the data entered, use leafpad to
open the file and double-check:
leafpad /root/Documents/Hashcat/word.txt
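The same preparation done locally on Kali, as an added example that is not part of the book: it writes word.txt and hash.txt with md5sum instead of a web form, and shows the trailing-newline mistake that makes a hash uncrackable. The three practice passwords (password, hashcat, 1234) are the ones used elsewhere in this chapter; LAB is an assumed variable that defaults to a temporary directory, so set LAB=/root/Documents/Hashcat to reproduce the book's layout.

```shell
#!/bin/sh
# Added example: build the word.txt / hash.txt pair locally with md5sum.
# LAB is an assumed variable; the book keeps its files in /root/Documents/Hashcat.
LAB=${LAB:-$(mktemp -d)}

# MD5 of a string WITHOUT a trailing newline. printf '%s' writes exactly the
# bytes of the password; this is what hashcat will compute for each candidate.
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# The common mistake, kept for contrast: echo appends "\n", so this is the
# hash of "password\n", and a wordlist entry "password" can never match it.
md5_of_with_newline() {
    echo "$1" | md5sum | cut -d' ' -f1
}

# make_lab DIR WORD... -> writes DIR/word.txt (one word per line) and
# DIR/hash.txt (matching MD5 digests, one per line) and prints DIR
make_lab() {
    dir=$1; shift
    mkdir -p "$dir"
    : > "$dir/word.txt"
    : > "$dir/hash.txt"
    for w in "$@"; do
        printf '%s\n' "$w" >> "$dir/word.txt"
        md5_of "$w" >> "$dir/hash.txt"
    done
    printf '%s\n' "$dir"
}

make_lab "$LAB" password hashcat 1234 >/dev/null
echo "word.txt and hash.txt written to $LAB"
echo "right: $(md5_of password)   wrong (with newline): $(md5_of_with_newline password)"
echo "crack with: hashcat -a 0 -m 0 --outfile=$LAB/cracked.txt $LAB/hash.txt $LAB/word.txt"
```

The hash.txt this produces contains bare digests only; hashcat's own output and potfile use hash:plain, which is why we never feed cracked.txt back in as a hash file.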
2 KALI Linux - Hashcat
Hashcat comes preinstalled on KALI Linux, and these screenshots are from
KALI 2017.1.
Remember that we created those 3 text files earlier? This is where we use
them.
When we created the text documents, they were saved to
/root/Documents/Hashcat.
If you saved the text files to a different directory, then now is the time to
write down the full path.
STEP 4 – RUN HASHCAT
The basic form (-a 0 is the straight dictionary attack, -m 0 is MD5):
hashcat -a 0 -m 0 /root/Documents/Hashcat/hash.txt /root/Documents/Hashcat/word.txt
To save the results to a file as well, add --outfile:
hashcat -a 0 -m 0 --outfile=/root/Documents/Hashcat/cracked.txt /root/Documents/Hashcat/hash.txt /root/Documents/Hashcat/word.txt
Add --force only if hashcat refuses to start, which usually happens in a
virtual machine without a supported OpenCL driver; it suppresses those
warnings and should not be needed on real hardware.
Hashcat finds all 3 passwords. Each line of cracked.txt is written as
hash:plaintext, so typing leafpad cracked.txt displays the recovered
passwords next to the hashes they came from.
locate -i "*potfile*"
Here we can see the potfile at /root/.hashcat/hashcat.potfile. Hashcat keeps
it in the .hashcat directory under the home directory of the user running it
(root on Kali), whatever directory hashcat was started from. It records every
hash:plain pair ever cracked, so a hash that is already in it is reported as
already found in the potfile rather than cracked again.
Next, we use Leafpad to open and delete the contents of the potfile:
leafpad /root/.hashcat/hashcat.potfile
Alternatively, leave the potfile alone and run with --potfile-disable, which
makes hashcat ignore it for that session, or use --show to print what it
already holds.
Next we add a 4th word (coffee) to our wordlist and add its MD5 hash to
hash.txt.
Important
In a straight dictionary attack (-a 0 with no rules), a password that is not
in word.txt, or whatever wordlist we use, cannot be cracked.
3 – Download Larger Wordlists
So far, we have only 3 words. The real power comes when we add large
wordlists.
In order to crack a password, the base word of the password must be
contained in the wordlist.
After a major security breach, the stolen password lists often leak onto the
Internet, and lists of real passwords make the most effective wordlists.
The password lists kept by Daniel Miessler in SecLists offer a broad range of
easy to use wordlists, starting with the 500 or 10,000 most common passwords:
https://github.com/danielmiessler/SecLists/tree/master/Passwords
If you look up the worst 500 passwords, you can paste them into the word.txt
file and use this in Hashcat.
Copy the top 500 worst passwords into word.txt.
cat /etc/shadow
Kali 2017.1 logs you in as root, so the file is readable; on other systems
you need sudo. Did you see the root hash listed on the first line?
root:$6$tZ5sZcY8$HN2NbtT6i4H3i4ScGve6CsPLQHd3pZD2w3Pcfh7wsuKwGjghK5Gi
We look up the mode number for this hash type: the $6$ prefix means
sha512crypt, which hashcat lists as mode 1800 ($1$ is md5crypt, mode 500, and
$5$ is sha256crypt, mode 7400).
Next, we consider the text between the second and third $ signs (tZ5sZcY8
here); this is called the “Salt”.
THE SALT IS BETWEEN THE $DOLLARSIGN$
A salt is a random value generated when the password is set, stored in clear
next to the hash and mixed into the calculation, so that the hash differs even
where the same password has been used. It is not a secret; its job is to stop
one precomputed table, or one guess, from being checked against every account
at once.
So if 10,000 Kali installations have the default password of “toor”, the hash
would be different for every installation, because the salt alters the hash.
For the cracker this means every candidate must be hashed once per salt, which
is why a list of salted hashes cracks more slowly than a list of plain MD5s.
SELECT A LARGE ENOUGH DICTIONARY
The plain text password has to be in the dictionary in order for it to be
cracked. Therefore we need to find a dictionary that contains the word
“toor”.
Luckily “toor” is included in this dictionary:
https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_l
As this is a large wordlist, download the raw file directly rather than
copying it through leafpad, which struggles with files of this size, and
point hashcat at the downloaded file as the wordlist.
To cheat, I have pasted “toor” into the first line of word.txt, to speed up the
recovery time.
HASHCAT SYNTAX TO CRACK KALI LINUX HASHES.
Here is the moment we have been waiting for: the syntax to crack the Kali
root hash. It is the same straight attack as before, with -m 1800 for
sha512crypt and a hash file containing the $6$ string copied from /etc/shadow.
This time, the output was saved to a file called cracked1.txt, and toor has
been identified.
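An added example, not from the book, that pulls apart a crypt(3)-style hash such as the Kali root entry into id, salt and digest, maps the id to the hashcat mode, and shows that one password under two salts gives two different hashes. The salt tZ5sZcY8 and the password toor are the ones from the text; the second salt 8YcZs5Zt is an assumed value for the demonstration; the hash generation uses `openssl passwd -6`, which needs OpenSSL 1.1.1 or later, and is skipped if that is unavailable. Nothing here reads /etc/shadow.

```shell
#!/bin/sh
# Added example: parse $id$salt$digest strings and map them to hashcat modes.
# Salt tZ5sZcY8 and password toor come from the text; salt 8YcZs5Zt is assumed.

# crypt_field STRING N -> Nth "$"-separated field: 1 = id, 2 = salt, 3 = digest
crypt_field()  { printf '%s' "$1" | cut -d'$' -f$(( $2 + 1 )); }
crypt_id()     { crypt_field "$1" 1; }
crypt_salt()   { crypt_field "$1" 2; }
crypt_digest() { crypt_field "$1" 3; }

# crypt_mode STRING -> hashcat -m number for the common crypt(3) families
crypt_mode() {
    case $(crypt_id "$1") in
        1) echo 500  ;;      # md5crypt      $1$
        5) echo 7400 ;;      # sha256crypt   $5$
        6) echo 1800 ;;      # sha512crypt   $6$
        *) echo unknown ;;   # bcrypt ($2y$) and others use different field layouts
    esac
}

# shadow_hash LINE -> second field of an /etc/shadow line (user:hash:lastchg:...)
shadow_hash() { printf '%s' "$1" | cut -d: -f2; }

# sha512crypt SALT PASSWORD -> "$6$salt$digest", or nothing if openssl lacks -6
sha512crypt() { openssl passwd -6 -salt "$1" "$2" 2>/dev/null || :; }

h1=$(sha512crypt tZ5sZcY8 toor)
h2=$(sha512crypt 8YcZs5Zt toor)      # same password, assumed second salt
if [ -n "$h1" ] && [ -n "$h2" ]; then
    echo "salt tZ5sZcY8: $h1"
    echo "salt 8YcZs5Zt: $h2"
    if [ "$h1" != "$h2" ]; then echo "same password, different salt: different hash"; fi
else
    # openssl too old for -6: fall back to the (truncated) hash shown in the text
    h1='$6$tZ5sZcY8$HN2NbtT6i4H3i4ScGve6CsPLQHd3pZD2w3Pcfh7wsuKwGjghK5Gi'
fi

echo "id=$(crypt_id "$h1") salt=$(crypt_salt "$h1") hashcat mode=$(crypt_mode "$h1")"
echo "put the full \$6\$ line in root_hash.txt, then:"
echo "hashcat -a 0 -m $(crypt_mode "$h1") --outfile=cracked1.txt root_hash.txt word.txt"
```

If you keep the whole root:$6$... line instead of just the hash, add --username to the hashcat command so it skips the user name field; either way the salt is read from the hash itself and is never given on the command line.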
FAMOUS HACKING DICTIONARIES.
The two major cracking dictionaries are RockYou and CrackStation.
ROCKYOU
RockYou contains 14 million unique passwords. It also ships with Kali as
/usr/share/wordlists/rockyou.txt.gz; decompress it with gunzip before use.
https://github.com/danielmiessler/SecLists/tree/master/Passwords
CRACKSTATION
CrackStation offers a 15 GB version, or the “human passwords only” wordlist,
which has only 64 million passwords.
Download CrackStation by torrent:
https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm
WEAKPASS
Be careful to check the size of the download; the smallest download on
Weakpass is 28 GB.
http://weakpass.com/download
4 – Rule Sets
On Kali the rule files that ship with Hashcat are in /usr/share/hashcat/rules
(on other installs, the rules folder under the Hashcat directory).
Hashcat states that “the rule based attack is one of the most complicated of
the attack modes. The rule based attack is like a programming language
designed for password generation”.
Each rule tells Hashcat how to modify, cut or extend a word from the wordlist
before hashing it, so one wordlist entry becomes many candidates. Because the
candidates follow real user habits, this is usually the most efficient attack.
When users must have a number in their password, they will normally add it
to the end of the password.
Where the minimum password length has been set to say 8 characters, a rule
can reject any candidate of 7 or fewer characters, so Hashcat does not waste
time hashing them.
The use of rules makes any attack more precise and faster. You can open each
rule file in Leafpad, and this is a great way to learn more about rule sets.
There are screenshots of each rule set in the next section.
LEETSPEAK RULE SET
The Leetspeak rule set enables Hashcat to replace standard letters with a
number or special character.
A common transformation would be to change “password” in the wordlist to
“p4ssw0rd” or “p@55w0rd”. Use Leafpad to open up the leetspeak rule.
LEETSPEAK ATTACK SYNTAX
This means:
-m 0 – specifies the hashing algorithm applied, which in this case is MD5.
This can be found using the Hash Identifier tool. No attack mode is given, so
hashcat uses its default, -a 0, the straight dictionary attack.
hash.txt – the file with the hashes in.
word.txt – the file with the base passwords in.
-r – specifies that a rule set will be used in this cracking session.
-r /usr/share/hashcat/rules/leetspeak.rule – specifies the location of the
rule set (a relative path such as rules/leetspeak.rule only works when hashcat
is run from its own directory).
--outfile=cracked1.txt – txt file of cracked passwords.
Leetspeak rules change single characters, such as a into a 4 or an @. The
leetspeak rules are below.
If we generate an MD5 hash for “p@ssword” and paste that into hash.txt, while
word.txt still contains only “password”, what happens?
Hashcat has converted our “password” base word into the various leetspeak
options and has recovered “p@ssword”.
Note: the word.txt file never contained “p@ssword”, only “password”.
Wasn’t that fun?
So what does this imply for complex passwords that use numbers to replace
letters? A substitution the rule set already knows about adds almost nothing:
“p@ssword” fell in the same run as “password”.
There is a contentious debate within Cyber Security regarding overly
complex passwords.
Each extra character multiplies the search space by the size of the character
set, not merely doubles it: with lower case letters only that is 26 times,
and with all printable characters 95 times. So brute forcing an 11-character
password needs between 26 and 95 times as many guesses as a 10-character one.
Hence, many researchers consider a longer password to be more robust than a
shorter complex password.
Personally, I would recommend a password of at least 14 characters, in
addition to the use of a structured password to assist our memory. Structure
is important to recall, and the reason that complex passwords are so difficult
to remember is that they are unstructured.
Of course, it makes sense to add special characters to a password, as this
increases the “keyspace” to the 95 printable keys on a keyboard. If you only
used lower case letters, that is a keyspace of 26 in the English alphabet. The
point of special characters is to increase the keyspace, which slows down a
cracker, but only if they sit where a rule would not predict them.
BEST64 RULE SET
There is a lot more going on inside this rule set, so it’s worth reading
carefully.
hashcat -m 0 hash.txt word.txt -r /usr/share/hashcat/rules/best64.rule --outfile=cracked1.txt --force
This means:
-m 0 – specifies the hashing algorithm applied, which in this case is MD5.
This can be found using the Hash Identifier tool.
hash.txt – the file with the hashes in.
word.txt – the file with the base passwords in.
-r – specifies that a rule set will be used in this cracking session.
-r /usr/share/hashcat/rules/best64.rule – specifies the location of the rule set.
--outfile=cracked1.txt – txt file of cracked passwords.
--force – ignores the driver warnings that stop hashcat starting in a virtual
machine; leave it out on real hardware.
So let’s add the MD5 hash for “password9” into our hash.txt file and see if
this rule will add “9” to the word “password” contained in the word file.
Hash.txt now contains the hash for “password9”, and best64 recovers it.
Awesome, right?
The same idea scales up: when users add a year to their password, the much
larger InsidePro-PasswordsPro.rule set in the same directory is our best
friend.
Inside the PasswordsPro rule you will see the single-letter rule functions
(for example $ appends a character, ^ prepends one, T toggles the case at a
position and s substitutes one character for another); it is worth researching
them before moving on to Masks.
Next is a table which shows how advanced these rules can become.
EXPLANATION OF HASHCAT RULES
These are some of the Hashcat word mangling rules, as documented in hashcat's
rule based attack reference:
: – do nothing (pass the word through unchanged)
l / u – lower case / upper case the whole word
c – capitalise the first letter and lower case the rest
t – toggle the case of every character; TN toggles only the character at position N
r – reverse the word
d – duplicate the word
$X – append character X; ^X – prepend character X
sXY – replace every X with Y (the leetspeak rules are built from these)
[ / ] – delete the first / last character
'N – truncate the word to N characters
>N / <N – reject the word if it is shorter / longer than N characters
Several functions written on one line are applied in sequence, and every line
of a rule file is tried against every wordlist entry.
Reference:
http://thesprawl.org/research/automatic-password-rule-analysis-generation/
STRAIGHT THROUGH
Straight Through cracking (attack mode 0) just hashes each word in the
wordlist and compares it with the target hashes. This is the fastest form of
cracking per candidate.
However, its weakness is that it cannot crack any password that is not
included, character for character, in the wordlist.
Yes, Hashcat has performed a little bit of magic and cracked both passwords.
You probably noticed that this time we did not specify an output file, but
relied on hashcat.potfile to record the cracked passwords.
Question:
How do you clear the potfile message?
leafpad hashcat.potfile
Delete the contents, and now the attack will rerun. Alternatives that keep the
potfile intact are --show, which prints the already cracked hash:plain pairs,
and --potfile-disable, which ignores the potfile for one run.
Remember, the potfile holds a list of all previously cracked passwords.
TOGGLE
Rather than using all lower case characters, a user will often toggle the case
of a few characters to strengthen their password.
In the legacy Hashcat this was a separate Toggle attack; now a rule set is
used, as the more efficient attack.
Under rules we find the toggles1.rule to toggles5.rule files, each toggling a
different number of characters within a password.
First, we copy a hash of “PaSSword” into our hash.txt file – the hash is:
b5652d2f1754c2e97c9f0762c2e960fe
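To make visible what hashcat does with -a 0 -m 0 and a -r rule file, here is an added example, not from the book, of a toy straight-plus-rules MD5 cracker in plain shell. It covers the three rule effects shown in this chapter: the leetspeak substitutions that turn “password” into “p@ssword”, the digit appends from best64 that give “password9”, and the case toggles that give “PaSSword”. The rule functions are a hand-written subset that imitates hashcat's rule language, not hashcat's engine; the two-word wordlist and the four target hashes are constructed inline.

```shell
#!/bin/sh
# Added example: straight and rule-based MD5 cracking in shell (toy version of
# hashcat -a 0 -m 0 [-r rulefile]). Wordlist and hashes below are constructed.

md5_of() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# Each rule prints the candidates it derives from one word; the hashcat rule
# it imitates is in the comment.
rule_straight() { printf '%s\n' "$1"; }                 # ":"  pass through unchanged
rule_append_d() {                                       # "$0" .. "$9"  append one digit
    d=0
    while [ "$d" -le 9 ]; do printf '%s%s\n' "$1" "$d"; d=$((d+1)); done
}
rule_leet() {                                           # "sa@", "sa4 so0", "sa@ ss5 so0"
    printf '%s\n' "$1" | sed 's/a/@/g'
    printf '%s\n' "$1" | sed 's/a/4/g; s/o/0/g'
    printf '%s\n' "$1" | sed 's/a/@/g; s/s/5/g; s/o/0/g'
}
rule_toggle() {                                         # every combination of T0..T3
    printf '%s\n' "$1" | awk '{
        n = length($0); if (n > 4) n = 4
        for (m = 0; m < 2 ^ n; m++) {
            out = ""
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (i <= n && int(m / 2 ^ (i - 1)) % 2 == 1)
                    c = (c ~ /[a-z]/) ? toupper(c) : tolower(c)
                out = out c
            }
            print out
        }
    }'
}

# crack HASHFILE WORDFILE RULE... -> "hash:plain" for every target hash that
# some mangled word reproduces (same layout as hashcat's outfile and potfile)
crack() {
    hashes=$1; words=$2; shift 2
    while IFS= read -r w; do
        for r in "$@"; do "$r" "$w"; done
    done < "$words" | sort -u | while IFS= read -r cand; do
        h=$(md5_of "$cand")
        if grep -qxF "$h" "$hashes"; then printf '%s:%s\n' "$h" "$cand"; fi
    done
}

LAB=$(mktemp -d)
printf 'password\nletmein\n' > "$LAB/word.txt"                          # constructed wordlist
for p in password p@ssword password9 PaSSword; do md5_of "$p"; done > "$LAB/hash.txt"

echo "straight (-a 0, no rules): only exact wordlist entries"
crack "$LAB/hash.txt" "$LAB/word.txt" rule_straight
echo "with rules (as -r leetspeak.rule, best64.rule, toggles*.rule would):"
crack "$LAB/hash.txt" "$LAB/word.txt" rule_straight rule_append_d rule_leet rule_toggle
```

Run it twice with different hash sets and the point of the Important note earlier becomes concrete: the straight run recovers only “password”, and every other hit exists because a rule rebuilt the plaintext from that one base word. Hashcat does the same work, but on the GPU and with thousands of rule lines per word.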
MASK ATTACK
The Mask Attack (attack mode 3) limits the keyspace of a Brute Force Attack,
making it faster. Most companies will enforce a minimum password length.
There is no need for us to consider passwords shorter than this.
Where we know that the minimum password length is 8 characters, we limit the
attack with a mask.
A mask gives a character set for every position, so a mask always fixes the
length of the candidates it generates; to cover several lengths you use
several masks or the --increment options.
Alongside the rules, Hashcat ships a set of masks, which end in .hcmask. The
masks (.hcmask files) are located under:
/usr/share/hashcat/masks/
If we open the masks, we see the built-in character sets being specified, such
as:
?l = lower case letters (26)
?u = upper case letters (26)
?d = digits (10)
?s = special characters (33)
?a = all of the above (95)
First, enter in hash.txt the hash for “1234”, and run attack mode 3 with the
mask ?d?d?d?d:
81dc9bdb52d04dc20036dbd8313ed055
Notes:
Read the .hcmask file to see what combinations will be cracked.
Each mask tackles a different combination.
We use masks instead of plain brute force attacks as they are faster and more
effective.
Remember the keyspace limitations. The longer the password, the longer it
will take to crack it. So limit the keyspace.
To set a minimum and maximum password length to brute force
Here, we wish to Brute Force “letmein” with a minimum of 7 characters and a
maximum of 8 characters, using --increment with --increment-min 7 and
--increment-max 8 on an eight-position mask.
?a – this means to try everything: lower case, upper case, digits and special
characters. You need a “?a” for each character position.
Keep pressing “s” to display the current status of the attack. Hashcat will
give you a Time Estimate, and here the attack is 11 days 13 hours.
As stated earlier, avoid Brute Forcing wherever a dictionary or rule attack
will do, as there are better attacks.
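Before starting a mask run it pays to size the keyspace, so that a time estimate like the 11 days above is no surprise. The following is an added example, not from the book: a mask keyspace calculator in shell using hashcat's built-in charset sizes (?l and ?u 26, ?d 10, ?s 33, ?a 95, ?h and ?H 16; any other character in the mask is a literal). The guess rate RATE is an assumed figure taken from the 350 billion NTLM guesses per second cluster mentioned later in this chapter; replace it with your own benchmark from hashcat -b for the mode you are attacking.

```shell
#!/bin/sh
# Added example: keyspace of a hashcat mask, with and without --increment.
# RATE is an assumed guess rate; a single GPU on MD5 is far below it.

charset_size() {
    case $1 in
        '?l'|'?u') echo 26 ;;
        '?d')      echo 10 ;;
        '?s')      echo 33 ;;
        '?a')      echo 95 ;;
        '?h'|'?H') echo 16 ;;
        *)         echo 1  ;;      # literal character: one choice
    esac
}

# next_token MASK -> first token, either "?x" or a single literal character
next_token() {
    case $1 in
        \?*) printf '%s' "$1" | cut -c1-2 ;;
        *)   printf '%s' "$1" | cut -c1 ;;
    esac
}

# mask_prefix MASK LEN -> the first LEN tokens of MASK (what --increment tries)
mask_prefix() {
    rest=$1; out=""; i=0
    while [ "$i" -lt "$2" ] && [ -n "$rest" ]; do
        tok=$(next_token "$rest")
        out="$out$tok"
        rest=${rest#"$tok"}
        i=$((i+1))
    done
    printf '%s' "$out"
}

# keyspace MASK -> number of candidates the mask expands to
keyspace() {
    rest=$1; total=1
    while [ -n "$rest" ]; do
        tok=$(next_token "$rest")
        total=$(( total * $(charset_size "$tok") ))
        rest=${rest#"$tok"}
    done
    echo "$total"
}

# increment_keyspace MASK MIN MAX -> candidates for --increment-min MIN --increment-max MAX
increment_keyspace() {
    sum=0; len=$2
    while [ "$len" -le "$3" ]; do
        sum=$(( sum + $(keyspace "$(mask_prefix "$1" "$len")") ))
        len=$((len+1))
    done
    echo "$sum"
}

# seconds_at RATE CANDIDATES -> whole seconds to exhaust the keyspace at RATE guesses/s
seconds_at() { echo $(( $2 / $1 )); }

MASK='?a?a?a?a?a?a?a?a'
RATE=350000000000      # assumed: the 25-GPU NTLM cluster figure quoted in the text
n=$(increment_keyspace "$MASK" 7 8)
echo "hashcat -a 3 -m 0 --increment --increment-min 7 --increment-max 8 hash.txt $MASK"
echo "candidates for lengths 7-8: $n"
echo "at $RATE guesses/s: $(( $(seconds_at "$RATE" "$n") / 3600 )) hours"
echo "?d?d?d?d (a PIN such as 1234): $(keyspace '?d?d?d?d') candidates"
echo "?u?l?l?l?l?l?d?d (Capital, five lower, two digits): $(keyspace '?u?l?l?l?l?l?d?d') candidates"
```

The contrast between the last two masks and the full ?a mask is the whole argument for masks: a policy-shaped mask such as ?u?l?l?l?l?l?d?d covers the passwords most users actually choose under an "upper, lower and digit" rule at a tiny fraction of the cost of eight ?a positions.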
ONLINE CRACKERS - HASHKILLER
If you have a complex hash, you could always submit it to a free online
cracker, which looks it up in a large precomputed table.
Be aware that submitting a hash hands it, and the password once cracked, to a
third party; do this only with practice hashes, never with hashes taken from a
client's systems.
Hashkiller
https://hashkiller.co.uk/md5-decrypter.aspx
Windows hashing is based on NTLM, and this reduces the maximum Hashcat
password length from 55 to 27 characters. How come?
NTLM hashes the password as UTF-16, which uses 16 bits, or 2 bytes, per
character. This means we have to halve the number of bytes to find the limit
in characters.
So 55 bytes divided by 2 bytes per character gives 27.5, and rounding down,
the maximum NTLM password length is 27 characters.
Hashcat would not find a 28-character NTLM password, even where the word is
in the password dictionary.
The restriction comes from the optimised kernels keeping each candidate
password in GPU registers; once those are full, longer candidates cannot be
processed. Later hashcat versions lift these limits considerably when the
optimised kernels (-O) are not used, so check the limits of the version you
run.
For Fast hashes, the attack mode can be a limitation:
Attack Mode Max Password
Length
Mode 0 – Straight 31 Characters
through
Mode 1 – 31 Characters
Combination
Mode 6 – Hybrid 31 Characters
Wordlist & Mask
Mode 7 – Hybrid 31 Characters
Mask and Wordlist
So length is important!
5 – How do I extract a Windows NTLM Hash?
The hashes live in the SAM registry hive, which Windows keeps locked while it
is running:
C:\windows\system32\config\SAM
pwdump7 reads the hive directly. Run it from an administrator command prompt
with its output redirected to a file, then use Notepad to open the file at
c:\pwdump7.txt and you’ll see a range of user ids and hashes displayed.
The pwdump7 website shows this output – with the user account and the hash
displayed. Each line has the form user:RID:LM hash:NT hash:::, and it is the
NT hash, the fourth field, that hashcat cracks as mode 1000.
I used Peazip to unzip the files; Peazip is a free open source unzipping
program which works with both Windows and Linux.
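Once the dump is on the Kali box, the lines still need turning into a hashcat input, and two things are worth checking first: accounts whose NT hash is the well-known hash of the empty string (a blank password, nothing to crack) and accounts that still store a real LM hash (crackable far faster, as mode 3000). The following is an added example, not from the book or from pwdump7, in shell. The three dump lines are constructed; the hash values in them are the widely published NT and LM digests of “password”, and the two constants are the empty-string NT hash and the "no LM hash" marker.

```shell
#!/bin/sh
# Added example: convert pwdump-style lines (user:RID:LMhash:NThash:::) into a
# hashcat -m 1000 --username input and flag blank passwords and LM hashes.
# Sample dump below is constructed.

EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0   # NTLM hash of the empty string
EMPTY_LM=aad3b435b51404eeaad3b435b51404ee   # LM field when no LM hash is stored

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# is_hex32 VALUE -> true if VALUE is exactly 32 hex characters (after lower())
is_hex32() {
    case $1 in *[!0-9a-f]*|"") return 1 ;; esac
    [ ${#1} -eq 32 ]
}

# pwdump_to_hashcat FILE -> "user:nthash" lines for hashcat -a 0 -m 1000 --username,
# skipping blank-password accounts and "NO PASSWORD***" style markers
pwdump_to_hashcat() {
    while IFS=: read -r user rid lm nt rest; do
        nt=$(lower "$nt")
        if [ "$nt" = "$EMPTY_NT" ]; then continue; fi
        if is_hex32 "$nt"; then printf '%s:%s\n' "$user" "$nt"; fi
    done < "$1"
}

# blank_password_accounts FILE -> users whose NT hash is the empty-string hash
blank_password_accounts() {
    while IFS=: read -r user rid lm nt rest; do
        if [ "$(lower "$nt")" = "$EMPTY_NT" ]; then printf '%s\n' "$user"; fi
    done < "$1"
}

# lm_hash_accounts FILE -> users that still have a real LM hash (hashcat -m 3000)
lm_hash_accounts() {
    while IFS=: read -r user rid lm nt rest; do
        lm=$(lower "$lm")
        if is_hex32 "$lm" && [ "$lm" != "$EMPTY_LM" ]; then printf '%s\n' "$user"; fi
    done < "$1"
}

DUMP=$(mktemp)
cat > "$DUMP" <<'EOF'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
EOF

echo "hashcat input (user:nt), run as: hashcat -a 0 -m 1000 --username ntlm.txt word.txt"
pwdump_to_hashcat "$DUMP"
echo "blank passwords: $(blank_password_accounts "$DUMP")"
echo "LM hashes present: $(lm_hash_accounts "$DUMP")"
```

Keeping the user name in the hash file and passing --username is preferable to stripping it: the cracked.txt then tells you which account each password belongs to, and identical NT hashes (Administrator and legacy above share one) reveal password reuse before any cracking starts.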
USE OCLHASHCAT WITH A GRAPHICS CARD
The fastest way to crack passwords is to use a high powered graphics card,
which can crack passwords many times faster than a CPU. In fact cracking is
estimated to be around 150 times faster using a GPU compared to a CPU. Since
version 3.0 the separate oclHashcat GPU build has been merged into hashcat
itself, which uses whatever OpenCL devices it finds.
In 2012, a 25-GPU cluster managed to brute force 350 billion guesses per
second against the Windows NTLM hash. At that rate every possible 8-character
Windows password (95 to the power 8, about 6.6 quadrillion candidates) could
be guessed within 5.5 hours.
You can read the Ars Technica article online:
https://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
If you have a powerful graphics card, then you might want to try graphics
card cracking, and see how close you can get to 350 billion guesses per
second.
Go on, you know you want to.
Hash Cracking Speed
The Windows hashing algorithm (NTLM) is one of the fastest to brute force: a
single unsalted MD4 over the password, with no work factor.
One of the slowest hashes to brute force is bcrypt (it was designed out of a
block cipher called Blowfish). Its tunable cost parameter makes every guess
many thousands of times more expensive than an NTLM guess, which is exactly
what a password hash should do.
If you liked this hacking and cyber security series, please post a review at
Amazon, and let your friends know about the series.