Password Cracking
Password cracking is the process of recovering passwords from data that has been stored or transmitted in a system, typically password hashes taken from a database, a system file or a captured network exchange. The practice is used both in ethical hacking and in malicious attacks. Tools such as Hashcat and John the Ripper perform brute-force, dictionary and hybrid attacks against hashed passwords: they do not reverse the hash, but generate candidate passwords, hash each one with the same algorithm and compare the result with the target until a match reveals the password. Password cracking plays a critical role in penetration testing, where ethical hackers test the strength of an organization's password policies, and in digital forensics investigations. While it serves an essential purpose in identifying weak credentials, it must always be performed in a legal and controlled environment with the consent of the system owner to avoid ethical and legal violations.
Installing Password Cracking Tools
To begin, we need to install popular password cracking tools such as Hashcat and John the Ripper. These tools are essential for performing password attacks in a controlled and ethical manner.
sudo apt-get install hashcat
sudo apt-get install john
Using Wordlists for Password Cracking
Password cracking tools rely on wordlists: files of likely passwords, one per line, that are tried against the hash. The most commonly used wordlist is rockyou.txt, which Kali Linux ships in /usr/share/wordlists (as rockyou.txt.gz, which has to be decompressed once, as shown below):
cd /usr/share/wordlists/
If the wordlist is not available, you can download it manually:
sudo wget https://gitlab.com/kalilinux/packages/wordlists/-/raw/kali/master/rockyou.txt.gz -P /usr/share/wordlists/
Once downloaded, unzip the file:
sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
Preparing Hashes for Cracking
Before using a password cracking tool, you need the hash of the password you want to crack, saved in a text file with one hash per line. To create the file, use the following command:
echo "hash_value_here" > hash.txt
If you need to add multiple hashes to one file:
echo "another_hash_value" >> hash.txt
You can also use a text editor like nano to paste multiple hashes manually:
nano hash.txt
Cracking Passwords with Hashcat
Hashcat is one of the most powerful and versatile password-cracking tools available. It supports a wide range of hash types and cracking modes, allowing penetration testers and ethical hackers to break passwords using different approaches. Below, we'll go through the steps for using Hashcat, including how to prepare for a cracking session, the different attack modes, and best practices to optimize your cracking efforts.
Introduction to Hashcat
Hashcat is a command-line tool that uses the processing power of GPUs (and CPUs, through OpenCL or CUDA) to crack password hashes. A hash is a one-way cryptographic fingerprint of a password and cannot be decrypted, so Hashcat instead generates candidate passwords, hashes each one with the same algorithm and compares the result with the target; a match reveals the password. Hashcat supports a large number of hashing algorithms, including MD5, SHA1, bcrypt, NTLM, and more.
Video Credit: NetworkChuck - Hashcat Password Cracking
Preparing for Hash Cracking
Before using Hashcat, you need a few components:
- A Hash File: This is the file containing the hash or hashes you want to crack, one per line. Hashes can be extracted from databases or system files, or captured on the network during penetration testing engagements.
- A Wordlist: A file containing potential passwords that Hashcat will try against the hash. A popular wordlist is rockyou.txt, which Kali Linux ships in /usr/share/wordlists/ (other distributions do not include it by default; see the download step above).
- Hashcat Installed: Install Hashcat by running sudo apt install hashcat in your Linux terminal.
- Identifying the Hash Type: Before attempting to crack the hash, it is crucial to identify its type, because each hashing algorithm has its own Hashcat mode number. You can use the tool hashid to identify the hash type. Install it by running sudo apt install hashid. After installation, identify your hash type with the following command:
hashid -m <hash_value>
This returns a list of possible hash types together with the Hashcat mode (-m) for each. The identification is based only on the length and format of the hash, so a bare 32-character hex string is reported as MD5, NTLM, MD4 and several others; use the context the hash came from (a Windows SAM dump means NTLM, a web application database usually means MD5 or SHA1) to pick the right mode. Recent Hashcat versions (6.2 and later) provide the same check built in with hashcat --identify <hash_value>.
Hashcat Attack Modes
Hashcat provides different attack modes, selected with -a, that determine how candidate passwords are generated. The common ones are:
- Dictionary Attack (-a 0): Tries each entry of a wordlist, one by one, against the hash. It is fast and catches weak or reused passwords.
- Combinator Attack (-a 1): Joins every word of one wordlist to every word of a second wordlist, producing candidates such as summer2024 or correcthorse.
- Brute-Force / Mask Attack (-a 3): Generates every combination of characters described by a mask such as ?l?l?l?l?d?d (four lowercase letters followed by two digits; ?u, ?d, ?s and ?a stand for uppercase letters, digits, symbols and all printable characters). Running time grows exponentially with the password length, but if the password fits the mask it is guaranteed to be found.
- Hybrid Attacks (-a 6 and -a 7): A wordlist combined with a mask, appended (-a 6) or prepended (-a 7), for patterns such as a word followed by a year.
- Rule-Based Attack: Not a separate -a mode but the -r option used together with a dictionary attack. Rules such as capitalising, reversing, appending digits or leetspeak substitutions are applied to every wordlist entry. The rule files that ship with Hashcat (for example best64.rule in /usr/share/hashcat/rules/ on Kali) turn a plain wordlist into many times as many realistic variations, and this is usually the most productive attack against human-chosen passwords.
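To make the generation strategies concrete, here is an added example in Python (not hashcat's code and not from the original page) that reimplements the candidate generators for -a 0, -a 1, -a 3 and -r on a tiny scale and runs them against constructed MD5 targets. The wordlist, the rule line and the target hashes are made up for the illustration, and only a handful of rule functions (: l u c $X ^X sXY, written space-separated) are implemented.

```python
"""Candidate generators behind hashcat's attack modes (-a 0, -a 1, -a 3, -r),
run against constructed MD5 targets. Added illustration in pure Python, not
hashcat's code; wordlist, rule and hashes are made up for the example."""
import hashlib
import itertools

WORDLIST = ["password", "letmein", "emma", "summer", "dragon"]  # stand-in for rockyou.txt

# Subset of hashcat's built-in mask charsets
CHARSETS = {"l": "abcdefghijklmnopqrstuvwxyz", "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
            "d": "0123456789", "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def dictionary(words):
    """-a 0: each wordlist entry as-is."""
    yield from words


def combinator(left, right):
    """-a 1: every left word joined to every right word."""
    for lw in left:
        for rw in right:
            yield lw + rw


def mask(pattern):
    """-a 3: expand a mask such as '?l?l?d?d' or 'pass?d?d'; '?x' tokens range
    over the named charset, any other character is fixed."""
    positions, i = [], 0
    while i < len(pattern):
        if pattern[i] == "?":
            positions.append(CHARSETS[pattern[i + 1]])
            i += 2
        else:
            positions.append(pattern[i])
            i += 1
    for combo in itertools.product(*positions):
        yield "".join(combo)


def apply_rule(word, rule):
    """Apply one rule line of space-separated hashcat rule functions
    (only a small subset of the rule language: : l u c $X ^X sXY)."""
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":":
            pass                                    # keep the word unchanged
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "$":
            word = word + arg                       # append
        elif op == "^":
            word = arg + word                       # prepend
        elif op == "s":
            word = word.replace(arg[0], arg[1])     # sXY: replace X with Y
        else:
            raise ValueError(f"unsupported rule function {op!r}")
    return word


def rules(words, rule_lines):
    """-a 0 -r: every rule line applied to every wordlist entry."""
    for w in words:
        for r in rule_lines:
            yield apply_rule(w, r)


# Hash functions keyed by hashcat mode; only -m 10 uses the salt
HASHERS = {
    0: lambda pw, salt: hashlib.md5(pw).hexdigest(),            # MD5
    100: lambda pw, salt: hashlib.sha1(pw).hexdigest(),         # SHA1
    1400: lambda pw, salt: hashlib.sha256(pw).hexdigest(),      # SHA256
    10: lambda pw, salt: hashlib.md5(pw + salt).hexdigest(),    # md5($pass.$salt)
}


def hexdigest(mode, plaintext, salt=""):
    """Hash a plaintext the way the mode expects (used here to build targets)."""
    return HASHERS[mode](plaintext.encode(), salt.encode())


def crack(mode, targets, candidates):
    """Hash each candidate and compare with the unsolved targets. Targets are
    hashfile lines: 'hash', or 'hash:salt' for salted modes. Returns
    {target_line: plaintext}. Every distinct salt costs one more hash per
    candidate, which is why salting slows attackers even on fast hashes."""
    pending = {}
    for line in targets:
        digest, _, salt = line.partition(":")
        pending[(digest.lower(), salt.encode())] = line
    found = {}
    for cand in candidates:
        if not pending:
            break
        pw = cand.encode()
        for (digest, salt), line in list(pending.items()):
            if HASHERS[mode](pw, salt) == digest:
                found[line] = cand
                del pending[(digest, salt)]
    return found


def demo():
    """Four constructed MD5 targets, one per attack mode; returns the
    'hash:plaintext' lines hashcat --show would print."""
    targets = [hexdigest(0, p) for p in ("letmein", "Summer2024!", "summer!", "ab12")]
    attacks = [dictionary(WORDLIST),                             # -a 0
               rules(WORDLIST, ["c $2 $0 $2 $4 $!"]),            # -a 0 -r
               combinator(["summer", "winter"], ["2024", "!"]),  # -a 1
               mask("?l?l?d?d")]                                 # -a 3
    found = {}
    for attack in attacks:
        found.update(crack(0, [t for t in targets if t not in found], attack))
    return [f"{h}:{p}" for h, p in found.items()]
```

Calling demo() yields four hash:plaintext lines, one solved by each strategy. Note how crack() must hash every candidate once per distinct salt; that is the extra cost a salted scheme imposes and an unsalted MD5 or NTLM list does not.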
Cracking an MD5 Hash Using Hashcat
To crack a hash using Hashcat, follow these steps. In the following example, we will crack an MD5 hash using a dictionary attack:
Command to Crack an MD5 Hash
Use the following command to start cracking:
hashcat -m <hash_type> -a 0 <hash_file> /usr/share/wordlists/rockyou.txt
For example, to crack an MD5 hash (hash type -m 0), use:
hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Explanation of parameters:
- -m 0: Specifies the hash type (MD5 in this case).
- -a 0: Specifies the attack mode (dictionary attack).
- hash.txt: The file containing the hash to be cracked.
- /usr/share/wordlists/rockyou.txt: The wordlist file to use for cracking.
Different hashing algorithms and their Hashcat modes (the mode number also tells Hashcat how the hash line is formatted, for example that a crypt-style hash carries its own salt):
- MD5 (-m 0): Very common in older web applications. Unsalted and extremely fast to compute, so a single GPU tries billions of guesses per second; it is unsuitable for password storage.
- SHA1 (-m 100): Same situation as MD5: a fast, unsalted digest that offers no real resistance to guessing.
- SHA256 (-m 1400): A sound general-purpose hash function, but as a raw, unsalted password hash it is still fast and therefore weak against guessing.
- SHA512 (-m 1700): Same as SHA256; a longer digest does not make it slower to guess.
- bcrypt (-m 3200): A password hashing function with a configurable cost factor, designed to be slow; cracking speed drops by several orders of magnitude compared with MD5.
- NTLM (-m 1000): The hash Windows uses for stored passwords (MD4 over the UTF-16LE encoded password). Unsalted and very fast to crack.
- LM (-m 3000): LAN Manager hash, used in older Windows systems. It is highly vulnerable (the password is uppercased and split into two 7-character halves) and should not be used.
- WPA/WPA2 (-m 2500): Legacy mode for Wi-Fi handshake captures in .hccapx format; Hashcat 6 replaced it with -m 22000 (hash lines produced by hcxpcapngtool), which also handles PMKID captures.
- PBKDF2-HMAC-SHA1 (-m 12000): A key derivation function with an iteration count, commonly used for securing passwords in applications.
- MD5(Unix), md5crypt (-m 500): Salted, iterated MD5 used by older Unix systems; hashes start with $1$.
- descrypt (-m 1500): The traditional DES-based crypt(3) of old Unix systems, which only uses the first 8 characters of the password. This mode is not SHA1-based; the NetBSD sha1crypt format is a separate mode (-m 15100).
- SHA256(Unix), sha256crypt (-m 7400): Salted, iterated SHA256 used by Unix systems; hashes start with $5$.
- SHA512(Unix), sha512crypt (-m 1800): Salted, iterated SHA512, the default on most Linux distributions; hashes start with $6$.
- MySQL323 (-m 200): Hashing method used in old versions of MySQL (before 4.1) for password storage.
- MySQL5 (-m 300): SHA1-based method used by MySQL 4.1 and later for password storage; hashes start with *.
- Oracle 11g (-m 112): Hash type used for password storage in Oracle 11g databases.
- Office 2007 (-m 9400): Hash type used for Microsoft Office 2007 document encryption.
- Office 2013 (-m 9600): Hash type used for Microsoft Office 2013 document encryption.
To crack a hash, specify the appropriate hash type by using the -m flag followed by the correct mode number. For example, to crack an NTLM hash, use:
hashcat -m 1000 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Be sure to consult the official Hashcat documentation for a comprehensive list of supported hash types and their corresponding mode numbers.
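The following added Python example (not hashcat's or hashid's code, and not from the original page) turns the mode table above into a small classifier for hashfile lines. It shows the two things an identifier cannot do for you: a bare hex digest maps to several modes at once (MD5, NTLM and LM all produce 32 hex characters), while formats that carry a prefix ($1$, $5$, $6$, $2y$, *, $pdf$) are unambiguous. The pwdump-row handling and the user:hash stripping mirror what Hashcat's --username option does; the $pdf$ (V, R) to mode mapping is an assumption drawn from hashcat's example hashes, and all sample lines are constructed (the two 32-character values are MD5 and NTLM of the word password).

```python
"""Hash-format classifier mapping hashfile lines to the hashcat modes listed
above. Added illustration, not hashcat's or hashid's code; the mode table is
taken from this page, the PDF V/R mapping is an assumption based on hashcat's
example hashes, and the sample hashes are constructed (md5/NTLM of 'password')."""
import re

# Crypt-style prefixes carry their own identity and salt
CRYPT_PREFIXES = {"$1$": (500, "md5crypt"), "$5$": (7400, "sha256crypt"),
                  "$6$": (1800, "sha512crypt"), "$2a$": (3200, "bcrypt"),
                  "$2b$": (3200, "bcrypt"), "$2y$": (3200, "bcrypt")}

# A bare hex digest is ambiguous: the length narrows the field, it never settles it
HEX_BY_LENGTH = {16: [(200, "MySQL323")],
                 32: [(0, "MD5"), (1000, "NTLM"), (3000, "LM")],
                 40: [(100, "SHA1")], 64: [(1400, "SHA256")], 128: [(1700, "SHA512")]}

# pdf2john emits $pdf$<V>*<R>*...; (V, R) selects the PDF mode (assumed mapping)
PDF_MODES = {(1, 2): 10400, (2, 3): 10500, (4, 4): 10500, (5, 5): 10600, (5, 6): 10700}

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty/disabled password


def classify(h):
    """Candidate (mode, name) pairs for one hash string without a username."""
    for prefix, entry in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return [entry]
    if h.startswith("$pdf$"):
        fields = h[len("$pdf$"):].split("*")
        if len(fields) > 2 and fields[0].isdigit() and fields[1].isdigit():
            key = (int(fields[0]), int(fields[1]))
            if key in PDF_MODES:
                return [(PDF_MODES[key], f"PDF V{key[0]} R{key[1]}")]
        return []
    if re.fullmatch(r"\*[0-9A-Fa-f]{40}", h):
        return [(300, "MySQL5")]
    if re.fullmatch(r"sha1:\d+:[^:]+:[^:]+", h):
        return [(12000, "PBKDF2-HMAC-SHA1")]
    if re.fullmatch(r"[0-9A-Fa-f]+", h):
        return HEX_BY_LENGTH.get(len(h), [])
    return []


def identify(line):
    """Classify one hashfile line. Handles pwdump rows (user:rid:LM:NT:::) and
    user:hash prefixes such as pdf2john output. Returns a list of
    (hash, candidates) so the caller sees when a hash is ambiguous."""
    line = line.strip()
    m = re.fullmatch(r"[^:]*:\d*:([0-9A-Fa-f]{32}):([0-9A-Fa-f]{32}):::", line)
    if m:
        lm, nt = m.group(1), m.group(2)
        out = [(nt, [(1000, "NTLM")])]
        if lm.lower() != EMPTY_LM:            # a real LM hash is the cheaper target
            out.insert(0, (lm, [(3000, "LM")]))
        return out
    cands = classify(line)
    if not cands and ":" in line:             # maybe user:hash, what --username skips
        rest = line.split(":", 1)[1]
        cands = classify(rest)
        if cands:
            return [(rest, cands)]
    return [(line, cands)]


def triage(lines):
    """Group a hashfile by hashcat mode; ambiguous hashes land under every
    candidate mode so the operator can decide from context."""
    by_mode = {}
    for line in lines:
        for h, cands in identify(line):
            for mode, name in cands or [(None, "unknown")]:
                by_mode.setdefault((mode, name), []).append(h)
    return by_mode


SAMPLES = [  # constructed sample lines, not real credentials
    "5f4dcc3b5aa765d61d8327deb882cf99",                    # md5('password'): MD5 or NTLM?
    "Administrator:500:" + EMPTY_LM + ":8846f7eaee8fb117ad06bdd830b7586c:::",
    "$2y$10$" + "a" * 53,                                  # bcrypt-shaped
    "doc.pdf:$pdf$5*6*256*-4*1*16*(rest of pdf2john output)",
    "sha1:1000:c2FsdA==:" + "A" * 27,                      # PBKDF2-HMAC-SHA1 shaped
]
```

triage(SAMPLES) files the bare MD5 under MD5, NTLM and LM at once, which is exactly the ambiguity hashid reports; the pwdump row contributes only an NTLM entry because its LM half is the well-known empty-password value, and the other three lines resolve to a single mode from their prefix.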
Example Output
hashcat (v6.2.6) starting

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: password_hash
Time.Started.....: Sun Sep 22 15:30:55 2024 (3 secs)
Time.Estimated...: Sun Sep 22 15:30:58 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2706.7 kH/s (0.31ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 8331264/14344385 (58.08%)
Rejected.........: 0/8331264 (0.00%)
Restore.Point....: 8325120/14344385 (58.04%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: emma2544 -> emiliap
Hardware.Mon.#1..: Util: 35%
Status: Cracked and Recovered 1/1 show that the hash was solved after about 58% of rockyou.txt had been tried, at roughly 2.7 million hashes per second. The cracked hash:plaintext pair itself is printed just before this status block and is also saved to Hashcat's potfile, from which --show retrieves it later.
Monitoring and Viewing Results
While cracking is in progress, press s in the Hashcat terminal to print the current status (p pauses, r resumes, q quits and writes a restore point that hashcat --restore can resume from). To have the status printed automatically at a fixed interval instead, start the session with --status and --status-timer, for example:
hashcat --status --status-timer 10 -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Once the hash is cracked, you can view the cracked password using:
hashcat --show -m 0 hash.txt
Output example (one line per cracked hash):
<hash>:<plaintext>
Cracking Windows NTLM Hashes with Ophcrack
Ophcrack cracks Windows LM and NTLM hashes with precomputed rainbow tables, trading a large one-time table download for very fast lookups; this works because both hash types are unsalted. It is packaged for Kali Linux (install it with sudo apt install ophcrack if it is not present). First, save the hashes, in pwdump format (user:rid:LM hash:NT hash:::), into a text file:
nano ntlm_hashes.txt
Next, download rainbow tables and install them in Ophcrack. The XP special tables (7.5GB) cover LM hashes, which Windows XP and earlier store alongside NTLM; for NTLM-only hashes from Vista and later, install the Vista/7 tables instead:
Open ophcrack GUI application > Select Tables > Install XP Special /opt/ophcrack/tables/xp_special
Load the PWDUMP file and click on the CRACK button to start cracking the hashes.
Viewing Cracked Passwords
After the run, the cracked passwords are shown in the Ophcrack window and can be exported to a file with the Save button. View the saved file with:
cat ntlm_cracked.txt
(output example, one line per account) ::hash:password plaintext
PDF Password Cracking
To crack the password of an encrypted PDF file, we use pdf2john, which extracts the PDF's encryption parameters into a hash line that Hashcat or John can attack. pdf2john ships with John the Ripper (on Kali it is available as the pdf2john command once the john package is installed), so install john if it is not already present:
sudo apt install john
Extract the hash from a PDF file:
pdf2john <file.pdf> > hash.txt
pdf2john prefixes each hash with the file name (file.pdf:$pdf$...). Hashcat does not expect that prefix, so remove it:
cut -d ":" -f 2- hash.txt > clean.txt
Explanation of the command:
- cut -d ":": Specifies the delimiter as a colon (:).
- -f 2-: Extracts the second field and everything after it, i.e. the hash.
Alternatively, keep hash.txt unchanged and add --username to the Hashcat command, which makes it ignore everything before the first colon.
The mode depends on the PDF's encryption version, which pdf2john records in the first two fields after $pdf$ (the V and R values): -m 10400 for PDF 1.1-1.3 (Acrobat 2-4), -m 10500 for PDF 1.4-1.6 (Acrobat 5-8), -m 10600 for PDF 1.7 Level 3 (Acrobat 9) and -m 10700 for PDF 1.7 Level 8 (Acrobat 10-11). For a recent PDF (V 5, R 6), crack the password from clean.txt with:
hashcat -m 10700 -a 0 clean.txt /usr/share/wordlists/rockyou.txt