How to Crack Hashes?
By Vedant Jain
Today we are going to learn how to crack hashes. This skill can make a real difference in a penetration testing assignment or during bug bounty hunting: a leak, a web application vulnerability, or anything else that gives us a list of hashes can turn into access to a system if we recover an important password, such as the admin or administrator account or an ordinary user of a web application. Most penetration testers have this skill, and newcomers can pick it up from this blog. I hope you find it informative. So let's get started.
Let's first understand what a hash is, for people who don't know. A hash function maps data of arbitrary size to a fixed-size value. Most importantly, it is a one-way function: once you have generated the hash you cannot go back and extract the password from it.
For example, if I print the word example and pipe it to md5 (md5sum on Linux), which computes the MD5 hash, I get a hash string.
But when I add one more character to my input, I get a completely different hash string of the same length. A small change in the input changes the whole output, which is exactly what a hash is supposed to do.
So how do attackers go from this hash back to the plain text, example?
As discussed, we cannot reverse the function. There is a trivial technique, though: try a lot of candidates, apply the MD5 algorithm to each one, and compare the result to the hash we have. This is known as password cracking.
Let's try it on our string example. One minor detail first: echo prints the string followed by an end-of-line character, so `echo example | md5` hashes example plus a newline, not example. You can see this by piping the output of echo to xxd, which shows the hexadecimal bytes of the text:
Here 6578 corresponds to ex, 616d to am, 706c to pl, 65 to e again, and the trailing 0a is the newline. Use `echo -n example` (or `printf '%s' example`) to hash the string without it.
So let's hash example with MD5 (without the newline). There is an even more trivial way of looking up this hash than cracking it: just googling it. Suppose you obtain a list of hashes, or a single hash, by exfiltrating the users table through a SQL injection. The first reflex is to paste the hash into a search engine, and right away,
when you click on the first link,
you see the plain-text string that produced the MD5 hash we are looking for. Awesome, right? Having found the user's password, we can go ahead and log in as that user.
In the real world it's not that easy. Even though people use predictable passwords, you often still can't find them on the internet. Let's take an example.
We will use a common user pattern: a password that starts with a capital letter and ends with digits or special characters, for example "Example786". Web applications (at least the respectable ones) enforce password policies, so users tend to satisfy them by capitalising the first letter and appending a number or a special character.
So let's take this hash and look it up on the internet.
When the hash is not found on the internet, what do we do?
Let's start cracking this hash. We need to know the hash algorithm; if you don't, google for a hash analyzer, which guesses the algorithm from the length and format of the hash. In our case it is MD5. So we know the algorithm but not the password.
Option 1: We can iterate through a list of common passwords, because people lean toward common passwords, and try each one against the hash. These passwords are stored in a file called a wordlist. There are many wordlists on the internet, but one in particular is used by a lot of beginners and ships with most hacking distributions, including Kali Linux: rockyou.txt, found under /usr/share/wordlists/ (on a fresh Kali install it is compressed as rockyou.txt.gz and has to be extracted first).
There are many tools that perform this kind of attack. The one I personally like for password hash cracking is hashcat. You can also use John the Ripper; its core is CPU-based, so it is generally not as fast as hashcat, which uses the GPU (John's jumbo build does add OpenCL support), but for beginners you can start using hashcat right away. Keep in mind that you sometimes need to install drivers and configure your hardware to work with hashcat; it really depends on which OS and which graphics card you are using.
If we run hashcat -h | grep -i md5
(the -i makes grep case-insensitive)
we get a long list of MD5-based modes. At the top of the list is plain MD5, with hash-mode id 0. MD5 is cheap to compute, so cracking it won't take long. Let's use hashcat to try to crack our MD5 hash.
Command: hashcat -m 0 83974a5917e06bb318698505614930d6 /usr/share/wordlists/rockyou.txt
Unfortunately we don't crack it: the status is Exhausted, meaning every entry in the wordlist has been tried, and there is no output line reporting a successful crack. Let's try the first hash, the one for "example":
Command: hashcat -m 0 1a79a4d60de6718e8e5b326e338ae533 /usr/share/wordlists/rockyou.txt
And there is the password, example, printed next to its hash, in maybe less than 3 seconds. People using weak passwords should know that, first, the hash is already referenced on Google and, second, it can be cracked in less than a minute, depending of course on the quality of the wordlist, and rockyou really rocks in terms of passwords. But we still have the problem of not being able to crack our hash of Example786.
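To show what hashcat is doing under the hood in Option 1, here is an added example (not code from the original article, and not hashcat's own code) that runs the same dictionary attack in plain Python against a small constructed wordlist. It also reproduces the echo pitfall from earlier: with strip_newlines=False every candidate is hashed together with its line terminator, and the attack fails even though "example" is in the list.

```python
import hashlib
from typing import Optional

# Constructed sample wordlist laid out the way rockyou.txt is stored on disk:
# one candidate per line, each line terminated by "\n". Not the real file.
WORDLIST = b"123456\npassword\nletmein\nexample\nqwerty\n"

# MD5 of "example", the hash cracked in the article (hashcat mode 0).
TARGET = "1a79a4d60de6718e8e5b326e338ae533"


def md5_hex(candidate: bytes) -> str:
    """MD5 of the raw candidate bytes, as hashcat -m 0 computes it."""
    return hashlib.md5(candidate).hexdigest()


def crack_md5(target_hex: str, wordlist: bytes,
              strip_newlines: bool = True) -> Optional[str]:
    """Dictionary attack: hash every wordlist entry and compare with the target.

    strip_newlines=True is what hashcat does: the line terminator is not part
    of the candidate. strip_newlines=False reproduces the `echo` pitfall from
    the article, hashing "example\n" instead of "example".
    Returns the recovered plaintext, or None once the wordlist is exhausted.
    """
    target_hex = target_hex.lower()
    for line in wordlist.split(b"\n"):
        candidate = line.rstrip(b"\r\n") if strip_newlines else line + b"\n"
        if not candidate.strip():
            continue  # blank line at end of file
        if md5_hex(candidate) == target_hex:
            return candidate.decode("latin-1")
    return None  # hashcat reports this as "Status: Exhausted"


if __name__ == "__main__":
    print("echo example | md5sum    ->", md5_hex(b"example\n"))  # includes the 0a byte
    print("echo -n example | md5sum ->", md5_hex(b"example"))    # matches TARGET
    print("cracked:", crack_md5(TARGET, WORDLIST))
    print("newlines left in:", crack_md5(TARGET, WORDLIST, strip_newlines=False))
```

The real wordlist is hundreds of megabytes and hashcat runs the loop on the GPU, but the logic is identical: there is no reversal, only hashing each guess and comparing.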
Option 2: We can apply what are called rules. hashcat takes each entry in our wordlist, rockyou.txt, and applies transformations to it: appending special characters, leetspeak substitutions (a becomes 4 or @, o becomes 0), capitalising each entry (most people capitalise the first letter), appending or prepending strings and digits, anything that mimics how real passwords are built. The best part is that you can write your own rules, and hashcat ships with many predefined ones in its rules directory (/usr/share/hashcat/rules/ on Kali). Among the many entries there is best64.rule.
Run hashcat again: -m 0 for our mode, then our hash, then the wordlist rockyou.txt, and then -r followed by the path to best64.rule:
Command: hashcat -m 0 83974a5917e06bb318698505614930d6 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
Let's run this and see how long it takes. Pressing s shows the status: it takes somewhat longer now, which is normal because we are trying multiple permutations of every entry, and the status output shows the range of candidate strings currently being tried.
Press q to quit. Instead of trying another predefined rule, let's write our own rule to crack our seemingly strong password.
I am going to call my file example.rule. It contains a single line, c $7 $8 $6: c capitalises the first letter and lowercases the rest, and $X appends the character X to the end of the word, so the three $ functions append 7, 8 and 6, which rebuilds our exact string from the entry "example". The hashcat documentation on rule-based attacks lists all the functions you can use. Run hashcat as before, pointing -r at example.rule, and hopefully this cracks the password.
Now it's cracked in no time.
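To make the rule mechanism concrete, here is an added example (my own illustration, not hashcat's code) implementing a small subset of hashcat's rule functions in Python and running them over a constructed wordlist. The rule file embedded in it contains the article's c $7 $8 $6 line plus a few extra rules I added to exercise leetspeak substitution, prepending and case changes; the target hash is derived from the plaintext Example786 only so the example is self-contained.

```python
import hashlib
from typing import Iterator, List, Optional, Tuple

# Constructed sample wordlist (not rockyou.txt).
WORDLIST: List[str] = ["password", "example", "letmein", "dragon"]

# Rules in hashcat's rule-file syntax, one rule per line.
# "c $7 $8 $6" is the article's example.rule; the other lines are extra
# rules added here to exercise more functions of the engine below.
RULES_FILE = """\
:
c $7 $8 $6
c $1 $2 $3
u
sa@ so0 se3
c ^!
"""


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line to a word.

    Subset of hashcat rule functions implemented here (hashcat has many more):
      :   no-op                 l  lowercase all        u  uppercase all
      c   capitalise first letter, lowercase the rest
      t   toggle case           r  reverse
      $X  append X              ^X prepend X            sXY replace every X with Y
    Spaces between functions are ignored, as in hashcat rule files.
    """
    i = 0
    while i < len(rule):
        f = rule[i]
        if f == " ":
            i += 1
            continue
        if f == ":":
            pass
        elif f == "l":
            word = word.lower()
        elif f == "u":
            word = word.upper()
        elif f == "c":
            word = word[:1].upper() + word[1:].lower()
        elif f == "t":
            word = word.swapcase()
        elif f == "r":
            word = word[::-1]
        elif f in ("$", "^"):
            if i + 1 >= len(rule):
                raise ValueError(f"rule {rule!r}: {f} needs a character")
            word = word + rule[i + 1] if f == "$" else rule[i + 1] + word
            i += 1
        elif f == "s":
            if i + 2 >= len(rule):
                raise ValueError(f"rule {rule!r}: s needs two characters")
            word = word.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"rule {rule!r}: unsupported function {f!r}")
        i += 1
    return word


def load_rules(rules_text: str) -> List[str]:
    """Parse a rule file: one rule per line, blank lines and # comments skipped."""
    return [ln.strip() for ln in rules_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def candidates(wordlist: List[str], rules: List[str]) -> Iterator[Tuple[str, str]]:
    """Yield (candidate, rule) for every rule applied to every word.
    The keyspace grows to len(wordlist) * len(rules), which is why -r runs longer."""
    for rule in rules:
        for word in wordlist:
            yield apply_rule(word, rule), rule


def crack_with_rules(target_hex: str, wordlist: List[str],
                     rules_text: str) -> Optional[Tuple[str, str]]:
    """Return (plaintext, rule that produced it), or None when exhausted."""
    target_hex = target_hex.lower()
    for cand, rule in candidates(wordlist, load_rules(rules_text)):
        if md5_hex(cand) == target_hex:
            return cand, rule
    return None


if __name__ == "__main__":
    # Target derived from the article's password; in practice you only have the hash.
    target = md5_hex("Example786")
    print(crack_with_rules(target, WORDLIST, RULES_FILE))
```

The ":" no-op rule is listed first so that plain wordlist entries are still tried, which is also why hashcat's own rule files usually start with it. Note how six rules over four words already give 24 candidates; with rockyou.txt and best64.rule the multiplication is what you see in the longer status output.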
I hope that this article gave you some insights on how to use hashcat to crack password hashes.