When obtaining hashed passwords, we must run various plaintext passwords through the hashing algorithm and compare the returned hash to the target hash. This password attack technique is known as password cracking.
Cracking hashes is usually done on attacker-controlled systems outside of the target network, as this technique does not require direct interaction with the target.
Practice
Note that John is mainly a CPU-based cracking tool that also supports GPUs, while Hashcat is mainly a GPU-based cracking tool that also supports CPUs.
Finding Hashcat Mode
Hashcat offers different modes that you can use to crack a specific algorithm. When you crack a hash with hashcat, the first step is to find the right mode.
To do this, we can use the -h or --example-hashes arguments. Alternatively we may refers to the example_hash online resource.
HashId & Help
We may use hashid against a hash to do identify the hash type
We may perform a brute-force attack against a target hash using Hashcat charsets:
# Hashcat Charsets?l # Lowercase a-z?u # Uppercase A-Z?d # Decimals?h # Hex using lowercase chars?H # Hex using uppercase chars?s # Special chars?a # All (l,u,d,s)?b # Binary
Following commands can be used
# -a 3 : Bruteforce attack mode (using masks)# -i : increment# --increment-min : Start increment at X chars# --increment-max : Stop increment at X chars#Crack hashes using all char in 7 char passwordshashcat-m<mode>-a3-ihashes.txt?a?a?a?a?a?a?a# Crack hashes using mask for Summer2018 like passwordshashcat-m<mode>-a3hashes.txt?u?l?l?l?l?l?l?d?d?d?d!# Crack hash incrementing from 5 char to 7 chars password using all chars (?a)hashcat-m<mode>-a3-ihashes.txt?a?a?a?a?a?a?a--increment-min=5--increment-max=7
We may perform a brute-force attack against a target hash using john:
We may perform a dictionary attack against a target hash using Hashcat
# -a 1 : Dictionary attack modehashcat-m<mode>-a0hash.txtwordlist.txt
We may perform a dictionary attack against a target hash using John
john--wordlist=wordlist.txthash.txt
Rule-Based Attack
Rule-Based attacks assume the attacker knows something about the password policy. Rules are applied to create passwords within the guidelines of the given password policy and should, in theory, only generate valid passwords. Using pre-existing wordlists may be useful when generating passwords that fit a policy — for example, manipulating or 'mangling' a password such as password: p@ssword, Pa$$word, Passw0rd, and so on.
Hashcat has rule sets located at /usr/share/hashcat/rules/. To create your own rules, you may check this hashcat documentation.
# Crack hash using rule + wordlisthashcat-m<mode>-a0hash.txtwordlist.txt-r/usr/share/rules/best64.rulehashcat-m<mode>-a0hash.txt/usr/share/wordlist/rockyou-r/usr/share/hashcat/rules/rockyou-30000.rule# Crack hash with combinor# each word of a dictionary is appended to each word in another dictionary. (left and right)# -a 1 : Combinator mode (dict1 dict2)hashcat-m<mode>-a1hash.txtdict1.txtdict2.txt# Crack hash with combinor and rule# -j : Single rule applied to each word on the left dictionary# -k : Single rule applied to each word on the right dictionaryhashcat-m<mode>-a1hash.txtdict1.txtdict1.txt-j'$-'-k'$!'
John the ripper has a config file that contains rule sets, which is located at /etc/john/john.conf or /opt/john/john.conf depending on your distro or how john was installed. You can read /etc/john/john.conf and look for List.Rules to see all the available rules:
# Dictionnary attack using default or specific rulesjohn--wordlist=password.lst--rules=rulenamehashFile
Hybrid Attack
We can use hashcat to perform hybrid attacks using both a dictionary and a mask and even rules.
# -a 6: Hybrid wordlist + mask# wordlist + maskhashcat-a6-m<mode>names.txt?d?d?d?d# wordlist + mask + ruleshashcat-a6-m<mode>wordlist.txt?d?d?d?d-rrules/yourule.rule# Single rule used to uppercase first letter --> Marie2018hashcat-a6-m0names.txt?d?d?d?d-j'c'
Rainbow Table Attack
Crackstation is a website that can be used for Rainbow Table Attacks.
