Offline - Password Cracking

MITRE ATT&CK™ Brute Force: Password Cracking - Technique T1110.002

Theory

When obtaining hashed passwords, we must run various plaintext passwords through the hashing algorithm and compare the returned hash to the target hash. This password attack technique is known as password cracking.

Cracking hashes is usually done on attacker-controlled systems outside of the target network, as this technique does not require direct interaction with the target.

Practice

Note that John is mainly a CPU-based cracking tool that also supports GPUs, while Hashcat is mainly a GPU-based cracking tool that also supports CPUs.

Finding Hashcat Mode

Hashcat offers different modes that you can use to crack a specific algorithm. When you crack a hash with hashcat, the first step is to find the right mode.

To do this, we can use the -h or --example-hashes arguments. Alternatively we may refers to the example_hash online resource.

HashId & Help

We may use hashid against a hash to do identify the hash type

$ hashid '$S$C33783772bRXEx1aCsvY.dqgaaSu76XmVlKrW9Qu8IQlvxHlmzLf'
Analyzing '$S$C33783772bRXEx1aCsvY.dqgaaSu76XmVlKrW9Qu8IQlvxHlmzLf'
[+] Drupal > v7.x

Then we can use following commands to retrieve that the Hashcat mode is 7900

$ hashcat -h |grep -i 'Drupal'
   7900 | Drupal7  | Forums, CMS, E-Commerce

Example_hashes & Grep

We may directly use the --example-hash argument to find the right mode. Using the previous hash, we can easily find the 7900 mode.

$ hashcat --example-hashes|grep -i '\$S\$' -B 11
Hash mode #7900
  Name................: Drupal7
  Category............: Forums, CMS, E-Commerce
  Slow.Hash...........: Yes
  Password.Len.Min....: 0
  Password.Len.Max....: 256
  Salt.Type...........: Embedded
  Salt.Len.Min........: 0
  Salt.Len.Max........: 256
  Kernel.Type(s)......: pure
  Example.Hash.Format.: plain
  Example.Hash........: $S$C20340258nzjDWpoQthrdNTR02f0pmev0K/5/Nx80WSkOQcPEQRh

Brute-Force Attack

We may perform a brute-force attack against a target hash using Hashcat charsets:

# Hashcat Charsets
?l # Lowercase a-z
?u # Uppercase A-Z
?d # Decimals
?h # Hex using lowercase chars
?H # Hex using uppercase chars
?s # Special chars
?a # All (l,u,d,s)
?b # Binary

Following commands can be used

# -a 3 : Bruteforce attack mode (using masks)
# -i : increment
# --increment-min : Start increment at X chars
# --increment-max : Stop increment at X chars

#Crack hashes using all char in 7 char passwords
hashcat -m <mode> -a 3 -i hashes.txt ?a?a?a?a?a?a?a

# Crack hashes using mask for Summer2018 like passwords
hashcat -m <mode> -a 3 hashes.txt ?u?l?l?l?l?l?l?d?d?d?d!

# Crack hash incrementing from 5 char to 7 chars password using all chars (?a)
hashcat -m <mode> -a 3 -i hashes.txt ?a?a?a?a?a?a?a --increment-min=5 --increment-max=7

We may perform a brute-force attack against a target hash using john:

# Incremental mode
john --incremental hash.txt

# Mask bruteforce attack
john --mask=?1?1?1?1?1?1 --1=[A-Z] hash.txt --min-len=8

Dictionary Attack

We may perform a dictionary attack against a target hash using Hashcat

# -a 1 : Dictionary attack mode
hashcat -m <mode> -a 0 hash.txt wordlist.txt

Rule-Based Attack

Rule-Based attacks assume the attacker knows something about the password policy. Rules are applied to create passwords within the guidelines of the given password policy and should, in theory, only generate valid passwords. Using pre-existing wordlists may be useful when generating passwords that fit a policy — for example, manipulating or 'mangling' a password such as password: p@ssword, Pa$$word, Passw0rd, and so on.

To generate a rule-based wordlists, see this page.

Hashcat has rule sets located at /usr/share/hashcat/rules/. To create your own rules, you may check this hashcat documentation.

# Crack hash using rule + wordlist
hashcat -m <mode> -a 0 hash.txt wordlist.txt -r /usr/share/rules/best64.rule
hashcat -m <mode> -a 0 hash.txt /usr/share/wordlist/rockyou -r /usr/share/hashcat/rules/rockyou-30000.rule

# Crack hash with combinor
# each word of a dictionary is appended to each word in another dictionary. (left and right)
# -a 1 : Combinator mode (dict1 dict2)
hashcat -m <mode> -a 1 hash.txt dict1.txt dict2.txt

# Crack hash with combinor and rule
# -j : Single rule applied to each word on the left dictionary
# -k : Single rule applied to each word on the right dictionary
hashcat -m <mode> -a 1 hash.txt dict1.txt dict1.txt -j '$-' -k '$!'

John the ripper has a config file that contains rule sets, which is located at /etc/john/john.conf or /opt/john/john.conf depending on your distro or how john was installed. You can read /etc/john/john.conf and look for List.Rules to see all the available rules:

# Dictionnary attack using default or specific rules
john --wordlist=password.lst --rules=rulename hashFile

Hybrid Attack

We can use hashcat to perform hybrid attacks using both a dictionary and a mask and even rules.

# -a 6: Hybrid wordlist + mask
# wordlist + mask
hashcat -a 6 -m <mode> names.txt ?d?d?d?d

# wordlist + mask + rules
hashcat -a 6 -m <mode> wordlist.txt ?d?d?d?d -r rules/yourule.rule

# Single rule used to uppercase first letter --> Marie2018
hashcat -a 6 -m 0 names.txt ?d?d?d?d -j 'c'

Rainbow Table Attack

Crackstation is a website that can be used for Rainbow Table Attacks.

Resources

Brute Force: Password Cracking, Sub-technique T1110.002 - Enterprise | MITRE ATT&CK®attack.mitre.org

https://cheatsheet.haax.fr/passcracking-hashfiles/hashcat_cheatsheet/cheatsheet.haax.fr

Last updated 1 year ago

hashtagTheory

hashtagPractice

hashtagFinding Hashcat Mode

hashtagHashId & Help

hashtagExample_hashes & Grep

hashtagBrute-Force Attack

hashtagDictionary Attack

hashtagRule-Based Attack

hashtagHybrid Attack

hashtagRainbow Table Attack

hashtagResources