Step 14: Cracking Passwords with Hashcat

Josh Gates
14 min read · Jul 27, 2022


Starting this one from Vietnam! I’m jet-lagged to hell, but we’re here and chilling. Anyway… I should’ve probably started this module earlier than I have, as I’ve done some password cracking elsewhere, but it’s on the to-do list so here we go…

Hashing Vs Encryption

Hashing

The process of converting data of any length into a fixed-length string (the hash). This is a one-way process: the hash cannot be turned back into the original data.

echo -n "p@ssw0rd" | md5sum
0f359740bd1cda994f8b55330c86d845 -
echo -n "p@ssw0rd123456" | md5sum
f64c413ca36f5cfe643ddbec4f7d92d0 -

As you can see above, just adding ‘123456’ to the same password completely changes the hash produced by the MD5 algorithm. You’ll find this is true of any hashing algorithm.

Note: it turns out MD5 has a known problem where two different inputs can produce exactly the same hash (a collision).

Encryption

The process of converting data into a format where the original format is no longer accessible. Unlike hashing, encryption is reversible. There are two forms of encryption: symmetric and asymmetric.

Symmetric

The same key is used to encrypt and decrypt. XOR is a simple example of symmetric encryption (the module demonstrates it in Python). This type of encryption is prone to key brute-forcing, frequency analysis, padding oracle attacks, etc.

Asymmetric

On the other hand, asymmetric algorithms divide the key into two parts (public and private). The public key is given to anyone who wishes to encrypt some information and pass it securely to the owner. The owner then uses their private key to decrypt the content. Some examples of asymmetric algorithms are RSA, ECDSA, and Diffie-Hellman.

This is used in HTTPS in the form of Secure Sockets Layer (SSL).

Task:

1. MD5 hash of ‘HackTheBox123!’:
┌──(kali㉿R4v3n)-[~]
└─$ echo -n 'HackTheBox123!' | md5sum
87946d0585ba62c0671b734cada46b41 -

2. Create the XOR ciphertext of the password ‘opens3same’ using the key ‘academy’. Open P
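Here’s a pure-Python version of that XOR task (my own added example, not code from the module): the same function encrypts and decrypts, which is the whole point of “symmetric”, and the last function shows why a short reused key is weak, since one known plaintext hands back the keystream.

```python
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Because x ^ k ^ k == x, one function both
    encrypts and decrypts: that is what makes XOR a symmetric cipher."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

def xor_encrypt(plaintext: str, key: str) -> str:
    """Ciphertext returned as hex so it can be pasted around safely."""
    return xor_bytes(plaintext.encode(), key.encode()).hex()

def xor_decrypt(ciphertext_hex: str, key: str) -> str:
    return xor_bytes(bytes.fromhex(ciphertext_hex), key.encode()).decode()

def recover_keystream(ciphertext_hex: str, known_plaintext: str) -> str:
    """The weakness mentioned above: ciphertext XOR plaintext gives the
    keystream back, so a single known message exposes the repeating key."""
    return xor_bytes(bytes.fromhex(ciphertext_hex), known_plaintext.encode()).decode()

if __name__ == "__main__":
    ct = xor_encrypt("opens3same", "academy")      # password and key from the task
    print("ciphertext:", ct)
    print("decrypted :", xor_decrypt(ct, "academy"))
    print("keystream :", recover_keystream(ct, "opens3same"))
```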

Identifying Hashes

$1$ : MD5
$2a$ : Blowfish
$2y$ : Blowfish, with correct handling of 8 bit characters
$5$ : SHA256
$6$ : SHA512

Above are some of the ids for commonly used hashes.

$6$vb1tLY1qiY$M.1ZCqKtJBxBtZm1gRi8Bbkn39KU0YJW1cuMFzTRANcNKFKR4RmAQVk4rqQQCkaJT6wXqjUkFcA/qNxLyqW.U/

In the example above, ‘$6$’ identifies the algorithm (SHA512) and the next section ‘vb1tLY1qiY’ is the salt: random characters added before hashing to defeat precomputed hash table attacks. The final section is the hash itself.

HashID

hashid is a Python tool that identifies the likely type of a hash from its format.

AWildRavenclaw@htb[/htb]$ hashid '$apr1$71850310$gh9m4xcAn3MGxogwX/ztb.'
Analyzing '$apr1$71850310$gh9m4xcAn3MGxogwX/ztb.'
[+] MD5(APR)
[+] Apache MD5

hashid’s ‘-m’ flag adds the matching Hashcat mode number to its output, so you know which mode to use:

hashid '$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f' -m
Analyzing '$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f'
[+] Domain Cached Credentials 2 [Hashcat Mode: 2100]

Context is Important

It isn’t always possible to tell the algorithm from the hash string alone: a 32-character hex digest could be MD5, NTLM or something else, and values often go through multiple hashing or salting passes. Knowing where the hash came from (the context) narrows it down.

Hashcat provides a reference list of example hashes for every mode to help identify which hashcat mode to use.
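Here’s a small Python identifier for the prefixes listed above (my own added example, not the module’s or hashid’s code). The mode numbers are hashcat’s own for these formats; it also handles the ‘$DCC2$’ layout from the hashid output and the Drupal 7 ‘$S$’ prefix of the task hash that follows.

```python
import re

# Hash prefixes from the list above, mapped to (name, hashcat -m mode).
PREFIX_MODES = {
    "$1$": ("md5crypt (MD5)", 500),
    "$apr1$": ("Apache MD5 (APR)", 1600),
    "$2a$": ("bcrypt (Blowfish)", 3200),
    "$2y$": ("bcrypt (Blowfish, 8-bit safe)", 3200),
    "$5$": ("sha256crypt (SHA256)", 7400),
    "$6$": ("sha512crypt (SHA512)", 1800),
    "$S$": ("Drupal 7", 7900),
}

def identify(h):
    """Split a hash string into id, salt and digest, like 'hashid -m' does.

    Returns a dict (name, mode, salt, digest, plus cost/user where the
    format carries them) or None for an unknown prefix.
    """
    # Domain Cached Credentials 2 uses '#' separators: $DCC2$<iter>#<user>#<hex>
    m = re.fullmatch(r"\$DCC2\$(\d+)#([^#]+)#([0-9a-f]{32})", h)
    if m:
        return {"name": "Domain Cached Credentials 2", "mode": 2100,
                "cost": int(m.group(1)), "user": m.group(2),
                "salt": m.group(2), "digest": m.group(3)}
    for prefix, (name, mode) in PREFIX_MODES.items():
        if not h.startswith(prefix):
            continue
        body = h[len(prefix):]
        info = {"name": name, "mode": mode}
        if prefix in ("$2a$", "$2y$"):
            # bcrypt: <cost>$<22-char salt><31-char digest>, not '$'-separated
            cost, rest = body.split("$", 1)
            info.update(cost=int(cost), salt=rest[:22], digest=rest[22:])
        elif prefix == "$S$":
            # Drupal 7: one cost character, 8-char salt, 43-char digest
            info.update(cost=body[0], salt=body[1:9], digest=body[9:])
        else:
            # crypt(3) family: [rounds=N$]<salt>$<digest>
            parts = body.split("$")
            if parts[0].startswith("rounds="):
                info["cost"] = int(parts.pop(0)[len("rounds="):])
            if len(parts) < 2:
                return None
            info.update(salt=parts[0], digest=parts[1])
        return info
    return None

if __name__ == "__main__":
    for sample in ("$6$vb1tLY1qiY$M.1ZCqKtJBxBtZm1gRi8Bbkn39KU0YJW1cuMFzTRANcNKFKR4RmAQVk4rqQQCkaJT6wXqjUkFcA/qNxLyqW.U/",
                   "$apr1$71850310$gh9m4xcAn3MGxogwX/ztb.",
                   "$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f"):
        print(identify(sample))
```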

Task:

Identify which algorithm this hash is: $S$D34783772bRXEx1aCsvY.bqgaaSu75XmVlKrW9Du8IQlvxHlmzLc

Noticed I’m using my own VM more now? Figure it’s time I get used to using Kali more rather than embrace the convenience of the ParrotOS that PwnBox uses.

Hashcat Overview

Just shows you how to install Hashcat if your machine doesn’t already have it. I checked mine was installed/up to date and we’re good to go!

The ‘-b’ flag runs performance/benchmark mode. On its own it benchmarks every algorithm; add ‘-m’ with a mode number to benchmark just that one, as below:

AWildRavenclaw@htb[/htb]$ hashcat -b -m 0
hashcat (v6.1.1) starting in benchmark mode...

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-5820K CPU @ 3.30GHz, 4377/4441 MB (2048 MB allocatable), 6MCU

Benchmark relevant options:
===========================
* --optimized-kernel-enable

Hashmode: 0 - MD5

Speed.#1.........: 449.4 MH/s (12.84ms) @ Accel:1024 Loops:1024 Thr:1 Vec:8

Started: Fri Aug 28 21:52:35 2020
Stopped: Fri Aug 28 21:53:25 2020

Optimisations

HTB: Academy Table from Module

WARNING FROM HASHCAT DEVS:

It is important to note that the use of --force should be avoided. While this appears to make Hashcat work on certain hosts, it is actually disabling safety checks, muting warnings, and bypassing problems that the tool’s developers have deemed to be blockers. These problems can lead to false positives, false negatives, malfunctions, etc. If the tool is not working properly without forcing it to run with --force appended to your command, we should troubleshoot the root cause (i.e., a driver issue). Using --force is discouraged by the tool’s developers and should only be used by experienced users or developers.

Task:

What is the Hashcat mode number for Cisco-ASA MD5?

Use this from the module…

Dictionary Attack

Straight or Dictionary Attack

hashcat -a 0 -m <hash type> <hash file> <wordlist>

For example, the following commands will crack a SHA256 hash using the rockyou.txt wordlist.

AWildRavenclaw@htb[/htb]$ echo -n '!academy' | sha256sum | cut -f1 -d' ' > sha256_hash_example
AWildRavenclaw@htb[/htb]$ hashcat -a 0 -m 1400 sha256_hash_example /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v6.1.1) starting...

<SNIP>

Dictionary cache built:
* Filename..: /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs

Approaching final keyspace - workload adjusted.

006fc3a9613f3edd9f97f8e8a8eff3b899a2d89e1aabf33d7cc04fe0728b0fe6:!academy

Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA2-256
Hash.Target......: 006fc3a9613f3edd9f97f8e8a8eff3b899a2d89e1aabf33d7cc...8b0fe6
Time.Started.....: Fri Aug 28 21:58:44 2020 (4 secs)
Time.Estimated...: Fri Aug 28 21:58:48 2020 (0 secs)
Guess.Base.......: File (/opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3383.5 kH/s (0.46ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14340096/14344385 (99.97%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[216361726f6c796e] -> $HEX[042a0337c2a156616d6f732103]

Started: Fri Aug 28 21:58:05 2020
Stopped: Fri Aug 28 21:58:49 2020

At any time during the cracking process, you can hit the ‘s’ key to get a status on the cracking job. For a slow hash such as bcrypt that status shows that attempting every password in the rockyou.txt wordlist will take over 1.5 hours. Each additional round of the algorithm increases cracking time exponentially, so in the case of hashes such as bcrypt it is often better to use smaller, more targeted wordlists.

Task:

Crack the hash… use hashid… it’s MD5, then:

Combination Attack

Simply takes two wordlists as input and joins each word of the first to each word of the second… revolutionary.

The ‘--stdout’ flag prints the combined candidates instead of cracking anything, so you can preview what the two wordlists produce:
hashcat -a 1 --stdout file1 file2

Random note: It’s been a couple days since I did any infosec stuff. Turns out finding a new apartment is a little more difficult than we thought. We’re in a super cheap airbnb place now. Nice but small. Viewed a lot of apartments the last couple days. The one we saw this morning was nice and we’re going to see another promising one here within an hour or so as of writing. Think we’re just going to pull the trigger so we can stop living out of suitcases and start setting up our new little home well before we start the chaos of a new school year! Anyway, back to what you’re here for…

Syntax for a combination attack:

hashcat -a 1 -m <hash type> <hash file> <wordlist1> <wordlist2>

Create md5 first:

echo -n 'secretpassword' | md5sum | cut -f1 -d' '  > combination_md5

Then run hashcat with two wordlists:

hashcat -a 1 -m 0 combination_md5 wordlist1 wordlist2

Task: Combination Attack

Easy. Make the wordlists in basic text files, name ’em what you like. Mode 0 is md5 hash. The text files are the wordlists.

hashcat -a 1 -m 0 *INSERT HASH HERE* word1.txt word2.txt

Mask Attack

Used to generate candidates matching a specific pattern; useful when a trait such as the password length or structure is known.

Below is a screenshot of important mask attack placeholders:

Mask Attack Placeholders

For anyone with photo editing experience, it’s just like creating a masking layer in photoshop… at least in my head. If that confuses you more, just ignore me.

Creating MD5 Hashes

echo -n 'ILFREIGHTabcxy2015' | md5sum | tr -d " -" > md5_mask_example_hash

The Attack Syntax

hashcat -a 3 -m 0 md5_mask_example_hash -1 01 'ILFREIGHT?l?l?l?l?l20?1?d'

Task: Masked Attack

You can see the command I did to crack it, then run it again with ‘--show’ to give you the hash correctly.

Hybrid Attack

Hybrid mode is a variation of the combinator attack, wherein multiple modes can be used together for a fine-tuned wordlist creation. This mode can be used to perform very targeted attacks by creating very customized wordlists. It is particularly useful when you know or have a general idea of the organization’s password policy or common password syntax. The attack mode for the hybrid attack is “6”.

Let’s consider a password such as “football1$”. The example below shows how a wordlist can be used in combination with a mask.

Create the hybrid hash with the command below:

echo -n 'football1$' | md5sum | tr -d " -" > hybrid_hash

Hybrid attack using a wordlist plus a mask (mode 6 appends the mask to each word):

hashcat -a 6 -m 0 hybrid_hash /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt '?d?s'

Attack mode ‘7’ is the reverse: the mask is prepended to each word from the wordlist. Below we have created another hash to try it on:

echo -n '2015football' | md5sum | tr -d " -" > hybrid_hash_prefix

Hybrid attack using a mask prepended to the wordlist

Syntax

hashcat -a 7 -m 0 hybrid_hash_prefix -1 01 '20?1?d' /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt
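To see what the mask and hybrid modes above actually enumerate, here’s a small hashcat-mask parser in Python (my own added example, not hashcat’s code). It expands ‘?l’, ‘?d’, ‘?s’ and custom ‘-1’ sets the way hashcat does, so you can compute a mask’s keyspace, check whether a candidate is even reachable, and size a mode 6/7 job as wordlist × mask.

```python
import itertools
import string

# hashcat's built-in charsets; ?s is the 33 printable specials (space included)
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]

def _tokens(spec, custom):
    """Yield one charset per mask position; literal characters become 1-char sets."""
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            yield "?" if key == "?" else custom.get(key) or BUILTIN[key]
            i += 2
        else:
            yield spec[i]
            i += 1

def parse_mask(mask, custom_sets=()):
    """custom_sets are the -1 .. -4 arguments in order, e.g. ['01'] for '-1 01'.
    A custom set may itself use ?l/?d etc., as hashcat allows."""
    custom = {}
    for n, spec in enumerate(custom_sets, start=1):
        custom[str(n)] = "".join(dict.fromkeys("".join(_tokens(spec, {}))))
    return list(_tokens(mask, custom))

def keyspace(positions):
    """Number of candidates the mask generates (mode 3)."""
    n = 1
    for p in positions:
        n *= len(p)
    return n

def matches(candidate, positions):
    """True if the mask could ever generate this candidate."""
    return len(candidate) == len(positions) and all(
        c in p for c, p in zip(candidate, positions))

def candidates(positions):
    """Every word the mask generates (not in hashcat's internal order);
    only practical for small keyspaces."""
    for combo in itertools.product(*positions):
        yield "".join(combo)

def hybrid_keyspace(wordlist_size, positions):
    """Modes 6/7 try every word with every mask candidate appended/prepended."""
    return wordlist_size * keyspace(positions)

if __name__ == "__main__":
    mask = parse_mask("ILFREIGHT?l?l?l?l?l20?1?d", ["01"])   # the -a 3 example above
    print("mode 3 keyspace:", keyspace(mask))
    print("covers ILFREIGHTabcxy2015:", matches("ILFREIGHTabcxy2015", mask))
    # rockyou.txt has 14344385 usable lines per the hashcat output earlier
    print("mode 6 candidates with ?d?s:", hybrid_keyspace(14344385, parse_mask("?d?s")))
```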

Task:

Identify the hash using hashid (SHA-1), find the hashcat mode and ta-daaaa…

Working with Wordlists

During an assessment, we may retrieve one or more password hashes that are crucial to the engagement’s success. Despite our best attempts, these hashes cannot be cracked with common wordlists using the dictionary, combination, mask, or hybrid attacks covered in the prior sections. It may be necessary to create a custom, targeted wordlist to achieve our goal in these instances.

It is necessary to spend time refining a wordlist because the success rate heavily depends on it. Wordlists can be obtained from various sources, customised for the target and further fine-tuned using rules. Wordlists exist for passwords, usernames, file names, payloads, and many other data types. The SecLists repository also contains many wordlists useful for username enumeration and password identification.

Crunch

Crunch creates wordlists based on given parameters.

Syntax given below:

crunch <minimum length> <maximum length> <charset> -t <pattern> -o <output file>

The ‘-t’ option specifies the pattern for generated passwords. In the pattern, ‘@’ is replaced by lower case characters, ‘,’ (comma) by upper case characters, ‘%’ by numbers, and ‘^’ by symbols.

Use the following command to make a wordlist of words between 4 and 8 characters using the default character set:

crunch 4 8 -o wordlist

Using a pattern:

crunch 17 17 -t ILFREIGHT201%@@@@ -o wordlist

Using specified repetition (guess this person’s birthday):

crunch 12 12 -t 10031998@@@@ -d 1 -o wordlist

CUPP (hello old friend)

Remember this from our other password related shenanigans? If you don’t, go back and check out my posts!

Common User Password Profiler is good for making usernames or passwords based on some basic questions and common patterns involving this information.

To run in interactive mode remember:

python3 cupp.py -i

It will then prompt you to answer basic questions like name/dob/spouse/children names etc.

Remember the ‘-l’ flag can be used to introduce 1337 (leet) mode.

KWPROCESSOR

Creates wordlists based on keyboard walks (common patterns on a keyboard).

Example syntax:

kwp -s 1 basechars/full.base keymaps/en-us.keymap routes/2-to-10-max-3-direction-changes.route

The command above generates words with characters reachable while holding shift (-s 1), using the full base character set, the standard en-us keymap, and the route file allowing walks of 2 to 10 keys with at most 3 direction changes.

Princeprocessor

PRINCE (PRobability INfinite Chained Elements) is a password-candidate generator: princeprocessor builds candidates by chaining together elements (words) from an input wordlist, ordered by probability.

Princeprocessor - Forming Wordlist

AWildRavenclaw@htb[/htb]$ ./pp64.bin -o wordlist.txt < words

The command above writes the generated candidates to a file named wordlist.txt. By default, princeprocessor only outputs candidates up to 16 characters in length. This can be controlled using the ‘--pw-min’ and ‘--pw-max’ arguments.

./pp64.bin --pw-min=10 --pw-max=25 -o wordlist.txt < words

The command above generates candidates between 10 and 25 characters long.

./pp64.bin --elem-cnt-min=3 -o wordlist.txt < words

The command above only outputs candidates built from at least three elements, such as ‘dogdogdog’.

CeWL

Spiders/scrapes websites to create custom wordlists.

cewl -d <depth to spider> -m <minimum word length> -w <output wordlist> <url of website>

cewl -d 5 -m 8 -e http://inlanefreight.com/blog -w wordlist.txt

Above, the command spiders the URL to a depth of 5 and generates words with a minimum length of 8 (-e also collects any email addresses it finds).

Hashcat - Previously Cracked Hashes

Hashcat’s potfile stores each cracked hash as hash:password. Cutting off the first field gives a list of previously cracked passwords, which can be reused as a themed wordlist for further attacks:

cut -d: -f 2- ~/hashcat.potfile

Hashcat-utils

See here for additional repos… for example:

Maskprocessor can append special characters to the end of a word (?s is the special-character placeholder):

./mp64.bin 'Welcome?s'

Working with rules

Some common hashcat functions for custom rules

A full list of rules can be found here.

Words of length less than N can be rejected with >N, while words greater than N can be rejected with <N. A list of rejection rules can be found here.

Note: Reject rules only work either with hashcat-legacy, or when using -j or -k with Hashcat. They will not work as regular rules (in a rule file) with Hashcat.

Example Rule Creation

c so0 si1 se3 ss5 sa@ $2 $0 $1 $9

This capitalises the first letter of each word, then does a little ‘leetspeak’ magic (o→0, i→1, e→3, s→5, a→@) and appends 2019 to the end of each word on our list. Order matters: ‘c’ has to run before ‘ss5’, otherwise the leading ‘s’ becomes ‘5’ first and there is nothing left to capitalise.

echo 'c so0 si1 se3 ss5 sa@ $2 $0 $1 $9' > rule.txt

Above is how you save the rule into a text file. The rule is not inserted into the wordlist; hashcat applies it to every word of the wordlist when you pass the file with -r.

hashcat -r rule.txt test.txt --stdout

This prints (‘debugs’) the mangled candidates to standard output (--stdout) without cracking anything, so you can check that the rule in rule.txt (-r) does what you want against the words in test.txt.
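If you want to see exactly what those rule functions do to a word without firing up hashcat, here’s a tiny interpreter for the functions used on this page (my own added example, not hashcat’s code; N in the reject rules is taken as a single digit, a simplification of hashcat’s 0-9/A-Z positions). It reproduces the ‘St@r5h1p2019’ candidate from ‘starship’ and shows what happens when ‘c’ is moved after the substitutions.

```python
# Rule functions implemented:
#   c    capitalise the first character, lowercase the rest
#   l/u  lowercase / uppercase the whole word
#   sXY  replace every X with Y      $X append X      ^X prepend X
#   >N   reject words shorter than N   <N reject words longer than N

def apply_rule(word, rule):
    """Apply one space-separated rule to a word. Returns None when a reject
    function drops the word (hashcat only honours those with -j/-k)."""
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "s" and len(arg) == 2:
            word = word.replace(arg[0], arg[1])   # case-sensitive, like hashcat
        elif op == "$":
            word = word + arg
        elif op == "^":
            word = arg + word
        elif op in "<>":
            n = int(arg)   # single-digit simplification, see lead-in
            if (op == ">" and len(word) < n) or (op == "<" and len(word) > n):
                return None
        else:
            raise ValueError(f"unsupported rule function: {fn}")
    return word

def mangle(words, rules):
    """What 'hashcat -r rule.txt words.txt --stdout' prints: every word run
    through every rule, duplicates dropped, order preserved."""
    out = []
    for w in words:
        for r in rules:
            m = apply_rule(w, r)
            if m is not None and m not in out:
                out.append(m)
    return out

if __name__ == "__main__":
    page_rule = "c so0 si1 se3 ss5 sa@ $2 $0 $1 $9"
    for w in ("starship", "password"):
        print(w, "->", apply_rule(w, page_rule))
    # Running 'c' after the substitutions gives a different candidate
    print(apply_rule("starship", "so0 si1 se3 ss5 sa@ c $2 $0 $1 $9"))
```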

Generating SHA1 Hash

echo -n 'St@r5h1p2019' | sha1sum | awk '{print $1}' | tee hash

Cracking the SHA1 Hash

hashcat -a 0 -m 100 hash /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -r rule.txt

Cracking Common Hashes

Common Hash Types

Common hashes seen in pentesting scenarios

Here is the full list maintained by Hashcat devs.

Task: Decode 7106812752615cdfe427e01b98cd4083

Honestly, just play with the rules it’s stupid and impractical. If there’s some logical way to tune it, let me know!

Cracking Miscellaneous Files & Hashes

I’m installing JohnTheRipper on my VM but not using it as I don’t feel like reconfiguring my memory on my laptop for the VM sooooo deal with it.

Here’s what you need to set it up:

AWildRavenclaw@htb[/htb]$ sudo git clone https://github.com/magnumripper/JohnTheRipper.git
AWildRavenclaw@htb[/htb]$ cd JohnTheRipper/src
AWildRavenclaw@htb[/htb]$ sudo ./configure && make

Task: Crack the ZIP File

Use linux unzip command then https://hashes.com/en/johntheripper/zip2john to get:

$7z$0$19$0$$8$9c7684c204c437fa0000000000000000$1098215690$112$106$7395978cad9ad8b18aef51ba2f9dcf909a1bff70d240b1c8e98dffabd352d69a1f37978e5df0179860d0fe4754721ae3cbbee1b558d93cd27e0b2959efe44a00305f982527d19584d62bcf8c23cf89e24fd19db844108e452a26d4a8343d504fc3063744d081db1492ea1cdef7a9b983

Use: hashcat -a 0 -m 11600 hash.txt /usr/share/wordlists/rockyou.txt --show

$7z$0$19$0$$8$9c7684c204c437fa0000000000000000$1098215690$112$106$7395978cad9ad8b18aef51ba2f9dcf909a1bff70d240b1c8e98dffabd352d69a1f37978e5df0179860d0fe4754721ae3cbbee1b558d93cd27e0b2959efe44a00305f982527d19584d62bcf8c23cf89e24fd19db844108e452a26d4a8343d504fc3063744d081db1492ea1cdef7a9b983:123456789a

Gets you the password for the file… how creative ‘123456789a’

Open the file with that password and you get your flag:

For a minute I thought that would be another hash I needed to crack…

Cracking Wireless (WPA/WPA2) Handshakes with Hashcat

Capturing a WPA/WPA2 handshake is key to an internal wireless assessment. Wireless networks in a corporate setting are typically not segmented correctly and so are easily open to attack.

Hashcat can be used to successfully crack both the MIC (4-way handshake) and PMKID (1st packet/handshake).

Cracking MIC

To perform an offline cracking attack like this, a 4-way handshake needs to be captured. This is done by sending de-authentication frames to force a client to disconnect from the access point (AP). When the client reauthenticates (usually automatically), the attacker can sniff the WPA 4-way handshake without the client’s knowledge. This handshake is the exchange of keys between the client and its associated AP during authentication.

The keys derived in that exchange are used to compute the Message Integrity Check (MIC), which the AP uses to verify that each packet arrived unmodified and in its original state.

Illustration of 4-way handshake from HTB: Academy module page

Cap2hccapx - Syntax

AWildRavenclaw@htb[/htb]$ ./cap2hccapx.bin
usage: ./cap2hccapx.bin input.cap output.hccapx [filter by essid] [additional network essid:bssid]

Cap2hccapx - Convert To Crackable File

./cap2hccapx.bin corp_capture1-01.cap mic_to_crack.hccapx

Hashcat - Cracking WPA Handshakes

hashcat -a 0 -m 22000 mic_to_crack.hccapx /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt

Cracking PMKID

This attack can be performed against wireless networks that use WPA/WPA2-PSK (pre-shared key) and allows us to obtain the PSK used by the targeted wireless network by attacking the AP directly. The attack does not require deauthentication (deauth) of any users from the target AP. The PMK is the same as in the MIC (4-way handshake) attack but can generally be obtained faster and without interrupting any users.

The Pairwise Master Key Identifier (PMKID) is the AP’s unique identifier to keep track of the Pairwise Master Key (PMK) used by the client. The PMKID is located in the 1st packet of the 4-way handshake and is easier to obtain since it does not require capturing the entire 4-way handshake. The PMKID is calculated with HMAC-SHA1, using the PMK (derived from the wireless network password) as the key, over the string “PMK Name”, the MAC address of the access point and the MAC address of the station. Below is a visual representation of the PMKID calculation:

Visual representation of PMKID calculation from HTB: Academy

To obtain the PMKID hash, extract from the capture (.cap) file using something like hcxpcaptool from hcxtools.
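That calculation in Python, as an added example of my own rather than anything from the module: the PMK comes from PBKDF2-HMAC-SHA1 over the passphrase and SSID, and the PMKID is the first 128 bits of the HMAC described above. The ESSID, MAC addresses and passphrase are the ones from the --show output further down; the point is that nothing session-specific goes into the PMKID, so the passphrase’s strength and PBKDF2’s 4096 rounds are the only protection.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This is the slow step and it is identical for the MIC and PMKID attacks."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(key=PMK, "PMK Name" || AP MAC || STA MAC)."""
    data = b"PMK Name" + bytes.fromhex(ap_mac) + bytes.fromhex(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]

def pmkid_for(passphrase: str, ssid: str, ap_mac: str, sta_mac: str) -> str:
    """Hex PMKID for a given passphrase; a wrong passphrase gives a different value,
    which is exactly the comparison hashcat makes per candidate."""
    return pmkid(derive_pmk(passphrase, ssid), ap_mac, sta_mac).hex()

if __name__ == "__main__":
    # ESSID, AP/STA MACs and passphrase as shown in the --show output on this page
    ssid, ap, sta = "CORP-WIFI", "cc40d0a4d096", "80822381a9c8"
    print("PMKID:", pmkid_for("rockyou1", ssid, ap, sta))
```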

Task:

1. Crack the MIC using the attached .cap file:

hashcat -a 0 -m 22000 -D 1 wpa1.hc22000 /usr/share/wordlists/rockyou.txt --show
92a9fe85d5656281517162c33c0f62b6:cc40d0a4d096:48e244a7c4fb:CORP-WIFI:1212312121
b7703fd2171bec7933ffc900faa6eb5b:cc40d0a4d096:80822381a9c8:CORP-WIFI:rockyou1

2. Crack PMKID using .cap file:

hashcat -a 0 -m 22000 -D 1 13733_1658881181.hc22000 /usr/share/wordlists/rockyou.txt --show

Note: honestly the tools to extract the hash mentioned here I couldn’t get to work properly. Apparently it’s a kali issue. There is this site that does it for you made by the same people. Worked like a charm, no issues whatsoever.

Skills Assessment:

1. Identify the hash type for ‘0c67ac18f50c5e6b9398bfe1dc3e156163ba10ef’: SHA-1
2. What is the cleartext of the above hash?

3. Crack the NetNTLMv2 hash ‘bjones::INLANEFREIGHT:699f1e768bd69c…’

Had to go into PwnBox for this one. No matter what I did with VM settings it was saying not enough memory.

4. Crack the TGS ticket hash. Search the hash identifier to get the hashcat mode (13100)

hashcat -a 0 -m 13100 tgshash.txt /usr/share/wordlists/rockyou.txt --show

p@ssw0rdadmin

5. Cleartext password for MS Cache 2 hash (remember our -jm flag in hashid, I only just did):

6. Crack the zip file hashes and what’s the most common password?

Here, folks, not gonna lie: the tools it suggested I use, I couldn’t use, so I did the painstaking task of just looking, and it didn’t take me long to be honest.

There was a sub-challenge to fully crack it… no thanks, I’m FINALLY DONE with this module.

Apologies this took so long. VERY stressful couple of weeks finding a new apartment (we’ve got one now after lots of AirBNB hopping). Still sorting little details out but we’re good. Then there’s the whole ‘hey we live together, let’s hang out more’ thing. We’re good now, doing our own thing, and start work next week. Well, we have like 3 weeks of ‘prep’ before the kids start, which is wild, but here we are.

I see the usefulness in this module but I BLOODY HATED IT. I think a large part of that is the whole moving in with the GF and new country on top of all that so, here we are!

Finally!

Next up… is Intro to Network Traffic Analysis with only two modules left for the ‘Basic Toolkit’ path to be completed (Using Web Proxies) being the last. I’ve already had some experience with both parts of this but I want to make sure my education is thorough. Until next time!
