To identify a hash type you can use name-that-hash (it also prints hashcat mode and john format hints; the web app is here), the older, interactive
hash-identifier <hash>, or even older
Many hashes carry a prefix (for example $6$ for sha512crypt or $2y$ for bcrypt) or have a fixed length, which makes them easy to identify by comparing them with the hashcat example hashes.
For hashes without such markers (a bare 32-character hex string can be MD5, NTLM or several others) you need to take the context and the application that produced them into account to determine the hash type.
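A first-pass identifier along those lines, added here as an example and not code from the original page: it reads the prefix, falls back to the digest length, and prints the john --format name and hashcat -m mode. The prefix/mode pairs are the ones from the hashcat example hashes table; the function names (guess_hash_type, is_hex), the output wording and the sample inputs are this example's own.

```sh
#!/bin/sh
# Added example (not from the original page): a first-pass hash-type guess from
# prefix and digest length, printing the john --format name and hashcat -m mode.
# The prefix/mode pairs follow the hashcat example-hashes table; the function
# names and output wording are this example's own choices.

is_hex() {
    # true when the argument is non-empty and contains only hex digits
    [ -n "$1" ] && [ -z "$(printf '%s' "$1" | tr -d '0-9a-fA-F')" ]
}

guess_hash_type() {
    h=$1
    # 1. Prefixed formats: the prefix alone pins the type down.
    case "$h" in
        '$6$'*)              echo 'sha512crypt  john=sha512crypt  hashcat=-m 1800'; return 0 ;;
        '$5$'*)              echo 'sha256crypt  john=sha256crypt  hashcat=-m 7400'; return 0 ;;
        '$1$'*)              echo 'md5crypt  john=md5crypt  hashcat=-m 500'; return 0 ;;
        '$2a$'*|'$2b$'*|'$2y$'*)
                             echo 'bcrypt  john=bcrypt  hashcat=-m 3200'; return 0 ;;
        '$krb5asrep$23$'*)   echo 'Kerberos AS-REP etype 23  john=krb5asrep  hashcat=-m 18200'; return 0 ;;
        '$krb5tgs$23$'*)     echo 'Kerberos TGS-REP etype 23  john=krb5tgs  hashcat=-m 13100'; return 0 ;;
        '!'*|'*'*)           echo 'locked or disabled account, nothing to crack'; return 1 ;;
    esac
    # 2. Bare hex digests: the length narrows it down but does not settle it.
    if is_hex "$h"; then
        case ${#h} in
            32)  echo '32 hex: MD5 (john=raw-md5, -m 0) or NTLM (john=nt, -m 1000); decide from context'; return 0 ;;
            40)  echo '40 hex: SHA-1  john=raw-sha1  hashcat=-m 100'; return 0 ;;
            64)  echo '64 hex: SHA-256  john=raw-sha256  hashcat=-m 1400'; return 0 ;;
            128) echo '128 hex: SHA-512  john=raw-sha512  hashcat=-m 1700'; return 0 ;;
        esac
    fi
    echo 'unrecognised: check the application that produced it and the example-hashes table'
    return 1
}

# Stand-alone demo with constructed inputs (the 32-hex value is md5("password");
# the $6$ and $2y$ strings are placeholders, not real hashes).
for sample in '$6$saltsalt$notarealhash' '$2y$10$notarealhash' 5f4dcc3b5aa765d61d8327deb882cf99 '*'; do
    printf '%-40s -> %s\n' "$sample" "$(guess_hash_type "$sample")"
done
```

The 32-hex case is the one that deserves the "decide from context" answer: a dump from a Windows SAM is NTLM, a hash out of a PHP web app is most likely MD5, and the wrong guess only costs you a wasted run, so try both modes rather than trusting the length.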
Here are some online services which can help crack hashes using rainbow tables.
Wordlists are needed to crack hashes.
On Kali they can be found under
A more advanced collection is SecLists from Daniel Miessler, which can be installed via
apt install -y seclists.
To get
rockyou.txt you can use SecLists and extract it with (as root, since /usr/share is not user-writable)
cd /usr/share/seclists/Passwords/Leaked-Databases; tar xvzf rockyou.txt.tar.gz; mv rockyou.txt /usr/share/wordlists/
This extracts the file and moves it to
/usr/share/wordlists/rockyou.txt for easy access.
example hashes for every hashcat mode: https://hashcat.net/wiki/doku.php?id=example_hashes
hashcat -a 0 -m 18200 /tmp/hash.txt ~/Downloads/passwordlist.txt
(-a 0 is a straight wordlist attack; -m 18200 is the mode for Kerberos 5 AS-REP etype 23 hashes, so take the -m number from the example hashes entry that matches your hash)
john the ripper¶
John the Ripper is able to crack hashes either by guessing (incremental and single modes) or with wordlists. To crack hashes from various file formats you can utilize the *2john tools, which convert them into a hash that John the Ripper understands.
sudo updatedb; locate -i -r ".*2john" will list all installed converters.
Some of them are:
* /usr/sbin/gpg2john
* /usr/sbin/keepass2john
* /usr/sbin/rar2john
* /usr/sbin/vncpcap2john
* /usr/sbin/wpapcap2john
* /usr/sbin/zip2john
* /usr/share/john/7z2john.pl
* /usr/share/john/enpass2john.py
* /usr/share/john/filezilla2john.py
* /usr/share/john/itunes_backup2john.pl
* /usr/share/john/known_hosts2john.py
* /usr/share/john/lastpass2john.py
* /usr/share/john/libreoffice2john.py
* /usr/share/john/mozilla2john.py
* /usr/share/john/ssh2john.py
This online service will convert them for you, but be aware that the uploaded files and the resulting hashes are then public.
john --wordlist=[path to wordlist] [path to file]
Specific format cracking¶
hashid <hash>
john --list=formats | grep -i "md5"
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt
hashid suggests candidate hash types, the --list=formats query finds the matching john format name, and --format pins john to that format instead of letting it guess (john's own guess for a 32-hex string is not necessarily the right one).
Single Crack mode¶
In single crack mode john takes a username and mangles it based on rules to generate candidate passwords.
For the username mike, for example, it would create variants of mike as candidates.
john --single --format=<format> hash_to_crack.txt
Be aware that each line in hash_to_crack.txt must be prefixed with the username, i.e. username:hash, otherwise single mode has nothing to mangle.
In case of a passwd/shadow (unshadowed) file john will also take the home directory name, the GECOS field and the other passwd fields as input words for the mangling rules.
In John you can define special rules for how the word mangling generates passwords.
Jumbo John, the community extended version, comes with a lot of different rule sets which can be listed via
john --list=rules or via
less /etc/john/john.conf (the List.Rules:* sections).
To use a rule set you need to name it; in single mode this is done through the --single option itself (in wordlist mode the equivalent option is --rules=<rule>):
john --single=<rule> --format=<format> hash_to_crack.txt
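What single mode and its mangling rules do, shown as a miniature for raw MD5 hashes. This is an added example, not john's code: the rules are a few hand-written substitutes for the List.Rules sections, the function names (md5hex, mangle, single_crack, make_sample_file) are this example's own, and the sample username:hash lines are constructed for the demo.

```sh
#!/bin/sh
# Added example (not john's code): a miniature of single-crack mode for raw MD5.
# It reads "username:hash" lines, derives candidates from the username with a
# handful of hand-written mangling rules standing in for john's List.Rules
# sections, and compares md5sum output. Function names and the rule choices
# are this example's own.

md5hex() {
    # hex MD5 of $1 with no trailing newline; falls back to openssl where md5sum is missing
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -md5 | awk '{ print $NF }'
    fi
}

mangle() {
    # print candidate passwords derived from one word, one per line
    w=$1
    cap=$(printf '%s' "$w" | awk '{ print toupper(substr($0, 1, 1)) substr($0, 2) }')
    up=$(printf '%s' "$w" | tr '[:lower:]' '[:upper:]')
    rev=$(printf '%s' "$w" | awk '{ for (i = length($0); i > 0; i--) printf "%s", substr($0, i, 1) }')
    for base in "$w" "$cap" "$up" "$rev"; do
        printf '%s\n' "$base"                       # john rule ":" (word unchanged)
        for suffix in 1 123 2024 '!' '123!'; do
            printf '%s%s\n' "$base" "$suffix"       # john rule "$X" (append a character)
        done
    done
}

single_crack() {
    # $1: file of "username:hash" lines, the layout john --single needs.
    # Prints "username:password" for every hash that a mangled username matches.
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        hash=$(printf '%s' "$hash" | tr 'A-F' 'a-f')
        mangle "$user" | while IFS= read -r cand; do
            if [ "$(md5hex "$cand")" = "$hash" ]; then
                printf '%s:%s\n' "$user" "$cand"
                break
            fi
        done
    done < "$1"
}

make_sample_file() {
    # Constructed demo data: admin's hash is md5("admin"); the other two are
    # computed here so the demo stays self-contained.
    f=$(mktemp)
    {
        printf 'admin:%s\n' 21232f297a57a5a743894a0e4a801fc3   # cracked by the unchanged-word rule
        printf 'carol:%s\n' "$(md5hex 'Carol123')"             # cracked by capitalise + append 123
        printf 'dave:%s\n'  "$(md5hex 'correct horse')"         # unrelated to the username: single mode fails
    } > "$f"
    printf '%s\n' "$f"
}

sample=$(make_sample_file)
single_crack "$sample"   # dave stays uncracked: that is the point at which you switch to --wordlist
rm -f "$sample"
```

The uncracked third user is the normal outcome of single mode: it is cheap and worth running first, but it only finds passwords derived from what the hash file already says about the account.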
Cracking passwd/shadow files¶
John needs both the passwd and the shadow file combined into one file (the password field of passwd filled with the hash from shadow).
To achieve this we can utilize
unshadow [path to passwd] [path to shadow] > unshadowed.txt
and then run
john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txt to crack it.
Pick --format from the hash prefix: $6$ is sha512crypt, $y$ is yescrypt (the default on current Debian-based systems, Kali included).
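What unshadow actually produces, rebuilt in awk over constructed sample files, as an added example that is not the unshadow tool itself. The function names (unshadow_sh, drop_uncrackable, demo_unshadow) are this example's own, and the hash strings in the sample shadow file are placeholders marked as such, not real hashes.

```sh
#!/bin/sh
# Added example (not the unshadow tool itself): an awk equivalent of
# `unshadow passwd shadow`, applied to constructed sample files, followed by a
# filter that drops accounts with nothing to crack. Function names and the
# placeholder hash strings are this example's own; the hashes are not real.

unshadow_sh() {
    # $1 = passwd, $2 = shadow. Replace the "x" in passwd's password field with
    # the hash from shadow for the same user; UID, GECOS, home and shell stay,
    # which is exactly what john's single mode mangles later.
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }    # first file (shadow): remember hashes
        ($1 in hash) { $2 = hash[$1] }       # second file (passwd): splice the hash in
        { print }
    ' "$2" "$1"
}

drop_uncrackable() {
    # shadow uses "*", "!" or "!..." for accounts without a usable password
    awk -F: '$2 != "" && $2 !~ /^[*!]/'
}

demo_unshadow() {
    p=$(mktemp); s=$(mktemp)
    # constructed sample passwd and shadow; the hash values are placeholders
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000:Alice Example:/home/alice:/bin/bash' \
        'sshd:x:101:65534::/run/sshd:/usr/sbin/nologin' > "$p"
    printf '%s\n' \
        'root:$6$Qx1Y4fZp$PLACEHOLDERsha512crypt:19700:0:99999:7:::' \
        'alice:$y$j9T$Zk2mQ7$PLACEHOLDERyescrypt:19700:0:99999:7:::' \
        'sshd:*:19700:0:99999:7:::' > "$s"
    unshadow_sh "$p" "$s" | drop_uncrackable
    rm -f "$p" "$s"
}

demo_unshadow   # root keeps its $6$ (sha512crypt) hash, alice her $y$ (yescrypt) hash, sshd is dropped
```

Filtering out the locked and system accounts before running john saves it from loading hashes it cannot crack anyway, and the two surviving lines show why one --format per run is needed: the root and alice entries use different crypt schemes, so they go into separate john runs.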
zip2john [options] [zip file] > [zip hash file]
john --wordlist=<wordlist> [zip hash file]
unzip [zip file] -d [target dir] (enter the cracked password when prompted)

rar2john [options] [rar file] > [rar hash file]
john --wordlist=<wordlist> [rar hash file]
unrar x [rar file] (enter the cracked password when prompted)

python /usr/share/john/ssh2john.py [id_rsa file] > [id_rsa hash file]
john --wordlist=<wordlist> [id_rsa hash file]
ssh -i [id_rsa file] <user>@<host> (enter the cracked passphrase when prompted; the key file must be mode 0600, otherwise ssh refuses to use it)