
Password Cracking

To identify a hash type use name-that-hash (CLI nth; it prints hashcat -m and john --format hints and also exists as a web app), the older interactive hash-identifier (start it and paste the hash at its prompt) or the even older hashid <hash>. Many hashes carry a signature prefix ($1$, $6$, $2b$, $krb5asrep$23$, ...) or have a fixed length, which makes them easy to match against the hashcat example hashes. Unsalted hex digests are ambiguous by length alone (32 hex characters can be MD5 or NTLM), so for those, and for anything without a recognisable prefix, take the context and the application the hash came from into account.
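The prefix-and-length heuristics described above, as an added Python example that is not part of the original page: it maps signature prefixes and bare hex-digest lengths to candidate names with their hashcat -m mode and john --format, and also copes with john's user:hash line layout. The mode numbers and format names are the commonly cited ones and should be confirmed against the hashcat example-hash page; the sample hashes are constructed (only the MD5 of "password" is a real digest).

```python
import re

# Added example, not from the original page. Prefix signatures: (prefix, name,
# hashcat -m, john --format). Modes/formats are the commonly cited ones; confirm
# against https://hashcat.net/wiki/doku.php?id=example_hashes before use.
PREFIX_SIGNATURES = [
    ("$krb5asrep$23$", "Kerberos 5 AS-REP etype 23", 18200, "krb5asrep"),
    ("$krb5tgs$23$", "Kerberos 5 TGS-REP etype 23", 13100, "krb5tgs"),
    ("$1$", "md5crypt", 500, "md5crypt"),
    ("$5$", "sha256crypt", 7400, "sha256crypt"),
    ("$6$", "sha512crypt", 1800, "sha512crypt"),
    ("$2a$", "bcrypt", 3200, "bcrypt"),
    ("$2b$", "bcrypt", 3200, "bcrypt"),
    ("$2y$", "bcrypt", 3200, "bcrypt"),
    # yescrypt: no hashcat mode (None); john reaches it via the generic crypt(3) format
    ("$y$", "yescrypt", None, "crypt"),
]

# Unsalted hex digests can only be told apart by length, and not even uniquely:
# 32 hex characters may be MD5 or NTLM, so every candidate is reported.
HEX_LENGTH_SIGNATURES = {
    32: [("MD5", 0, "raw-md5"), ("NTLM", 1000, "NT")],
    40: [("SHA-1", 100, "raw-sha1")],
    64: [("SHA-256", 1400, "raw-sha256")],
    128: [("SHA-512", 1700, "raw-sha512")],
}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def identify(value):
    """Return [(name, hashcat_mode, john_format), ...] for one hash string,
    empty when nothing matches (then fall back to context and application)."""
    h = value.strip()
    for prefix, name, mode, fmt in PREFIX_SIGNATURES:
        if h.startswith(prefix):
            return [(name, mode, fmt)]
    if HEX_RE.match(h):
        return list(HEX_LENGTH_SIGNATURES.get(len(h), []))
    # john-style "user:hash" line: retry on the part after the first colon.
    # Done last on purpose: Kerberos hashes contain ':' inside the hash itself.
    if ":" in h:
        return identify(h.split(":", 1)[1])
    return []


def identify_lines(lines):
    """Identify every non-empty line of a hash file; returns {line: candidates}."""
    return {line.strip(): identify(line) for line in lines if line.strip()}


# Constructed sample lines: a real MD5 of "password", the same hash in john's
# user:hash layout, and placeholder bodies behind real-looking prefixes.
SAMPLE_HASHES = [
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "bob:5f4dcc3b5aa765d61d8327deb882cf99",
    "$6$saltsalt$placeholderhashbody",
    "$krb5asrep$23$svc@CORP.LOCAL:0123456789abcdef$fedcba9876543210",
]

if __name__ == "__main__":
    for line, candidates in identify_lines(SAMPLE_HASHES).items():
        print(line, "->", candidates or "unknown: use context and the application")
```

The order of the checks matters: prefix signatures are tested before the user:hash split because Kerberos hash lines carry a colon inside the hash itself, and an unrecognised value returns an empty list rather than a guess.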

Online services exist that look hashes up in rainbow tables and in databases of previously cracked hashes. Treat anything you submit there as public: do not paste hashes from a client engagement into a third-party site.

Wordlists are needed to crack hashes. On Kali they live under /usr/share/wordlists. A more extensive collection is SecLists by Daniel Miessler, installed with apt install -y seclists.

To get rockyou.txt from seclists, extract it and move it next to the other wordlists: cd /usr/share/seclists/Passwords/Leaked-Databases; tar xvzf rockyou.txt.tar.gz; mv rockyou.txt /usr/share/wordlists/. This puts the file at /usr/share/wordlists/rockyou.txt for easy access. On Kali the same list also ships compressed as /usr/share/wordlists/rockyou.txt.gz and only needs to be gunzipped.

hashcat

Example hashes (use them to confirm the -m mode for a hash type): https://hashcat.net/wiki/doku.php?id=example_hashes

hashcat -a 0 -m 18200 /tmp/hash.txt ~/Downloads/passwordlist.txt

-a 0 is the straight wordlist attack and -m selects the hash type; 18200 is Kerberos 5 AS-REP etype 23, i.e. AS-REP roasting output. Cracked hashes are stored in hashcat.potfile and can be printed again by rerunning the same command with --show.

john the ripper

John the Ripper cracks hashes either by guessing (single and incremental mode) or with wordlists. Hashes embedded in other file formats (archives, key files, password databases, captures) are first converted with the *2john helpers into a hash line john understands.

sudo updatedb; locate -i -r ".*2john" lists all installed converters.

Some of them are:

* /usr/sbin/gpg2john
* /usr/sbin/keepass2john
* /usr/sbin/rar2john
* /usr/sbin/vncpcap2john
* /usr/sbin/wpapcap2john
* /usr/sbin/zip2john
* /usr/share/john/7z2john.pl
* /usr/share/john/enpass2john.py
* /usr/share/john/filezilla2john.py
* /usr/share/john/itunes_backup2john.pl
* /usr/share/john/known_hosts2john.py
* /usr/share/john/lastpass2john.py
* /usr/share/john/libreoffice2john.py
* /usr/share/john/mozilla2john.py
* /usr/share/john/ssh2john.py

An online service also performs the conversion, but be aware that hashes uploaded there are then public.

Automatic cracking

john --wordlist=[path to wordlist] [path to file]

Without --format john guesses the hash type and prints a warning when several formats match; if it guesses wrong, set --format explicitly as in the next section. Cracked passwords are saved to the pot file and can be printed again with --show.

Specific format cracking

hashid <hash>
john --list=formats | grep -i "md5"
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt

Single Crack mode

In single crack mode john takes the username and mangles it according to rules to generate candidate passwords. For the username mike it would try Mike, m1ke, mike! and so on. This is cheap and catches the common case of a password derived from the login name, so it is worth running before any wordlist attack.

john --single --format=<format> hash_to_crack.txt

Be aware that each hash in hash_to_crack.txt must be prefixed with the username (username:hash); without it single mode has nothing to mangle. For a passwd/shadow file john additionally uses the GECOS field and the home directory name as seed words for the mangling rules.

Special rules

In John you can define rules that control how word mangling generates passwords. Jumbo John, the community-enhanced version, ships with many rule sets, which can be listed with john --list=rules or read in /etc/john/john.conf (the [List.Rules:*] sections).

More information about the rules:

* https://www.openwall.com/john/doc/RULES.shtml
* https://tryhackme.com/room/johntheripper0 -> Custom Rules

To use a rule set you have to name it. Single mode has its own default rule set (Single) and accepts an alternative section as its argument; in wordlist mode the rule set is selected with --rules:

john --single=<rule section> --format=<format> hash_to_crack.txt
john --wordlist=<wordlist> --rules=<rule section> --format=<format> hash_to_crack.txt
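To make both the single-mode mangling from the "Single Crack mode" section and the rule syntax from this section concrete, here is an added Python example (not john's code): it implements a subset of john's rule commands (:, l, u, c, C, t, r, d, f, {, }, [, ], $X, ^X, sXY), derives seed words from a username or a passwd entry the way single mode does, and checks the resulting candidates against a raw-MD5 user:hash line. The rule list SINGLE_RULES and the sample hash are constructed for the demo; john's real Single rule set is far larger.

```python
import hashlib

# Added example: a subset of john's rule language (see RULES.shtml), used to
# emulate what single mode does with a username. Not john's own code.

# Argument-free commands: rule character -> transformation of the whole word.
SIMPLE_COMMANDS = {
    ":": lambda s: s,                              # no-op (try the word as-is)
    "l": str.lower,
    "u": str.upper,
    "c": lambda s: s[:1].upper() + s[1:].lower(),  # capitalize
    "C": lambda s: s[:1].lower() + s[1:].upper(),  # inverted capitalize
    "t": str.swapcase,                             # toggle case
    "r": lambda s: s[::-1],                        # reverse
    "d": lambda s: s + s,                          # duplicate
    "f": lambda s: s + s[::-1],                    # reflect
    "{": lambda s: s[1:] + s[:1],                  # rotate left
    "}": lambda s: s[-1:] + s[:-1],                # rotate right
    "[": lambda s: s[1:],                          # delete first char
    "]": lambda s: s[:-1],                         # delete last char
}


def apply_rule(word, rule):
    """Apply one rule string to a word. Besides SIMPLE_COMMANDS it supports
    '$X' append X, '^X' prepend X and 'sXY' replace every X with Y. An unknown
    or truncated command raises ValueError instead of silently skipping."""
    w, i = word, 0
    while i < len(rule):
        cmd = rule[i]
        if cmd in SIMPLE_COMMANDS:
            w, i = SIMPLE_COMMANDS[cmd](w), i + 1
        elif cmd == "$" and i + 1 < len(rule):
            w, i = w + rule[i + 1], i + 2
        elif cmd == "^" and i + 1 < len(rule):
            w, i = rule[i + 1] + w, i + 2
        elif cmd == "s" and i + 2 < len(rule):
            w, i = w.replace(rule[i + 1], rule[i + 2]), i + 3
        else:
            raise ValueError(f"unsupported or truncated rule command {cmd!r} in {rule!r}")
    return w


# Constructed, deliberately small rule set in john's syntax.
SINGLE_RULES = [
    ":", "l", "c", "u", "t", "r", "d", "f",
    "l$!", "c$!", "l$1", "c$1", "l$1$2$3", "c$1$2$3",
    "lsa@", "lse3", "lsi1", "lso0", "csi1", "csi1$!", "lsa@se3si1so0$!",
    "^!l", "c$2$0$2$4",
]


def seeds_from_passwd(passwd_line):
    """Seed words single mode draws from a passwd entry: login name, the words
    of the GECOS full-name field and the home directory name. Assumes the
    standard 7-field layout login:x:uid:gid:gecos:home:shell."""
    fields = passwd_line.strip().split(":")
    login, gecos, home = fields[0], fields[4], fields[5]
    seeds = [login] + gecos.split(",")[0].split() + [home.rstrip("/").rsplit("/", 1)[-1]]
    return list(dict.fromkeys(s for s in seeds if s))  # dedupe, keep order


def candidates(seeds, rules=SINGLE_RULES):
    """Yield unique candidate passwords from the seeds, one rule at a time."""
    seen = set()
    for seed in seeds:
        for rule in rules:
            cand = apply_rule(seed, rule)
            if cand and cand not in seen:
                seen.add(cand)
                yield cand


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def crack_single(line, rules=SINGLE_RULES):
    """Emulate single mode on one 'user:hash' line (raw-md5 only, for the demo).
    Returns the matching candidate or None."""
    user, digest = line.strip().split(":", 1)
    for cand in candidates([user], rules):
        if md5hex(cand) == digest.lower():
            return cand
    return None


if __name__ == "__main__":
    # Constructed hash line: mike chose "M1ke!", which rule "csi1$!" reproduces.
    line = "mike:" + md5hex("M1ke!")
    print("seeds from passwd:", seeds_from_passwd("mike:x:1000:1000:Mike Smith:/home/mike:/bin/bash"))
    print("first candidates:", list(candidates(["mike"]))[:8])
    print("cracked:", crack_single(line))
```

Every candidate here costs one hash computation, which is why single mode runs first: for fast unsalted formats it is essentially free, and for slow formats such as bcrypt the seed-derived guesses are still the ones most likely to hit.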

Specific attacks

Cracking passwd/shadow files

John needs both the passwd and the shadow file combined into one file, which unshadow produces: unshadow [path to passwd] [path to shadow] > unshadowed.txt. Then crack it with john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txt. --format=sha512crypt is right for hashes starting with $6$; check the prefix first, because $1$ (md5crypt), $5$ (sha256crypt) and $y$ (yescrypt, the default on current Debian and Ubuntu) each need a different format.
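What unshadow does, as an added Python example (not the unshadow tool itself): it merges constructed passwd and shadow entries by login name into unshadow's login:hash:uid:gid:gecos:home:shell layout, then groups the result by the --format john needs, so that locked accounts (! or *) are dropped and mixed hash types are not fed to a single --format run. The format names are john jumbo's; the sample entries and hash bodies are made up.

```python
# Added example: merge passwd + shadow like unshadow(8), then sort the result by
# the john --format each hash needs. Sample entries below are constructed.

# john jumbo format names for the common crypt(3) prefixes. yescrypt ($y$) has no
# dedicated format; it goes through john's generic "crypt" format, which calls the
# system libcrypt and therefore only works where libcrypt supports yescrypt.
CRYPT_FORMATS = [
    ("$1$", "md5crypt"),
    ("$5$", "sha256crypt"),
    ("$6$", "sha512crypt"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$y$", "crypt"),
]


def unshadow(passwd_lines, shadow_lines):
    """Replace the 'x' placeholder in passwd field 2 with the hash from shadow,
    matched by login name. Output layout is unshadow's:
    login:hash:uid:gid:gecos:home:shell (GECOS and home are what single mode
    later mangles). Users missing from shadow keep their passwd field."""
    shadow_hash = {}
    for line in shadow_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 2:
            shadow_hash[fields[0]] = fields[1]
    merged = []
    for line in passwd_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 7:
            continue  # not a well-formed passwd entry
        fields[1] = shadow_hash.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def john_format(unshadowed_line):
    """--format for one merged line; None for locked or empty hashes (! or *),
    which john would skip anyway; 'unknown' when no prefix matches."""
    h = unshadowed_line.split(":")[1]
    if h == "" or h[0] in "!*":
        return None
    for prefix, fmt in CRYPT_FORMATS:
        if h.startswith(prefix):
            return fmt
    return "unknown"


def group_by_format(merged_lines):
    """{format: [lines]} so each hash type gets its own john --format run."""
    groups = {}
    for line in merged_lines:
        fmt = john_format(line)
        if fmt is not None:
            groups.setdefault(fmt, []).append(line)
    return groups


# Constructed sample entries (hash bodies are placeholders, not real hashes).
PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "mike:x:1000:1000:Mike Smith:/home/mike:/bin/bash",
    "svc:x:1001:1001::/opt/svc:/bin/sh",
    "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin",
]
SHADOW = [
    "root:!:19000:0:99999:7:::",
    "mike:$6$saltsalt$placeholderhashbody:19000:0:99999:7:::",
    "svc:$y$j9T$placeholdersalt$placeholderhashbody:19000:0:99999:7:::",
    "nobody:*:19000:0:99999:7:::",
]

if __name__ == "__main__":
    for fmt, lines in group_by_format(unshadow(PASSWD, SHADOW)).items():
        print(f"# john --format={fmt} --wordlist=/usr/share/wordlists/rockyou.txt <file>")
        print("\n".join(lines))
```

On the sample data the root and nobody accounts fall away as locked, mike goes into a sha512crypt run and svc needs a separate run with the generic crypt format.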

Zip2John

zip2john [options] [zip file] > [zip hash file]
john --wordlist=<wordlist> [zip hash file]
unzip [zip file] -d [target dir]

Rar2John

rar2john [options] [rar file] > [rar hash file]
john --wordlist=<wordlist> [rar hash file]
unrar x [rar file]

Ssh2John

python3 /usr/share/john/ssh2john.py [id rsa file] > [id rsa hash file]
john --wordlist=<wordlist> [id rsa hash file]
ssh <user>@<host> -i [id rsa file]
> [id rsa password]   (enter the cracked passphrase at the key's passphrase prompt)