{"id":1774,"date":"2024-11-18T14:56:21","date_gmt":"2024-11-18T19:56:21","guid":{"rendered":"https:\/\/www.peteonsoftware.com\/?p=1774"},"modified":"2024-11-18T14:56:21","modified_gmt":"2024-11-18T19:56:21","slug":"cracking-hashes","status":"publish","type":"post","link":"https:\/\/www.peteonsoftware.com\/index.php\/2024\/11\/18\/cracking-hashes\/","title":{"rendered":"Cracking Hashes"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.peteonsoftware.com\/images\/202410\/cracking_a_hash.jpg\" alt=\"An image of a potato being cracked like an egg.\" title=\"An image of a potato being cracked like an egg.\" style=\"float:left;margin:.5rem;\">This is the third post in a three-part series that I&#8217;m writing as a way to introduce Cryptographic Hashes from an Offensive Security perspective.  The <a href=\"https:\/\/www.peteonsoftware.com\/index.php\/2024\/09\/11\/what-are-cryptographic-hashes\/\">first post<\/a> explained what hashes are, the <a href=\"https:\/\/www.peteonsoftware.com\/index.php\/2024\/10\/03\/identifying-cryptographic-hashes\/\">second post<\/a> explained how you would go about figuring out what kind of hash you&#8217;re working with, and this post is about trying to figure out how to crack the hash.  Cracking hashes is the process of recovering the original data, such as a password, by guessing candidate inputs and hashing each one until the output matches the target hash. This final post in our offensive security series will walk you through how to crack hashes, with a focus on using <em>John the Ripper<\/em>, but we\u2019ll also touch on other tools like <em>Hashcat<\/em>.<\/p>\n<h4>What Does It Mean to Crack a Hash?<\/h4>\n<p>Cracking a hash means finding the original data (like a password) that was transformed into the hash. 
Since cryptographic hash functions are designed to be one-way, cracking usually involves one of these approaches:<\/p>\n<ul>\n<li><strong>Brute Force<\/strong>: Trying every possible combination of characters until a match is found.<\/li>\n<li><strong>Dictionary Attack<\/strong>: Using a precompiled list of possible passwords (a dictionary) and hashing each one to see if it matches the target hash.<\/li>\n<li><strong>Rainbow Tables<\/strong>: Precomputed tables of common hashes and their corresponding plaintext values, used to crack hashes more quickly.<\/li>\n<li><strong>Hybrid Attack<\/strong>: A combination of dictionary and brute force methods, where slight variations of known words are tried.<\/li>\n<\/ul>\n<h4>John the Ripper<\/h4>\n<p><em>John the Ripper<\/em> is one of the most popular and powerful tools for cracking hashes. It&#8217;s a highly versatile password cracker that supports a wide range of hash formats and is available on many platforms. Its community has developed numerous plug-ins and wordlists to extend its functionality, making it the go-to tool for many security professionals.<\/p>\n<p>Let&#8217;s take a look at how to use <em>John the Ripper<\/em> to crack different types of hashes.<\/p>\n<h4>Step-by-Step Guide: Cracking Hashes with John the Ripper<\/h4>\n<p>1. <strong>Identify the Hash Type<\/strong><br \/>\nBefore starting the cracking process, you need to identify the hash type. In previous blog posts, we discussed how to identify a hash based on its format and length. If you know the type of hash, you can optimize your cracking efforts.<\/p>\n<p>2. <strong>Install John the Ripper<\/strong><br \/>\nIf you don&#8217;t already have <em>John the Ripper<\/em> installed, you can install it on most Linux systems using:<\/p>\n<pre>\r\nsudo apt-get install john\r\n<\/pre>\n<p>For other systems, you can download the latest version from the official <a href=\"https:\/\/www.openwall.com\/john\/\">John the Ripper website<\/a>.<\/p>\n<p>3. 
<strong>Prepare the Hashes for Cracking<\/strong><br \/>\nCreate a text file containing the hashes you want to crack, one hash per line. Save the file as something like &#8216;hashes.txt&#8217;.  Here are the contents of a hashes.txt file that I set up for easy cracking.<\/p>\n<pre>\r\n5f4dcc3b5aa765d61d8327deb882cf99\r\n098f6bcd4621d373cade4e832627b4f6\r\n<\/pre>\n<p>4. <strong>Run John the Ripper<\/strong><\/p>\n<p>To start cracking, run the following basic command, where <em>--wordlist<\/em> points at the wordlist you want to use.  Cultivating and collecting good wordlists is an important skill and hobby in offensive security.  Lists like the <a href=\"https:\/\/www.kaggle.com\/datasets\/wjburns\/common-password-list-rockyoutxt\">leak from the RockYou breach<\/a> (with its 14 million+ passwords) are very common to use in Capture the Flag (CTF) and training boxes.  There are lists that are much bigger and better that you can find online.  Also, if you do decent Open Source Intelligence (OSINT) on your targets, you may very well create targeted\/curated lists to use.  Things like variations on your target&#8217;s pets&#8217; names, kids&#8217; names, favorite teams, etc.  For example, &#8220;Spot, Sp0t, $p0t, Steelers, $teelers, $teeler$, $t33ler$&#8221; and so on.  There are many tools (including John) to help you take a word and generate all of those permutations for you.<\/p>\n<pre>\r\n# --wordlist: This option tells John to use a dictionary file (wordlist) of potential passwords.\r\njohn --wordlist=\/path\/to\/wordlist.txt hashes.txt\r\n<\/pre>\n<p>John will attempt to match the hashes in your file against the passwords in your wordlist. If a match is found, John will output the cracked password.<\/p>\n<p>5. <strong>Use Predefined Hash Formats<\/strong><br \/>\nSometimes, John may not automatically recognize the hash format. 
If you know the hash type, you can specify it explicitly with the <em>--format<\/em> option.<\/p>\n<p>For example, to crack an MD5 hash, try the following.  Since our hashes.txt file contains MD5 hashes, I&#8217;ll show the actual output.  This was almost instantaneous:<\/p>\n<pre>\r\n$ john --format=raw-md5 --wordlist=\/usr\/share\/wordlists\/rockyou.txt hashes.txt\r\nUsing default input encoding: UTF-8\r\nLoaded 2 password hashes with no different salts (Raw-MD5 [MD5 256\/256 AVX2 8x3])\r\nWarning: no OpenMP support for this hash type, consider --fork=12\r\nPress 'q' or Ctrl-C to abort, almost any other key for status\r\npassword         (?)\r\ntest             (?)\r\n2g 0:00:00:00 DONE (2024-11-18 14:00) 100.0g\/s 8313Kp\/s 8313Kc\/s 8332KC\/s tyson4..tauruz\r\nUse the \"--show --format=Raw-MD5\" options to display all of the cracked passwords reliably\r\nSession completed.\r\n<\/pre>\n<p>For NTLM hashes (commonly used in Windows systems):<\/p>\n<pre>\r\njohn --format=nt hashes.txt\r\n<\/pre>\n<p><strong>Common Formats:<\/strong><\/p>\n<ul>\n<li><strong>MD5<\/strong>: --format=raw-md5<\/li>\n<li><strong>SHA-1<\/strong>: --format=raw-sha1<\/li>\n<li><strong>NTLM<\/strong>: --format=nt<\/li>\n<li><strong>bcrypt<\/strong>: --format=bcrypt<\/li>\n<\/ul>\n<p>6. <strong>Brute Force Cracking<\/strong><br \/>\nIf a dictionary attack fails or you don&#8217;t have a good wordlist, you can use <em>brute force<\/em>. This method tries all possible combinations of characters, but it can take a long time depending on the complexity of the password.<\/p>\n<p>Example command:<\/p>\n<pre>\r\n# --incremental: This option tells John to perform a brute force attack.\r\njohn --incremental hashes.txt\r\n<\/pre>\n<p>7. <strong>Checking Cracked Passwords<\/strong><br \/>\nOnce the cracking process is complete (or if you want to check progress), you can use the following command to display the cracked passwords.  
Since we already cracked these above, this is my output when I run this command:<\/p>\n<pre>\r\n# --show tells John to show the passwords,\r\n# --format is usually needed to reliably see the results.\r\n$ john hashes.txt --show --format=raw-md5\r\n?:password\r\n?:test\r\n\r\n2 password hashes cracked, 0 left\r\n\r\n# This is what I get with --show only, leaving off the format.\r\n# You'll note when I actually cracked these the first time,\r\n# John had suggested --show with --format and that definitely\r\n# works better.  I mean, this doesn't even show the right\r\n# number of hashes corresponding with the file.\r\n$ john hashes.txt --show\r\n0 password hashes cracked, 4 left\r\n<\/pre>\n<p>This will list all the hashes that have been successfully cracked and their corresponding plaintext passwords.<\/p>\n<h4>Advanced John the Ripper Techniques<\/h4>\n<p><strong>Hybrid Attacks<\/strong>: You can combine dictionary and brute force attacks using <em>rules<\/em>. This allows John to try slight variations on the words in your dictionary (e.g., adding numbers, changing case).<\/p>\n<pre>\r\njohn --wordlist=\/path\/to\/wordlist.txt --rules hashes.txt\r\n<\/pre>\n<p><strong>Custom Mask Attacks<\/strong>: If you know part of the password format (e.g., passwords are always 8 characters and include numbers), you can customize John&#8217;s brute force method with masks.<\/p>\n<h4>Other Tools for Cracking Hashes<\/h4>\n<p>While <em>John the Ripper<\/em> is one of the most popular tools, there are other tools worth mentioning:<\/p>\n<p><em>Hashcat<\/em> is another powerful hash-cracking tool known for its speed and GPU support. 
Hashcat can perform various types of attacks, including brute force, dictionary, and hybrid attacks.<\/p>\n<p>Example Hashcat command for MD5 cracking using our example hashes.txt file:<\/p>\n<pre>\r\n# -m 0: Specifies the hash type (MD5).\r\n# -a 0: Specifies the attack mode (dictionary).\r\n# -o cracked.txt: The output file for cracked passwords.\r\n\r\n$ hashcat -m 0 -a 0 -o cracked.txt hashes.txt \/usr\/share\/wordlists\/rockyou.txt\r\nhashcat (v6.2.6) starting\r\n\r\nOpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]\r\n============================================================================================================================================\r\n* Device #1: cpu-haswell-13th Gen Intel(R) Core(TM) i7-1355U, 2802\/5669 MB (1024 MB allocatable), 12MCU\r\n\r\nMinimum password length supported by kernel: 0\r\nMaximum password length supported by kernel: 256\r\n\r\nHashes: 2 digests; 2 unique digests, 1 unique salts\r\nBitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5\/13 rotates\r\nRules: 1\r\n\r\nOptimizers applied:\r\n* Zero-Byte\r\n* Early-Skip\r\n* Not-Salted\r\n* Not-Iterated\r\n* Single-Salt\r\n* Raw-Hash\r\n\r\nATTENTION! 
Pure (unoptimized) backend kernels selected.\r\nPure kernels can crack longer passwords, but drastically reduce performance.\r\nIf you want to switch to optimized kernels, append -O to your commandline.\r\nSee the above message to find out about the exact limits.\r\n\r\nWatchdog: Hardware monitoring interface not found on your system.\r\nWatchdog: Temperature abort trigger disabled.\r\n\r\nHost memory required for this attack: 3 MB\r\n\r\nDictionary cache built:\r\n* Filename..: \/usr\/share\/wordlists\/rockyou.txt\r\n* Passwords.: 14344392\r\n* Bytes.....: 139921507\r\n* Keyspace..: 14344385\r\n* Runtime...: 1 sec\r\n\r\n\r\nSession..........: hashcat\r\nStatus...........: Cracked\r\nHash.Mode........: 0 (MD5)\r\nHash.Target......: hashes.txt\r\nTime.Started.....: Mon Nov 18 14:08:32 2024 (0 secs)\r\nTime.Estimated...: Mon Nov 18 14:08:32 2024 (0 secs)\r\nKernel.Feature...: Pure Kernel\r\nGuess.Base.......: File (\/usr\/share\/wordlists\/rockyou.txt)\r\nGuess.Queue......: 1\/1 (100.00%)\r\nSpeed.#1.........:  2446.1 kH\/s (0.31ms) @ Accel:512 Loops:1 Thr:1 Vec:8\r\nRecovered........: 2\/2 (100.00%) Digests (total), 2\/2 (100.00%) Digests (new)\r\nProgress.........: 172032\/14344385 (1.20%)\r\nRejected.........: 0\/172032 (0.00%)\r\nRestore.Point....: 165888\/14344385 (1.16%)\r\nRestore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1\r\nCandidate.Engine.: Device Generator\r\nCandidates.#1....: tyson4 -> floryna\r\n\r\nStarted: Mon Nov 18 14:08:19 2024\r\nStopped: Mon Nov 18 14:08:33 2024\r\n\r\n$ cat cracked.txt\r\n5f4dcc3b5aa765d61d8327deb882cf99:password\r\n098f6bcd4621d373cade4e832627b4f6:test\r\n<\/pre>\n<p><strong>Online Hash Cracking Services<\/strong><br \/>\nThere are also online hash-cracking services that can speed up the process, such as:<\/p>\n<p><strong>CrackStation<\/strong>: Free online service for cracking MD5, SHA-1, and other hash types using large dictionaries.  
For instance, both of my hashes from above would have been instantly cracked via the CrackStation website.  Here was the output when I put them in:<\/p>\n<table>\n<tr>\n<th>Hash<\/th>\n<th>Type<\/th>\n<th>Result<\/th>\n<\/tr>\n<tr>\n<td>5f4dcc3b5aa765d61d8327deb882cf99<\/td>\n<td>md5<\/td>\n<td>password<\/td>\n<\/tr>\n<tr>\n<td>098f6bcd4621d373cade4e832627b4f6<\/td>\n<td>md5<\/td>\n<td>test<\/td>\n<\/tr>\n<\/table>\n<p><strong>Hashes.com<\/strong>: In their own words, &#8220;Hashes.com is a site dedicated to hash recovery&#8221;.  They are home to many different tools (free and paid) and they also instantly cracked my example hashes with this output:<\/p>\n<pre>\r\nProceeded!\r\n2 hashes were checked: 2 found 0 not found\r\n\r\nFound:\r\n5f4dcc3b5aa765d61d8327deb882cf99:password\r\n098f6bcd4621d373cade4e832627b4f6:test\r\n<\/pre>\n<h4>Best Practices for Hash Cracking<\/h4>\n<ul>\n<li><strong>Use Strong Wordlists<\/strong>: A good wordlist is essential for dictionary attacks. The <em>RockYou.txt<\/em> wordlist is one of the most popular, containing millions of common passwords.<\/li>\n<li><strong>Leverage GPU Power<\/strong>: If possible, use <em>Hashcat<\/em> or <em>John the Ripper<\/em> with GPU acceleration to speed up the cracking process.<\/li>\n<li><strong>Automate Your Workflow<\/strong>: Use scripts to automate the process of identifying and cracking hashes in large datasets.<\/li>\n<li><strong>Understand Legal Boundaries<\/strong>: Cracking hashes should only be done in legal and ethical contexts, such as penetration tests, security audits, or in scenarios where you have permission.<\/li>\n<\/ul>\n<p>Cracking hashes is a critical skill in offensive security, allowing you to recover passwords and understand security vulnerabilities in systems. While <em>John the Ripper<\/em> is a versatile and powerful tool, others like <em>Hashcat<\/em>, <em>CrackStation<\/em>, and <em>Hashes.com<\/em> can complement your efforts depending on the task at hand. 
With the right tools, techniques, and wordlists, you&#8217;ll be able to crack a wide variety of hash types in the course of your security audits or penetration tests.<\/p>\n<p>Okay, that&#8217;s it.  Hopefully, over the course of this series you&#8217;ve gotten a good basic overview of hashes, how to identify them, and how to begin to think about cracking them.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is the third post in a three-part series that I&#8217;m writing as a way to introduce Cryptographic Hashes from an Offensive Security perspective. The first post explained what hashes are, the second post explained &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[148],"tags":[155,149],"class_list":["post-1774","post","type-post","status-publish","format-standard","hentry","category-offensive-security","tag-cryptography","tag-offensive-security"],"_links":{"self":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts\/1774","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/comments?post=1774"}],"version-history":[{"count":0,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts\/1774\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/media?parent=1774"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/categories?post=1774"},{"taxonomy":"post_tag","embeddable":true
,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/tags?post=1774"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}