Wednesday, February 27, 2013

Crack Hashes using Hashcat

This tutorial describes the main options of Hashcat and explains the basic operation of using it to crack password hashes (LM, NTLM, MD5, etc.) with different attack methods such as Brute-Force attack, Combinator attack, Dictionary attack, Hybrid attack and more.

About Hashcat

Hashcat is the world’s fastest CPU-based password recovery tool.
While it's not as fast as its GPU counterparts oclHashcat-plus and oclHashcat-lite, large lists can be easily split in half with a good dictionary and a bit of knowledge of the command switches.

(Note: For the purpose of this tutorial, BackBox (based on Ubuntu) is used as the OS together with the latest version of Hashcat.)

Download - Install HashCat

Download the latest version of Hashcat, available for both Linux and Windows (Hashcat-gui), from the official page.

(Note: All Windows and Linux versions should work on both 32-bit and 64-bit systems.)

Next, extract the .7z archive with the following command:

7zr e hashcat-0.42.7z

(Note: the p7zip package is required to uncompress the file.)

Options - Explanation

All options are case sensitive and can be abbreviated as long as the abbreviation is unambiguous.

Basic usage of hashcat is as follows:

hashcat [options] hashfile [mask|wordfiles|directories]
=======
Options
=======

* General:

  -m,  --hash-type=NUM               Hash-type, see references below
  -a,  --attack-mode=NUM             Attack-mode, see references below
  -V,  --version                     Print version
  -h,  --help                        Print help
       --eula                        Print EULA
       --quiet                       Suppress output

* Misc:

       --hex-salt                    Assume salt is given in hex
       --hex-charset                 Assume charset is given in hex

* Files:

  -p,  --seperator=CHAR              Define seperator char for hashlists/outfile
  -o,  --output-file=FILE            output-file for recovered hashes
       --output-format=NUM           0 = hash:pass
                                     1 = hash:hex_pass
                                     2 = hash:pass:hex_pass
       --remove                      Enable remove of hash once it is cracked
       --stdout                      stdout mode
       --disable-potfile             do not write potfile
       --debug-file=FILE             debug-file
       --debug-mode=NUM              1 = save finding rule (hybrid only)
                                     2 = save original word (hybrid only)
  -e,  --salt-file=FILE              salts-file for unsalted hashlists

* Resources:

  -c,  --segment-size=NUM            Size in MB to cache from the wordfile
  -n,  --threads=NUM                 number of threads
  -s,  --words-skip=NUM              skip number of words (for resume)
  -l,  --words-limit=NUM             limit number of words (for distributed)

* Rules:

  -r,  --rules-file=FILE             Rules-file use: -r 1.rule
  -g,  --generate-rules=NUM          Generate NUM random rules
       --generate-rules-func-min=NUM Force NUM functions per random rule min
       --generate-rules-func-max=NUM Force NUM functions per random rule max

* Custom charsets:

  -1,  --custom-charset1=CS          User-defined charsets
  -2,  --custom-charset2=CS          Example:
  -3,  --custom-charset3=CS          --custom-charset1=?dabcdef
  -4,  --custom-charset4=CS          Sets charset ?1 to 0123456789abcdef

* Toggle-Case attack-mode specific:

       --toggle-min=NUM              number of alphas in dictionary minimum
       --toggle-max=NUM              number of alphas in dictionary maximum

* Mask-attack attack-mode specific:

       --pw-min=NUM                  Password-length minimum
       --pw-max=NUM                  Password-length maximum

* Permutation attack-mode specific:

       --perm-min=NUM                Filter words shorter than NUM
       --perm-max=NUM                Filter words larger than NUM

* Table-Lookup attack-mode specific:

  -t,  --table-file=FILE             table file
       --table-min=NUM               number of chars in dictionary minimum
       --table-max=NUM               number of chars in dictionary maximum

==========
References
==========

* Built-in charsets:

   ?l = abcdefghijklmnopqrstuvwxyz
   ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
   ?d = 0123456789
   ?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
   ?a = ?l?u?d?s
   ?h = 8 bit characters from 0xc0 - 0xff
   ?D = 8 bit characters from german alphabet
   ?F = 8 bit characters from french alphabet
   ?R = 8 bit characters from russian alphabet

* Attack modes:

    0 = Straight
    1 = Combination
    2 = Toggle-Case
    3 = Brute-force
    4 = Permutation
    5 = Table-Lookup

* Hash types:

    0 = MD5
   10 = md5($pass.$salt)
   20 = md5($salt.$pass)
   50 = HMAC-MD5 (key = $pass)
   60 = HMAC-MD5 (key = $salt)
  100 = SHA1
  110 = sha1($pass.$salt)
  120 = sha1($salt.$pass)
  150 = HMAC-SHA1 (key = $pass)
  160 = HMAC-SHA1 (key = $salt)
  200 = MySQL
  300 = MySQL4.1/MySQL5
  400 = phpass, MD5(Wordpress), MD5(phpBB3)
  500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
  800 = SHA-1(Django)
  900 = MD4
 1000 = NTLM
 1100 = Domain Cached Credentials, mscash
 1400 = SHA256
 1410 = sha256($pass.$salt)
 1420 = sha256($salt.$pass)
 1450 = HMAC-SHA256 (key = $pass)
 1460 = HMAC-SHA256 (key = $salt)
 1600 = md5apr1, MD5(APR), Apache MD5
 1700 = SHA512
 1710 = sha512($pass.$salt)
 1720 = sha512($salt.$pass)
 1750 = HMAC-SHA512 (key = $pass)
 1760 = HMAC-SHA512 (key = $salt)
 1800 = SHA-512(Unix)
 2600 = Double MD5
 3300 = MD5(Sun)
 3500 = md5(md5(md5($pass)))
 3610 = md5(md5($salt).$pass)
 3710 = md5($salt.md5($pass))
 3810 = md5($salt.$pass.$salt)
 3910 = md5(md5($pass).md5($salt))
 4010 = md5($salt.md5($salt.$pass))
 4110 = md5($salt.md5($pass.$salt))
 4210 = md5($username.0.$pass)
 4300 = md5(strtoupper(md5($pass)))
 4400 = md5(sha1($pass))
 4500 = sha1(sha1($pass))
 4600 = sha1(sha1(sha1($pass)))
 4700 = sha1(md5($pass))
 4800 = MD5(Chap)
 5000 = SHA-3(Keccak)

* Specific hash types:

  101 = nsldap, SHA-1(Base64), Netscape LDAP SHA
  111 = nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
  121 = SMF > v1.1
  122 = OS X v10.4, v10.5, v10.6
  131 = MSSQL
  141 = EPiServer 6.x
 1722 = OS X v10.7
 1731 = MSSQL 2012
 2611 = vBulletin < v3.8.5
 2711 = vBulletin > v3.8.5
 2811 = IPB2+, MyBB1.2+


Examples - Brute Force / Mask Attack

Each of the following masks (together with the custom charsets defined by -1/-2) generates the following password candidates:

?l?l?l?l?l?l?l?l
keyspace: aaaaaaaa - zzzzzzzz
-1 ?l?d ?1?1?1?1?1
keyspace: aaaaa - 99999
password?d
keyspace: password0 - password9
-1 ?l?u ?1?l?l?l?l?l19?d?d
keyspace: aaaaaa1900 - Zzzzzz1999
-1 ?dabcdef -2 ?l?u ?1?1?2?2?2?2?2
keyspace: 00aaaaa - ffZZZZZ
-a 3 -1 efghijklmnop ?1?1?1
keyspace: eee - ppp
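As an added example (not part of the original tutorial and not hashcat's own code), the following Python script computes how many candidates a mask generates and prints its first and last candidate, using the built-in charsets from the help text above. The 8-bit charsets ?h/?D/?F/?R are omitted, and the ?? escape for a literal question mark is assumed from hashcat's mask syntax. Putting the keyspace next to the Speed/sec figure from a cracking run is the quickest way to judge whether a password length policy actually resists a mask attack.

```python
"""Added example (not hashcat code): size and span of a hashcat mask keyspace,
using the tutorial's built-in charsets and the custom charsets given by -1..-4."""
from functools import reduce

# Built-in charsets as printed by hashcat's help (the 8-bit charsets
# ?h/?D/?F/?R are omitted here for simplicity).
BUILTIN = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def _resolve(key, custom):
    """Characters behind a '?x' token: '??' is a literal '?', otherwise a
    built-in or custom charset."""
    if key == "?":
        return "?"
    if key in BUILTIN:
        return BUILTIN[key]
    if key in custom:
        return custom[key]
    raise ValueError(f"unknown charset ?{key}")


def expand_charset(spec, custom=None):
    """Expand a definition such as '?l?d' or '?dabcdef' into the ordered,
    de-duplicated string of characters it contains."""
    custom = custom or {}
    out, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            chars, i = _resolve(spec[i + 1], custom), i + 2
        else:
            chars, i = spec[i], i + 1
        for c in chars:
            if c not in out:
                out.append(c)
    return "".join(out)


def parse_mask(mask, custom_defs=None):
    """Per-position charsets of a mask. custom_defs maps '1'..'4' to the
    definitions passed as -1..-4 (which may reference built-ins, e.g. '?l?d')."""
    custom = {k: expand_charset(v) for k, v in (custom_defs or {}).items()}
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            positions.append(_resolve(mask[i + 1], custom))
            i += 2
        else:
            positions.append(mask[i])   # literal character: a single choice
            i += 1
    return positions


def keyspace(mask, custom_defs=None):
    """Number of candidates the mask generates (product of charset sizes)."""
    return reduce(lambda n, cs: n * len(cs), parse_mask(mask, custom_defs), 1)


def keyspace_span(mask, custom_defs=None):
    """First and last candidate, as the tutorial prints them."""
    positions = parse_mask(mask, custom_defs)
    return "".join(p[0] for p in positions), "".join(p[-1] for p in positions)


def seconds_to_exhaust(mask, rate_per_sec, custom_defs=None):
    """Worst-case time to run the whole keyspace at a given candidate rate."""
    return keyspace(mask, custom_defs) / rate_per_sec


if __name__ == "__main__":
    # The masks from the tutorial, with their -1/-2 definitions.
    examples = [
        ("?l?l?l?l?l?l?l?l", None),
        ("?1?1?1?1?1", {"1": "?l?d"}),
        ("password?d", None),
        ("?1?l?l?l?l?l19?d?d", {"1": "?l?u"}),
        ("?1?1?2?2?2?2?2", {"1": "?dabcdef", "2": "?l?u"}),
        ("?1?1?1", {"1": "efghijklmnop"}),
    ]
    for mask, defs in examples:
        first, last = keyspace_span(mask, defs)
        print(f"{mask:22} keyspace: {first} - {last}  ({keyspace(mask, defs):,} candidates)")
    # At the ~84.7M candidates/s reported by the tutorial's CPU run, an
    # 8-character all-lowercase mask is exhausted in roughly 41 minutes.
    print(f"{seconds_to_exhaust('?l?l?l?l?l?l?l?l', 84.72e6) / 60:.1f} minutes")
```

Custom charsets are de-duplicated in order, so -1 ?dabcdef yields exactly the 16 hex digits the help text describes, and a literal character in a mask counts as a single choice, which is why "password?d" has only ten candidates.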

In this part of the tutorial we create and crack a hash .txt file that contains the following MD5 hash:

D9DA8170E8BC9F27B2D32A6C9A6C697D

The following command cracks the .txt file using the Mask Attack method:
./oclHashcat-plus64.bin -m 0 -a 3 /Desktop/Hash_Codes.txt ?l?l?l?l?l -o /Desktop/m_a_HashCode.txt
(Note: oclHashcat-plus is used for the mask attack method; -a 3 selects brute-force/mask mode and the mask ?l?l?l?l?l, five lowercase letters, is given in place of a wordlist.)

Examples - Dictionary Attack

In this part we run the following command, specifying the input file that contains the hash and the wordlist (Tut: create your own wordlist). The .txt file contains a hash of unknown type, so the hash type is not specified on the command line and hashcat is left to handle it. (hashcat's default hash type is 0, MD5, so a hash list given without -m is tried as MD5; this works here because the hash is in fact MD5.)
./hashcat-cli64.bin /Desktop/Hash_Codes.txt /Desktop/my_wordlist.txt
Initializing hashcat v0.42 by atom with 8 threads and 32mb segment-size...

Added hashes from file /Desktop/Hash_Codes.txt: 1 (1 salts)
Activating quick-digest mode for single-hash

NOTE: press enter for status-screen

Input.Mode: Dict (/Desktop/my_wordlist.txt)
Index.....: 1/68 (segment), 4963340 (words), 33550340 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 84.72M plains, 84.72M words
Progress..: 4963340/4963340 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--

::

Input.Mode: Dict (/Desktop/my_wordlist.txt)
Index.....: 33/68 (segment), 4193792 (words), 33550336 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 75.69M plains, 75.69M words
Progress..: 4193792/4193792 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--
8743b52063cd84097a65d1633f5c74f5:hashcat
All hashes have been recovered 
Also we can save the output result using the -o option.

./hashcat-cli64.bin /Desktop/Hash_Codes.txt /Desktop/my_wordlist.txt -o /Desktop/m_a_HashCode.txt
If we then check the m_a_HashCode.txt file, it contains the following results:

4a07984233455de37df803fef57d5a36:hashc@t
7435e4b5e029dc217b5a1471fab2e7e6:pr1v@cy


At this point we use the -m option to specify the hash type. The .txt file now contains a SHA256 hash, so the command line is:
./hashcat-cli64.bin -m1400 /Desktop/Hash_Codes.txt /Desktop/my_wordlist.txt
Initializing hashcat v0.42 by atom with 8 threads and 32mb segment-size...

Added hashes from file /Desktop/Hash_Codes.txt: 1 (1 salts)
Activating quick-digest mode for single-hash

NOTE: press enter for status-screen

Input.Mode: Dict (/Desktop/my_wordlist.txt)
Index.....: 1/68 (segment), 4963340 (words), 33550340 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 20.30M plains, 20.30M words
Progress..: 4963340/4963340 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--

::

Input.Mode: Dict (/Desktop/my_wordlist.txt)
Index.....: 44/68 (segment), 4193792 (words), 33550336 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 18.89M plains, 18.89M words
Progress..: 4193792/4193792 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--
9ba845252f35a559df9522d7f7e1e9ba2d69f6fe59e706d0623fae04a9425f33:pr1v@cy
All hashes have been recovered
(Note 1: 1400 is the hash-type code for SHA256.)

(Note 2: the CPU version of hashcat is used for the dictionary attack method.)

(Note 3: onlinehashcrack.com was used to generate the MD5/SHA256 hashes of the sample passwords.)
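As an added example (not from the tutorial and not part of hashcat), this Python script generates the test hash list locally with hashlib, so sample passwords never have to be sent to a third-party site such as the one used in Note 3, and it checks a hashcat output file like m_a_HashCode.txt by recomputing each recovered hash. It assumes that hex_pass in --output-format 1/2 is the hex encoding of the password bytes, and that the separator is ':' unless changed with -p. The length-based guess also shows why hashcat cannot pick the hash type for you: a 32-character hex digest could equally be MD5, MD4 or NTLM.

```python
"""Added example (not hashcat code): build a test hash list locally and verify
a hashcat outfile (--output-format 0, 1 or 2) by recomputing each hash."""
import hashlib

# Unsalted hash types from the tutorial's table that hashlib reproduces directly.
# MD4 (900) and NTLM (1000) are left out: they need OpenSSL's legacy md4,
# which is not available in every Python build.
DIGESTS = {"md5": hashlib.md5, "sha1": hashlib.sha1,
           "sha256": hashlib.sha256, "sha512": hashlib.sha512}
HASH_TYPE = {"md5": 0, "sha1": 100, "sha256": 1400, "sha512": 1700}  # -m values


def digest_hex(password, algo):
    """Hex digest of a raw, unsalted password (as -m 0/100/1400/1700 expect)."""
    return DIGESTS[algo](password.encode("utf-8")).hexdigest()


def make_hash_file(passwords, algo):
    """Lines for a test hash list such as the tutorial's Hash_Codes.txt."""
    return [digest_hex(p, algo) for p in passwords]


def guess_algos_by_length(hex_hash):
    """Digest length only narrows the -m choice: 32 hex chars may be MD5,
    MD4 or NTLM, so the caller still has to know the source of the hash."""
    return {32: ["md5", "md4", "ntlm"], 40: ["sha1"], 64: ["sha256"],
            128: ["sha512"]}.get(len(hex_hash), [])


def parse_outfile_line(line, output_format=0, sep=":"):
    """Split one outfile line into (hash, password).

    output_format follows --output-format: 0 = hash:pass, 1 = hash:hex_pass,
    2 = hash:pass:hex_pass. hex_pass is assumed to be the hex encoding of the
    password bytes. Splitting from the hash side keeps passwords that contain
    the separator intact."""
    line = line.rstrip("\r\n")
    hash_hex, rest = line.split(sep, 1)
    if output_format == 0:
        return hash_hex, rest
    if output_format == 1:
        return hash_hex, bytes.fromhex(rest).decode("utf-8")
    if output_format == 2:
        pass_part, hex_part = rest.rsplit(sep, 1)
        if bytes.fromhex(hex_part).decode("utf-8") != pass_part:
            raise ValueError("pass and hex_pass disagree: " + line)
        return hash_hex, pass_part
    raise ValueError("unsupported output format")


def verify_outfile(lines, algo, output_format=0, sep=":"):
    """Return (verified, failed): each recovered password is re-hashed and
    compared, case-insensitively, with the hash written next to it."""
    verified, failed = [], []
    for line in lines:
        if not line.strip():
            continue
        hash_hex, password = parse_outfile_line(line, output_format, sep)
        if digest_hex(password, algo) == hash_hex.lower():
            verified.append((hash_hex, password))
        else:
            failed.append((hash_hex, password))
    return verified, failed


if __name__ == "__main__":
    # Constructed sample passwords for a local test hash list.
    sample = ["hashcat", "Pr1v@cy", "correct horse"]
    for line in make_hash_file(sample, "sha256"):
        print(line)
    # Constructed outfile: the first line is the one the tutorial's MD5 run
    # prints; the second has a wrong password and must be reported as failed.
    outfile = ["8743b52063cd84097a65d1633f5c74f5:hashcat",
               "8743b52063cd84097a65d1633f5c74f5:hashcar"]
    ok, bad = verify_outfile(outfile, "md5")
    print("verified:", ok, "failed:", bad)
    print(guess_algos_by_length("8743b52063cd84097a65d1633f5c74f5"))
```

Re-hashing the outfile is a cheap sanity check before recovered passwords are used in a password audit report, and it catches lines corrupted by a separator clash or by a non-ASCII password that should have been written with --output-format 1.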

Conclusion

There are many ways to work with a hash file. This tutorial describes the basics of creating and cracking a simple .txt file that contains MD5/SHA256 hashes. The best approach is to try every parameter in a virtual environment, creating your own hashes and wordlists, to learn what each option does before moving on to real hash files.

Designed and Created by Liatsis Fotis for liatsisfotis.com
