
Password cracking with HashCat

 ·  🎃 kr0m

Hashcat is password-cracking software that is known as the fastest in the world. It supports many hash algorithms and several cracking techniques, and it can use graphics cards as compute units (OpenCL/CUDA).

If we are going to use the version compatible with OpenCL/CUDA, we must recompile the graphics card driver and install the necessary tools. In my case, it is an NVIDIA card:

echo ">=x11-drivers/nvidia-drivers-340.76 uvm" >> /etc/portage/package.use/nvidia
emerge x11-drivers/nvidia-drivers
echo "=dev-util/nvidia-cuda-toolkit-6.5.14 NVIDIA-CUDA" > /etc/portage/package.license/nvidia
emerge dev-util/nvidia-cuda-toolkit

To test it, we will generate a user in the system whose password is alfaexploit.

useradd test00
passwd test00
alfaexploit
grep test00 /etc/shadow

test00:$6$bwbfkx6h$1qPTzJWY.mK71F0MjLA5iihgUpr/AJmp0CPZY1qUhe46cWyZDzmJketQYfX.MIYY/vQw5Cyg877GZDbWmX3Mn/:16641:0:99999:7:::

The hash in a Linux system consists of several elements:

$6$bwbfkx6h$1qPTzJWY.mK71F0MjLA5iihgUpr/AJmp0CPZY1qUhe46cWyZDzmJketQYfX.MIYY/vQw5Cyg877GZDbWmX3Mn/
  • $6: Hash type, in this case SHA-512
  • $bwbfkx6h: Salt, a string of random characters used as input to the hashing algorithm. Some systems store the salts separately, thus increasing security. Hashcat allows indicating a separate salt file.
  • $1qPTzJWY.mK71F0MjLA5iihgUpr/AJmp0CPZY1qUhe46cWyZDzmJketQYfX.MIYY/vQw5Cyg877GZDbWmX3Mn/: Hash of the password combined with the salt.

To crack the password, hashcat has to be told which hash type it is dealing with. A quick way to find out is to consult the following page of example hashes:
http://hashcat.net/wiki/doku.php?id=example_hashes

The main algorithms are:

  • $0 = DES
  • $1 = MD5 Hashing
  • $2 = Blowfish
  • $2A = eksblowfish
  • $5 = SHA256
  • $6 = SHA512

Another way to find out the hash type is through this Python script (which I will also host on my own server in case it is removed from the Internet):

We check that it is indeed SHA512 and it also indicates the ID to use in hashcat:

python HashTag.py -sh '$6$bwbfkx6h$1qPTzJWY.mK71F0MjLA5iihgUpr/AJmp0CPZY1qUhe46cWyZDzmJketQYfX.MIYY/vQw5Cyg877GZDbWmX3Mn/'

[*] sha512crypt, SHA512(Unix) - Hashcat Mode 1800
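
The same identification can be done directly on shadow entries, which is handy when auditing which accounts are still stored with an outdated scheme. The Python code below is an added example, not part of the original article or of HashTag.py: it splits each entry into scheme, salt and digest and returns the matching hashcat mode. The scheme table, the "weak" flag and every sample account except test00 are assumptions of this example.

```python
# Added example. Scheme table: id -> (scheme, hashcat -m mode, flagged weak).
SCHEMES = {
    "1": ("md5crypt", 500, True),
    **dict.fromkeys(("2a", "2b", "2y"), ("bcrypt", 3200, False)),
    "5": ("sha256crypt", 7400, False),
    "6": ("sha512crypt", 1800, False),
}

def parse_shadow_line(line):
    """Return a dict describing the password field of one shadow line."""
    user, field = line.rstrip("\n").split(":")[:2]
    if field == "" or field[0] in "!*":
        return {"user": user, "scheme": None}  # empty, locked or disabled
    if not field.startswith("$"):
        # No $id$ prefix: traditional DES crypt, 2-char salt + 11-char digest
        return {"user": user, "scheme": "descrypt", "mode": 1500,
                "weak": True, "salt": field[:2], "digest": field[2:]}
    ident, *rest = field.split("$")[1:]
    if ident not in SCHEMES:
        return {"user": user, "scheme": "unknown:" + ident}
    scheme, mode, weak = SCHEMES[ident]
    info = {"user": user, "scheme": scheme, "mode": mode, "weak": weak}
    if scheme == "bcrypt":
        # Layout: $2b$<cost>$<22-char salt><31-char digest>
        info.update(cost=int(rest[0]), salt=rest[1][:22], digest=rest[1][22:])
        return info
    if rest[0].startswith("rounds="):
        # Optional work factor: $6$rounds=N$salt$digest
        info["rounds"] = int(rest[0][len("rounds="):])
        rest = rest[1:]
    info.update(salt=rest[0], digest=rest[1])
    return info

def weak_accounts(lines):
    """Names of accounts whose stored hash uses a scheme flagged weak."""
    parsed = (parse_shadow_line(l) for l in lines if l.strip())
    return [p["user"] for p in parsed if p.get("weak")]

# test00 is the entry from the article; all other entries are constructed.
SAMPLE = [
    "test00:$6$bwbfkx6h$1qPTzJWY.mK71F0MjLA5iihgUpr/AJmp0CPZY1qUhe46cWyZDzmJketQYfX.MIYY/vQw5Cyg877GZDbWmX3Mn/:16641:0:99999:7:::",
    "svc:$6$rounds=100000$saltsalt$" + "A" * 86 + ":16641:0:99999:7:::",
    "legacy:$1$abcdefgh$" + "B" * 22 + ":16641:0:99999:7:::",
    "olduser:abCCCCCCCCCCC:16641:0:99999:7:::",
    "daemon:*:16641:0:99999:7:::",
]

if __name__ == "__main__":
    print(parse_shadow_line(SAMPLE[0])["mode"], weak_accounts(SAMPLE))
```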

Depending on whether we are going to use the graphics card or not, we must download one version or another:

GPU

cd /usr/src
wget http://hashcat.net/files/cudaHashcat-1.36.7z
wget www.alfaexploit.com/files/cudaHashcat-1.36.7z
emerge app-arch/p7zip
p7zip -d cudaHashcat-1.36.7z
cd cudaHashcat-1.36

CPU

cd /usr/src
wget http://hashcat.net/files/hashcat-0.50.7z
wget www.alfaexploit.com/files/hashcat-0.50.7z
p7zip -d hashcat-0.50.7z
cd hashcat-0.50

We can see the different supported algorithms with:

GPU

./cudaHashcat64.bin -h

CPU

./hashcat-cli64.bin -h

We generate the hash file and the dictionary:

vi hash

$6$bwbfkx6h$1qPTzJWY.mK71F0MjLA5iihgUpr/AJmp0CPZY1qUhe46cWyZDzmJketQYfX.MIYY/vQw5Cyg877GZDbWmX3Mn/

vi dict

1
2
3
alfaexploit

We have to tell hashcat the hash type (1800), the cracking technique to use (0), the hash file, and the dictionary file:

GPU

./cudaHashcat64.bin -m 1800 -a 0 hash dict

ERROR: Shader Model 1.0 - 1.3 based GPU detected. Support for CUDA was dropped by NVidia.

My graphics card is no longer supported by CUDA :(

CPU

./hashcat-cli64.bin -n 2 -m 1800 -a 0 hash dict

$6$bwbfkx6h$1qPTzJWY.mK71F0MjLA5iihgUpr/AJmp0CPZY1qUhe46cWyZDzmJketQYfX.MIYY/vQw5Cyg877GZDbWmX3Mn/:alfaexploit

All hashes have been recovered
Input.Mode: Dict (dict)
Index.....: 1/1 (segment), 4 (words), 18 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, - words
Progress..: 4/4 (100.00%)
Running...: 00:00:00:01
Estimated.: --:--:--:--

NOTE: -n 2 allows me to use both cores of my core2duo

Cracking modes:

0 = Straight: Simply runs all the words in the dictionary against the hash list. Having a good dictionary will increase the chances of recovering the hash.
1 = Combination: Combines the words in the given dictionary. Example: aa bb -> aa, bb, aabb, bbaa
2 = Toggle-Case: Changes all lowercase letters to uppercase and vice versa. Digits and special characters are ignored.
3 = Brute-force: Brute force should be used as a last resort. It is not effective against long passwords and can consume a lot of time. We must indicate the min/max length to try and the charset.
4 = Permutation: Takes the letters of a word and rearranges them. Example: abc becomes abc, acb, bca, bac.
5 = Table-Lookup: Breaks the word in the dictionary into individual characters and applies a rule defined in table-file=FILE to each one. For example, password is broken down into each character: p a s s w o r d.

Then hashcat looks in the table for the rules that should be applied to each character. In this case our table would be:

vi tabla.table

a=a
a=A
p=p
p=P
o=o
o=O
o=0 (zero)

Each matching character is now replaced and tested: for every a, both a and A are tested; for every p, both p and P; and for every o, the variants o, O and 0.

For this type of attack, we must indicate the table file and the min/max length of the words in the dictionary. By default, words longer than 10 characters are not checked.

--table-file=./tabla.table --table-min=1 --table-max=20
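
The table expansion described above also works as a password-policy check: a new password can be rejected if this table would derive it from a dictionary word. The Python code below is an added example, not hashcat's code and not part of the original article. The function names, the single-character replacements and the rule that characters without a table entry stay unchanged are assumptions of this example; tmin and tmax mirror --table-min and --table-max.

```python
from itertools import product

# Substitution table from the article (without the "(zero)" annotation).
TABLE = "a=a\na=A\np=p\np=P\no=o\no=O\no=0\n"


def load_table(text):
    """Parse 'x=y' lines into {source char: [replacement chars]}."""
    table = {}
    for line in text.splitlines():
        if len(line) >= 3 and line[1] == "=":
            table.setdefault(line[0], []).append(line[2])
    return table


def expand(word, table, tmin=1, tmax=10):
    """Yield every candidate the table derives from one dictionary word."""
    if not tmin <= len(word) <= tmax:
        return  # word length outside the table-min/table-max window
    # Assumption: a character with no table entry is kept unchanged.
    choices = [table.get(ch, [ch]) for ch in word]
    for combo in product(*choices):
        yield "".join(combo)


def derivable(password, words, table, tmin=1, tmax=10):
    """True if password is reachable from any word, without enumerating."""
    for word in words:
        if len(word) != len(password) or not tmin <= len(word) <= tmax:
            continue
        if all(p in table.get(w, [w]) for p, w in zip(password, word)):
            return True
    return False


if __name__ == "__main__":
    t = load_table(TABLE)
    print(len(list(expand("password", t))), "candidates from 'password'")
    print(derivable("Passw0rd", ["password"], t))
```

The candidate count is the product of the per-character choices, so it grows quickly with larger tables, while the membership check in derivable stays linear in the word length.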

On this website, we can find a good list of dictionaries:
http://hashcrack.blogspot.com.es/p/wordlist-downloads_29.html
