[ CEH Training ] :: [ Day 3 ]

Chapter 7: System Hacking

Stage 4 of a hack: Exploitation

Cracking for Fun and System Penetration

Hash-cracking communities:
https://hashes.org/crackers.php

Password dictionaries:
https://wiki.skullsecurity.org/Passwords

I will supply you with several wordlists and hash lists.

John the Ripper

Kali’s built-in wordlists: /usr/share/wordlists/rockyou.txt.gz etc.

“How to crack passwords using john the ripper in kali linux”
https://www.youtube.com/watch?v=eAn8dYdn1eY

Exercises

  • Create a simple text file with a hashed password (which is “password”):
echo -n "password" | md5sum | tr -d " -" >> /root/testhash.txt

Now use the RockYou wordlist to crack the password:

zcat /usr/share/wordlists/rockyou.txt.gz | john --format=raw-md5 --stdin /root/testhash.txt

Hashcat

Requires 4 arguments:

-m or --hash-type (use --help to list hash types; use -m 1000 for Windows NT hashes)
Example hashes: https://hashcat.net/wiki/doku.php?id=example_hashes

-a or --attack-mode (method: dictionary, brute-force; use -a 0 to use a dictionary attack)

[filename|hash] (hashes to crack, e.g. ./hashes/ntlm.txt; you can supply a single hash directly)

[dictionary|mask|directory] (A wordlist, mask or directory containing wordlist(s), e.g. rockyou.txt)

See this really excellent step-by-step example:
http://www.adeptus-mechanicus.com/codex/crkpass/crkpass.php

“HOW TO CRACK MD5 HASHES USING HASHCAT”:
https://www.4armed.com/blog/hashcat-crack-md5-hashes/

Exercise: Dictionary Attack

  • Hashcat doesn’t support compressed lists, so unzip Kali’s supplied RockYou wordlist, /usr/share/wordlists/rockyou.txt.gz:
gunzip /usr/share/wordlists/rockyou.txt.gz

I will supply you with a hash file called win.hash. In your (root’s) home directory (/root), create a folder called hashlists and place the file inside it.

  • Now run hashcat to crack these hashes, using the RockYou wordlist:
hashcat -m 1000 -a 0 --force ./hashlists/win.hash /usr/share/wordlists/rockyou.txt

Cracked hashes go into hashcat.potfile in the user’s home directory, in a folder named .hashcat.

Exercise: Rule Set Permutations

Rule Sets allow permutations like “Airplane1 to Airplane59”.

For deep details see this page:
https://www.4armed.com/blog/hashcat-rule-based-attack/

Rule Set rules are in /usr/share/hashcat/rules/, for example the best64.rule rule list.

  • Use this command to crack the hashes in win.hash:
hashcat -m 1000 -a 0 --force -r /usr/share/hashcat/rules/best64.rule ./hashlists/win.hash /usr/share/wordlists/rockyou.txt

Exercise: Mask Attack

See this explanation straight from the Hashcat people:
https://hashcat.net/wiki/doku.php?id=mask_attack

And see this page for examples (halfway down the page):
https://www.4armed.com/blog/perform-mask-attack-hashcat/

You will need at least these four options for hashcat:

hashcat-binary attack-mode hash-file mask

For instance:

hashcat -a 3 hash.file '?a?a?a'

?d Digit (repeat 5 times for 5 places)

?l lowercase letter

?u uppercase letter

?s special char

?a all character sets

For example, look for all three-character passwords:

hashcat -m 1000 -a 3 ./testhash.txt '?a?a?a'

Up to 7 chars is reasonable, 8 takes days, 9 takes years (on generic hardware).

  • What would the command be to look for all five-character passwords?
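
To put numbers behind the length estimates above, here is an added Python example (not part of the original course notes, and not hashcat's own code) that counts the candidates a mask generates and the worst-case time to try them all. The function names are hypothetical, and the rate of 10^9 guesses per second is an assumption chosen for illustration; real rates depend on the hash type and the hardware.

```python
# Added example: candidates generated by a hashcat-style mask, and the
# worst-case time to try them all at an assumed guess rate.
CHARSET_SIZES = {
    "l": 26,  # ?l lowercase a-z
    "u": 26,  # ?u uppercase A-Z
    "d": 10,  # ?d digits 0-9
    "s": 33,  # ?s printable ASCII specials, space included
    "a": 95,  # ?a = ?l + ?u + ?d + ?s
}
ASSUMED_RATE = 1_000_000_000  # guesses per second: an assumption, not a benchmark


def mask_keyspace(mask: str) -> int:
    """Number of candidate passwords the mask generates."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1  # literal character: one fixed choice
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        code = mask[i + 1]
        if code in CHARSET_SIZES:
            total *= CHARSET_SIZES[code]
        elif code != "?":  # '??' is a literal question mark
            raise ValueError(f"unsupported placeholder ?{code}")
        i += 2
    return total


def exhaust_seconds(mask: str, rate: int = ASSUMED_RATE) -> float:
    """Worst-case seconds to try every candidate at `rate` guesses/second."""
    return mask_keyspace(mask) / rate


def human(seconds: float) -> str:
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Lengths from the text above, plus a constructed "policy-shaped" mask.
    for mask in ["?a" * n for n in (3, 7, 8, 9)] + ["?u?l?l?l?l?l?l?d"]:
        secs = exhaust_seconds(mask)
        print(f"{mask:<20} {mask_keyspace(mask):>26,}  {human(secs)}")
```

At the assumed rate, seven ?a positions take about 19 hours, eight about 77 days and nine about 20 years. The eight-character mask ?u?l?l?l?l?l?l?d (one capital, six lowercase letters, one digit) is exhausted in under two minutes, so a predictable password shape costs far more strength than the length alone suggests.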

Exercise: Combinator Attacks

Use two wordlists, or the same wordlist twice, and try all possible combinations:

hashcat -m 1000 -a 1 ./testhash.txt [wordlist1] [wordlist2]

The LinkedIn hashdump and more instructions:
http://adeptus-mechanicus.com/codex/linkhap/linkhap.php

https://www.unix-ninja.com/p/Exploiting_masks_in_Hashcat_for_fun_and_profit
