Chapter 7: System Hacking
Stage 4 of a hack: Exploitation
Cracking for Fun and System Penetration
I will supply you with several wordlists and hash lists.
John the Ripper
Kali’s built-in wordlists: /usr/share/wordlists/rockyou.txt.gz etc.
“How to crack passwords using john the ripper in kali linux”
Create a simple text file with a hashed password (which is “password”):
echo -n "password" | md5sum | tr -d " -" >> /root/testhash.txt
Now use the RockYou wordlist to crack the password. John's wordlist mode takes the list via --wordlist=, and the list must be decompressed first (gunzip the .gz file to get rockyou.txt):
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt /root/testhash.txt
Hashcat
Requires 4 arguments:
-m or --hash-type (use --help to list hash types; use -m 1000 for Windows NT (NTLM) hashes and -m 0 for raw MD5)
Example hashes: https://hashcat.net/wiki/doku.php?id=example_hashes
-a or --attack-mode (method: dictionary, brute-force; use -a 0 for a dictionary attack)
[filename|hash] (hashes to crack, e.g. ./hashes/ntlm.txt; you can supply a single hash directly)
[dictionary|mask|directory] (a wordlist, mask or directory containing wordlist(s), e.g. rockyou.txt)
See this really excellent step-by-step example:
“HOW TO CRACK MD5 HASHES USING HASHCAT”:
Exercise: Dictionary Attack
Hashcat doesn't read compressed wordlists, so first decompress Kali's supplied RockYou wordlist, /usr/share/wordlists/rockyou.txt.gz (gunzip it in place to get rockyou.txt):
I will supply you with a hash file called win.hash. In your (root's) home directory (/root), create a folder called hashlists and place the file inside it.
Now run hashcat to crack these hashes, using the RockYou wordlist:
hashcat -m 1000 -a 0 --force ./hashlists/win.hash /usr/share/wordlists/rockyou.txt
Cracked hashes go into hashcat.potfile in the .hashcat folder of the user's home directory (~/.hashcat/hashcat.potfile).
Exercise: Rule Set Permutations
Rule Sets allow permutations like “Airplane1 to Airplane59”.
For deep details see this page:
Rule Set rules are in /usr/share/hashcat/rules/, for example the best64.rule rule list.
Use this command to crack the hashes in win.hash with the best64 rule set (-r applies each rule to every wordlist entry):
hashcat -m 1000 -a 0 --force -r /usr/share/hashcat/rules/best64.rule ./hashlists/win.hash /usr/share/wordlists/rockyou.txt
Note that --show does not crack anything; it prints the hashes from the file that are already in the potfile:
hashcat -m 1000 -a 0 --force --show ./hashlists/win.hash /usr/share/wordlists/rockyou.txt
Exercise: Mask Attack
See this explanation straight from the Hashcat people:
And see this page for examples (halfway down the page):
You will need at least these four parts on the hashcat command line (plus -m for the hash type):
hashcat-binary attack-mode hash-file mask
hashcat -a 3 hash.file ?a?a?a
?d digit (repeat the token once per position, e.g. ?d?d?d?d?d for five digits)
?l lowercase letter
?u uppercase letter
?s special char
?a all character sets
For example, look for all three-character passwords (testhash.txt holds a raw MD5 hash, so the hash type is -m 0):
hashcat -m 0 -a 3 ./testhash.txt ?a?a?a
Up to 7 chars is reasonable, 8 takes days, 9 takes years (on generic hardware).
What would the command be to look for all five-character passwords?
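As an added example (not part of the course notes or of hashcat), here is a small Python model of what a mask attack does: CHARSETS mirrors hashcat's built-in ?d/?l/?u/?s/?a sets, keyspace() gives the candidate count a mask generates (which is where the "7 is reasonable, 8 takes days" rule of thumb comes from), and crack_mask() walks a mask against a constructed raw-MD5 hash the way -m 0 -a 3 would. The hashing rate passed to estimate_seconds() is an assumed figure, not a measurement.

```python
import hashlib
import itertools
import string

# hashcat's built-in charsets; sizes match the mask-attack docs (?s is 33 chars, ?a is 95)
CHARSETS = {"d": string.digits, "l": string.ascii_lowercase,
            "u": string.ascii_uppercase, "s": " " + string.punctuation}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def parse_mask(mask):
    """Expand '?u?l?l?d?d' into one charset string per position.
    '??' is a literal question mark; any other plain character is fixed."""
    sets, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sets.append(mask[i])          # literal character at this position
            i += 1
            continue
        key = mask[i + 1] if i + 1 < len(mask) else ""
        if key == "?":
            sets.append("?")
        elif key in CHARSETS:
            sets.append(CHARSETS[key])
        else:
            raise ValueError(f"unknown charset '?{key}' in mask {mask!r}")
        i += 2
    return sets


def keyspace(mask):
    """Candidates the mask generates: product of the per-position charset sizes."""
    total = 1
    for charset in parse_mask(mask):
        total *= len(charset)
    return total


def estimate_seconds(mask, hashes_per_second):
    """Worst-case time to exhaust the mask at an assumed hashing rate."""
    return keyspace(mask) / hashes_per_second


def md5_hex(candidate):
    return hashlib.md5(candidate.encode()).hexdigest()


def crack_mask(target_md5, mask):
    """Walk the mask against one raw-MD5 hash, as 'hashcat -m 0 -a 3' would."""
    target = target_md5.strip().lower()
    for combo in itertools.product(*parse_mask(mask)):
        candidate = "".join(combo)
        if md5_hex(candidate) == target:
            return candidate
    return None
```

Compare keyspace("?a" * 7) with keyspace("?a" * 8) at, say, 1e9 hashes per second to see why one more ?a position moves the estimate from hours to months.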
Exercise: Combinator Attacks
Use two wordlists, or the same wordlist twice, and try every left/right concatenation of their entries ([wordlist1] and [wordlist2] are placeholders for your files; testhash.txt holds a raw MD5 hash, so -m 0):
hashcat -m 0 -a 1 ./testhash.txt [wordlist1] [wordlist2]
The LinkedIn hashdump and more instructions: