During the post-exploitation phase of a pentest it is common to find hashed passwords. To obtain the actual password you will need to crack them.
Before trying to crack a hash, identify the hash type (cracking with the wrong algorithm or mode never succeeds) and think about which approach best fits your needs.
- Dictionary attack: Tries every word in a dictionary or text file (a wordlist).
- Hybrid attack: Takes the words of a dictionary and derives new candidates from them by permuting characters, substituting characters, or appending numbers and symbols. Tools implement this with rules.
- Brute force: Generates every possible password up to a given length from a character set. It always finds the password eventually, but the candidate count grows exponentially with length, so it only works for short passwords or small character sets.
- Rainbow tables: Precomputed (time/memory trade-off) tables of hashes for a given algorithm that turn cracking into a lookup, retrieving passwords very quickly. They are useless against salted hashes, because the salt changes the hash of every password and a separate table would have to be built for each salt value.
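The following Python example, added here and not part of the original page, contrasts three of the approaches above on constructed data: a dictionary attack, a brute force over a small alphabet (counting attempts to show the cost), and a precomputed hash-to-password table standing in for a rainbow table. The salt, wordlist and target passwords are made up for the demo, and SHA-256 is used only as a stand-in for whatever algorithm the target uses; the point it makes about salting (the precomputed table finds the unsalted hash instantly and the salted one not at all, while a dictionary attack that knows the salt still works) holds for any hash function.

```python
import hashlib
import itertools

# Constructed sample data for the example: a small wordlist, a target
# password that is in it, and a fixed salt (all made up for this demo).
WORDLIST = [b"password", b"123456", b"summer2019", b"letmein", b"qwerty"]
SALT = b"\x13\x37\xca\xfe"
LOWERCASE = "abcdefghijklmnopqrstuvwxyz"


def sha256_hex(data: bytes) -> str:
    """Hash a candidate; SHA-256 stands in for whatever the target uses."""
    return hashlib.sha256(data).hexdigest()


def dictionary_attack(target_hex, wordlist, salt=b""):
    """Hash each word (prefixed with the salt, if any) and compare.
    Returns (password, attempts) or (None, attempts)."""
    for attempts, word in enumerate(wordlist, start=1):
        if sha256_hex(salt + word) == target_hex:
            return word, attempts
    return None, len(wordlist)


def brute_force(target_hex, alphabet, max_len, salt=b""):
    """Try every string over `alphabet` of length 1..max_len.
    The candidate count grows as len(alphabet)**n, hence the cost."""
    attempts = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            attempts += 1
            cand = "".join(combo).encode()
            if sha256_hex(salt + cand) == target_hex:
                return cand, attempts
    return None, attempts


def build_lookup_table(wordlist):
    """Precompute hash -> password once; stands in for a rainbow table.
    Real rainbow tables are time/memory trade-off chains, but the property
    that matters here is the same: the hashes are computed in advance,
    without knowing any salt."""
    return {sha256_hex(word): word for word in wordlist}


def table_lookup(table, target_hex):
    return table.get(target_hex)


def demo():
    results = {}
    unsalted = sha256_hex(b"summer2019")
    salted = sha256_hex(SALT + b"summer2019")
    table = build_lookup_table(WORDLIST)

    # Unsalted hash: the precomputed table answers instantly.
    results["table_unsalted"] = table_lookup(table, unsalted)
    # Salted hash: the same table is useless, the salt changed every hash.
    results["table_salted"] = table_lookup(table, salted)
    # A dictionary attack that knows the salt still works; it just cannot
    # reuse any work across different salts.
    results["dict_salted"] = dictionary_attack(salted, WORDLIST, SALT)
    # Brute force over lowercase letters for a 3-character password.
    results["brute"] = brute_force(sha256_hex(b"abc"), LOWERCASE, 3)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The attempt counters are the practical takeaway: the 3-character lowercase brute force already costs 731 hashes, and every extra character multiplies the worst case by 26, which is why a dictionary plus rules is tried before brute force.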
Several websites host huge databases of already cracked hashes, which can save you from cracking a hash yourself.
Simply searching for the hash on Google can also turn up the cleartext.
Hashcat is a very fast, multi-platform password recovery tool that runs on CPUs, GPUs and other hardware accelerators. It supports a large number of hash types (modes) and rule-based candidate generation, which mangles the words of a dictionary into many more candidates.
Obtain the mode number for the hash type you have, e.g. for the NTLM family:
```shell
hashcat -h | grep NTLM
   5500 | NetNTLMv1 / NetNTLMv1+ESS | Network Protocols
   5600 | NetNTLMv2 | Network Protocols
   1000 | NTLM | Operating System
```
Basic usage, optionally with a rule file:
```shell
hashcat -m <MODE> <HASHES.TXT> <WORDLIST> [-r <RULE>]
hashcat -m <MODE> <HASHES.TXT> <WORDLIST> -r /opt/OneRuleToRuleThemAll.rule
```
Because hashcat has a lot of features and writing rules can be complicated, keep a hashcat cheatsheet handy during your pentests.
Hashcat ships with rule files (in its rules/ directory, for example best64.rule) that modify the words of the dictionary; community rule sets such as OneRuleToRuleThemAll are loaded the same way with -r. For example, against MD5 hashes (mode 0) with rockyou and a rule file:
```shell
hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt -r /opt/OneRuleToRuleThemAll.rule
```
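To make concrete what a rule file does to a wordlist, here is an added Python interpreter for a subset of hashcat's rule language (the case, reverse, duplicate, append/prepend, delete, rotate, substitute, and positional toggle/delete functions). It is example code written for this page, not hashcat's rule engine, and the rule file embedded in it is constructed for the demo rather than taken from best64.rule or OneRuleToRuleThemAll. The `crack_md5` function ties it to the `-m 0` invocation above: every mangled candidate is MD5-hashed and compared with the target.

```python
import hashlib

# Constructed rule file for the example. The syntax follows hashcat's rule
# language (one rule per line, functions separated by spaces, '#' comments);
# the rules themselves are made up and not taken from any shipped file.
RULES_TEXT = """\
# ':' is the identity rule: try the word unchanged
:
l
u
c
r
d
c $1
c $1 $2 $3
^! ]
c sa@ so0 $1
T0 D1
{ }
"""


def _pos(ch):
    """Decode a hashcat position character: '0'-'9', then 'A'-'Z' for 10-35."""
    if ch.isdigit():
        return int(ch)
    return ord(ch) - ord("A") + 10


def apply_rule(word, rule):
    """Apply one rule line (space-separated functions, left to right) to a word.
    Supports a subset of hashcat's functions; anything else raises."""
    w = word
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":":
            pass                                   # no-op
        elif op == "l":
            w = w.lower()                          # lowercase all
        elif op == "u":
            w = w.upper()                          # uppercase all
        elif op == "c":
            w = w[:1].upper() + w[1:].lower()      # capitalize
        elif op == "C":
            w = w[:1].lower() + w[1:].upper()      # invert capitalize
        elif op == "t":
            w = w.swapcase()                       # toggle all
        elif op == "r":
            w = w[::-1]                            # reverse
        elif op == "d":
            w = w + w                              # duplicate
        elif op == "$":
            w = w + arg                            # append character
        elif op == "^":
            w = arg + w                            # prepend character
        elif op == "[":
            w = w[1:]                              # delete first
        elif op == "]":
            w = w[:-1]                             # delete last
        elif op == "{":
            w = w[1:] + w[:1]                      # rotate left
        elif op == "}":
            w = w[-1:] + w[:-1]                    # rotate right
        elif op == "s":
            w = w.replace(arg[0], arg[1])          # sXY: replace all X with Y
        elif op == "T":
            i = _pos(arg)                          # TN: toggle case at N
            if i < len(w):
                w = w[:i] + w[i].swapcase() + w[i + 1:]
        elif op == "D":
            i = _pos(arg)                          # DN: delete char at N
            w = w[:i] + w[i + 1:]
        else:
            raise ValueError(f"unsupported rule function: {fn!r}")
    return w


def load_rules(text):
    """Parse a rule file, skipping blank lines and '#' comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def generate_candidates(words, rules):
    """Yield (candidate, source word, rule) for every word/rule pair, deduplicated."""
    seen = set()
    for word in words:
        for rule in rules:
            cand = apply_rule(word, rule)
            if cand not in seen:
                seen.add(cand)
                yield cand, word, rule


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def crack_md5(target_hex, words, rules):
    """Hashcat -m 0 in miniature: hash each mangled candidate and compare."""
    for cand, word, rule in generate_candidates(words, rules):
        if md5_hex(cand) == target_hex:
            return cand, word, rule
    return None


if __name__ == "__main__":
    rules = load_rules(RULES_TEXT)
    for cand, word, rule in generate_candidates(["password"], rules):
        print(f"{rule!r:18} -> {cand}")
    print(crack_md5(md5_hex("P@ssw0rd1"), ["letmein", "password"], rules))
```

Running it on a single word shows why a few hundred rule lines turn rockyou into a far larger candidate space at almost no I/O cost: the mangling happens in memory, on the device doing the hashing.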
John the Ripper is another password recovery tool. The main difference from hashcat is that John is primarily a CPU tool while hashcat is primarily a GPU tool. That does not make it worse: for certain hashes John performs better than hashcat, and John supports some hash formats that hashcat does not.
You can list John the Ripper's supported formats with:
```shell
john --list=formats
```
To start a wordlist attack:
```shell
john -w=<WORDLIST> hash.txt
```
Several helper programs extract a crackable hash from encrypted or password-protected files so that John the Ripper can attack it later; the *2john scripts that ship with John (zip2john, rar2john, ssh2john and others) are the usual choice, and they are installed alongside the john binary.
For zip archives, fcrackzip is a dedicated cracker that takes a wordlist directly. -D selects dictionary mode, -p gives the wordlist, -v is verbose, and -u makes it verify each apparent hit with unzip, which is needed because the cheap check fcrackzip uses produces false positives:
```shell
fcrackzip -v -u -D -p <WORDLIST> <FILE.ZIP>
```
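The following added Python example (written for this page, not fcrackzip's or John's code) implements the traditional PKWARE ZipCrypto cipher and shows why the -u flag exists: the 12-byte encrypted header carries a single check byte (the high byte of the entry's CRC), so a cheap header decryption rejects 255 of 256 wrong passwords, but the remaining 1 in 256 pass and must be weeded out by decrypting the whole entry and verifying its CRC, which is what -u delegates to unzip. The sample entry, header bytes (real archives use random ones), password and wordlist are all constructed here, and the entry is treated as stored (uncompressed) to keep the example self-contained.

```python
import zlib


def _crc32_byte(crc, byte):
    """One-byte update of a raw (non-inverted) CRC-32, as ZipCrypto uses it."""
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class ZipCrypto:
    """PKWARE traditional ('ZipCrypto') stream cipher from APPNOTE section 6.1."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:          # key schedule: feed the password through
            self._update(b)

    def _update(self, b):
        self.k0 = _crc32_byte(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def _keystream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plaintext):
        out = bytearray()
        for p in plaintext:
            out.append(p ^ self._keystream_byte())
            self._update(p)         # keys advance on the plaintext byte
        return bytes(out)

    def decrypt(self, ciphertext):
        out = bytearray()
        for c in ciphertext:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def encrypt_entry(password, data, header_noise):
    """Encrypted form of one stored zip entry: a 12-byte header (11 noise
    bytes plus the high byte of the data CRC) followed by the data.
    Returns (crc, blob): what the central directory and file body hold."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    header = header_noise[:11] + bytes([crc >> 24])
    return crc, ZipCrypto(password).encrypt(header + data)


def header_check(password, crc, blob):
    """fcrackzip's fast test: decrypt 12 bytes and compare one check byte.
    A wrong password passes this 1 time in 256."""
    return ZipCrypto(password).decrypt(blob[:12])[11] == (crc >> 24)


def full_verify(password, crc, blob):
    """The -u step: decrypt everything and check the data CRC."""
    plain = ZipCrypto(password).decrypt(blob)[12:]
    return plain if (zlib.crc32(plain) & 0xFFFFFFFF) == crc else None


def crack_zip_entry(wordlist, crc, blob):
    """Two-stage dictionary attack: cheap header check, then full verify.
    Returns (password, plaintext, header_false_positives) or None."""
    false_positives = 0
    for pw in wordlist:
        if not header_check(pw, crc, blob):
            continue
        plain = full_verify(pw, crc, blob)
        if plain is not None:
            return pw, plain, false_positives
        false_positives += 1        # passed the check byte, failed the CRC
    return None


# Constructed sample: made-up contents, a fixed header (real zips use random
# bytes) and a wordlist in which the right password comes last.
SECRET = b"constructed plaintext: the contents of secret.txt\n"
SAMPLE_CRC, SAMPLE_BLOB = encrypt_entry(b"s3cret!", SECRET, bytes(range(11)))
WORDLIST = [b"pass%04d" % i for i in range(2000)] + [b"s3cret!"]


if __name__ == "__main__":
    print(crack_zip_entry(WORDLIST, SAMPLE_CRC, SAMPLE_BLOB))
```

The third element of the result is the number of wrong passwords that survived the check byte; with a 2000-word list you can expect a handful, which is exactly what a run without -u would report as hits.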