Cracking
Introduction
During the post-exploitation phase of a pentest it is common to find hashed passwords. To obtain the actual passwords you will need to crack them, and the right approach depends on the hash type, whether it is salted, and how much time and hardware you have.
Types of Attack
Before trying to crack a hash, think about which approach best fits your case.
Dictionary attack: Tries every word in a dictionary or text file as a candidate password.
Hybrid attack: Starts from the words of a dictionary and derives new candidates by permuting them, substituting characters or appending numbers and symbols. This is done with rules in tools such as Hashcat and John.
Brute force: Generates every possible password up to a certain length from a character set. It is exhaustive but grows exponentially with length, so it takes a very long time against anything but short passwords.
Rainbow tables: Precomputed tables (a time-memory trade-off) that map hashes of a given algorithm back to passwords very quickly. They are ineffective against salted hashes, because a separate table would be needed for every salt.
Websites
Several websites host huge databases of already-cracked hashes, which saves you from cracking them yourself.
Simply searching the hash on Google may also turn up the cracked password.
Hashcat
Hashcat is a very fast multi-platform password recovery tool that runs on CPUs, GPUs and other hardware accelerators. It also offers several attack modes and a rule engine that mangles wordlists into better candidates.
Obtain the mode (-m) for the specified hash type.
Execute:
Because hashcat has many features and rules can be tricky to write, you can check this hashcat cheatsheet during your pentests.
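The two steps above (find the -m mode, then run the attack) as an added example that is not part of the original page: a bash helper that guesses the hashcat mode from the shape of a hash and assembles the dictionary-attack command line. The wordlist path /usr/share/wordlists/rockyou.txt and the rule file rules/best64.rule are assumed locations, and the hash in the demo is a constructed placeholder, not a real credential.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): guess the hashcat mode (-m) from the shape of
# a hash, then assemble the dictionary-attack command. Every hash here is a constructed
# placeholder, not a real credential.
set -u

# Print the matching -m value(s) or "unknown". Raw hex digests carry no format marker, so a
# 32-hex-char string is reported as "0 1000" (MD5 or NTLM) and you pick based on the source.
guess_hashcat_mode() {
    local h="$1"
    case "$h" in
        '$1$'*)                  echo 500   ;;   # md5crypt
        '$apr1$'*)               echo 1600  ;;   # Apache apr1 (htpasswd)
        '$5$'*)                  echo 7400  ;;   # sha256crypt
        '$6$'*)                  echo 1800  ;;   # sha512crypt
        '$2a$'*|'$2b$'*|'$2y$'*) echo 3200  ;;   # bcrypt
        '$krb5tgs$23$'*)         echo 13100 ;;   # Kerberos 5 TGS-REP etype 23 (Kerberoast)
        '$krb5asrep$23$'*)       echo 18200 ;;   # Kerberos 5 AS-REP etype 23
        '$keepass$'*)            echo 13400 ;;   # KeePass, as emitted by keepass2john
        *)
            # NetNTLMv2 capture: user::DOMAIN:challenge(16 hex):NTProofStr(32 hex):blob
            if printf '%s' "$h" | grep -Eq '^[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$'; then
                echo 5600
                return
            fi
            # Unsalted hex digest: classify by length only
            if printf '%s' "$h" | grep -Eq '^[0-9a-fA-F]+$'; then
                case "${#h}" in
                    32)  echo "0 1000" ;;   # MD5 or NTLM
                    40)  echo 100      ;;   # SHA1
                    64)  echo 1400     ;;   # SHA2-256
                    128) echo 1700     ;;   # SHA2-512
                    *)   echo unknown  ;;
                esac
            else
                echo unknown
            fi
            ;;
    esac
}

# Assemble the straight (dictionary) attack: -a 0, with an optional -r rule file.
build_hashcat_cmd() {
    local mode="$1" hashfile="$2" wordlist="$3" rule="${4:-}"
    local cmd="hashcat -m $mode -a 0 $hashfile $wordlist"
    if [ -n "$rule" ]; then
        cmd="$cmd -r $rule"
    fi
    printf '%s\n' "$cmd"
}

# Demo on a constructed sha512crypt string (salt and digest are filler, not a real hash).
hashfile="$(mktemp)"
printf '%s\n' '$6$examplesalt$constructedplaceholderdigest' > "$hashfile"
mode="$(guess_hashcat_mode "$(head -n 1 "$hashfile")")"
echo "suggested mode: $mode"
build_hashcat_cmd "$mode" "$hashfile" /usr/share/wordlists/rockyou.txt rules/best64.rule
# Only runs when hashcat is installed; cracked results land in the potfile and are read with --show.
if command -v hashcat >/dev/null 2>&1; then
    hashcat -m "$mode" -a 0 "$hashfile" /usr/share/wordlists/rockyou.txt -r rules/best64.rule
    hashcat -m "$mode" "$hashfile" --show
fi
rm -f "$hashfile"
```

The length-based branch is the caveat worth remembering: an unsalted 32-hex digest from a Windows SAM dump is NTLM (1000), while the same shape from a web application database is usually MD5 (0), and hashcat will happily run with the wrong mode and crack nothing.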
Rules
Hashcat ships with rule files that modify the words of the dictionary (for example by capitalising them, appending digits or toggling case), and you can write your own rules in the same syntax.
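To see what a rule actually does to a word before spending GPU time on it, here is an added example (not from the original page, and not hashcat's own code): a small bash interpreter for a subset of hashcat's rule functions (l, u, c, r, d, $X, ^X), applied to a constructed wordlist and rule file. The file names and the rules themselves are made up for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): a tiny interpreter for part of hashcat's rule
# language, so you can see what a rule does to a word. Supported functions: l u c r d $X ^X,
# separated by spaces as in hashcat rule files; anything else is rejected.
set -u

# Reverse a string in pure bash (avoids depending on the rev utility).
reverse_word() {
    local s="$1" out="" k
    for ((k = ${#s} - 1; k >= 0; k--)); do out="$out${s:$k:1}"; done
    printf '%s' "$out"
}

# Apply one rule line to one word and print the candidate.
apply_rule() {
    local word="$1" rule="$2" i=0 op
    while [ "$i" -lt "${#rule}" ]; do
        op="${rule:$i:1}"
        case "$op" in
            ' ') ;;                                                              # separator
            l)   word="$(printf '%s' "$word" | tr '[:upper:]' '[:lower:]')" ;;   # lowercase all
            u)   word="$(printf '%s' "$word" | tr '[:lower:]' '[:upper:]')" ;;   # uppercase all
            c)   word="$(printf '%s' "${word:0:1}" | tr '[:lower:]' '[:upper:]')$(printf '%s' "${word:1}" | tr '[:upper:]' '[:lower:]')" ;;  # capitalize
            r)   word="$(reverse_word "$word")" ;;                               # reverse
            d)   word="$word$word" ;;                                            # duplicate
            '$') i=$((i + 1)); word="$word${rule:$i:1}" ;;                       # append char X
            '^') i=$((i + 1)); word="${rule:$i:1}$word" ;;                       # prepend char X
            *)   echo "unsupported rule function: $op" >&2; return 1 ;;
        esac
        i=$((i + 1))
    done
    printf '%s\n' "$word"
}

# Run every rule over every word, as hashcat does in -a 0 with -r (one candidate per pair).
mangle() {
    local wordlist="$1" rulefile="$2" w r
    while IFS= read -r w; do
        while IFS= read -r r; do
            case "$r" in ''|'#'*) continue ;; esac       # blank lines and comments are skipped
            apply_rule "$w" "$r"
        done < "$rulefile"
    done < "$wordlist"
}

# Constructed wordlist and rules; "c $2 $0 $2 $4" turns "summer" into "Summer2024".
work="$(mktemp -d)"
printf '%s\n' summer password > "$work/words.txt"
printf '%s\n' '# capitalize and append a year' 'c $2 $0 $2 $4' 'u' 'r' 'c $!' > "$work/demo.rule"
mangle "$work/words.txt" "$work/demo.rule"
# With real hashcat, --stdout prints the candidates without cracking anything:
#   hashcat --stdout -r demo.rule words.txt
rm -rf "$work"
```

Real rule files such as best64.rule use many more functions than this subset; the point is the execution model: each rule line is applied independently to each word, so the candidate count is words multiplied by rules.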
John
John the Ripper is another password recovery tool. The main difference from hashcat is that John is primarily a CPU tool while hashcat is primarily a GPU tool. That does not make it worse: for certain hashes John performs better than hashcat, and John supports formats that hashcat does not.
You can list John the Ripper's supported formats with the following command.
To start brute-forcing:
Converters
Several helper programs extract a crackable hash from an encrypted file (archives, key databases, private keys, device configs) so that John the Ripper can brute-force it later. Some of them:
keepass2john
rar2john
zip2john
ssh2john
cisco2john
You can find them with the following command:
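As an added example (not from the original page, and not code shipped with John), the converter list above turned into a small bash helper: it picks the matching *2john converter from a file's magic bytes or text markers, prints the convert/crack/show pipeline, and checks whether that converter is on PATH. The sample files are constructed in-line with only their headers, and the wordlist path /usr/share/wordlists/rockyou.txt is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): pick the matching *2john converter from a
# file's signature, then show the john pipeline (convert -> crack -> --show). The sample
# files are constructed here with only their header bytes; none is a real secret.
set -u

# Print the converter name for a file, or "unknown". Detection is a heuristic on magic bytes
# and text markers and covers the converters listed on the page.
pick_2john_converter() {
    local f="$1" magic
    magic="$(od -An -tx1 -N8 "$f" | tr -d ' \n')"
    case "$magic" in
        504b0304*)     echo zip2john;     return ;;  # ZIP local file header "PK\x03\x04"
        526172211a07*) echo rar2john;     return ;;  # "Rar!\x1a\x07" (RAR 1.5-4.x and RAR5)
        03d9a29a*)     echo keepass2john; return ;;  # KeePass 1.x/2.x database signature
    esac
    if head -n 1 "$f" | grep -q 'PRIVATE KEY-----'; then
        echo ssh2john; return            # PEM/OpenSSH private key
    fi
    if grep -Eq 'secret 5 \$1\$|password 7 ' "$f"; then
        echo cisco2john; return          # Cisco IOS config with type 5 / type 7 secrets
    fi
    echo unknown
}

# Print the three commands a pentester runs for the file; nothing is executed here.
john_pipeline() {
    local conv="$1" f="$2" wordlist="$3"
    printf '%s\n' "$conv $f > $f.hash" \
                  "john --wordlist=$wordlist $f.hash" \
                  "john --show $f.hash"
}

# Constructed samples: a ZIP header, a KeePass 2.x header and a PEM private-key marker.
work="$(mktemp -d)"
printf 'PK\003\004' > "$work/backup.zip"
printf '\003\331\242\232\147\373\113\265' > "$work/vault.kdbx"
printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n' > "$work/id_ed25519"
for f in "$work"/*; do
    conv="$(pick_2john_converter "$f")"
    echo "$f -> $conv"
    if [ "$conv" != unknown ]; then
        john_pipeline "$conv" "$f" /usr/share/wordlists/rockyou.txt
        # Converters ship with John; if the bare name is not on PATH, look for *2john.py/.pl
        # in John's run directory (on Kali this is /usr/share/john).
        command -v "$conv" >/dev/null 2>&1 || echo "($conv is not on PATH here)"
    fi
done
rm -rf "$work"
```

Do not skip the conversion step: John cannot read an encrypted archive or key file directly, it needs the extracted hash line the converter emits, and that line also tells you which John format (or hashcat mode) applies.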
fcrackzip
Because John can be slow at cracking zips, you can use fcrackzip, which performs better on archives protected with the traditional ZipCrypto scheme; AES-encrypted zips are still a job for John or hashcat.