Introduction

During the post exploitation phase of a pentesting it is common that you will find hashed passwords. In order to obtain the actual password you will need to crack them.

Types of Attack

Before trying to crack a hash, you must think about which approach best fits your need.

• Dictionary attack: Uses all words in a dictionary or text file.

• Hybrid attack: Based on the words of a dictionary, creates a new set of possible passwords by performing permutations, changing characters or adding numbers and symbols to the existing words. This can be achieved by using rules on certain tools.

• Brute force: Generates all possible passwords up to a certain length from a set of characters, taking a lot of time to break a password.

• Rainbow tables: Rainbow tables can be described as a huge list of pre-computed hashes of all possible password combinations for a given algorithm that retrieves passwords pretty quickly. However, they may be ineffective against password hashing that uses salting without taking the salting into account.

Webs

There are several webs with huge databases of already cracked hashes, avoiding cracking the hashes manually.

• Crackstation

• Tunnelsup

• Md5online

• Hashkiller

Moreover, searching the hash on Google could provide you with the cracked password.

Hashcat

Hashcat is the fastest passwords recovery multi-platform tool, supporting CPU, GPU and hardware accelerators for better performance. Furthermore, it comes with different modes and the ability to create rules, generating better wordlists.

Obtain the mode for the specified hash.

hashcat -h | grep NTLM 
5500 | NetNTLMv1 / NetNTLMv1+ESS   | Network Protocols
5600 | NetNTLMv2                   | Network Protocols
1000 | NTLM

Execute:

hashcat -m <MODE> <HASHES.TXT> <WORDLIST> [-r <RULE>]
hashcat -m <MODE> <HASHES.TXT> <WORDLIST> -r /opt/OneRuleToRuleThemAll.rule

Because hashcat has a lot of features and rules can be complicated to generate, you can check this hashcat cheatsheet your pentests.

Rules

Hashcat comes with custom rules which modified the words in the dictionary.

hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt -r /opt/OneRuleToRuleThemAll.rule

John

JohnTheRipper is another password recovery tool, which main difference between hashcat is that John is more a CPU tool and Hashcat is a GPU tool. However, it does not mean it is worse, for certain hashes John performs better than Hashcat and there are hashes supported by john that hashcat does not.

You can list JohnTheRipper's allowed formats with the following command.

john --list=formats

To start brute-forcing:

john -w=<WORDLIST> hash.txt

Conversor

Several programs are capable of obtaining the hash of encrypted files for a later brute force on john the ripper. As an example, here are some of them.

• keepass2john

• rar2john

• zip2john

• ssh2john

• cisco2john

You can find them with the following command:

locate <format>2john

fcrackzip

Because John is slow at cracking zips, you can use fcrackzip which performs better.

fcrackzip -v -u -D -p <WORDLIST> <FILE.ZIP>