9/24/2024

Password Cracking With Hashcat

 _._     _,-'""`-._
(,-.`._,'(       |\`-/|
    `-.-' \ )-`( , x x)
          `-    \`_`"'-

Hashcat is a command-line password cracking tool that supports over 300 hashing algorithms. It offers five attack modes, including brute-force and dictionary attacks. We will focus on dictionary attacks, a simpler and faster mode that hashes each entry in a wordlist and compares the result to the hashed password. Brute-force attacks, by contrast, can take a large amount of time and computing resources because they run through combinations of characters by trial and error.

We will be using the rockyou.txt password list. This password list was compiled back in 2009 after a major data breach at RockYou, a social media app and advertising network. The list contains over 14 million unique passwords that are commonly used amongst the general public and is a staple wordlist in the hacker community. You can view and download other password lists from here.

Passwords are usually discovered as hashes. Password hashing is the practice of algorithmically turning a plain-text password into a hash, an irreversibly obfuscated version of itself, as a means of guarding against the threat of password breaches. This process helps secure passwords from the naked eye. There are many types of hashing algorithms, including MD5, SHA-1, SHA-256, and hundreds of others. As mentioned earlier, Hashcat can crack hashes from over 300 different hashing algorithms. Below is a collection of downloadable hashed passwords which can be used for practice with Hashcat and the rockyou.txt password list. You can also hash your own passwords using online resources such as the All Hash Generator on Browserling.com.

Hashed Password Samples:
MD5Password.txt
SHA1Password.txt
SHA256Password.txt
CRC32Password.txt
NTLMPassword.txt

Hashcat is available for various operating systems and is included in the Kali Linux distro. We can crack our first MD5 hashed password from the samples above using the command below in our terminal:

hashcat -m 0 *path to MD5Password.txt* *path to rockyou.txt*

The first option of the command, "-m 0", sets the type of hash you are attempting to crack, 0 being MD5. You can view all the Hashcat hashing algorithms and their dedicated mode numbers using the command "hashcat --help". For example, 100 is used for SHA-1 hashes. If you do not know the hashing algorithm used for the password you are attempting to crack, you can use a hash-identifying tool like hash-identifier, which is included in Kali Linux distros.

The second option, "*path to MD5Password.txt*", directs Hashcat to the hashed password file path, for example /home/USERNAME/Downloads/MD5Password.txt, where USERNAME is your username. The final option of the command is the path to the wordlist you are running the attack with. Kali Linux includes many default wordlists, including rockyou.txt, in the /usr/share/wordlists path. Please note that you will need to decompress the rockyou.txt.gz archive on your machine with the gunzip command if you haven't already.

Let's run the command and see what Hashcat comes up with:

hashcat -m 0 /root/Downloads/MD5Password.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-haswell-AMD Ryzen 5 4600H with Radeon Graphics, 1425/2914 MB (512 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

6104df369888589d6dbea304b59a32d4:blink182                 
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 6104df369888589d6dbea304b59a32d4
Time.Started.....: Tue Sep 24 15:54:28 2024 (0 secs)
Time.Estimated...: Tue Sep 24 15:54:28 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     9780 H/s (0.06ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 512/14344385 (0.00%)
Rejected.........: 0/512 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> letmein
Hardware.Mon.#1..: Util: 66%

Started: Tue Sep 24 15:53:52 2024
Stopped: Tue Sep 24 15:54:30 2024

Success! After a few seconds we can see the hashed password, blink182, has been cracked at the line 6104df369888589d6dbea304b59a32d4:blink182. Blink-182 fans beware, your password isn't fooling even the most amateur of hackers out there.
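
To see why this password fell so quickly, the sketch below is an added example (not part of the original post and not Hashcat's own code) that performs the same hash-and-compare step in Python and then uses the Keyspace and Speed figures from the output above to compare a full wordlist pass with an 8-character brute force. The five-word sample list, the function names, and the assumption that brute force runs at the same guess rate are constructed for illustration.

```python
import hashlib

# Values copied from the hashcat run shown above.
TARGET_MD5 = "6104df369888589d6dbea304b59a32d4"   # Hash.Target
ROCKYOU_KEYSPACE = 14_344_385                      # Dictionary cache: Keyspace
CPU_RATE = 9780                                    # Speed.#1, hashes per second

# Constructed stand-in for a wordlist; the real rockyou.txt is not needed here.
SAMPLE_WORDLIST = ["123456", "password", "iloveyou", "blink182", "letmein"]


def dictionary_lookup(target_hex, candidates):
    """MD5 each candidate and compare; return (word, guesses) or (None, guesses)."""
    target = target_hex.strip().lower()
    guesses = 0
    for word in candidates:
        guesses += 1
        if hashlib.md5(word.encode("utf-8")).hexdigest() == target:
            return word, guesses
    return None, guesses


def brute_force_keyspace(alphabet_size, length):
    """Number of strings of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def worst_case_seconds(keyspace, rate):
    """Seconds needed to try every candidate at a fixed guess rate."""
    return keyspace / rate


if __name__ == "__main__":
    word, guesses = dictionary_lookup(TARGET_MD5, SAMPLE_WORDLIST)
    print(f"match: {word!r} after {guesses} guesses")

    # Whole wordlist versus every 8-character string of a-z and 0-9,
    # both at the CPU rate reported in the run above (an assumption).
    dict_s = worst_case_seconds(ROCKYOU_KEYSPACE, CPU_RATE)
    bf_s = worst_case_seconds(brute_force_keyspace(36, 8), CPU_RATE)
    print(f"full wordlist pass : {dict_s / 60:.1f} minutes")
    print(f"8-char brute force : {bf_s / 31_557_600:.1f} years")
```

A password that appears in a common wordlist is found within the wordlist's keyspace no matter how long it is, which is the property to check for when auditing your own passwords.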

Try using Hashcat with the other sample hashed passwords in this post, or hash your own passwords using the All Hash Generator on Browserling.com and see if your passwords are vulnerable to dictionary attacks using the rockyou.txt or other common wordlists. To learn more about Hashcat and its other features, visit their Wiki here.
