Extract Hashes
Get the hashes from wherever they live — database dumps, config files, SAM files, shadow files, whatever.
Identify + Format Hashes
Use tools like:
hashid <hash>
hash-identifier <hash>
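As an added example (not from the original page), a small Python classifier that recognises the hash formats this page works with and maps each to its hashcat mode, so a mixed hash file can be split into one file per mode before the identification step is handed to hashcat. It assumes the hashcat mode numbers already quoted on this page plus mode 1800 (sha512crypt), which is taken from hashcat's own mode list rather than from this page.

```python
import re

# Signature table for the hash formats on this page, mapped to the hashcat mode each
# uses. Rows are tried in order: self-describing formats first, the ambiguous bare
# 32-hex digest last. Every pattern accepts an optional leading "name:" field, the
# username prefix that keepass2john, ssh2john and unshadow all emit. Assumption:
# mode 1800 (sha512crypt) comes from hashcat's mode list, not this page; it covers
# the $6$ entries that unshadow produces from /etc/shadow.
SIGNATURES = [
    ("KeePass database (keepass2john)", 13400,
     re.compile(r"^(?:[^:]+:)?\$keepass\$\*[12]\*")),
    ("OpenSSH private key, $sshng$6$ (ssh2john)", 22921,
     re.compile(r"^(?:[^:]+:)?\$sshng\$6\$")),
    ("NetNTLMv2 (Responder NTLMv2-SSP capture)", 5600,
     re.compile(r"^[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$")),
    ("sha512crypt $6$ (/etc/shadow via unshadow)", 1800,
     re.compile(r"^(?:[^:]+:)?\$6\$(?:rounds=\d+\$)?[^$:]{1,16}\$[./0-9A-Za-z]{86}$")),
    ("NTLM NT hash (bare 32-hex digest; could equally be raw MD5)", 1000,
     re.compile(r"^(?:[^:]+:)?[0-9a-fA-F]{32}$")),
]

def identify(line):
    """Return (format name, hashcat mode) for one hash line, or None if unrecognised."""
    line = line.strip()
    for name, mode, pattern in SIGNATURES:
        if pattern.match(line):
            return name, mode
    return None

def split_by_mode(lines):
    """Group hash lines by hashcat mode (one mode per run); unknown lines go under None."""
    groups = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        hit = identify(line)
        groups.setdefault(hit[1] if hit else None, []).append(line)
    return groups

if __name__ == "__main__":
    # Constructed sample lines in the shapes the page's tools emit (not real credentials).
    samples = [
        "id_rsa:$sshng$6$16$7059e78a8d3764ea1e883fcdf592feb7$1894$6f70656e7373682d",
        "svcFileCopy::ZA:1122334455667788:" + "ab" * 16 + ":0101000000000000",
        "root:$6$saltsalt$" + "A" * 86,
        "f" * 32,
    ]
    for mode, hashes in split_by_mode(samples).items():
        print(mode, len(hashes), identify(hashes[0])[0] if mode else "unrecognised")
```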
Prepare the Wordlist
Don’t just throw rockyou at it and pray. Instead:
Use rule-based mutations
Match known password policy
Leverage default creds or leaked dumps
Customize if you know the user profile (e.g., local language, org-specific terms)
Attack the Hash
# find the hashcat mode
hashcat --help | grep -i <hash>
# crack the hash
hashcat -m <mode> hash.txt wordlist.txt
# crack the hash with a ruleset
hashcat -m <mode> hash.txt wordlist.txt -r rulefile.rule
Keepass
keepass2john <file>.kdbx > keepass.hash
hashcat --help | grep -i "KeePass"
hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force
SSH
ssh2john id_rsa > ssh.hash
cat ssh.hash
id_rsa:$sshng$6$16$7059e78a8d3764ea1e883fcdf592feb7$1894$6f70656e7373682d6b65792d7631000000000a6165733235362d6374720000000662637279707400000018000000107059e78a8d3...
hashcat -h |grep -i "ssh" |grep "\$6"
22921 | RSA/DSA/EC/OpenSSH Private Keys ($6$)
NTLM
# Solid rule set and wordlist for most hashes
hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
NTLMv2
# NTLMv2
hashcat -m 5600 -a 0 crackme.txt /usr/share/wordlists/rockyou.txt --force
# Hash example captured via responder:
[SMB] NTLMv2-SSP Username : ZA\svcFileCopy
[SMB] NTLMv2-SSP Hash : svcFileCopy::ZA:9028c9cf54a8c4f...
Linux
# grab /etc/passwd into PASSWORD-FILE and /etc/shadow into SHADOW-FILE (unshadow needs both)
unshadow PASSWORD-FILE SHADOW-FILE > crackme.txt
john crackme.txt --wordlist=/usr/share/wordlists/rockyou.txt