Hashes
Online Databases
LM, NTLM, md2, md4, md5, md5(md5_hex), md5-half, sha1, sha224, sha256, sha384, sha512, ripeMD160, whirlpool, MySQL 4.1+ (sha1(sha1_bin)), QubesV3.1BackupDefaults
NT Hash (SAM)
Pull Hashes Decryption From Online Sources

Unix password
/etc/shadow
```
cry0l1t3:$6$wBRzy$...SNIP...x9cDWUxW1:18937:0:99999:7:::
```
| Field | Value in the line above |
|---|---|
| Username | cry0l1t3 |
| Encrypted password | $6$wBRzy$...SNIP...x9cDWUxW1 |
| Last PW change | 18937 |
| Min. PW age | 0 |
| Max. PW age | 99999 |
| Warning period | (empty) |
| Inactivity period | (empty) |
| Expiration date | (empty) |
| Unused | (empty) |

The encrypted password field has the form:
```
$<type>$<salt>$<hashed>
```
Crack /etc/shadow hashes
```
$ cat hash
user:$1$CrackMe$U93**********UP9iUxGVIvq/:18439:0:99999:7:::
$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
```
Hash Identifier
```
apt install hashid
hashid --john 22edc41d491015e81f67da568fb2726cf739c42b2974d32d2f41163af4ccb1a3
```
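As an added example (this is not code from the original page, nor from hashid), the following Python script does a small version of what hashid does for the hash types this page covers, mapping each prefix or digest length to the hashcat mode and john format names used here, and then applies it to /etc/shadow entries like the one in the section above to flag empty, locked or expired accounts and weak hash algorithms. The hashcat modes for $5$, $y$, descrypt and the raw SHA-2 digests, and the sample shadow lines other than the two taken from this page, are assumptions constructed for the example.

```python
import re
from datetime import date

# Added example (not part of the original page): classify a password hash by
# its prefix or length and map it to the hashcat mode / john format names used
# on this page, then apply that to /etc/shadow entries for a basic audit.
# The $5$ and $y$ entries are taken from the crypt(5) man page, not this page.

EPOCH = date(1970, 1, 1)          # shadow date fields count days since this date

# prefix -> (algorithm, hashcat mode or None if hashcat has no mode, john format)
CRYPT_PREFIXES = {
    "$1$": ("md5crypt", 500, "md5crypt"),
    "$2a$": ("bcrypt", 3200, "bcrypt"),
    "$2b$": ("bcrypt", 3200, "bcrypt"),
    "$2y$": ("bcrypt", 3200, "bcrypt"),
    "$5$": ("sha256crypt", 7400, "sha256crypt"),
    "$6$": ("sha512crypt", 1800, "sha512crypt"),
    "$y$": ("yescrypt", None, "crypt"),
    "$P$": ("phpass", 400, "phpass"),
    "$H$": ("phpass", 400, "phpass"),
}

# Unsalted hex digests cannot be told apart by inspection alone, so every
# candidate hashcat mode is listed (32 hex chars: raw MD5 -m 0 or NT -m 1000).
HEX_DIGESTS = {
    32: ("MD5 or NT", [0, 1000]),
    40: ("SHA-1", [100]),
    64: ("SHA-256", [1400]),
    128: ("SHA-512", [1700]),
}

WEAK_ALGORITHMS = {"descrypt", "md5crypt", "MD5 or NT", "SHA-1"}


def identify_hash(value):
    """Return {'name', 'hashcat', 'john'} for a single hash string."""
    for prefix, (name, mode, jtr) in CRYPT_PREFIXES.items():
        if value.startswith(prefix):
            return {"name": name, "hashcat": [mode] if mode is not None else [], "john": jtr}
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HEX_DIGESTS:
        name, modes = HEX_DIGESTS[len(value)]
        return {"name": name, "hashcat": modes, "john": None}
    if re.fullmatch(r"[./0-9A-Za-z]{13}", value):   # traditional DES crypt(3)
        return {"name": "descrypt", "hashcat": [1500], "john": "descrypt"}
    return {"name": "unknown", "hashcat": [], "john": None}


def audit_shadow_line(line, today=None):
    """Parse one /etc/shadow line and report its hash type and policy findings."""
    today = today or date.today()
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    user, pw, last_change, _min_age, max_age, _warn, _inactive, expire, _unused = fields
    report = {"user": user, "findings": []}
    if pw == "":
        report["status"] = "empty"
        report["findings"].append("empty password field")
    elif pw.startswith(("!", "*")):
        report["status"] = "locked"        # '!' or '*' prefix: no password login
    else:
        report["status"] = "active"
        report["hash"] = identify_hash(pw)
        if report["hash"]["name"] in WEAK_ALGORITHMS:
            report["findings"].append("weak hash algorithm: " + report["hash"]["name"])
    today_days = (today - EPOCH).days
    # 99999 is the conventional "never expires" value for the max-age field
    if last_change.isdigit() and max_age.isdigit() and int(max_age) < 99999:
        if today_days > int(last_change) + int(max_age):
            report["findings"].append("password older than max age")
    if expire.isdigit() and today_days > int(expire):
        report["findings"].append("account expiration date has passed")
    return report


# Constructed sample lines; the first two reuse the (snipped) hashes shown on this page.
SAMPLE_SHADOW = [
    "cry0l1t3:$6$wBRzy$...SNIP...x9cDWUxW1:18937:0:99999:7:::",
    "user:$1$CrackMe$U93**********UP9iUxGVIvq/:18439:0:99999:7:::",
    "svc-backup::18000:0:90:7:::",
    "daemon:*:18000:0:99999:7:::",
]

if __name__ == "__main__":
    for entry in SAMPLE_SHADOW:
        print(audit_shadow_line(entry, today=date(2022, 1, 1)))
```

The audit is deliberately conservative: a hex digest of 32 characters is reported as "MD5 or NT" with both hashcat modes, because nothing in the string itself distinguishes them; only the source of the hash (a SAM dump versus a web application database) settles it.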
Online:
See Privilege escalation - Linux

Linux /etc/passwd
```
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
...SNIP...
htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash
```
| Field | Value in the htb-student line |
|---|---|
| <username> | htb-student |
| <password> | x |
| <uid> | 1000 |
| <gid> | 1000 |
| <comment> | ,,, |
| <home directory> | /home/htb-student |
| <cmd executed after logging in> | /bin/bash |
Cracking Linux Credentials
Unshadow
```
$ sudo cp /etc/passwd /tmp/passwd.bak
$ sudo cp /etc/shadow /tmp/shadow.bak
$ unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
```
```
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked
```
Create custom password list
Username lists, Password lists, PassGAN
Bash:
```
for i in $(cat pwlist.txt); do echo $i; echo ${i}2019; echo ${i}2020; done > pwd.txt
```
kwprocessor
Hashcat generating rule-based Wordlist
```
$ cat custom.rule
:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@
```
```
$ hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
$ cat mut_password.list
password
Password
passw0rd
Passw0rd
p@ssword
P@ssword
P@ssw0rd
password!
Password!
passw0rd!
p@ssword!
Passw0rd!
P@ssword!
p@ssw0rd!
P@ssw0rd!
```
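To make the rule semantics concrete, here is an added Python example (not code from the original page or from hashcat) that interprets the rule functions used in custom.rule above (`:`, `c`, `sXY`, `$X`, plus a few other single-character functions) and reproduces the `--stdout | sort -u` output for the word "password". It also shows the defensive use of the same machinery: a password-policy check that rejects a candidate which is merely a rule mutation of a banned base word. The function names and the base-word list are this example's own.

```python
# Added example (not from the original page): a small interpreter for a subset
# of hashcat rule functions, used both to regenerate the mutated wordlist shown
# above and as a policy check against trivially mutated dictionary words.

# The rule file from the page, verbatim
CUSTOM_RULES = """\
:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@
"""


def apply_rule(word, rule):
    """Apply one rule line (functions separated by spaces) left to right."""
    out = word
    for fn in rule.split():
        if fn == ":":                                # no-op: pass the word through
            continue
        if fn == "l":                                # lowercase all
            out = out.lower()
        elif fn == "u":                              # uppercase all
            out = out.upper()
        elif fn == "c":                              # capitalize first char, lowercase the rest
            out = out[:1].upper() + out[1:].lower()
        elif fn == "t":                              # toggle case of every char
            out = out.swapcase()
        elif fn == "r":                              # reverse
            out = out[::-1]
        elif fn.startswith("s") and len(fn) == 3:    # sXY: replace every X with Y
            out = out.replace(fn[1], fn[2])
        elif fn.startswith("$") and len(fn) == 2:    # $X: append X
            out = out + fn[1]
        elif fn.startswith("^") and len(fn) == 2:    # ^X: prepend X
            out = fn[1] + out
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
    return out


def mutate_wordlist(words, rules_text):
    """Equivalent of `hashcat --stdout -r rules wordlist | sort -u`."""
    rules = [r for r in rules_text.splitlines() if r.strip() and not r.startswith("#")]
    return sorted({apply_rule(w, r) for w in words for r in rules})


def is_dictionary_mutation(candidate, banned_words, rules_text):
    """Policy check: True if the candidate is a rule mutation of a banned base word."""
    return candidate in set(mutate_wordlist(banned_words, rules_text))


if __name__ == "__main__":
    for mutated in mutate_wordlist(["password"], CUSTOM_RULES):
        print(mutated)
    print(is_dictionary_mutation("P@ssw0rd!", ["password"], CUSTOM_RULES))
```

Note that functions are applied in order, so `$! c` first appends the exclamation mark and then capitalizes, which is why the result is still "Password!"; the split on whitespace also means a rule that appends a literal space (`$ `) is not supported by this minimal interpreter.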
Hashcat Existing Rules
```
$ ls /usr/share/hashcat/rules/
best64.rule                   specific.rule
combinator.rule               T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
d3ad0ne.rule                  T0XlC-insert_space_and_special_0_F.rule
dive.rule                     T0XlC-insert_top_100_passwords_1_G.rule
generated2.rule               T0XlC.rule
generated.rule                T0XlCv1.rule
hybrid                        toggles1.rule
Incisive-leetspeak.rule       toggles2.rule
InsidePro-HashManager.rule    toggles3.rule
InsidePro-PasswordsPro.rule   toggles4.rule
leetspeak.rule                toggles5.rule
oscommerce.rule               unix-ninja-leetspeak.rule
rockyou-30000.rule
```
Try best64.rule first.
OneRuleToRuleThemAll
```
hashcat --attack-mode 0 --rules-file OneRuleToRuleThemAll.rule --hash-type 1000 hash /usr/share/wordlists/rockyou.txt
```
Crunch
Cupp
CeWL
```
$ cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist
$ wc -l inlane.wordlist
326
```
Improve the custom wordlist
Few passwords are just simple words; many add numbers and special characters. To improve the password list we can run it through John the Ripper's mangling rules, either our own rules or the standard John the Ripper rule set:
```
john --wordlist=inlane.wordlist --rules --stdout > wordlist-modified.txt
```
Rainbow Tables - SHA1
RainbowCrack

VM - VMWare and VirtualBox encryption
John The Ripper
```
$ john --format=<hash_type> <hash or hash_file>
```
John prints cracked passwords to the console and also records them in the file john.pot (~/.john/john.pot) in the current user's home directory.
| Hash Format | Example Command | Description |
|---|---|---|
| afs | john --format=afs hashes_to_crack.txt | AFS (Andrew File System) password hashes |
| bfegg | john --format=bfegg hashes_to_crack.txt | bfegg hashes used in Eggdrop IRC bots |
| bf | john --format=bf hashes_to_crack.txt | Blowfish-based crypt(3) hashes |
| bsdi | john --format=bsdi hashes_to_crack.txt | BSDi crypt(3) hashes |
| crypt(3) | john --format=crypt hashes_to_crack.txt | Traditional Unix crypt(3) hashes |
| des | john --format=des hashes_to_crack.txt | Traditional DES-based crypt(3) hashes |
| dmd5 | john --format=dmd5 hashes_to_crack.txt | DMD5 (Dragonfly BSD MD5) password hashes |
| dominosec | john --format=dominosec hashes_to_crack.txt | IBM Lotus Domino 6/7 password hashes |
| episerver | john --format=episerver hashes_to_crack.txt | EPiServer SID (Security Identifier) password hashes |
| hdaa | john --format=hdaa hashes_to_crack.txt | hdaa password hashes used in Openwall GNU/Linux |
| hmac-md5 | john --format=hmac-md5 hashes_to_crack.txt | hmac-md5 password hashes |
| hmailserver | john --format=hmailserver hashes_to_crack.txt | hmailserver password hashes |
| ipb2 | john --format=ipb2 hashes_to_crack.txt | Invision Power Board 2 password hashes |
| krb4 | john --format=krb4 hashes_to_crack.txt | Kerberos 4 password hashes |
| krb5 | john --format=krb5 hashes_to_crack.txt | Kerberos 5 password hashes |
| LM | john --format=LM hashes_to_crack.txt | LM (Lan Manager) password hashes |
| lotus5 | john --format=lotus5 hashes_to_crack.txt | Lotus Notes/Domino 5 password hashes |
| mscash | john --format=mscash hashes_to_crack.txt | MS Cache password hashes |
| mscash2 | john --format=mscash2 hashes_to_crack.txt | MS Cache v2 password hashes |
| mschapv2 | john --format=mschapv2 hashes_to_crack.txt | MS CHAP v2 password hashes |
| mskrb5 | john --format=mskrb5 hashes_to_crack.txt | MS Kerberos 5 password hashes |
| mssql05 | john --format=mssql05 hashes_to_crack.txt | MS SQL 2005 password hashes |
| mssql | john --format=mssql hashes_to_crack.txt | MS SQL password hashes |
| mysql-fast | john --format=mysql-fast hashes_to_crack.txt | MySQL fast password hashes |
| mysql | john --format=mysql hashes_to_crack.txt | MySQL password hashes |
| mysql-sha1 | john --format=mysql-sha1 hashes_to_crack.txt | MySQL SHA1 password hashes |
| NETLM | john --format=netlm hashes_to_crack.txt | NETLM (NT LAN Manager) password hashes |
| NETLMv2 | john --format=netlmv2 hashes_to_crack.txt | NETLMv2 (NT LAN Manager version 2) password hashes |
| NETNTLM | john --format=netntlm hashes_to_crack.txt | NETNTLM (NT LAN Manager) password hashes |
| NETNTLMv2 | john --format=netntlmv2 hashes_to_crack.txt | NETNTLMv2 (NT LAN Manager version 2) password hashes |
| NEThalfLM | john --format=nethalflm hashes_to_crack.txt | NEThalfLM (NT LAN Manager) password hashes |
| md5ns | john --format=md5ns hashes_to_crack.txt | md5ns (MD5 namespace) password hashes |
| nsldap | john --format=nsldap hashes_to_crack.txt | nsldap (OpenLDAP SHA) password hashes |
| ssha | john --format=ssha hashes_to_crack.txt | ssha (Salted SHA) password hashes |
| NT | john --format=nt hashes_to_crack.txt | NT (Windows NT) password hashes |
| openssha | john --format=openssha hashes_to_crack.txt | OPENSSH private key password hashes |
| oracle11 | john --format=oracle11 hashes_to_crack.txt | Oracle 11 password hashes |
| oracle | john --format=oracle hashes_to_crack.txt | Oracle password hashes |
| pdf | john --format=pdf hashes_to_crack.txt | PDF (Portable Document Format) password hashes |
| phpass-md5 | john --format=phpass-md5 hashes_to_crack.txt | PHPass-MD5 (Portable PHP password hashing framework) password hashes |
| phps | john --format=phps hashes_to_crack.txt | PHPS password hashes |
| pix-md5 | john --format=pix-md5 hashes_to_crack.txt | Cisco PIX MD5 password hashes |
| po | john --format=po hashes_to_crack.txt | Po (Sybase SQL Anywhere) password hashes |
| rar | john --format=rar hashes_to_crack.txt | RAR (WinRAR) password hashes |
| raw-md4 | john --format=raw-md4 hashes_to_crack.txt | Raw MD4 password hashes |
| raw-md5 | john --format=raw-md5 hashes_to_crack.txt | Raw MD5 password hashes |
| raw-md5-unicode | john --format=raw-md5-unicode hashes_to_crack.txt | Raw MD5 Unicode password hashes |
| raw-sha1 | john --format=raw-sha1 hashes_to_crack.txt | Raw SHA1 password hashes |
| raw-sha224 | john --format=raw-sha224 hashes_to_crack.txt | Raw SHA224 password hashes |
| raw-sha256 | john --format=raw-sha256 hashes_to_crack.txt | Raw SHA256 password hashes |
| raw-sha384 | john --format=raw-sha384 hashes_to_crack.txt | Raw SHA384 password hashes |
| raw-sha512 | john --format=raw-sha512 hashes_to_crack.txt | Raw SHA512 password hashes |
| salted-sha | john --format=salted-sha hashes_to_crack.txt | Salted SHA password hashes |
| sapb | john --format=sapb hashes_to_crack.txt | SAP CODVN B (BCODE) password hashes |
| sapg | john --format=sapg hashes_to_crack.txt | SAP CODVN G (PASSCODE) password hashes |
| sha1-gen | john --format=sha1-gen hashes_to_crack.txt | Generic SHA1 password hashes |
| skey | john --format=skey hashes_to_crack.txt | S/Key (One-time password) hashes |
| ssh | john --format=ssh hashes_to_crack.txt | SSH (Secure Shell) password hashes |
| sybasease | john --format=sybasease hashes_to_crack.txt | Sybase ASE password hashes |
| xsha | john --format=xsha hashes_to_crack.txt | xsha (Extended SHA) password hashes |
| zip | john --format=zip hashes_to_crack.txt | ZIP (WinZip) password hashes |
```
john --wordlist=<wordlist_file> --rules <hash_file>
```
John - Incremental mode

John - SHA-256
```
john --format=sha256 hashes_to_crack.txt
```
John - /etc/shadow - SHA-512
```
┌─[xor@parrot]─[~/Téléchargements]
└──╼ $ls
passwd rockyou.txt rockyou.txt.bz2 shadow
┌─[xor@parrot]─[~/Téléchargements]
└──╼ $unshadow passwd shadow > mypasswd
┌─[xor@parrot]─[~/Téléchargements]
└──╼ $john --wordlist=rockyou.txt mypasswd
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password1 (root)
1g 0:00:00:01 DONE (2019-08-21 15:20) 0.9615g/s 123.0p/s 123.0c/s 123.0C/s 123456..diamond
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
John - SSH Private Key - RSA
```
root@Host-001:~/Bureau# vim id_rsa
root@Host-001:~/Bureau# python /usr/share/john/ssh2john.py id_rsa > id_rsa_hash.txt
root@Host-001:~/Bureau# john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt
```
John - Windows NTLM
hashdump format: User Name:RID:LM-HASH value:NT-HASH value
```
john hash /usr/share/wordlists/rockyou.txt --format=NT
```

https://weakpass.com/pre-computed
John - ASREPRoast
```
john.exe --wordlist=C:\path\to\10k-worst-pass.txt C:\path\to\asrephashes.txt
```
John - Password Safe - psafe3 file
```
# /opt/tools/john/run/pwsafe2john.py Backup.psafe3 > backup.hash
# john backup.hash --wordlist=/usr/share/wordlists/rockyou.txt
```
Hashcat
Hashcat - Generic hash types
```
hashcat --example-hashes | less
```
Crunch Wordlist Generator - Create Single Characters
```
crunch 12 12 -f "/usr/share/crunch/charset.lst" mixalpha-numeric-all -t abracadabra@
```
With bash:
```
for i in {1..20}; do echo "password$i"; done
```
SHA1
```
echo 'd033e22ae348aeb5660fc2140aec35850c4da997' > admin_hash_sha1.txt
hashcat --hash-type 100 --attack-mode 0 admin_hash_sha1.txt /usr/share/wordlists/rockyou.txt
```
Wordpress - Phpass - $P$
```
hashcat -m 400 phpass.hash /usr/share/wordlists/rockyou.txt
```
sha512crypt $6$, SHA512 (Unix) - /etc/shadow
```
$6$52450745$k5ka2p8bFuSmoVT1tzOyyuaREkkKBcCNqoDKzYiJL9RaE8yMnPgh2XzzF0NDrUhgrcLwg78xs1w5pJiypEdFX/
```
```
hashcat --hash-type 1800 --attack-mode 0 michael.hash /usr/share/wordlists/rockyou.txt
```
IPMI
IPMI (623 UDP) - General
Tool
```
hashcat -m 7300 ipmi.txt
python3 ipmipwner.py --host 10.129.154.218 -u admin -c python -pW /usr/share/wordlists/rockyou.txt -oH hash -oC crackedHash
```
HP iLO
```
hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
```
Exegol:
```
hashcat -m 7300 ipmi.txt -a 3 '\?1\?1\?1\?1\?1\?1\?1\?1' -1 '?d?u'
```

SAM - NT hash
```
$ sudo vim hashestocrack.txt
64f12cddaa88057e06a81b54e73b949b
31d6cfe0d16ae931b73c59d7e0c089c0
6f8c3f4d3869a10f3b4f0522f537fd33
184ecdda8cf1dd238d438c4aea4d560d
f7eb9c06fafaa23c4bcf22ba6781c1e2
```
```
sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt
```
Online
MD5
```
hashcat -m 500 -a 0 md5-hashes.list rockyou.txt
```
MySQL / bcrypt - Blowfish (Unix) $2*$
MySQL (3306)
```
echo '$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12' > hash
hashcat --hash-type 3200 --attack-mode 0 hash `fzf-wordlists`
```
NTLMv2 - Responder
LLMNR NBT-NS Poisoning
```
[SMB] NTLMv2-SSP Hash : mssqlsvc
exit
[+] Exiting...
```
```
hashcat -m 5600 mssqlsvc_hash passwords.list
```
Kerberoast - SPN
Kerberoast
While it is possible to crack AES-128 (type 17) and AES-256 (type 18) TGS tickets using Hashcat, it will typically be significantly more time consuming than cracking an RC4 (type 23) encrypted ticket.
$krb5tgs$23$
```
hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt
```
If extracted with Mimikatz - Also see Internal Pentest - Kerberoast
```
python2.7 kirbi2john.py sqldev.kirbi
```
This will create a file called crack_file.
```
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat
hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt
```
$krb5tgs$18$
```
hashcat -m 19700 aes_to_crack /usr/share/wordlists/rockyou.txt
```
ASREPRoast
Misconfiguration
```
hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt
```
MsCacheV2 - DCC2
```
// hashcat format
$DCC2$10240#username#7afec****************6d0c
```
```
hashcat64 -a 0 -m 2100 -r /usr/share/hashcat/rules/best64.rule mscachev2.txt passwords\*
```
Convert NetNTLMv1 to NTLM - PTH or Crack
Online
Hash NT obtained - try to break it
NTLMv1 Multitool
```
$ python3 ntlmv1-multi/ntlmv1.py --ntlmv1 'DEV$::HTB:11EBE0BFBF241EE1D55DD9F5535254FCAF77876B9D200341:11EBE0BFBF241EE1D55DD9F5535254FCAF77876B9D200341:1122334455667788'
Hashfield Split:
['DEV$', '', 'HTB', '11E<-SNIP->341', '11EBE0BF<-SNIP->876B9D200341', '1122334455667788']
Hostname: HTB
Username: DEV$
Challenge: 1122334455667788
LM Response: 11EBE<-SNIP->200341
NT Response: 11EBE<-SNIP->77876B9D200341
CT1: 11E<-SNIP->41EE1
CT2: D55<-SNIP->254FC
CT3: AF7<-SNIP->00341
To Calculate final 4 characters of NTLM hash use:
./ct3_to_ntlm.bin AF7<-SNIP->00341 1122334455667788
To crack with hashcat create a file with the following contents:
11<-SNIP->EE1:1122334455667788
D5<-SNIP->5254FC:1122334455667788
echo "11EB<-SNIP->E1:1122334455667788">>14000.hash
echo "D55D<-SNIP->254FC:1122334455667788">>14000.hash
To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1
```
```
$ echo "11EB<-SNIP->E1:1122334455667788">>14000.hash
$ echo "D55D<-SNIP->254FC:1122334455667788">>14000.hash
$ hashcat -m 14000 -a 3 -1 DES_full.charset --hex-charset 14000.hash '?1?1?1?1?1?1?1?1'
```
Other script
```
$ python deskey_to_ntlm.py --hash dev.hash
[+] CT1 key: 11e<-SNIP->41ee1
[+] CT2 key: d55<-SNIP->1ee1
hashcat -m 14000 des_keys.txt -o des_keys.out -a 3 -1 charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1 -w 3
```
```
$ wget https://raw.githubusercontent.com/brannondorsey/naive-hashcat/refs/heads/master/hashcat-3.6.0/charsets/DES_full.charset
$ hashcat -m 14000 des_keys.txt -o des_keys.out -a 3 -1 DES_full.charset --hex-charset '?1?1?1?1?1?1?1?1' -w 3
```
pbkdf2
```
algo : pbkdf2$50000$50
```
>> 50000 iterations, salt length 50
Hashcat format:
```
sha256:<iterations>:<salt_b64>:<hash_b64>
```
```
# echo -n '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16' | base64
OTc5MDcyODBkYzI0ZmU1MTdjNDM0NzViZDIxOGJmYWQ1NmMyNWQ0ZDExMDM3ZDhiNmRhNDQwZWZk
NGQ2OTFhZGZlYWQ0MDMzMGIyYWE2YWFmMWYzMzYyMWQwZDczMjI4ZmMxNg==
# echo -n 'd7cf2c96277dd16d95ed5c33bb524b62' | base64
ZDdjZjJjOTYyNzdkZDE2ZDk1ZWQ1YzMzYmI1MjRiNjI=
# cat emily.hash
sha256:50000:ZDdjZjJjOTYyNzdkZDE2ZDk1ZWQ1YzMzYmI1MjRiNjI=:OTc5MDcyODBkYzI0ZmU1MTdjNDM0NzViZDIxOGJmYWQ1NmMyNWQ0ZDExMDM3ZDhiNmRhNDQwZWZkNGQ2OTFhZGZlYWQ0MDMzMGIyYWE2YWFmMWYzMzYyMWQwZDczMjI4ZmMxNg==
# hashcat -m 10900 emily.hash /usr/share/wordlists/rockyou.txt
```
Or python script:
```python
import hashlib
import binascii


def pbkdf2_hash(password, salt, iterations=50000, dklen=50):
    # PBKDF2-HMAC-SHA256; dklen=50 matches the 100-hex-character (50-byte) target hash
    hash_value = hashlib.pbkdf2_hmac(
        'sha256',
        password.encode('utf-8'),
        salt,
        iterations,
        dklen
    )
    return hash_value


def find_matching_password(dictionary_file, target_hash, salt, iterations=50000, dklen=50):
    target_hash_bytes = binascii.unhexlify(target_hash)
    # errors='ignore' skips wordlist lines that are not valid UTF-8 instead of aborting
    with open(dictionary_file, 'r', encoding='utf-8', errors='ignore') as file:
        for line in file:
            password = line.strip()
            hash_value = pbkdf2_hash(password, salt, iterations, dklen)
            if hash_value == target_hash_bytes:
                print(f"Found password: {password}")
                return password
    print("Password not found.")
    return None


salt = binascii.unhexlify('227d873cca89103cd83a976bdac52486')
target_hash = '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16'
dictionary_file = '200worstpass.txt'
find_matching_password(dictionary_file, target_hash, salt)
```
Werkzeug hash
```
pbkdf2:sha256:600000
```
Django hash - pbkdf2_sha256$20000$
```
hashcat -m 10000 --force django.hash /usr/share/wordlists/rockyou.txt
```
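The three PBKDF2 entries above (the generic `sha256:<iterations>:<salt_b64>:<hash_b64>` line, the Werkzeug `pbkdf2:sha256:600000$...` string and the Django `pbkdf2_sha256$20000$...` string) are the same primitive in three encodings. The added Python example below (not code from the original page, nor from Django or Werkzeug) parses the Django and Werkzeug formats, verifies a candidate password against them with a constant-time comparison, checks the iteration count against a policy minimum, and converts either into the generic line that hashcat -m 10900 reads, using the same base64 step the page performs with `echo -n ... | base64`. The salt, passwords and function names are constructed for this example.

```python
import base64
import hashlib
import hmac

# Added example (not from the original page): parse the Django and Werkzeug
# PBKDF2-SHA256 string formats, verify a candidate password against them, check
# the iteration count against a policy minimum, and emit the generic
# sha256:<iterations>:<salt_b64>:<hash_b64> line that hashcat -m 10900 reads.
# The sample salt and passwords below are constructed for this example.


def pbkdf2_sha256(password, salt, iterations, dklen=None):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)


def parse_stored_hash(stored):
    """Return (iterations, salt bytes, digest bytes) for either stored format."""
    if stored.startswith("pbkdf2_sha256$"):            # Django: algo$iter$salt$base64
        _algo, iterations, salt, b64 = stored.split("$")
        return int(iterations), salt.encode(), base64.b64decode(b64)
    if stored.startswith("pbkdf2:sha256:"):            # Werkzeug: method$salt$hex
        method, salt, hexdigest = stored.split("$")
        iterations = int(method.split(":")[2])
        return iterations, salt.encode(), bytes.fromhex(hexdigest)
    raise ValueError("unrecognised PBKDF2 hash format")


def verify_password(password, stored):
    iterations, salt, digest = parse_stored_hash(stored)
    candidate = pbkdf2_sha256(password, salt, iterations, len(digest))
    return hmac.compare_digest(candidate, digest)     # constant-time comparison


def iteration_count_ok(stored, minimum=600000):
    """Policy check: Werkzeug's default shown above is 600000 rounds."""
    return parse_stored_hash(stored)[0] >= minimum


def to_hashcat_10900(stored):
    """Re-encode as sha256:<iterations>:<salt_b64>:<hash_b64> (hashcat -m 10900)."""
    iterations, salt, digest = parse_stored_hash(stored)
    salt_b64 = base64.b64encode(salt).decode()
    hash_b64 = base64.b64encode(digest).decode()
    return f"sha256:{iterations}:{salt_b64}:{hash_b64}"


def make_django_hash(password, salt, iterations):
    dk = pbkdf2_sha256(password, salt.encode(), iterations)   # 32-byte default output
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(dk).decode()}"


def make_werkzeug_hash(password, salt, iterations):
    dk = pbkdf2_sha256(password, salt.encode(), iterations)
    return f"pbkdf2:sha256:{iterations}${salt}${dk.hex()}"


# Constructed samples: same password and salt, the two iteration counts named on this page
DJANGO_SAMPLE = make_django_hash("Winter2024!", "constructedsalt", 20000)
WERKZEUG_SAMPLE = make_werkzeug_hash("Winter2024!", "constructedsalt", 600000)

if __name__ == "__main__":
    print(DJANGO_SAMPLE)
    print(WERKZEUG_SAMPLE)
    print(verify_password("Winter2024!", DJANGO_SAMPLE), iteration_count_ok(DJANGO_SAMPLE))
    print(to_hashcat_10900(DJANGO_SAMPLE))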
Grafana hashes
Cracking SSH private key
deNaive (script)
```ruby
require 'open3'

if ARGV.size == 2
  password_found = false
  File.readlines(ARGV[1], chomp: true).each do |password|
    # Pass the arguments as an array so that a wordlist entry containing a quote
    # or other shell metacharacter cannot break or alter the command line.
    Open3.popen3('ssh-keygen', '-y', '-f', ARGV[0], '-P', password) { |i, o, e, t|
      error = e.read.chomp
      if error.empty?
        # ssh-keygen printed the public key without complaint: the passphrase is right
        puts "\nThe password is: #{password}"
        password_found = true
      elsif /incorrect passphrase supplied to decrypt private key/.match?(error)
        print '.'
      else
        puts "Error: #{t.value}"
        puts error
      end
    }
    break if password_found
  end
else
  puts "Usage : ruby #{__FILE__} SSH_KEY WORDLIST"
  puts "Example: ruby #{__FILE__} ~/.ssh/id_ed25519_crack /usr/share/wordlists/passwords/richelieu-french-top20000.txt"
end
```
```
ruby ssh-bf.rb ~/.ssh/id_ed25519_crack /usr/share/wordlists/passwords/richelieu-french-top20000.txt
```
John
```
$ ssh2john ~/.ssh/id_ed25519_crack > /tmp/hash_jtr.txt
$ john /tmp/hash_jtr.txt -w=/usr/share/wordlists/passwords/richelieu-french-top20000.txt --format=ssh
```