Hashes

Online Databases

LM, NTLM, md2, md4, md5, md5(md5_hex), md5-half, sha1, sha224, sha256, sha384, sha512, ripeMD160, whirlpool, MySQL 4.1+ (sha1(sha1_bin)), QubesV3.1BackupDefaults

NT Hash (SAM)

Pull Hashes Decryption From Online Sources

Unix password

`/etc/shadow`

cry0l1t3

:

$6$wBRzy$...SNIP...x9cDWUxW1

:

18937

:

0

:

99999

:

7

:

Username

Encrypted password

Last PW change

Min. PW age

Max. PW age

Warning period

Inactivity period

Expiration date

Unused

$<type>$<salt>$<hashed>

Cryptographic Hash Algorithm

$1$

$2a$

$2y$

Eksblowfish

$5$

$6$

$sha1$

$y$

$gy$

$7$

$argon2i$ ...

Argon2

Crack /etc/shadow hashes

cat hash             
user:$1$CrackMe$U93**********UP9iUxGVIvq/:18439:0:99999:7:::

john hash --wordlist=/usr/share/wordlists/rockyou.txt

Hash Identifier

Online:

root:x:0:0:root:/root:/bin/bash

See Privilege escalation - Linux

/etc/passwd

$ cat /etc/passwd

...SNIP...
htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash

htb-student:

x:

1000:

,,,:

/home/htb-student:

/bin/bash

<username>:

<password>:

<uid>:

<gid>:

<comment>:

<home directory>:

<cmd executed after logging in>

Cracking Linux Credentials

Unshadow

$ sudo cp /etc/passwd /tmp/passwd.bak 
$ sudo cp /etc/shadow /tmp/shadow.bak 
$ unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes

hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

Create custom password list

PassGAN

Bash

for i in $(cat pwlist.txt); do echo $i; echo ${i}2019; echo ${i}2020; done > pwd.txt

kwprocessor

Hashcat generating rule-based Wordlist

$ cat custom.rule

:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@

$ hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
$ cat mut_password.list

password
Password
passw0rd
Passw0rd
p@ssword
P@ssword
P@ssw0rd
password!
Password!
passw0rd!
p@ssword!
Passw0rd!
P@ssword!
p@ssw0rd!
P@ssw0rd!

Hashcat Existing Rules

$ ls /usr/share/hashcat/rules/

best64.rule                  specific.rule
combinator.rule              T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
d3ad0ne.rule                 T0XlC-insert_space_and_special_0_F.rule
dive.rule                    T0XlC-insert_top_100_passwords_1_G.rule
generated2.rule              T0XlC.rule
generated.rule               T0XlCv1.rule
hybrid                       toggles1.rule
Incisive-leetspeak.rule      toggles2.rule
InsidePro-HashManager.rule   toggles3.rule
InsidePro-PasswordsPro.rule  toggles4.rule
leetspeak.rule               toggles5.rule
oscommerce.rule              unix-ninja-leetspeak.rule
rockyou-30000.rule

Try best64.rule first

OneRuleToRuleThemAll

hashcat --attack-mode 0 --rules-file OneRuleToRuleThemAll.rule --hash-type 1000 hash /usr/share/wordlists/rockyou.txt

Crunch

Cupp

CeWL

$ cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist
$ wc -l inlane.wordlist

326

Improve the custom wordlist

As we all know few password are just simple words. Many use numbers and special characters. To improve our password list we can use john the ripper. We can input our own rules, or we can just use the standard john-the-ripper rules

john ---wordlist=inlane.wordlist --rules --stdout > wordlist-modified.txt

Source: https://github.com/lamontns/pentest/blob/master/password-related-attacks/generating-custom-password-lists.md

Rainbow Tables - SHA1

RainbowCrack

VM - VMWare and VirtualBox encryption

John The Ripper

$ john --format=<hash_type> <hash or hash_file>

John will output the cracked passwords to the console and the file "john.pot" (~/.john/john.pot) to the current user's home directory.

Hash Format

Example Command

Description

afs

john --format=afs hashes_to_crack.txt

AFS (Andrew File System) password hashes

bfegg

john --format=bfegg hashes_to_crack.txt

bfegg hashes used in Eggdrop IRC bots

john --format=bf hashes_to_crack.txt

Blowfish-based crypt(3) hashes

bsdi

john --format=bsdi hashes_to_crack.txt

BSDi crypt(3) hashes

crypt(3)

john --format=crypt hashes_to_crack.txt

Traditional Unix crypt(3) hashes

des

john --format=des hashes_to_crack.txt

Traditional DES-based crypt(3) hashes

dmd5

john --format=dmd5 hashes_to_crack.txt

DMD5 (Dragonfly BSD MD5) password hashes

dominosec

john --format=dominosec hashes_to_crack.txt

IBM Lotus Domino 6/7 password hashes

EPiServer SID hashes

john --format=episerver hashes_to_crack.txt

EPiServer SID (Security Identifier) password hashes

hdaa

john --format=hdaa hashes_to_crack.txt

hdaa password hashes used in Openwall GNU/Linux

hmac-md5

john --format=hmac-md5 hashes_to_crack.txt

hmac-md5 password hashes

hmailserver

john --format=hmailserver hashes_to_crack.txt

hmailserver password hashes

ipb2

john --format=ipb2 hashes_to_crack.txt

Invision Power Board 2 password hashes

krb4

john --format=krb4 hashes_to_crack.txt

Kerberos 4 password hashes

krb5

john --format=krb5 hashes_to_crack.txt

Kerberos 5 password hashes

john --format=LM hashes_to_crack.txt

LM (Lan Manager) password hashes

lotus5

john --format=lotus5 hashes_to_crack.txt

Lotus Notes/Domino 5 password hashes

mscash

john --format=mscash hashes_to_crack.txt

MS Cache password hashes

mscash2

john --format=mscash2 hashes_to_crack.txt

MS Cache v2 password hashes

mschapv2

john --format=mschapv2 hashes_to_crack.txt

MS CHAP v2 password hashes

mskrb5

john --format=mskrb5 hashes_to_crack.txt

MS Kerberos 5 password hashes

mssql05

john --format=mssql05 hashes_to_crack.txt

MS SQL 2005 password hashes

mssql

john --format=mssql hashes_to_crack.txt

MS SQL password hashes

mysql-fast

john --format=mysql-fast hashes_to_crack.txt

MySQL fast password hashes

mysql

john --format=mysql hashes_to_crack.txt

MySQL password hashes

mysql-sha1

john --format=mysql-sha1 hashes_to_crack.txt

MySQL SHA1 password hashes

NETLM

john --format=netlm hashes_to_crack.txt

NETLM (NT LAN Manager) password hashes

NETLMv2

john --format=netlmv2 hashes_to_crack.txt

NETLMv2 (NT LAN Manager version 2) password hashes

NETNTLM

john --format=netntlm hashes_to_crack.txt

NETNTLM (NT LAN Manager) password hashes

NETNTLMv2

john --format=netntlmv2 hashes_to_crack.txt

NETNTLMv2 (NT LAN Manager version 2) password hashes

NEThalfLM

john --format=nethalflm hashes_to_crack.txt

NEThalfLM (NT LAN Manager) password hashes

md5ns

john --format=md5ns hashes_to_crack.txt

md5ns (MD5 namespace) password hashes

nsldap

john --format=nsldap hashes_to_crack.txt

nsldap (OpenLDAP SHA) password hashes

ssha

john --format=ssha hashes_to_crack.txt

ssha (Salted SHA) password hashes

john --format=nt hashes_to_crack.txt

NT (Windows NT) password hashes

openssha

john --format=openssha hashes_to_crack.txt

OPENSSH private key password hashes

oracle11

john --format=oracle11 hashes_to_crack.txt

Oracle 11 password hashes

oracle

john --format=oracle hashes_to_crack.txt

Oracle password hashes

pdf

john --format=pdf hashes_to_crack.txt

PDF (Portable Document Format) password hashes

phpass-md5

john --format=phpass-md5 hashes_to_crack.txt

PHPass-MD5 (Portable PHP password hashing framework) password hashes

phps

john --format=phps hashes_to_crack.txt

PHPS password hashes

pix-md5

john --format=pix-md5 hashes_to_crack.txt

Cisco PIX MD5 password hashes

john --format=po hashes_to_crack.txt

Po (Sybase SQL Anywhere) password hashes

rar

john --format=rar hashes_to_crack.txt

RAR (WinRAR) password hashes

raw-md4

john --format=raw-md4 hashes_to_crack.txt

Raw MD4 password hashes

raw-md5

john --format=raw-md5 hashes_to_crack.txt

Raw MD5 password hashes

raw-md5-unicode

john --format=raw-md5-unicode hashes_to_crack.txt

Raw MD5 Unicode password hashes

raw-sha1

john --format=raw-sha1 hashes_to_crack.txt

Raw SHA1 password hashes

raw-sha224

john --format=raw-sha224 hashes_to_crack.txt

Raw SHA224 password hashes

raw-sha256

john --format=raw-sha256 hashes_to_crack.txt

Raw SHA256 password hashes

raw-sha384

john --format=raw-sha384 hashes_to_crack.txt

Raw SHA384 password hashes

raw-sha512

john --format=raw-sha512 hashes_to_crack.txt

Raw SHA512 password hashes

salted-sha

john --format=salted-sha hashes_to_crack.txt

Salted SHA password hashes

sapb

john --format=sapb hashes_to_crack.txt

SAP CODVN B (BCODE) password hashes

sapg

john --format=sapg hashes_to_crack.txt

SAP CODVN G (PASSCODE) password hashes

sha1-gen

john --format=sha1-gen hashes_to_crack.txt

Generic SHA1 password hashes

skey

john --format=skey hashes_to_crack.txt

S/Key (One-time password) hashes

ssh

john --format=ssh hashes_to_crack.txt

SSH (Secure Shell) password hashes

sybasease

john --format=sybasease hashes_to_crack.txt

Sybase ASE password hashes

xsha

john --format=xsha hashes_to_crack.txt

xsha (Extended SHA) password hashes

zip

john --format=zip hashes_to_crack.txt

ZIP (WinZip) password hashes

john --wordlist=<wordlist_file> --rules <hash_file>

John - Incremental mode

John - SHA-256

john --format=sha256 hashes_to_crack.txt

John - /etc/shadow - SHA-512

┌─[xor@parrot]─[~/Téléchargements]
└──╼ $ls
passwd  rockyou.txt  rockyou.txt.bz2  shadow
┌─[xor@parrot]─[~/Téléchargements]
└──╼ $unshadow passwd shadow > mypasswd
┌─[xor@parrot]─[~/Téléchargements]
└──╼ $john --wordlist=rockyou.txt mypasswd
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password1        (root)
1g 0:00:00:01 DONE (2019-08-21 15:20) 0.9615g/s 123.0p/s 123.0c/s 123.0C/s 123456..diamond
Use the "--show" option to display all of the cracked passwords reliably
Session completed

John - SSH Private Key - RSA

root@Host-001:~/Bureau# vim id_rsa 
root@Host-001:~/Bureau# python /usr/share/john/ssh2john.py id_rsa > id_rsa_hash.txt
root@Host-001:~/Bureau# john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt

John - Windows NTLM

hashdump format = User Name: RID: LM-HASH Value: NT-HASH value

john hash /usr/share/wordlists/rockyou.txt --format=NT

https://weakpass.com/pre-computed

John - ASREPRoast

john.exe --wordlist=C:\path\to\10k-worst-pass.txt C:\path\to\asrephashes.txt

John - Password Safe - psafe3 file

# /opt/tools/john/run/pwsafe2john.py Backup.psafe3 > backup.hash
# john backup.hash --wordlist=/usr/share/wordlists/rockyou.txt

Hashcat

Hashcat - Generic hash types

hashcat --example-hashes | less

Crunch Wordlist Generator - Create Single Characters

crunch 12 12 -f "/usr/share/crunch/charset.lst" mixalpha-numeric-all -t abracadabra@

With bash:

for i in {1..20}; do echo "password$i"; done

SHA1

echo 'd033e22ae348aeb5660fc2140aec35850c4da997' > admin_hash_sha1.txt

hashcat --hash-type 100 --attack-mode 0 admin_hash_sha1.txt /usr/share/wordlists/rockyou.txt

Wordpress - Phpass - $P$

hashcat -m 400 phpass.hash /usr/share/wordlists/rockyou.txt

sha512crypt $6$, SHA512 (Unix) - /etc/shadow

$6$52450745$k5ka2p8bFuSmoVT1tzOyyuaREkkKBcCNqoDKzYiJL9RaE8yMnPgh2XzzF0NDrUhgrcLwg78xs1w5pJiypEdFX/

hashcat --hash-type 1800 --attack-mode 0 michael.hash /usr/share/wordlists/rockyou.txt

IPMI

General

hashcat -m 7300 ipmi.txt

python3 ipmipwner.py --host 10.129.154.218 -u admin -c python -pW /usr/share/wordlists/rockyou.txt -oH hash -oC crackedHash

HP iLO

hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u

Exegol:

hashcat -m 7300 ipmi.txt -a 3 '\?1\?1\?1\?1\?1\?1\?1\?1' -1 '?d?u'

SAM - NT hash

$ sudo vim hashestocrack.txt

64f12cddaa88057e06a81b54e73b949b
31d6cfe0d16ae931b73c59d7e0c089c0
6f8c3f4d3869a10f3b4f0522f537fd33
184ecdda8cf1dd238d438c4aea4d560d
f7eb9c06fafaa23c4bcf22ba6781c1e2

sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

Online

MD5

hashcat -m 500 -a 0 md5-hashes.list rockyou.txt

Mysql bcrypt Blowfish (Unix) $2*$

echo '$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12' > hash

hashcat --hash-type 3200 --attack-mode 0 hash `fzf-wordlists`

NTMLv2 - Responder

[SMB] NTLMv2-SSP Hash     : mssqlsvc::WIN-02:1122334455667788:67469E50D72CBD81C0555BA21EBEB8E2:010100000000000000A3B0E53898DA01B9CD8682359BA70F0000000002000800460030004100470001001E00570049004E002D004600490037003800360032004B00420052004F00500004003400570049004E002D004600490037003800360032004B00420052004F0050002E0046003000410047002E004C004F00430041004C000300140046003000410047002E004C004F00430041004C000500140046003000410047002E004C004F00430041004C000700080000A3B0E53898DA0106000400020000000800300030000000000000000000000000300000182E238D049AA0230066AE7B95F47CA65F370AC3AD06C2810BBFBB25BE72ACFD0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00390036000000000000000000
exit
[+] Exiting...

hashcat -m 5600 mssqlsvc_hash passwords.list

Kerberoast - SPN

$krb5tgs$23$*: RC4 (type 23) encrypted ticket

$krb5tgs$18$*: AES-256 (Type 18)

While it is possible to crack AES-128 (type 17) and AES-256 (type 18) TGS tickets using Hashcat, it will typically be significantly more time consuming than cracking an RC4 (type 23) encrypted ticket

`$krb5tgs$23$`

hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt

If extracted with Mimikatz - Also see Internal Pentest - Kerberoast

python2.7 kirbi2john.py sqldev.kirbi

This will create a file called crack_file.

sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt

`$krb5tgs$18$`

hashcat -m 19700 aes_to_crack /usr/share/wordlists/rockyou.txt

ASREPRoast

hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt

MsCacheV2 - DDC2

// hashcat format
$DCC2$10240#username#7afec****************6d0c

hashcat64 -a 0 -m 2100 -r /usr/share/hashcat/rules/best64.rule mscachev2.txt passwords\*

Convert NetNTLMv1 to NTLM - PTH or Crack

Online

Hash NT obtained - try to break it

NTLMv1 Multitool

$ python3 ntlmv1-multi/ntlmv1.py --ntlmv1 'DEV$::HTB:11EBE0BFBF241EE1D55DD9F5535254FCAF77876B9D200341:11EBE0BFBF241EE1D55DD9F5535254FCAF77876B9D200341:1122334455667788' 
Hashfield Split:
['DEV$', '', 'HTB', '11E<-SNIP->341', '11EBE0BF<-SNIP->876B9D200341', '1122334455667788']

Hostname: HTB
Username: DEV$
Challenge: 1122334455667788
LM Response: 11EBE<-SNIP->200341
NT Response: 11EBE<-SNIP->77876B9D200341
CT1: 11E<-SNIP->41EE1
CT2: D55<-SNIP->254FC
CT3: AF7<-SNIP->00341

To Calculate final 4 characters of NTLM hash use:
./ct3_to_ntlm.bin AF7<-SNIP->00341 1122334455667788

To crack with hashcat create a file with the following contents:
11<-SNIP->EE1:1122334455667788
D5<-SNIP->5254FC:1122334455667788

echo "11EB<-SNIP->E1:1122334455667788">>14000.hash
echo "D55D<-SNIP->254FC:1122334455667788">>14000.hash

To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1

$ echo "11EB<-SNIP->E1:1122334455667788">>14000.hash
$ echo "D55D<-SNIP->254FC:1122334455667788">>14000.hash
$ hashcat -m 14000 -a 3 -1 DES_full.charset --hex-charset 14000.hash '?1?1?1?1?1?1?1?1'

Other script

$ python deskey_to_ntlm.py --hash dev.hash
[+] CT1 key: 11e<-SNIP->41ee1
[+] CT2 key: d55<-SNIP->1ee1

hashcat -m 14000 des_keys.txt -o des_keys.out -a 3 -1 charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1 -w 3

$ wget https://raw.githubusercontent.com/brannondorsey/naive-hashcat/refs/heads/master/hashcat-3.6.0/charsets/DES_full.charset
$ hashcat -m 14000 des_keys.txt -o des_keys.out -a 3 -1 DES_full.charset --hex-charset '?1?1?1?1?1?1?1?1' -w 3

pbkdf2

algo : pbkdf2$50000$50 >> 50000 iterations, salt length 50

Hashcat format:

sha256:<iterations>:<salt_b64>:<hash_b64>

# echo -n '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16' | base64
OTc5MDcyODBkYzI0ZmU1MTdjNDM0NzViZDIxOGJmYWQ1NmMyNWQ0ZDExMDM3ZDhiNmRhNDQwZWZk
NGQ2OTFhZGZlYWQ0MDMzMGIyYWE2YWFmMWYzMzYyMWQwZDczMjI4ZmMxNg==

# echo -n 'd7cf2c96277dd16d95ed5c33bb524b62' | base64         
ZDdjZjJjOTYyNzdkZDE2ZDk1ZWQ1YzMzYmI1MjRiNjI=

# cat emily.hash
sha256:50000:ZDdjZjJjOTYyNzdkZDE2ZDk1ZWQ1YzMzYmI1MjRiNjI=:OTc5MDcyODBkYzI0ZmU1MTdjNDM0NzViZDIxOGJmYWQ1NmMyNWQ0ZDExMDM3ZDhiNmRhNDQwZWZkNGQ2OTFhZGZlYWQ0MDMzMGIyYWE2YWFmMWYzMzYyMWQwZDczMjI4ZmMxNg==
# hashcat -m 10900 emily.hash /usr/share/wordlists/rockyou.txt

Or python script

import hashlib
import binascii

def pbkdf2_hash(password, salt, iterations=50000, dklen=50):

    hash_value = hashlib.pbkdf2_hmac(

        'sha256',

        password.encode('utf-8'),

        salt,

        iterations,

        dklen

    )

    return hash_value

def find_matching_password(dictionary_file, target_hash, salt, iterations=50000, dklen=50):

    target_hash_bytes = binascii.unhexlify(target_hash)

    with open(dictionary_file, 'r', encoding='utf-8') as file:

        for line in file:

            password = line.strip()

            hash_value = pbkdf2_hash(password, salt, iterations, dklen)

            if hash_value == target_hash_bytes:

                print(f"Found password: {password}")

                return password

    print("Password not found.")

    return None

salt = binascii.unhexlify('227d873cca89103cd83a976bdac52486')

target_hash = '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16'

dictionary_file = '200worstpass.txt'

find_matching_password(dictionary_file, target_hash, salt)

Werkzeug hash

pbkdf2:sha256:600000

Django hash - pbkdf2_sha256$20000$

hashcat -m 10000 --force django.hash /usr/share/wordlists/rockyou.txt

Grafana hashes

Cracking SSH private key

deNaive (script)

require 'open3'

if ARGV.size == 2
  password_found = false

  File.readlines(ARGV[1], chomp: true).each do |password|
    Open3.popen3("ssh-keygen -y -f #{ARGV[0]} -P '#{password}'") { |i,o,e,t|
      error = e.read.chomp
      if error.empty?
        puts "\nThe password is: #{password}"
        password_found = true
      elsif /incorrect passphrase supplied to decrypt private key/.match?(error)
        print '.'
      else
        puts "Error: #{t.value}"
        puts error
      end
    }
    break if password_found
  end
else
  puts "Usage  : ruby #{__FILE__} SSH_KEY WORDLIST"
  puts "Example: ruby #{__FILE__} ~/.ssh/id_ed25519_crack /usr/share/wordlists/passwords/richelieu-french-top20000.txt"
end

ruby ssh-bf.rb ~/.ssh/id_ed25519_crack /usr/share/wordlists/passwords/richelieu-french-top20000.txt

John

$ ssh2john ~/.ssh/id_ed25519_crack > /tmp/hash_jtr.txt
$ john /tmp/hash_jtr.txt -w=/usr/share/wordlists/passwords/richelieu-french-top20000.txt --format=ssh

PreviousCracking NextFiles - Encrypted

Last updated 29 days ago

Was this helpful?