This tutorial covers the process of password cracking in a real-world scenario. The main reasons you might need to crack a password is to get credentials during a penetration test or when evaluating intelligence. Both scenarios will happen and having the ability to crack the hash with the tools you have access to is imperative.
Passwords can be obtained in many ways, but for the most part you will be given some sort of hash of the password. The hash is a one way function that will result in a unique fingerprint or signature for every word or file; change one thing and the hash is completely different. Hashcat is a fast way to attack the hash. A oneway hash is just that one way and cannot be reversed; however a computer can run through a massive list of words and hashes looking for a match pretty quickly. Hashcat is touted as the worlds fastest password recovery tool. We will look at the basic functionality today and try to crack some md5 hash’s. There are multiple examples in the Hashcat directory that you can get familiar with and in the future I will make another video covering some more complex examples. Lets get started with an example on Kali Linux in the lab environment, and as a bonus we will do one on Windows 10.
Lets create a password file
We will generate our own password list to simulate what we may receive in daily operations. The scenario we are using is that our pentesters have been able to extract a list of password hashes from a web application and want us to see if we can recover the passwords from the hashes. The task of actually creating the list is straight forward in Linux and that is what we will be using. Open kali Linux in the virtual lab environment. From a terminal window type the following:
echo -n "columbia" | md5sum |tr -d " -" >> target-hashes.txt
What is happening here is we are using the echo command to send the string “columbia” to the command md5sum while suppressing the line feed. This is so it does not get included in the md5 hash. The tr command is getting rid of the – at the end of the md5 hash that is generated. The output is finally appended to the target-hashes.txt file. Do this about five or six more times replacing “columbia” with various other words that might be used as a password.
Recovering the passwords
Now that we have our simulated password file its time to recover the passwords with Hashcat. The first thing we will need to do is extract the rockyou wordlist in Kali. This is just a bZip file and can be extracted by typing the following command:
bzip2 -d rouckyou.bz2
The file is in /usr/share/wordlists along with various other wordlists that we will get into in later tutorials. Hashcat has many options and can crack complex passwords using custom rules but for this tutorial we are going to keep it simple. We will get to the advanced use in future videos. The tool has two main options we are going to be concerned with right now; hash modes and attack mode. Running Hashcat with the –help option will get a list of all the options. Hash mode will specify what type of hashes you are going to recover, in our case we have md5 hashes so we will choose -m 0 for md5. If you are unsure what type of hash you have there is a “hash-identifier” tool that will try to help you figure it out. Attack mode is easier with only a few options, we will use a straight attack by specifying the -a 0 option. Now lets get onto recovering some passwords, type the following in at the command line:
hashcat -m 0 -a 0 target-hashes.txt /usr/share/wordlists/rockyou.txt -O
This should run for a bit, time will depend on how complex the passwords are. When it is done you can check the hashcat.potfile for a list of what Hashcat was able to recover, it will have the hash and password seperated by a colon like so:
Windows has the same command syntax just the location of the binaries will be different. Check out the video to see it in action on both Windows and Linux.