Cracking Hashes
Tools such as John the Ripper and Hashcat can be used to crack hashes, but both need to be told (or to guess) which hash type they are looking at, so identification comes first.
Identifying Hashes
Use these common markers to identify types manually:
- Length & Character Clues (for raw, unsalted hex digests; several algorithms share each length, so the source of the hash has to decide between them)
  - 32 hex characters (0-9, a-f): MD5, MD4, NTLM (NT hash) or LM.
  - 40 hex characters: SHA-1.
  - 56 hex characters: SHA-224.
  - 64 hex characters: SHA-256.
  - 96 hex characters: SHA-384.
  - 128 hex characters: SHA-512.
- Formatting & Prefixes
  - $ (dollar sign): a crypt-style (Modular Crypt Format) string of the form $id$[rounds=N$]salt$hash. The first field names the scheme, the salt is embedded in the string, and the id decides which cracker mode to use:
    - $1$ = MD5 Crypt (md5crypt)
    - $2a$, $2b$, $2y$ = bcrypt (the next field is the cost, e.g. $2b$12$ means 2^12 iterations)
    - $5$ = SHA-256 Crypt
    - $6$ = SHA-512 Crypt
    - $y$ = yescrypt (the default on recent Debian and Ubuntu releases)
    - $P$, $H$ = phpass, used by WordPress and phpBB
  - = (equals sign): a trailing = is standard Base64 padding, as seen in LDAP {SHA}/{SSHA} values or a digest an application Base64-encoded; decode it and use the raw byte length (20 bytes = SHA-1, 32 bytes = SHA-256, and so on). Crypt-style hashes such as $6$ and WordPress $P$ use their own Base64 alphabets without padding, so they never end in =.
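The markers above as a small classifier, added here as a worked example; it is not code from the original page or from any of the tools the page mentions. It parses crypt-style prefixes, raw hex digests and padded Base64, and returns a list of candidates rather than one answer, because a bare length is ambiguous. The sample strings at the bottom are constructed, except for the NT hash of "password" and the LDAP {SHA} form of SHA-1("password"), which are real values.

```python
import base64
import binascii
import re

# Raw hex digest length -> candidate algorithms. Several algorithms share a length,
# so this only narrows the field; where the hash came from decides.
HEX_LENGTHS = {
    32: ["MD5", "MD4", "NTLM", "LM"],
    40: ["SHA-1"],
    56: ["SHA-224"],
    64: ["SHA-256"],
    96: ["SHA-384"],
    128: ["SHA-512"],
}

# Crypt-style prefixes: $id$[rounds=N$]salt$hash
MCF_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
    "P": "phpass", "H": "phpass",
}
# phpass stores log2(rounds) as one character of this alphabet ($P$B... -> 2**13 = 8192).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def identify(h):
    """Classify one hash string.

    Returns (kind, candidates, params) with kind in 'crypt', 'hex', 'base64', 'unknown'.
    """
    h = h.strip()

    # 1. Crypt-style strings: '$' separates fields and the first field names the scheme.
    if h.startswith("$"):
        f = h.split("$")  # f[0] == '' because of the leading '$'
        scheme = MCF_IDS.get(f[1])
        if scheme is None:
            return ("crypt", [], {"id": f[1]})
        rest = f[2] if len(f) > 2 else ""
        params = {}
        if scheme == "bcrypt" and rest.isdigit():
            params["cost"] = int(rest)  # $2b$12$... -> 2**12 iterations
        elif scheme == "phpass" and rest:
            params["rounds"] = 1 << ITOA64.index(rest[0])
        elif rest.startswith("rounds="):
            params["rounds"] = int(rest[len("rounds="):])
        return ("crypt", [scheme], params)

    # 2. Raw hex digests. Checked before Base64 because every hex string is also valid Base64.
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return ("hex", HEX_LENGTHS.get(len(h), []), {"hex_chars": len(h)})

    # 3. Base64, optionally with an LDAP-style {SCHEME} label. '=' padding is the giveaway;
    #    decode and classify by raw byte length (20 bytes -> SHA-1, 32 -> SHA-256, ...).
    m = re.fullmatch(r"(?:\{([A-Za-z0-9]+)\})?([A-Za-z0-9+/]+={0,2})", h)
    if m:
        try:
            raw = base64.b64decode(m.group(2), validate=True)
        except (binascii.Error, ValueError):
            return ("unknown", [], {})
        params = {"raw_bytes": len(raw)}
        if m.group(1):
            params["label"] = m.group(1)
        return ("base64", HEX_LENGTHS.get(2 * len(raw), []), params)

    return ("unknown", [], {})


if __name__ == "__main__":
    # Constructed samples, except the first two: the NT hash of "password" and the
    # LDAP {SHA} form of SHA-1("password").
    for sample in [
        "8846f7eaee8fb117ad06bdd830b7586c",
        "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
        "$6$rounds=5000$saltsalt$exampleHashExampleHash",
        "$2b$12$abcdefghijklmnopqrstuu",
        "$P$B12345678exampleHashExampleHash",
    ]:
        print(sample[:40].ljust(42), identify(sample))
```

The hex branch deliberately returns several names for 32 characters: nothing in the string itself separates an MD5 from an NT hash, which is the page's point about context.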
We can also use various tools to identify the hash.
Online hash identifiers
Command line tools (both kinds guess from length and character set alone, so they cannot tell MD5 from an NT hash; combine their output with where the hash came from):
- hash-identifier, a Python tool that is easy to use and lists the hash types the value you enter is most likely to be.
- To use hash-identifier, download the Python file hash-id.py from its GitLab page with wget or curl. Then launch it with python3 hash-id.py and enter the hash you are trying to identify. It will give you a list of the most probable formats.
- hash-id
Cracking Windows Authentication Hashes
Authentication hashes are the hashed versions of passwords stored by operating systems; it is sometimes possible to crack them with the same brute-force methods.
Windows stores the NT hash, which is plain MD4 over the password encoded as UTF-16LE, with no salt and no iteration count. An NT hash is 32 hex characters and visually identical to an MD4 or MD5 digest, so it is very important to use context (where the hash came from) to determine the hash type. Because there is no salt, two accounts with the same password have the same NT hash, and every guess costs one MD4 computation.
On Windows, password hashes are stored in the SAM (Security Accounts Manager) database. Windows prevents normal users from reading it, but tools like mimikatz, run with sufficient privileges, circumvent that. The hashes found there are split into LM hashes and NT hashes. Since Windows Vista, LM hashes are no longer stored by default; the LM field then holds the constant aad3b435b51404eeaad3b435b51404ee, which is the LM hash of an empty password. Any other value means a weak, easily cracked LM hash is present.
NT hash is the format modern Windows systems use to store user and service passwords. It is commonly referred to as NTLM, a name that bundles it with the previous Windows password hashing format, LM, hence NT/LM. Strictly, NTLM is the challenge-response authentication protocol that uses the NT hash as its key, but in cracking tools the two names are used interchangeably (hashcat labels the NT hash mode NTLM).
A bit of history: the NT designation for Windows products originally meant New Technology. It was used starting with Windows NT to denote products not built from the MS-DOS Operating System. Eventually, the “NT” line became the standard Operating System type to be released by Microsoft, and the name was dropped, but it still lives on in the names of some Microsoft technologies.
In Windows, the SAM (Security Account Manager) stores local account information, including usernames and password hashes. You can acquire NT hashes by dumping the SAM database on a Windows machine with a tool like Mimikatz, or, for domain accounts, from the Active Directory database NTDS.dit on a domain controller. You may not have to crack the hash to continue: because the NT hash itself is the authentication secret, you can often conduct a "pass the hash" attack instead. Cracking remains a viable option when the password policy is weak, and it is necessary when you need the cleartext, for example for a service that does not accept the hash.
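An added example, not code from the page or from mimikatz, showing the NT hash computed exactly as described: MD4 over the UTF-16LE password, with a pure-Python MD4 because hashlib may not offer it on OpenSSL 3 builds. It also parses pwdump-style lines (user:rid:lmhash:nthash:::), flags whether an LM hash is actually stored by comparing against the empty-password constant, and runs a small dictionary attack. The dump lines and wordlist are constructed; the two NT hashes in them are the real hashes of "password" and of the empty string.

```python
import struct

MASK = 0xFFFFFFFF


def md4(data):
    """Pure-Python MD4 (RFC 1320). hashlib.new('md4') is missing on many OpenSSL 3
    builds unless the legacy provider is loaded, so the digest is implemented here."""
    def rol(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def F(x, y, z):
        return (x & y) | (~x & z)

    def G(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def H(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)

        def rnd(f, order, shifts, k):
            # Step i writes v[t] with t cycling a, d, c, b; the other three words are inputs.
            for i, j in enumerate(order):
                t = (-i) % 4
                x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = rol((v[t] + f(x, y, z) + X[j] + k) & MASK, shifts[i % 4])

        rnd(F, range(16), (3, 7, 11, 19), 0)
        rnd(G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999)
        rnd(H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash: MD4 over the UTF-16LE password. No salt and no iterations, so one MD4
    per candidate, and identical passwords give identical hashes."""
    return md4(password.encode("utf-16-le")).hex()


# LM hash of the empty password: what the LM field holds when no LM hash is stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def parse_pwdump(line):
    """Parse one pwdump-style line (user:rid:lmhash:nthash:::) as SAM dumpers emit them."""
    user, rid, lm, nt = line.split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_stored": lm.lower() != EMPTY_LM}


def crack_nt(target_hex, wordlist):
    """Minimal dictionary attack: return the first word whose NT hash matches, else None."""
    target = target_hex.lower()
    for word in wordlist:
        if nt_hash(word) == target:
            return word
    return None


# Constructed dump lines (not from a real system). The first NT hash is that of
# "password", the second is the NT hash of the empty string (a blank password).
SAMPLE_DUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
]

if __name__ == "__main__":
    words = ["123456", "Summer2024", "password", ""]
    for line in SAMPLE_DUMP:
        e = parse_pwdump(line)
        print(e["user"], "LM stored:", e["lm_stored"], "->", repr(crack_nt(e["nt"], words)))
```

Checking each NT hash against the empty-string value before cracking is a cheap win: an account with 31d6cfe0d16ae931b73c59d7e0c089c0 has no password at all.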
Cracking Hashes from /etc/shadow
The /etc/shadow file is where Linux machines store password hashes. It also stores other information, such as the date of the last password change and password expiration settings, with one entry per line for each user or system account. Each line has the form name:hash:lastchange:min:max:warn:inactive:expire:reserved; a hash field of * or ! means no password is set, and a hash prefixed with ! belongs to a locked account. This file is usually only readable by root, so you need sufficient privileges to access the hashes; if you have them, there is a chance you will be able to crack some of the hashes.
You can crack hashes from the shadow file with John by unshadowing first: unshadow /etc/passwd /etc/shadow > unshadowed.txt merges the two files so that John also sees the GECOS and home-directory fields, which its single mode uses to generate candidate passwords. Then run john unshadowed.txt; John picks the format from the $id$ prefix. Hashcat works on the bare hash strings instead, with one mode per scheme (for example -m 1800 for sha512crypt).
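The unshadow step as a worked example, added here and not John's own code: it merges constructed /etc/passwd and /etc/shadow excerpts the way unshadow does, then decides which entries are worth feeding to a cracker, skipping accounts with no password and flagging locked ones. The hash strings are placeholders in the right format, not real digests.

```python
# Constructed /etc/passwd and /etc/shadow excerpts (not from a real system; the hash
# strings are placeholders in the right format, not real digests).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/sh
"""
SHADOW = """\
root:$6$rounds=5000$saltsalt$exampleHashExampleHash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$y$j9T$saltsaltsalt$exampleHashExampleHash:19700:0:99999:7:::
bob:!$6$saltsalt$exampleHashExampleHash:19700:0:99999:7:::
"""

CRYPT_SCHEMES = {"1": "md5crypt", "2b": "bcrypt", "2y": "bcrypt", "5": "sha256crypt",
                 "6": "sha512crypt", "y": "yescrypt"}


def parse_shadow(text):
    """name:hash:lastchange:min:max:warn:inactive:expire:reserved -> {name: hash}."""
    hashes = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    return hashes


def unshadow(passwd_text, shadow_text):
    """Do what John's unshadow does: replace the 'x' in passwd field 2 with the shadow
    hash. The other passwd fields (UID, GECOS, home, shell) are kept because John's
    single mode derives candidate passwords from them."""
    hashes = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        if line.strip():
            fields = line.split(":")
            fields[1] = hashes.get(fields[0], fields[1])
            merged.append(":".join(fields))
    return merged


def crack_candidates(merged_lines):
    """Pick the entries worth cracking as (name, scheme, locked).

    '*', '!' or '!!' alone mean no password is set, so there is nothing to crack.
    A '!' in front of a hash means the account is locked (passwd -l): login is refused,
    but the hash behind it is real and may still be worth cracking for password reuse."""
    out = []
    for line in merged_lines:
        name, h = line.split(":")[:2]
        if h in ("", "*", "!", "!!", "x"):
            continue
        locked = h.startswith("!")
        h = h.lstrip("!")
        if h.startswith("$"):
            scheme = CRYPT_SCHEMES.get(h.split("$")[1], "other")
        else:
            scheme = "descrypt/other"
        out.append((name, scheme, locked))
    return out


if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    print("\n".join(merged))
    print(crack_candidates(merged))
```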
Cracking SSH Key Passwords
Unless configured otherwise, SSH logins authenticate with a password. You can also configure key-based authentication, which lets you use your private key (for example id_rsa) to log in to a remote machine over SSH. The private key is often itself protected by a passphrase that must be entered before the key can be used. We can use John with ssh2john (ssh2john.py in John's run directory) to turn the key file into a hash John understands, crack the passphrase, and then authenticate over SSH with the key. The cost depends on the key format: legacy PEM keys (-----BEGIN RSA PRIVATE KEY----- with a DEK-Info header) derive the encryption key with a single MD5 pass and crack quickly, while modern openssh-key-v1 keys (-----BEGIN OPENSSH PRIVATE KEY-----) use bcrypt-pbkdf with a configurable round count (ssh-keygen -a), which makes each guess far more expensive.
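An added example, not ssh2john's code, that reads both private-key container formats and reports what a cracker needs to know before guessing: whether the key is encrypted at all, the cipher and KDF, and for openssh-key-v1 the salt and bcrypt-pbkdf round count. The sample keys are assembled from dummy bytes; only the outer container layout is real, the key material is not.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
PEM_HDR = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_FTR = "-----END OPENSSH PRIVATE KEY-----"


def _s(b):
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_s(buf, pos):
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def build_key(cipher, kdf, salt, rounds, pubkey_blob, private_section):
    """Assemble an openssh-key-v1 container. The private section is treated as opaque
    bytes (constructed), so this exercises only the outer format, which is all a
    cracker needs to read before it starts guessing."""
    kdfopts = b"" if kdf == b"none" else _s(salt) + struct.pack(">I", rounds)
    body = (MAGIC + _s(cipher) + _s(kdf) + _s(kdfopts) + struct.pack(">I", 1)
            + _s(pubkey_blob) + _s(private_section))
    b64 = base64.b64encode(body).decode()
    wrapped = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([PEM_HDR, *wrapped, PEM_FTR]) + "\n"


def inspect_key(pem):
    """Report what ssh2john extracts: whether the key is encrypted and, for
    openssh-key-v1, the cipher, KDF, salt and bcrypt-pbkdf round count."""
    lines = pem.strip().splitlines()
    if lines[0] != PEM_HDR:
        # Legacy PEM keys (e.g. -----BEGIN RSA PRIVATE KEY-----) flag encryption in
        # headers; their key derivation is one MD5 pass, so they crack far faster.
        encrypted = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
        dek = next((l.split(":", 1)[1].strip() for l in lines if l.startswith("DEK-Info:")), None)
        return {"format": "pem", "encrypted": encrypted, "dek_info": dek}

    raw = base64.b64decode("".join(lines[1:-1]))
    if not raw.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    pos = len(MAGIC)
    cipher, pos = _read_s(raw, pos)
    kdf, pos = _read_s(raw, pos)
    kdfopts, pos = _read_s(raw, pos)
    (nkeys,) = struct.unpack(">I", raw[pos:pos + 4])
    pos += 4
    _pub, pos = _read_s(raw, pos)
    priv, pos = _read_s(raw, pos)
    info = {"format": "openssh-key-v1", "cipher": cipher.decode(), "kdf": kdf.decode(),
            "encrypted": cipher != b"none", "nkeys": nkeys, "private_len": len(priv)}
    if kdf == b"bcrypt":
        salt, p = _read_s(kdfopts, 0)
        (rounds,) = struct.unpack(">I", kdfopts[p:p + 4])
        info.update(salt=salt.hex(), rounds=rounds)
    return info


# Constructed keys: the public blob and private section are dummy bytes, not key material.
PUB = _s(b"ssh-ed25519") + _s(b"\x01" * 32)
ENCRYPTED_KEY = build_key(b"aes256-ctr", b"bcrypt", b"\x11" * 16, 16, PUB, b"\xaa" * 128)
PLAIN_KEY = build_key(b"none", b"none", b"", 0, PUB, b"\xaa" * 128)

if __name__ == "__main__":
    print(inspect_key(ENCRYPTED_KEY))
    print(inspect_key(PLAIN_KEY))
```

The round count is the number to look at before committing GPU time: every candidate passphrase costs that many bcrypt iterations, so a key made with a high -a value is a much harder target than a legacy PEM key.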