hashcat - Advanced password recovery utility
Source code on GitHub: https://github.com/hashcat/hashcat
Install hashcat on Fedora Workstation 32
    [tuyen@g73jh ~]$ sudo dnf install hashcat
    [sudo] password for tuyen:
    Last metadata expiration check: 0:14:06 ago on Tue 16 Mar 2021 10:19:22 AM +07.
    Dependencies resolved.
    ========================================================================================================================
     Package              Architecture   Version                     Repository   Size
    ========================================================================================================================
    Installing:
     hashcat              x86_64         6.1.1-1.fc32                updates      1.9 M
    Installing dependencies:
     hwloc-libs           x86_64         2.0.4-3.fc32                fedora       2.0 M
     libclc               x86_64         0.2.0-17.git9f6204e.fc32    fedora       8.0 M
     minizip-compat       x86_64         1.2.11-21.fc32              fedora        32 k
     opencl-filesystem    noarch         1.0-11.fc32                 fedora       7.3 k
    Installing weak dependencies:
     hashcat-doc          noarch         6.1.1-1.fc32                updates      1.5 M
     mesa-libOpenCL       x86_64         20.2.3-1.fc32               updates      342 k
     pocl                 x86_64         1.5-3.fc32                  updates      8.0 M

    Transaction Summary
    ========================================================================================================================
    Install  8 Packages

    Total download size: 22 M
    Installed size: 142 M
    Is this ok [y/N]: y
Example: Brute force MD5 hash using rockyou.txt wordlist
    # cat robot.md5
    c3fcd3d76192e4007dfb496cca67e13b
    # hashcat -m 0 -a 0 robot.md5 /usr/share/wordlists/rockyou.txt --status --quiet
    c3fcd3d76192e4007dfb496cca67e13b:abcdefghijklmnopqrstuvwxyz
    Session..........: hashcat
    Status...........: Cracked
    Hash.Name........: MD5
    Hash.Target......: c3fcd3d76192e4007dfb496cca67e13b
    Time.Started.....: Wed Dec 23 15:37:00 2020 (0 secs)
    Time.Estimated...: Wed Dec 23 15:37:00 2020 (0 secs)
    Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........: 1480.8 kH/s (0.44ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
    Recovered........: 1/1 (100.00%) Digests
    Progress.........: 40960/14344385 (0.29%)
    Rejected.........: 0/40960 (0.00%)
    Restore.Point....: 36864/14344385 (0.26%)
    Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
    Candidates.#1....: holabebe -> loserface1
Example: Identify the hash type of a Linux ssh password
    # hashid < buddy
    Analyzing '$6$3GvJsNPG$ZrSFprHS13divBhlaKg1rYrYLJ7m1xsYRKxlLh0A1sUc/6SUd7UvekBOtSnSyBwk3vCDqBhrgxQpkdsNN6aYP1'
    [+] SHA-512 Crypt
    # hashcat -h | grep 512
    1700 | SHA2-512 | Raw Hash
    17600 | SHA3-512 | Raw Hash
    600 | BLAKE2b-512 | Raw Hash
    11800 | GOST R 34.11-2012 (Streebog) 512-bit, big-endian | Raw Hash
    18000 | Keccak-512 | Raw Hash
    21000 | BitShares v0.x - sha512(sha512_bin(pass)) | Raw Hash
    1710 | sha512($pass.$salt) | Raw Hash, Salted and/or Iterated
    1720 | sha512($salt.$pass) | Raw Hash, Salted and/or Iterated
    1740 | sha512($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated
    1730 | sha512(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated
    1750 | HMAC-SHA512 (key = $pass) | Raw Hash, Authenticated
    1760 | HMAC-SHA512 (key = $salt) | Raw Hash, Authenticated
    11850 | HMAC-Streebog-512 (key = $pass), big-endian | Raw Hash, Authenticated
    11860 | HMAC-Streebog-512 (key = $salt), big-endian | Raw Hash, Authenticated
    12100 | PBKDF2-HMAC-SHA512 | Generic KDF
    20200 | Python passlib pbkdf2-sha512 | Generic KDF
    6500 | AIX {ssha512} | Operating System
    19200 | QNX /etc/shadow (SHA512) | Operating System
    7100 | macOS v10.8+ (PBKDF2-SHA512) | Operating System
    1800 | sha512crypt $6$, SHA512 (Unix) | Operating System
    22200 | Citrix NetScaler (SHA512) | Operating System
    1711 | SSHA-512(Base64), LDAP {SSHA512} | FTP, HTTP, SMTP, LDAP Server
    13711 | VeraCrypt RIPEMD160 + XTS 512 bit | Full-Disk Encryption (FDE)
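The identification step above (hashid, then the hashcat -h lookup that leads to mode 1800) can be turned around to audit your own shadow entries. The Python below is an added example, not part of the original page or of hashcat: it maps each crypt(3) prefix to its scheme and hashcat mode and flags obsolete schemes and low round counts. The names audit_entry and MIN_ROUNDS, the policy threshold, and every sample line except the page's buddy hash are assumptions made for the illustration.

```python
import re

# crypt(3) id -> (scheme, hashcat -m mode or None, obsolete?)
SCHEMES = {
    "1": ("md5crypt", 500, True),
    "5": ("sha256crypt", 7400, False),
    "6": ("sha512crypt", 1800, False),  # the mode looked up on this page
    "2a": ("bcrypt", 3200, False),
    "2b": ("bcrypt", 3200, False),
    "2y": ("bcrypt", 3200, False),
    "y": ("yescrypt", None, False),     # no hashcat mode assumed here
}
DEFAULT_ROUNDS = 5000  # sha256crypt/sha512crypt default when no rounds= field is present
MIN_ROUNDS = 65536     # hypothetical site policy, not a value from the page

MCF = re.compile(r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=(?P<rounds>\d+)\$)?.+$")

def audit_entry(line):
    """Classify one shadow line (user:hash:...) or one bare hash string."""
    fields = line.strip().split(":")
    user, field = (fields[0], fields[1]) if len(fields) > 1 else (None, fields[0])
    result = {"user": user, "scheme": None, "mode": None, "rounds": None, "findings": []}
    if field == "" or field == "*" or field.startswith("!"):
        result["findings"].append("empty password field" if field == "" else "locked account, no usable hash")
        return result
    m = MCF.match(field)
    if not m or m.group("id") not in SCHEMES:
        result["findings"].append("unrecognised format, review manually")
        return result
    scheme, mode, obsolete = SCHEMES[m.group("id")]
    result.update(scheme=scheme, mode=mode)
    if obsolete:
        result["findings"].append(scheme + " is obsolete, rehash on next login")
    if scheme in ("sha256crypt", "sha512crypt"):
        result["rounds"] = int(m.group("rounds") or DEFAULT_ROUNDS)
        if result["rounds"] < MIN_ROUNDS:
            result["findings"].append("rounds=%d below policy minimum %d" % (result["rounds"], MIN_ROUNDS))
    return result

# First entry is the 'buddy' hash from the page; the other lines are constructed samples.
SAMPLE = [
    "$6$3GvJsNPG$ZrSFprHS13divBhlaKg1rYrYLJ7m1xsYRKxlLh0A1sUc/6SUd7UvekBOtSnSyBwk3vCDqBhrgxQpkdsNN6aYP1",
    "alice:$1$abcdefgh$0123456789abcdefghijkl:18700:0:99999:7:::",
    "svc:!:18700::::::",
]
if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit_entry(entry))
```

The buddy hash carries no rounds= field, so it is reported with the default 5000 rounds, which matches the Iteration:...-5000 counter in the hashcat status output for mode 1800.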
Example: Linux password
    # hashcat -m 1800 -a 0 buddy /usr/share/wordlists/rockyou.txt
    hashcat (v6.1.1) starting...

    OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
    =============================================================================================================================
    * Device #1: pthread-Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz, 5786/5850 MB (2048 MB allocatable), 4MCU

    Minimum password length supported by kernel: 0
    Maximum password length supported by kernel: 256

    Hashes: 1 digests; 1 unique digests, 1 unique salts
    Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
    Rules: 1

    Applicable optimizers applied:
    * Zero-Byte
    * Single-Hash
    * Single-Salt
    * Uses-64-Bit

    ATTENTION! Pure (unoptimized) backend kernels selected.
    Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
    If you want to switch to optimized backend kernels, append -O to your commandline.
    See the above message to find out about the exact limits.

    Watchdog: Hardware monitoring interface not found on your system.
    Watchdog: Temperature abort trigger disabled.

    Host memory required for this attack: 65 MB

    Dictionary cache hit:
    * Filename..: /usr/share/wordlists/rockyou.txt
    * Passwords.: 14344385
    * Bytes.....: 139921507
    * Keyspace..: 14344385

    $6$3GvJsNPG$ZrSFprHS13divBhlaKg1rYrYLJ7m1xsYRKxlLh0A1sUc/6SUd7UvekBOtSnSyBwk3vCDqBhrgxQpkdsNN6aYP1:rainbow

    Session..........: hashcat
    Status...........: Cracked
    Hash.Name........: sha512crypt $6$, SHA512 (Unix)
    Hash.Target......: $6$3GvJsNPG$ZrSFprHS13divBhlaKg1rYrYLJ7m1xsYRKxlLh0...N6aYP1
    Time.Started.....: Tue Dec 8 12:22:44 2020 (0 secs)
    Time.Estimated...: Tue Dec 8 12:22:44 2020 (0 secs)
    Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........: 543 H/s (11.06ms) @ Accel:16 Loops:512 Thr:1 Vec:4
    Recovered........: 1/1 (100.00%) Digests
    Progress.........: 192/14344385 (0.00%)
    Rejected.........: 0/192 (0.00%)
    Restore.Point....: 128/14344385 (0.00%)
    Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4608-5000
    Candidates.#1....: carolina -> november

    Started: Tue Dec 8 12:22:42 2020
    Stopped: Tue Dec 8 12:22:46 2020
    # cat root
    $6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9UtDS8PFzCk902AsWx00Ck.
    # hashid < root
    Analyzing '$6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9UtDS8PFzCk902AsWx00Ck.'
    [+] SHA-512 Crypt
    # hashcat -m 1800 -a 0 root /usr/share/wordlists/rockyou-9.txt --quiet
    $6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9UtDS8PFzCk902AsWx00Ck.:love2fish
    #
Example: Brute force shadow file using fasttrack.txt wordlist
    # hashcat -m 1800 -a 0 ./shadow /usr/share/wordlists/fasttrack.txt --quiet
    $6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:secret12
    $6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:secuirty3
    $6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:1qaz2wsx
    $6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:abcd123
Example: Linux ssh login
    # hashcat -a 0 -m 1800 root /usr/share/wordlists/rockyou.txt --status --quiet
    $6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:football
    Session..........: hashcat
    Status...........: Cracked
    Hash.Name........: sha512crypt $6$, SHA512 (Unix)
    Hash.Target......: $6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ...XEVgL.
    Time.Started.....: Thu Jan 7 15:07:35 2021 (1 sec)
    Time.Estimated...: Thu Jan 7 15:07:36 2021 (0 secs)
    Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........: 608 H/s (10.32ms) @ Accel:128 Loops:64 Thr:1 Vec:4
    Recovered........: 1/1 (100.00%) Digests
    Progress.........: 512/14344385 (0.00%)
    Rejected.........: 0/512 (0.00%)
    Restore.Point....: 0/14344385 (0.00%)
    Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4992-5000
    Candidates.#1....: 123456 -> letmein
    #
Example: Brute force SHA-512($pass.$salt) using rockyou.txt wordlist
    # hashcat -m 1710 -a 0 ./hash /usr/share/wordlists/rockyou.txt --quiet
    6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05:november16
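Before a recovered password goes into an audit report, the result line can be re-checked independently of hashcat, which also confirms that the right mode was chosen (1710 and 1720 differ only in concatenation order). The Python below is an added example, not part of the original page or of hashcat; it covers the hash:plain line from the MD5 example and the hash:salt:plain format shown above. The names verify_result and MODES are assumptions, and the salt is taken as literal text, which is how hashcat reads it unless --hex-salt is given.

```python
import hashlib
import hmac

# hashcat mode -> (fields before the plaintext, digest function over bytes)
MODES = {
    0:    (1, lambda pw, salt: hashlib.md5(pw).hexdigest()),
    1710: (2, lambda pw, salt: hashlib.sha512(pw + salt).hexdigest()),  # sha512($pass.$salt)
    1720: (2, lambda pw, salt: hashlib.sha512(salt + pw).hexdigest()),  # sha512($salt.$pass)
}

def verify_result(mode, line):
    """Recompute the digest for one 'hash[:salt]:plain' line; True if it matches."""
    prefix_fields, digest = MODES[mode]
    # Split only on the leading separators: the plaintext may itself contain ':'.
    parts = line.rstrip("\n").split(":", prefix_fields)
    if len(parts) != prefix_fields + 1:
        raise ValueError("line does not have the fields expected for mode %d" % mode)
    target = parts[0].lower()
    salt = parts[1].encode() if prefix_fields == 2 else b""
    plain = parts[-1].encode()
    return hmac.compare_digest(digest(plain, salt), target)

if __name__ == "__main__":
    # Result line from the MD5 example on this page.
    md5_line = "c3fcd3d76192e4007dfb496cca67e13b:abcdefghijklmnopqrstuvwxyz"
    print("mode 0:", verify_result(0, md5_line))

    # Constructed sample for mode 1710: salt 's4lt', password 'pa:ss' (contains a colon).
    constructed = hashlib.sha512(b"pa:ss" + b"s4lt").hexdigest() + ":s4lt:pa:ss"
    print("mode 1710:", verify_result(1710, constructed))
    print("same line as mode 1720:", verify_result(1720, constructed))
```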
Example: Brute force WordPress password hash using rockyou.txt wordlist
    hashcat -m 400 -a 0 ./hash /usr/share/wordlists/rockyou.txt --quiet