
Cracking Creds

Posted in Pentesting


Cracking

You’ve found a hash and now you want to crack it? First, work out which hash type you’re dealing with. You may already know from experience and from where you obtained the hash, but it’s always good to double check: pick the wrong mode and hashcat either rejects the hash outright or spends hours testing candidates against the wrong algorithm.

You can check manually on the web: do a quick Ctrl+F for your hash’s distinctive pattern (a prefix such as $1$, or a fixed hex length) on one of these reference pages for hashcat and John the Ripper.

    https://hashcat.net/wiki/doku.php?id=example_hashes
    http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats

Otherwise you can use hash-identifier in Kali.

root@kali:/home# hash-identifier 
---snip---
   #########################################################################

   -------------------------------------------------------------------------
 HASH: $1$28772684$iEwNOgGugqO9.bIz5sk8k/

Possible Hashs:
[+]  MD5(Unix)
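The pattern check hash-identifier performs, written out as an added Python example (not code from the original post or from hash-identifier itself). The table of prefixes, lengths, hashcat -m modes and John format names is assumed from the hashcat example_hashes and pentestmonkey pages linked above, and the second sample, a constructed 32-hex-digit string, shows the caveat the tool glosses over: raw MD5, MD4 and NTLM are indistinguishable by pattern alone, so where the hash came from has to break the tie.

```python
import re

# (pattern, name, hashcat -m mode, John the Ripper --format). Mode numbers and
# format names assumed from the reference pages linked above; each regex encodes
# the format's prefix and fixed length.
HASH_PATTERNS = [
    (r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$", "md5crypt, MD5(Unix)", 500, "md5crypt"),
    (r"^\$apr1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$", "Apache $apr1$ MD5", 1600, "md5crypt"),
    (r"^\$5\$(rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{43}$", "sha256crypt", 7400, "sha256crypt"),
    (r"^\$6\$(rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{86}$", "sha512crypt", 1800, "sha512crypt"),
    (r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$", "bcrypt", 3200, "bcrypt"),
    # Three different algorithms all produce an unadorned 32-hex-digit string.
    (r"^[0-9a-fA-F]{32}$", "MD5 (raw)", 0, "raw-md5"),
    (r"^[0-9a-fA-F]{32}$", "MD4 (raw)", 900, "raw-md4"),
    (r"^[0-9a-fA-F]{32}$", "NTLM", 1000, "nt"),
    (r"^[0-9a-fA-F]{40}$", "SHA1 (raw)", 100, "raw-sha1"),
    (r"^[0-9a-fA-F]{64}$", "SHA-256 (raw)", 1400, "raw-sha256"),
    (r"^[0-9a-fA-F]{128}$", "SHA-512 (raw)", 1700, "raw-sha512"),
    (r"^[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$", "NetNTLMv2", 5600, "netntlmv2"),
]


def identify_hash(hash_string):
    """Return every (name, hashcat_mode, john_format) whose pattern matches.
    More than one entry means the pattern alone is ambiguous and the hash's
    origin (a Unix shadow file, an NTDS dump, a web app database) decides."""
    h = hash_string.strip()
    return [(name, mode, john) for pattern, name, mode, john in HASH_PATTERNS
            if re.fullmatch(pattern, h)]


def modes(hash_string):
    """Just the hashcat -m values, sorted, for quick comparison."""
    return sorted(mode for _, mode, _ in identify_hash(hash_string))


if __name__ == "__main__":
    # The hash from the hash-identifier run above, plus a constructed 32-hex value.
    for sample in ("$1$28772684$iEwNOgGugqO9.bIz5sk8k/", "8846f7eaee8fb117ad06bdd830b7586c"):
        for name, mode, john in identify_hash(sample) or [("unknown", None, None)]:
            print(f"{sample}: {name} (hashcat -m {mode}, john --format={john})")
```

The first sample resolves to a single answer (md5crypt, -m 500), matching the tool output above; the 32-hex sample comes back with three modes, which is the signal to go back to the source of the hash rather than guess.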

Once you have your hash identified, it’s time to start crackin’.


Hashcat

Personally, my favorite cracking utility. Since v3.00, hashcat has merged the old CPU-only hashcat and the GPU-based oclHashcat into a single OpenCL tool that runs on the host machine’s CPU and/or GPU. If you have a strong GPU, hashcat will use it to speed up cracking considerably (the run below skips the Phenom CPU and uses the GTX 970). It offers multiple attack modes and supports a wide range of hash types.

The example below cracks a WPA2 handshake captured in a test lab. Several modern Netgear wireless routers use the same naming convention for their default passwords: adjective+noun+3 digits. That is easier for the owner than typing 50+ alphanumeric characters off a sticker printed in 2pt font, and it looks complex enough that many people keep the default, but the structure is fixed, and a wordlist of the adjective+noun combinations already exists in the wild (NetgearKiller.dict below).

Using hashcat’s hybrid wordlist + mask mode (-a 6), an attacker can pair that wordlist with a digit mask. ?d is hashcat’s built-in digit charset (0-9), so the mask ?d?d?d appends every three-digit combination 000-999 to each wordlist entry; the keyspace is the word count times 1000, which is exactly the 10926977 words / 10926977000 keyspace figure hashcat reports below. With the hash type (WPA2, -m 2500) and the password format known, we can fire up hashcat and grab a cup of coffee. hashcat’s own watchdog (the 90c abort trigger in the output below) helps, but it’s still not a bad idea to have a GPU temperature monitor running in case something goes wonky and your precious GPU overheats. Note that current hashcat releases have replaced -m 2500 and the .hccap capture format with -m 22000 and .hc22000 (convert captures with hcxpcapngtool); the attack mode, wordlist and mask syntax are unchanged.
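What the -a 6 run is doing under the hood, as an added Python example that is not from the original post or from hashcat: it expands the wordlist + mask keyspace the way hybrid mode does and derives the WPA2 PMK (PBKDF2-HMAC-SHA1, 4096 rounds over the ESSID) for each candidate. hashcat checks each PMK against the captured handshake’s EAPOL MIC; to stay self-contained this example instead checks against a PMKID, which is also computed straight from the PMK (HMAC-SHA1 of "PMK Name" plus the AP and client MACs) and is the other hash form hashcat’s WPA mode accepts. The ESSID and MACs are taken from the --show output further down, with the first MAC assumed to be the AP and the second the client; the three-word list standing in for NetgearKiller.dict and the "captured" PMKID are constructed here from the passphrase the example then recovers.

```python
import hashlib
import hmac
import itertools

# hashcat's built-in charsets (only the ones a default-password mask needs).
CHARSETS = {
    "?d": "0123456789",
    "?l": "abcdefghijklmnopqrstuvwxyz",
    "?u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
}


def mask_positions(mask):
    """Expand a hashcat mask such as '?d?d?d' into one charset per position.
    Anything that is not a ?x token is taken as a literal character."""
    positions, i = [], 0
    while i < len(mask):
        token = mask[i:i + 2]
        if token in CHARSETS:
            positions.append(CHARSETS[token])
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def keyspace(word_count, mask):
    """Candidates an -a 6 run will try: words x product of the mask charsets."""
    n = 1
    for charset in mask_positions(mask):
        n *= len(charset)
    return word_count * n


def hybrid_candidates(words, mask):
    """Attack mode 6: every wordlist entry with every mask expansion appended."""
    positions = mask_positions(mask)
    for word in words:
        for tail in itertools.product(*positions):
            yield word + "".join(tail)


def wpa2_pmk(passphrase, ssid):
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits.
    Those 4096 rounds are why each WPA candidate costs so much more than an MD5."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk, ap_mac, sta_mac):
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || STA MAC)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def crack_pmkid(target, ssid, ap_mac, sta_mac, words, mask):
    """Return the first candidate whose PMKID matches the target, or None."""
    for candidate in hybrid_candidates(words, mask):
        if pmkid(wpa2_pmk(candidate, ssid), ap_mac, sta_mac) == target:
            return candidate
    return None


# Constructed sample (assumptions, not data from the page): ESSID and MACs from
# the --show output below, a three-word stand-in for NetgearKiller.dict, and a
# "captured" PMKID derived from the passphrase we expect to recover.
SSID = "LABROUTER"
AP_MAC = bytes.fromhex("6cb0ceae2d5f")
STA_MAC = bytes.fromhex("b0a737b80817")
WORDLIST = ["happybird", "stinkybox", "lazycat"]
CAPTURED_PMKID = pmkid(wpa2_pmk("stinkybox310", SSID), AP_MAC, STA_MAC)


if __name__ == "__main__":
    print("keyspace for the run on this page:", keyspace(10926977, "?d?d?d"))
    print("cracked:", crack_pmkid(CAPTURED_PMKID, SSID, AP_MAC, STA_MAC, WORDLIST, "?d?d?d"))
```

Even this toy run makes the cost visible: the match sits 1311 candidates in (all of happybird000-999, then stinkybox000-310), and each candidate is a full 4096-round PBKDF2, which is exactly the work the GPU is parallelising in the real run below.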

C:\hashcat>hashcat64.exe -m 2500 -a 6 net.hccap NetgearKiller.dict ?d?d?d
hashcat (v3.20) starting...

OpenCL Platform #1: Advanced Micro Devices, Inc.
================================================
* Device #1: AMD Phenom(tm) II X4 955 Processor, skipped

OpenCL Platform #2: NVIDIA Corporation
======================================
* Device #2: GeForce GTX 970, 1024/4096 MB allocatable, 13MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable Optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD

Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 75c

Cache-hit dictionary stats NetgearKiller.dict: 171561917 bytes, 10926977 words, 10926977000 keyspace


[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>

When hashcat is done, run it again with --show to print any cracked hashes. --show only reads the potfile (hashcat.pot) where cracked results are stored, so the attack mode, wordlist and mask are ignored: hashcat64.exe -m 2500 net.hccap --show is all that is really needed, which is why the different wordlist name in the command below makes no difference.

C:\hashcat>hashcat64.exe -m 2500 -a 6 net.hccap zzz.txt ?d?d?d --show
LABROUTER:6cb0ceae2d5f:b0a737b80817:stinkybox310

Looks like we got a successful hit: stinkybox310, printed after the ESSID and the two MAC addresses from the capture.
