resources:
Hashcat Wiki
oclHashcat Details
Hashing
Salts
Rainbow Tables
In this lab we will review the components that go into creating hashed passwords, and eventually cracking these passwords with hashcat. We will start with some basic terms and then break down each argument that is passed when running hashcat.
    5f4dcc3b5aa765d61d8327deb882cf99

At this point this seemingly random assortment of letters and numbers should look familiar: this is a password hash. Specifically, this is an MD5 hash of the word "password". The name MD5 identifies the specific hashing algorithm used to transform the data from normal text into a hash. The output of a hashing algorithm is always the same length, and in the case of MD5 this length is 32 hexadecimal characters. This number comes from the fact that MD5 always produces a 128-bit (16-byte) hash value. One byte of data can be represented by 2 hexadecimal digits, so 16 x 2 = 32.
    password -> [hashing algorithm] -> hash

Hashing a password is a one-way process: you cannot get the original password by reversing the hash. This is why with hashcat, we must simply create hashes until we find one that matches. In this example a straight attack is being performed. This is also referred to as a dictionary attack or a wordlist attack. Every line of a given dictionary is hashed and compared.
Hash attempts to crack 5f4dcc3b5aa765d61d8327deb882cf99:

    pass     -> 1a1dc91c907325c69271ddf0c944bc72
    word     -> c47d187067c6cf953245f128b5fde62a
    password -> 5f4dcc3b5aa765d61d8327deb882cf99

The above shows the process of cracking the hash for "password". The "Dictionary" used is only 3 words, so it is very fast. Each word in the dictionary is hashed and then compared to find a match. With a larger dictionary more passwords can be cracked; however, the larger the dictionary, the longer the process will take.
    b305cadbb3bce54f3aa59c64fec00dea:salt

This is also a hash of the word "password" using MD5, but notice it is not the same as before. This is due to adding a salt. A salt is appended or prepended to your original password before hashing and must be stored. By doing this, someone trying to crack your hash must have both the password and the salt you used, because every different salt used will create a unique hash.
    b305cadbb3bce54f3aa59c64fec00dea:salt
    bdc87b9c894da5168059e00ebffb9077:1234
    9241818c20435c6672dac2c4b6e6c071:5678

These are all hashes of "password", each with a different salt.
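The straight attack and salt handling described above, as an added Python example (not part of the original lab and not hashcat's code): each wordlist entry is hashed and compared, and for hash:salt lines both md5(pass.salt) and md5(salt.pass) are tried. The function names and the salted sample lines are constructed for illustration; only the unsalted hash comes from the lab text.

```python
import hashlib

def md5_hex(data: str) -> str:
    """Hex MD5 digest of a text string (32 hex characters)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def parse_hash_line(line):
    """Split 'hash' or 'hash:salt' into (digest, salt-or-None)."""
    digest, sep, salt = line.strip().partition(":")
    return digest.lower(), (salt if sep else None)

def candidates(word, salt):
    """Yield (scheme, digest) for every construction tried for one word."""
    if salt is None:
        yield "md5(pass)", md5_hex(word)
    else:
        yield "md5(pass.salt)", md5_hex(word + salt)  # salt appended
        yield "md5(salt.pass)", md5_hex(salt + word)  # salt prepended

def straight_attack(hash_lines, wordlist):
    """Return {hash_line: (word, scheme)} for each line the wordlist recovers."""
    found = {}
    for line in hash_lines:
        digest, salt = parse_hash_line(line)
        for word in wordlist:
            scheme = next((s for s, d in candidates(word, salt) if d == digest), None)
            if scheme:
                found[line] = (word, scheme)
                break
    return found

# The three-word "Dictionary" from the lab text.
WORDLIST = ["pass", "word", "password"]

# First entry is the unsalted hash from the lab; the rest are constructed samples.
SAMPLE = [
    "5f4dcc3b5aa765d61d8327deb882cf99",
    md5_hex("password" + "s4lt") + ":s4lt",  # constructed: salt appended
    md5_hex("9999" + "word") + ":9999",      # constructed: salt prepended
    md5_hex("not-in-wordlist"),              # constructed: wordlist cannot recover it
]

if __name__ == "__main__":
    for line, (word, scheme) in straight_attack(SAMPLE, WORDLIST).items():
        print(f"{line} -> {word!r} via {scheme}")
```

Because the salt changes the digest for every entry, each salted line has to be hashed against the wordlist separately, and a password outside the wordlist is never recovered.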
    ./cudaHashcat64.bin -m 0 -a 0 passwords.hash large.dict

Let's look at each argument step by step.
    Dictionary 1    Dictionary 2    Output
    pass            word            password
    hello           1234            pass1234
                                    helloword
                                    hello1234

If you want to make a combination of every word in your file, the same dictionary can be used twice. This attack type greatly expands the possible generated hashes that will be compared to your hashed passwords, sacrificing speed for thoroughness. If you want combinations of dictionaries in a different order, you simply swap the places of the two dictionaries in your call to hashcat.
    ./cudaHashcat64.bin -m 0 -a 1 Dictionary1 Dictionary2

    Dictionary 1    Dictionary 2    Output
    pass            word            password
    hello           1234            pass1234
                                    helloword
                                    hello1234

    ./cudaHashcat64.bin -m 0 -a 1 Dictionary2 Dictionary1

    Dictionary 2    Dictionary 1    Output
    word            pass            wordpass
    1234            hello           wordhello
                                    1234pass
                                    1234hello

After you have finished the lab, attempt to complete the following questions.
    ./cudaHashcat64.bin -m 100 -a 0 --hex-salt passwords.hash large.dict

(7) Create a file of plaintext passwords called in. Use the hashMultiPass script to create a file full of sha512 hashes called out. Then use hashcat to try and crack these passwords with a straight attack. Repeat this process using sha512(pass.salt) and sha512(salt.pass).
    ./hashMultiPass -m (hash number) in out
    ./cudaHashcat64.bin -m (hash number) -a (attack type) out large.dict