RevsUp Lab

RevsUp Lab: Hashcat 01

resources:
Hashcat Wiki
oclHashcat Details
Hashing
Salts
Rainbow Tables

In this lab we will review the components that go into creating hashed passwords, and eventually cracking these passwords with hashcat. We will start with some basic terms and then break down each argument that is passed when running hashcat.

    5f4dcc3b5aa765d61d8327deb882cf99

At this point this seemingly random assortment of letters and numbers should look familiar, this is a password hash. Specifically, this is an MD5 hash of the word "password". The name MD5 describes the specific hashing algorithm used to encrypt the data from normal text to a hash. The output of a hashing algorithm is always the same length, and in the case of MD5 this length is 32. This number comes from the fact that MD5 always produces a 128-bit(16-byte) hash value. One byte of data can be represented by 2 hexadecimal numbers, so 16 x 2 = 32.

    password -> [hashing algorithm] -> hash

Hashing a password is a one way process, you cannot get the original password by reversing the hash. This is why with hashcat, we must simply create hashes until we find one that matches. In this example a straight attack is being performed. This is also referred to as a dictionary attack or a wordlist attack. Every line of a given dictionary is hashed and compared.

    Hash                                       Attempts to crack
    5f4dcc3b5aa765d61d8327deb882cf99            pass     -> 1a1dc91c907325c69271ddf0c944bc72
                                                word     -> c47d187067c6cf953245f128b5fde62a
                                                password -> 5f4dcc3b5aa765d61d8327deb882cf99

Above shows the process of cracking the hash for "password". The "Dictionary" used is only 3 words, so it is very fast. Each word in the dictionary is hashed and then compared to find a match. By having a larger dictionary more passwords can be cracked, however the larger the dictionary the slower the process will take.

    b305cadbb3bce54f3aa59c64fec00dea:salt

This is also a hash of the word "password" using MD5, but notice it is not the same as before. This is due to adding a Salt. A salt is appended or prepended to your original password before hashing and must be stored. By doing this, someone trying to crack your hash must have both the password and the salt you used, because every different salt used will create a unique hash.

    b305cadbb3bce54f3aa59c64fec00dea:salt
    bdc87b9c894da5168059e00ebffb9077:1234
    9241818c20435c6672dac2c4b6e6c071:5678

These are all hashes of "password", each with a different salt.

Dictionary Attack

Now we will look at a sample run of hashcat and look at each argument.

    ./hashcat64.bin -m 0 -a 0 passwords.hash large.dict

Let's look at each argument step by step.
-m lets hashcat know that you are going to give it the type of hashes it is trying to crack, in this case option 0 is raw MD5.
-a tells hashcat that the next number given will specifify the type of attack to run, for this example the attack type in this case is 0, which is a straight dictionary attack.
passwords.hash This is the file that holds the hashes you wish to crack.
large.dict This is the name of the dictionary you wish hashcat to use to crack your hashes.
Other optional arguments can be passed to hashcat based on the type of attack you are performing, such as the --hex-salt argument we have used previously.

Combination Attack

Next we will look at a second attack type known as combinator. This attack makes use of two dictionaries to artificially increase the size of your wordlist. In a straight attack every line of your dictionary is hashed and compared, but unless you have compound words explicitly written in your dictionary, they can not be found. A combinator attack will combine every line in a dictionary with every line of another dictionary. This attack is specified with the -a 1 option and takes in two dictionaries instead of one.

    Dictionary 1          Dictionary 2          Output
        pass                word                password
        hello               1234                pass1234
                                                helloword
                                                hello1234

If you want to make a combination of every word in your file the same dictionary can be used twice. This attack type greatly expands the possible generated hashes that will be compared to your hashed passwords, sacrificing speed for thoroughness. If you want combinations of dictionaries in a different order, you simply swap the places of the two dictionaries in your call to hashcat.

    ./hashcat64.bin -m 0 -a 1 Dictionary1 Dictionary2
    Dictionary 1          Dictionary 2          Output
        pass                word                password
        hello               1234                pass1234
                                                helloword
                                                hello1234

    ./hashcat64.bin -m 0 -a 1 Dictionary2 Dictionary1
    Dictionary 2          Dictionary 1          Output
        word                pass                wordpass
        1234                hello               wordhello
                                                1234pass
                                                1234hello

For example, using your hash.sh script you can do:

./hash.sh sha1sum 3e 56 a9 89 passwordpassword >> test_combo.hash
./hashcat64.bin -m 120 --hex-salt -a 1 test_combo.hash example.dict example.dict

After you have finished the lab, attempt to complete the following questions.
(1) Why does having a larger dictionary make cracking passwords slower?
(2) Why must a salt be stored if it is used to create a hash?
(3) Why do salts help protect against rainbow table attacks?
(4) If you have a file full of 1000 hashes and you try to crack them with a dictionary of 10,000,000 words, in the worst case scenario how many times does hashcat need to perform a hash? (hint: worst case scenario means hashcat goes through the entire dictionary with no success)
(5) If hashcat is running at a speed of 300 MHashes/s, how long will it take to finish the process from the previous problem?
(6) What is the hashing type specified in this run of hashcat? Also, there is an error among these arguments, what is it?

    ./hashcat64.bin -m 100 -a 0 --hex-salt passwords.hash large.dict

(7) Create 10 passwords that consist of a combination of two words and save them into a file. Run hashMultiPass on that file using a hashing algorithm of your choosing, and perform a combination attack on the hashed passwords.