Password cracking is the process of exposing passwords from data stored on a computer or transmitted over a network. Common techniques include brute force attacks that try all possible password guesses against a cryptographic hash of the password. John the Ripper and Hashcat are popular password cracking tools that can perform brute force cracking of various hashed password formats from Linux, Windows, and other systems. The tools allow generating wordlists and combining techniques to improve cracking efficiency.
Password Cracking and Hash
Password Cracking
Password cracking is the process of recovering passwords from data that has been stored on a
computer or transmitted over a network.
A common approach (a brute-force attack) is to try candidate passwords repeatedly and check
each one against an available cryptographic hash of the password.
The purpose of password cracking is usually to gain unauthorized access to a system; auditors use the
same techniques to find weak passwords before an attacker does.
Hash
A hash function is a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size (the
hash) and is designed to be a one-way function (non-reversible), that is, a function that is
infeasible to invert.
The only way to recover the input from an ideal cryptographic hash function's output is to
try candidate inputs (a brute-force or dictionary search) and see whether one produces a matching hash, or to look
the hash up in a rainbow table of precomputed input/hash pairs (which only works when the hash is unsalted).
John The Ripper
John the Ripper is a free password cracking tool, originally written for Unix systems and now available for
Linux, Windows, macOS and other platforms.
It is one of the most popular password testing and breaking programs because it combines a number of
password crackers into one package, autodetects password hash types, and includes a
customizable cracker.
It can be run against various password hash formats, including the crypt(3) hash
types most commonly found on Unix-like systems, for example DES, MD5, Blowfish (bcrypt), Kerberos AFS and Windows LM
hashes. Additional modules (the "jumbo" build) extend it to MD4-based hashes such as NTLM and to
passwords stored in LDAP, MySQL and many other formats.
Besides its wordlist and rule-based modes, John can perform a true brute-force attack (its "incremental" mode), which
means John keeps generating and testing candidates until it cracks the password or is stopped manually.
John The Ripper - Example
Example: cracking the passwords of local users on Linux.
Combine the user list and the password hashes into one file with unshadow (both source files need root to read), then run John on it:
unshadow /etc/passwd /etc/shadow > hashes.txt
john hashes.txt
/etc/passwd holds the user accounts.
/etc/shadow holds the password hashes.
john --show hashes.txt prints the passwords cracked so far.
Hashcat
Hashcat is a free password cracking tool and the self-proclaimed world's fastest password recovery tool.
It is cross-platform; it historically shipped as separate CPU (hashcat) and GPU (oclHashcat) variants, and current
versions are a single binary that drives CPUs and GPUs through OpenCL or CUDA.
Examples of hashcat-supported hashing algorithms are Microsoft LM and NTLM hashes, MD4, MD5, the SHA family, Unix crypt
formats, MySQL and Cisco PIX.
One benefit of Hashcat is its range of attack modes: it can take several wordlists and combine them (combinator mode, -a 1),
apply mangling rules to a wordlist, or mix a wordlist with a brute-force mask (hybrid modes), which gives better efficiency
and a higher chance of cracking the password than a plain dictionary attack.
Hashcat - Example
Use Hashcat to crack an NTLM hash:
save the hash into a file (ntlm.txt), obtain a wordlist (rockyou.txt, for example), and
crack the hash with the command below:
hashcat -m 1000 -a 0 ntlm.txt rockyou.txt
-a, --attack-mode | 0 (Straight: each wordlist entry is tried as-is)
-m, --hash-type | 1000 (NTLM)
Hashcat prints cracked entries as hash:password; in our example the password is 123456.
Hash Differences
Windows Hash
In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols that
provides authentication, integrity and confidentiality to users.
NT hashes (loosely called NTLM hashes) are the unsalted MD4 digest of the UTF-16LE password. They are stored in the
local Security Account Manager (SAM) database and, for domain accounts, in the Domain Controller's
NTDS.dit database.
Because the NTLM authentication protocol proves possession of the NT hash rather than of the password, any service
that authenticates with NTLM lets an attacker who holds the hash authenticate without ever knowing the password
(pass the hash).
Net-NTLM hashes (NTLMv1/NTLMv2) are what gets captured on the wire during network authentication: they are the
output of a challenge/response computation keyed with the user's NT hash, so each challenge yields a different value.
From a pentesting perspective:
You CAN perform Pass-The-Hash attacks with NT (NTLM) hashes.
You CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes; those can be cracked offline (hashcat -m 5500 for
NTLMv1, -m 5600 for NTLMv2) or relayed to another host while the challenge is still live.
Linux Hash
/etc/shadow holds every local user's password hash (not the password itself) in the form $id$salt$hash, where
the id identifies the algorithm.
The algorithms available depend on the system's crypt(3) library: $1$ md5crypt, $2b$/$2y$ bcrypt (Blowfish),
$5$ sha256crypt, $6$ sha512crypt and, on recent distributions, $y$ yescrypt.
The salt is a random string generated per password and stored beside the hash; because two users with the same
password get different hashes, precomputed rainbow tables are useless and every hash must be attacked individually.
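A parser for the $id$salt$hash entries described above, as an added example that is not code from the original slides or from any cracking tool. It splits each /etc/shadow line into scheme, parameters, salt and digest and flags the accounts that carry nothing crackable (empty, '*' or '!'-locked fields), which is the triage one does before handing a file to john or hashcat. The field names ("status", "params", "crackable") are this example's own choice; the sample lines are constructed and their digests are placeholder strings of the right length, not real hashes.

```python
import re

# Added example (not from the original slides): parse the $id$salt$hash
# entries of /etc/shadow into scheme, parameters, salt and digest, and flag
# accounts with no crackable hash. Field names are this example's own.
# The sample lines are constructed; digests are placeholders, not real hashes.

# crypt(3) scheme identifiers as used by glibc / libxcrypt.
SCHEMES = {
    "1": "md5crypt",
    "2a": "bcrypt (Blowfish)",
    "2b": "bcrypt (Blowfish)",
    "2y": "bcrypt (Blowfish)",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}

_CRYPT_RE = re.compile(r"^\$(?P<id>[^$]+)\$(?P<rest>.+)$")


def parse_shadow_line(line):
    """Describe one /etc/shadow entry; returns None for a line without a password field."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        return None
    pw = fields[1]
    entry = {"user": fields[0], "status": "hashed", "scheme": None,
             "params": None, "salt": None, "digest": None, "crackable": False}
    # Empty field = no password; '*', '!', '!!' or a leading '!' = locked, nothing to crack.
    if pw == "":
        entry["status"] = "empty"
        return entry
    if pw.startswith(("*", "!")):
        entry["status"] = "locked"
        return entry
    m = _CRYPT_RE.match(pw)
    if not m:
        # No $id$ prefix: legacy 13-character DES crypt, 2-char salt then 11-char hash.
        entry.update(scheme="descrypt", salt=pw[:2], digest=pw[2:], crackable=True)
        return entry
    scheme_id, parts = m.group("id"), m.group("rest").split("$")
    entry["scheme"] = SCHEMES.get(scheme_id, "unknown(" + scheme_id + ")")
    try:
        if scheme_id in ("2a", "2b", "2y"):
            # $2b$<cost>$<22-char salt><31-char hash>: salt and hash are not '$'-separated.
            entry.update(params="cost=" + parts[0], salt=parts[1][:22], digest=parts[1][22:])
        elif scheme_id == "y":
            # $y$<params>$<salt>$<hash>
            entry.update(params=parts[0], salt=parts[1], digest=parts[2])
        else:
            # $1$/$5$/$6$: an optional "rounds=N$" may precede the salt (sha256/sha512crypt).
            if parts[0].startswith("rounds="):
                entry["params"] = parts[0]
                parts = parts[1:]
            entry.update(salt=parts[0], digest=parts[1])
    except IndexError:
        entry["status"] = "malformed"
        return entry
    entry["crackable"] = True
    return entry


def crackable_entries(shadow_text):
    """Only the accounts that actually have a hash worth feeding to john or hashcat."""
    parsed = (parse_shadow_line(line) for line in shadow_text.splitlines())
    return [e for e in parsed if e is not None and e["crackable"]]


# Constructed sample /etc/shadow; digests are dummy strings of the right length.
SAMPLE_SHADOW = "\n".join([
    "root:$6$rounds=5000$abcdefgh$" + "A" * 86 + ":19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
    "alice:$y$j9T$saltsalt$" + "B" * 43 + ":19000:0:99999:7:::",
    "bob:!$1$xyz12345$" + "C" * 22 + ":19000:0:99999:7:::",
    "carol:$2b$12$abcdefghijklmnopqrstuv" + "D" * 31 + ":19000:0:99999:7:::",
    "sync:$5$saltsalt$" + "E" * 43 + ":19000:0:99999:7:::",
    "broken:$6$onlysalt:19000:0:99999:7:::",
])

if __name__ == "__main__":
    for e in crackable_entries(SAMPLE_SHADOW):
        print(e["user"], e["scheme"], "salt=" + e["salt"], "params=" + str(e["params"]))
```

Note that "bob" is skipped even though a valid md5crypt hash follows the "!": the leading "!" is how passwd -l locks an account, and the hash is kept only so the lock can be undone, so cracking it gains no login. The per-user salts in the sample ("abcdefgh", "saltsalt") are what defeat rainbow tables: the cracker must recompute the slow crypt function for every candidate and every user separately.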