Lab 4.4: Cracking with John the Ripper and Hashcat
Objectives
- To use John the Ripper to crack some hashes from Windows and Linux
- To use Hashcat to crack password hashes from Windows and Linux systems
- To analyze how Hashcat rules files can help crack hashes more successfully
- To compare Hashcat’s performance with that of John the Ripper
Lab Setup
You’ll simply need to have your Slingshot Linux image booted for this lab.
Lab – Step-by-Step Instructions
Step 1. Benchmark John
John the Ripper (John) has already been installed in your VM. Let's first invoke John in test mode.
sec560@slingshot:~$ john --test
It will take a minute or so to run, but you will see its performance for all supported password schemes.
Step 2. Cracking Windows hashes with John
We will now crack some hashes in a sam.txt file included on the course Slingshot Linux image. (This file was originally dumped from a Windows machine.)
By default, John will focus on the LANMAN hashes. Let's run John against the sam.txt file as follows:
sec560@slingshot:~$ cd coursefiles sec560@slingshot:~/coursefiles$ john sam.txt Loaded 13 password hashes with no different salts (LM [DES 128/128 SSE2-16]) Press 'q' or Ctrl-C to abort, almost any other key for status EILRAHC (charlie) INTERNE (dizzy:1) VIRGINI (monk:1) NEWPASS (ted) A (monk:2) CRACKME (Administrator) T12 (dizzy:2)
As it is running, press the Spacebar to get a c/s reading to determine its approximate speed.
Note that the passwords that John cracks are in ALL CAPS. That's because LANMAN converts everything to uppercase. Also, note how John cracks the first seven characters of a LANMAN password separately from the second seven characters, treating each half as though it was a different password. The first half of the password is indicated by the username:1, and the second half is username:2.
After a minute or two, stop John by pressing CTRL-C or q.
Press the Up arrow and run the command again. Notice on this second run that the same passwords are not cracked!
sec560@slingshot:~/coursefiles$ john sam.txt Loaded 13 password hashes with no different salts (LM [DES 128/128 SSE2-16]) Remaining 6 password hashes with no different salts Press 'q' or Ctrl-C to abort, almost any other key for status
If John has cracked a password, it won't attempt to crack the password again.
Press CTRL-C or q to stop John.
To see the full passwords (stitching together the two seven-character pieces of the LANMAN password) that John was able to crack, we can run it with the --show option:
sec560@slingshot:~/coursefiles$ john --show sam.txt Administrator:CRACKME:500:A5C67174B2A219D1AAD3B435B51404EE:363DD639AD34B6C5153C0F51165AB830::: charlie:EILRAHC:1007:380B4695FE1449EBAAD3B435B51404EE:03F9CC43288014DEE4FA4B190D9CA948::: dizzy:INTERNET12:1008:3EACDEE7E4395079BE516DA459FE4E65:1274D7B32A9ABDDA01A5067FE9FBB32B::: Guest:NO PASSWORD:501:NO PASSWORD*********************:NO PASSWORD*********************::: monk:VIRGINIA:1009:AF83DBF0052EE4717584248B8D2C9F9E:A65C3DA63FDB6CA22C172B13169D62A5::: ted:NEWPASS:1006:09EEAB5AA415D6E4AAD3B435B51404EE:18DA6C2895C549E266745951D5DC66CB::: 8 password hashes cracked, 6 left
This command searches inside the john.pot file for the hashes in sam.txt so that it can print the full passwords associated with the users. Let's take a look at the file by running the command below:
sec560@slingshot:~/coursefiles$ cat ~/.john/john.pot $LM$380b4695fe1449eb:EILRAHC $LM$3eacdee7e4395079:INTERNE $LM$af83dbf0052ee471:VIRGINI $LM$09eeab5aa415d6e4:NEWPASS $LM$7584248b8d2c9f9e:A $LM$a5c67174b2a219d1:CRACKME $LM$be516da459fe4e65:T12
On modern systems, it is rare to have LM password hashes. Let's use John and crack the NT hash by running the following command:
sec560@slingshot:~/coursefiles$ john --format=nt sam.txt Using default input encoding: UTF-8 Loaded 8 password hashes with no different salts (NT [MD4 128/128 AVX 4x3]) Warning: no OpenMP support for this hash type, consider --fork=2 Proceeding with single, rules:Single Press 'q' or Ctrl-C to abort, almost any other key for status eilrahc (charlie) Almost done: Processing the remaining buffered candidate passwords, if any. Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist virginia (monk) newpass (ted) Proceeding with incremental:ASCII crackme (Administrator)
Press CTRL-C or q to stop the cracking process. You'll see the cracking process is slower here. Remember, with the LM format the password is converted to uppercase and split. The NT format does not convert the password nor does it split the password. This means that the password is harder to crack.
In this case, we have both the LM and NT password hash. The LM hash cracked very quickly and gave us the uppercase password. We can use this uppercase password with the NT password to recover the original password. If we look back, we can see that we did crack the LM hash for dizzy, but we did not crack the NT hash. We can use a tool in Metasploit to help complete the crack so we can get the case-sensitive password. First, let's take a look at dizzy's line from the sam.txt file.
sec560@slingshot:~/coursefiles$ grep dizzy sam.txt dizzy:1008:3EACDEE7E4395079BE516DA459FE4E65:1274D7B32A9ABDDA01A5067FE9FBB32B:::
As you'll remember, the first hash is the LM hash and the second is the NT hash. We'll use the NT hash and the uppercase password with the Metasploit lm2ntcrack.rb tool. Run the command below to obtain the case-sensitive password for dizzy.
sec560@slingshot:~/coursefiles$ cd sec560@slingshot:~$ /opt/metasploit-framework/tools/password/lm2ntcrack.rb -t NTLM -p INTERNET12 -a 1274D7B32A9ABDDA01A5067FE9FBB32B [*] Correct password provided : internet12
The password for dizzy is internet12.
Step 3: Cracking Linux passwords with John
Now try cracking some Linux passwords.
To generate these passwords, first add some accounts to our machine with the useradd command. Each account will have a default shell set to /usr/sbin/nologin so that no one can use these accounts to log in to the machine:
sec560@slingshot:~$ sudo useradd charlie -s /usr/sbin/nologin sec560@slingshot:~$ sudo useradd dizzy -s /usr/sbin/nologin sec560@slingshot:~$ sudo useradd ted -s /usr/sbin/nologin sec560@slingshot:~$ sudo useradd monk -s /usr/sbin/nologin
Now set a password for each account: Use a password of eilrahc (that's charlie backward). Enter it twice.
sec560@slingshot:~$ sudo passwd charlie Enter new UNIX password: eilrahc Retype new UNIX password: eilrahc passwd: password updated successfully
Use a password of internet12 for dizzy.
sec560@slingshot:~$ sudo passwd dizzy Enter new UNIX password: internet12 Retype new UNIX password: internet12 passwd: password updated successfully
Use a password of newpass for ted.
sec560@slingshot:~$ sudo passwd ted Enter new UNIX password: newpass Retype new UNIX password: newpass passwd: password updated successfully
Use a password of virginia for monk.
sec560@slingshot:~$ sudo passwd monk Enter new UNIX password: virginia Retype new UNIX password: virginia passwd: password updated successfully
Now that we've created the accounts and set their passwords, let's make a copy of the /etc/passwd and /etc/shadow files for John to crack:
sec560@slingshot:~$ cp /etc/passwd passwd_copy sec560@slingshot:~$ sudo cat /etc/shadow > shadow_copy
Note: The second command above will take a copy of
/etc/shadowand a copy that we can read as our regular user.
Then use the unshadow script to combine account info from passwd_copy with password information from shadow_copy, storing the results in combined.txt:
sec560@slingshot:~$ unshadow passwd_copy shadow_copy > combined.txt
Then run John against the combined file:
sec560@slingshot:~$ john combined.txt --format=crypt
Your output will look similar to this:
sec560@slingshot:~$ john combined.txt --format=crypt Using default input encoding: UTF-8 Loaded 6 password hashes with 6 different salts (crypt, generic crypt(3) [?/64]) Loaded hashes with cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) varying from 2 to 6 Loaded hashes with cost 2 (algorithm specific iterations) varying from 1 to 5000 Will run 2 OpenMP threads Proceeding with single, rules:Single Press 'q' or Ctrl-C to abort, almost any other key for status eilrahc (charlie) Almost done: Processing the remaining buffered candidate passwords, if any. Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist bond007 (jim) virginia (monk) newpass (ted)
Let it run for a minute or two, then press CTRL-C or q to quit. It should crack the charlie password (because it is merely the login username backward), the ted password, and the monk password (because newpass and virginia are in the dictionary). The dizzy password of internet12 may crack given enough time. Clearly, though, we've seen how Linux/UNIX SHA-512 password representations take longer to crack than the LANMAN hashes, which crack almost instantly. Also note that John will use its default wordlist if we do not specify one.
If you haven’t changed the sec560 password on the Slingshot image, it will likewise crack rather quickly, as the password matches the account name.
Because we haven't cleared out the john.pot file, as we ran John several times, it has stored our results of the password cracking we’ve done. Look at the john.pot file that stores this status using these commands:
sec560@slingshot:~$ cat .john/john.pot $LM$380b4695fe1449eb:EILRAHC $LM$3eacdee7e4395079:INTERNE $LM$09eeab5aa415d6e4:NEWPASS $LM$7584248b8d2c9f9e:A $LM$af83dbf0052ee471:VIRGINI $LM$a5c67174b2a219d1:CRACKME $LM$be516da459fe4e65:T12 $NT$03f9cc43288014dee4fa4b190d9ca948:eilrahc $NT$a65c3da63fdb6ca22c172b13169d62a5:virginia $NT$18da6c2895c549e266745951d5dc66cb:newpass $1$4BOwIk/E$Cdu.HVgjed5lZZdbwqpEq0:sec560 $6$q9jXernb$jDbB86022/5mRtLrhnp4qtGypy8XSummIHeW6UjJHeHujszUXuA5whpmr9nmM3T5qGE27/5ldAUyznYjDMEJS/:eilrahc $6$aP/h83LB$v.IDO3qoNrX5KPl85DdN2vx8piZQlC56Htz2pYt8DrioMG5JiJPRxIL59ZQeHlJi1g5YlAXd8kZPtEngawFr50:bond007 $6$q1BymiXE$rNCOFQ.3C9I.NhhLSzx190cROwo9CXFSe6qCnsKJknFh/qgz/mp/DdtMBQJoiR65T2Pd3AIYEABk9xWSUpm7u0:virginia $6$4ICP8BW7$Bouy2hckPGaOsZPTePw1bCMF6DXi8hR5IDWmYhcmSIdGkvZ9566YqUVyru3jQRrwvCZLmJX1rFQhWOXBy04vP1:newpass
Note particularly that there is one line for each password that was cracked. No account name is included—just the password information is stored. The john.pot file includes the password hash type (LM for LANMAN, NT for NTLM, and 6 for SHA-512), followed by the salt (only for Linux/UNIX), followed by the password hash, followed by the password itself.
Because John has cracked these passwords already, it won't crack them again, unless we delete the john.pot file or remove the associated password.
Step 3. Hashcat basics
Let’s invoke Hashcat with the --help option so that we can see the built-in documentation of Hashcat. Because it is quite voluminous, let’s pipe it through less to paginate it:
sec560@slingshot:~$ hashcat --help | less
Page through Hashcat’s command line flags—there are a HUGE number of options here. In this lab, we’ll explore some of the most useful.
In the output, we can see that Hashcat requires a -m followed by a hash-type, which is a number that selects from the over 275 types of hashes we can crack. We’ll explore some specific hash types soon. But before we look at that, let’s consider the -a option for attack mode, meaning the way in which Hashcat will use its dictionary. The -a option supports the following values:
- 0: Straight. This mode uses the dictionary words as they appear in their dictionary, with rules applied to them as specified by the
-roption (if present). - 1: Combination. This mode will take each word in the dictionary and append it to each word in the dictionary, essentially squaring the number of potential passwords from a word file. It will also apply the rules indicated by the
-roption (if present) to the resulting combined words. - 3: Brute Force. This mode tries all potential passwords in a given keyspace, iterating through all characters.
- 6: Hybrid + Mask. This mode uses a dictionary but then applies a brute force alteration against it, masking off certain characters of the original dictionary word to prevent changes.
For our work in this lab, we’ll use -a 0 as the most straightforward and common form of attack. Later in the lab, we’ll use the -r option to specify rules that will do word mangling against the dictionary, while still applying our attack type 0.
Next, let’s search for the specific numbers associated with given hash types so that we can indicate which ones to use with the -m option. We can simply pipe the output of Hashcat’s help through grep to look for some common hash types. Let’s start with looking for LANMAN hashes, abbreviated as LM by Hashcat:
sec560@slingshot:~$ hashcat --help | grep LM 5500 | NetNTLMv1 | Network Protocols 5500 | NetNTLMv1+ESS | Network Protocols 5600 | NetNTLMv2 | Network Protocols 3000 | LM | Operating Systems 1000 | NTLM | Operating Systems u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
In your output, you should see a line that says "3000 | LM..." This indicates that to crack LANMAN hashes, we invoke Hashcat with -m 3000. We can also see the numbers that Hashcat associates with NTLMv1 and NTLMv2 in its output here as well because each matches the LM that we grepped for.
To determine the hash type number needed to crack salted MD5 Linux hashes (also known as md5crypt), please run:
sec560@slingshot:~$ hashcat --help | grep md5crypt
500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) | Operating Systems
Here we see that we should invoke Hashcat with -m 500 to crack these hashes, which are associated with "Operating Systems". Finally, let’s look for how to specify SHA512 hashes by running the following command:
sec560@slingshot:~$ hashcat --help | grep sha512
1710 | sha512($pass.$salt) | Raw Hash, Salted and/or Iterated
1720 | sha512($salt.$pass) | Raw Hash, Salted and/or Iterated
1730 | sha512(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated
1740 | sha512($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated
1800 | sha512crypt $6$, SHA512 (Unix) | Operating Systems
6500 | AIX {ssha512} | Operating Systems
We can see that for SHA512 passwords within operating systems, Hashcat uses -m 1800.
Let’s now do some performance benchmarking, starting with -m 3000, which is for LANMAN hashes. Note that we’ll invoke Hashcat with the -w 3 flag, meaning that we want a Workload Profile (-w) number 3. The various options for -w include:
- 1: Low. Minimal impact on GUI performance and low power consumption
- 2: Default. Noticeable impact on GUI and economic power consumption
- 3: High. High power consumption and potentially unresponsive GUI
- 4: Nightmare. Insane power consumption and a headless server because the GUI will not have enough CPU or GPU to respond
For this lab, we’ll use -w 3 because we can often reasonably get about 30% higher performance and the GUI will be responsive enough for us to conduct the lab.
Next, let’s perform some performance measures of Hashcat for common hashing algorithms.
We’ll start with a benchmark to see the performance for cracking hash type -m 3000, also known as LM or LANMAN.
sec560@slingshot:~$ hashcat -w 3 --benchmark -m 3000 hashcat (v5.1.0) starting in benchmark mode... VMware: No 3D enabled (0, Success). clGetDeviceIDs(): CL_DEVICE_NOT_FOUND clGetDeviceIDs(): CL_DEVICE_NOT_FOUND OpenCL Platform #1: Intel(R) Corporation ======================================== * Device #1: Intel(R) Core(TM) i7-6770HQ CPU @ 2.60GHz, 499/1999 MB allocatable, 2MCU OpenCL Platform #2: Mesa, skipped or no OpenCL compatible devices found. Benchmark relevant options: =========================== * --workload-profile=3 Hashmode: 3000 - LM Speed.#1.........: 37468.9 kH/s (55.52ms) @ Accel:1024 Loops:1024 Thr:1 Vec:4
Here you can see the performance in kilohashes per second (kH/s). Please record the speed of LANMAN cracking on your system with Hashcat:
|
|______________________________________________________
Next, let’s look at the performance of cracking salted MD5 (md5crypt) hashes by running:
sec560@slingshot:~$ hashcat -w 3 --benchmark -m 500 hashcat (v5.1.0) starting in benchmark mode... VMware: No 3D enabled (0, Success). clGetDeviceIDs(): CL_DEVICE_NOT_FOUND clGetDeviceIDs(): CL_DEVICE_NOT_FOUND OpenCL Platform #1: Intel(R) Corporation ======================================== * Device #1: Intel(R) Core(TM) i7-6770HQ CPU @ 2.60GHz, 499/1999 MB allocatable, 2MCU OpenCL Platform #2: Mesa, skipped or no OpenCL compatible devices found. Benchmark relevant options: =========================== * --workload-profile=3 Hashmode: 500 - md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) (Iterations: 1000) Speed.#1.........: 5623 H/s (90.01ms) @ Accel:512 Loops:500 Thr:1 Vec:4
Please record the speed of md5crypt cracking on your system with Hashcat:
|
|______________________________________________________
And finally, let’s look at the performance characteristics of sha512crypt, the $6$ hashes associated with some Linux machines:
sec560@slingshot:~$ hashcat -w 3 --benchmark -m 1800 hashcat (v5.1.0) starting in benchmark mode... VMware: No 3D enabled (0, Success). clGetDeviceIDs(): CL_DEVICE_NOT_FOUND clGetDeviceIDs(): CL_DEVICE_NOT_FOUND OpenCL Platform #1: Intel(R) Corporation ======================================== * Device #1: Intel(R) Core(TM) i7-6770HQ CPU @ 2.60GHz, 499/1999 MB allocatable, 2MCU OpenCL Platform #2: Mesa, skipped or no OpenCL compatible devices found. Benchmark relevant options: =========================== * --workload-profile=3 Hashmode: 1800 - sha512crypt $6$, SHA512 (Unix) (Iterations: 5000) Speed.#1.........: 609 H/s (83.41ms) @ Accel:512 Loops:256 Thr:1 Vec:2
Please record the speed of sha512crypt cracking on your system with Hashcat:
|
|______________________________________________________
Notice how LANMAN cracking has the highest performance, with md5crypt being slower, and sha512crypt being even slower. Please do compare the LANMAN and md5crypt time frames to those that you wrote down for John the Ripper in Lab 5.1. Depending on your hardware, you may find that John is faster or Hashcat is faster. The point here is to use whichever is fastest on your given hardware for the given hash types you encounter during a penetration test.
Next, let’s look at Hashcat’s ability to show performance benchmarks for all of its hash algorithms. We won’t let this command finish running because it will take quite a while to run through the enormous number of algorithms supported by Hashcat. Instead, let it run for two or three algorithms and then hit CTRL-C to stop it.
sec560@slingshot:~$ hashcat -w 3 -b --benchmark-all hashcat (v5.1.0) starting in benchmark mode... VMware: No 3D enabled (0, Success). clGetDeviceIDs(): CL_DEVICE_NOT_FOUND clGetDeviceIDs(): CL_DEVICE_NOT_FOUND OpenCL Platform #1: Intel(R) Corporation ======================================== * Device #1: Intel(R) Core(TM) i7-6770HQ CPU @ 2.60GHz, 499/1999 MB allocatable, 2MCU OpenCL Platform #2: Mesa, skipped or no OpenCL compatible devices found. Benchmark relevant options: =========================== * --benchmark-all * --workload-profile=3 Hashmode: 0 - MD5 Speed.#1.........: 20912.3 kH/s (49.95ms) @ Accel:1024 Loops:512 Thr:1 Vec:4 Hashmode: 10 - md5($pass.$salt) Speed.#1.........: 13914.1 kH/s (75.16ms) @ Accel:1024 Loops:512 Thr:1 Vec:4 Hashmode: 11 - Joomla < 2.5.18 Speed.#1.........: 13418.3 kH/s (77.93ms) @ Accel:1024 Loops:512 Thr:1 Vec:4
Step 4: Cracking with Hashcat
We’ll use Hashcat to crack the passwords from the sam.txt file in the coursefiles directory and use John the Ripper's password list.
Invoke Hashcat with a Workload Profile of 3 (-w 3) to use as much computing power as it can while still preserving some GUI access, with attack mode zero (-a 0) to use our dictionary as is to crack hash type 3000, which is LANMAN (-m 3000), storing our output results in a file called cracked.txt (-o cracked.txt). We’ll then specify our sam.txt file to crack and our password.lst as our dictionary, as follows:
sec560@slingshot:~$ hashcat -w 3 -a 0 -m 3000 -o cracked.txt coursefiles/sam.txt /opt/password.lst hashcat (v5.1.0) starting... VMware: No 3D enabled (0, Success). clGetDeviceIDs(): CL_DEVICE_NOT_FOUND clGetDeviceIDs(): CL_DEVICE_NOT_FOUND OpenCL Platform #1: Intel(R) Corporation ======================================== * Device #1: Intel(R) Core(TM) i7-6770HQ CPU @ 2.60GHz, 499/1999 MB allocatable, 2MCU OpenCL Platform #2: Mesa, skipped or no OpenCL compatible devices found. Hashfile '/home/sec560/coursefiles/sam.txt' on line 4 (Guest:...PASSWORD*********************:::): Token encoding exception Hashes: 16 digests; 14 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 1 ... output truncated for brevity ...
When Hashcat finishes running, let’s look at our results, first in the cracked.txt file:
sec560@slingshot:~$ cat cracked.txt aad3b435b51404ee: 7584248b8d2c9f9e:A 3eacdee7e4395079:INTERNE 09eeab5aa415d6e4:NEWPASS af83dbf0052ee471:VIRGINI sec560@slingshot:~$ sec560@slingshot:~$ sec560@slingshot:~$ cat ~/cracked.txt aad3b435b51404ee: 7584248b8d2c9f9e:A 3eacdee7e4395079:INTERNE 09eeab5aa415d6e4:NEWPASS af83dbf0052ee471:VIRGINI
Here you can see that Hashcat cracked several of our passwords, including the blank password (which has a LANMAN hash starting with aad3b43…). We should also look at our potfile, as follows:
sec560@slingshot:~$ cat .hashcat/hashcat.potfile aad3b435b51404ee: 7584248b8d2c9f9e:A 3eacdee7e4395079:INTERNE 09eeab5aa415d6e4:NEWPASS af83dbf0052ee471:VIRGINI
Here we can see that our hashcat.potfile contains the exact same result as our cracked.txt file. That’s because we’ve run Hashcat only once. If we were to crack additional passwords and store their results using -o in another file, the hashcat.potfile will still have all the results from all of Hashcat’s runs, each appended to the other. In other words, hashcat.potfile is Hashcat’s long-term memory of what it has already cracked.
Of special importance above is that Hashcat DID NOT crack the password for the charlie account, which John the Ripper DID crack in our earlier lab. That’s because Hashcat does not use usernames in its cracking operation like John does, and charlie has a password of eilrahc (which is charlie spelled backward). We can approximate John’s use of a username as a potential password by creating a small dictionary file that includes usernames from the sam file. Let’s do that utilizing the Linux cut command, which carves apart files. Start by looking at the sam.txt file:
sec560@slingshot:~$ cat coursefiles/sam.txt Administrator:500:A5C67174B2A219D1AAD3B435B51404EE:363DD639AD34B6C5153C0F51165AB830::: charlie:1007:380B4695FE1449EBAAD3B435B51404EE:03F9CC43288014DEE4FA4B190D9CA948::: dizzy:1008:3EACDEE7E4395079BE516DA459FE4E65:1274D7B32A9ABDDA01A5067FE9FBB32B::: Guest:501:NO PASSWORD*********************:NO PASSWORD*********************::: IUSR_BETTY:1001:44BBEBA9892785E7E130321F8EE908E4:B3FCCBDD70138057477303221118715A::: IWAM_BETTY:1002:A47109F6BCCBF54BD2E55FDA509B7966:C2DA00DE320C442799D03053EFF7819D::: monk:1009:AF83DBF0052EE4717584248B8D2C9F9E:A65C3DA63FDB6CA22C172B13169D62A5::: ted:1006:09EEAB5AA415D6E4AAD3B435B51404EE:18DA6C2895C549E266745951D5DC66CB::: TsInternetUser:1000:AAC70116CB404F310EB3621B7749050D:5E20E67E47C007014D05B54ADACA11BC:::
Here you can see that the username is the first item in this colon-delimited file. Please run the cut command with the -d option to specify a delimiter of : (-d:), pulling out field 1 (-f 1) from the sam.txt file.
sec560@slingshot:~$ cut -d: -f 1 coursefiles/sam.txt Administrator charlie dizzy Guest IUSR_BETTY IWAM_BETTY monk ted TsInternetUser
You should see just the usernames on the screen. Let’s store those results in a file called names.txt:
sec560@slingshot:~$ cut -d: -f 1 coursefiles/sam.txt > names.txt sec560@slingshot:~$ cat names.txt Administrator charlie dizzy Guest IUSR_BETTY IWAM_BETTY monk ted TsInternetUser
And now let’s invoke Hashcat, adding our names.txt file as a second dictionary in the command invocation. It’s really convenient that Hashcat simply allows us to append multiple dictionary files to its command line.
sec560@slingshot:~$ hashcat -w 3 -a 0 -m 3000 -o cracked.txt coursefiles/sam.txt /opt/password.lst names.txt
When Hashcat is finished running, let’s look at our cracked.txt and hashcat.potfile files:
sec560@slingshot:~$ cat cracked.txt aad3b435b51404ee: 7584248b8d2c9f9e:A 3eacdee7e4395079:INTERNE 09eeab5aa415d6e4:NEWPASS af83dbf0052ee471:VIRGINI sec560@slingshot:~$ cat .hashcat/hashcat.potfile aad3b435b51404ee: 7584248b8d2c9f9e:A 3eacdee7e4395079:INTERNE 09eeab5aa415d6e4:NEWPASS af83dbf0052ee471:VIRGINI
Sadly, we still do not see the eilrahc password. That’s because while we DID use a wordlist with the word charlie in it, Hashcat does not automatically mangle the words like John the Ripper does. We need to apply such an operation using our rules files. Let’s look at the available rules files that Hashcat comes with:
sec560@slingshot:~$ ls ls -l /usr/local/share/doc/hashcat/rules/ Incisive-leetspeak.rule InsidePro-HashManager.rule InsidePro-PasswordsPro.rule T0XlC-insert_00-99_1950-2050_toprules_0_F.rule T0XlC-insert_space_and_special_0_F.rule T0XlC-insert_top_100_passwords_1_G.rule T0XlC.rule T0XlCv1.rule best64.rule combinator.rule d3ad0ne.rule dive.rule generated.rule generated2.rule hybrid leetspeak.rule oscommerce.rule rockyou-30000.rule specific.rule toggles1.rule toggles2.rule toggles3.rule toggles4.rule toggles5.rule unix-ninja-leetspeak.rule
As you can see, Hashcat has a lot of different rules files. Let’s look at one of the most useful, best64.rule:
sec560@slingshot:~$ cat /usr/local/share/doc/hashcat/rules/best64.rule ## nothing, reverse, case... base stuff : r u T0 ## simple number append $0 $1 $2 $3 $4 $5 $6 $7 $8 $9 ## special number append $0 $0 $0 $1 $0 $2 $1 $1 ... output trucated for brevity ...
The whitespace above is ignored, but it helps to make it more readable. The $0 $0 means password0password0.
In this rule file, you see that each word is attempted as is (:), reversed (r), and all uppercase (u), and the case of the first character is toggled (T0). Additionally, each word ($) is taken and a single digit applied to the end of it ($0 up to $9). We then have each word with a digit repeated twice ($0 $0), remembering that whitespace is ignored. The rules in this file go on and on and are often quite clever. Let’s apply them to our cracking attempt with the -r option specifying this rules file:
sec560@slingshot:~$ hashcat -w 3 -a 0 -m 3000 -o cracked.txt coursefiles/sam.txt names.txt /opt/password.lst -r /usr/local/share/doc/hashcat/rules/best64.rule
When that finishes running, let’s look at our results:
sec560@slingshot:~$ cat cracked.txt aad3b435b51404ee: 7584248b8d2c9f9e:A 3eacdee7e4395079:INTERNE 09eeab5aa415d6e4:NEWPASS af83dbf0052ee471:VIRGINI 380b4695fe1449eb:EILRAHC be516da459fe4e65:T12 sec560@slingshot:~$ cat .hashcat/hashcat.potfile aad3b435b51404ee: 7584248b8d2c9f9e:A 3eacdee7e4395079:INTERNE 09eeab5aa415d6e4:NEWPASS af83dbf0052ee471:VIRGINI 380b4695fe1449eb:EILRAHC be516da459fe4e65:T12
You should now see that the EILRAHC password successfully cracked! In this way, we’ve shown that adding a username file to our dictionary list can be quite useful with Hashcat, and applying a rule can be even more useful. With both together, we were able to successfully crack charlie’s hash, mimicking the capability of John the Ripper. But remember that Hashcat can support MANY more algorithms than John the Ripper can, plus, on some hardware, Hashcat has greater performance.
Step 5: Cracking Linux passwords with Hashcat
Finally, let’s apply our technique to cracking another type of hash, specifically the $6$ hashes associated with sha512crypt, like those for new accounts created on Slingshot Linux. Remember, Hashcat does NOT use usernames or GECOS fields in its cracking operation, so we do not need that information from /etc/passwd.
As we mentioned earlier in this course, it can be very helpful to take already-cracked passwords and add them to a dictionary file so that we do not have to apply word-mangling rules to them again before rediscovering the password when it is hashed using a different algorithm. In other words, we’ve already mangled some words and cracked their hashes, so why mangle those words again if we come up against the same password with a different hash algorithm? We’ll be more efficient if we take the mangled words and add them to our wordlist file. Let’s do that, utilizing the cut command on the colon-delimited shadow file to pull out field 2, storing the results in a file called clear.txt:
sec560@slingshot:~$ cat cracked.txt aad3b435b51404ee: 7584248b8d2c9f9e:A 3eacdee7e4395079:INTERNE 09eeab5aa415d6e4:NEWPASS af83dbf0052ee471:VIRGINI 380b4695fe1449eb:EILRAHC be516da459fe4e65:T12 sec560@slingshot:~$ cut -d: -f 2 cracked.txt > clear.txt sec560@slingshot:~$ cat clear.txt A INTERNE NEWPASS VIRGINI EILRAHC T12
Here we can see that the file clear.txt contains the passwords we’ve already cracked.
Now let’s use Hashcat to crack some Linux hashes with the following options:
The options used are:
-w 3: Wordload "High"-a: Brute force attack mode-m 1800: Hash mode of "sha512crypt $6$, SHA512 (Unix)"-o cracked: Outfile for recovered hashesshadow_copy: The file containing hashes- 3 Wordlists:
names.txtclear.txt/opt/password.lst
-r /usr/local/share/doc/hashcat/rules/best64.rule: Mangling rules file
Run the following command:
sec560@slingshot:~$ hashcat -w 3 -a 0 -m 1800 -o cracked.txt shadow_copy names.txt clear.txt /opt/password.lst -r /usr/local/share/doc/hashcat/rules/best64.rule
The options used are:
-w 3: Wordload "High"-a: Brute force attack mode-m 1800: Hash mode of "sha512crypt $6$, SHA512 (Unix)"-o cracked: Outfile for recovered hashesshadow_copy: The file containing hashes- 3 Wordlists:
names.txtclear.txt/opt/password.lst
-r /usr/local/share/doc/hashcat/rules/best64.rule: Mangling rules file
As it runs, you’ll see that Hashcat is parsing the file, looking for the hash type of 1800 (which is indicated by the $6$ preceding a SHA512 hash). When it sees a line without such a hash, Hashcat says, "Signature unmatched", and moves on. Once it finds the $6$ hash, it will begin trying to crack it. You can hit the s key to get the status, which will also be displayed on the screen periodically. When it finishes running, let’s look at our results:
sec560@slingshot:~$ cat cracked.txt aad3b435b51404ee: 7584248b8d2c9f9e:A 3eacdee7e4395079:INTERNE 09eeab5aa415d6e4:NEWPASS af83dbf0052ee471:VIRGINI 380b4695fe1449eb:EILRAHC be516da459fe4e65:T12 $6$s0y9cFKh$RXp3whwBHWSUD3x9eDFHJ5k8ebtDHqRlEBJK5DmgMTEFexXxOKAQjvbm3lcpa1DdN4xBzQKHDryfP3AgVYghG0:internet12 sec560@slingshot:~$ cat .hashcat/hashcat.potfile aad3b435b51404ee: 7584248b8d2c9f9e:A 3eacdee7e4395079:INTERNE 09eeab5aa415d6e4:NEWPASS af83dbf0052ee471:VIRGINI 380b4695fe1449eb:EILRAHC be516da459fe4e65:T12 $6$s0y9cFKh$RXp3whwBHWSUD3x9eDFHJ5k8ebtDHqRlEBJK5DmgMTEFexXxOKAQjvbm3lcpa1DdN4xBzQKHDryfP3AgVYghG0:internet12
Here you can see that the $6$ hash for charlie, with a unique salt created by your system when you set charlie’s password, has successfully cracked.
We have now seen how we can create specialized dictionaries of usernames and already-cracked passwords to improve the success rate of Hashcat in cracking passwords.
Step 6: Wrap up
To finish the lab, let’s remove the various artifacts we created during the lab, including successfully cracked passwords, the hash files we created, and the custom dictionaries:
sec560@slingshot:~$ rm cracked.txt sec560@slingshot:~$ rm names.txt sec560@slingshot:~$ rm clear.txt sec560@slingshot:~$ rm passwd_copy sec560@slingshot:~$ rm shadow_copy sec560@slingshot:~$ rm combined.txt sec560@slingshot:~$ rm .hashcat/hashcat.potfile sec560@slingshot:~$ rm .john/john.pot
Now that we’ve finished this lab, delete the accounts we created on our Linux machine with the userdel command:
sec560@slingshot:~$ sudo userdel charlie sec560@slingshot:~$ sudo userdel dizzy sec560@slingshot:~$ sudo userdel ted sec560@slingshot:~$ sudo userdel monk
Conclusion
In this lab, we both ran John to crack Windows and Linux password hashes and we analyzed the john.pot file to see how John stores successfully cracked password hashes. Each of these techniques is useful for penetration testers to discern passwords and use them for gaining deeper access into target environments.
Additionally, we have leveraged Hashcat to crack Windows and Linux password hashes, analyzing some of the performance characteristics of Hashcat and comparing them to John the Ripper. For a penetration test, a tester should evaluate the performance of John the Ripper and Hashcat on the given available hardware and determine which one will crack passwords more quickly for the specific hash types encountered in the penetration test. We’ve also looked at how we can apply word-mangling rules to our Hashcat runs and how we can leverage usernames and already-cracked passwords to create new dictionaries of potential passwords for Hashcat. Each of these techniques is highly useful in real-world penetration testing.