Crack Password
Hossam Shady
+201003425890
▪ In this module we will cover the techniques used to crack the passwords of services and protocols
▪ Then we will see how to crack hashes of many types
▪ There are many tools we will use, such as:
▪ Hydra, crunch, hashcat, john, etc.
▪ Suppose you find SSH or FTP services open on ports 22 and 21
▪ When you try to access these services as root or admin, you find they are password protected
▪ Now we need to crack this password, so we will use:
▪ First we need to scan the open ports on the IP:
▪ We found open port 2222 with the SSH service enabled
▪ Now we need to search for a good wordlist to work with:
▪ There is a wordlist called [Link]; you can download it from Google and then use it:
▪ After running Hydra, which is used for brute forcing passwords, we found the password for accessing the SSH server
▪ There are other ways to find passwords related to the site or the company, such as:
▪ [Link] (seized by the FBI)
▪ [Link]
▪ [Link]
▪ Another way to find valid credentials is password spraying: we fix one password and brute force the username, as:
▪ Suppose you get blocked while brute forcing the password; then you can try submitting known valid credentials every 10 attempts
▪ Suppose you find an HTTP login page and need to find the password:
▪ We can use many tools, such as:
▪ 1- Hydra
▪ 2- Burp Suite Intruder
▪ 3- Burp Suite Turbo Intruder
▪ 4- ffuf
▪ Etc.
▪ 1- Hydra: we found the login page as:
▪ Here too you would use Hydra with the wordlist called [Link]
▪ But first we need to know what error an invalid password returns:
▪ Hydra can be used for password discovery or password spraying
▪ We can also use:
▪ 2- Burp Suite Intruder: load a proper wordlist in Burp Suite and then filter the responses by status code and response size
▪ Now we need to know more about hash and encryption cracking
▪ JtR is more of a CPU-based cracking tool, which also supports GPUs, while Hashcat is mainly a GPU-based cracking tool that also supports CPUs. JtR can be run without any additional drivers using only CPUs for password cracking.
▪ Hashcat requires OpenCL or CUDA for the GPU cracking process. For most algorithms, a GPU is much faster than a CPU since modern GPUs contain thousands of cores, each of which can share part of the workload. However, some slow hashing algorithms (like bcrypt) work better on CPUs.
▪ The keyspace consists of the character set to the power of the number of characters, i.e., the length of the original information (password).
▪ For example, if we use the lower-case Latin alphabet (26
characters), upper case alphabet (26 characters), and the numbers
from 0 to 9 (10 characters), we have a character set of 62
possible variations for every character.
▪ If we are faced with a five-character password, we are facing 62
to the power of five possible passwords containing these five
characters.
▪ We now need to know how many guesses are needed to crack a password consisting of 5 characters
▪ Now we need to know more about hashcat:
▪ The benchmark displays hash rates for all supported modes of
Hashcat.
▪ The listing above is shortened, since Hashcat supports many hash
algorithms.
▪ For now, we are only interested in MD5, SHA1, and SHA-256. The
values of the hash rates are in MH/s in which 1 MH/s equals
1,000,000 hashes per second.
▪ Note that results will vary on different hardware. Let's make a note of the hash rates shown in the CPU benchmark in the listing and run a GPU benchmark so we can compare the results.
▪ Let's compare our GPU and CPU hash rates.
▪ In this example, we'll calculate the cracking time for SHA-256 with the keyspace of 916,132,832, which we calculated previously.
▪ We already know that 1 MH/s equals 1,000,000 hashes per second. Therefore, we can again use Python to calculate the CPU and GPU cracking times.
▪ The first command uses the SHA-256 hash rate of the CPU from Listing 7, and the second command uses the SHA-256 hash rate of the GPU from the Listing.
▪ The output of our calculations is in seconds.
▪ The output shows that we can calculate all possible hashes for this keyspace in under one second with a GPU, and in approximately seven seconds on a CPU.
▪ Let's use the same character set but with an increased password length of 8 and 10 to get a better understanding of how cracking time scales with password length.
▪ For this, we'll use the GPU hash rate for SHA-256 in our calculations.
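The keyspace and cracking-time arithmetic from the slides above (62^5 = 916,132,832 candidates, then the length 8 and 10 comparison), as an added Python example that is not part of the original deck. The CPU and GPU hash rates are assumed values chosen to match the "under one second / about seven seconds" statement, since the benchmark listings are not reproduced here.

```python
# Added example (not from the original slides): keyspace size and worst-case
# brute-force time for the 62-character set discussed above. The hash rates are
# ASSUMED values picked to match the slides' CPU/GPU timing statement.

CHARSET_SIZE = 26 + 26 + 10          # lower + upper + digits = 62

# Assumed SHA-256 hash rates in MH/s (1 MH/s = 1,000,000 hashes per second).
ASSUMED_CPU_MHS = 130
ASSUMED_GPU_MHS = 1500


def keyspace(charset_size, length):
    """Number of candidate passwords: charset_size ** length."""
    return charset_size ** length


def cracking_time_seconds(space, rate_mhs):
    """Time to try every candidate in `space` at `rate_mhs` million hashes/s."""
    return space / (rate_mhs * 1_000_000)


def human_time(seconds):
    """Render seconds in the largest convenient unit for a policy discussion."""
    for unit, size in (("years", 365 * 24 * 3600), ("days", 24 * 3600),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.2f} seconds"


def scaling_table(lengths, rate_mhs):
    """(length, keyspace, seconds) rows showing how time grows with length."""
    return [(n, keyspace(CHARSET_SIZE, n),
             cracking_time_seconds(keyspace(CHARSET_SIZE, n), rate_mhs))
            for n in lengths]


if __name__ == "__main__":
    space5 = keyspace(CHARSET_SIZE, 5)      # 916,132,832, as on the slides
    print(f"keyspace for length 5: {space5:,}")
    print(f"CPU ({ASSUMED_CPU_MHS} MH/s): "
          f"{human_time(cracking_time_seconds(space5, ASSUMED_CPU_MHS))}")
    print(f"GPU ({ASSUMED_GPU_MHS} MH/s): "
          f"{human_time(cracking_time_seconds(space5, ASSUMED_GPU_MHS))}")
    # Lengths 8 and 10 at the GPU rate, the comparison the slides call for.
    for n, space, secs in scaling_table([5, 8, 10], ASSUMED_GPU_MHS):
        print(f"length {n:2d}: {space:>28,} candidates -> {human_time(secs)}")
```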
▪ Mutating Wordlists:
▪ Password policies, which have grown in prevalence in recent
years, dictate a minimum password length and the use of character
derivations including upper and lower case letters, special
characters, and numerical values.
▪ Let's install SecLists, which contains the [Link] file:
▪ # sudo apt update
▪ # sudo apt install git -y
▪ # git clone [Link] /usr/share/seclists
▪ # cd /usr/share/seclists/Passwords/Leaked-Databases/
▪ # tar -xvf [Link]
▪ # cat [Link] | wc
▪ You will find [Link]; then we need to edit the content of that file as follows:
▪ We'll remove all number sequences (which don't fit the password policy) from [Link] by using sed, with ^1 matching all lines starting with a "1", d deleting them, and -i editing the file in place.
▪ The Hashcat Wiki provides a list of all possible rule functions with examples.
▪ If we want to add a character, the simplest form is to prepend or append it.
▪ We can use the $ function to append a character or ^ to prepend a character.
▪ Both of these functions expect one character after the function selector. For example, if we want to prepend a "3" to every password in a file, the corresponding rule function would be ^3.
▪ When generating a password with a numerical value, many users
simply add a "1" at the end of an existing password. Therefore,
let's create a rule file containing $1 to append a "1" to all
passwords in our wordlist. We'll create a [Link] with this
rule function. We need to escape the special character "$" to
echo it into the file correctly.
▪ This example adds the rule to the file, which will put the number 1 after every word in the wordlist
▪ Now, we can use hashcat with our wordlist mutation, providing the rule file with -r, and --stdout, which starts Hashcat in debugging mode.
▪ In this mode, Hashcat will not attempt to crack any hashes, but merely display the mutated passwords.
▪ In this example, it adds the number 1 after every line or word inside the file called [Link]
▪ Now let's talk about rules:
▪ Good! We have adapted the [Link] rule file to two of the three password policies.
▪ Let's work on the third and add a special character. We'll start with "!", which is a very common special character.
▪ Based on this assumption, we'll add $! to our rule file. Since we want all rule functions applied to every password, we need to specify the functions on the same line.
▪ Again, we will demonstrate this with two different rule files to stress the concept of combining rule functions.
▪ In the first rule file we'll add $! to the end of the first rule. In the second rule file we'll add it at the beginning of the rule.
▪ Let's create a rule file to address this password policy. As
before, we'll use the c rule function for the capitalization of
the first letter.
▪ Furthermore, we also use "!" again as special character. For the
numerical values we'll append the (ever-popular) "1", "2", and
"123" followed by the special character.
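As an added example (not the slides' own code nor hashcat's), a small interpreter for the rule functions explained on the preceding slides (c, $X, ^X, plus l, u and :), applied to a constructed three-word list with the capitalize / append 1, 2, 123 / append "!" rules from this slide. It reproduces what hashcat --stdout -r prints for those functions and shows how few candidates such policy-driven mutations really add.

```python
# Added example (not the slides' or hashcat's code): interpreter for a subset of
# hashcat rule functions. Supported: ':' no-op, 'l' lowercase, 'u' uppercase,
# 'c' capitalize first letter and lowercase the rest, '$X' append X, '^X'
# prepend X. Spaces between functions are ignored, as in hashcat rule files.

def apply_rule(rule, word):
    """Apply one rule line to a word, function by function, left to right."""
    i = 0
    while i < len(rule):
        f = rule[i]
        if f in " :":
            pass                                  # separator / no-op
        elif f == "l":
            word = word.lower()
        elif f == "u":
            word = word.upper()
        elif f == "c":
            word = word[:1].upper() + word[1:].lower()
        elif f in "$^":
            if i + 1 >= len(rule):
                raise ValueError(f"{rule!r}: {f} needs one character after it")
            i += 1
            word = word + rule[i] if f == "$" else rule[i] + word
        else:
            raise ValueError(f"{rule!r}: unsupported function {f!r}")
        i += 1
    return word


def mutate(words, rules):
    """Every rule applied to every word: the candidate list --stdout would show."""
    return [apply_rule(rule, word) for word in words for rule in rules]


# Constructed sample wordlist and the rules described on the slide above:
# capitalize, append 1 / 2 / 123, then the special character "!".
WORDS = ["password", "welcome", "summer"]
RULES = ["c $1 $!", "c $2 $!", "c $1 $2 $3 $!"]

if __name__ == "__main__":
    candidates = mutate(WORDS, RULES)
    for c in candidates:
        print(c)
    # 3 words x 3 rules = 9 guesses. A "policy-compliant" Password123! is one
    # of them, which is why such mutations add little real strength.
    print(f"{len(WORDS)} words x {len(RULES)} rules = {len(candidates)} candidates")
```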
▪ Next, we can run Hashcat. We will disable debugging by removing
the --stdout argument.
▪ Instead, we'll specify -m, which sets the hash type. In this
demonstration, we want to crack MD5, which is hash type 0, which
we retrieved from the Hashcat hash example page.
▪ After the hash type, we'll provide the target MD5 hash file
([Link]) and the [Link] wordlist.
▪ Then, we'll specify -r to provide our [Link]. As our Kali VM
doesn't have access to a GPU, we'll also enter --force to ignore
related warnings from Hashcat.
▪ Instead of creating rules ourselves, we can also use rules
provided by Hashcat or other sources.
▪ Hashcat includes a variety of effective rules in
/usr/share/hashcat/rules:
▪ Cracking Methodology:
▪ We can describe the process of cracking a hash with the following
steps:
1- Extract hashes
2- Format hashes
3- Calculate the cracking time
4- Prepare wordlist
5- Attack the hash
Identify The Hash
▪ Most hashing algorithms produce hashes of a constant length. The
length of a particular hash can be used to map it to the algorithm
it was hashed with. For example, a hash of 32 characters in length
can be an MD5 or NTLM hash.
▪ Sometimes, hashes are stored in certain formats, for example hash:salt or $id$salt$hash.
▪ The hash 2fc5a684737ce1bf7b3b239df432416e0dd07357:2025 is a SHA1 hash with the salt 2025.
▪ The hash $6$vb1tLY1qiY$M.1ZCqKtJBxBtZm1gRi8Bbkn39KU0YJW1cuMFzTRANcNKFKR4RmAQVk4rqQQCkaJT6wXqjUkFcA/qNxLyqW.U/ contains three fields delimited by $, where the first field is the id, i.e., 6.
▪ This is used to identify the type of algorithm used for hashing.
▪ The following list contains some ids and their corresponding algorithms.
▪ Here are the ids of the common hash types:
▪ The next field, vb1tLY1qiY, is the salt used during hashing, and
the final field is the actual hash.
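An added Python example (not from the slides or from the hashid tool) that applies the identification rules above to the hash strings used on these slides: hex length, hash:salt, and $id$salt$hash. The id table and hashcat mode numbers are supplied by the editor, not taken from the slides' id list (id 6 is sha512crypt, hashcat mode 1800, the mode used later in the deck).

```python
# Added example (not the slides' code): classify a hash string by its layout.
# The id table and hashcat mode numbers are editor-supplied facts; the slides'
# own id list is not reproduced here.
import re

CRYPT_IDS = {                       # id: (algorithm, hashcat mode)
    "1": ("md5crypt", 500),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
    "apr1": ("Apache APR1 MD5", 1600),
}
HEX_LENGTHS = {32: ["MD5", "NTLM"], 40: ["SHA1"], 64: ["SHA-256"]}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def identify_hash(value):
    """Return format, id, salt, hash, candidate algorithms and hashcat mode."""
    value = value.strip()
    if value.startswith("$"):
        parts = value.split("$")            # ['', id, salt, hash]
        if len(parts) == 4:
            algo, mode = CRYPT_IDS.get(parts[1], ("unknown id", None))
            return {"format": "$id$salt$hash", "id": parts[1], "salt": parts[2],
                    "hash": parts[3], "candidates": [algo], "hashcat_mode": mode}
    if ":" in value:                        # hash:salt, as in the SHA1 example
        digest, salt = value.split(":", 1)
        if HEX_RE.match(digest):
            return {"format": "hash:salt", "id": None, "salt": salt, "hash": digest,
                    "candidates": HEX_LENGTHS.get(len(digest), []), "hashcat_mode": None}
    if HEX_RE.match(value):                 # bare hex digest: go by length
        return {"format": "raw hex", "id": None, "salt": None, "hash": value,
                "candidates": HEX_LENGTHS.get(len(value), []), "hashcat_mode": None}
    return {"format": "unknown", "id": None, "salt": None, "hash": value,
            "candidates": [], "hashcat_mode": None}


# The hash strings that appear on the slides.
SAMPLES = [
    "$6$vb1tLY1qiY$M.1ZCqKtJBxBtZm1gRi8Bbkn39KU0YJW1cuMFzTRANcNKFKR4RmAQVk4rqQQCkaJT6wXqjUkFcA/qNxLyqW.U/",
    "$apr1$71850310$gh9m4xcAn3MGxogwX/ztb.",
    "2fc5a684737ce1bf7b3b239df432416e0dd07357:2025",
    "7100a909c7ff05b266af3c42ec058c33",
]

if __name__ == "__main__":
    for s in SAMPLES:
        info = identify_hash(s)
        mode = f" (hashcat -m {info['hashcat_mode']})" if info["hashcat_mode"] else ""
        print(f"{info['format']:<14} salt={info['salt']!r:<14} -> {info['candidates']}{mode}")
```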
▪ To identify the hash with tools:
▪ [Link]
▪ # pip install hashid
▪ # hashid '$apr1$71850310$gh9m4xcAn3MGxogwX/ztb.'
▪ # hashid '$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f' -m
▪ There are many sites that can identify the hash, such as:
▪ [Link]
▪ [Link]
▪ There are also many other tools you can search for...
▪ To crack the hash there are many tools, but the most common is hashcat:
▪ # hashcat -h
▪ Hashcat has many modes for cracking different hash types, such as:
▪ Suppose that you have a SHA1 hash:
▪ # hashcat -m 100 [Link] /opt/useful/seclists/Passwords/Leaked-Databases/[Link]
▪ Now let's take a hash from the /etc/shadow file of your Linux system:
▪ # sudo cat /etc/shadow
▪ $6$kIGXtz93GI$7P8RBOsj00QQqCBxwtcdUDldLqi8lcjfymQ2hSKmQpqFrIb9d2TaN7pnHGS9KsrwEBGpMb5ES7MYEjvgByI4w/
▪ If you look at the first part, $6$ means that the hash is SHA256
▪ And if you search for the hashcat mode of SHA256, you will find it is 1800
▪ # hashcat -m 1800 [Link] [Link]
▪ Suppose you find an NTLM hash; it would be cracked under mode 1000, as:
▪ 7100a909c7ff05b266af3c42ec058c33
▪ # hashcat -a 0 -m 1000 [Link] [Link]
▪ Let's move forward to crack the NTLM hash