Home About Blog Media Free Courses Workshops

Password Cracking

Hashcat for the Win

Cracking Passwords

This workshop utilizes knowledge about Linux, Windows and computer hardware. Participants will need a system they have administrative control over to install and run various software in order to learn how to effectively crack Windows passwords.

Cracking Terminology

The Old Ways: Rainbowtables

Rainbowtables

Rainbowtables such as Project Rainbowcrack and Free Rainbow Tables require terabyes of fast storage to read from. They are ineffective against passwords with salts. Rainbowtables are very specific to a given password hash and type, and would need to be generated for multiple hash types. They are slow to generate and unable to meet the demand of modern password cracking where being dymanic, agile, flexible and scalable are key. Rainbowtables are static, rigid; to this end, they should only be mentioned as a history lesson, and nothing more.

Hashcat Overview

Hashcat is a powerful GPU password cracker. It is free, open source and available on most Operating Systems. It is agile, scalable and up to date. The Hashcat Wiki is highly recommended to keep open as a reference for this workshop.

You should install the latest version of hashcat on your system or virtual machine:

For higher level processing with GPUs, ensure your video driver is also up to date. Hashcat is able to break a large number of hashes (see the hashes list in the wiki).
Many Hashes For this workshop, we will focus on NTLM.

How NTLM Works

NTLM follows a very basic process:


This process is seen in action on CyberChef: CyberChef Here you can see what is created on CyberChef is what Mimikatz pulls up from a Windows 11 computer:

CyberChef and Mimikatz

Cracking Passwords

For this lab, please download 2020-200_most_used_passwords.txt from this link.

This is a basic layout on how we will use hashcat from the command line. Most of the command will be the same regardless of the OS. Crack the following password using the following example command: First Crack


Hash 1
2d20d252a479f485cdf5e171d93985bf

Submit your answer

When you successfully crack a password, you will notice a couple of things: Results1

Hash 2
5835048ce94ad0564e29a924a03510ef

Submit your answer

Hash 3
9a9d50b11ce8393752db14d0b0e3db08

Submit your answer

Adding Variables

Wordlists can only take you so far since the text files cannot account for various mutations. Hashcat has the functionality to insert variables that don't exist in the wordlist but can help find the hash. Adding Variables

The following hash has one extra digit at the end. Use variables to solve:

Hash 4
d4a1be1776ad10df103812b1a923cde4

Submit your answer

The following hash has four extra characters at the end. Use variables to solve:

Hash 5
4cc8e6e361d943cdd5cd79e0432dfeb0

Submit your answer

Cracking hash5 may result in an odd answer that is not human readable. You will need to convert the hexadecimal result to see what the password is. Results with Hex

Take the hash and convert it in CyberChef as shown below: Converting Hex

The following hash has four extra characters at the beginning. Use variables to solve:

Hash 6
a68aebcd73f000710f795b657363cd11

Submit your answer

Useful Links

Rules

As written in the wiki, this is a complicated attack mode with a wide variety of modifications, making it flexible, accurate and efficient. A simple rule can be using "$1" to append a digit, making password into password1. Here are some other examples:

Generating Rules with maskprocessor

Download and complie or extract the maskprocessor from Github.

maskprocessor

With the software ready for use, run the following command that will make a 3 digit rule file:

./mp64.bin -o append_3_digits.rule '$?d $?d $?d'
Making a rule

This rule file will append three digits to whatever password it is trying to break, and it will do it in succession as shown above. Combine the rule we just created and the wordlist to find the following password:

Hash 7
0b7933c06356e74f24ab406ee0b19b57

Submit your answer

In the same wiki, there is a section on generating rules on the fly.
Using generated rules

Use this part of the wiki to find the following password; you may need to play with various numbers of rules to get the right answer. Don’t give up right away!

Hash 8
90749e62700405119900c5b08fa0d907

Submit your answer

Masks

Mask attacks are a more specific version of brute force. We use certain candidate keyspaces to crack more efficiently. Masks are simple strings that use placeholders, with a question mark and a static letter to define the variable. Built in Character Sets

The following hash can be cracked with a mask only; you don't need the wordlist. This password contains 4 lowercase letters:

Hash 9
0cb6948805f797bf2a82807973b89537

Submit your answer

The following password has 3 digits and lowercase letters; there is no need for the wordlist

Hash 10
d184d178a697c52b013b89dbae499e47

Submit your answer

The following password has 7 uppercase letters and 1 digit (though not in that order); it is a word from the wordlist, but you don't need the wordlist to solve.

Hash 11
ba829364e85a90058d72f743bf1f74d1

Submit your answer

Hashcat has some built in rules and masks for you to use. Find them in the program's folders:
Built in rules and masks

TrustedSec's Hate_crack repository has some masks that you can use as well:
hatecrack github

Advanced Attack: PRINCE

PRINCE (PRobability INfinite Chained Elements) takes one input wordlist and builds “chains” of combined words automatically. It is simple to use, requires no monitoring by the hacker, any extensions or syntax knowledge. The tool builds its own wordlist, hybrid, keyboard walks/passphrases and brute force for you. Download from Github here; this thread is also useful to understand PRINCE. As with the prior tool, you'll need to compile or extract to run.
Prince Processor on Github

NOTE FOR MAC USERS: this issue explains what you need to do in order to get the tool working on macOS. macOS issue

If you ran the princeprocessor against the wordlist we have been using in this workshop, what is the result?
See output from princeprocessor

Seeing what results from sending a wordlist into princeprocessor, we will do that again, but also pipe that output into hashcat to solve the following hash: solving a hash using prince

Hash 12
62eff0d7a31f10efe18ed415e670bb3c

Submit your answer

Use the same command, but change the wordlist to use Permutations/1337speak.txt instead to solve the following hash:

Hash 13
a70e26df450807870e97435c39832595

Submit your answer

Password Analysis

Historical Tips

20-60-20 Rule

The following chart shows how most passwords are sorted by difficulty.
20 60 20 rule

Cracking Methodology

  1. Extract hashes: Pull hashes from target, identify hashing function
  2. Format hashes: Prepare hashes for your tool’s preferred method
  3. Evaluate hash strength: If slow hash, you need to be more selective of dictionaries and attacks used; if fast, be more liberal with attack strategy
  4. Calculate cracking rig capabilities: Baseline your rig to better assess its capabilities against a specific hash
  5. Formulate plan: Create an attack plan based on known/unknown knowledge
  6. Analyze passwords: Analyze results for any clues/patterns from cracked hashes to aid the success in the remaining
  7. Custom attacks: Leverage the new knowledge to fine tune the attack to the target user’s behavior or preferences
  8. Advanced attacks: Use more advanced tools to dig deeper
  9. Repeat until solved

Basic Cracking Playbook

  1. Custom wordlist: Compile your known plain text passwords into a custom wordlist file
  2. Custom wordlist + rules: Run your custom wordlist with permutation rules for variations
  3. Dictionary/wordlist: Look for common passwords and leaked passwords in a well-known list
  4. Dictionary/Wordlist + rules: Add permutation rules to your dictionary looking for subtle changes
  5. Custom wordlist + rules: Add any newly discovered passwords to custom wordlist and add permutation rules
  6. Mask: Use hashcat’s masks to search keyspace for common password lengths and patterns
  7. Hybrid Dictionary + Mask: Look for larger variations of common words/known passwords by appending/prepending masks to those candidates
  8. Custom wordlist + rules: Add any newly discovered passwords back to custom wordlist and add permutation rules, looking for subtle variations
  9. Combo: Individually combine dictionary password candidates together to form new candidates
  10. Custom hybrid attack: Add any newly discovered passwords back to custom wordlist
  11. Custom mask attack: Custom mask attacks based on currently cracked passwords
  12. Brute force: When all else fails; be selective on how large a keyspace your rig can adequately brute-force. Above 8 chars is harder due to hardware limitations and password entropy/complexity

Potfile

The potilfe stores what passwords were found by hashcat. The default potfile does not differentiate between hash types; it only stores all hashes found in the order they were found. You can use

--potfile-path=/path/to/potfile
to specifically select where you want hashes saved, for example, saving all the SHA1 hashes in one potfile and all the NTLM in another.
Contents of the potfile

Distributed Cracking Software

Cracking Challenges:

Submit your answers at this link. Use the hints at the bottom of each section to help you if you get stuck.

Challenge Number NTLM Hash Challenge Number NTLM Hash Challenge Number NTLM Hash
1
774d222fd2128b6802f2586deb544681
4
002af721365d3098143821fdbeb68618
7
b9b9ec843c3b2965e2ad62d847822cd4
2
41ff752227c53858fc0fc9c90dbe4d5b
5
f80256d11073cc29f23cc0cd48df0cc3
8
498b372b1ae46c1b70e0b842f68b621c
3
3904b0ffab933fceb6e1734190839903
6
73752df67783192d0eb7a10c7d7b3f8d
9
83487ef3b85d39dcd3a0a73328c5974e
Set 1, Hint 1

Challenges 1-3 are based on one of the words from the first wordlist we used in the workshop.

Set 1, Hint 2

Challenges 1-3 are permutations on the word "monkey".

Set 2, Hint 1

Challenges 4-6 are combinations of common words and a single digit.

Set 2, Hint 2

Challenges 4-6 should be quickly solveable with a wordlist and appending a mask digit.

Set 3, Hint 1

Challenges 7-9 are are phone numbers.

Challenge Number NTLM Hash Challenge Number NTLM Hash Challenge Number NTLM Hash
10
00a08d9372a3546d0292bb65d3945acb
13
00046ff8f504f4f921cd68b77c04fff5
16
00216511f59f814b8864481fd377be39
11
058c61e6208217e954c4735ab6a3f109
14
0047602fc375c506482010bc998e2ef5
17
008d4dd9b8ef094ceddf4cbf01f37831
12
01c5a6518a83da30b8752b6488547516
15
05ce20143ce083278fe34aa4ad3b7708
18
018fdf097faeed03c37c9894fc533063
Set 4, Hint 1

Challenges 10-12 are short phrases.

Set 4, Hint 2

Challenges 10-12 are breakfast food related.

Set 4, Hint 3

Challenges 10-12 one password has a special character, another has a digit.Between all three, there are only two captial letters.

Set 5, Hint 1

Challenges 13-15 are used by system/network administrators.

Set 5, Hint 2

Challenges 13-15 all contain the lowercase word "admin".

Set 5, Hint 3

Challenges 13-15 all have the word "admin" and contain digits. Only one has a special character.

Set 6, Hint 1

Challenges 16-18 are all iPhone related passwords

Set 6, Hint 2

Challenges 16-18 are passwords that express how the user feels about the iPhone.

Set 6, Hint 3

Challenges 16-18 are passphrases with digits and no special characters.

Challenge Number NTLM Hash Challenge Number NTLM Hash Challenge Number NTLM Hash
19
0000076d1e4487f9e82a5c39dcd23394
22
00479948a0d0d0d801c0705cbbcf4cf3
25
00010e0b5de686f44a79d706a032e62d
20
00000787244575a85fa642eb9963e4a2
23
009bb868b3ebc09fd9b0559a9e1bd21c
26
023b73920ad2321294da1a06daa3bf97
21
00000790734052dbdf030e40338f51cf
15
022a6e54c2b124eb4291da495e6626f5
27
0479871d7b684e5a7331528d64cae7fe
Set 7, Hint 1

Challenges 19-21 three word passphrases.

Set 8, Hint 1

Challenges 22-24 are all related to laptop.

Set 9, Hint 1

Challenges 25-27 are all related to dojo.