After the previous posts, I think you have a basic idea of how we can pentest a client's system. But every now and then I run into the same problem once I have obtained the client's password hashes: NTLM hashes dumped from a domain controller, for example, or usernames from a compromised website whose passwords are only stored as hashes. So I think we should have an article about this part.
First, we need to know what goes into cracking a hash. Three things matter: the wordlist, the rules, and the hash algorithm.
1 . Wordlist
A wordlist is a file (or a set of files) containing a large number of common passwords. The cracker hashes each entry with the target algorithm and checks whether the result matches the hash you are trying to crack.
Some password lists worth having:
-RockYou (rockyou.txt)
This wordlist is well known and quite small at 14,344,392 passwords. It is the first place to look when you want to crack a hash. On Kali Linux it lives in /usr/share/wordlists/, shipped compressed as rockyou.txt.gz; you need to unzip it (gunzip) before using it.
-CrackStation human-only
This list collects passwords from many different sources; the human-only version contains around 64 million passwords.
You can download it via torrent from here: https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm
-And a special link: http://wordbook.xyz/download/big/. It includes various types of passwords from different sources; you can download it at any time.
2 . Rules
If your wordlist needs modifications, you use rules. A rule is a transformation applied to every word in the list (capitalize a letter, append digits, swap letters) so that the cracker also tries variants that are not literally in the file. In short, rules make our wordlist better. 😀
A good set of rules is here: http://contest-2010.korelogic.com/rules.html
For example, this rule set is a quick and dirty way to capitalize certain letters in a word (word becomes Word, wOrd, woRd, worD). In John's rule syntax, /X rejects the word unless it contains the character X, and sXY replaces every X in the word with Y, so /asaA produces a variant with every a uppercased, and so on for each letter. In the rules file each of the lines below is a separate rule:
# This is a lamer/faster version of --rules:nt
[List.Rules:KoreLogicRulesReplaceLettersCaps]
/asaA
/bsbB
/cscC
/dsdD
/eseE
/fsfF
/gsgG
/hshH
/isiI
/jsjJ
/kskK
/lslL
/msmM
/nsnN
/osoO
/pspP
/qsqQ
/rsrR
/sssS
/tstT
/usuU
/vsvV
/wswW
/xsxX
/ysyY
/zszZ
3 . Hash Algorithms
The hash algorithm is the function that produced the password hash: MD5 or SHA1, for example, or NTLM for Windows accounts.
You have to tell the cracker which algorithm the hashes use (John calls it a format, hashcat a hash mode). Choosing correctly makes cracking fast; choosing wrong means either an immediate error (no hashes loaded) or a run that can never succeed, because every candidate is hashed with the wrong function. The length of the hash only narrows it down: a 32-character hex string could be MD5, NTLM or several other types, so when in doubt try the likely formats one at a time (john --list=formats and hashcat --example-hashes list what each tool supports).
Personally, I usually use two tools in this situation: John the Ripper and oclHashcat.
John the Ripper ( JtR )
You can take a quick look at it here:
For example, we create a file named test_hash.txt
and put some hashes in it, one per line.
When we run JtR on the file without any options, it has to guess the hash type from the look of the hash, which is slow and may pick the wrong format.
With the format specified, it works like a charm:
john --format=Raw-MD5 test_hash.txt
(Without --wordlist John runs its own default modes; add --wordlist=/usr/share/wordlists/rockyou.txt --rules to use a wordlist with rules instead.)
Then we show the cracked passwords:
john --show --format=Raw-MD5 test_hash.txt
They are: monkey and monkey2011.
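To make the three ingredients above (wordlist, rules, hash format) concrete, here is a small Python cracker added to this post as an example; it is not code from the original post or from John the Ripper. It implements just enough of John's rule syntax (:, l, c, $X, /X, sXY) to run the KoreLogic ReplaceLettersCaps rules quoted earlier, cracks the Raw-MD5 hashes of monkey and monkey2011 (the target hashes are constructed inline with hashlib and stand in for test_hash.txt), and shows that the same hashes stay uncracked when the wrong format (Raw-SHA1) is selected. The mini wordlist and the extra rules (c and $2$0$1$1) are assumptions for the demo, and NTLM is left out because it needs MD4, which hashlib does not always provide.

```python
import hashlib
import itertools

# Constructed mini wordlist standing in for rockyou.txt (assumption, not from the post).
WORDLIST = ["123456", "password", "monkey", "letmein", "word", "dragon"]

# Hash formats in John's sense: name -> function(candidate) -> hex digest.
# NTLM is omitted: it needs MD4, which hashlib may not provide on recent OpenSSL.
FORMATS = {
    "raw-md5": lambda s: hashlib.md5(s.encode()).hexdigest(),
    "raw-sha1": lambda s: hashlib.sha1(s.encode()).hexdigest(),
    "raw-sha256": lambda s: hashlib.sha256(s.encode()).hexdigest(),
}


def apply_rule(rule, word):
    """Interpret a subset of John the Ripper rule syntax against one word.

    Commands: ':' no-op, 'l' lowercase, 'c' capitalize, '$X' append X,
    '/X' reject the word unless it contains X, 'sXY' replace every X with Y.
    Whitespace between commands is ignored, as in John's rule files.
    Returns the mangled word, or None when a '/X' check rejects it.
    """
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd.isspace() or cmd == ":":
            i += 1
        elif cmd == "l":
            word = word.lower()
            i += 1
        elif cmd == "c":
            word = word[:1].upper() + word[1:].lower()
            i += 1
        elif cmd == "$":
            word += rule[i + 1]
            i += 2
        elif cmd == "/":
            if rule[i + 1] not in word:
                return None
            i += 2
        elif cmd == "s":
            word = word.replace(rule[i + 1], rule[i + 2])
            i += 3
        else:
            raise ValueError(f"unsupported rule command {cmd!r} in {rule!r}")
    return word


# The KoreLogic ReplaceLettersCaps rules quoted in the post: /asaA, /bsbB, ... /zszZ.
CAPS_RULES = [f"/{c}s{c}{c.upper()}" for c in "abcdefghijklmnopqrstuvwxyz"]
# Extra rules assumed for the demo: the word as-is, capitalized, and with 2011 appended.
RULES = [":", "c", "$2$0$1$1"] + CAPS_RULES


def candidates(wordlist, rules):
    """Yield every distinct candidate the wordlist and rules generate."""
    seen = set()
    for word, rule in itertools.product(wordlist, rules):
        cand = apply_rule(rule, word)
        if cand is not None and cand not in seen:
            seen.add(cand)
            yield cand


def crack(targets, wordlist, rules, fmt):
    """Return {hash: plaintext} for every target hash recovered under format fmt."""
    digest_of = FORMATS[fmt]
    remaining = {t.lower() for t in targets}
    found = {}
    for cand in candidates(wordlist, rules):
        digest = digest_of(cand)
        if digest in remaining:
            found[digest] = cand
            remaining.discard(digest)
            if not remaining:
                break
    return found


# Constructed targets: what test_hash.txt would hold for monkey and monkey2011 as Raw-MD5.
TARGETS = [hashlib.md5(b"monkey").hexdigest(), hashlib.md5(b"monkey2011").hexdigest()]

if __name__ == "__main__":
    print([v for v in (apply_rule(r, "word") for r in CAPS_RULES) if v])
    print(crack(TARGETS, WORDLIST, RULES, "raw-md5"))   # both hashes recovered
    print(crack(TARGETS, WORDLIST, RULES, "raw-sha1"))  # wrong format: {}
```

The loop is the whole idea behind John and hashcat: generate candidates from wordlist and rules, hash each one with the selected format, compare. The real tools do the same thing millions of times per second (billions on a GPU) with optimized kernels; this version only shows the mechanics and why a wrong format cannot crack anything no matter how good the wordlist is.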
In my experience, you must practise a lot with this tool to find out how it works. It is not as easy as you think. 😀
For more information, see the cheat sheet here: https://countuponsecurity.files.wordpress.com/2015/06/jtr-cheatsheetimg.png
First of all, this tool is built around the graphics processing unit (GPU): oclHashcat was the GPU-only build, and the speed advantage of GPUs over CPUs for hashing is enormous. (Since hashcat 3.0 the CPU and GPU versions have been merged into a single hashcat binary that runs on any OpenCL device, but the real throughput still comes from GPUs.)
This tool can help us crack NTLMv2 or WPA/WPA2 (Wi-Fi) hashes, among many other types; the hash type is selected with -m (for example -m 0 for MD5, -m 1000 for NTLM, -m 5600 for NetNTLMv2 and -m 2500 for WPA/WPA2 in this version). You can download it from here: http://hashcat.net/hashcat/. It runs on both Windows and Linux.
On Kali Linux we use the following commands (Kali also packages hashcat, but here we fetch the release archive from hashcat.net):
(At the time of writing, the latest version of hashcat is 3.10, distributed as hashcat-3.10.7z.)
Then we unpack it:
7za x hashcat-3.10.7z
Extraction takes a moment and then we see the result.
Then check its help with ./hashcat64.bin --help from the extracted directory.
I apologize, but when I made this tutorial my computer did not have a GPU. :( So I will show you how to use oclHashcat to crack Wi-Fi credentials later. But I think you should try JtR today; it has many options for you to test.
If you have any problem cracking a password, just leave a comment here. I will get back to you as soon as possible.