brencronin

Password Cracking - Hashcat

Updated: Nov 10

This post covers three password cracking techniques that can be used with the password cracking tool hashcat. The three techniques are:


  • Dictionary based attacks

  • Combinator attacks

  • Mask attacks


Hashcat is a popular hash cracking utility.

Change to the directory where it is installed to run it. Below is hashcat being run with the --help switch.

Generate some test MD5 hashes.


Repeat the same for other passwords:


MydogSnickers

Fall2021

F@ll2021


You can also get string hashes in PowerShell. PowerShell has a popular Get-FileHash cmdlet, but that won’t work if you simply want the hash of a string. The function below allows you to get a string hash.

At this point you will want the hashes in a txt file (target_hashes.txt below). This is essentially your stolen password hashes file that you are trying to crack.

The below PowerShell function gets the MD5 hash of the string and appends it to the target_hashes.txt file.

One issue you may run into later is a ‘Token Length Exception’ error.

A solution for this was to convert the target_hashes.txt file to UTF-8 encoding in a text editor like Notepad++.
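
A string-hashing function like the one described above, as an added example rather than the original post's function; `Get-StringHash`, `Test-HashFile` and their parameters are assumed names. It appends digests as ASCII, since Windows PowerShell 5.1 writes UTF-16 by default when output goes through `>>` or `Out-File`, and it checks that each line has the digest length expected for the hash type.

```powershell
# Added example (not from the original post); function and parameter names are assumptions.
function Get-StringHash {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Text,
        [ValidateSet('MD5', 'SHA1')][string]$Algorithm = 'MD5',
        [string]$OutFile   # optional file to append the digest to
    )
    process {
        $hasher = if ($Algorithm -eq 'SHA1') {
            [System.Security.Cryptography.SHA1]::Create()
        } else {
            [System.Security.Cryptography.MD5]::Create()
        }
        try {
            # Hash the UTF-8 bytes of the string itself (no trailing newline)
            $digest = $hasher.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        } finally {
            $hasher.Dispose()
        }
        $hex = -join ($digest | ForEach-Object { $_.ToString('x2') })
        if ($OutFile) {
            # Explicit ASCII: one plain hex digest per line, no byte-order mark
            Add-Content -Path $OutFile -Value $hex -Encoding ASCII
        }
        $hex
    }
}

# Flag a UTF-16 hash file and return lines that are not exactly $HexLength hex characters
function Test-HashFile {
    param([string]$Path, [int]$HexLength = 32)   # 32 for MD5, 40 for SHA1
    $raw = [System.IO.File]::ReadAllBytes((Resolve-Path $Path).Path)
    if ($raw.Length -ge 2 -and $raw[0] -eq 0xFF -and $raw[1] -eq 0xFE) {
        Write-Warning "$Path starts with a UTF-16 LE byte-order mark; re-save it as UTF-8"
    }
    Get-Content -Path $Path | Where-Object { $_ -notmatch "^[0-9a-fA-F]{$HexLength}$" }
}

# The passwords used in this post
'MydogSnickers', 'Fall2021', 'F@ll2021' | Get-StringHash -OutFile target_hashes.txt
Get-StringHash -Text 'Snickers' -Algorithm SHA1 -OutFile target_hashesSHA1.txt
Test-HashFile -Path target_hashes.txt                     # returns only malformed lines
Test-HashFile -Path target_hashesSHA1.txt -HexLength 40
```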

Next you will want wordlists to run against. There is a very popular downloadable word list on the Internet called rockyou.txt.

Running the hashcat dictionary attack on the hashes in target_hashes.txt using the rockyou.txt word list.


E:\hashcat-6.2.4>hashcat -m 0 -a 0 -o cracked.txt target_hashes.txt rockyou.txt
-m 0 = MD5 hashes
-a 0 = attack type 0 (Dictionary)
-o = output file for cracked hashes (cracked.txt)

Attacking different types of hashes


The below command with -m 100 (not -m 0 which is MD5 hashes) uses the SHA1 algorithm.


E:\hashcat-6.2.4>hashcat -m 100 -a 0 -o cracked.txt target_hashesSHA1.txt rockyou.txt

Below, the PowerShell function is changed to hash the string ‘Snickers’ using SHA1 and output it to the file target_hashesSHA1.txt.

-m 100 switch equals SHA1.

Results when the hashcat command is run against the SHA1 hashes using the rockyou.txt word list.

Successful SHA1 hash match.

Combinator attacks


Combinator attacks combine two word lists together. These attacks can be successful because people commonly combine words to make their passwords. The attack below combines the two word lists Seasons.txt and Years.txt and attempts to crack target_hashes.txt, which contains a hash of the password Fall2021.


E:\hashcat-6.2.4>hashcat -m 0 -a 1 target_hashes.txt Seasons.txt Years.txt

Attack mode -a 1 = Combination (i.e., Combinator attack).

Many users combine words in their passphrases. Two word lists were created for this example.

Successful hash crack.

Mask attacks


Mask attacks improve hash cracking based on intelligence you may have about the password. For example, the 1st letter is always a capital letter, or the password always ends with two numbers. We have all seen passwords like this which have a number that could indicate a sequence number or something important like an age, or significant date.

The below hashcat command is a -a 6 Hybrid Wordlist + Mask attack. It uses the rockyou.txt wordlist but also adds two digits on the end, which are specified by the ?d?d.

hashcat -m 0 -a 6 target_hashesMask.txt rockyou.txt ?d?d

Successful hash crack with 2 digit mask at the end of the password.


HashCat Rules





CEWL - generating word Lists





