Cracking Passwords

1) Check Crackstation


https://crackstation.net/

It is a lookup against a very large table of precomputed unsalted hashes (MD5, SHA-1, NTLM and similar), so it only finds unsalted hashes of passwords that are already in that table. It takes seconds and is the right first try, but a salted hash, or a password outside the table, simply comes back "not found".


2) Identify Hash Type (and Salt)


Note: This requires Python.

You can install it like so:

$ pip install hashid

Syntax

$ python -m hashid [OPTIONS] [HASH]

None of the options are required, so I won't list them here; they are documented on the project's GitHub page.


Note: Be careful: hashid classifies by length, character set and prefix, so for a raw digest it cannot know whether a salt was involved, however confident the output looks. To it, a 32-character hex string is MD5, NTLM, MD4 or md5(salt.pass) alike; it lists the candidates, it does not know which one you have.

A small comment: only the last tool identified an NTLM hash correctly, and even that is partly luck, since NTLM and MD5 are both 32 hex characters and nothing in the string itself separates them. Use some common sense when dealing with hashes: if they came off a Windows machine, try NTLM (and LM) before the generic candidates; if they came out of /etc/shadow, the $1$, $5$, $6$ or $y$ prefix already names the algorithm.


What is a salt?

A salt is a random value, unique per password, that is mixed into the input of the hash function. Its job is uniqueness, not secrecy: two users with the same password get different hashes, a precomputed table (Crackstation, rainbow tables) built for the plain hash no longer applies, and an attacker has to run the dictionary attack once per salt instead of once for the whole database. The salt is stored in the clear next to the hash (in crypt-style hashes it is the text between the second and third $), and that is fine; a value that is kept secret and out of the database is a different thing, called a pepper.

If a database contains identical hashes for different users, there is no per-user salt (one fixed salt for everyone is as good as none). A lot of duplicate hashes usually means default or shared passwords are still in use.

So salts do not need to be hidden. What they must be is random and unique per password. They also do nothing for a weak password that is in every wordlist; only a slow hash (bcrypt, scrypt, Argon2, sha512crypt with many rounds) raises the cost of each individual guess.
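To make this concrete, here is an added Python example (not from the original page or from any of the tools discussed here). The "databases" and the wordlist are constructed for the demonstration, and plain SHA-256 over salt+password is only a stand-in for a real password hash such as bcrypt or sha512crypt. It shows why identical hashes betray the absence of salts, why the salt can sit in the clear next to the hash, and why a dictionary attack on salted hashes costs one pass per user instead of one pass for the whole table:

```python
import hashlib
import os

# Constructed sample data for this demonstration (not a real dump).
WORDLIST = ["letmein", "password", "123456", "Winter2024", "hunter2"]
USERS = {"alice": "letmein", "bob": "letmein", "carol": "hunter2", "dave": "Tr0ub4dor&3"}


def hash_unsalted(password: str) -> str:
    """Plain SHA-256: two users with the same password get the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes = None) -> str:
    """Per-user random salt, stored in the clear next to the digest as salthex$digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


# Two "databases" holding the same users and passwords, one unsalted and one salted.
UNSALTED_DB = {user: hash_unsalted(pw) for user, pw in USERS.items()}
SALTED_DB = {user: hash_salted(pw) for user, pw in USERS.items()}


def duplicate_hashes(db: dict) -> dict:
    """Group users by stored value; any group of two or more means no per-user salt."""
    groups = {}
    for user, stored in db.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def crack_unsalted(db: dict, wordlist: list) -> tuple:
    """Hash each word once and look it up against every user: len(wordlist) hash
    operations for the whole database. A precomputed table (Crackstation, rainbow
    tables) is this same trick done ahead of time."""
    lookup = {hash_unsalted(word): word for word in wordlist}
    found = {user: lookup[h] for user, h in db.items() if h in lookup}
    return found, len(wordlist)


def crack_salted(db: dict, wordlist: list) -> tuple:
    """The salt is right there in the stored value, yet no work can be shared between
    users: each one costs a fresh pass over the wordlist (until a hit)."""
    found, ops = {}, 0
    for user, stored in db.items():
        salt_hex, digest = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        for word in wordlist:
            ops += 1
            if hashlib.sha256(salt + word.encode()).hexdigest() == digest:
                found[user] = word
                break
    return found, ops


if __name__ == "__main__":
    print("duplicates, unsalted:", duplicate_hashes(UNSALTED_DB))  # alice and bob share a hash
    print("duplicates, salted:  ", duplicate_hashes(SALTED_DB))    # {}
    for name, db, attack in (("unsalted", UNSALTED_DB, crack_unsalted),
                             ("salted", SALTED_DB, crack_salted)):
        found, ops = attack(db, WORDLIST)
        print(f"{name}: cracked {found} with {ops} hash operations")
```

Note that crack_salted reads the salt straight out of the stored value; secrecy was never the point. What the salt removes is the shared work (5 hash operations for the whole unsalted table against 12 for the salted one, and the gap grows with the number of users), and a deliberately slow hash multiplies the cost of each of those operations on top.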


3a) John


Crack password hashes offline, salted or not (the classic crypt(3) hashes in the examples below carry their salt in the first two characters, and john handles them like any other format).

Syntax

$ john [OPTIONS] [HASH FILE]

The HASH FILE holds one entry per line, either user:hash or a complete /etc/passwd or /etc/shadow style line (john takes the hash from the second field and ignores the rest):

root:7z2J3pT/HjmkM
user:MNPXFCWHbDSNM

OR

root:vdNPtcyOZKFAU:0:1::/:/bin/sh
guest:QWOovvLrOrb.E:100:10::/usr/guest:/bin/rsh

etc

Cracked passwords are saved in /home/USER/.john/john.pot; run john --show [HASH FILE] to print them next to their usernames.


Important Options

  • --wordlist=[FILE] (Specify the wordlist for a dictionary attack; add --rules to apply john's word-mangling rules to every word.)
  • --list=formats | grep -i [HASH TYPE] (Find the name john uses for your hash type, to pass to --format.)
  • --format=[HASH TYPE] (Force the hash type, e.g. raw-md5, nt, sha512crypt.)
  • --show (Print the cracked passwords for a hash file from john.pot.)

Note: John autodetects the format in most cases and warns when more than one format matches (a 32-character hex hash could be raw-md5 or nt, for example). If it guesses wrong, or you get that warning, pin the format with --format.


3b) Hashcat


Crack password hashes (the best tool for this).

Syntax

$ hashcat [OPTIONS] [HASH FILE] [DICTIONARY or MASK]

The HASH FILE holds one hash per line in the exact layout hashcat expects for the chosen mode; hashcat --example-hashes (or the example hashes page linked under Hash Types below) shows that layout for every mode. Unlike john, hashcat does not expect user:hash lines unless you add --username.

While it runs, press s for the status screen. Status says Cracked when every hash in the file has been recovered and Exhausted when the whole wordlist or mask was tried without finding the rest. Recovered hashes are printed as hash:password lines as they fall and saved to hashcat.potfile; hashcat --show -m [HASH TYPE] [HASH FILE] prints them again later. The Candidates line on the status screen is the range of guesses currently being tested, not the results.


Important Options

Hash Types (-m)

  • Every format has a number: -m 0 MD5, -m 100 SHA-1, -m 1000 NTLM, -m 3000 LM, -m 500 md5crypt ($1$), -m 1800 sha512crypt ($6$), -m 3200 bcrypt ($2*$). The full list, with an example hash for each, is in hashcat --help and at https://hashcat.net/wiki/doku.php?id=example_hashes.

Attack Modes (-a)

  • Dictionary = -a 0 (every word in the wordlist, optionally mangled with -r rules)
  • Combinator = -a 1 (every word of the first wordlist joined to every word of the second)
  • Brute-force/Mask = -a 3 (every string a mask describes)
  • Hybrid = -a 6 (wordlist followed by a mask, e.g. word + two digits) or -a 7 (mask followed by wordlist)

Mask Attacks

A brute-force attack restricted to a pattern. You choose a charset for each position, so the better you know the structure (length, a leading capital, trailing digits) the smaller the keyspace: a capital letter, five lowercase letters and two digits is ?u?l?l?l?l?l?d?d, about 3 x 10^10 candidates instead of 95^8 (6.6 x 10^15) for a blind eight-character brute force.

A placeholder is a ? (question mark) followed by one of the built-in charset names (l, u, d, h, H, s, a, b) or one of the custom charsets 1 to 4, which you define on the command line with -1 to -4 (for instance -1 ?l?d makes ?1 match a lowercase letter or a digit). A literal ? is written as two question marks (??); any other character in the mask is taken literally at that position.

Built-in charsets

  • ?l = abcdefghijklmnopqrstuvwxyz
  • ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • ?d = 0123456789
  • ?h = 0123456789abcdef
  • ?H = 0123456789ABCDEF
  • ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  • ?a = ?l?u?d?s (all 95 printable ASCII characters)
  • ?b = 0x00 – 0xff (every byte value)
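Added Python example, not from the page, john or hashcat: a toy cracker that reads a user:hash or passwd-style file the way john does (serving the John section above), then runs a dictionary attack (-a 0) and mask attacks (-a 3) using hashcat's placeholder syntax, including ?? and a custom charset, and reports Cracked or Exhausted the way hashcat's status line does. The hash file, passwords, wordlist and masks are constructed; the hashes are unsalted MD5 so it runs in well under a second, and the masks are deliberately tiny, since the full ?u?l?l?l?l?l?d?d keyspace of about 3 x 10^10 is what GPUs are for:

```python
import hashlib
import itertools
import math
import string

# hashcat's built-in charsets (?b, all 256 byte values, is left out: this toy works on str).
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " " + string.punctuation,  # space plus the 32 ASCII punctuation characters
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def parse_mask(mask: str, custom: dict = None) -> list:
    """One charset per position: ?l/?u/?d/... built-in, ?1..?4 custom (hashcat's -1..-4),
    ?? a literal '?', and any other character a fixed literal."""
    custom = custom or {}
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])
            i += 1
            continue
        name = mask[i + 1] if i + 1 < len(mask) else ""
        if name == "?":
            positions.append("?")
        elif name in BUILTIN or name in custom:
            positions.append(BUILTIN.get(name) or custom[name])
        else:
            raise ValueError(f"bad placeholder ?{name!r} in mask {mask!r}")
        i += 2
    return positions


def keyspace(mask: str, custom: dict = None) -> int:
    """Number of candidates the mask generates (product of the charset sizes)."""
    return math.prod(len(cs) for cs in parse_mask(mask, custom))


def mask_candidates(mask: str, custom: dict = None):
    """Enumerate every string the mask describes (hashcat -a 3)."""
    for combo in itertools.product(*parse_mask(mask, custom)):
        yield "".join(combo)


def load_hashfile(text: str) -> list:
    """user:hash lines or full passwd/shadow-style lines (hash in field two), as john reads them."""
    records = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.strip().split(":")
            records.append((fields[0], fields[1]))
    return records


def crack(records, candidates, algo: str = "md5"):
    """Hash each candidate once and match it against every remaining target (fine here because
    the hashes are unsalted). Returns (found, status, tried) worded like hashcat's status line."""
    targets = {}
    for user, digest in records:
        targets.setdefault(digest.lower(), []).append(user)
    found, tried = {}, 0
    for cand in candidates:
        if not targets:
            break
        tried += 1
        digest = hashlib.new(algo, cand.encode()).hexdigest()
        if digest in targets:
            for user in targets.pop(digest):
                found[user] = cand
    return found, "Cracked" if not targets else "Exhausted", tried


# Constructed "dump": unsalted MD5 (hashcat -m 0, john --format=raw-md5). The plaintexts
# exist only to build the file; the attack code above never looks at them.
_SECRETS = {"alice": "letmein", "rex": "Rex1999", "mallory": "abc?", "vowel": "eia7"}
HASHFILE = "# constructed sample\n" + "\n".join(
    f"{u}:{hashlib.md5(p.encode()).hexdigest()}" for u, p in _SECRETS.items()
) + ":1001:1001::/home/vowel:/bin/sh"  # last entry in passwd layout
WORDLIST = ["password", "123456", "letmein", "Winter2024"]
MASK_RUNS = [                        # kept tiny so they finish instantly
    ("Rex?d?d?d?d", None),           # known prefix plus four digits
    ("?l?l?l??", None),              # three lowercase letters then a literal '?'
    ("?1?1?1?d", {"1": "aeiou"}),    # custom charset, i.e. -1 aeiou on the command line
]


def run_attacks() -> dict:
    """-a 0 dictionary pass, then -a 3 mask passes against whatever is still uncracked."""
    records = load_hashfile(HASHFILE)
    found, status, tried = crack(records, WORDLIST)
    for mask, custom in MASK_RUNS:
        remaining = [r for r in records if r[0] not in found]
        hits, status, tried = crack(remaining, mask_candidates(mask, custom))
        found.update(hits)
        print(f"mask {mask} (keyspace {keyspace(mask, custom)}): {status} after {tried} -> {hits}")
    return found

if __name__ == "__main__":
    run_attacks()
```

The dictionary pass ends Exhausted with only alice cracked, which is the signal to move on to masks; each mask run is then fed only the hashes still standing, exactly as you would re-run hashcat against the leftovers. Compare keyspace("?l?l?l??") (17,576) with keyspace("?u?l?l?l?l?l?d?d") (30,891,577,600) to see why knowing the structure matters more than raw speed.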

3c) Hydra


Hydra is an online brute-forcer: it tries credentials against a live service (SSH, FTP, SMB, web login forms, etc.) instead of against hashes. Every guess is a real login attempt, so it is orders of magnitude slower than hashcat, shows up in the target's logs and can lock accounts out; keep the lists short and targeted.

Syntax

Basic:

$ hydra [OPTIONS] [TARGET IP]

Against SSH (or any other protocol with a login):

$ hydra [OPTIONS] [TARGET IP] [PROTOCOL]

Against a web page:

$ hydra [OPTIONS] [TARGET IP] http-post-form "[PATH_TO_LOGIN_PAGE]:[BODY_OF_POST_REQUEST]:[ERROR_MESSAGE]"

In the body, write ^USER^ and ^PASS^ where the username and password go; hydra substitutes each pair into them. The third field is the string that identifies a failed login (prefix F=, which is the default), or S= followed by a string that appears only on success. Take it from a deliberate wrong login first: if the failure string does not actually appear in the failure page, every attempt looks like a success. Use https-post-form for HTTPS.

Important Options

  • -L [FILE] (Supply a list of usernames) or -l [USER] (a single username).
  • -P [FILE] (Supply a password wordlist) or -p [PASS] (a single password).
  • -s [PORT] (Non-default port.)
  • -t [N] (Parallel connections per target; lower it for SSH, which often refuses more than a few.)
  • -f (Stop after the first valid login/password pair.)
  • -V (Show every attempt.)
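The http-post-form logic, as an added Python simulation that is not hydra's code: it starts a constructed login form on localhost, substitutes ^USER^ and ^PASS^ into the body the way hydra does, and treats any response that does not contain the failure string as a hit. The usernames, passwords and the form itself are made up for the demo. The second run uses a failure string the site never sends, to show the classic mistake: every attempt is then reported as a success.

```python
import itertools
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target: a toy login form. The attacker side below only sees its responses.
VALID_LOGINS = {"admin": "Winter2024"}
FAIL_TEXT = "Invalid username or password"

# Constructed lists, what you would hand to hydra with -L and -P.
USERS = ["root", "admin"]
PASSWORDS = ["password", "letmein", "Winter2024"]


class LoginHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if self.path == "/login" and VALID_LOGINS.get(user) == password:
            body = f"Welcome back, {user}".encode()
        else:
            body = FAIL_TEXT.encode()
        self.send_response(200)  # 200 either way: only the body tells success from failure
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server() -> HTTPServer:
    server = HTTPServer(("127.0.0.1", 0), LoginHandler)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


# Ignore any http_proxy in the environment so the localhost requests stay local.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def post_form(url: str, body_template: str, user: str, password: str) -> str:
    """Fill ^USER^ and ^PASS^ the way hydra's http-post-form module does; return the body."""
    body = (body_template.replace("^USER^", urllib.parse.quote_plus(user))
                         .replace("^PASS^", urllib.parse.quote_plus(password)))
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with _OPENER.open(req, timeout=5) as resp:
        return resp.read().decode()


def http_post_form_attack(base_url: str, spec: str, users, passwords):
    """spec is hydra's "PATH:BODY:F=failure text" (or "S=success text"). Returns (hits, attempts)."""
    path, body_template, condition = spec.split(":", 2)
    mode, text = condition[:2], condition[2:]
    if mode not in ("F=", "S="):
        raise ValueError("third field must start with F= or S=")
    hits, attempts = [], 0
    for user, password in itertools.product(users, passwords):
        attempts += 1
        page = post_form(base_url + path, body_template, user, password)
        # F=: any page without the failure text counts as a login. S=: the success text must appear.
        success = (text not in page) if mode == "F=" else (text in page)
        if success:
            hits.append((user, password))
    return hits, attempts


def run_demo(spec: str):
    """Start the constructed target, run the attack against it, tear it down."""
    server = start_server()
    try:
        base_url = f"http://127.0.0.1:{server.server_address[1]}"
        return http_post_form_attack(base_url, spec, USERS, PASSWORDS)
    finally:
        server.shutdown()
        server.server_close()


GOOD_SPEC = "/login:username=^USER^&password=^PASS^:F=Invalid username or password"
BAD_SPEC = "/login:username=^USER^&password=^PASS^:F=Wrong password"  # text the site never sends

if __name__ == "__main__":
    print("correct failure string:", run_demo(GOOD_SPEC))  # ([('admin', 'Winter2024')], 6)
    print("wrong failure string:  ", run_demo(BAD_SPEC))   # all six pairs reported as hits
```

The server answers 200 for both outcomes, which is why hydra needs the string condition at all; a target that redirects on success is a case for S= on the redirect page or for the status-code conditions hydra also supports. Six attempts against one form is the whole demo; against a real target the same loop is what fills the logs and trips lockouts.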

This will be updated accordingly with what I learn.