Cracking Password

Here I will not include hashcat as it's never worked for me or maybe I don't know how to use it properly, sorry for inconvenient :(

Identify hash

In kali,

hash-identifier <<HASH>>

hashid <<HASH>>

Note: also try putting hash in single quotes

Online,

• https://www.tunnelsup.com/hash-analyzer/

• http://www.onlinehashcrack.com/hash-identification.php

• https://md5hashing.net/hash_type_checker

Online tools

findmyhash

findmyhash LM -h 6c3d4c343f999422aad3b435b51404ee:bcd477bfdb45435a34c6a38403ca4364

Cracking

• Crackstation https://crackstation.net/

• Hashkiller https://hashkiller.co.uk/

• Hashes, WPA2 captures, and archives MSOffice, ZIP, PDF <https://www.onlinehashcrack.com/>

• Google hashes Search pastebin.

MD5 Hash

john --wordlist=/usr/share/wordlists/rockyou.txt -format=Raw-MD5 /root/Desktop/john.txt

/etc/shadow root hashes

$ echo '$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVl aXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0' > hash.txt'

$ john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.t xt hash.txt

Linux shadow passwd

$ unshadow passwd-file.txt shadow-file.txt > unshadowed.txt

$ john --rules --wordlist=wordlist.txt unshadowed.txt

id_rsa

# First convert the private key into hash format with ssh2john
ssh2john id_rsa > id_rsa.hash

# And then use john to crack it -
john --wordlist=darkweb2017-top10.txt id_rsa.hash

Window SAM file

john --wordlist=/usr/share/john/password.lst /root/Desktop/hashes.txt

Others file format

zip

fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip

zip2john file.zip > zip.john

john zip.john

Use zip2john and crack the pasword

7z

cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z

#Download and install requirements for 7z2john

wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl

apt-get install libcompress-raw-lzma-perl

./7z2john.pl file.7z > 7zhash.john

PDF

apt-get install pdfcrack

pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
#pdf2john didnt worked well, john didnt know which hash type was

#To permanently decrypt the pdf

sudo apt-get install qpdf

qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf

JWT

git clone https://github.com/Sjord/jwtcrack.git

cd jwtcrack

#Bruteforce using crackjwt.py

python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

#Bruteforce using john

python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john

john jwt.john #It does not work with Kali-John

NTLM cracking

Get-LocalUser

We can use various commands to extract passwords from the system. One of the most common Mimikatz commands is sekurlsa::logonpasswords, which attempts to extract plaintext passwords and password hashes from all available sources. Since this generates a huge amount of output, we'll instead use lsadump::sam, which will extract the NTLM hashes from the SAM. For this command, we must first enter token::elevate to elevate to SYSTEM user privileges.

We must have the SeDebugPrivilege access right enabled for sekurlsa::logonpasswords and lsadump::sam. We'll enable this with privilege::debug.

.\mimikatz.exe

# privilege::debug

# token::elevate

# lsadump::sam

Format:USUARIO:ID:HASH_LM:HASH_NT:::

john --wordlist=/usr/share/wordlists/rockyou.txt --fomrat=NT file_NTLM.hashes

hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot

For this example we'll use the rockyou.txt wordlist with the best64.rule rule file, which contains 64 effective rules.

Let's provide all arguments and values to the hashcat command to start the cracking process.

kali@kali:~/attack$ hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

NTLM Simple Cracking:

hashcat -m 1000 user.hash /usr/share/wordlists/rockyou.txt --force

user.hash content:

2892d26cdf84d7a70e2eb3b9f05c425e

Keepass

sudo apt-get install -y kpcli #Install keepass tools like keepass2john

keepass2john file.kdbx > hash #The keepass is only using password

keepass2john -k <file-password> file.kdbx > hash # The keepas is also using a file as a needed credential

#The keepass can use password and/or a file as credentials, if it is using both you need to provide them to keepass2john

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Hashcat more info:

Since many users simply append a "1" to a password that requires a numerical value, let's create a rule file containing $1 to append a "1" to all passwords in our wordlist. We'll create a demo.rule with this rule function. We need to escape the special character "$" to echo it into the file correctly.

kali@kali:~/attack$ echo \$1 > demo.rule

Now, we can use hashcat with our wordlist mutation, providing the rule file with -r, and --stdout, which starts Hashcat in debugging mode. In this mode, Hashcat will not attempt to crack any hashes, but merely display the mutated passwords.

kali@kali:~/attack$ hashcat -r demo.rule --stdout demo.txt

The listing shows that a "1" was appended to each password according to the rule function $1.

In demo1.rule, the rule functions are on the same line separated by a space. In this case, Hashcat will use them consecutively on each password of the wordlist. The result is that the first character of each password is capitalized AND a "1" is appended to each password.

In demo2.rule the rule functions are on separate lines. Hashcat interprets the second rule function, on the second line, as new rule. In this case, each rule is used separately, resulting in two mutated passwords for every password from the wordlist.

kali@kali:~/attack$ cat demo1.rule     
$1 c
       
kali@kali:~/attack$ hashcat -r demo1.rule --stdout demo.txt
Password1
Iloveyou1
Princess1
Rockyou1
Abc1231

kali@kali:~/attack$ cat demo2.rule   
$1
c

kali@kali:~/attack$ hashcat -r demo2.rule --stdout demo.txt
password1
Password
iloveyou1
Iloveyou
princess1
Princess
...

Good! We have adapted the demo1.rule rule file to two of the three password policies. Let's work on the third and add a special character. We'll start with "!", which is a very common special character.

Based on this assumption, we'll add $! to our rule file. Since we want all rule functions applied to every password, we need to specify the functions on the same line. Again, we will demonstrate this with two different rule files to stress the concept of combining rule functions. In the first rule file we'll add $! to the end of the first rule. In the second rule file we'll add it at the beginning of the rule.

kali@kali:~/attack$ cat demo1.rule     
$1 c $!

kali@kali:~/attack$ hashcat -r demo1.rule --stdout demo.txt
Password1!
Iloveyou1!
Princess1!
Rockyou1!
Abc1231!

kali@kali:~/attack$ cat demo2.rule   
$! $1 c

kali@kali:~/attack$ hashcat -r demo2.rule --stdout demo.txt
Password!1
Iloveyou!1
Princess!1
Rockyou!1
Abc123!1

The output shows that demo1.rule mutates passwords by appending first the "1" and then "!". The other rule file, demo2.rule, appends "!" first and then the "1". This shows us that the rule functions are applied from left to right in a rule.

The rule contained in demo1.rule mutates the passwords of our wordlist to fulfill the requirements of the password policy.

Now that we have a basic understanding of rules and how to create them, let's crack a hash with a rule-based attack. In this demonstration, let's assume that we retrieved the MD5 hash "f621b6c9eab51a3e2f4e167f2dasd6860" from a target system. We'll use the rockyou.txt wordlist, and modify it for a password policy requiring an upper case letter, a numerical value, and a special character.

Let's create a rule file to address this password policy. As before, we'll use the c rule function for the capitalization of the first letter. Furthermore, we also use "!" again as special character. For the numerical values we'll append the (ever-popular) "1", "2", and "123" followed by the special character.

kali@kali:~/attack$ cat crackme.txt     
f621b6c9eab51a3e2f4e167f2dasd6860

kali@kali:~/attack$ cat demo3.rule   
$1 c $!
$2 c $!
$1 $2 $3 c $!

Next, we can run Hashcat. We will disable debugging by removing the --stdout argument. Instead, we'll specify -m, which sets the hash type. In this demonstration, we want to crack MD5, which is hash type 0, which we retrieved from the Hashcat hash example page. After the hash type, we'll provide the target MD5 hash file (crackme.txt) and the rockyou.txt wordlist. Then, we'll specify -r to provide our demo3.rule. Since our Kali VM does not have access to a GPU, we'll also enter --force to ignore related warnings from Hashcat.

kali@kali:~/attack$ hashcat -m 0 crackme.txt /usr/share/wordlists/rockyou.txt -r demo3.rule --force

Instead of manually creating rules, we can also use rules provided by Hashcat or other sources. Hashcat includes a variety of effective rules in /usr/share/hashcat/rules:

kali@kali:~/attack$ ls -la /usr/share/hashcat/rules/

Based on the analysis, we'll create our rules. We'll use c for the capitalization of the first letter and $1 $3 $7 for the numerical values. To address the special characters, we'll create rules to append the different special characters $!, $@, and $#.

kali@kali:~/attack$ cat ssh.rule
c $1 $3 $7 $!
c $1 $3 $7 $@
c $1 $3 $7 $#

John the Ripper:

/usr/share/john/ssh2john.py mario.key > sshkey.txt

To be able to use the previously created rules in JtR, we need to add a name for the rules and append them to the /etc/john/john.conf configuration file. For this demonstration, we'll name the rule sshRules with a "List.Rules" rule naming syntax (as shown in Listing 34). We'll use sudo and sh -c to append the contents of our rule file into /etc/john/john.conf.

kali@kali:~/attack$ cat ssh.rule
[List.Rules:sshRules]
c $1 $3 $7 $!
c $1 $3 $7 $@
c $1 $3 $7 $#

kali@kali:~/attack$ sudo sh -c 'cat /home/kali/attack/ssh.rule >> /etc/john/john.conf'

Now that we've successfully added our sshRules to the JtR configuration file, we can use john to crack the passphrase in the final step of our methodology. We'll define our wordlist with --wordlist=ssh.passwords, select the previously created rule with --rules=sshRules, and provide the hash of the private key as the final argument, ssh.hash.

kali@kali:~/attack$ john --wordlist=ssh.passwords --rules=sshRules ssh.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Umbrella137!     (?)     
1g 0:00:00:00 DONE (2022-05-30 11:19) 1.785g/s 32.14p/s 32.14c/s 32.14C/s Window137!..Umbrella137#
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

We successfully cracked the private key passphrase! Excellent!

As expected, the "Nutrella137!" password satisfied the password policy requirements and also matched brave personal preferences and habits. This is no surprise, since users rarely change their password patterns.

Now, let's use the passphrase to SSH into the target system.

kali@kali:~/attack$ ssh -i id_rsa -p 2222 [email protected]
Enter passphrase for key 'id_rsa':
Welcome to Alpine!

d12dasd:~$

We successfully connected to the target system by providing the correct passphrase to the private key.