
Cracking

Hash identify

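# Identify the hash type before picking a cracking mode. All three tools are
# heuristic: many formats share a shape (32 hex chars may be MD5, NTLM or LM),
# so confirm the candidate against `hashcat --example-hashes` before a long run.
hash-identifier                      # interactive: paste the hash at the prompt
# or haiti-hash (Ruby gem; the binary is `haiti`)
gem install haiti-hash
haiti '<hash>'
# or name-that-hash (Python; the binary is `nth`, -t takes the hash text)
pip3 install name-that-hash
nth -t '<hash>'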

Hashcat

image

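# look up the mode number for a hash family (here the NTLM / LM entries)
hashcat -h | grep -i ntlm
# crack Windows NTLM hashes (mode 1000); hashes.txt holds one NT hash per line
hashcat -a 0 -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
# secretsdump/pwdump lines look like user:rid:lmhash:nthash::: -- keep the NT
# field only (or pass the whole file with --username, see below)
cut -d: -f4 secretsdump.txt | sort -u > nt.txt
# crack Linux sha512crypt ($6$) hashes (mode 1800); $1$ is 500, $5$ is 7400,
# bcrypt $2*$ is 3200 -- yescrypt ($y$) has no hashcat mode, use john
hashcat -a 0 -m 1800 hashes.txt /usr/share/wordlists/rockyou.txt
# print what is already cracked (read from the potfile) without re-running
hashcat -m 1000 --show hashes.txt
# NOTE: every cracked plaintext is written in clear to
# ~/.local/share/hashcat/hashcat.potfile -- treat it as loot and wipe it after the engagement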
  • --username: each line is user:hash (pwdump/secretsdump style); hashcat skips the user part when loading and prints it back with --show
  • --show: print the already-cracked hash:plaintext pairs from the potfile -- no cracking is done; give the same -m as the original run
  • -a: attack mode (0 = straight/wordlist, 1 = combinator, 3 = brute-force mask, 6/7 = hybrid wordlist+mask / mask+wordlist)
  • -m: hash type number (hashcat -h | grep -i <type>; hashcat --example-hashes shows the exact input format each mode expects)

John the Ripper

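# crack with an explicit format (NT = Windows NTLM). John auto-detects when
# --format is omitted, but several formats share a shape, so pin it
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
# list what has been cracked (read from the potfile). Pass the same --format,
# otherwise an ambiguous hash shape may give "No password hashes loaded"
john --show --format=NT hash.txt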
  • --wordlist=FILE: dictionary of candidates (add --rules to mangle each one)
  • --format: hash type (john --list=formats | grep -i <type>); john guesses when omitted, pin it when several formats share a shape
  • --show: print cracked hash:plaintext pairs from the potfile instead of cracking
  • --pot=FILE: potfile where cracked results are stored (default ~/.john/john.pot); use the same --pot with --show. It holds plaintexts -- protect or delete it after the engagement
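# Archives and keys must first be turned into a hash line john/hashcat can load.
# Use a distinct output file per input -- each `> hash` below would otherwise
# overwrite the previous one.
# zip -> $pkzip2$ / $zip2$ line
zip2john file.zip > zip.hash
# rar -> $RAR3$ / $rar5$ line
rar2john file.rar > rar.hash
# SSH private key: only a passphrase-protected key yields something to crack
# (a PEM key shows "Proc-Type: 4,ENCRYPTED"; the openssh format does not expose
# it in the header). ssh2john.py is python3 in current john builds -- python2 is
# no longer shipped on recent Kali -- and is also on PATH there as `ssh2john`
python3 /usr/share/john/ssh2john.py id_rsa > ssh.hash
# local Linux accounts: merge passwd and shadow (reading /etc/shadow needs root)
unshadow /etc/passwd /etc/shadow > shadow.hash
# then crack the produced file; john picks the format from the hash prefix
john --wordlist=/usr/share/wordlists/rockyou.txt shadow.hash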

Fcrackzip

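# dictionary attack on a ZIP: -D dictionary mode, -p the wordlist, -u really
# unzip with each candidate (drops the false positives of the cheap CRC check)
fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u file.zip
# NOTE: fcrackzip only understands legacy ZipCrypto archives. AES-encrypted
# (WinZip) zips need zip2john + john, or hashcat (13600 for WinZip AES,
# 17200-17230 for the PKZIP variants)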

MD5 Hash

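# digest of a file (first field is the hex digest, second the file name)
md5sum file.exe
# digest of a string. Use printf (or echo -n) so the trailing newline is not
# hashed -- "message" and "message\n" give different digests. This is hashing,
# not decoding: MD5 cannot be reversed, only guessed (hashcat -m 0, lookup tables)
printf '%s' "message" | md5sum
# NOTE: MD5 is collision-broken. Use it only to match a value somebody already
# published; never to vouch for integrity against an adversary -- use sha256sum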

SHA256 Hash

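# digest of a file (first field is the hex digest, second the file name)
sha256sum file.exe
# digest of a string; printf (or echo -n) keeps the trailing newline out of the
# input. This hashes the message, it does not "decode" anything
printf '%s' "message" | sha256sum
# verify downloads against a published list of "digest  filename" lines
# (this, not a bare md5sum, is the integrity check worth trusting)
sha256sum -c SHA256SUMS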

Base64 (an encoding, not a hash)

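# encode: printf (not echo) so the newline is not part of the encoded data
printf '%s' "message" | base64            # bWVzc2FnZQ==
# decode
printf '%s' "bWVzc2FnZQ==" | base64 -d    # message
# encode a file on a single line (e.g. to move it over a text-only channel)
base64 -w0 file.bin
# NOTE: base64 is reversible by anyone -- it is neither a hash nor encryption,
# and a base64 blob in a config or script hides nothing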

Generate shadow password

shadow file format

$id$salt$hash   (or $id$param$salt$hash -- a parameter field only exists for the newer schemes, e.g. $6$rounds=100000$salt$hash, bcrypt's cost in $2b$12$..., yescrypt's $y$j9T$...)
  • $1$ is md5crypt, MD5-based (hashcat -m 500)
  • $2a$ / $2b$ / $2y$ is bcrypt, Blowfish-based (hashcat -m 3200)
  • $5$ is sha256crypt, SHA-256-based (hashcat -m 7400)
  • $6$ is sha512crypt, SHA-512-based (hashcat -m 1800) -- the long-time Linux default
  • $y$ is yescrypt, the default on recent Debian/Ubuntu/Fedora; $7$ is scrypt, not yescrypt. hashcat has no yescrypt mode -- use john (its crypt format goes through the system libxcrypt)
  • no $id$ prefix at all (a 13-character value) means traditional DES crypt (hashcat -m 1500)

generate shadow password

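# md5crypt ($1$). Do not put the password on the command line: it lands in
# shell history and is visible in `ps` to every local user. Omit the password
# argument and openssl prompts for it; -stdin (shown here) reads it from a pipe
printf '%s' 'password' | openssl passwd -1 -salt saltsalt -stdin
# sha512crypt ($6$) -- what /etc/shadow should hold; run without -s to be
# prompted instead of feeding stdin. Newer mkpasswd also lists the method as
# sha512crypt and adds yescrypt; -R raises the rounds (default 5000)
printf '%s' 'password' | mkpasswd -m sha-512 -s
# openssl (1.1.1+) can do the same: -5 sha256crypt, -6 sha512crypt; without
# -salt a random salt is generated, which is what you want for a real account
openssl passwd -6 -stdin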
  • <salt>: the salt must be random, not derived from the user name. It is drawn from [a-zA-Z0-9./], 8 characters for md5crypt and up to 16 for sha256/512crypt; omitting -salt makes openssl/mkpasswd generate one. The salt is stored in the hash, so the same password and salt always reproduce the same string (handy for checking a hash) -- and a reused salt lets an attacker spot users sharing a password