New to cybersecurity? Do you want to be on his attacking side? As a member of the red team, you learn many techniques and tactics that help you perform the cyber kill chain activities. One such task is privilege elevation, where you get password hashes.
hashcat is a powerful and versatile tool that brute force stored credentials using known hashes by conducting various attack modes. The article covers this password cracking utility used by penetration testers, system administrators, spies or hackers to find passwords.
What are hashes?
Hash is a one-way mathematical function or unique identifier that returns a fixed-length output, regardless of the size/length of the input. It is therefore an irreversible process that does not require a key as in encryption to decrypt the hash value.
The most common purpose of hashing is to ensure data integrity against tampering during data transmission. The hash properties are as follows:
- Offers fast calculation
- Good algorithms avoid the same output for different inputs
- They are deterministic
- Small changes in the input greatly influence the output hash value
Why use hashcat?
hashcat is a multi-threaded utility that allows you to configure the number of threads and limit execution based on priority. It supports over 300 hashing algorithms such as MD4, MD5, SHA1, SHA512, bcrypt, HMAC-SHA512, NTLM, MySQL, WHIRLPOOL, among others. It is available for all types of operating systems including Windows, Linux, Unix, and BSD.
Ways to crack password hashes using hashcat
hashcat offers a variety of attack modes (Combiner, rule-based, brute-force guessing, hybrid, and dictionary attacks) to provide better coverage. Here is an explanation of some attacks that hashcat uses to crack hashed passwords:
- brute force attack: A brute force attack uses all possible character combinations to determine the exact password. However, it has a limitation of maximum password length and number of characters. Additionally, an advanced level of brute force attack can also optimize time by making complexity assumptions. For example, an advanced brute-force technique might assume that the first character is more likely to be uppercase and numbers are more likely to appear at the end of a password, etc.
- Dictionary attack: A dictionary attack uses a precomputed list of passwords based on information gathered around the target or an observed pattern among users. Therefore, it takes some of the most commonly used passwords and adds a few permutations to them to increase the range.
- hybrid attack: The hybrid is a combination of the attacks described above, as it checks if the password is “crackable” via a dictionary attack and switches to the brute force technique, if it is not possible.
How to install hashcat on Linux
hashcat is available by default in Kali Linux. To install it on Ubuntu and Debian:
sudo apt-get update
sudo apt-get install hashcatOn Fedora, CentOS, and other RHEL-based distributions:
sudo dnf update
sudo dnf install hashcatTo install hashcat on Arch Linux:
sudo pacman -Syu
sudo pacman -S hashcatAfter installation, use the help command to list all available options:
hashcat --helpSome hashcat options and their descriptions are as follows:
| Choice | The description |
|---|---|
| -m | The type of hash with a default value of 0, i.e. MD5 hash |
| -a | Attack type, 0 for direct attack, 2 for combination and 3 for brute force attack |
| -o | Store the cracked password in an output file |
| word list | Requires password list path to match and decrypt hashes |
To note: Before working with hashcat, make sure your system meets its hardware requirements. Check the official website for more details.
Crack hashes from /etc/shadow file in Linux
The /etc/shadow file stores scrambled or hashed values of all user passwords on Linux. It is a critical file with strict access permissions; it is and should only be accessible by the root account.
Therefore, if you encounter readable text /etc/shadow file through any regular user account, you can get hash value of root account and decrypt password hash using hashcat utility.
For demonstration purposes, switch to the root account and create a new user account Alice to understand how hashcat works:
sudo su
sudo useradd -c "Alice" aliceCreate a password using the passwd command:
passwd aliceCheck the hashed password value inside the /etc/shadow file as follows:
cut -d: -f1 /etc/shadow | grep aliceTo go out:
alice:$y$j9T$TANXgpk59y8r3jgPbDl/w/$UqiK6yahwqfyqhcegWLa1.z64TyePP5.VQpUnLqI3VD:19023:0:99999:7::
The hash in the output above starts from “Alice:” from ; save it in a new file hash.txt.
You can go to the hashcat website to identify the type of hash function and the associated reference value. The SHA512 hash mode is usually identified by the $6$ term and has a reference value of 1800.
You can also find the encryption method in the login.defs to file:
grep ENCRYPT_METHOD /etc/login.defs
Next, check the associated value of the hash function using the hashcat command as follows:
hashcat -h | grep sha512
Now use the hashcat utility to decrypt the hash with the -a flag for attack mode, -m hint for hash reference value (because it does not support hash function name), hash.txt file path and a path to the wordlist rockyou.txt.
hashcat -m 1800 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
To go out:
.
.
$y$j9T$TANXgpk59y8r3jgPbDl/w/$UqiK6yahwqfyqhcegWLa1.z64TyePP5.VQpUnLqI3VD:12345
.
.
To note: On Kali Linux, the rockyou.txt the file is available by default in the /usr/share/wordlists phone book. You can also use other wordlists by running the following command in the terminal:
locate wordlists | lessTo go out:
However, for other Linux distributions, you will need to download the rockyou.txt GitHub repository file as follows:
wget https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/rockyou-20.txtCrack passwords in Linux with hashcat
A well-constructed authentication system does not store user passwords in plain text and in plain sight, as they can lead to security breaches. A better authentication mechanism stores passwords as hashes in secure and inaccessible files. However, a password cracker such as hashcat is designed to crack or guess passwords using different attack modes.
This article details the ways a penetration tester should know to crack hashed passwords using the hashcat utility. As a red teamer, it is necessary to understand the techniques an attacker can use to compromise authentication controls and provide guidance on covering system vulnerabilities.
Read more
About the Author
