# Password Cracking In this module, we’ll cover a basic attack method: password cracking. Here’s a scenario: * Attacker takes over a less important system, like a Windows computer, an IoT device, or a standalone server. * The attacker grabs all the system's password hashes. * The attacker keeps cracking password hashes until they find the original passwords. * The attacker uses stolen passwords to access important targets. We'll look at how to use Hashcat for password cracking. Hashcat is a fast and powerful tool that supports many password hash types and uses GPUs for better performance. It offers different attack modes and can automatically modify password lists to improve cracking success. Created by Jens Steube and Gabriele Gristina, Hashcat works on Windows, Linux, and UNIX systems. We can find it at [hashcat.net](https://hashcat.net/hashcat). ## Hashcat Attack Modes
Attack ModeArgumentFeature
Straight-a 0Use a dictionary wordlist, trying each word as a potential password
Combinator-a 1Use a dictionary wordlist, append each word to every other word as a potential password (specify 2 dictionaries or the same file twice)
Brute-force (mask attack)-a 3Specify a pattern of passwords and Hashcat tries each. Complex syntax but very powerful!
Hybrid Wordlist + Mask-a 6Combines wordlist and mask attack (append mask to each word in wordlist)
Hybrid Mask + Wordlist-a 7Same as mode 6, prepend mask to each word in wordlist
Hashcat has six attack modes: 1. **Straight**: Uses a wordlist where each word is tried as a password. This is the default mode. 2. **Combinator**: Combines words from two wordlists or the same list twice to guess passwords. 3. **Brute-force (mask)**: Tries passwords based on a specific pattern we set, useful for complex passwords. 4. **Hybrid Wordlist + Mask**: Adds a pattern to each word from the wordlist. 5. **Hybrid Mask + Wordlist**: Adds a pattern in front of each word from the wordlist. 6. **Association**: Uses hints like usernames or cracked passwords to quickly test against hashed passwords. ## Autodetect Password Hash Types Hashcat has six attack modes. To crack a password, Hashcat needs to know the hash type. We can set the hash type manually with the `-m` option or let Hashcat detect it automatically. Hash modes are numbered from two to five digits. We can use `hashcat -h` to see all supported modes, or `hashcat -h | grep string` to find specific ones, like `hashcat -h | grep oracle` for Oracle-related hash modes. ```bash $ hashcat --identify hashes.txt ``` Hashcat tries to figure out the hash type by checking the hash length or format. If there are multiple hash types in a file, Hashcat will list them and ask you to choose one. If there's only one hash and Hashcat thinks it knows the type, it will start cracking it automatically. To test the hash type without cracking, use the `--identify` option. Let's jump into a Lightning Labs event to reinforce this learning objective. 1\) There are many ways to hash passwords. Let's start with an example from a Linux system. Display the contents of the password hash in the file linuxuser. ```bash cat linuxuser ```
2\) Using a simple command-line, Hashcat will use a file with one or more password hashes and a wordlist to identify the hash type and start cracking the password. Try it now: ```bash hashcat linuxuser wordlist ```
3\) Hashcat can be a bit noisy by default. Re-run the previous command, this time adding --quiet to suppress some of the output. ```bash hashcat --quiet linuxuser wordlist ```
In this output, Hashcat points out that we didn't specify a hash mode with -m, so it used mode autodetect to select a hash mode automatically. Since the hash file is well-structured and uses the $1 marker, Hashcat detects this hash type as md5crypt (mode 500). 4\) Let's take a look at another sample hash file, this time taken from an Apache web server used to password-protect a directory. Display the contents of the htpasswd file. ```bash cat htpasswd ```
This file is similarly-configured to a UNIX password hash, but uses a different hash type marker of $apr1. This marker indicates an Apache-specific hash function. 5\) Try to crack the password in the htpasswd hash file using Hashcat. ```bash hashcat --quiet htpasswd wordlist ```
Here, Hashcat is not successful in performing hash mode autodetection. However, we can help Hashcat by indicating that the hash value in the hash file also includes a username. 6\) Re-run the previous command, this time adding --username to tell Hashcat to expect a username in addition to the hash itself. ```bash hashcat --quiet --username htpasswd wordlist ```
This time Hashcat correctly identifies the hash mode as an Apache MD5 hash, and cracks the password. When using Hashcat autodetect, if the hash file includes username information, you can supply `--username` to help Hashcat decode the data. While it isn't always needed, it doesn't hurt to specify `--username` when the hash file includes username information. 7\) Sometimes a file will have multiple hash types in one file. Let's see how Hashcat mode autodetect handles that situation. Display the contents of the shadow file. ```bash cat shadow ```
8\) This file has 4 entries, each with a different hash type. Use Hashcat mode autodetect on the file. ```bash hashcat --quiet shadow wordlist ```
Hashcat recognizes that there are multiple hash types and displays the list of matching hash modes. To continue, you need to select the hash mode you want to attack with -m. 9\) Repeat the previous command, this time specifying hash mode 7400 (sha256crypt). ```bash hashcat --quiet -m 7400 shadow wordlist ```
Note that Hashcat uses the specified hash mode to crack the password, but warns about the other hashes, and how they don't match the specified hash mode. This is OK, but recognize that to crack the remaining hash types you will need to specify the correct hash mode values. ## Hashcat Attack Modes ⎼ By Example Hashcat has six attack modes. To see how it works, we'll use data from a hacked Windows server. We can try this yourself on Windows or Linux. Let's download the hash file from and the wordlist from . ```bash wget https://www.willhackforsushi.com/sec504/hashes.txt wget https://www.willhackforsushi.com/sec504/words.txt ``` ## Straight Attack The Straight attack mode, used with the -a 0 option, tries passwords from a list, one per line. If the password is in the list, Hashcat will find it quickly. ```bash hashcat -m 1000 -a 0 hashes.txt words.tx ```
## Combinator Attack The Combinator attack mode uses `-a 1`. It combines words from two lists: a small list and a large list. For example, it uses the `printf` tool to create a file with words like SANS, sans, STI, sti, dog, and cat, each on a new line. It then combines each word from one list with each word from the other list. ```bash printf "SANS\nsans\nSTI\nsti\ndog\ncat" >words2.txt hashcat -m 1000 -a 1 hashes.txt words.txt words2.txt ```
Combining words like this greatly boosts the number of possible passwords. For example, even though the `words.txt` file has 384 million passwords, the total number of guesses is 2.304 billion (384 million times 6 for each word in `words2.txt`). Hashcat was able to crack the password `!@#$%^&*()sans`. ## Mask Attack Hashcat's brute-force attack (mask attack) involves setting the format of the password you want to crack. Instead of using a list of words, Hashcat tries every possible password that fits your specified pattern. A mask attack is useful when an attacker knows the password rules of an organization. For example, if the rule says passwords must be at least 8 characters long and include one lowercase letter, one uppercase letter, and one number, the attacker can use this information to try and guess the password more effectively. With this policy, users often create passwords with a capital letter at the start followed by numbers, like Jennifer11 or Tcpking1111. To crack these types of passwords, you can use Hashcat masks for various lengths. For example, to target passwords with an uppercase letter, five lowercase letters, and two numbers, use the Hashcat mask: ?u?l?l?l?l?l?d?d. It might seem complex, but it's effective. ```bash $ hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?l?l?d?d hashcat (v5.1.0) starting... OpenCL Platform #1: NVIDIA Corporation ====================================== * Device #1: Tesla K80, 2860/11441 MB allocatable, 13MCU b38bfcc8eb6b29a8efa9c81e22ac55cc:Tcpsyn02 Approaching final keyspace - workload adjusted. Session..........: hashcat Status...........: Exhausted Hash.Type........: NTLM Hash.Target......: hashes.txt Time.Started.....: Wed Mar 13 18:10:20 2019 (13 secs) Time.Estimated...: Wed Mar 13 18:10:33 2019 (0 secs) Guess.Mask.......: ?u?l?l?l?l?l?d?d [8] Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 2268.1 MH/s (0.83ms) @ Accel:64 Loops:32 Thr:1024 Vec:1 ``` In the Hashcat mask attack, we use a mask to try different password patterns: one uppercase letter (?u), five lowercase letters (?l?l?l?l?l), and two numbers (?d?d). This pattern cracks the password in 13 seconds. If it doesn’t work for all passwords, an attacker might try a different pattern, like one uppercase letter, six lowercase letters, and a special character (?u?l?l?l?l?l?l?s). Being creative and keeping track of used patterns helps in matching common password rules. ## Hybrid Wordlist + Mask Attack The Hashcat Hybrid Wordlist + Mask attack combines a wordlist attack with a mask attack, adding a mask (like special characters followed by digits) to each word in the list. We used the mask `?s?d`, and it cracked the victim's password in a few minutes. ```bash hashcat -m 1000 -a 6 hashes.txt words.txt ?s?d ```
## Hybrid Mask + Wordlist Attack Finally, the Hybrid Mask + Wordlist attack operates similarly, except that the mask is prepended to each word in the wordlist file. ```bash hashcat -m 1000 -a 7 hashes.txt ?d?d?d?d words.txt ```
## Hashcat Potfile, Show, Left, User When Hashcat cracks a password, it saves the plaintext password in a file called `hashcat.potfile`. This file is stored in Hashcat's profile directory, usually found at `~/.hashcat`, `~/.local/share/hashcat`, or where Hashcat is installed. Storing cracked passwords and their hashes in the potfile helps Hashcat skip re-cracking and lets you review results. Use `--show` to see cracked passwords from the potfile and `--left` to view hashes that weren't cracked. Adding `--user` shows usernames with the passwords or hashes. Since the potfile contains sensitive data, use a secure file deletion tool like GNU shred when you're done. ```bash $ hashcat -m 1000 windows.hashes --left --user chippisley:c8c5be17a9c744ff004c38dd637a328e mhutton:6018d7fc83d35f003afab9c56dbec55c ``` ## Preparation: Disable LANMAN Authentication You can stop LANMAN hashes from being saved on a system by setting the NoLMHash registry key. Once set, LANMAN hashes won't be stored when users change their passwords.
## Preparation: Password Complexity Tools You can check how weak passwords are in your organization by using `ntdsutil` and Hashcat to audit them. For more insights, use the Domain Password Audit Tool (DPAT) from [GitHub](https://github.com/clr2of8/DPAT). In Windows, you can enforce password complexity using the Active Directory Users and Computers tool. Here's how: 1. Right-click the domain and choose "Properties." 2. Go to the "Group Policy" tab. 3. Open the "Default Domain Policy." 4. Navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy. 5. Enable "Passwords must meet complexity requirements." These settings will take effect the next time policies are applied to your domain controllers. To prevent brute force attacks and password cracking, password length is more important than using a mix of character types. Setting a minimum password length of 20 or 30 characters encourages users to create passphrases, which are easier to remember and type, and harder to crack than short, complex passwords. On UNIX systems, PAM (Pluggable Authentication Modules) is used to enforce password rules or connect to external authentication systems like RADIUS, Kerberos, or MFA tools like Cisco Duo, Okta, or RSA. Avoid 90-day password reset policies. While it seems like a good idea to change passwords often, it usually leads to weaker passwords or people writing them down. Many organizations still follow this outdated practice from old NIST guidelines, ## Deploy Multi-Factor Authentication There are three ways to stop password hash cracking: use strong passwords, protect password hashes with security tools, or make the hashes useless to attackers. While the first two are easier, they don't fully solve the issue. The best solution is using multi-factor authentication (MFA), which requires two or more ways to verify identity.
## Lab 3.3: Hashcat In this lab exercise, we will conduct an assessment of domain passwords for the Falsimentis wholly-owned subsidiary Wardrobe99. We will use Hashcat to recover the password hash data retrieved from the Wardrobe99 domain controller. For the rst part of this lab exercise, we'll add some temporary users with passwords to the Slingshot Linux system. ```bash sudo addtmpusers ``` Now let's copy the /etc/shadow file to our home directory for password cracking. ```bash sudo cp /etc/shadow slingshot.hashes sudo chown sec504:sec504 slingshot.hashes ```
Now let's identity the type of the password hashes using `--identify` argument. ```bash hashcat slingshot.hashes --identify ```
When we use the `--identify` argument, Hashcat looks at the file we specify and shows which hash modes it finds in that file. We can then pick a hash mode to use with `-m` in our next Hashcat attack. Let's use Hashcat to crack passwords, starting with the easiest type: DES crypt (descrypt) hashes. We'll work through each hash mode listed before. ```bash hashcat -a 0 -m 1500 slingshot.hashes /usr/share/wordlists/passwords.txt ```
Let's break down this command: * `-a 0`: Run a straight attack, like cracking password hashes with a list of possible passwords. * `-m 1500` : Use hash mode 1500 (DES crypt password hashes) A "token length exception" warning in Hashcat means it can't read a password hash for the chosen hash mode. Usually, this happens with accounts that don’t have a password hash, like the root account, so these warnings can be safely ignored. In the previous Hashcat command, we might have seen the cracked password. We can get that info later using the Hashcat `--show` command. ```bash hashcat -m 1500 slingshot.hashes --show ```
By removing the attack type and the password list, then add `--show`. Hashcat will then read the cracked passwords and show each hash with its cracked password, separated by a colon. Let's add `--user` to display the username, the password hash, and the cracked password. ```bash hashcat -m 1500 slingshot.hashes --show --user ```
This output helps us by showing the username for each cracked password quickly. The `--left` command shows how many password hashes are still left for the given hash type. ```bash hashcat -m 1500 slingshot.hashes --left --user ```
Next, let's continue to use Hashcat, but change the hash mode to 500 to target the MD5 crypt hashes. ```bash hashcat -a 0 -m 500 slingshot.hashes /usr/share/wordlists/passwords.txt ```
1\) Which usernames did Hashcat recover passwords for? ```bash hashcat -m 500 slingshot.hashes --user --show ```
Answer: prosa, ayoshie, and ejonah 2\) Which usernames did Hashcat not recover passwords for? ```bash hashcat -m 500 slingshot.hashes --user --left ```
Answer: ghajsson, rlucian, and jviktori Next, we’ll use Hashcat techniques to crack passwords from a Windows domain. Let's use Hashcat to check the strength of Windows domain passwords. First, run the `secretsdump.py` script to extract password hashes from the Active Directory database (NTDS.dit) and the SYSTEM registry. Then, use Hashcat to recover the passwords. ```bash secretsdump.py -system registry/SYSTEM -ntds "Active Directory/ntds.dit" LOCAL -outputfile w99 -history ```
An attacker might ignore old passwords since they can't access current systems. However, cracking these old passwords can reveal patterns, which can help in password reuse attacks. ```bash ls w99* ```
We'll focus on the password hashes in the w99.ntds. Before cracking passwords, let's check the password hash file for LANMAN hashes. We can use the `awk` command with `sort` and `uniq` in Linux to count how many unique LANMAN hashes are in the `w99.ntds` file. ```bash cat w99.ntds | awk -F: '{print $3}' | sort | uniq -c ```
The result shows only one hash, the empty LANMAN password (aad3b435b51404eeaad3b435b51404ee), so we can skip LANMAN cracking and focus on NT hashes instead. The w99.ntds file contains NT passwords for all domain users, including machine accounts. Machine account passwords are long, random, and change often, making them hard to crack. To speed up Hashcat, it's best to exclude these from the password hash list. Machine account names end in $ followed by the colon delimiter. Let's remove these accounts using sed. ```bash sed -i '/$:/d' w99.ntds ```
Let's break down this command: * `sed -i` : directly edit a file in place. * `'/$:/d'`: Finds any line containing "$:" (like WIN-93C2ORV5KSP$: for a domain machine account) and deletes that line. ### Crack NT Passwords - Basic Wordlist Next, let's start Hashcat to crack NT passwords using auto-detect hash mode and a wordlist attack (attack type 0). ```bash hashcat -a 0 w99.ntds /usr/share/wordlists/passwords.txt ```
Let's examine the cracked passwords again with Hashcat's `--show` command. ```bash hashcat w99.ntds --show --user ```
Many user accounts have "\_history" followed by a number. This is the format secretsdump.py uses to show old passwords from NTDS data, making them easy to process with Hashcat. ### Crack NT Passwords - Mask Attack Hashcat's mask attack lets us define a password pattern, and Hashcat will try every possible password that fits that pattern. Since the Wardrobe99 passwords are from a Windows Active Directory, we can assume they follow basic Windows password rules, which include: * At least 8 characters in length * At least one uppercase letter * At least one lowercase letter * At least one digit Users usually create passwords with an initial uppercase letter, followed by lowercase letters, and ending with a digit, totaling 8 characters. Not everyone follows this pattern, but we can use Hashcat to test passwords matching this pattern without needing a wordlist. Hashcat's mask attack uses symbols to show the format of each password position: * ?l = abcdefghijklmnopqrstuvwxyz * ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ * ?d = 0123456789 * ?s = !"#$%&'()\*+,-./:;<=>?@\[]^\_\`{|}\~ * ?a = ?l?u?d?s * ?b = 0x00 - 0x Let's try the mask attack on the Wardrobe99 passwords. ```bash hashcat -a 3 w99.ntds ?u?l?l?l? l?l?l?d ```
The mask value ?u?l?l?l?l?l?l?d finds 83 more passwords from the hash list. Hashcat gets 410 passwords in total, but only counts unique ones. Attackers often use different mask patterns to find even more passwords. ### Crack NT Passwords - Wordlist & Rules We've tried a simple wordlist attack and a Hashcat mask attack. Another method is using a wordlist attack with a rules file that creates common password variations. ```bash hashcat -a 0 w99.ntds /usr/share/wordlists/passwords.txt -r /opt/hashcat/rules/best64.rule ```
The best64 rule tries 64 variations of each word in the list, like reversing it or changing letter cases, to see if it matches the target hash. This finds 10 more user passwords for the Wardrobe99 domain. This lab shows how attackers use Hashcat to recover Windows domain passwords. Defenders can use the same steps to check user passwords for security. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://faresbltagy.gitbook.io/footprintinglabs/sans-sec504-and-labs/book-three/password-cracking.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.