Password Cracking
In this module, we’ll cover a basic attack method: password cracking. Here’s a scenario:
Attacker takes over a less important system, like a Windows computer, an IoT device, or a standalone server.
The attacker grabs all the system's password hashes.
The attacker keeps cracking password hashes until they find the original passwords.
The attacker uses stolen passwords to access important targets.
We'll look at how to use Hashcat for password cracking. Hashcat is a fast and powerful tool that supports many password hash types and uses GPUs for better performance. It offers different attack modes and can automatically modify password lists to improve cracking success. Created by Jens Steube and Gabriele Gristina, Hashcat works on Windows, Linux, and UNIX systems. We can find it at hashcat.net.
Hashcat Attack Modes
Straight
-a 0
Use a dictionary wordlist, trying each word as a potential password
Combinator
-a 1
Use a dictionary wordlist, append each word to every other word as a potential password (specify 2 dictionaries or the same file twice)
Brute-force (mask attack)
-a 3
Specify a pattern of passwords and Hashcat tries each. Complex syntax but very powerful!
Hybrid Wordlist + Mask
-a 6
Combines wordlist and mask attack (append mask to each word in wordlist)
Hybrid Mask + Wordlist
-a 7
Same as mode 6, prepend mask to each word in wordlist
Hashcat has six attack modes:
Straight: Uses a wordlist where each word is tried as a password. This is the default mode.
Combinator: Combines words from two wordlists or the same list twice to guess passwords.
Brute-force (mask): Tries passwords based on a specific pattern we set, useful for complex passwords.
Hybrid Wordlist + Mask: Adds a pattern to each word from the wordlist.
Hybrid Mask + Wordlist: Adds a pattern in front of each word from the wordlist.
Association: Uses hints like usernames or cracked passwords to quickly test against hashed passwords.
Autodetect Password Hash Types
Hashcat has six attack modes. To crack a password, Hashcat needs to know the hash type. We can set the hash type manually with the -m
option or let Hashcat detect it automatically. Hash modes are numbered from two to five digits. We can use hashcat -h
to see all supported modes, or hashcat -h | grep string
to find specific ones, like hashcat -h | grep oracle
for Oracle-related hash modes.
Hashcat tries to figure out the hash type by checking the hash length or format. If there are multiple hash types in a file, Hashcat will list them and ask you to choose one. If there's only one hash and Hashcat thinks it knows the type, it will start cracking it automatically. To test the hash type without cracking, use the --identify
option.
Let's jump into a Lightning Labs event to reinforce this learning objective.
1) There are many ways to hash passwords. Let's start with an example from a Linux system. Display the contents of the password hash in the file linuxuser.
2) Using a simple command-line, Hashcat will use a file with one or more password hashes and a wordlist to identify the hash type and start cracking the password. Try it now:
3) Hashcat can be a bit noisy by default. Re-run the previous command, this time adding --quiet to suppress some of the output.
In this output, Hashcat points out that we didn't specify a hash mode with -m, so it used mode autodetect to select a hash mode automatically.
Since the hash file is well-structured and uses the $1 marker, Hashcat detects this hash type as md5crypt (mode 500).
4) Let's take a look at another sample hash file, this time taken from an Apache web server used to password-protect a directory. Display the contents of the htpasswd file.
This file is similarly-configured to a UNIX password hash, but uses a different hash type marker of $apr1. This marker indicates an Apache-specific hash function.
5) Try to crack the password in the htpasswd hash file using Hashcat.
Here, Hashcat is not successful in performing hash mode autodetection. However, we can help Hashcat by indicating that the hash value in the hash file also includes a username.
6) Re-run the previous command, this time adding --username to tell Hashcat to expect a username in addition to the hash itself.
This time Hashcat correctly identifies the hash mode as an Apache MD5 hash, and cracks the password.
When using Hashcat autodetect, if the hash file includes username information, you can supply --username
to help Hashcat decode the data. While it isn't always needed, it doesn't hurt to specify --username
when the hash file includes username information.
7) Sometimes a file will have multiple hash types in one file. Let's see how Hashcat mode autodetect handles that situation. Display the contents of the shadow file.
8) This file has 4 entries, each with a different hash type. Use Hashcat mode autodetect on the file.
Hashcat recognizes that there are multiple hash types and displays the list of matching hash modes. To continue, you need to select the hash mode you want to attack with -m.
9) Repeat the previous command, this time specifying hash mode 7400 (sha256crypt).
Note that Hashcat uses the specified hash mode to crack the password, but warns about the other hashes, and how they don't match the specified hash mode. This is OK, but recognize that to crack the remaining hash types you will need to specify the correct hash mode values.
Hashcat Attack Modes ⎼ By Example
Hashcat has six attack modes. To see how it works, we'll use data from a hacked Windows server. We can try this yourself on Windows or Linux. Let's download the hash file from https://www.willhackforsushi.com/sec504/hashes.txt and the wordlist from https://www.willhackforsushi.com/sec504/words.txt.
Straight Attack
The Straight attack mode, used with the -a 0 option, tries passwords from a list, one per line. If the password is in the list, Hashcat will find it quickly.
Combinator Attack
The Combinator attack mode uses -a 1
. It combines words from two lists: a small list and a large list. For example, it uses the printf
tool to create a file with words like SANS, sans, STI, sti, dog, and cat, each on a new line. It then combines each word from one list with each word from the other list.
Combining words like this greatly boosts the number of possible passwords. For example, even though the words.txt
file has 384 million passwords, the total number of guesses is 2.304 billion (384 million times 6 for each word in words2.txt
). Hashcat was able to crack the password !@#$%^&*()sans
.
Mask Attack
Hashcat's brute-force attack (mask attack) involves setting the format of the password you want to crack. Instead of using a list of words, Hashcat tries every possible password that fits your specified pattern.
A mask attack is useful when an attacker knows the password rules of an organization. For example, if the rule says passwords must be at least 8 characters long and include one lowercase letter, one uppercase letter, and one number, the attacker can use this information to try and guess the password more effectively.
With this policy, users often create passwords with a capital letter at the start followed by numbers, like Jennifer11 or Tcpking1111. To crack these types of passwords, you can use Hashcat masks for various lengths. For example, to target passwords with an uppercase letter, five lowercase letters, and two numbers, use the Hashcat mask: ?u?l?l?l?l?l?d?d. It might seem complex, but it's effective.
In the Hashcat mask attack, we use a mask to try different password patterns: one uppercase letter (?u), five lowercase letters (?l?l?l?l?l), and two numbers (?d?d). This pattern cracks the password in 13 seconds. If it doesn’t work for all passwords, an attacker might try a different pattern, like one uppercase letter, six lowercase letters, and a special character (?u?l?l?l?l?l?l?s). Being creative and keeping track of used patterns helps in matching common password rules.
Hybrid Wordlist + Mask Attack
The Hashcat Hybrid Wordlist + Mask attack combines a wordlist attack with a mask attack, adding a mask (like special characters followed by digits) to each word in the list. We used the mask ?s?d
, and it cracked the victim's password in a few minutes.
Hybrid Mask + Wordlist Attack
Finally, the Hybrid Mask + Wordlist attack operates similarly, except that the mask is prepended to each word in the wordlist file.
Hashcat Potfile, Show, Left, User
When Hashcat cracks a password, it saves the plaintext password in a file called hashcat.potfile
. This file is stored in Hashcat's profile directory, usually found at ~/.hashcat
, ~/.local/share/hashcat
, or where Hashcat is installed.
Storing cracked passwords and their hashes in the potfile helps Hashcat skip re-cracking and lets you review results. Use --show
to see cracked passwords from the potfile and --left
to view hashes that weren't cracked. Adding --user
shows usernames with the passwords or hashes. Since the potfile contains sensitive data, use a secure file deletion tool like GNU shred when you're done.
Preparation: Disable LANMAN Authentication
You can stop LANMAN hashes from being saved on a system by setting the NoLMHash registry key. Once set, LANMAN hashes won't be stored when users change their passwords.
Preparation: Password Complexity Tools
You can check how weak passwords are in your organization by using ntdsutil
and Hashcat to audit them. For more insights, use the Domain Password Audit Tool (DPAT) from GitHub.
In Windows, you can enforce password complexity using the Active Directory Users and Computers tool. Here's how:
Right-click the domain and choose "Properties."
Go to the "Group Policy" tab.
Open the "Default Domain Policy."
Navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.
Enable "Passwords must meet complexity requirements."
These settings will take effect the next time policies are applied to your domain controllers.
To prevent brute force attacks and password cracking, password length is more important than using a mix of character types. Setting a minimum password length of 20 or 30 characters encourages users to create passphrases, which are easier to remember and type, and harder to crack than short, complex passwords. On UNIX systems, PAM (Pluggable Authentication Modules) is used to enforce password rules or connect to external authentication systems like RADIUS, Kerberos, or MFA tools like Cisco Duo, Okta, or RSA.
Avoid 90-day password reset policies. While it seems like a good idea to change passwords often, it usually leads to weaker passwords or people writing them down. Many organizations still follow this outdated practice from old NIST guidelines,
Deploy Multi-Factor Authentication
There are three ways to stop password hash cracking: use strong passwords, protect password hashes with security tools, or make the hashes useless to attackers. While the first two are easier, they don't fully solve the issue. The best solution is using multi-factor authentication (MFA), which requires two or more ways to verify identity.
Lab 3.3: Hashcat
In this lab exercise, we will conduct an assessment of domain passwords for the Falsimentis wholly-owned subsidiary Wardrobe99. We will use Hashcat to recover the password hash data retrieved from the Wardrobe99 domain controller.
For the rst part of this lab exercise, we'll add some temporary users with passwords to the Slingshot Linux system.
Now let's copy the /etc/shadow file to our home directory for password cracking.
Now let's identity the type of the password hashes using --identify
argument.
When we use the --identify
argument, Hashcat looks at the file we specify and shows which hash modes it finds in that file. We can then pick a hash mode to use with -m
in our next Hashcat attack.
Let's use Hashcat to crack passwords, starting with the easiest type: DES crypt (descrypt) hashes. We'll work through each hash mode listed before.
Let's break down this command:
-a 0
: Run a straight attack, like cracking password hashes with a list of possible passwords.-m 1500
: Use hash mode 1500 (DES crypt password hashes)
A "token length exception" warning in Hashcat means it can't read a password hash for the chosen hash mode. Usually, this happens with accounts that don’t have a password hash, like the root account, so these warnings can be safely ignored.
In the previous Hashcat command, we might have seen the cracked password. We can get that info later using the Hashcat --show
command.
By removing the attack type and the password list, then add --show
. Hashcat will then read the cracked passwords and show each hash with its cracked password, separated by a colon.
Let's add --user
to display the username, the password hash, and the cracked password.
This output helps us by showing the username for each cracked password quickly.
The --left
command shows how many password hashes are still left for the given hash type.
Next, let's continue to use Hashcat, but change the hash mode to 500 to target the MD5 crypt hashes.
1) Which usernames did Hashcat recover passwords for?
Answer: prosa, ayoshie, and ejonah
2) Which usernames did Hashcat not recover passwords for?
Answer: ghajsson, rlucian, and jviktori
Next, we’ll use Hashcat techniques to crack passwords from a Windows domain.
Let's use Hashcat to check the strength of Windows domain passwords. First, run the secretsdump.py
script to extract password hashes from the Active Directory database (NTDS.dit) and the SYSTEM registry. Then, use Hashcat to recover the passwords.
An attacker might ignore old passwords since they can't access current systems. However, cracking these old passwords can reveal patterns, which can help in password reuse attacks.
We'll focus on the password hashes in the w99.ntds.
Before cracking passwords, let's check the password hash file for LANMAN hashes. We can use the awk
command with sort
and uniq
in Linux to count how many unique LANMAN hashes are in the w99.ntds
file.
The result shows only one hash, the empty LANMAN password (aad3b435b51404eeaad3b435b51404ee), so we can skip LANMAN cracking and focus on NT hashes instead.
The w99.ntds file contains NT passwords for all domain users, including machine accounts. Machine account passwords are long, random, and change often, making them hard to crack. To speed up Hashcat, it's best to exclude these from the password hash list.
Machine account names end in $ followed by the colon delimiter. Let's remove these accounts using sed.
Let's break down this command:
sed -i
: directly edit a file in place.'/$:/d'
: Finds any line containing "$:" (like WIN-93C2ORV5KSP$: for a domain machine account) and deletes that line.
Crack NT Passwords - Basic Wordlist
Next, let's start Hashcat to crack NT passwords using auto-detect hash mode and a wordlist attack (attack type 0).
Let's examine the cracked passwords again with Hashcat's --show
command.
Many user accounts have "_history" followed by a number. This is the format secretsdump.py uses to show old passwords from NTDS data, making them easy to process with Hashcat.
Crack NT Passwords - Mask Attack
Hashcat's mask attack lets us define a password pattern, and Hashcat will try every possible password that fits that pattern.
Since the Wardrobe99 passwords are from a Windows Active Directory, we can assume they follow basic Windows password rules, which include:
At least 8 characters in length
At least one uppercase letter
At least one lowercase letter
At least one digit
Users usually create passwords with an initial uppercase letter, followed by lowercase letters, and ending with a digit, totaling 8 characters. Not everyone follows this pattern, but we can use Hashcat to test passwords matching this pattern without needing a wordlist.
Hashcat's mask attack uses symbols to show the format of each password position:
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !"#$%&'()*+,-./:;<=>?@[]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0x
Let's try the mask attack on the Wardrobe99 passwords.
The mask value ?u?l?l?l?l?l?l?d finds 83 more passwords from the hash list. Hashcat gets 410 passwords in total, but only counts unique ones. Attackers often use different mask patterns to find even more passwords.
Crack NT Passwords - Wordlist & Rules
We've tried a simple wordlist attack and a Hashcat mask attack. Another method is using a wordlist attack with a rules file that creates common password variations.
The best64 rule tries 64 variations of each word in the list, like reversing it or changing letter cases, to see if it matches the target hash. This finds 10 more user passwords for the Wardrobe99 domain.
This lab shows how attackers use Hashcat to recover Windows domain passwords. Defenders can use the same steps to check user passwords for security.
Last updated