Password Cracking

In this module, we’ll cover a basic attack method: password cracking. Here’s a scenario:

  • Attacker takes over a less important system, like a Windows computer, an IoT device, or a standalone server.

  • The attacker grabs all the system's password hashes.

  • The attacker keeps cracking password hashes until they find the original passwords.

  • The attacker uses stolen passwords to access important targets.

We'll look at how to use Hashcat for password cracking. Hashcat is a fast and powerful tool that supports many password hash types and uses GPUs for better performance. It offers different attack modes and can automatically modify password lists to improve cracking success. Created by Jens Steube and Gabriele Gristina, Hashcat works on Windows, Linux, and UNIX systems. We can find it at hashcat.net.

Hashcat Attack Modes

Attack ModeArgumentFeature

Straight

-a 0

Use a dictionary wordlist, trying each word as a potential password

Combinator

-a 1

Use a dictionary wordlist, append each word to every other word as a potential password (specify 2 dictionaries or the same file twice)

Brute-force (mask attack)

-a 3

Specify a pattern of passwords and Hashcat tries each. Complex syntax but very powerful!

Hybrid Wordlist + Mask

-a 6

Combines wordlist and mask attack (append mask to each word in wordlist)

Hybrid Mask + Wordlist

-a 7

Same as mode 6, prepend mask to each word in wordlist

Hashcat has six attack modes:

  1. Straight: Uses a wordlist where each word is tried as a password. This is the default mode.

  2. Combinator: Combines words from two wordlists or the same list twice to guess passwords.

  3. Brute-force (mask): Tries passwords based on a specific pattern we set, useful for complex passwords.

  4. Hybrid Wordlist + Mask: Adds a pattern to each word from the wordlist.

  5. Hybrid Mask + Wordlist: Adds a pattern in front of each word from the wordlist.

  6. Association: Uses hints like usernames or cracked passwords to quickly test against hashed passwords.

Autodetect Password Hash Types

Hashcat has six attack modes. To crack a password, Hashcat needs to know the hash type. We can set the hash type manually with the -m option or let Hashcat detect it automatically. Hash modes are numbered from two to five digits. We can use hashcat -h to see all supported modes, or hashcat -h | grep string to find specific ones, like hashcat -h | grep oracle for Oracle-related hash modes.

$ hashcat --identify hashes.txt

Hashcat tries to figure out the hash type by checking the hash length or format. If there are multiple hash types in a file, Hashcat will list them and ask you to choose one. If there's only one hash and Hashcat thinks it knows the type, it will start cracking it automatically. To test the hash type without cracking, use the --identify option.

Let's jump into a Lightning Labs event to reinforce this learning objective.

1) There are many ways to hash passwords. Let's start with an example from a Linux system. Display the contents of the password hash in the file linuxuser.

cat linuxuser

2) Using a simple command-line, Hashcat will use a file with one or more password hashes and a wordlist to identify the hash type and start cracking the password. Try it now:

hashcat linuxuser wordlist

3) Hashcat can be a bit noisy by default. Re-run the previous command, this time adding --quiet to suppress some of the output.

hashcat --quiet linuxuser wordlist

In this output, Hashcat points out that we didn't specify a hash mode with -m, so it used mode autodetect to select a hash mode automatically.

Since the hash file is well-structured and uses the $1 marker, Hashcat detects this hash type as md5crypt (mode 500).

4) Let's take a look at another sample hash file, this time taken from an Apache web server used to password-protect a directory. Display the contents of the htpasswd file.

cat htpasswd

This file is similarly-configured to a UNIX password hash, but uses a different hash type marker of $apr1. This marker indicates an Apache-specific hash function.

5) Try to crack the password in the htpasswd hash file using Hashcat.

hashcat --quiet htpasswd wordlist

Here, Hashcat is not successful in performing hash mode autodetection. However, we can help Hashcat by indicating that the hash value in the hash file also includes a username.

6) Re-run the previous command, this time adding --username to tell Hashcat to expect a username in addition to the hash itself.

hashcat --quiet --username htpasswd wordlist

This time Hashcat correctly identifies the hash mode as an Apache MD5 hash, and cracks the password.

When using Hashcat autodetect, if the hash file includes username information, you can supply --username to help Hashcat decode the data. While it isn't always needed, it doesn't hurt to specify --username when the hash file includes username information.

7) Sometimes a file will have multiple hash types in one file. Let's see how Hashcat mode autodetect handles that situation. Display the contents of the shadow file.

cat shadow

8) This file has 4 entries, each with a different hash type. Use Hashcat mode autodetect on the file.

hashcat --quiet shadow wordlist

Hashcat recognizes that there are multiple hash types and displays the list of matching hash modes. To continue, you need to select the hash mode you want to attack with -m.

9) Repeat the previous command, this time specifying hash mode 7400 (sha256crypt).

hashcat --quiet -m 7400 shadow wordlist

Note that Hashcat uses the specified hash mode to crack the password, but warns about the other hashes, and how they don't match the specified hash mode. This is OK, but recognize that to crack the remaining hash types you will need to specify the correct hash mode values.

Hashcat Attack Modes ⎼ By Example

Hashcat has six attack modes. To see how it works, we'll use data from a hacked Windows server. We can try this yourself on Windows or Linux. Let's download the hash file from https://www.willhackforsushi.com/sec504/hashes.txt and the wordlist from https://www.willhackforsushi.com/sec504/words.txt.

wget https://www.willhackforsushi.com/sec504/hashes.txt
wget https://www.willhackforsushi.com/sec504/words.txt

Straight Attack

The Straight attack mode, used with the -a 0 option, tries passwords from a list, one per line. If the password is in the list, Hashcat will find it quickly.

hashcat -m 1000 -a 0 hashes.txt words.tx

Combinator Attack

The Combinator attack mode uses -a 1. It combines words from two lists: a small list and a large list. For example, it uses the printf tool to create a file with words like SANS, sans, STI, sti, dog, and cat, each on a new line. It then combines each word from one list with each word from the other list.

printf "SANS\nsans\nSTI\nsti\ndog\ncat" >words2.txt
hashcat -m 1000 -a 1 hashes.txt words.txt words2.txt

Combining words like this greatly boosts the number of possible passwords. For example, even though the words.txt file has 384 million passwords, the total number of guesses is 2.304 billion (384 million times 6 for each word in words2.txt). Hashcat was able to crack the password !@#$%^&*()sans.

Mask Attack

Hashcat's brute-force attack (mask attack) involves setting the format of the password you want to crack. Instead of using a list of words, Hashcat tries every possible password that fits your specified pattern.

A mask attack is useful when an attacker knows the password rules of an organization. For example, if the rule says passwords must be at least 8 characters long and include one lowercase letter, one uppercase letter, and one number, the attacker can use this information to try and guess the password more effectively.

With this policy, users often create passwords with a capital letter at the start followed by numbers, like Jennifer11 or Tcpking1111. To crack these types of passwords, you can use Hashcat masks for various lengths. For example, to target passwords with an uppercase letter, five lowercase letters, and two numbers, use the Hashcat mask: ?u?l?l?l?l?l?d?d. It might seem complex, but it's effective.

$ hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?l?l?d?d

hashcat (v5.1.0) starting...
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: Tesla K80, 2860/11441 MB allocatable, 13MCU
b38bfcc8eb6b29a8efa9c81e22ac55cc:Tcpsyn02
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: NTLM
Hash.Target......: hashes.txt
Time.Started.....: Wed Mar 13 18:10:20 2019 (13 secs)
Time.Estimated...: Wed Mar 13 18:10:33 2019 (0 secs)
Guess.Mask.......: ?u?l?l?l?l?l?d?d [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2268.1 MH/s (0.83ms) @ Accel:64 Loops:32 Thr:1024 Vec:1

In the Hashcat mask attack, we use a mask to try different password patterns: one uppercase letter (?u), five lowercase letters (?l?l?l?l?l), and two numbers (?d?d). This pattern cracks the password in 13 seconds. If it doesn’t work for all passwords, an attacker might try a different pattern, like one uppercase letter, six lowercase letters, and a special character (?u?l?l?l?l?l?l?s). Being creative and keeping track of used patterns helps in matching common password rules.

Hybrid Wordlist + Mask Attack

The Hashcat Hybrid Wordlist + Mask attack combines a wordlist attack with a mask attack, adding a mask (like special characters followed by digits) to each word in the list. We used the mask ?s?d, and it cracked the victim's password in a few minutes.

hashcat -m 1000 -a 6 hashes.txt words.txt ?s?d

Hybrid Mask + Wordlist Attack

Finally, the Hybrid Mask + Wordlist attack operates similarly, except that the mask is prepended to each word in the wordlist file.

hashcat -m 1000 -a 7 hashes.txt ?d?d?d?d words.txt

Hashcat Potfile, Show, Left, User

When Hashcat cracks a password, it saves the plaintext password in a file called hashcat.potfile. This file is stored in Hashcat's profile directory, usually found at ~/.hashcat, ~/.local/share/hashcat, or where Hashcat is installed.

Storing cracked passwords and their hashes in the potfile helps Hashcat skip re-cracking and lets you review results. Use --show to see cracked passwords from the potfile and --left to view hashes that weren't cracked. Adding --user shows usernames with the passwords or hashes. Since the potfile contains sensitive data, use a secure file deletion tool like GNU shred when you're done.

$ hashcat -m 1000 windows.hashes --left --user

chippisley:c8c5be17a9c744ff004c38dd637a328e
mhutton:6018d7fc83d35f003afab9c56dbec55c

Preparation: Disable LANMAN Authentication

You can stop LANMAN hashes from being saved on a system by setting the NoLMHash registry key. Once set, LANMAN hashes won't be stored when users change their passwords.

Preparation: Password Complexity Tools

You can check how weak passwords are in your organization by using ntdsutil and Hashcat to audit them. For more insights, use the Domain Password Audit Tool (DPAT) from GitHub.

In Windows, you can enforce password complexity using the Active Directory Users and Computers tool. Here's how:

  1. Right-click the domain and choose "Properties."

  2. Go to the "Group Policy" tab.

  3. Open the "Default Domain Policy."

  4. Navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

  5. Enable "Passwords must meet complexity requirements."

These settings will take effect the next time policies are applied to your domain controllers.

To prevent brute force attacks and password cracking, password length is more important than using a mix of character types. Setting a minimum password length of 20 or 30 characters encourages users to create passphrases, which are easier to remember and type, and harder to crack than short, complex passwords. On UNIX systems, PAM (Pluggable Authentication Modules) is used to enforce password rules or connect to external authentication systems like RADIUS, Kerberos, or MFA tools like Cisco Duo, Okta, or RSA.

Avoid 90-day password reset policies. While it seems like a good idea to change passwords often, it usually leads to weaker passwords or people writing them down. Many organizations still follow this outdated practice from old NIST guidelines,

Deploy Multi-Factor Authentication

There are three ways to stop password hash cracking: use strong passwords, protect password hashes with security tools, or make the hashes useless to attackers. While the first two are easier, they don't fully solve the issue. The best solution is using multi-factor authentication (MFA), which requires two or more ways to verify identity.

Lab 3.3: Hashcat

In this lab exercise, we will conduct an assessment of domain passwords for the Falsimentis wholly-owned subsidiary Wardrobe99. We will use Hashcat to recover the password hash data retrieved from the Wardrobe99 domain controller.

For the rst part of this lab exercise, we'll add some temporary users with passwords to the Slingshot Linux system.

sudo addtmpusers

Now let's copy the /etc/shadow file to our home directory for password cracking.

sudo cp /etc/shadow slingshot.hashes
sudo chown sec504:sec504 slingshot.hashes

Now let's identity the type of the password hashes using --identify argument.

hashcat slingshot.hashes --identify

When we use the --identify argument, Hashcat looks at the file we specify and shows which hash modes it finds in that file. We can then pick a hash mode to use with -m in our next Hashcat attack.

Let's use Hashcat to crack passwords, starting with the easiest type: DES crypt (descrypt) hashes. We'll work through each hash mode listed before.

hashcat -a 0 -m 1500 slingshot.hashes /usr/share/wordlists/passwords.txt

Let's break down this command:

  • -a 0: Run a straight attack, like cracking password hashes with a list of possible passwords.

  • -m 1500 : Use hash mode 1500 (DES crypt password hashes)

A "token length exception" warning in Hashcat means it can't read a password hash for the chosen hash mode. Usually, this happens with accounts that don’t have a password hash, like the root account, so these warnings can be safely ignored.

In the previous Hashcat command, we might have seen the cracked password. We can get that info later using the Hashcat --show command.

hashcat -m 1500 slingshot.hashes --show

By removing the attack type and the password list, then add --show. Hashcat will then read the cracked passwords and show each hash with its cracked password, separated by a colon.

Let's add --user to display the username, the password hash, and the cracked password.

hashcat -m 1500 slingshot.hashes --show --user

This output helps us by showing the username for each cracked password quickly.

The --left command shows how many password hashes are still left for the given hash type.

hashcat -m 1500 slingshot.hashes --left --user

Next, let's continue to use Hashcat, but change the hash mode to 500 to target the MD5 crypt hashes.

hashcat -a 0 -m 500 slingshot.hashes /usr/share/wordlists/passwords.txt

1) Which usernames did Hashcat recover passwords for?

hashcat -m 500 slingshot.hashes --user --show

Answer: prosa, ayoshie, and ejonah

2) Which usernames did Hashcat not recover passwords for?

hashcat -m 500 slingshot.hashes --user --left

Answer: ghajsson, rlucian, and jviktori

Next, we’ll use Hashcat techniques to crack passwords from a Windows domain.

Let's use Hashcat to check the strength of Windows domain passwords. First, run the secretsdump.py script to extract password hashes from the Active Directory database (NTDS.dit) and the SYSTEM registry. Then, use Hashcat to recover the passwords.

secretsdump.py -system registry/SYSTEM -ntds "Active Directory/ntds.dit" LOCAL -outputfile w99 -history

An attacker might ignore old passwords since they can't access current systems. However, cracking these old passwords can reveal patterns, which can help in password reuse attacks.

ls w99*

We'll focus on the password hashes in the w99.ntds.

Before cracking passwords, let's check the password hash file for LANMAN hashes. We can use the awk command with sort and uniq in Linux to count how many unique LANMAN hashes are in the w99.ntds file.

cat w99.ntds | awk -F: '{print $3}' | sort | uniq -c

The result shows only one hash, the empty LANMAN password (aad3b435b51404eeaad3b435b51404ee), so we can skip LANMAN cracking and focus on NT hashes instead.

The w99.ntds file contains NT passwords for all domain users, including machine accounts. Machine account passwords are long, random, and change often, making them hard to crack. To speed up Hashcat, it's best to exclude these from the password hash list.

Machine account names end in $ followed by the colon delimiter. Let's remove these accounts using sed.

sed -i '/$:/d' w99.ntds

Let's break down this command:

  • sed -i : directly edit a file in place.

  • '/$:/d': Finds any line containing "$:" (like WIN-93C2ORV5KSP$: for a domain machine account) and deletes that line.

Crack NT Passwords - Basic Wordlist

Next, let's start Hashcat to crack NT passwords using auto-detect hash mode and a wordlist attack (attack type 0).

hashcat -a 0 w99.ntds /usr/share/wordlists/passwords.txt

Let's examine the cracked passwords again with Hashcat's --show command.

hashcat w99.ntds --show --user

Many user accounts have "_history" followed by a number. This is the format secretsdump.py uses to show old passwords from NTDS data, making them easy to process with Hashcat.

Crack NT Passwords - Mask Attack

Hashcat's mask attack lets us define a password pattern, and Hashcat will try every possible password that fits that pattern.

Since the Wardrobe99 passwords are from a Windows Active Directory, we can assume they follow basic Windows password rules, which include:

  • At least 8 characters in length

  • At least one uppercase letter

  • At least one lowercase letter

  • At least one digit

Users usually create passwords with an initial uppercase letter, followed by lowercase letters, and ending with a digit, totaling 8 characters. Not everyone follows this pattern, but we can use Hashcat to test passwords matching this pattern without needing a wordlist.

Hashcat's mask attack uses symbols to show the format of each password position:

  • ?l = abcdefghijklmnopqrstuvwxyz

  • ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ

  • ?d = 0123456789

  • ?s = !"#$%&'()*+,-./:;<=>?@[]^_`{|}~

  • ?a = ?l?u?d?s

  • ?b = 0x00 - 0x

Let's try the mask attack on the Wardrobe99 passwords.

hashcat -a 3 w99.ntds ?u?l?l?l? l?l?l?d

The mask value ?u?l?l?l?l?l?l?d finds 83 more passwords from the hash list. Hashcat gets 410 passwords in total, but only counts unique ones. Attackers often use different mask patterns to find even more passwords.

Crack NT Passwords - Wordlist & Rules

We've tried a simple wordlist attack and a Hashcat mask attack. Another method is using a wordlist attack with a rules file that creates common password variations.

hashcat -a 0 w99.ntds /usr/share/wordlists/passwords.txt -r /opt/hashcat/rules/best64.rule

The best64 rule tries 64 variations of each word in the list, like reversing it or changing letter cases, to see if it matches the target hash. This finds 10 more user passwords for the Wardrobe99 domain.

This lab shows how attackers use Hashcat to recover Windows domain passwords. Defenders can use the same steps to check user passwords for security.

PreviousUnderstanding Password HashesNextCloud Spotlight: Insecure Storage

Last updated