Identify types of password hashes and apply various techniques to efficiently recover plaintext passwords. Most passwords are stored in a hash format, and cracking tools use brute force or some sort of dictionary (wordlist) as input.
- Encoding, Encryption and Hashing:
  - Encoding – transform data into a publicly known format for efficient processing (e.g., base64, hex, file conversions, etc.); no secret is involved, so anyone can reverse it.
  - Encryption – transform data into a format that provides confidentiality using secret keys that must be protected (e.g., AES, RSA, etc.).
  - Hash – one-way function applied to data (a message) to produce a fixed-size hash value (aka digest or checksum) used to verify data integrity; unlike encryption there is no key and no decryption step.
- Password Formats:
  - Plain text (aka cleartext) – data that is transmitted or stored unencrypted ("in the clear").
  - Password hash – approach for storing passwords in the format `$id$salt$hash`, where the id selects the hashing algorithm.
  - Salt – random data added to a password or passphrase before hashing, so that identical passwords produce different stored hashes and precomputed tables cannot be reused.
- Other Related Concepts:
  - Rainbow Table – precomputed table for reversing hash functions, usually used for cracking password hashes.
  - Dictionary (Wordlist) – large list of commonly used words and phrases used as input to a dictionary attack.
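The following is an added example (not part of the original notes) that shows why the salt in `$id$salt$hash` matters. It uses a deliberately simple stand-in scheme, SHA-256 over salt + password with a made-up id of `toy`, rather than a real crypt(3) algorithm, and a constructed five-word list in place of rockyou.txt. An unsalted digest is reversed with one lookup in a precomputed table (the rainbow-table idea), while a salted entry forces the work to be redone per entry against the wordlist.

```python
import hashlib
import secrets

# Added example, not from the original notes. The scheme here is a deliberately
# simple stand-in: hash = SHA-256(salt + password), written in the $id$salt$hash
# layout with the made-up id "toy". Real /etc/shadow entries use crypt(3)
# algorithms (e.g. $6$ = sha512crypt), which are far slower by design.

def new_salt(nbytes=8):
    """Random salt from the OS CSPRNG; 16 hex chars for 8 bytes."""
    return secrets.token_hex(nbytes)

def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt):
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$toy${salt}${digest}"

def build_lookup_table(wordlist):
    """Precompute unsalted digest -> plaintext once (the idea behind a rainbow table)."""
    return {unsalted_hash(w): w for w in wordlist}

def crack_unsalted(digest, table):
    """Reversing an unsalted hash is a single dictionary lookup."""
    return table.get(digest)

def crack_salted(stored, wordlist):
    """With a salt every candidate must be re-hashed per stored entry; the
    precomputed table is useless and the cost scales with entries x wordlist size."""
    _, _, salt, _ = stored.split("$")
    for candidate in wordlist:
        if salted_hash(candidate, salt) == stored:
            return candidate
    return None

# Constructed sample wordlist standing in for rockyou.txt.
WORDLIST = ["password", "letmein", "sunshine", "qwerty", "dragon"]

def demo(password="sunshine"):
    table = build_lookup_table(WORDLIST)
    from_table = crack_unsalted(unsalted_hash(password), table)
    entry_a = salted_hash(password, "a1b2c3d4e5f60718")
    entry_b = salted_hash(password, "0f1e2d3c4b5a6978")
    # Same password for two users gives two different stored values.
    digests_differ = entry_a != entry_b
    # Neither salted digest appears in the unsalted lookup table.
    table_hit = entry_a.split("$")[3] in table or entry_b.split("$")[3] in table
    return from_table, digests_differ, table_hit, crack_salted(entry_a, WORDLIST)

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the plaintext found by table lookup, whether the two salted entries differ, whether either salted digest was in the table, and the result of the per-entry dictionary run against the salted value.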
- Linux Passwd & Shadow Files:
Recommended CTF Password Cracking Steps:
- CTF password challenges frequently involve hash cracking using hashcat with special wordlists, masks and/or rules applied.
- Read the challenge carefully for clues.
- Determine how and where the password is stored.
  - The hash format is most common.
  - On Linux the hash id, salt and hashed passwords are stored in the /etc/shadow file.
- Determine the hash type to set the hash mode (-m) in hashcat (e.g., SHA, MD4, MD5, etc.):
  - Look at the /etc/shadow file or ….
  - Use Hash-Identifier (Kali).
- Identify any password rules that can be applied to the character set (e.g., length, alpha/numeric characters, upper/lower case, special characters, special words, etc.).
- Determine the hashcat attack mode:
  - Dictionary (-a 0)
  - Combination (-a 1)
  - Mask (-a 3)
  - Hybrid (-a 6 and -a 7)
- Identify the wordlist needed for dictionary, combination and hybrid modes (e.g., rockyou.txt, etc.).
- Store the password hashes in an input file (e.g., [PW_FILE]).
- Set up and run hashcat (apply attack mode, hash mode, input file, wordlist & mask) – see examples below.
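The steps above, carried through as an added example that is not part of the original notes: pull the hash field out of a constructed /etc/shadow line, guess the hash type from the `$id$` prefix or the raw hex length, turn a password rule such as "one uppercase, four lowercase, two digits" into a hashcat mask, and assemble the hashcat command line for each attack mode. The `-m` numbers are hashcat's real mode ids for these formats; the classification heuristic, the helper names, the sample shadow line and the placeholder hash are this example's own, and the rule-file path is the location Kali uses for hashcat's bundled rules.

```python
import re

# Added example, not from the original notes. hashcat mode ids (-m) for the
# formats most often seen in CTFs; the length/prefix heuristic is this example's own.
CRYPT_IDS = {
    "1": ("md5crypt", 500),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
    "2a": ("bcrypt", 3200),
    "2b": ("bcrypt", 3200),
    "2y": ("bcrypt", 3200),
}
# Raw unsalted hex digests can only be guessed from length. A 32-hex value may be
# MD5 (-m 0) or NTLM (-m 1000) depending on where it came from, so the source matters.
RAW_HEX_BY_LENGTH = {
    32: ("MD5 (NTLM, -m 1000, if it came from a Windows SAM/NTDS dump)", 0),
    40: ("SHA-1", 100),
    64: ("SHA-256", 1400),
    128: ("SHA-512", 1700),
}
ATTACK_MODES = {"dictionary": 0, "combination": 1, "mask": 3,
                "hybrid_wl_mask": 6, "hybrid_mask_wl": 7}
# hashcat built-in charsets: ?l lower, ?u upper, ?d digit, ?s special, ?a all.
MASK_CHARSETS = {"l": "?l", "u": "?u", "d": "?d", "s": "?s", "a": "?a"}

def parse_shadow_line(line):
    """Return (username, hash_field) from one /etc/shadow line; the hash is field 2."""
    fields = line.strip().split(":")
    return fields[0], fields[1]

def identify(hash_str):
    """Guess (name, hashcat_mode) from a crypt-style $id$salt$hash or a raw hex digest."""
    h = hash_str.strip()
    if h.startswith("$"):
        crypt_id = h.split("$")[1]
        return CRYPT_IDS.get(crypt_id, (f"unknown crypt id ${crypt_id}$", None))
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return RAW_HEX_BY_LENGTH.get(len(h), ("unknown raw hex digest", None))
    return ("unknown format", None)

def build_mask(spec):
    """Turn a rule description such as 'ulllldd' (upper, 4 lower, 2 digits) into a hashcat mask."""
    return "".join(MASK_CHARSETS[c] for c in spec)

def hashcat_argv(mode, attack, hash_file, wordlists=(), mask=None, rules=None):
    """Assemble the hashcat command line; positional argument order follows hashcat's usage."""
    argv = ["hashcat", "-m", str(mode), "-a", str(ATTACK_MODES[attack]), hash_file]
    if attack == "dictionary":
        argv += [wordlists[0]]
        if rules:
            argv += ["-r", rules]
    elif attack == "combination":
        argv += list(wordlists[:2])
    elif attack == "mask":
        argv += [mask]
    elif attack == "hybrid_wl_mask":
        argv += [wordlists[0], mask]
    elif attack == "hybrid_mask_wl":
        argv += [mask, wordlists[0]]
    return argv

# Constructed sample shadow line with a placeholder hash (not a real credential).
SAMPLE_SHADOW = "ctfuser:$6$xyzsalt$PLACEHOLDERHASH:19000:0:99999:7:::"

if __name__ == "__main__":
    user, h = parse_shadow_line(SAMPLE_SHADOW)
    name, mode = identify(h)
    print(user, name, mode)
    rockyou = "/usr/share/wordlists/rockyou.txt"
    print(" ".join(hashcat_argv(mode, "dictionary", "hashes.txt", [rockyou],
                                rules="/usr/share/hashcat/rules/best64.rule")))
    print(" ".join(hashcat_argv(mode, "hybrid_wl_mask", "hashes.txt", [rockyou],
                                mask=build_mask("dd"))))
```

Only the command line is built here; nothing is executed, so the script runs without hashcat installed and can be checked against the attack-mode list before the real run.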
Recommended CTF Tools
- Hash Cracking:
- Password Cracking:
  - John the Ripper – Linux, Unix, OS X and Windows; the tool can detect weak passwords.
  - rockyou.txt wordlist – contains 14m unique passwords used in 32m accounts. Part of the Kali installation.
  - fcrackzip (Kali tool) – cracks zip file passwords with a dictionary attack.
  - Wfuzz – web application password cracking tool using brute force. Also finds hidden directories, servlets and scripts.
  - THC Hydra – fast network logon password cracking tool. Windows, Linux, BSD, Solaris and OS X; supports many protocols.
  - Ophcrack – open-source (GPL licensed) program that cracks Windows (Windows XP, Vista or 7) log-in passwords using LM hashes through rainbow tables.
- Wordlists shipped with Kali:
  - dnsmap.txt -> `/usr/share/dnsmap/wordlist_TLAs.txt`
  - fasttrack.txt -> `/usr/share/set/src/fasttrack/wordlist.txt`
  - fern-wifi -> `/usr/share/fern-wifi-cracker/extras/wordlists`
  - metasploit -> `/usr/share/metasploit-framework/data/wordlists`
  - nmap.lst -> `/usr/share/nmap/nselib/data/passwords.lst`
  - sqlmap.txt -> `/usr/share/sqlmap/txt/wordlist.txt`
  - wfuzz -> `/usr/share/wfuzz/wordlist`
  - hashcat -> `/usr/share/wordlists/rockyou.txt`
- Password Cracking by Nikita Zaitsev
- Cracking Salted Hashes (pdf)
- Youtube: Passwords & hash functions (Simply Explained) (7:27)
- Youtube: NCL Summer Live – Cracking Password Hashes – Aug 19 2021 (01:06:27)
- Youtube: Brute Force Attacks – CompTIA Network+ N10-007 – 4.4 (02:03)
- Why do you need to Salt and Hash passwords? by Phillip Brown
- Youtube: COMPTIA SECURITY+ SY0-501 TRAINING COURSE (section 6.1 – Cryptography)
- Youtube: Passwords: Am i a joke to you? #JohntheRipper (44:27)
- Password cracking with John the Ripper on Linux
- Challenge Examples and Example Wordlists