How to crack/recover passwords with Hashcat Brute Force

Posted on 23 September 2023 / 20 November 2024 by chitblog

Tutorial on how to crack/recover a password using a Hashcat brute-force attack. Hashcat is a very sophisticated tool for recovering the plaintext behind password hashes. A hash cannot be decrypted, so Hashcat hashes candidate passwords and compares each result with the target. It is one of the fastest password crackers because it uses the GPU of the graphics card to speed up the process. With Hashcat you can “crack/recover” any password, including those of WordPress for example; you just have to get the hash file.

How to Identify the Hash Algorithm Type

To crack/recover a hash file you must first know what type of hashing algorithm was used. To find out, you just have to look at the first two characters of the hash; see the table below.

  Characters | Hashing Algorithm
 ============+===================
  $0         | DES
  $1         | MD5 Hashing
  $2         | Blowfish
  $2A        | Eksblowfish
  $5         | SHA256
  $6         | SHA512

If the hash begins with $6, the algorithm used is SHA512. There are also programs such as hashid that can help identify the type of hashing algorithm.

Run the “hashcat --help” command and look under “hash modes” for the list of identification numbers to be used. In our example, where we crack a Linux system user password with a Hashcat brute-force attack, the number to be used is 1800.

  15900 | DPAPI masterkey file v2                          | Operating Systems
  12800 | MS-AzureSync  PBKDF2-HMAC-SHA256                 | Operating Systems
   1500 | descrypt, DES (Unix), Traditional DES            | Operating Systems
  12400 | BSDi Crypt, Extended DES                         | Operating Systems
    500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)        | Operating Systems
   3200 | bcrypt $2*$, Blowfish (Unix)                     | Operating Systems
   7400 | sha256crypt $5$, SHA256 (Unix)                   | Operating Systems
   1800 | sha512crypt $6$, SHA512 (Unix)                   | Operating Systems
    122 | macOS v10.4, MacOS v10.5, MacOS v10.6            | Operating Systems
   1722 | macOS v10.7                                      | Operating Systems
   7100 | macOS v10.8+ (PBKDF2-SHA512)                     | Operating Systems
   6300 | AIX {smd5}                                       | Operating Systems
   6700 | AIX {ssha1}                                      | Operating Systems
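
The prefix check described above can be turned around into an audit of which accounts still use a legacy scheme. This is an added example, not code from the original post: the sample entries are constructed, the hash bodies are placeholders, and the `WEAK` policy set is an assumption. The mode numbers are the ones in the listing above.

```python
import re

# Leading digit of the $id$ prefix -> (scheme, hashcat mode from the list above).
SCHEMES = {"1": ("md5crypt", 500), "2": ("bcrypt", 3200),
           "5": ("sha256crypt", 7400), "6": ("sha512crypt", 1800)}
WEAK = {"descrypt", "md5crypt", "no-password"}  # assumption: this audit's policy

def classify(field):
    """Map one /etc/shadow password field to (scheme, hashcat_mode)."""
    if field == "":
        return ("no-password", None)
    body = field.lstrip("!")            # a leading '!' marks a locked account
    if body in ("", "*"):
        return ("locked", None)
    m = re.match(r"\$(\d)[a-z]?\$", body)
    if m:
        return SCHEMES.get(m.group(1), ("unknown", None))
    if re.fullmatch(r"[./0-9A-Za-z]{13}", body):
        return ("descrypt", 1500)       # traditional DES crypt has no $id$ prefix
    return ("unknown", None)

def audit(shadow_text):
    """Return [(user, scheme, mode, needs_rehash)] for shadow-format text."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        scheme, mode = classify(field)
        findings.append((user, scheme, mode, scheme in WEAK))
    return findings

# Constructed sample entries; the hash bodies are placeholders, not real hashes.
SAMPLE = """\
alice:$6$examplesalt$PLACEHOLDER:19622:0:99999:7:::
bob:$1$examplesalt$PLACEHOLDER:19622:0:99999:7:::
carol:ab0123456789A:19622:0:99999:7:::
daemon:*:19622:0:99999:7:::
dave:!$5$examplesalt$PLACEHOLDER:19622:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme, mode, weak in audit(SAMPLE):
        print(f"{user:8} {scheme:12} mode={mode} {'REHASH' if weak else 'ok'}")
```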

Hashcat Attack Mode

  Number | Description
 ========+====================
  0      | Vocabulary Attack
  1      | Combination
  3      | Brute Force Attack
  6      | Hybrid Attack

Hashcat Charset and Mask

Hashcat Charset

The sets of characters available are lowercase, uppercase, numbers and special characters.

  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
  d | 0123456789
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff

So, to crack a password that is composed of lowercase letters, use ?l; for uppercase letters use ?u, for numbers ?d, and so on. For example, if you want to “crack” a password using lowercase, uppercase and numbers, you can define a custom charset and use it in the mask: “-1 ?l?u?d ?1?1?1?1”. If you want to use all possible characters, use ?a.

Hashcat Mask

The mask is used to define the number of characters of the password to crack as well as the type to use.

An example of a mask for a password composed of 4 lowercase letters could be this: “?l?l?l?l”.
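
A mask also fixes the size of the search: the number of candidates is the product of the charset sizes at each position. The following added example (not part of the original post) parses a mask, including custom charsets such as -1, and estimates how long exhausting it takes at 7444 H/s, the sha512crypt speed reported in the status output further down this page; the function names are hypothetical.

```python
import math
import string

# Built-in charsets from the table above.
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(" " + string.punctuation),
    "b": {chr(i) for i in range(256)},
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]

def positions(mask, custom=None):
    """Expand a mask into one candidate-character set per password position."""
    custom = custom or {}
    out, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            out.append({mask[i]})        # a literal character in the mask
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            out.append({"?"})            # '??' is a literal question mark
        elif key in BUILTIN:
            out.append(BUILTIN[key])
        elif key in custom:
            out.append(charset(custom[key]))
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 2
    return out

def charset(spec):
    """A custom charset is the union of everything its spec names."""
    return set().union(*positions(spec))

def keyspace(mask, custom=None):
    return math.prod(len(p) for p in positions(mask, custom))

def seconds_to_exhaust(mask, rate_hps, custom=None):
    return keyspace(mask, custom) / rate_hps

if __name__ == "__main__":
    RATE = 7444  # H/s, taken from the status output on this page
    for mask, custom in [("?l" * 5, None), ("?1" * 4, {"1": "?l?u?d"}),
                         ("?l" * 8, None), ("?a" * 8, None)]:
        days = seconds_to_exhaust(mask, RATE, custom) / 86400
        print(f"{mask:18} {keyspace(mask, custom):>22,}  {days:>16,.2f} days")
```

The five-letter lowercase mask gives 11881376 candidates, the same total shown in the Progress line of the status output, while eight characters from ?a push the same hardware into tens of thousands of years.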

Cracking Linux System password with Hashcat

For this example on how to crack Linux System passwords with Hashcat we will create a test user.

WORKSTATION:~ # useradd testuser
WORKSTATION:~ # passwd testuser
New password: 
BAD PASSWORD: it does not contain enough DIFFERENT characters
BAD PASSWORD: is too simple
Retype new password: 
passwd: password updated successfully
WORKSTATION:~ # 

The next step is to create a hash file. Passwords in Linux are stored in hashed form in the /etc/shadow file; modern systems use the SHA512 hashing algorithm.

Now, to create the file we need, we have to extract this information (the hash of the password) from the /etc/shadow file with the following command:

WORKSTATION:~ # tail -n1 /etc/shadow 
testuser:$6$CPtgtq4iPZ0cMSlt$A5Ev4HXwH2ZDzrWNhHgfO1ZZ7ceNIGwTCnnwSXOhcuOVm09FqvPOZgPhRp9DpKC3WsA7FDWOq4B8JAyMoaWcT/:19622:0:99999:7:::
WORKSTATION:~ # cd $HOME
WORKSTATION:~ # tail -n1 /etc/shadow > testuser.hash

Once the hash file is created you can proceed. To crack the password contained in the file run the following command:

:~ # hashcat -m 1800 -a 3 testuser.hash ?l?l?l?l?l
hashcat (v3.00) starting...
Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Uses-64-Bit
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 75c

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => s

Session.Name...: hashcat
Status.........: Running
Input.Mode.....: Mask (?l?l?l?l?l) [5]
Hash.Target....: $6$3jszVVeWR0jP6Bpr$eVtWKvj3KjQXUvIpz286Q...
Hash.Type......: sha512crypt, SHA512(Unix)
Time.Started...: Tue Jan 15 21:02:08 2019 (29 secs)
Time.Estimated.: Tue Jan 15 21:28:50 2019 (26 mins, 7 secs)
Speed.Dev.#1...:     7444 H/s (11.61ms)
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 215040/11881376 (1.81%)
Rejected.......: 0/215040 (0.00%)
Restore.Point..: 0/456976 (0.00%)
HWMon.Dev.#1...: Temp: 60c Fan: 39%

$6$3jszVVeWR0jP6Bpr$eVtWKvj3KjQXUvIpz286QNRl1bs5EAcq6gBG.z.TvbJVjYetM0byqyb7rwFKQwkYnIag80QF4HqUBreIhY0Mz1:test9
                                                          
Session.Name...: hashcat
Status.........: Cracked
Input.Mode.....: Mask (?l?l?l?l?l) [5]
Hash.Target....: $6$3jszVVeWR0jP6Bpr$eVtWKvj3KjQXUvIpz286Q...
Hash.Type......: sha512crypt, SHA512(Unix)
Time.Started...: Tue Jan 15 21:02:08 2019 (2 mins, 23 secs)
Speed.Dev.#1...:     7469 H/s (11.59ms)
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 1075200/11881376 (9.05%)
Rejected.......: 0/1075200 (0.00%)
Restore.Point..: 35840/456976 (7.84%)

Started: Tue Jan 15 21:02:08 2019
Stopped: Tue Jan 15 21:04:38 2019 
:~ # 