-
Notifications
You must be signed in to change notification settings - Fork 0
/
password-cracking-2.html
110 lines (100 loc) · 6.83 KB
/
password-cracking-2.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
<!DOCTYPE html>
<html>
<head>
<title>password cracking 2</title>
<link rel="stylesheet" href="css/gruvbox-dark.css"><link rel="stylesheet" href="css/hack.css">
<meta property="og:url" content="https://amar1729.github.io/password-cracking-2.html"/>
<meta property="og:title" content="password cracking 2"/>
<meta property="og:description" content="more password cracking"/>
<meta property="og:site_name" content="amar1729.github.io"/>
</head>
<body class="container hack gruvbox-dark">
<p><a href="https://amar1729.github.io/">homepage</a> - <a href="./tags.html">tags</a> - <a href="https://github.com/Amar1729">github</a> - <a href="https://github.com/Amar1729/Amar1729.github.io">site code</a></p>
<h1 id="more-password-cracking">more password cracking</h1>
<p><em>Oct 31 2017</em></p>
<p>Another example on using <code>john</code> and <code>hashcat</code> to crack passwords from a CTF challenge.</p>
<p><a href="./password-cracking-with-hashcat-1.html">previous pw cracking post</a></p>
<p>In this CTF challenge, we're given the following <code>shadow</code> file:</p>
<pre><code>Ade:706cb8c2abdbf0adbebfbf571c1ae9e1
Christian:7e389b3dd4161c85ffc1f399044fa6a1
Elyse:457bfc6d77b0e262ed8e03e4a545564e
Jenny:44c1d1671a78ab3ff7dd13c3268086d4
Kristy:7f6021304d7b3e6f10a4e86ad0c1ce44
</code></pre><p>and we're told that each of these people are interested in flights. I'm going to assume that these passwords look like flight numbers: <code>[A-Z][A-Z][A-Z][0-9]*</code>.</p>
<p>Since we know (or are we guessing?) what the passwords look like, we'll be using a mask attack to break these hashes. Mask attacks are like brute-force attacks, but they let you narrow down the problem space by focusing on certain characters or character sets.</p>
<h2 id="hashcat">hashcat</h2>
<p>As always, use <code>hashcat --help</code> to see what the tool offers you. In particular, take a look at the <code>Charsets</code> section near the bottom of the help text.</p>
<p>We're going to remove the names from our <code>shadow</code> file, giving us a resultant file <code>hc-shadow</code>:</p>
<pre><code>706cb8c2abdbf0adbebfbf571c1ae9e1
7e389b3dd4161c85ffc1f399044fa6a1
457bfc6d77b0e262ed8e03e4a545564e
44c1d1671a78ab3ff7dd13c3268086d4
7f6021304d7b3e6f10a4e86ad0c1ce44
</code></pre><p>With hashcat, we can use conduct a mask attack like this:</p>
<pre><code># -m 0 specifies --hash-type "MD5" (not always necessary)
# -a 3 specifies --attack-mode "Brute-force"
# ?u is the signifier for any uppercase digit
$ hashcat -m 0 -a 3 hc-shadow '?u?u?u'
</code></pre><p>If you give hashcat this mask, it'll assume all your passwords look like <code>[A-Z][A-Z][A-Z]</code> and only hash those possibilites. However, we need some numbers at the end of our passwords too:</p>
<pre><code>$ hashcat -a 3 hc-shadow '?u?u?u?d'
/*
snip
*/
Approaching final keyspace - workload adjusted.
44c1d1671a78ab3ff7dd13c3268086d4:MAS2
</code></pre><p>Look at that! We got lucky, and one of our passwords only had one digit at the end. We don't know about the rest though, so let's investigate hashcat's <code>--increment</code> flag.</p>
<p>Using a mask like <code>?d?d?d?d</code> would tell hashcat that all our passwords are exactly four digits. If we also pass <code>--increment</code>, hashcat would try incrementally adding to its mask starting from one, meaning it would try all masks like this:</p>
<pre><code>?d
?d?d
?d?d?d
?d?d?d?d
</code></pre><p>We'd like to try that for our passwords, but you can't combine <code>--increment</code> with a mask that has different character classes in it. There are a couple ways around this, like writing a few charsets into your own small <code>masks.hcmask</code> file, but the quickest I'm comfortable with using the command line is defining your own character set and incrementing on that.</p>
<p>Hashcat allows you to define custom charsets using numbers as flags: <code>-1 '<charset>'</code> defines the first custom set, <code>-2 <charset></code> defines the second, and you can have up to four in a single session.</p>
<p>We'll define one like this: <code>-1 '?u?d'</code> - a charset made up of only uppercase letters and digets - and then run a slightly larger incremental mask attack:</p>
<pre><code>hashcat -1 '?u?d' -a 3 hc-shadow '?1?1?1?1?1?1' --increment
/*
snip
*/
Approaching final keyspace - workload adjusted.
7e389b3dd4161c85ffc1f399044fa6a1:SCX401
7f6021304d7b3e6f10a4e86ad0c1ce44:KLM887
457bfc6d77b0e262ed8e03e4a545564e:AAL126
706cb8c2abdbf0adbebfbf571c1ae9e1:SWG427
</code></pre><p>And just like that, we've cracked the rest of the passwords. You can see all of them with <code>hashcat hc-shadow --show</code>.</p>
<h2 id="john-the-ripper">john the ripper</h2>
<p>With <code>john</code> our approach is similar (make sure to use the more powerful community edition, <code>john-jumbo</code>).</p>
<p>I initially used the following command:</p>
<pre><code>$ john shadow --fork=4 --format=Raw-MD5 --incremental=UpperNum
Using default input encoding: UTF-8
Loaded 5 password hashes with no different salts (Raw-MD5 [MD5 128/128 SSE4.1 4x5])
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
MAS2 (Jenny)
AAL126 (Elyse)
KLM887 (Kristy)
SWG427 (Ade)
^C
</code></pre><p>For some reason, <code>john</code> really took a while finding the fifth hash for me, so I just canceled it and ran it by specifying the mask manually:</p>
<pre><code>$ john --pot=john.pot shadow --fork=4 --format=Raw-MD5 -mask='?u?u?u?d?d?d'
Using default input encoding: UTF-8
Loaded 5 password hashes with no different salts (Raw-MD5 [MD5 128/128 SSE4.1 4x5])
Remaining 1 password hash
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
SCX401 (Christian)
1 1g 0:00:00:00 DONE (2020-05-29 22:37) 33.33g/s 10517Kp/s 10517Kc/s 10517KC/s ISX401..MJX401
Waiting for 3 children to terminate
4 0g 0:00:00:00 DONE (2020-05-29 22:37) 0g/s 13315Kp/s 13315Kc/s 13315KC/s XWQ777..QQQ777
2 0g 0:00:00:00 DONE (2020-05-29 22:37) 0g/s 12205Kp/s 12205Kc/s 12205KC/s XWQ779..QQQ779
3 0g 0:00:00:00 DONE (2020-05-29 22:37) 0g/s 11563Kp/s 11563Kc/s 11563KC/s XWQ794..QQQ794
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed
</code></pre><h3 id="helpful-resources">helpful resources</h3>
<ul>
<li><a href="https://www.4armed.com/blog/perform-mask-attack-hashcat/">https://www.4armed.com/blog/perform-mask-attack-hashcat/</a></li>
<li><a href="https://countuponsecurity.files.wordpress.com/2016/09/jtr-cheat-sheet.pdf">https://countuponsecurity.files.wordpress.com/2016/09/jtr-cheat-sheet.pdf</a></li>
</ul>
<hr>
<p>~ tags : <a href="./tag-ctf.html">#ctf</a> * <a href="./tag-cracking.html">#cracking</a></p>
</body>
</html>