Hashcat - Cracking MD5 and NTLM Hashes

-
Today we'll be exploring Hashcat -- "the world’s fastest and most advanced password recovery utility". This, along with similar tools, should be used only for password recovery, pentest engagements, CTFs, etc and never for illegal purposes.

I could write an entire series about the capabilities Hashcat provides, but we will cover a few basic examples for now (besides, Hashcat does a pretty good job of that themselves):
  1. Crack MD5 hashes using the rockyou.txt wordlist.
  2. Crack NTLM hashes using the rockyou.txt wordlist.
  3. Crack NTLM hashes using a mask attack (modified brute force).

I'll be using Kali Linux as Hashcat comes pre-installed, but Hashcat can run on Windows, macOS, and other Linux distributions as well.

As you'll see, I'll be using some lists of hashes I made previously. Tools to generate hashes using dozens of algorithms are available online -- just save the output as a text file if you want to follow along.


Cracking MD5 Hashes Using rockyou.txt Wordlist

I've generated a list of MD5 hashes from a list of simple passwords, and we will use Hashcat to crack this list of MD5 hashes.

using a wordlist to crack md5 hashes

Before hitting Enter, let's break down this command:

 hashcat calls the hashcat program
 -m specify the hash type
 0 '0' after '-m' indicates a hash type of MD5
 -a specify the attack mode
 0 '0' after '-a' indicates an attack mode of "Straight" (wordlist)
 -ospecify where to output results
 /home/cody/Desktop/cracked_secrets.txtpreceded by '-o', the file_path+file_name of where to store the output of the cracked hashes.
 /home/cody/Desktop/secure_passwords.txtlist of hashes
 /usr/share/wordlists/rockyou.txtfull path and filename for the wordlist we are using

Now that we know what the parameters are doing, let's press Enter.

secure_passwords.txt successfully cracked using rockyou.txt wordlist

After some time, Hashcat successfully cracked the MD5 hashes!

Now let's see the contents of the generated cracked_secrets.txt.

contents of cracked_secrets.txt

There are the plain-text passwords along with their MD5 hashes!

For the sake of simplicity and clarity if you're following along, subsequent sections will use the same passwords but different hashing algorithms. Since different hashing algorithms will be used, you shouldn't have to clear your potfile, but this is where it's located in case you have a need (~/.hashcat/hashcat.potfile). For example, if repeating these tests you'll want to clear this file between tests (otherwise your cracking results will be instantaneous since Hashcat already has these passwords cracked).

clear the contents of ~/.hashcat/hashcat.potfile


Cracking NTLM Hashes Using rockyou.txt Wordlist


Now let's repeat the process with a more commonly found hash (MD5 and SHA-1 are both considered insecure at this point and have largely been replaced with SHA-256) -- NTLM.

Here we have the contents on the secure_passwords_ntlm.txt file which we'll be trying to crack.

contents of secure_passwords_ntlm.txt


We'll use the same command as we did for the MD5 hashes, but we will swap the -m 0 for -m 1000. We'll also need specify the different text files.

hashcat -m 1000 -a 0 -o /home/cody/Desktop/cracked_secrets_ntlm.txt /home/cody/Desktop/secure_passwords_ntlm.txt /usr/share/wordlists/rockyou.txt

using a wordlist to crack ntlm hashes


We can see that the NTLM hashes were also successfully cracked! This a perfect example of why everyone should use a secure password.

secure_passwords_ntlm.txt successfully cracked using rockyou.txt wordlist


The contents of cracked_secrets_ntlm.txt. Again, these are the same passwords used in the MD5 hash listing, but the hashes are different as expected.

contents of cracked_secrets_ntlm.txt

Cracking NTLM Hashes Using Mask (Modified Brute-Force)

Now onto what makes Hashcat unique -- mask attacks. Specifically, mask attacks that are much faster than traditional brute-force attacks (due to intelligent guessing and providing a framework for hashcat to use -- you can read more about this at the Hashcat website) and they utilize your GPU instead of your CPU.

For this example I've trimmed the secure_passwords file down to one NTLM hash.

The syntax here is slightly different from when we use a wordlist, but the core of it is the same. I've highlighted the changed areas (other than file names) below in red:

hashcat -m 1000 -a 1000 -o /home/cody/Desktop/cracked_secrets_ntlm_mask.txt /home/cody/Desktop/secure_passwords_ntlm_mask.txt ?l?l?l?l?l?d

The ?l and ?d used are representative of character sets:
  • ?l = abcdefghijklmnopqrstuvwxyz
  • ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • ?d = 0123456789
  • ?h = 0123456789abcdef
  • ?H = 0123456789ABCDEF
  • ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  • ?a = ?l?u?d?s
  • ?b = 0x00 - 0xff

So what our command breaks down to is that we are guessing for a password that is 6 characters long -- 5 lower case characters followed by 1 number. This drastically reduces the amount of time required to crack the hash. Adding any amount of "unknown" to this process (password length, password complexity, or both) increases the amount of time it will take to crack the hash.

using a mask to crack NTLM hashes


The mask attack took slightly longer than the wordlist attack (as expected), but not much. Granted our password wasn't secure by any standard. We can see below the status of Cracked, along with other information including the mask used.

secure_passwords_ntlm_mask.txt successfully cracked using mask


Here we can see the contents of the cracked_secrets_ntlm_mask.txt contains the NTLM hash and the corresponding plaintext password.

contents of cracked_secrets_ntlm_mask.txt


What we've done here just scratches the surface of Hashcat, and I'd like to do another write-up at some point regarding more advanced features. Maybe put my RTX 2070 SUPER to the test on passwords more secure than potat0! If there's anything specific you'd like to see let me know in the comment section below.


Comments

Post a Comment

Popular Posts

Configuring Secure Ciphers Suites and TLS

-
Image
Hey everyone, today we're back on cipher suites. If you want a refresher of TLS and secure cipher suites overall, check out my previous post . There are many instances in which you'll need to edit cipher suites on a system -- compliance efforts, CIS benchmarks, or simply ensuring your system doesn't use insecure suites. There are a few ways to go about this and I'll detail two of them now: IIS Crypto and the Windows registry. IIS Crypto My favorite way of editing TLS versions and cipher suites is using IIS Crypto . IIS Crypto allows you to select your desired TLS/SSL version, cipher suites, and backup the registry, all with a few mouse clicks. Only downside is that it's Windows only (even the command line version). This is what IIS Crypto will look like on an unmodified Windows 10 system. Note the separate  Server Protocols  and  Client Protocols  sections. These are important to keep straight depending on what system is listening for connections and what system is
Read more

Configuring SSH Key Based Authentication

-
Image
Overview Most personal computers and many organizations running Linux servers utilize password-based authentication. This is what most of us are used to -- you enter a username and password in order to authenticate your account and gain access to a system. While straightforward and commonplace, this isn't the best solution in most cases. Today I'll be explaining why key based authentication is more convenient, more secure, and allows for automation of tasks without saving credentials in plain-text in a text file. Key based authentication involves the use of private and public keys ( public-key cryptography ). The private key is stored on the client and the public key is stored on the server in a special file ( ~/.ssh/authorized_keys ). This allows any system with the corresponding private key to login to the server where we just stored the public key. Our steps are: Generate key pair (public / private key). Transfer public key and add it to the authorized_keys file on the remot
Read more