General Hash Cracking
Empty Password in NT hash:
31d6cfe0d16ae931b73c59d7e0c089c0
Hash Formats
The stored password format is usually $id$salt$hashed, where $id identifies the algorithm. On GNU/Linux the ids are as follows:
- $1$ is MD5 | MD5 (Unix) | -m 500
- $2a$ is Blowfish
- $2y$ is Blowfish
- $5$ is SHA-256
- $6$ is SHA-512 | sha512crypt (Unix) | -m 1800
- $apr1$ is Apache MD5 | -m 1600
- $ansible$ is Ansible | -m 16900
Other hashcat | Hash Correlations:
- SHA-256 | -m 1400
- MD5 (no salt) | -m 0
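As an added example (not part of these notes), a small Python auditor that parses the $id$salt$hashed fields of /etc/shadow-style lines using the table above, flags empty and locked accounts, and also checks for the empty-password NT hash; the sample lines are constructed, and the hashcat modes for $2a$/$2y$/$5$ are left as None because the notes do not list them.

```python
import re

# Hash-prefix table from the notes above (mode None = hashcat mode not listed on the page).
CRYPT_IDS = {
    "1": ("MD5 (Unix)", 500), "2a": ("Blowfish", None), "2y": ("Blowfish", None),
    "5": ("SHA-256", None), "6": ("sha512crypt (Unix)", 1800), "apr1": ("Apache MD5", 1600),
}
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password (see above)

def classify_crypt(field: str) -> dict:
    """Classify one shadow password field: empty, locked, unknown, or algorithm/salt/mode."""
    if field == "":
        return {"status": "empty"}            # account can log in with no password
    if field.startswith(("!", "*")):
        return {"status": "locked"}
    m = re.match(r"^\$([a-z0-9]+)\$(.*)$", field)
    if not m or m.group(1) not in CRYPT_IDS:
        return {"status": "unknown"}
    ident, rest = m.groups()
    name, mode = CRYPT_IDS[ident]
    rounds = None
    if ident in ("2a", "2y"):                 # bcrypt: $2y$cost$<22-char salt><31-char digest>
        cost, blob = rest.split("$", 1)
        rounds, salt, digest = 2 ** int(cost), blob[:22], blob[22:]
    else:                                     # sha-crypt family: optional rounds=N$ before salt
        parts = rest.split("$")
        if parts[0].startswith("rounds="):
            rounds = int(parts.pop(0)[len("rounds="):])
        salt, digest = parts[0], (parts[1] if len(parts) > 1 else "")
    return {"status": "hashed", "algorithm": name, "hashcat_mode": mode,
            "rounds": rounds, "salt": salt, "digest": digest}

def audit_shadow(text: str) -> list:
    # Parse /etc/shadow-style lines into (user, classification) pairs.
    results = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, field = line.split(":", 2)[:2]
            results.append((user, classify_crypt(field)))
    return results

def is_empty_nt_hash(nt_hash: str) -> bool:   # flags accounts with a blank NT password
    return nt_hash.strip().lower() == EMPTY_NT_HASH

# Constructed sample shadow lines (not from a real host); digests are placeholders.
SAMPLE_SHADOW = "\n".join([
    "legacy:$1$abcd$placeholderdigest:19000:0:99999:7:::",
    "svc:$6$rounds=100000$saltsalt$placeholderdigest:19000:0:99999:7:::",
    "web:$2y$10$" + "a" * 22 + "b" * 31 + ":19000:0:99999:7:::",
    "guest::19000:0:99999:7:::",
])
```

Accounts reported as "MD5 (Unix)" or "empty" are the ones worth fixing first; the hashcat_mode field tells you which -m value the notes map that prefix to.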
Dump Hashes with Mimikatz
Commands
privilege::debug
sekurlsa::logonPasswords
Dump Hashes Manually:
Windows:
reg save hklm\SAM c:\sam
reg save hklm\SYSTEM c:\system
reg save hklm\SECURITY c:\security
From <security - How to dump the Windows SAM file while the system is running? - Super User>
Linux:
cat /etc/shadow
Dump Hashes w/NTDS
When you don't have access to the registry hives needed to dump HKLM\SECURITY, but whoami /all shows you hold SeBackupPrivilege, you should be able to dump the NTDS.dit file. See HTB Blackfield for the exact process and the required DLLs to import.
Rebuild Registry Dump:
Run secretsdump.py locally on the saved hives; the second form below is used when the hashes were dumped via NTDS.dit.
python /var/lib/impacket/examples/secretsdump.py -sam sam -security security -system system -hashes lmhash:nthash LOCAL -output hashes
From <security - How to dump the Windows SAM file while the system is running? - Super User>
secretsdump.py -ntds ntds.dit -system system -hashes lmhash:nthash LOCAL -output hashes
Add hashes to main hash files:
Windows:
cat nt.hashes >> ../../../../nt.hashes
Linux:
cat shadow.hashes >> ../../../../shadow.hashes
Crack new hashes:
Windows:
hashcat -m 1000 -a 0 --username nt.hashes /usr/share/wordlists/rockyou.txt -r ~/cybersecurity/Tools/host-tools/wordlists/hob064.rule
Linux (running with rules could take up to 16 days):
hashcat -m 1800 -a 0 --username --session beta shadow.hashes /usr/share/wordlists/rockyou.txt -r /usr/share/wordlists/hob064.rule
Display cracked passwords:
Windows:
hashcat --show --username nt.hashes | awk -F ":" '{print $1":"$3}'
Linux:
hashcat --show --username shadow.hashes | awk -F ":" '{print $1":"$3}'
Add cracked passwords to master lists:
Windows:
hashcat --show --username nt.hashes | awk -F ":" '{print $1":"$3}' >> credentials-local.txt && sort -u -o credentials-local.txt credentials-local.txt
hashcat --show --username nt.hashes | awk -F ":" '{print $3}' >> passwords-local.txt && sort -u -o passwords-local.txt passwords-local.txt
Linux:
hashcat --show --username shadow.hashes | awk -F ":" '{print $1":"$3}' >> credentials-local.txt && sort -u -o credentials-local.txt credentials-local.txt
hashcat --show --username shadow.hashes | awk -F ":" '{print $3}' >> passwords-local.txt && sort -u -o passwords-local.txt passwords-local.txt
Crack Hashes Example Commands:
LM Hash:
john --format=lm hash.txt
hashcat -m 3000 -a 3 hash.txt
NTHash (aka NTLM, used for the pass-the-hash technique):
john --format=nt hash.txt
hashcat -m 1000 -a 3 hash.txt
NTLMv1:
john --format=netntlm hash.txt
hashcat -m 5500 -a 3 hash.txt
NTLMv2:
john --format=netntlmv2 hash.txt
hashcat -m 5600 -a 3 hash.txt
Specific File Types
ZIP/RAR Files
JtR
First we need to get a valid hash out of the file.
<zip|rar>2john <zip|rar file> > hash.txt
Then we can run john on the newly acquired hash.
john --format=<zip|rar> --wordlist=/usr/share/wordlists/rockyou.txt <hashfile>
fcrackzip
No conversion step is required, unlike with john; fcrackzip works on the archive directly.
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' <zip_file>
id_rsa Keys
JtR
First we need to get a valid hash out of the file.
python /usr/share/john/ssh2john.py ./id_rsa > id_rsa.hash
Then we can run john on the newly generated hash.
john --wordlist=/usr/share/wordlists/rockyou.txt <hashfile>
Cisco Password Types
Cisco to Hash type Table
Cisco Password | Crackability | Best speed | John the Ripper | Hashcat |
---|---|---|---|---|
Type 0 | instant | instant | n/a | n/a |
Type 7 | instant | instant | n/a | n/a |
Type 4 | easy | 26.4 million per second | --format=Raw-SHA256 | -m 5700 |
Type 5 | medium | 1.2 million per second | --format=md5crypt | -m 500 |
Type 8 | hard | 11.6 thousand per second | --format=pbkdf2-hmac-sha256 | -m 9200 |
Type 9 | very hard | 1.8 thousand per second | --format=scrypt | -m 9300 |
Type 0
Cisco password type 0 is a clear-text password. There is no encryption or obfuscation. It is the oldest and most insecure method of storing passwords on Cisco devices and should never be used.
The following example shows type 0 password found in a Cisco configuration:
username admin privilege 15 password 0 P@ssw0rd
As you can see, there is really nothing to crack or decrypt. We can clearly see that the admin user has a password of P@ssw0rd.
Type 7
This password type uses a Vigenère cipher, which is essentially a simple alphabetical substitution. The algorithm is reversible, so the password can be recovered instantly as plain text without any cracking.
The following example shows type 7 password found in a Cisco configuration:
username admin privilege 15 password 7 0236244818115F3348
There are a number of freely available tools for decrypting type 7 passwords. Here are some examples:
https://www.question-defense.com/2011/08/17/perl-script-to-decode-cisco-type-7-password-hash
Python: reverse Cisco type 7 passwords with input from file or stdin · GitHub
GitHub - theevilbit/ciscot7: Cisco Type 7 Password Decrypter
For instance, to decrypt the above type 7 password using Ciscot7 Python script, simply run:
wget https://raw.githubusercontent.com/theevilbit/ciscot7/master/ciscot7.py
python ciscot7.py -d -p 0236244818115F3348
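As an added example (not from these notes or the linked tools), the type 7 reversal in Python, wrapped in a small config audit that flags type 0 and type 7 credentials as plaintext-equivalent using the table above; the XOR key is the published type 7 constant, and the sample config is constructed from the example lines in these notes.

```python
import re

# Fixed XOR key of the Cisco type 7 scheme, the same published constant the linked
# decoders use; the first two digits of a type 7 string are the starting offset into it.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: 2-digit decimal key offset, then hex bytes XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError("not a well-formed type 7 string")
    offset = int(encoded[:2], 10)
    if offset >= len(TYPE7_KEY):
        raise ValueError("key offset out of range")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("latin-1")

# Verdicts follow the Cisco-to-hash-type table above.
VERDICT = {"0": "cleartext", "7": "reversible (plaintext-equivalent)", "4": "unsalted SHA-256, weak",
           "5": "md5crypt, medium", "8": "PBKDF2-SHA256, strong", "9": "scrypt, strong"}
CRED_RE = re.compile(r"^\s*(?:username\s+(\S+).*?|enable)\s+(?:password|secret)\s+(\d)\s+(\S+)")

def audit_cisco_config(config: str) -> list:
    """Return (account, type, verdict, plaintext-or-None) for each credential line in a config."""
    findings = []
    for line in config.splitlines():
        m = CRED_RE.match(line)
        if not m:
            continue
        account, ptype, value = m.group(1) or "enable", m.group(2), m.group(3)
        plain = value if ptype == "0" else type7_decode(value) if ptype == "7" else None
        findings.append((account, ptype, VERDICT.get(ptype, "unknown type"), plain))
    return findings

# Constructed sample config built from the example lines in these notes.
SAMPLE_CONFIG = """\
username admin privilege 15 password 7 0236244818115F3348
username admin privilege 15 secret 5 $1$jUfy$2TVVXJ8sy.KO8ZhAKfIHt/
enable secret 9 $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM
"""
```

Run over a saved running-config, every type 0 or type 7 line it reports should be replaced with a type 8 or type 9 secret.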
Type 4
This password type was designed around 2013 and the original plan was to use PBKDF2 (Password-Based Key Derivation Function 2). But due to an implementation issue, it ended up being a single iteration of SHA-256 without a salt.
The following example shows type 4 password found in a Cisco configuration:
username admin secret 4 ds4zcEBHQMiiscBff5JmSaUctdI8fVdmGU18HAtxOCw
John the Ripper recognizes this password type as Raw-SHA256. To crack it, we have to first convert it to the following john friendly format and save it in a file:
admin:ds4zcEBHQMiiscBff5JmSaUctdI8fVdmGU18HAtxOCw
Then we can crack it like this using a dictionary, for example:
john --format=Raw-SHA256 --wordlist=/usr/share/wordlists/rockyou.txt --fork 4 hashes.txt
Hashcat recognizes this password type as hash mode 5700. To crack it, we can keep using the same john friendly format. Then we can crack it like this using a dictionary, for example:
hashcat -m 5700 --username -O -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
Note that by using the -O parameter (optimized kernels), we will greatly increase the speed. But it will also limit the password length to 31 characters.
Type 5
This password type was introduced around 1992 and is essentially 1,000 iterations of MD5 with a salt. The salt is 4 characters long (32 bits). For modern computers this is not difficult enough, so in many cases it can be successfully cracked.
The following example shows type 5 password found in a Cisco configuration:
username admin secret 5 $1$jUfy$2TVVXJ8sy.KO8ZhAKfIHt/
John the Ripper recognizes this password type as md5crypt. To crack it, we have to again first convert it to the following john friendly format and save it in a file:
admin:$1$jUfy$2TVVXJ8sy.KO8ZhAKfIHt/
Then we can crack it like this using a dictionary, for example:
john --format=md5crypt --fork=4 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Hashcat recognizes this password type as hash mode 500. To crack it, we can keep using the same john friendly format. Then we can crack it like this using a dictionary, for example:
hashcat -m 500 --username -O -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
Note that by using the -O parameter (optimized kernels), we will greatly increase the speed. But it will also limit the password length to 31 characters.
Type 8
This password type is a proper implementation of the failed password type 4. This time it really uses the PBKDF2 algorithm and a 10-character salt (80 bits). Essentially it is 20,000 iterations of SHA-256, which makes it much harder to crack than the previous password types.
The following example shows type 8 password found in a Cisco configuration:
username admin secret 8 $8$dsYGNam3K1SIJO$7nv/35M/qr6t.dVc7UY9zrJDWRVqncHub1PE9UlMQFs
John the Ripper recognizes this password type as pbkdf2-hmac-sha256. To crack it, we have to again first convert it to the following john friendly format and save it in a file:
admin:$8$dsYGNam3K1SIJO$7nv/35M/qr6t.dVc7UY9zrJDWRVqncHub1PE9UlMQFs
Then we can crack it like this using a dictionary, for example:
john --format=pbkdf2-hmac-sha256 --fork=4 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Hashcat recognizes this password type as hash mode 9200. To crack it, we can keep using the same john friendly format. Then we can crack it like this using a dictionary, for example:
hashcat -m 9200 --username -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
Type 9
This password type uses the scrypt algorithm. Scrypt was specifically designed to make cracking very difficult even on large-scale cracking rigs with many GPUs or hardware ASICs, because it requires a large amount of memory to perform its function.
The following example shows type 9 password found in a Cisco configuration:
username admin secret 9 $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM
John the Ripper recognizes this password type as scrypt. To crack it, we have to again first convert it to the following john friendly format and save it in a file:
admin:$9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM
Then we can crack it like this using a dictionary, for example:
john --format=scrypt --fork=4 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Hashcat recognizes this password type as hash mode 9300. To crack it, we can keep using the same john friendly format. Then we can crack it like this using a dictionary, for example:
hashcat -m 9300 --username -a 0 --force hashes.txt /usr/share/wordlists/rockyou.txt
Note that we have to provide --force parameter since the hash-mode 9300 is marked as unstable for our particular device.
Password Lists
The following password lists have been recommended for various boxes.
Try to iterate through this list, starting with the smallest list then working up to larger ones.
/usr/share/wordlists/rockyou.txt
/usr/share/seclists/Passwords/Common-Credentials/100k-most-used-passwords-NCSC.txt
References
Hashcat Mode Types
https://hashcat.net/wiki/doku.php?id=example_hashes