Presentation Slides
Password Cracking Basics
For CTF Competitions
Preface - Different Representations of ASCII
These are not passwords; they are different representations of the same letters.
Base | Encoding | ASCII | Result Text | Note |
---|---|---|---|---|
2 | Binary | Moon | 01001101 01101111 01101111 01101110 | Digits 0-1 |
8 | Octal | Magic | 115 141 147 151 143 | Digits 0-7 |
10 | Decimal | Sunset | 83 117 110 115 101 116 | Digits 0-9 |
16 | Hex | Elements | 45 6C 65 6D 65 6E 74 73 | Digits 0-9 and A-F |
64 | Base64 | Celestial! | Q2VsZXN0aWFsIQ== | a-z, A-Z, 0-9. = or == as padding |
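Added example (not part of the original slides): a small Python helper that round-trips text through the representations in the table above and, for an unknown string, reports which bases it could be, using only the character set and whether the result is printable ASCII. The words and strings are the table's own; the function names are assumptions made here.

```python
import base64
import binascii
import string

# Zero-padded width and format code per numeric base (Base64 handled separately).
WIDTH = {2: 8, 8: 3, 10: 0, 16: 2}
FMT = {2: "b", 8: "o", 10: "d", 16: "X"}


def encode(text, base):
    """Render ASCII text as space-separated groups in base 2/8/10/16, or as Base64."""
    data = text.encode("ascii")
    if base == 64:
        return base64.b64encode(data).decode("ascii")
    return " ".join(format(b, FMT[base]).zfill(WIDTH[base]) for b in data)


def decode(s, base):
    """Inverse of encode(); raises ValueError/binascii.Error if s is not valid in that base."""
    if base == 64:
        # validate=True rejects spaces and other non-alphabet characters instead of ignoring them
        return base64.b64decode(s, validate=True).decode("ascii")
    return "".join(chr(int(token, base)) for token in s.split())


def decode_candidates(s):
    """Try every base whose alphabet admits the string and keep the decodings that are
    printable ASCII. Ambiguity is real (octal and decimal share the digits 0-7), so a list
    of (base, text) pairs is returned rather than a single guess."""
    found = []
    for base in (2, 8, 10, 16, 64):
        try:
            text = decode(s, base)
        except (ValueError, UnicodeDecodeError, binascii.Error):
            continue
        if text and all(c in string.printable for c in text):
            found.append((base, text))
    return found


if __name__ == "__main__":
    for word, base in [("Moon", 2), ("Magic", 8), ("Sunset", 10), ("Elements", 16), ("Celestial!", 64)]:
        enc = encode(word, base)
        print(f"base {base:>2}: {enc}  ->  {decode_candidates(enc)}")
```

The character set narrows the options but does not settle them: "67 111" is valid octal and valid decimal, and both decode to printable text. Checking printability only removes the impossible bases, so the list is what you want when triaging an unknown blob in a challenge.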
Why do passwords need to be “cracked”?
Passwords are hashed
- One-way function - cannot easily get password from hash
- Given the same input, always gives the same output
- No two inputs give the same output (collision resistance)
If you hit “Forgot Password” and were emailed your password back, think again about using that service.
Password Salting
Passwords are often “salted”
- Random data added as an input to the hashing algorithm
- Different salt per-password
- Salt is saved next to hash and isn’t secret
Algorithm | To Be Hashed | Hashed Value |
---|---|---|
md5(“Cyber”) | Cyber | 046e43ea3926a2f12f416a870f995a62 |
md5(“Cyber”+“hSgcC”) | CyberhSgcC | 79cca74badfe10909be5fd43a61e2f30 |
md5(“Cyber”+“FQnJK”) | CyberFQnJK | 02401e65e4eb1f305e3cb6ae921198b6 |
Approaches
- Hash Tables
- Brute Force
- Dictionary
Hash Tables
Hash tables are precomputed lookup tables of passwords and their hashed values, so recovering a password from its hash becomes a near-instant lookup.
- Makes cracking common passwords trivial
- Salting would make these tables impossibly big
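Added example (not from the slides) covering both the salting section and the hash-table approach: it precomputes a lookup table of MD5 hashes for a constructed five-word stand-in for a real wordlist, recovers an unsalted hash with one dictionary access, and then shows that the same password stored with a random per-password salt is not in the table at all. The md5(password + salt) layout is the one in the salting table above; the function names and the wordlist are assumptions made here.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist standing in for RockYou or any other dictionary.
WORDLIST = ["password", "123456", "Cyber", "letmein", "qwerty"]


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once; every later lookup is a dictionary access."""
    return {md5_hex(w): w for w in words}


def lookup(table, digest):
    """Return the plaintext for a digest, or None if it was never precomputed."""
    return table.get(digest.lower())


def salted_md5(password, salt):
    """The scheme in the table above: md5(password + salt)."""
    return md5_hex(password + salt)


def store(password, salt=None):
    """Store as (salt, hash). The salt is random per password and kept beside the hash; it is not secret."""
    if salt is None:
        salt = os.urandom(4).hex()
    return salt, salted_md5(password, salt)


def verify(password, salt, stored_hash):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_md5(password, salt), stored_hash)


def salted_table_size(n_words, salt_len, alphabet_size):
    """Entries a lookup table would need to cover every possible salt for every word."""
    return n_words * alphabet_size ** salt_len


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted md5('Cyber') ->", lookup(table, md5_hex("Cyber")))
    salt, h = store("Cyber")
    print(f"salted md5('Cyber'+'{salt}') -> {lookup(table, h)}   verify: {verify('Cyber', salt, h)}")
    print("table entries for one word and a 5-char [a-zA-Z0-9] salt:", salted_table_size(1, 5, 62))
```

The last line is the "impossibly big" point in numbers: a five-character alphanumeric salt multiplies the table by 62^5 for every word, and a 32-bit random salt by 2^32.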
Brute Force
Try every combination of characters for increasing lengths
- Might take a few lifetimes of the universe for longer passwords
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789
!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
+ Foreign Language Characters
Dictionary Attacks
- Words are easy to remember
- People like remembering passwords
RockYou
- Social Media Widget Maker Company
- Easy SQL Injection
- Stored 32 million users’ passwords in plaintext
- This was dumb, even in 2009
Common Hash Types
Hash-Name | Example Hash |
---|---|
MD5 | 7ebc76247f2dc80d490199fad2113358 |
SHA1 | 2fc8f79f194c7a080bb629cf0a04f0c5cf653387 |
md5crypt | $1$oFJabixr$P3CVha87xhby59qf2Hkpq/ |
NT:LM | 9BC9CDAFDFDBFDF55BFA81527A37D05E:F6332EE5142AC368C401F065B6F57E69 |
List of Example Hashes
Name That Hash
- There are multiple tools for identifying hashes; this is just one of them
Online Hash Cracking Services
http://rainbowtables.it64.com/
- Cracks LM Hashes
https://hashes.com/en/decrypt/hash/
- Looks up MD5, SHA1, NTLM, SHA256, SHA512
- Looks up LM, NTLM, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, whirlpool
ophcrack
ophcrack is a free Windows (LM/NTLM) password cracker using Rainbow Tables
Table | Charset | Length | GiB |
---|---|---|---|
XP Free Small | [0-9],[a-z],[A-Z] | 1-14 | 0.7 |
XP Special* | [0-9],[a-z],[A-Z], !"#$%&’()*+,-./:;<=>?@[\]^_`{|}~ | 1-14 | 7.5 |
Vista Proba 60G | [0-9],[a-z],[A-Z], !"#$%&’()*+,-./:;<=>?@[\]^_`{|}~ | 5-10 | 60 |
Vista SpecialXL | [0-9],[a-z],[A-Z], !"#$%&’()*+,-./:;<=>?@[\]^_`{|}~ | 1-7 | 107 |
Vista eightXL | [0-9],[a-z],[A-Z], !"#$%&’()*+,-./:;<=>?@[\]^_`{|}~ | 8 | 2007 |
John The Ripper
CPU Password Cracker
- 7z2john
- zip2john
- pdf2john
- office2john
Hashcat
GPU Accelerated Password Cracker
- Fast
- Can use multiple GPUs
- Multiple Attack Types
Hashcat Attack Modes
Mode # | Attack Type | Method |
---|---|---|
0 | Dictionary Attack | Tries every password in the list |
1 | Combinator Attack | Combines words from multiple wordlists |
3 | Mask Attack | Smart brute-forcing |
6 | Hybrid Attack | Wordlist + a mask |
7 | Hybrid Attack | A mask + Wordlist |
Picking a Wordlist
- RockYou
- Find one online
- Make your own list
- Scrape Wikipedia Articles
- Kaggle (Dataset Website)
Hashcat Arguments
Specify hash type with -m #
Specify attack mode with -a #
Speedup Arguments
-O
uses “optimized kernels”. Limits max length.
-w #
sets the workload profile
- 1 is Low
- 2 is Normal
- 3 is High - Will lag system GUI
- 4 is “Nightmare” - Will lag system GUI
Dictionary Attack (Mode 0)
hashcat -m 0 -a 0 MD5_Hash_File.txt wordlist.txt
password
Combinator Attack (Mode 1)
hashcat -m 0 -a 1 MD5_Hash_File.txt animal_names.txt city_names.txt
WolfChicago
Mask Attacks (Mode 3)
hashcat -m 0 -a 3 MD5_Hash_File.txt CTF-?u?u?u?u-?d?d?d?d
CTF-AAAA-0000 through CTF-ZZZZ-9999
Charset | Chars | Charset | Chars |
---|---|---|---|
?l | abcd….xyz | ?u | ABCD….XYZ |
?d | 0123456789 | ?h | 0123456789abcdef |
?H | 0123456789ABCDEF | ?s | !"#$%&’()*+,-./:;<=>?@[\]^_`{|}~ |
?a | ?l?u?d?s | ?b | 0x00 - 0xff |
Hybrid Attacks (Mode 6)
hashcat -m 0 -a 6 MD5_Hash_File.txt wordlist.txt ?d?d?d?d
password0000 through lastpassword9999
Hybrid Attacks (Mode 7)
hashcat -m 0 -a 7 MD5_Hash_File.txt ?d?d?d?d wordlist.txt
0000password through 9999lastpassword
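Added example (not hashcat's own code) that goes a little beyond the three commands above: it parses hashcat's mask syntax for the charsets in the table, computes the keyspace a mask implies (which is also the cost of the brute-force approach from earlier, for increasing lengths), generates mode 3, mode 6 and mode 7 candidates, and runs a plain CPU MD5 search over them. The constructed target hash and two-word wordlist are assumptions; hashcat's real ?s charset begins with a space, which the table above omits, and ?b is included only so its keyspace counts correctly.

```python
import hashlib
import itertools
import string

# hashcat built-in charsets. ?s is space + the 32 ASCII punctuation characters (33 total),
# so ?a is 26 + 26 + 10 + 33 = 95. ?b is all 256 byte values (counted here, not searched).
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "h": string.digits + "abcdef",
    "H": string.digits + "ABCDEF",
    "s": " " + string.punctuation,
    "b": "".join(chr(i) for i in range(256)),
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def parse_mask(mask):
    """Turn a mask into one alphabet per output position.
    '?X' is a built-in charset, '??' a literal '?', any other character a literal."""
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a lone '?'")
        key = mask[i + 1]
        if key == "?":
            positions.append("?")
        elif key in CHARSETS:
            positions.append(CHARSETS[key])
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 2
    return positions


def keyspace(mask):
    """Number of candidates the mask generates: the product of the per-position alphabet sizes."""
    n = 1
    for alphabet in parse_mask(mask):
        n *= len(alphabet)
    return n


def incremental_keyspace(charset_key, min_len, max_len):
    """Brute force 'for increasing lengths': total candidates for ?X repeated min_len..max_len times."""
    return sum(keyspace(("?" + charset_key) * n) for n in range(min_len, max_len + 1))


def candidates(mask):
    """Mode 3: every string the mask describes."""
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


def hybrid_candidates(words, mask, mode=6):
    """Mode 6: each word followed by the mask; mode 7: the mask followed by each word."""
    if mode not in (6, 7):
        raise ValueError("mode must be 6 or 7")
    for word in words:
        for part in candidates(mask):
            yield word + part if mode == 6 else part + word


def crack_md5(target_hex, candidate_iter):
    """Hash each candidate and stop at the first match; None if the keyspace is exhausted."""
    target = target_hex.lower()
    for cand in candidate_iter:
        if md5_hex(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    mask = "CTF-?u?u?u?u-?d?d?d?d"
    print(mask, "keyspace:", keyspace(mask))
    print("?a for lengths 1-8:", incremental_keyspace("a", 1, 8))
    # constructed target: md5 of 'pass1234', searched in mode 6 over a constructed two-word list
    target = md5_hex("pass1234")
    print("mode 6 found:", crack_md5(target, hybrid_candidates(["admin", "pass"], "?d?d?d?d")))
```

The keyspace numbers are the practical reason to reach for a mask instead of raw brute force: the CTF mask above is about 4.6 billion candidates, while ?a at lengths 1 through 8 is over 6.7 quadrillion, and a GPU only changes how fast that number is walked, not how big it is.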
Rules
Works on Dictionary Attacks and Hybrid Attacks
- OneRuleToRuleThemAll (Universal Rule)
- Pantagrule (Universal Rule)
- toggles# (Toggles upper/lowercase of a word)
- leetspeak (l33t)
hashcat -m 0 -r leetspeak.rule -r toggles1.rule -a 0 MD5_Hash_File.txt wordlist.txt
Passw0rd pa55woRd
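Added example (not hashcat's own code, and not the real leetspeak.rule or toggles1.rule): a small interpreter for the hashcat rule functions that do most of the work in CTFs (case changes, positional toggle, substitution, append/prepend, reverse, duplicate), plus an expand() that stacks several rule files the way multiple -r arguments do. The two rule lists are constructed stand-ins, and the function names are assumptions made here.

```python
import itertools


def _pos(c):
    """Rule positions are written 0-9, then A-Z for 10-35."""
    return int(c, 36)


def apply_rule(rule, word):
    """Apply one rule line (whitespace-separated functions, left to right) to a word."""
    w = word
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":":
            pass                                      # no-op: pass the word through unchanged
        elif op == "l":
            w = w.lower()
        elif op == "u":
            w = w.upper()
        elif op == "c":
            w = w[:1].upper() + w[1:].lower()         # capitalize first letter, lowercase the rest
        elif op == "C":
            w = w[:1].lower() + w[1:].upper()
        elif op == "t":
            w = w.swapcase()                          # toggle the case of every letter
        elif op == "T":
            n = _pos(arg)                             # toggle the case of the letter at position N
            if n < len(w):
                w = w[:n] + w[n].swapcase() + w[n + 1:]
        elif op == "r":
            w = w[::-1]
        elif op == "d":
            w = w + w
        elif op == "$":
            w = w + arg                               # append a character
        elif op == "^":
            w = arg + w                               # prepend a character
        elif op == "s":
            w = w.replace(arg[0], arg[1])             # replace every X with Y
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
    return w


# Constructed rule files, a few lines each; a real leetspeak rule file has many more lines.
LEETSPEAK = [":", "so0", "sa@", "se3", "ss5", "si1", "sa4 se3 si1 so0 ss5"]
TOGGLES1 = [":"] + ["T" + c for c in "0123456789"]   # toggle the case of exactly one position


def expand(words, *rule_files):
    """Like stacking several -r files: each word runs through one line from every file in turn.
    Duplicates are suppressed so the candidate count stays honest."""
    seen = set()
    for word in words:
        for combo in itertools.product(*rule_files):
            cand = word
            for rule in combo:
                cand = apply_rule(rule, cand)
            if cand not in seen:
                seen.add(cand)
                yield cand


if __name__ == "__main__":
    for rule in ["c so0", "ss5 T6", "sa4 se3 si1 so0 ss5", "r $1"]:
        print(f"{rule:<22} password -> {apply_rule(rule, 'password')}")
    out = list(expand(["password"], LEETSPEAK, TOGGLES1))
    print(len(out), "distinct candidates from one word; sample:", out[:5])
```

Two things the interpreter makes visible: rule functions are applied in order, so "so0 T0" and "T0 so0" are different rules even though they produce the same word here, and stacking files multiplies the candidate count per word (7 × 11 lines here, minus duplicates), which is what makes -r cheap to add but expensive to stack deeply.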
aircrack-ng
Crack WEP/WPA-PSK passwords
aircrack-ng -w dictionary.txt wireless.cap
hcxtools
Convert wireless captures to JtR/Hashcat
Useful Links
Wordlist Sites
Hashcat Rules