Are you a beginner in the domain of cybersecurity? Do you want to be on its offensive side? As a red teamer, you learn many techniques and tactics that help you perform the cyber kill chain activities. One such task is privilege escalation, where you get hold of password hashes.
hashcat is a powerful and versatile tool that brute forces the stored credentials using known hashes by conducting various modes of attacks. The article covers this password cracking utility used by penetration testers, system administrators, spies, or hackers to find passwords.
What Are Hashes?
Hashing is a one-way mathematical function or unique identifier that returns a fixed-length output irrespective of input size/length. Hence, it is an irreversible process that does not require a key as in encryption to decipher the hash value.
The most common purpose of hashing is to ensure data integrity from tampering during data transmission. The properties of hashing are as follows:
- Offers fast computation
- Good algorithms avoid the same output for different inputs
- They have a deterministic nature
- Small changes in the input significantly influence the output hash value
Why Use hashcat?
hashcat is a multithreaded utility that allows you to configure the number of threads and limit execution based on priority. It supports over 300 hashing algorithms such as MD4, MD5, SHA1, SHA512, bcrypt, HMAC-SHA512, NTLM, MySQL, WHIRLPOOL, among many others. It is available for all types of operating systems, including Windows, Linux, Unix, and BSD.
Ways to Crack Password Hashes Using hashcat
hashcat offers a variety of attack modes (Combinator, Rule-based, Brute-force guessing, hybrid, and dictionary attacks) to provide better coverage. Here is an explanation of some attacks that hashcat uses to crack hashed passwords:
- Brute-force attack: A brute-force attack utilizes all possible character combinations to determine the exact password. However, it has a limitation of maximum password length and number of characters. Moreover, an advanced level of brute-force attack can also optimize time by making complexity assumptions. For instance, an advanced brute-force technique can assume that the first character is more likely to be upper case and digits are most likely to appear at the end of a password, etc.
- Dictionary attack: A dictionary attack utilizes a precomputed list of passwords depending on the information gathered around the target or a pattern observed across users. Hence, it takes some most commonly used passwords and adds some permutations to them to increase the scope.
- Hybrid attack: Hybrid is a combination of the above-discussed attacks, as it checks if the password is “crackable” via a dictionary attack and moves on to the brute-force technique, if not possible.
How to Install hashcat on Linux
hashcat is available by default in Kali Linux. To install it on Ubuntu and Debian:
sudo apt-get update
sudo apt-get install hashcat
On Fedora, CentOS, and other RHEL-based distros:
sudo dnf update
sudo dnf install hashcat
To install hashcat on Arch Linux:
sudo pacman -Syu
sudo pacman -S hashcat
Post-installation, use the help command to list all available options:
Some hashcat options and their description are as follows:
|The type of hash with a default value of 0 i.e. MD5 hash
|Type of attack, 0 for a straight attack, 2 for combination, and 3 for a brute-force attack
|Stores cracked password in an output file
|Requires a path to the wordlist of passwords to match and crack the hashes
Note: Before working with hashcat, ensure your system adheres to its hardware working requirements. Check out the official website for more details.
Crack Hashes From the /etc/shadow File in Linux
The /etc/shadow file stores the garbled or hashed values of all user’s passwords on Linux. It’s a critical file with strict access permissions; it is and must only be accessible by the root account.
Hence, if you come across a readable /etc/shadow file through any regular user account, you can get the hash value of the root account and crack the password hash using the hashcat utility.
For demonstration purposes, change to the root account and create a new user account alice to understand how hashcat works:
sudo useradd -c "Alice" alice
Create a password using the passwd command:
Check the hashed password value inside the /etc/shadow file as follows:
cut -d: -f1 /etc/shadow | grep alice
The hash in the above output begins from “alice:” onwards; save it inside a new file hash.txt.
You can go to the hashcat website to identify the type of hash function and associated reference value. SHA512 hash mode is generally identified by the $6$ term and has a reference value of 1800.
You can also look for the encryption method inside the login.defs file:
grep ENCRYPT_METHOD /etc/login.defs
Then, check the associated value of the hashing function using the hashcat command as follows:
hashcat -h | grep sha512
Now use the hashcat utility to crack the hash with the -a flag for attack mode, -m flag for hash reference value (as it does not support hash function name), hash.txt file path, and a path to the wordlist rockyou.txt.
hashcat -m 1800 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Note: On Kali Linux, the rockyou.txt file is available by default inside the /usr/share/wordlists directory. You can also use other wordlists by running the following command in the terminal:
locate wordlists | less
However, for other Linux distributions, you will need to download the rockyou.txt file from the GitHub repository as follows:
Cracking Passwords on Linux With hashcat
A well-built authentication system does not store user passwords in plain text and clear sight as they can cause security vulnerabilities. A better authentication mechanism stores passwords as hashes in secure and inaccessible files. However, a password cracker such as hashcat is designed to decipher or guess the passwords using various attack modes.
This article details ways a penetration tester must know to crack hashed passwords using the hashcat utility. As a red teamer, it’s necessary to understand the techniques an attacker can use to compromise the authentication controls and provide guidelines on covering system loopholes.
Do you ignore file hash verification at your own peril? Use these tools to verify the file you’re downloading is safe.
About The Author