How to guide for cracking Password Hashes with Hashcat using dictionary method

We saw from our previous article How to install Hashcat. Also we saw the use of Hashcat with pre-bundled examples. Now, Lets crack the passwords on your Linux machines, A real world example!

Create a User on Linux

Firstly on a terminal window, create a user and set a password for it as shown below. You can also follow How to Create a Linux User Account manually. You can set the password as : qwerty for this example purpose.

[root@cloud2 ~]# useradd ramya
[root@cloud2 ~]# passwd ramya
 Changing password for user ramya.
 New password:
 Retype new password:
 passwd: all authentication tokens updated successfully.

Hashcat - A Password Recovery Utility on Linux

Viewing the Password Hash

On the terminal window, execute the below command to view the generated hash for the password “qwerty” for the user ramya.

[root@cloud2 ~]# tail -n 1 /etc/shadow
ramya:$6$6SA.1X/l$JkVyIvJu.JAN6g8gIHyh9FWj3rAQ...yAf5hLFltzi1624A4rtcuxluzg75hh2bSGqv2bPZHaQYGHvD/ziOUD0:16790:0:99999:7:::

Finding your Salt Value

Looking at the above hash value, following the username “ramya“, The $6$ value indicates the type 6 password hash (SHA512). The characters after $6$, up to next $ indicates the salt.

In the above, the SALT is : 6SA.1X/l

Follow this article to know more about What is password hashing, How Hashes are Cracked, SALTS and its use cases etc.,

How to find the Hashing Algorithm used on Linux

The hashing algorithm is defined in the file: /etc/login.defs. Search for the word “ENCRYPT_METHOD” to find the hashing algorithm defined:

[root@cloud2 ~]# grep -rn ENCRYPT_METHOD /etc/login.defs
 65:ENCRYPT_METHOD SHA512

As you see, my Linux box uses SHA-512 hash type.

Extracting the Hash from the file /etc/shadow and creating a Hash File

[root@cloud2 ~]# tail /etc/shadow | grep "ramya" | awk  -F':' '{print $2}' >> password.hash

Insert one ore more hashes on a separate line for cracking multiple hashes at a time in the password.hash file.

List of common passwords available online

Well, we shall use a list of common passwords for cracking our hashes. The Common passwords can be downloaded from the below links:

From John the Ripper tool: John.txt.bz2
From Cain & Abel : Cain.txt.bz2
500 Common Passwords : 500-worst-passwords.txt.bz2
370 Banned Twitter Passwords: twitter-banned.txt.bz2

You can also get few more passwords which were leaked or stolen from famous web sites like phpbb, myspace, hotmail etc., from here.

Firstly, lets try with only 500 common passwords.

Download the 500 Common Passwords

[root@cloud2 ~]# wget http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt.bz2
[root@cloud2 ~]# bunzip 500-worst-passwords.txt.bz2

Cracking the Hash using Hashcat

Basic usage of hashcat is as follows:

[root@cloud2 ~]# hashcat [options] hashfile [mask|wordfiles|directories]

Options:

-m, --hash-type=NUM
 -a, --atack-mode=NUM
 -o, --ouput-file=NUM
 --remove Enable remove of hash once it is cracked.

We saw from above that our hash is of type 6. So we shall use : –hash-type=1800. If your /etc/login.defs uses MD5, then the hash type would be –hash-type=500 and like wise for other hash types. Few of them are shown below:

   100 = SHA1
   500 = md5crypt, MD5(Unix)
   1400 = SHA256
   1700 = SHA512
   1800 = SHA-512(Unix)

As we are trying the dictionary based cracking, we shall use the attack mode as –atack-mode=0.The other attack modes are:

    0 = Straight
    1 = Combination
    2 = Toggle-Case
    3 = Brute-force
    4 = Permutation
    5 = Table-Lookup
    8 = Prince

You can get the list of Hash-Type and attack-modes using the help of hashcat.

Lets output the found hashes to a new file called found.txt and remove the corresponding hash from the file password.hash. So finally the command would be:

[root@cloud2 ~]# hashcat -m 1800 -a 0 password.hash 500-worst-passwords.txt
 Initializing hashcat v2.00 with 2 threads and 32mb segment-size...
Added hashes from file password.hash: 1 (1 salts)
 Activating quick-digest mode for single-hash with salt
$6$EeKhjLd3$ogjAhHz5KFkcTUH6h5LP7j3HFhd83DL8KFXKbWQiisahKmexoA71yuJuM1MmbA.ZGU/qySl0xoo2FNqG6NNlv.:qwerty
All hashes have been recovered
Input.Mode: Dict (500-worst-passwords.txt)
 Index.....: 1/1 (segment), 500 (words), 3493 (bytes)
 Recovered.: 1/1 hashes, 1/1 salts
 Speed/sec.: - plains, 131 words
 Progress..: 132/500 (26.40%)
 Running...: 00:00:00:01
 Estimated.: 00:00:00:02
Started: Mon Dec 21 12:14:20 2015
 Stopped: Mon Dec 21 12:14:21 2015
[root@cloud2 ~]# cat found.txt
$6$EeKhjLd3$ogjAhHz5KFkcTUH6h5LP7j3HFhd83DL8KFXKbWQiisahKmexoA71yuJuM1MmbA.ZGU/qySl0xoo2FNqG6NNlv.:qwerty

From the above computation, we were able to crack the hash and You would see the hash, with the cracked password “qwerty” at the end, as shown above:

Lets create many accounts with little complex passwords. Now lets crack these hashes with a broader range of dictionary passwords obtained from the multiple lists:

[root@cloud2 ~]# wget http://downloads.skullsecurity.org/passwords/john.txt.bz2
[root@cloud2 ~]# wget http://downloads.skullsecurity.org/passwords/cain.txt.bz2
[root@cloud2 ~]# wget http://downloads.skullsecurity.org/passwords/twitter-banned.txt.bz2
[root@cloud2 ~]# wget http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt.bz2
[root@cloud2 ~]# bunzip2 john.txt.bz2 500-worst-passwords.txt.bz2 twitter-banned.txt.bz2 cain.txt.bz2
[root@cloud2 ~]# cat john.txt 500-worst-passwords.txt twitter-banned.txt cain.txt >> dictionary-passwords.txt

Now we are having a huge list of passwords which people normally use in the file: dictionary-passwords.txt

Now lets test our new hashes against these many passwords.

[root@cloud2 ~]#hashcat -m 1800 -a 0 -o found.txt --remove password.hash dictionary-passwords.txt
Initializing hashcat v2.00 with 2 threads and 32mb segment-size...
Added hashes from file password.hash: 2 (2 salts)
[s]tatus [p]ause [r]esume [b]ypass [q]uit => r
Input.Mode: Dict (/tmp/dictionary-passwords.txt)
Index.....: 1/1 (segment), 310683 (words), 3177794 (bytes)
Recovered.: 0/2 hashes, 0/2 salts
Speed/sec.: 251 plains, 125 words
Progress..: 310683 /310683 (100.00%)
Running...: 00:00:41:13
Estimated.: --:--:--:--
Started: Tue Dec 22 06:48:06 2015
Stopped: Tue Dec 22 07:29:19 2015

Fortunately, the new hashes couldn’t be cracked! Which means you need to increase your password base even more…

HAPPY CRACKING!

Updated on September 2, 2017

Was this article helpful?

Related Articles

Comments

  1. HI
    I have the following password in my cfg file
    $1$D6mt6GZX$labm5GNkzFEUc/vMwBxo.0
    what is this password

Leave a Comment