In our previous article, How to install Hashcat, we covered installation and the use of Hashcat with its pre-bundled examples. Now let's crack the passwords on your Linux machines: a real-world example!
Create a User on Linux
First, in a terminal window, create a user and set a password for it as shown below. You can also follow How to Create a Linux User Account manually. For this example, set the password to: qwerty
[root@cloud2 ~]# useradd ramya
[root@cloud2 ~]# passwd ramya
Changing password for user ramya.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Viewing the Password Hash
On the terminal window, execute the below command to view the generated hash for the password “qwerty” for the user ramya.
[root@cloud2 ~]# tail -n 1 /etc/shadow
ramya:$6$6SA.1X/l$JkVyIvJu.JAN6g8gIHyh9FWj3rAQ...yAf5hLFltzi1624A4rtcuxluzg75hh2bSGqv2bPZHaQYGHvD/ziOUD0:16790:0:99999:7:::
Finding your Salt Value
Looking at the above hash value, following the username “ramya”, the $6$ value indicates a type 6 password hash (SHA512). The characters after $6$, up to the next $, are the salt.
In the above, the SALT is : 6SA.1X/l
Follow this article to learn more about what password hashing is, how hashes are cracked, salts and their use cases, etc.
How to find the Hashing Algorithm used on Linux
The hashing algorithm is defined in the file: /etc/login.defs. Search for the word “ENCRYPT_METHOD” to find the hashing algorithm defined:
[root@cloud2 ~]# grep -rn ENCRYPT_METHOD /etc/login.defs
65:ENCRYPT_METHOD SHA512
As you can see, my Linux box uses the SHA-512 hash type.
Extracting the Hash from the file /etc/shadow and creating a Hash File
[root@cloud2 ~]# tail /etc/shadow | grep "ramya" | awk -F':' '{print $2}' >> password.hash
To crack multiple hashes at a time, put one or more hashes in the password.hash file, each on a separate line.
List of common passwords available online
We shall use a list of common passwords for cracking our hashes. The common password lists can be downloaded from the links below:
From John the Ripper tool: John.txt.bz2
From Cain & Abel : Cain.txt.bz2
500 Common Passwords : 500-worst-passwords.txt.bz2
370 Banned Twitter Passwords: twitter-banned.txt.bz2
You can also get a few more password lists which were leaked or stolen from famous web sites like phpbb, myspace, hotmail, etc., from here.
First, let's try with only the 500 common passwords.
Download the 500 Common Passwords
[root@cloud2 ~]# wget http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt.bz2
[root@cloud2 ~]# bunzip2 500-worst-passwords.txt.bz2
Cracking the Hash using Hashcat
Basic usage of hashcat is as follows:
[root@cloud2 ~]# hashcat [options] hashfile [mask|wordfiles|directories]
Options:
-m, --hash-type=NUM
-a, --attack-mode=NUM
-o, --outfile=FILE
--remove Enable remove of hash once it is cracked.
We saw above that our hash is of type 6, so we shall use --hash-type=1800. If your /etc/login.defs uses MD5, then the hash type would be --hash-type=500, and likewise for other hash types. A few of them are shown below:
100 = SHA1
500 = md5crypt, MD5(Unix)
1400 = SHA256
1700 = SHA512
1800 = SHA-512(Unix)
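As an added example (not from the original article), the script below does by machine what the sections above do by hand: it pulls the $id$ and salt out of shadow-format lines, maps $1$ and $6$ to the hashcat modes listed above, and lists accounts whose stored hash differs from ENCRYPT_METHOD, since changing that setting only affects passwords set afterwards. The function names and sample lines are constructed for illustration, and HASHBODY is a placeholder for a real digest.

```sh
#!/bin/sh
# Added example: audit shadow-format lines against the ENCRYPT_METHOD policy.
# All sample data is constructed; HASHBODY stands in for a real digest.

sample_login_defs() {
cat <<'EOF'
# ENCRYPT_METHOD DES
ENCRYPT_METHOD SHA512
EOF
}

sample_shadow() {
cat <<'EOF'
ramya:$6$6SA.1X/l$HASHBODY:16790:0:99999:7:::
olduser:$1$Example1$HASHBODY:15000:0:99999:7:::
tuned:$6$rounds=65536$Salt1234$HASHBODY:16790:0:99999:7:::
daemon:*:16000:0:99999:7:::
EOF
}

# Print the active ENCRYPT_METHOD value, skipping commented-out lines.
configured_method() {
    awk '$1 == "ENCRYPT_METHOD" { m = $2 } END { print m }'
}

# For each shadow line on stdin print: user scheme salt hashcat-mode
classify_shadow() {
    awk -F: '{
        user = $1; field = $2
        if (field == "" || field ~ /^[!*]/) { print user, "nohash", "-", "-"; next }
        n = split(field, part, /[$]/)   # part[1] is empty: the field starts with "$"
        if (n < 4 || part[1] != "") { print user, "unknown", "-", "-"; next }
        id = part[2]; salt = part[3]
        if (salt ~ /^rounds=/ && n >= 5) salt = part[4]   # optional rounds=N field
        if      (id == "1") { scheme = "MD5";    mode = 500 }
        else if (id == "6") { scheme = "SHA512"; mode = 1800 }
        else                { scheme = "id=" id; salt = "-"; mode = "-" }
        print user, scheme, salt, mode
    }'
}

# Users whose stored hash does not use the configured method ($1).
policy_mismatches() {
    classify_shadow | awk -v want="$1" '$2 != "nohash" && $2 != want { print $1 }'
}

sample_shadow | classify_shadow
sample_shadow | policy_mismatches "$(sample_login_defs | configured_method)"
```

On the constructed input, only olduser is reported: its $1$ hash predates the SHA512 setting and stays in place until that password is changed.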
As we are trying dictionary-based cracking, we shall use the attack mode --attack-mode=0. The other attack modes are:
0 = Straight
1 = Combination
2 = Toggle-Case
3 = Brute-force
4 = Permutation
5 = Table-Lookup
8 = Prince
You can get the list of Hash-Type and attack-modes using the help of hashcat.
Let's output the found hashes to a new file called found.txt and remove the corresponding hash from the file password.hash. So finally the command would be:
[root@cloud2 ~]# hashcat -m 1800 -a 0 -o found.txt --remove password.hash 500-worst-passwords.txt
Initializing hashcat v2.00 with 2 threads and 32mb segment-size...
Added hashes from file password.hash: 1 (1 salts)
Activating quick-digest mode for single-hash with salt
$6$EeKhjLd3$ogjAhHz5KFkcTUH6h5LP7j3HFhd83DL8KFXKbWQiisahKmexoA71yuJuM1MmbA.ZGU/qySl0xoo2FNqG6NNlv.:qwerty
All hashes have been recovered
Input.Mode: Dict (500-worst-passwords.txt)
Index.....: 1/1 (segment), 500 (words), 3493 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 131 words
Progress..: 132/500 (26.40%)
Running...: 00:00:00:01
Estimated.: 00:00:00:02
Started: Mon Dec 21 12:14:20 2015
Stopped: Mon Dec 21 12:14:21 2015
[root@cloud2 ~]# cat found.txt
$6$EeKhjLd3$ogjAhHz5KFkcTUH6h5LP7j3HFhd83DL8KFXKbWQiisahKmexoA71yuJuM1MmbA.ZGU/qySl0xoo2FNqG6NNlv.:qwerty
From the above computation, we were able to crack the hash, and you can see the hash with the cracked password “qwerty” at the end, as shown above.
Let's create many accounts with slightly more complex passwords. Now let's crack these hashes with a broader range of dictionary passwords obtained from the multiple lists:
[root@cloud2 ~]# wget http://downloads.skullsecurity.org/passwords/john.txt.bz2
[root@cloud2 ~]# wget http://downloads.skullsecurity.org/passwords/cain.txt.bz2
[root@cloud2 ~]# wget http://downloads.skullsecurity.org/passwords/twitter-banned.txt.bz2
[root@cloud2 ~]# wget http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt.bz2
[root@cloud2 ~]# bunzip2 john.txt.bz2 500-worst-passwords.txt.bz2 twitter-banned.txt.bz2 cain.txt.bz2
[root@cloud2 ~]# cat john.txt 500-worst-passwords.txt twitter-banned.txt cain.txt >> dictionary-passwords.txt
We now have a huge list of passwords which people normally use, in the file dictionary-passwords.txt.
Now let's test our new hashes against these many passwords.
[root@cloud2 ~]# hashcat -m 1800 -a 0 -o found.txt --remove password.hash dictionary-passwords.txt
Initializing hashcat v2.00 with 2 threads and 32mb segment-size...
Added hashes from file password.hash: 2 (2 salts)
[s]tatus [p]ause [r]esume [b]ypass [q]uit => r
Input.Mode: Dict (/tmp/dictionary-passwords.txt)
Index.....: 1/1 (segment), 310683 (words), 3177794 (bytes)
Recovered.: 0/2 hashes, 0/2 salts
Speed/sec.: 251 plains, 125 words
Progress..: 310683 /310683 (100.00%)
Running...: 00:00:41:13
Estimated.: --:--:--:--
Started: Tue Dec 22 06:48:06 2015
Stopped: Tue Dec 22 07:29:19 2015
Fortunately, the new hashes couldn’t be cracked! Which means you need to increase your password base even more…
I get it now 🙂
Hi
I have the following password in my cfg file
$1$D6mt6GZX$labm5GNkzFEUc/vMwBxo.0
What is this password?