Pass the hash: https://beta.hackndo.com/pass-the-hash/
John the Ripper with LM hashes: https://medium.com/secstudent/using-john-the-ripper-with-lm-hashes-f757bd4fb094
secretsdump demystified: https://medium.com/@benichmt1/secretsdump-demystified-bfd0f933dd9b
Tools
Identify
hashid
> <paste the hash>
[+] <Result>
[+] <Result>
[+] <Result>
Dictionary attack
hashcat:
hashcat -a 0 -m <mode> <hash> <wordlist>
# example
hashcat -a 0 -m 0 f806fc5a2a0d5ba2471600758452799c /usr/share/wordlists/rockyou.txt
-m: hash mode, i.e. the algorithm to use. The list of modes is available via hashcat -h
Brute-force attack
hashcat -a 3 -m <mode> <hash> <hash-cat-expression>
# example
hashcat -a 3 -m 0 05A5CF06982BA7892ED2A6D38FE832D6 ?d?d?d?d
NTLM/LM Hash
john --format=NT --rules -w=<wordlist> <hash-file>
#> cat <hash-file>
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
The first field contains the username and the second field contains the SID, a numeric identifier. If the third field does not start with aad3b, it is an LM hash. John is very good at cracking these. To make John focus on cracking an LM hash, use the following argument instead:
--format=LM
WordPress MD5
echo "<hash>" > ./hash.txt
hashcat -m 400 ./hash.txt /usr/share/wordlists/rockyou.txt
# -m 400 == MD5 (WordPress)
Hashcat
Common hashes
ID | Description |
---|---|
900 | MD4 |
0 | MD5 |
5100 | Half MD5 |
100 | SHA1 |
10800 | SHA-384 |
1400 | SHA-256 |
1700 | SHA-512 |
Linux hashes (/etc/shadow)
ID | Description |
---|---|
500 | md5crypt $1$, MD5(Unix) |
3200 | bcrypt $2*$, Blowfish(Unix) |
7400 | sha256crypt $5$, SHA256(Unix) |
1800 | sha512crypt $6$, SHA512(Unix) |
Windows hashes
ID | Description |
---|---|
3000 | LM |
1000 | NTLM |
Application hashes
ID | Description |
---|---|
400 | WordPress (sha256crypt) |
3200 | Joomla (bcrypt) |
Common file-protection hashes
ID | Description |
---|---|
11600 | 7-Zip |
12500 | RAR3-hp |
13000 | RAR5 |
13200 | AxCrypt |
13300 | AxCrypt in-memory SHA1 |
13600 | WinZip |
9700 | MS Office <= 2003 $0/$1, MD5 + RC4 |
9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1 |
9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2 |
9800 | MS Office <= 2003 $3/$4, SHA1 + RC4 |
9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1 |
9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2 |
9400 | MS Office 2007 |
9500 | MS Office 2010 |
9600 | MS Office 2013 |
10400 | PDF 1.1 – 1.3 (Acrobat 2 – 4) |
10410 | PDF 1.1 – 1.3 (Acrobat 2 – 4), collider #1 |
10420 | PDF 1.1 – 1.3 (Acrobat 2 – 4), collider #2 |
10500 | PDF 1.4 – 1.6 (Acrobat 5 – 8) |
10600 | PDF 1.7 Level 3 (Acrobat 9) |
10700 | PDF 1.7 Level 8 (Acrobat 10 – 11) |
16200 | Apple Secure Notes |
Database hashes
ID | Description | Example |
---|---|---|
12 | PostgreSQL | a6343a68d964ca596d9752250d54bb8a:postgres |
131 | MSSQL (2000) | 0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578 |
132 | MSSQL (2005) | 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe |
1731 | MSSQL (2012, 2014) | 0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375 |
200 | MySQL323 | 7196759210defdc0 |
300 | MySQL4.1/MySQL5 | fcf7c1b8749cf99d88e5f34271d636178fb5d130 |
3100 | Oracle H: Type (Oracle 7+) | 7A963A529D2E3229:3682427524 |
112 | Oracle S: Type (Oracle 11+) | ac5f1e62d21fd0529428b84d42e8955b04966703:38445748184477378130 |
12300 | Oracle T: Type (Oracle 12+) | 78281A9C0CF626BD05EFC4F41B515B61D6C4D95A250CD4A605CA0EF97168D670EBCB5673B6F5A2FB9CC4E0C0101E659C0C4E3B9B3BEDA846CD15508E88685A2334141655046766111066420254008225 |
8000 | Sybase ASE | 0xc00778168388631428230545ed2c976790af96768afa0806fe6c0da3b28f3e132137eac56f9bad027ea2 |
Cracking NTLM hashes
After grabbing or dumping the NTDS.dit and SYSTEM registry hive or dumping LSASS memory from a Windows box, you will often end up with NTLM hashes.
Path | Description |
---|---|
C:\Windows\NTDS\ntds.dit | Active Directory database |
C:\Windows\System32\config\SYSTEM | Registry hive containing the key used to encrypt hashes |
Then use Impacket to dump the hashes:
impacket-secretsdump -system SYSTEM -ntds ntds.dit -hashes lmhash:nthash LOCAL -outputfile ntlm-extract
You can crack the NTLM hash dump using the following hashcat syntax:
hashcat64 -m 1000 -a 0 -w 4 --force --opencl-device-types 1,2 -O d:\hashsample.hash "d:\WORDLISTS\realuniq.lst" -r OneRuleToRuleThemAll.rule
Benchmark using an Nvidia GTX 2060: speed 7000 MH/s, recovery rate 12.47%, elapsed time 2 hours 35 minutes.
Cracking hashes from Kerberoasting – KRB5TGS
A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.
KRB5TGS – Kerberoasting service accounts that use an SPN
Once you have identified a Kerberoastable service account (BloodHound? PowerShell Empire? Most likely an MS SQL Server service account), any AD user can request a krb5tgs hash for it, and that hash can then be cracked to recover the password.
Based on my benchmarking, KRB5TGS cracking is 28 times slower than NTLM.
Hashcat supports multiple versions of the KRB5TGS hash which can easily be identified by the number between the dollar signs in the hash itself.
- 13100 – Type 23 – $krb5tgs$23$
- 19600 – Type 17 – $krb5tgs$17$
- 19700 – Type 18 – $krb5tgs$18$
- 18200 – ASREP Type 23 – $krb5asrep$23$
KRB5TGS Type 23: CrackStation human-only word list with the OneRuleToRuleThemAll mutation rule list.
hashcat64 -m 13100 -a 0 -w 4 --force --opencl-device-types 1,2 -O d:\krb5tgs.hash d:\WORDLISTS\realhuman_phill.txt -r OneRuleToRuleThemAll.rule
Benchmark using an Nvidia GTX 2060: speed 250 MH/s, elapsed time 9 minutes.
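The notes above identify the cracking mode from markers inside the hash itself: the `aad3b...` sentinel in the third field of a pwdump line, the `$1$`/`$2*$`/`$5$`/`$6$` prefixes in /etc/shadow, and the number between the dollar signs of `$krb5tgs$` / `$krb5asrep$` hashes. The following Python script is an added example (not code from the original notes) that applies those rules to a mixed dump, groups the lines by the hashcat mode IDs listed in the tables on this page, and at the same time reports what a defender would act on in the same data: accounts that still store an LM hash, accounts whose NT hash is the empty-password value, tickets issued with RC4 (etype 23), and md5crypt entries. The three pwdump lines are the ones shown earlier on this page; every other sample line is constructed, and the function names `classify` and `split_by_mode` are my own.

```python
import re

# Sentinel values described in the notes above
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# hashcat mode IDs from the tables on this page, keyed by the marker in the hash itself
CRYPT_MODES = {
    "$1$": (500, "md5crypt"),
    "$2": (3200, "bcrypt"),        # covers $2a$, $2b$, $2y$ (the "$2*$" of the table)
    "$5$": (7400, "sha256crypt"),
    "$6$": (1800, "sha512crypt"),
}
KRB_MODES = {
    ("krb5tgs", "23"): 13100,
    ("krb5tgs", "17"): 19600,
    ("krb5tgs", "18"): 19700,
    ("krb5asrep", "23"): 18200,
}

PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")
KRB_RE = re.compile(r"^\$(krb5tgs|krb5asrep)\$(\d+)\$")
SHADOW_RE = re.compile(r"^([^:]+):(\$[^:]*):")   # user:$id$salt$hash:...


def classify(line):
    """Describe one dump line: its format, the hashcat mode to use, and any defensive finding."""
    line = line.strip()
    m = PWDUMP_RE.match(line)
    if m:
        user, rid = m.group(1), int(m.group(2))
        lm, nt = m.group(3).lower(), m.group(4).lower()
        findings = []
        if lm != EMPTY_LM:
            findings.append("LM hash still stored (LM storage not disabled)")
        if nt == EMPTY_NT:
            findings.append("empty password")
        # A stored LM hash is the weaker target (mode 3000); otherwise NTLM (mode 1000)
        mode = 3000 if lm != EMPTY_LM else 1000
        return {"format": "pwdump", "user": user, "rid": rid, "mode": mode, "findings": findings}

    m = KRB_RE.match(line)
    if m:
        kind, etype = m.group(1), m.group(2)
        findings = ["RC4 (etype 23) ticket: account or policy still permits RC4"] if etype == "23" else []
        return {"format": kind, "etype": int(etype), "mode": KRB_MODES.get((kind, etype)), "findings": findings}

    m = SHADOW_RE.match(line)
    if m:
        user, field = m.group(1), m.group(2)
        for prefix, (mode, name) in CRYPT_MODES.items():
            if field.startswith(prefix):
                findings = ["md5crypt in use; migrate to sha512crypt or bcrypt"] if mode == 500 else []
                return {"format": "shadow", "user": user, "algorithm": name, "mode": mode, "findings": findings}

    return {"format": "unknown", "mode": None, "findings": []}


def split_by_mode(lines):
    """Group lines by hashcat mode: hashcat takes one -m per run, so each group is one job."""
    groups = {}
    for line in lines:
        info = classify(line)
        if info["mode"] is not None:
            groups.setdefault(info["mode"], []).append(line.strip())
    return groups


# Constructed sample dump: the three pwdump lines from the notes plus made-up entries
SAMPLE = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::",
    "legacy:1001:00112233445566778899aabbccddeeff:ffb43f0de35be4d9917ac0cc8ad57f8d:::",   # constructed LM value
    "$krb5tgs$23$*svc_sql$EXAMPLE.LOCAL$MSSQLSvc/db.example.local*$00112233$44556677",  # constructed
    "$krb5tgs$18$svc_web$EXAMPLE.LOCAL$*HTTP/web.example.local*$00112233$44556677",     # constructed
    "$krb5asrep$23$nopreauth@EXAMPLE.LOCAL:00112233$44556677",                          # constructed
    "alice:$6$saltsalt$constructedhash:19000:0:99999:7:::",                             # constructed
    "bob:$1$saltsalt$constructedhash:19000:0:99999:7:::",                               # constructed
]

if __name__ == "__main__":
    for line in SAMPLE:
        info = classify(line)
        if info["findings"]:
            print(info.get("user", info["format"]), "->", "; ".join(info["findings"]))
    for mode, group in sorted(split_by_mode(SAMPLE).items()):
        print(f"hashcat -m {mode}: {len(group)} hash(es)")
```

Each group from `split_by_mode` can be written to its own file and passed to hashcat with the matching `-m`; the findings list is the part worth feeding back to the system owner, since an account that still stores an LM hash or still gets RC4 tickets stays weak regardless of how strong its password is.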
Cracking NTLMv2 Hashes from a Packet Capture
You may be asked to recover a password from an SMB authentication (NTLMv2) from a Packet Capture. The following is a 9-step process for formatting the hash correctly to do this. https://research.801labs.org/cracking-an-ntlmv2-hash/
To crack Linux hashes you must first unshadow them:
unshadow passwd-file.txt shadow-file.txt
unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
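What unshadow actually does, as an added example written in Python rather than the tool's own code: it takes the password field from each /etc/shadow line and puts it into the matching /etc/passwd line in place of the `x`, so the hash and the account's UID, home and shell end up on one line that john can read. The sample passwd and shadow contents below are constructed. Accounts whose shadow field is `*` or `!` are locked and carry no hash, so `hashed_accounts` (my name for the helper) leaves them out, which gives a quick view of which accounts a shadow file really exposes and which of those still use md5crypt.

```python
# Constructed sample files, not taken from any real system
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
SHADOW = """root:$6$rounds=5000$saltsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$1$saltsalt$constructedhash:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
"""


def unshadow(passwd_text, shadow_text):
    """Reproduce unshadow(8): copy each shadow password field into the matching passwd line."""
    hashes = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 2)[:2]
        hashes[user] = field
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if fields[0] in hashes:          # users absent from shadow keep their passwd line as-is
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def hashed_accounts(unshadowed):
    """(user, crypt id) for every line that carries a real hash; locked '*' / '!' entries are skipped."""
    result = []
    for line in unshadowed:
        user, field = line.split(":")[:2]
        if field.startswith("$"):
            result.append((user, field.split("$")[1]))   # "1" = md5crypt, "6" = sha512crypt, ...
    return result


if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    print("\n".join(merged))
    for user, crypt_id in hashed_accounts(merged):
        print(f"{user}: crypt id ${crypt_id}$" + ("  <- md5crypt, weak" if crypt_id == "1" else ""))
```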
Crack a zip password
zip2john Zipfile.zip | cut -d ':' -f 2 > hashes.txt
hashcat -a 0 -m 13600 hashes.txt /usr/share/wordlists/rockyou.txt
Hashcat appears to have issues with some zip hash formats generated by zip2john. You can fix this by editing the zip hash contents so that they match the example zip hash format found on the hashcat example hashes page:
$zip2$*0*3*0*b5d2b7bf57ad5e86a55c400509c672bd*d218*0**ca3d736d03a34165cfa9*$/zip2$
John seems to accept a wider range of zip formats for cracking.