Crack The Hash

Pass the hash: https://beta.hackndo.com/pass-the-hash/

John the Ripper with LM hashes: https://medium.com/secstudent/using-john-the-ripper-with-lm-hashes-f757bd4fb094

secretsdump demystified: https://medium.com/@benichmt1/secretsdump-demystified-bfd0f933dd9b

Tools

Identify

hashid
> <Paste the hash>

[+] <Result>
[+] <Result>
[+] <Result>

Dictionary attack

hashcat:

hashcat -a 0 -m <mode> <hash> <wordlist>
#example
hashcat -a 0 -m 0 f806fc5a2a0d5ba2471600758452799c /usr/share/wordlists/rockyou.txt

-m: hash mode, i.e. the algorithm to use. The full list of modes is printed by hashcat -h

Brute-force attack

hashcat -a 3 -m <mode> <hash> <mask>
#example: -a 3 is mask (brute-force) mode; ?d?d?d?d tries every four-digit string
hashcat -a 3 -m 0 05A5CF06982BA7892ED2A6D38FE832D6 ?d?d?d?d

NTLM/LM hashes

john --format=NT --rules -w=<wordlist> <hash-file>
#> cat <hash-file>
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

The first field holds the username and the second field holds the SID, a numeric identifier. If the third field is not the aad3b... placeholder, it is a real LM hash. John is very good at cracking those. To make John focus on cracking an LM hash, use the following argument instead:

--format=LM

WordPress MD5

echo "<hash>" > ./hash.txt
hashcat -m 400 ./hash.txt /usr/share/wordlists/rockyou.txt
# -m 400 == MD5 (WordPress)


Hashcat

Common hashes

ID     Description
  900  MD4
    0  MD5
 5100  Half MD5
  100  SHA1
10800  SHA-384
 1400  SHA-256
 1700  SHA-512

Linux hashes (/etc/shadow)

ID     Description
  500  md5crypt $1$, MD5(Unix)
 3200  bcrypt $2*$, Blowfish(Unix)
 7400  sha256crypt $5$, SHA256(Unix)
 1800  sha512crypt $6$, SHA512(Unix)

Windows hashes

ID     Description
 3000  LM
 1000  NTLM

Application hashes

ID     Description
  400  WordPress (sha256crypt)
 3200  Joomla (bcrypt)

Common file-protection hashes

ID     Description
11600  7-Zip
12500  RAR3-hp
13000  RAR5
13200  AxCrypt
13300  AxCrypt in-memory SHA1
13600  WinZip
 9700  MS Office <= 2003 $0/$1, MD5 + RC4
 9710  MS Office <= 2003 $0/$1, MD5 + RC4, collider #1
 9720  MS Office <= 2003 $0/$1, MD5 + RC4, collider #2
 9800  MS Office <= 2003 $3/$4, SHA1 + RC4
 9810  MS Office <= 2003 $3, SHA1 + RC4, collider #1
 9820  MS Office <= 2003 $3, SHA1 + RC4, collider #2
 9400  MS Office 2007
 9500  MS Office 2010
 9600  MS Office 2013
10400  PDF 1.1 - 1.3 (Acrobat 2 - 4)
10410  PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1
10420  PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2
10500  PDF 1.4 - 1.6 (Acrobat 5 - 8)
10600  PDF 1.7 Level 3 (Acrobat 9)
10700  PDF 1.7 Level 8 (Acrobat 10 - 11)
16200  Apple Secure Notes

Database hashes

ID     Description                   Example
   12  PostgreSQL                    a6343a68d964ca596d9752250d54bb8a:postgres
  131  MSSQL (2000)                  0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578
  132  MSSQL (2005)                  0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
 1731  MSSQL (2012, 2014)            0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375
  200  MySQL323                      7196759210defdc0
  300  MySQL4.1/MySQL5               fcf7c1b8749cf99d88e5f34271d636178fb5d130
 3100  Oracle H: Type (Oracle 7+)    7A963A529D2E3229:3682427524
  112  Oracle S: Type (Oracle 11+)   ac5f1e62d21fd0529428b84d42e8955b04966703:38445748184477378130
12300  Oracle T: Type (Oracle 12+)   78281A9C0CF626BD05EFC4F41B515B61D6C4D95A250CD4A605CA0EF97168D670EBCB5673B6F5A2FB9CC4E0C0101E659C0C4E3B9B3BEDA846CD15508E88685A2334141655046766111066420254008225
 8000  Sybase ASE                    0xc00778168388631428230545ed2c976790af96768afa0806fe6c0da3b28f3e132137eac56f9bad027ea2

Cracking NTLM hashes

After grabbing or dumping the NTDS.dit and SYSTEM registry hive or dumping LSASS memory from a Windows box, you will often end up with NTLM hashes.

Path                                Description
C:\Windows\NTDS\ntds.dit            Active Directory database
C:\Windows\System32\config\SYSTEM   Registry hive containing the key used to encrypt the hashes

Then dump the hashes with Impacket's secretsdump:

impacket-secretsdump -system SYSTEM -ntds ntds.dit -hashes lmhash:nthash LOCAL -outputfile ntlm-extract

You can crack the NTLM hash dump using the following hashcat syntax:

hashcat64 -m 1000 -a 0 -w 4 --force --opencl-device-types 1,2 -O d:\hashsample.hash "d:\WORDLISTS\realuniq.lst" -r OneRuleToRuleThemAll.rule

Benchmark using a Nvidia 2060 GTX: speed 7000 MH/s, recovery rate 12.47%, elapsed time 2 hours 35 minutes.

Cracking hashes from Kerberoasting (KRB5TGS)

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.

KRB5TGS: Kerberoasting service accounts that use an SPN

Once you have identified a Kerberoastable service account (BloodHound? PowerShell Empire? Most likely an MS SQL Server service account), any AD user can request a krb5tgs hash for it, which can then be cracked to recover the password.

Based on my benchmarking, KRB5TGS cracking is 28 times slower than NTLM.

Hashcat supports multiple versions of the KRB5TGS hash which can easily be identified by the number between the dollar signs in the hash itself.

  • 13100 – Type 23 – $krb5tgs$23$
  • 19600 – Type 17 – $krb5tgs$17$
  • 19700 – Type 18 – $krb5tgs$18$
  • 18200 – ASREP Type 23 – $krb5asrep$23$

KRB5TGS type 23, Crackstation human-only word list with the OneRuleToRuleThemAll mutation rules:

hashcat64 -m 13100 -a 0 -w 4 --force --opencl-device-types 1,2 -O d:\krb5tgs.hash d:\WORDLISTS\realhuman_phill.txt -r OneRuleToRuleThemAll.rule

Benchmark using a Nvidia 2060 GTX: speed 250 MH/s, elapsed time 9 minutes.

Cracking NTLMv2 hashes from a packet capture

You may be asked to recover a password from an SMB authentication (NTLMv2) captured in a packet capture. The following link describes a 9-step process for formatting the hash correctly to do this: https://research.801labs.org/cracking-an-ntlmv2-hash/

To crack Linux hashes you must first unshadow them (merge /etc/passwd and /etc/shadow into one file):

unshadow passwd-file.txt shadow-file.txt                    # print the merged lines to stdout
unshadow passwd-file.txt shadow-file.txt > unshadowed.txt   # save them for john or hashcat

Crack a zip password

zip2john Zipfile.zip | cut -d ':' -f 2 > hashes.txt
hashcat -a 0 -m 13600 hashes.txt /usr/share/wordlists/rockyou.txt

Hashcat appears to have issues with some zip hash formats generated by zip2john. You can fix this by editing the zip hash so that it matches the example zip hash format found on the hashcat example hashes page: $zip2$*0*3*0*b5d2b7bf57ad5e86a55c400509c672bd*d218*0**ca3d736d03a34165cfa9*$/zip2$

John seems to accept a wider range of zip formats for cracking.
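As an added example (not code from the original page), the following script does the zip2john-to-hashcat step above without the cut -d ':' -f 2 pipeline: it pulls the $zip2$...$/zip2$ token out of each zip2john line with a regex, so a path containing ':' cannot shift the fields, and rejects tokens that do not have the ten '*'-separated fields of the example hash quoted above. The field layout and the assumption that the salt, verify, data and auth-code fields are hex are taken from that example only.

```python
import re

# One hashcat WinZip (-m 13600) hash, laid out as in the example on this page:
# $zip2$*type*mode*magic*salt*verify_bytes*data_len*data*auth_code*$/zip2$
ZIP2 = re.compile(r"\$zip2\$\*.*?\*\$/zip2\$")
HEX_FIELDS = (4, 5, 7, 8)   # salt, verify bytes, data, auth code (data may be empty)
EXPECTED_FIELDS = 10        # count of '*'-separated parts in the example hash


def extract_zip2_hash(zip2john_line):
    """Return the $zip2$ token from one zip2john output line, or None when the
    line carries no token hashcat -m 13600 could load (e.g. a $pkzip2$ line for
    legacy ZipCrypto, which is a different hashcat mode, or a mangled token)."""
    m = ZIP2.search(zip2john_line)
    if not m:
        return None
    token = m.group(0)
    fields = token.split("*")
    if len(fields) != EXPECTED_FIELDS:
        return None
    if not all(re.fullmatch(r"[0-9a-fA-F]*", fields[i]) for i in HEX_FIELDS):
        return None
    return token


def zip2john_to_hashcat(output):
    """Convert full zip2john output (one line per archive member) into the lines
    to write to the hashcat hash file, dropping duplicates and unusable lines."""
    seen, hashes = set(), []
    for line in output.splitlines():
        token = extract_zip2_hash(line)
        if token and token not in seen:
            seen.add(token)
            hashes.append(token)
    return hashes
```

Lines that come back as None are the ones to inspect by hand (or hand to John, which the note above says accepts a wider range of zip formats).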