Hash Crack: Password Cracking Manual (v2.0)
Page Count: 163
Hash Crack. Copyright © 2017 Netmux LLC
All rights reserved. Without limiting the rights under the copyright reserved above, no part of this
publication may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any
form or by any means (electronic, mechanical, photocopying, recording, or otherwise) without prior
written permission.
ISBN-10: 1975924584
ISBN-13: 978-1975924584

Netmux and the Netmux logo are registered trademarks of Netmux, LLC. Other
product and company names mentioned herein may be the trademarks of their
respective owners. Rather than use a trademark symbol with every occurrence of a
trademarked name, we are using the names only in an editorial fashion and to the
benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an “As Is” basis, without warranty.
While every precaution has been taken in the preparation of this work, neither the
author nor Netmux LLC shall have any liability to any person or entity with respect
to any loss or damage caused or alleged to be caused directly or indirectly by the
information contained in it.
While every effort has been made to ensure the accuracy and legitimacy of the
references, referrals, and links (collectively “Links”) presented in this book/ebook,
Netmux is not responsible or liable for broken Links or missing or fallacious
information at the Links. Any Links in this book to a specific product, process,
website, or service do not constitute or imply an endorsement by Netmux of same, or
its producer or provider. The views and opinions contained at any Links do not
necessarily express or reflect those of Netmux.

TABLE OF CONTENTS
Intro
Required Software
Core Hash Cracking Knowledge
Cracking Methodology
Basic Cracking Playbook
Cheat Sheets
Extract Hashes
Password Analysis
Dictionary / Wordlist
Rules & Masks
Foreign Character Sets
Advanced Attacks
Cracking Concepts
Common Hash Examples
Appendix
-Terms
-Online Resources
-John The Ripper Menu
-Hashcat Menu
-Hash Cracking Benchmarks
-Hash Cracking Speed

INTRO
This manual is meant to be a reference guide for cracking tool usage and supportive
tools that assist network defenders and pentesters in password recovery (cracking).
This manual will not be covering the installation of these tools, but will include
references to their proper installation, and if all else fails, Google. Updates and
additions to this manual are planned yearly as advancements in cracking evolve.
Password recovery is a battle against math, time, cost, and human behavior; and
much like any battle, the tactics are constantly evolving.

ACKNOWLEDGEMENTS
This community would not enjoy the success and diversity without the following
community members and contributors:
Alexander ‘Solar Designer’ Peslyak, John The Ripper Team, & Community
Jens ‘atom’ Steube, Hashcat Team, & Devoted Hashcat Forum Community
Jeremi ‘epixoip’ Gosney
Korelogic & the Crack Me If You Can Contest
Robin ‘DigiNinja’ Wood (Pipal & CeWL)
CynoSure Prime Team
Chris ‘Unix-ninja’ Aurelio
Per Thorsheim (PasswordsCon)
Blandyuk & Rurapenthe (HashKiller Contest)
Peter ‘iphelix’ Kacherginsky (PACK)
Royce ‘tychotithonus’ Williams
‘Waffle’
And many, many, many more contributors. If a name was excluded from the above
list please reach out and the next version will give them their due credit.
Lastly, the tools, research, and resources covered in the book are the result of
people’s hard work. As such, I HIGHLY encourage all readers to DONATE to help
assist in their efforts. A portion of the proceeds from this book will be distributed to
the various researchers/projects.
Suggestions or comments, send your message to hashcrack@netmux.com

REQUIRED SOFTWARE
In order to follow many of the techniques in this manual, you will want to install the
following software on your Windows or *NIX host. This book does not cover how to
install said software and assumes you were able to follow the included links and
extensive support websites.
HASHCAT v3.6 (or newer)
https://hashcat.net/hashcat/
JOHN THE RIPPER (v1.8.0 JUMBO)
http://www.openwall.com/john/
PACK V0.0.4 (Password Analysis and Cracking Toolkit)
http://thesprawl.org/projects/pack/
Hashcat-utils v1.7
https://hashcat.net/wiki/doku.php?id=hashcat_utils
Additionally, you will need dictionaries/wordlists; the sources below are highly
recommended:
WEAKPASS DICTIONARY
https://weakpass.com/wordlist
CRACKSTATION DICTIONARY
https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm
SKULL SECURITY WORDLISTS
https://wiki.skullsecurity.org/index.php?title=Passwords
Throughout the manual, generic names have been given to the various inputs
required in a cracking command's structure. The legend is below:
COMMAND STRUCTURE LEGEND
hashcat = Generic representation of the various Hashcat binary names
john = Generic representation of the John the Ripper binary names
#type = Hash type; which is an abbreviation in John or a number in Hashcat
hash.txt = File containing target hashes to be cracked
dict.txt = File containing dictionary/wordlist
rule.txt = File containing permutation rules to alter dict.txt input
passwords.txt = File containing cracked password results
outfile.txt = File containing results of some functions output
Lastly, as a good reference for testing various hash types to place into your
“hash.txt” file, the below sites contain all the various hashing algorithms and
example output tailored for each cracking tool:
HASHCAT HASH FORMAT EXAMPLES
https://hashcat.net/wiki/doku.php?id=example_hashes
JOHN THE RIPPER HASH FORMAT EXAMPLES
http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
http://openwall.info/wiki/john/sample-hashes

CORE HASH CRACKING KNOWLEDGE
ENCODING vs HASHING vs ENCRYPTING
Encoding = transforms data into a publicly known scheme for usability
Hashing = one-way cryptographic function nearly impossible to reverse
Encrypting = mapping of input data and output data reversible with a key
CPU vs GPU
CPU = 2-72 cores mainly optimized for sequential serial processing
GPU = 1000’s of cores with 1000’s of threads for parallel processing
CRACKING TIME = KEYSPACE / HASHRATE
Keyspace: charset^length (?a?a?a?a = 95^4 = 81,450,625)
Hashrate: hashing function / hardware power (bcrypt / GTX1080 = 13094 H/s)
Cracking Time: 81,450,625 / 13094 H/s = 6,220 seconds
*Keyspace displayed and Hashrate vary by tool and hardware used
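The CRACKING TIME = KEYSPACE / HASHRATE formula above, worked through in code. This is an added example, not code from the manual: it encodes the sizes of hashcat's built-in charsets (?l ?u ?d ?s ?a ?b ?h ?H) as an assumption taken from hashcat's mask notation, and extends the calculation to literal characters in a mask, custom ?1-?4 charsets and the -i increment mode.

```python
# Added example (not from the Hash Crack manual): keyspace and cracking-time
# estimates for hashcat mask notation, i.e. CRACKING TIME = KEYSPACE / HASHRATE,
# extended to literal characters, custom charsets and the increment (-i) mode.
import math
from typing import Dict, List, Optional

# Sizes of hashcat's built-in charsets (?s is 33 symbols including space).
BUILTIN_CHARSETS: Dict[str, int] = {
    "l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256, "h": 16, "H": 16,
}


def mask_positions(mask: str, custom: Optional[Dict[str, int]] = None) -> List[int]:
    """Charset size at each position of a mask.

    '?x' is a placeholder (built-in, or a custom ?1-?4 whose size is passed in
    `custom`), '??' is a literal '?', and any other character is a fixed literal
    that contributes exactly one candidate at its position.
    """
    sizes = dict(BUILTIN_CHARSETS, **(custom or {}))
    positions, i = [], 0
    while i < len(mask):
        if mask[i] != "?":          # fixed literal character
            positions.append(1)
            i += 1
            continue
        if i + 1 == len(mask):
            raise ValueError("mask ends with a dangling '?'")
        tag = mask[i + 1]
        if tag == "?":              # '??' escapes a literal question mark
            positions.append(1)
        elif tag in sizes:
            positions.append(sizes[tag])
        else:
            raise ValueError(f"unknown charset ?{tag}")
        i += 2
    return positions


def mask_keyspace(mask: str, custom: Optional[Dict[str, int]] = None) -> int:
    """Keyspace of a plain mask attack (-a 3): product of per-position sizes."""
    return math.prod(mask_positions(mask, custom))


def increment_keyspace(mask: str, min_len: int = 1, custom=None) -> int:
    """Keyspace of -a 3 with -i: sum over every prefix length min_len..full."""
    sizes = mask_positions(mask, custom)
    return sum(math.prod(sizes[:n]) for n in range(min_len, len(sizes) + 1))


def cracking_time_seconds(keyspace: int, hashrate: float) -> float:
    """Worst-case seconds to exhaust the keyspace at `hashrate` hashes/second."""
    return keyspace / hashrate
```

With the manual's own figures, `mask_keyspace("?a?a?a?a")` gives 81,450,625 and `cracking_time_seconds(81450625, 13094)` rounds to 6,220 seconds; a hybrid (-a 6 / -a 7) keyspace is simply the wordlist's line count multiplied by the mask keyspace.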
SALT = random data that’s used as additional input to a one-way function
ITERATIONS = the number of times an algorithm is run over a given hash
HASH IDENTIFICATION: there isn’t a foolproof method for identifying which
hash function was used by simply looking at the hash, but there are reliable clues
(i.e. $6$ sha512crypt). The best method is to know from where the hash was
extracted and identify the hash function for that software.
DICTIONARY/WORDLIST ATTACK = straight attack uses a precompiled list of
words, phrases, and common/unique strings to attempt to match a password.
BRUTE-FORCE ATTACK = attempts every possible combination of a given
character set, usually up to a certain length.
RULE ATTACK = generates permutations against a given wordlist by modifying,
trimming, extending, expanding, combining, or skipping words.
MASK ATTACK = a form of targeted brute-force attack by using placeholders for
characters in certain positions (i.e. ?a?a?a?l?d?d).
HYBRID ATTACK = combines a Dictionary and Mask Attack by taking input
from the dictionary and adding mask placeholders (i.e. dict.txt ?d?d?d).
CRACKING RIG = from a basic laptop to a 64 GPU cluster, this is the hardware/
platform on which you perform your password hash attacks.
EXPECTED RESULTS
Know your cracking rig’s capabilities by performing benchmark testing and don’t
assume you can achieve the same results posted by forum members without using
the exact same dictionary, attack plan, or hardware setup. Cracking success largely
depends on your ability to use resources efficiently and make calculated trade-offs
based on the target hash.
DICTIONARY/WORDLIST vs BRUTE-FORCE vs ANALYSIS
Dictionaries and brute-force are not the be-all and end-all of cracking hashes. They
are merely the beginning and end of an attack plan. True mastery is everything in the
middle, where analysis of passwords, patterns, behaviors, and policies affords the
ability to recover that last 20%. Experiment with your attacks and research and
compile targeted wordlists with your new knowledge. Do not rely heavily on
dictionaries because they can only help you with what is “known” and not the
unknown.

CRACKING METHODOLOGY
Following is basic cracking methodology broken into steps, but the process is subject
to change based on current/future target information uncovered during the cracking
process.
1-EXTRACT HASHES
Pull hashes from target, identify hashing function, and properly format output for
your tool of choice.
2-FORMAT HASHES
Format your hashes based on your tool’s preferred method. See tool documentation
for this guidance. Hashcat, for example, takes one hash per line, either as the bare
hash or as user:hash (with --username).
3-EVALUATE HASH STRENGTH
Using the Appendix table “Hash Cracking Speed (Slow-Fast)” assess your target
hash and its cracking speed. If it’s a slow hash, you will need to be more selective
about what types of dictionaries and attacks you perform. If it’s a fast hash, you can
be more liberal with your attack strategy.
4-CALCULATE CRACKING RIG CAPABILITIES
With the information from evaluating the hash strength, baseline your cracking rig’s
capabilities. Perform benchmark testing using John The Ripper and/or Hashcat’s
built-in benchmark ability on your rig.
john --test
hashcat -b
Based on these results you will be able to better assess your attack options by
knowing your rig’s capabilities against a specific hash. This will be a more accurate
measure of a hash’s cracking speed on your rig. It will be useful to save these
results for future reference.
5-FORMULATE PLAN
Based on known or unknown knowledge begin creating an attack plan. Included on
the next page is a “Basic Cracking Playbook” to get you started.

6-ANALYZE PASSWORDS
After successfully cracking a sufficient amount of hashes analyze the results for any
clues or patterns. This analysis may aid in your success on any remaining hashes.
7-CUSTOM ATTACKS
Based on your password analysis create custom attacks leveraging those known clues
or patterns. Examples would be custom mask attacks or rules to fit target users’
behavior or preferences.
8-ADVANCED ATTACKS
Experiment with Princeprocessor, custom Markov-chains, maskprocessor, or custom
dictionary attacks to shake out those remaining stubborn hashes. This is where your
expertise and creativity really come into play.
9-REPEAT
Go back to STEP 4 and continue the process over again, tweaking dictionaries,
mask, parameters, and methods. You’re in the grind at this point and need to rely on
skill and luck.

BASIC CRACKING PLAYBOOK
This is only meant as a basic guide to processing hashes and each scenario will
obviously be unique based on external circumstances. For this attack plan we will
assume we know the password hashes are raw MD5 and assume we have already
captured some plain text passwords of users. If we had no knowledge of plain text
passwords we would most likely skip to DICTIONARY/WORDLIST attacks.
Lastly, since MD5 is a “Fast” hash we can be more liberal with our attack plan.
1-CUSTOM WORDLIST
First compile your known plain text passwords into a custom wordlist file. Pass this
to your tool of choice as a straight dictionary attack.
hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt
2-CUSTOM WORDLIST + RULES
Run your custom wordlist with permutation rules to crack slight variations.
hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt -r best64.rule --loopback
3-DICTIONARY/WORDLIST
Perform a broad dictionary attack, looking for common passwords and leaked
passwords in well known dictionaries/wordlists.
hashcat -a 0 -m 0 -w 4 hash.txt dict.txt
4-DICTIONARY/WORDLIST + RULES
Add rule permutations to the broad dictionary attack, looking for subtle changes to
common words/phrases and leaked passwords.
hashcat -a 0 -m 0 -w 4 hash.txt dict.txt -r best64.rule --loopback
5-CUSTOM WORDLIST + RULES
Add any newly discovered passwords to your custom wordlist and run an attack
again with permutation rules, looking for any other subtle variations.
awk -F ":" '{print $2}' hashcat.potfile >> custom_list.txt
hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt -r dive.rule --loopback

6-MASK
Now we will use mask attacks included with Hashcat to search the keyspace for
common password lengths and patterns, based on the RockYou dataset.
hashcat -a 3 -m 0 -w 4 hash.txt rockyou-1-60.hcmask
7-HYBRID DICTIONARY + MASK
Using a dictionary of your choice, conduct hybrid attacks looking for larger
variations of common words or known passwords by appending/prepending masks
to those candidates.
hashcat -a 6 -m 0 -w 4 hash.txt dict.txt rockyou-1-60.hcmask
hashcat -a 7 -m 0 -w 4 hash.txt rockyou-1-60.hcmask dict.txt
8-CUSTOM WORDLIST + RULES
Add any newly discovered passwords back to your custom wordlist and run an attack
again with permutation rules, looking for any other subtle variations.
awk -F ":" '{print $2}' hashcat.potfile >> custom_list.txt
hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt -r dive.rule --loopback
9-COMBO
Using a dictionary of your choice, perform a combo attack by individually
combining the dictionary’s password candidates together to form new candidates.
hashcat -a 1 -m 0 -w 4 hash.txt dict.txt dict.txt
10-CUSTOM HYBRID ATTACK
Add any newly discovered passwords back to your custom wordlist and perform a
hybrid attack against those newly acquired passwords.
awk -F ":" '{print $2}' hashcat.potfile >> custom_list.txt
hashcat -a 6 -m 0 -w 4 hash.txt custom_list.txt rockyou-1-60.hcmask
hashcat -a 7 -m 0 -w 4 hash.txt rockyou-1-60.hcmask custom_list.txt
11-CUSTOM MASK ATTACK
By now the easier, weaker passwords may have fallen to cracking, but still some
remain. Using PACK (on pg.51) create custom mask attacks based on your currently
cracked passwords. Be sure to sort out masks that match the previous rockyou-1-60.hcmask list.
hashcat -a 3 -m 0 -w 4 hash.txt custom_masks.hcmask
12-BRUTE-FORCE
When all else fails begin a standard brute-force attack, being selective as to how
large a keyspace your rig can adequately brute-force. Above 8 characters this is
typically pointless due to hardware limitations and password entropy/complexity.
hashcat -a 3 -m 0 -w 4 hash.txt -i ?a?a?a?a?a?a?a?a
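The awk one-liner used in steps 5, 8 and 10 prints only the second colon-separated field: for salted modes that field is the salt rather than the password, and hashcat's $HEX[...] encoding of plaintexts that contain ':' or non-printable bytes is left undecoded. The following is an added example, not the manual's own code, that harvests the potfile into the custom wordlist more carefully; the potfile layout and $HEX[] rule it relies on are assumptions about hashcat's behaviour, and the sample potfile lines are constructed with placeholder hash values.

```python
# Added example (not from the Hash Crack manual): harvest cracked plaintexts
# from a hashcat potfile into the custom wordlist, taking the last field rather
# than the second and decoding hashcat's $HEX[...] form.
import re
from pathlib import Path
from typing import Iterable, List, Optional

HEX_RE = re.compile(rb"^\$HEX\[([0-9a-fA-F]*)\]$")


def plain_from_potline(line: bytes) -> Optional[bytes]:
    """Plaintext of one potfile line, or None if it has no ':' separator.
    Assumes hashcat's layout <hash line>:<plain>, where <plain> is $HEX[..]-encoded
    whenever it contains ':' or non-printable bytes, so it is always the last field."""
    line = line.rstrip(b"\r\n")
    if b":" not in line:
        return None
    plain = line.rsplit(b":", 1)[1]
    m = HEX_RE.match(plain)
    if m:
        return bytes.fromhex(m.group(1).decode("ascii"))
    return plain


def harvest(pot_lines: Iterable[bytes], existing: Iterable[bytes] = ()) -> List[bytes]:
    """New, de-duplicated plaintexts in potfile order; skips empty passwords
    (a blank wordlist line is useless) and words already present in `existing`."""
    seen = set(existing)
    found: List[bytes] = []
    for raw in pot_lines:
        plain = plain_from_potline(raw)
        if plain and plain not in seen:
            seen.add(plain)
            found.append(plain)
    return found


def append_to_wordlist(potfile: Path, wordlist: Path) -> int:
    """Append new plaintexts to `wordlist` (created if missing); return how many."""
    existing = wordlist.read_bytes().splitlines() if wordlist.exists() else []
    new_words = harvest(potfile.read_bytes().splitlines(), existing)
    with wordlist.open("ab") as fh:
        fh.writelines(w + b"\n" for w in new_words)
    return len(new_words)


# Constructed sample potfile; the hash fields are placeholders, not real MD5s.
SAMPLE_POT = b"\n".join([
    b"00000000000000000000000000000001:password",
    b"00000000000000000000000000000002:$HEX[706173733a776f7264]",  # pass:word
    b"00000000000000000000000000000003:Summer2017!",
    b"00000000000000000000000000000001:password",                   # duplicate
    b"00000000000000000000000000000004:",                           # empty password
])
```

Pass `--potfile-path` to hashcat, or read its default potfile, and call `append_to_wordlist(Path("hashcat.potfile"), Path("custom_list.txt"))` between cracking runs instead of the awk line.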

JOHN THE RIPPER CHEAT SHEET
ATTACK MODES
BRUTEFORCE ATTACK
john --format=#type hash.txt
DICTIONARY ATTACK
john --format=#type --wordlist=dict.txt hash.txt
MASK ATTACK
john --format=#type --mask=?l?l?l?l?l?l hash.txt -min-len=6
INCREMENTAL ATTACK
john --incremental hash.txt
DICTIONARY + RULES ATTACK
john --format=#type --wordlist=dict.txt --rules hash.txt
RULES
--rules=Single
--rules=Wordlist
--rules=Extra
--rules=Jumbo
--rules=KoreLogic
--rules=All
INCREMENT
--incremental=Digits
--incremental=Lower
--incremental=Alpha
--incremental=Alnum
PARALLEL CPU or GPU
LIST OpenCL DEVICES
john --list=opencl-devices
LIST OpenCL FORMATS
john --list=formats --format=opencl
MULTI-GPU (example 3 GPU’s)
john --format=#type hash.txt --wordlist=dict.txt --rules --dev=<#> --fork=3
MULTI-CPU (example 8 cores)
john --wordlist=dict.txt hash.txt --rules --dev=<#> --fork=8
MISC
BENCHMARK TEST
john --test
SESSION NAME
john hash.txt --session=example_name
SESSION RESTORE
john --restore=example_name
SHOW CRACKED RESULTS
john hash.txt --pot= --show
WORDLIST GENERATION
john --wordlist=dict.txt --stdout --external=[filter name] > out.txt
BASIC ATTACK METHODOLOGY
1- DEFAULT ATTACK
john hash.txt
2- DICTIONARY + RULES ATTACK
john --wordlist=dict.txt --rules hash.txt
3- MASK ATTACK
john --mask=?l?l?l?l?l?l hash.txt -min-len=6
4- BRUTEFORCE INCREMENTAL ATTACK
john --incremental hash.txt

HASHCAT CHEAT SHEET
ATTACK MODES
DICTIONARY ATTACK
hashcat -a 0 -m #type hash.txt dict.txt
DICTIONARY + RULES ATTACK
hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt
COMBINATION ATTACK
hashcat -a 1 -m #type hash.txt dict1.txt dict2.txt
MASK ATTACK
hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a
HYBRID DICTIONARY + MASK
hashcat -a 6 -m #type hash.txt dict.txt ?a?a?a?a
HYBRID MASK + DICTIONARY
hashcat -a 7 -m #type hash.txt ?a?a?a?a dict.txt
RULES
RULEFILE -r
hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt
MANIPULATE LEFT -j
hashcat -a 1 -m #type hash.txt left_dict.txt right_dict.txt -j 

Author: Joshua Picolet
Create Date: 2017:09:22 13:02:31+00:00
Title: Hash Crack: Password Cracking Manual (v2.0)