Hash Crack: Password Cracking Manual (v2.0)
Joshua Picolet, CreateSpace IPP (2017). 179 pages.
Hash Crack. Copyright © 2017 Netmux LLC
All rights reserved. Without limiting the rights under the copyright reserved above, no part of this
publication may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form
or by any means (electronic, mechanical, photocopying, recording, or otherwise) without prior written
permission.
ISBN-10: 1975924584
ISBN-13: 978-1975924584

Netmux and the Netmux logo are registered trademarks of Netmux, LLC. Other
product and company names mentioned herein may be the trademarks of their
respective owners. Rather than use a trademark symbol with every occurrence of
a trademarked name, we are using the names only in an editorial fashion and to
the benefit of the trademark owner, with no intention of infringement of the
trademark.
The information in this book is distributed on an “As Is” basis, without warranty.
While every precaution has been taken in the preparation of this work, neither
the author nor Netmux LLC, shall have any liability to any person or entity with
respect to any loss or damage caused or alleged to be caused directly or
indirectly by the information contained in it.
While every effort has been made to ensure the accuracy and legitimacy of the
references, referrals, and links (collectively “Links”) presented in this
book/ebook, Netmux is not responsible or liable for broken Links or missing or
fallacious information at the Links. Any Links in this book to a specific product,
process, website, or service do not constitute or imply an endorsement by
Netmux of same, or its producer or provider. The views and opinions contained
at any Links do not necessarily express or reflect those of Netmux.

TABLE OF CONTENTS
Intro
Required Software
Core Hash Cracking Knowledge
Cracking Methodology
Basic Cracking Playbook
Cheat Sheets
Extract Hashes
Password Analysis
Dictionary / Wordlist
Rules & Masks
Foreign Character Sets
Advanced Attacks
Cracking Concepts
Common Hash Examples
Appendix
-Terms
-Online Resources
-John The Ripper Menu
-Hashcat Menu
-Hash Cracking Benchmarks
-Hash Cracking Speed

INTRO
This manual is meant to be a reference guide for cracking tool usage and
supportive tools that assist network defenders and pentesters in password
recovery (cracking). This manual will not be covering the installation of these
tools, but will include references to their proper installation, and if all else fails,
Google. Updates and additions to this manual are planned yearly as
advancements in cracking evolve. Password recovery is a battle against math,
time, cost, and human behavior; and much like any battle, the tactics are
constantly evolving.

ACKNOWLEDGEMENTS
This community would not enjoy the success and diversity without the following
community members and contributors:
Alexander ‘Solar Designer’ Peslyak, John The Ripper Team, & Community
Jens ‘atom’ Steube, Hashcat Team, & Devoted Hashcat Forum Community
Jeremi ‘epixoip’ Gosney
Korelogic & the Crack Me If You Can Contest
Robin ‘DigiNinja’ Wood (Pipal & CeWL)
CynoSure Prime Team
Chris ‘Unix-ninja’ Aurelio
Per Thorsheim (PasswordsCon)
Blandyuk & Rurapenthe (HashKiller Contest)
Peter ‘iphelix’ Kacherginsky (PACK)
Royce ‘tychotithonus’ Williams
‘Waffle’
And many, many, many more contributors. If a name was excluded from the
above list please reach out and the next version will give them their due credit.
Lastly, the tools, research, and resources covered in the book are the result of
people’s hard work. As such, I HIGHLY encourage all readers to DONATE to
help assist in their efforts. A portion of the proceeds from this book will be
distributed to the various researchers/projects.
Suggestions or comments, send your message to hashcrack@netmux.com

REQUIRED SOFTWARE
In order to follow many of the techniques in this manual, you will want to install
the following software on your Windows or *NIX host. This book does not
cover how to install said software and assumes you were able to follow the
included links and extensive support websites.
HASHCAT v3.6 (or newer)
https://hashcat.net/hashcat/
JOHN THE RIPPER (v1.8.0 JUMBO)
http://www.openwall.com/john/
PACK V0.0.4 (Password Analysis and Cracking Toolkit)
http://thesprawl.org/projects/pack/
Hashcat-utils v1.7
https://hashcat.net/wiki/doku.php?id=hashcat_utils
Additionally you will need dictionaries/wordlists, and the sources below are
highly recommended:
WEAKPASS DICTIONARY
https://weakpass.com/wordlist
CRACKSTATION DICTIONARY
https://crackstation.net/buy-crackstation-wordlist-password-crackingdictionary.htm
SKULL SECURITY WORDLISTS
https://wiki.skullsecurity.org/index.php?title=Passwords
Throughout the manual, generic names have been given to the various inputs
required in a cracking command’s structure. The legend is below:
COMMAND STRUCTURE LEGEND
hashcat = Generic representation of the various Hashcat binary names
john = Generic representation of the various John the Ripper binary names
#type = Hash type; an abbreviation in John or a number in Hashcat
hash.txt = File containing target hashes to be cracked
dict.txt = File containing dictionary/wordlist
rule.txt = File containing permutation rules to alter dict.txt input
passwords.txt = File containing cracked password results
outfile.txt = File containing the output of some functions
Lastly, as a good reference for testing various hash types to place into your
“hash.txt” file, the sites below list the various hashing algorithms with example
output tailored for each cracking tool:
HASHCAT HASH FORMAT EXAMPLES
https://hashcat.net/wiki/doku.php?id=example_hashes
JOHN THE RIPPER HASH FORMAT EXAMPLES
http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
http://openwall.info/wiki/john/sample-hashes

CORE HASH CRACKING KNOWLEDGE
ENCODING vs HASHING vs ENCRYPTING
Encoding = transforms data into a publicly known scheme for usability
Hashing = one-way cryptographic function, nearly impossible to reverse
Encrypting = mapping of input data to output data, reversible with a key
CPU vs GPU
CPU = 2-72 cores mainly optimized for sequential serial processing
GPU = 1000’s of cores with 1000’s of threads for parallel processing
CRACKING TIME = KEYSPACE / HASHRATE
Keyspace: charset^length (?a?a?a?a = 95^4 = 81,450,625)
Hashrate: hashing function / hardware power (bcrypt / GTX1080 = 13094 H/s)
Cracking Time: 81,450,625 / 13094 H/s = 6,220 seconds
*Keyspace displayed and Hashrate vary by tool and hardware used
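The KEYSPACE / HASHRATE arithmetic above, worked through in code so it can be applied to any hashcat mask (this is an added example, not code from the manual; the charset sizes are hashcat's built-in ?l ?u ?d ?s ?a ?b, and the `-i` helper assumes a mask made only of ?x tokens):

```python
# Added example (not from the manual): the CRACKING TIME = KEYSPACE / HASHRATE
# formula applied to hashcat mask syntax. Charset sizes are hashcat's built-ins.
CHARSET_SIZES = {
    "l": 26,   # ?l  a-z
    "u": 26,   # ?u  A-Z
    "d": 10,   # ?d  0-9
    "s": 33,   # ?s  space plus the 32 printable ASCII punctuation characters
    "a": 95,   # ?a  ?l?u?d?s combined
    "b": 256,  # ?b  every byte value 0x00-0xff
}


def mask_keyspace(mask: str) -> int:
    """Return charset^length for a mask such as '?a?a?a?a' (95**4).

    A literal character (the 'pass' in 'pass?d?d') is one fixed choice, and
    '??' is hashcat's escape for a literal question mark.
    """
    keyspace = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1                      # literal character, one choice
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        token = mask[i + 1]
        if token in CHARSET_SIZES:
            keyspace *= CHARSET_SIZES[token]
        elif token != "?":              # '??' is a literal '?', one choice
            raise ValueError(f"unknown charset ?{token}")
        i += 2
    return keyspace


def cracking_time_seconds(mask: str, hashrate: float) -> float:
    """Worst-case seconds to exhaust the mask at `hashrate` hashes per second."""
    return mask_keyspace(mask) / hashrate


def incremental_keyspace(mask: str, min_len: int = 1) -> int:
    """Keyspace of `hashcat -a 3 -i` over a mask made only of ?x tokens:
    the sum of the keyspaces of the first min_len .. N tokens."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    return sum(mask_keyspace("".join(tokens[:n]))
               for n in range(min_len, len(tokens) + 1))


if __name__ == "__main__":
    # The manual's numbers: ?a?a?a?a against bcrypt on a GTX1080 (13094 H/s).
    print(mask_keyspace("?a?a?a?a"))                        # 81450625
    print(round(cracking_time_seconds("?a?a?a?a", 13094)))   # 6220
    # Playbook step 12: eight ?a positions under -i, on the order of 6.7e15.
    print(incremental_keyspace("?a?a?a?a?a?a?a?a"))
```

Dividing a keyspace by your own benchmark figure from `hashcat -b` (step 4 of the methodology) is also the quickest way to check whether a password length policy actually holds up against the hardware you have.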
SALT = random data that’s used as additional input to a one-way function
ITERATIONS = the number of times an algorithm is run over a given hash
HASH IDENTIFICATION: there isn’t a foolproof method for identifying which
hash function was used by simply looking at the hash, but there are reliable
clues (i.e. $6$ sha512crypt). The best method is to know from where the hash
was extracted and identify the hash function for that software.
DICTIONARY/WORDLIST ATTACK = straight attack that uses a precompiled
list of words, phrases, and common/unique strings to attempt to match a
password.
BRUTE-FORCE ATTACK = attempts every possible combination of a given
character set, usually up to a certain length.
RULE ATTACK = generates permutations against a given wordlist by
modifying, trimming, extending, expanding, combining, or skipping words.
MASK ATTACK = a form of targeted brute-force attack that uses placeholders
for characters in certain positions (i.e. ?a?a?a?l?d?d).
HYBRID ATTACK = combines a Dictionary and Mask Attack by taking input
from the dictionary and adding mask placeholders (i.e. dict.txt ?d?d?d).
CRACKING RIG = from a basic laptop to a 64 GPU cluster, this is the
hardware/platform on which you perform your password hash attacks.
EXPECTED RESULTS
Know your cracking rig’s capabilities by performing benchmark testing and
don’t assume you can achieve the same results posted by forum members
without using the exact same dictionary, attack plan, or hardware setup.
Cracking success largely depends on your ability to use resources efficiently and
make calculated trade-offs based on the target hash.
DICTIONARY/WORDLIST vs BRUTE-FORCE vs ANALYSIS
Dictionaries and brute-force are not the end all be all to crack hashes. They are
merely the beginning and end of an attack plan. True mastery is everything in the
middle, where analysis of passwords, patterns, behaviors, and policies affords
the ability to recover that last 20%. Experiment with your attacks and research
and compile targeted wordlists with your new knowledge. Do not rely heavily on
dictionaries because they can only help you with what is “known” and not the
unknown.

CRACKING METHODOLOGY
Following is basic cracking methodology broken into steps, but the process is
subject to change based on current/future target information uncovered during
the cracking process.
1-EXTRACT HASHES
Pull hashes from target, identify hashing function, and properly format output for
your tool of choice.
2-FORMAT HASHES
Format your hashes based on your tool’s preferred method. See tool
documentation for this guidance. Hashcat, for example, on each line takes
: OR just the plain .
3-EVALUATE HASH STRENGTH
Using the Appendix table “Hash Cracking Speed (Slow-Fast)”, assess your target
hash and its cracking speed. If it’s a slow hash, you will need to be more
selective about what types of dictionaries and attacks you perform. If it’s a fast
hash, you can be more liberal with your attack strategy.
4-CALCULATE CRACKING RIG CAPABILITIES
With the information from evaluating the hash strength, baseline your cracking
rig’s capabilities. Perform benchmark testing using John The Ripper and/or
Hashcat’s built-in benchmark ability on your rig.
john --test
hashcat -b
Based on these results you will be able to better assess your attack options by
knowing your rig’s capabilities against a specific hash. This will be a more
accurate measure of a hash’s cracking speed on your rig than any published
figure. It will be useful to save these results for future reference.
5-FORMULATE PLAN
Based on what is known (or unknown) about the target, begin creating an attack
plan. Included on the next page is a “Basic Cracking Playbook” to get you started.
6-ANALYZE PASSWORDS
After successfully cracking a sufficient amount of hashes analyze the results for
any clues or patterns. This analysis may aid in your success on any remaining
hashes.
7-CUSTOM ATTACKS
Based on your password analysis, create custom attacks leveraging those known
clues or patterns. Examples would be custom mask attacks or rules that fit target
users’ behavior or preferences.
8-ADVANCED ATTACKS
Experiment with Princeprocessor, custom Markov-chains, maskprocessor, or
custom dictionary attacks to shake out those remaining stubborn hashes. This is
where your expertise and creativity really come into play.
9-REPEAT
Go back to STEP 4 and continue the process over again, tweaking dictionaries,
mask, parameters, and methods. You’re in the grind at this point and need to rely
on skill and luck.

BASIC CRACKING PLAYBOOK
This is only meant as a basic guide to processing hashes and each scenario will
obviously be unique based on external circumstances. For this attack plan we
will assume we know the password hashes are raw MD5 and assume we have
already captured some plain text passwords of users. If we had no knowledge of
plain text passwords we would most likely skip to DICTIONARY/WORDLIST
attacks. Lastly, since MD5 is a “Fast” hash we can be more liberal with our
attack plan.
1-CUSTOM WORDLIST
First compile your known plain text passwords into a custom wordlist file. Pass
this to your tool of choice as a straight dictionary attack.
hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt
2-CUSTOM WORDLIST + RULES
Run your custom wordlist with permutation rules to crack slight variations.
hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt -r best64.rule --loopback
3-DICTIONARY/WORDLIST
Perform a broad dictionary attack, looking for common passwords and leaked
passwords in well known dictionaries/wordlists.
hashcat -a 0 -m 0 -w 4 hash.txt dict.txt
4-DICTIONARY/WORDLIST + RULES
Add rule permutations to the broad dictionary attack, looking for subtle changes
to common words/phrases and leaked passwords.
hashcat -a 0 -m 0 -w 4 hash.txt dict.txt -r best64.rule --loopback
5-CUSTOM WORDLIST + RULES
Add any newly discovered passwords to your custom wordlist and run an attack
again with permutation rules, looking for any other subtle variations.
awk -F ":" '{print $2}' hashcat.potfile >> custom_list.txt

hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt -r dive.rule --loopback
6-MASK
Now we will use mask attacks included with Hashcat to search the keyspace for
common password lengths and patterns, based on the RockYou dataset.
hashcat -a 3 -m 0 -w 4 hash.txt rockyou-1-60.hcmask
7-HYBRID DICTIONARY + MASK
Using a dictionary of your choice, conduct hybrid attacks looking for larger
variations of common words or known passwords by appending/prepending
masks to those candidates.
hashcat -a 6 -m 0 -w 4 hash.txt dict.txt rockyou-1-60.hcmask
hashcat -a 7 -m 0 -w 4 hash.txt rockyou-1-60.hcmask dict.txt
8-CUSTOM WORDLIST + RULES
Add any newly discovered passwords back to your custom wordlist and run an
attack again with permutation rules, looking for any other subtle variations.
awk -F ":" '{print $2}' hashcat.potfile >> custom_list.txt
hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt -r dive.rule --loopback
9-COMBO
Using a dictionary of your choice, perform a combo attack by individually
combining the dictionary’s password candidates together to form new
candidates.
hashcat -a 1 -m 0 -w 4 hash.txt dict.txt dict.txt
10-CUSTOM HYBRID ATTACK
Add any newly discovered passwords back to your custom wordlist and perform
a hybrid attack against those newly acquired passwords.
awk -F ":" '{print $2}' hashcat.potfile >> custom_list.txt
hashcat -a 6 -m 0 -w 4 hash.txt custom_list.txt rockyou-1-60.hcmask
hashcat -a 7 -m 0 -w 4 hash.txt rockyou-1-60.hcmask custom_list.txt
11-CUSTOM MASK ATTACK
By now the easier, weaker passwords may have fallen to cracking, but still some
remain. Using PACK (on pg.51) create custom mask attacks based on your
currently cracked passwords. Be sure to sort out masks that match the previous
rockyou-1-60.hcmask list.
hashcat -a 3 -m 0 -w 4 hash.txt custom_masks.hcmask
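The two pieces of analysis glue the playbook relies on, as an added example that is neither the manual's nor PACK's code: pulling plaintexts out of hashcat.potfile (steps 5, 8 and 10) and deriving frequency-ranked masks from them while filtering out masks a previous .hcmask run already covered (step 11). The potfile lines and the "already run" mask list are constructed for the demo; the potfile reader assumes the unsalted `hash:plain` layout that `-m 0` produces.

```python
# Added example (not from the manual and not PACK's own code): the idea behind
# PACK's statsgen/maskgen for step 11, plus a safer potfile reader than the
# awk one-liner. All sample data below is constructed for the demo.
from collections import Counter
import string


def potfile_plaintexts(lines):
    """Plaintext column of hashcat.potfile lines ('hash:plain' for -m 0).

    Splits on the FIRST colon only, so a password that itself contains ':'
    is kept whole (awk -F ":" '{print $2}' would truncate it).
    """
    plains = []
    for line in lines:
        line = line.rstrip("\n")
        if ":" in line:
            plains.append(line.split(":", 1)[1])
    return plains


def password_to_mask(password):
    """Map each character to its hashcat charset token (?l ?u ?d ?s ?b)."""
    tokens = []
    for ch in password:
        if ch in string.ascii_lowercase:
            tokens.append("?l")
        elif ch in string.ascii_uppercase:
            tokens.append("?u")
        elif ch in string.digits:
            tokens.append("?d")
        elif ch in string.punctuation or ch == " ":
            tokens.append("?s")
        else:
            tokens.append("?b")   # non-ASCII/control byte: full byte range
    return "".join(tokens)


def custom_masks(cracked, already_run):
    """(mask, occurrences) sorted by frequency, minus masks an earlier attack
    already covered (e.g. the contents of rockyou-1-60.hcmask)."""
    done = set(already_run)
    counts = Counter(password_to_mask(p) for p in cracked)
    return [(m, n) for m, n in counts.most_common() if m not in done]


if __name__ == "__main__":
    # Constructed potfile lines; 5f4dcc3b... is MD5("password").
    potfile = ["5f4dcc3b5aa765d61d8327deb882cf99:password",
               "00000000000000000000000000000000:Summer2017!",
               "11111111111111111111111111111111:hunter2"]
    already = ["?l?l?l?l?l?l?l?l", "?l?l?l?l?l?l?d"]   # masks a prior run covered
    for mask, n in custom_masks(potfile_plaintexts(potfile), already):
        print(mask)   # one mask per line is the .hcmask file format
```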
12-BRUTE-FORCE
When all else fails begin a standard brute-force attack, being selective as to how
large a keyspace your rig can adequately brute-force. Above 8 characters this is
typically pointless due to hardware limitations and password entropy/
complexity.
hashcat -a 3 -m 0 -w 4 hash.txt -i ?a?a?a?a?a?a?a?a

JOHN THE RIPPER CHEAT SHEET
ATTACK MODES
BRUTEFORCE ATTACK
john --format=#type hash.txt
DICTIONARY ATTACK
john --format=#type --wordlist=dict.txt hash.txt
MASK ATTACK
john --format=#type --mask=?l?l?l?l?l?l hash.txt -min-len=6
INCREMENTAL ATTACK
john --incremental hash.txt
DICTIONARY + RULES ATTACK
john --format=#type --wordlist=dict.txt --rules hash.txt
RULES
--rules=Single
--rules=Wordlist
--rules=Extra
--rules=Jumbo
--rules=KoreLogic
--rules=All
INCREMENT
--incremental=Digits
--incremental=Lower
--incremental=Alpha
--incremental=Alnum
PARALLEL CPU or GPU
LIST OpenCL DEVICES
john --list=opencl-devices
LIST OpenCL FORMATS
john --list=formats --format=opencl

MULTI-GPU (example 3 GPUs)
john --format= hash.txt --wordlist=dict.txt --rules --dev=<#> --fork=3
MULTI-CPU (example 8 cores)
john --wordlist=dict.txt hash.txt --rules --dev=<#> --fork=8
MISC
BENCHMARK TEST
john --test
SESSION NAME
john hash.txt --session=example_name
SESSION RESTORE
john --restore=example_name
SHOW CRACKED RESULTS
john hash.txt --pot= --show
WORDLIST GENERATION
john --wordlist=dict.txt --stdout --external:[filter name] > out.txt
BASIC ATTACK METHODOLOGY

1- DEFAULT ATTACK
john hash.txt
2- DICTIONARY + RULES ATTACK
john --wordlist=dict.txt --rules hash.txt
3- MASK ATTACK
john --mask=?l?l?l?l?l?l hash.txt -min-len=6
4- BRUTEFORCE INCREMENTAL ATTACK
john --incremental hash.txt

HASHCAT CHEAT SHEET
ATTACK MODES
DICTIONARY ATTACK
hashcat -a 0 -m #type hash.txt dict.txt
DICTIONARY + RULES ATTACK
hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt
COMBINATION ATTACK
hashcat -a 1 -m #type hash.txt dict1.txt dict2.txt
MASK ATTACK
hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a
HYBRID DICTIONARY + MASK
hashcat -a 6 -m #type hash.txt dict.txt ?a?a?a?a
HYBRID MASK + DICTIONARY
hashcat -a 7 -m #type hash.txt ?a?a?a?a dict.txt
RULES
RULEFILE -r
hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt
MANIPULATE LEFT -j
hashcat -a 1 -m #type hash.txt left_dict.txt right_dict.txt -j 
