Password Cracking Techniques
Introduction to Password Cracking
Take the password Soccer06! for example. The corresponding MD5 and SHA-256 hashes can be generated with the following commands:
bmdyy@htb:~$ echo -n Soccer06! | md5sum
40291c1d19ee11a7df8495c4cccefdfa -
bmdyy@htb:~$ echo -n Soccer06! | sha256sum
a025dc6fabb09c2b8bfe23b5944635f9b68433ebd9a1a09453dd4fee00766d93 -Introduction to John The Ripper
Single crack mode
Imagine we as attackers came across the file passwd with the following contents:
r0lf:$6$ues25dIanlctrWxg$nZHVz2z4kCy1760Ee28M1xtHdGoy0C2cYzZ8l2sVa1kIa8K9gAcdBP.GI6ng/qA4oaMrgElZ1Cb9OeXO4Fvy3/:0:0:Rolf Sebastian:/home/r0lf:/bin/bashBased on the contents of the file, it can be inferred that the victim has the username r0lf, the real name Rolf Sebastian, and the home directory /home/r0lf. Single crack mode will use this information to generate candidate passwords and test them against the hash. We can run the attack with the following command:
eldeim@htb[/htb]$ john --single passwd
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[...SNIP...] (r0lf)
1g 0:00:00:00 DONE 1/3 (2025-04-10 07:47) 12.50g/s 5400p/s 5400c/s 5400C/s NAITSABESFL0R..rSebastiannaitsabeSr
Use the "--show" option to display all of the cracked passwords reliably
Session completed.In this case, the password hash was successfully cracked.
Wordlist mode
Wordlist mode is used to crack passwords with a dictionary attack, meaning it attempts all passwords in a supplied wordlist against the password hash. The basic syntax for the command is as follows:
The wordlist file (or files) used for cracking password hashes must be in plain text format, with one word per line. Multiple wordlists can be specified by separating them with a comma. Rules, either custom or built-in, can be specified by using the --rules argument. These can be applied to generate candidate passwords using transformations such as appending numbers, capitalizing letters and adding special characters.
Incremental mode
Incremental mode is a powerful, brute-force-style password cracking mode that generates candidate passwords based on a statistical model (Markov chains). It is designed to test all character combinations defined by a specific character set, prioritizing more likely passwords based on training data.
By default, JtR uses predefined incremental modes specified in its configuration file (john.conf), which define character sets and password lengths. You can customize these or define your own to target passwords that use special characters or specific patterns.
Note: This mode can be resource-intensive and slow, especially for long or complex passwords. Customizing the character set and length can improve performance and focus the attack.
Identifying hash formats
Sometimes, password hashes may appear in an unknown format, and even John the Ripper (JtR) may not be able to identify them with complete certainty. For example, consider the following hash:
One way to get an idea is to consult JtR's sample hash documentation, or this list by PentestMonkey. Both sources list multiple example hashes as well as the corresponding JtR format. Another option is to use a tool like hashID, which checks supplied hashes against a built-in list to suggest potential formats. By adding the -j flag, hashID will, in addition to the hash format, list the corresponding JtR format:
Cracking files
It is also possible to crack password-protected or encrypted files with JtR. Multiple "2john" tools come with JtR that can be used to process files and produce hashes compatible with JtR. The generalized syntax for these tools is:
Some of the tools included with JtR are:
Tool
Description
pdf2john
Converts PDF documents for John
ssh2john
Converts SSH private keys for John
mscash2john
Converts MS Cash hashes for John
keychain2john
Converts OS X keychain files for John
rar2john
Converts RAR archives for John
pfx2john
Converts PKCS#12 files for John
truecrypt_volume2john
Converts TrueCrypt volumes for John
keepass2john
Converts KeePass databases for John
vncpcap2john
Converts VNC PCAP files for John
putty2john
Converts PuTTY private keys for John
zip2john
Converts ZIP archives for John
hccap2john
Converts WPA/WPA2 handshake captures for John
office2john
Converts MS Office documents for John
wpa2john
Converts WPA/WPA2 handshakes for John
...SNIP...
...SNIP...
An even larger collection can be found on the Pwnbox:
Lab - Questions
Use single-crack mode to crack r0lf's password.
Use wordlist-mode with rockyou.txt to crack the RIPEMD-128 password.
Introduction to Hashcat
In the command above:
-ais used to specify theattack mode-mis used to specify thehash type<hashes>is a either a hash string, or a file containing one or more password hashes of the same type[wordlist, rule, mask, ...]is a placeholder for additional arguments that depend on the attack mode
Hash types
Hashcat supports hundreds of different hash types, each of which is assigned a ID. A list of associated IDs can be generated by running hashcat --help.
The hashcat website hosts a comprehensive list of example hashes which can assist in manually identifying an unknown hash type and determining the corresponding Hashcat hash mode identifier.
Alternatively, hashID can be used to quickly identify the hashcat hash type by specifying the -m argument.
Dictionary attack
A wordlist alone is often not enough to crack a password hash. As was the case with JtR, rules can be used to perform specific modifications to passwords to generate even more guesses. The rule files that come with hashcat are typically found under /usr/share/hashcat/rules:
As another example, imagine an additional md5 hash was leaked from the SQL database: 1b0556a75770563578569ae21392630c. We weren't able to crack it using rockyou.txt alone, so in a subsequent attempt, we might apply some common rule-based transformations. One ruleset we could try is best64.rule, which contains 64 standard password modificationsโsuch as appending numbers or substituting characters with their "leet" equivalents. To perform this kind of attack, we would append the -r <ruleset> option to the command, as shown below:
Mask attack
Mask attack (-a 3) is a type of brute-force attack in which the keyspace is explicitly defined by the user. For example, if we know that a password is eight characters long, rather than attempting every possible combination, we might define a mask that tests combinations of six letters followed by two numbers.
A mask is defined by combining a sequence of symbols, each representing a built-in or custom character set. Hashcat includes several built-in character sets:
?l
abcdefghijklmnopqrstuvwxyz
?u
ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d
0123456789
?h
0123456789abcdef
?H
0123456789ABCDEF
?s
ยซspaceยป!"#$%&'()*+,-./:;<=>?@[]^_`{
?a
?l?u?d?s
?b
0x00 - 0xff
Custom charsets can be defined with the -1, -2, -3, and -4 arguments, then referred to with ?1, ?2, ?3, and ?4.
Let's say that we specifically want to try passwords which start with an uppercase letter, continue with four lowercase letters, a digit, and then a symbol. The resulting hashcat mask would be ?u?l?l?l?l?d?s.
Lab - Questions
Use a dictionary attack to crack the first password hash. (Hash: e3e3ec5831ad5e7288241960e5d4fdb8)
Use a dictionary attack with rules to crack the second password hash. (Hash: 1b0556a75770563578569ae21392630c)
For this occasion, we need use someone more of complicity, use:
Use a mask attack to crack the third password hash. (Hash: 1e293d6912d074c0fd15844d803400dd)
Here, we need use a mask attack -->
?l = lowercase?d = nรบmeros?u = uppercase?s = sรญmbolos
Writing Custom Wordlists and Rules
Commonly, users use the following additions for their password to fit the most common password policies:
Description
Password Syntax
First letter is uppercase
Password
Adding numbers
Password123
Adding year
Password2022
Adding month
Password02
Last character is an exclamation mark
Password2022!
Adding special characters
P@ssw0rd2022!
Let's look at a simple example using a password list with only one entry.
We can use Hashcat to combine lists of potential names and labels with specific mutation rules to create custom wordlists. Hashcat uses a specific syntax to define characters, words, and their transformations. The complete syntax is documented in the official Hashcat rule-based attack documentation, but the examples below are sufficient to understand how Hashcat mutates input words.
Function
Description
:
Do nothing
l
Lowercase all letters
u
Uppercase all letters
c
Capitalize the first letter and lowercase others
sXY
Replace all instances of X with Y
$!
Add the exclamation character at the end
Each rule is written on a new line and determines how a given word should be transformed. If we write the functions shown above into a file, it may look like this:
We can use the following command to apply the rules in custom.rule to each word in password.list and store the mutated results in mut_password.list.
In this case, the single input word will produce fifteen mutated variants.
Lab - Questions
For this sections exercise, imagine that we compromised the password hash of a work email belonging to Mark White. After performing a bit of OSINT, we have gathered the following information about Mark:
He was born on
August 5, 1998He works at
Nexura, Ltd.The company's password policy requires passwords to be at least 12 characters long, to contain at least one uppercase letter, at least one lowercase letter, at least one symbol and at least one number
He lives in
San Francisco, CA, USAHe has a pet cat named
BellaHe has a wife named
MariaHe has a son named
AlexHe is a big fan of
baseball
The password hash is: 97268a8ae45ac7d15c3cea4ce6ea550b. Use the techniques covered in this section to generate a custom wordlist and ruleset targeting Mark specifically, and crack the password.
Personal Info
Name: Mark White
Born: August 5, 1998
Location: San Francisco
Pet cat: Bella
Wife: Maria
Son: Alex
Hobby: Baseball
Company Info
Company: Nexura
Password Policy
โฅ12 characters
1 uppercase
1 lowercase
1 symbol
1 number
What is Mark's password?
Once, we craft a new dictionary with name mark.txt
Add combinations (most common patterns people use):
In addition, now craft a new dicctionay with mutation rules, mark-rules.txt
Likely patterns Mark would choose:
Capitalize first letter
Append year or birthday (1998, 98, 0805)
Append "!","@" or "$"
Combine rules to ensure uppercase + number + symbol.
Now, generete the mutated dicctionay -->
97268a8ae45ac7d15c3cea4ce6ea550b
โ 32 hex chars โ MD5Finally I cracked the password using the rule
best64:
Cracking Protected Files
Hunting for Encrypted Files
Many different extensions correspond to encrypted filesโa useful reference list can be found on FileInfo. As an example, consider this command we might use to locate commonly encrypted files on a Linux system:
Hunting for SSH keys
Certain files, such as SSH keys, do not have standard file extension. In cases like these, it may be possible to identify files by standard content such as header and footer values. For example, SSH private keys always begin with -----BEGIN [...SNIP...] PRIVATE KEY-----. We can use tools like grep to recursively search the file system for them during post-exploitation.
Some SSH keys are encrypted with a passphrase. With older PEM formats, it was possible to tell if an SSH key is encrypted based on the header, which contains the encryption method in use. Modern SSH keys, however, appear the same whether encrypted or not.
One way to tell whether an SSH key is encrypted or not, is to try reading the key with ssh-keygen.
As shown below, attempting to read a password-protected SSH key will prompt the user for a passphrase:
Cracking encrypted SSH keys
As mentioned in a previous section, JtR has many different scripts for extracting hashes from filesโwhich we can then proceed to crack. We can find these scripts on our system using the following command:
For example, we could use the Python script ssh2john.py to acquire the corresponding hash for an encrypted SSH key, and then use JtR to try and crack it.
We can then view the resulting hash:
Cracking password-protected documents
Over the course of our careers, we are likely to encounter a wide variety of documents that are password-protected to restrict access to authorized individuals. Today, most reports, documentation, and information sheets are commonly distributed as Microsoft Office documents or PDFs. John the Ripper (JtR) includes a Python script called office2john.py, which can be used to extract password hashes from all common Office document formats. These hashes can then be supplied to JtR or Hashcat for offline cracking. The cracking procedure remains consistent with other hash types.
The process for cracking PDF files is quite similar, as we simply swap out office2john.py for pdf2john.py.
Lab - Questions
Download the attached ZIP archive (cracking-protected-files.zip), and crack the file within. What is the password?
First, unzip the file use gunzip -->
We obtain a file xlsx that is equal that a excel, get his hash with office2jhon an crack it -->
Cracking Protected Archives
Besides standalone files, we will often run across archives and compressed filesโsuch as ZIP filesโwhich are protected with a password.
There are many types of archive files. Some of the more commonly encountered file extensions include tar, gz, rar, zip, vmdb/vmx, cpt, truecrypt, bitlocker, kdbx, deb, 7z, and gzip.
A comprehensive list of archive file types can be found on FileInfo. Rather than typing them out manually, we can also query the data using a one-liner, apply filters as needed, and save the results to a file. At the time of writing, the website lists 365 archive file types.
Note that not all archive types support native password protection, and in such cases, additional tools are often used to encrypt the files. For example, TAR files are commonly encrypted using openssl or gpg.
Cracking ZIP files
The ZIP format is often heavily used in Windows environments to compress many files into one file. The process of cracking an encrypted ZIP file is similar to what we have seen already, except for using a different script to extract the hashes.
Once we have extracted the hash, we can use JtR to crack it with the desired password list.
Cracking OpenSSL encrypted GZIP files
It is not always immediately apparent whether a file is password-protected, particularly when the file extension corresponds to a format that does not natively support password protection. As previously discussed, openssl can be used to encrypt files in the GZIP format. To determine the actual format of a file, we can use the file command, which provides detailed information about its contents. For example:
When cracking OpenSSL encrypted files, we may encounter various challenges, including numerous false positives or complete failure to identify the correct password. To mitigate this, a more reliable approach is to use the openssl tool within a for loop that attempts to extract the contents directly, succeeding only if the correct password is found.
The following one-liner may produce several GZIP-related error messages, which can be safely ignored. If the correct password list is used, as in this example, we will see another file successfully extracted from the archive.
Once the for loop has finished, we can check the current directory for a newly extracted file.
Cracking BitLocker-encrypted drives
BitLocker is a full-disk encryption feature developed by Microsoft for the Windows operating system. Available since Windows Vista, it uses the AES encryption algorithm with either 128-bit or 256-bit key lengths. If the password or PIN used for BitLocker is forgotten, decryption can still be performed using a recovery keyโa 48-digit string generated during the setup process.
In enterprise environments, virtual drives are sometimes used to store personal information, documents, or notes on company-issued devices to prevent unauthorized access. To crack a BitLocker encrypted drive, we can use a script called bitlocker2john to four different hashes: the first two correspond to the BitLocker password, while the latter two represent the recovery key. Because the recovery key is very long and randomly generated, it is generally not practical to guessโunless partial knowledge is available. Therefore, we will focus on cracking the password using the first hash ($bitlocker$0$...).
Once a hash is generated, either JtR or hashcat can be used to crack it. For this example, we will look at the procedure with hashcat. The hashcat mode associated with the $bitlocker$0$... hash is -m 22100. We supply the hash, specify the wordlist, and define the hash mode. Since this encryption uses strong AES encryption, cracking may take considerable time depending on hardware performance.
After successfully cracking the password, we can access the encrypted drive.
Mounting BitLocker-encrypted drives in Windows
The easiest method for mounting a BitLocker-encrypted virtual drive on Windows is to double-click the .vhd file. Since it is encrypted, Windows will initially show an error. After mounting, simply double-click the BitLocker volume to be prompted for the password.
Mounting BitLocker-encrypted drives in Linux (or macOS)
It is also possible to mount BitLocker-encrypted drives in Linux (or macOS). To do this, we can use a tool called dislocker. First, we need to install the package using apt:
Next, we create two folders which we will use to mount the VHD.
We then use losetup to configure the VHD as loop device, decrypt the drive using dislocker, and finally mount the decrypted volume:
If everything was done correctly, we can now browse the files:
Once we have analyzed the files on the mounted drive, we can unmount it using the following commands:
Lab - Questions
Run the above target then navigate to http://ip:port/download, then extract the downloaded file. Inside, you will find a password-protected VHD file. Crack the password for the VHD and submit the recovered password as your answer.
Berofe of unzip the file, obtain the Private.vhd, so... get the hash -->
Now, filter to obtain only the hash and save it to after crack it -->
Mount the BitLocker-encrypted VHD and enter the contents of flag.txt as your answer.
Now create the two folder -->
Now configure the VHD -->
Note: -u
Now, verify the the /dev/loop0p* something -->
Now, unlock the bitlocker -->
To finished, enter to the directory create and mounted -->
Last updated