Saturday, May 7, 2016

Password Cracking: Hashcat

For hackers and security analysts that crack passwords, make sure you learn to use hashcat too! I normally use JTR (John the Ripper aka John) but, a friend of mine pointed out that hashcat is also a very viable tool. He insists that it's better than john but, I have not tested them nor am I saying one is better than the other. They are both password cracking tools and any great hacker/security analyst should be able to use either proficiently.

To get a basic understanding of how hashcat works, check out these posts*:
Now, for both my and my readers' benefit, I am going to walk through using this tool to crack passwords.

First, I am going to create a new user so I can crack the password. 

Now, I am going to follow the instructions of the previous articles to crack this password (it's fairly simple to start ;) )

I put my hashcat1 user line from /etc/shadow into the hash.lst file. I checked the hash function and it is SHA512.

Now, I will run the same commands to crack this password.

It worked in THREE seconds. Now, to be fair, it was a dictionary word and I used the rockyou dictionary to crack it. Let's make it a little more difficult for hashcat. I created a password that uses uppercase and lowercase. Let's see how hashcat does.

Hashcat allows for 'masks' which allow you to specify which types of characters will be where in the password. As we can see, I have an upper case letter, followed by 4 lower case letters, an upper case letter, followed by 5 lower case letters. Two words, put together, first letter capitalized. These masks allow for very specific guessing of passwords and drastically reduces the keyspace that hashcat needs to guess. For example, if you knew that I only used upper and lower case and that it was 11 characters long, the keyspace is 52^11 ~ 7.5*10^18. By specifying a mask, we reduce the keyspace to 26^11 ~ 3.6*10^15. The keyspace becomes approximately 2000 times smaller. So if we go by hashcat's output, 10 years would become 20,000 years. This is a great example at how computationally expensive cracking passwords can get just by adding one more letter or one more set of characters (numbers, upper case, lower case, special).

Hashcat allows for masks, dictionary files, combinations of dictionary words from files, permutations of words from a dictionary, hybrid attacks, table-lookups, and rule-based attacks. I recommend looking at hashcat's wiki to understand the more complex attacks but they can get pretty specific and the more you know about the potential password, the easier it will be to crack.  

Lastly, if anyone is looking for unsolicited advice, I always recommend using a passphrase rather than a password. 'ILoveMyCatSoMuch!0906' which could be a true statement (easy to remember), punctuation that emphasizes your true statement, and your cat's birthday (in this case) makes a very secure password that incorporates all four categories of characters, 21 character length, and it's easy to remember because it's a true statement about yourself. Now, like everything else, this is exploitable. Specifically, this is subject to Social Engineering. This password could be guessed however, the attacker would have to know you love your cat, know which letters you capitalized, which order each word goes in, and which order the sentence, punctuation, and birthday go in (for example, !0906ILoveMyCatALot, MyCatFluffyWasBorn0906, 123MyCatIsSoAwesome?!?! are all great passwords that revolve around an important part of your life.

There is no silver bullet to password cracking but hashcat is a very powerful password cracking tool and I'm very happy I decided to add it to my arsenal of hacking tools. Look it up, learn it, be great!

*These posts are not in any particular order, I am not receiving any compensation from anyone to post these sites, and these sites do not necessarily reflect my opinion, my employer's opinion, nor any certification bodies' opinions of which I hold one or more of their certificates. 

No comments:

Post a Comment