Cracking hashed and salted passwords | Part two of SQL injection.

This is part two of a two-part post. The disclaimer from part one still applies and should be reviewed before reading this article.

Question: I have a number of hashed passwords I need to crack. I forgot my password to (insert service name here) and I happen to have it as a hashed and salted value.

Answer: Good news! This is entirely possible, provided you have the following three things:

Time, a decent GPU, and a copy of Hashcat.

It also has to be a hash type Hashcat knows how to run wordlists against (it does not use rainbow tables; it recomputes the hash for every candidate). See the Hashcat hash-mode list for the supported algorithms; each algorithm is referred to as a mode when cracking, and you will need its number later.

First we need to find out which version you need. This depends on your hardware: GPU attacks are usually much faster than CPU attacks, so today we will focus on oclHashcat, but you can still use the original CPU hashcat if you prefer.

If you use an AMD (ATI) card, download oclHashcat for AMD. Note that a specific driver version is required for it to work; at the time of this writing they recommend Catalyst (CCC) 14.9.

If, like me, you have an Nvidia card, download oclHashcat for Nvidia (the binaries are named cudaHashcat) and extract it somewhere easy to get to.

You will also need a wordlist to throw at Hashcat. I will cover how I get these lists in a post tomorrow. A wordlist is, simply put, a list of candidate passwords, one per line; Hashcat hashes each candidate with the chosen algorithm and compares the result against the hash you want to crack. See the very simplified example below.

Assume the password hash I want to crack is (an MD5 hash):
42f749ade7f9e195bf475f37a44cafcb

And my password list looks like this:
aaaaaaaaaa
bbbbbbbbb
Password
Password123
ccccccccccc

Hashcat takes each line, hashes it with the selected algorithm and compares the result with the target. Using mode 0 (plain MD5) it looks like this. Keep in mind this is a simplified example.

aaaaaaaaaa – e09c80c42fda55f9d992e59ca6b3307d – Does not match
bbbbbbbbb – 57f365f09200a0ee7c1243d545447cb1 – Does not match
Password – dc647eb65e6711e155375218212b3964 – Does not match
Password123 – 42f749ade7f9e195bf475f37a44cafcb – Match! -Stop-
ccccccccccc – not compared since I only needed to find one password

Hashcat tests anywhere from thousands to billions of candidates per second, depending on the hash algorithm it is attacking and on how decent your hardware is: a fast, unsalted hash such as raw MD5 runs orders of magnitude faster than an iterated one such as phpass or bcrypt, because each candidate costs thousands of MD5 rounds instead of one. Note that, on average, AMD cards compute hashes faster than Nvidia cards.
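As an added illustration (example code written for this edit, not from the original post or from Hashcat), here is the hash-and-compare loop above in Python for two modes: mode 0 hashes each candidate once and looks it up against every target hash at once, while mode 400 (phpass, the format attacked in the next section) has to redo a salted, iterated MD5 for each distinct salt. The wordlist and the MD5 target are the post's own; the two phpass hashes are constructed here with the same routine under made-up salts, and the MD5 call counter is added purely to make the work-factor difference visible.

```python
"""Toy dictionary attack showing what hashcat does for mode 0 (raw MD5) and
mode 400 (phpass, as used by phpBB3/WordPress).  Example code added to this
post, not part of hashcat."""
import hashlib
from typing import Dict, Iterable, List

# Alphabet phpass uses for its cost character and its custom base64.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Counter so the work factor of each mode can be compared.
STATS = {"md5_calls": 0}


def _md5(data: bytes) -> bytes:
    STATS["md5_calls"] += 1
    return hashlib.md5(data).digest()


def _encode64(data: bytes) -> str:
    """phpass crypt-style base64: 3 bytes -> 4 chars, low bits first."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Compute a phpass hash for `password` under `setting`, the first 12
    characters of an existing hash: "$P$" (or "$H$" for phpBB3), one cost
    character, then an 8-character salt.  Same construction as phpass
    crypt_private(): md5(salt || pw), then 2**cost rounds of md5(prev || pw)."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass setting")
    cost = ITOA64.index(setting[3])
    if not 7 <= cost <= 30:
        raise ValueError("phpass cost out of range")
    pw = password.encode()
    digest = _md5(setting[4:12].encode() + pw)
    for _ in range(1 << cost):
        digest = _md5(digest + pw)
    return setting[:12] + _encode64(digest)


def md5_hex(password: str) -> str:
    """hashcat mode 0: unsalted MD5, hex encoded."""
    return _md5(password.encode()).hex()


def crack_all(targets: List[str], wordlist: Iterable[str], mode: int) -> Dict[str, str]:
    """Hash each wordlist entry and compare against every uncracked target,
    stopping once all are found.  Mode 0 hashes a word once for the whole
    target set; mode 400 must redo the iterated hash per distinct salt."""
    remaining = set(targets)
    found: Dict[str, str] = {}
    for word in wordlist:
        if not remaining:
            break
        if mode == 0:
            h = md5_hex(word)
            if h in remaining:
                found[h] = word
                remaining.discard(h)
        elif mode == 400:
            for target in sorted(remaining):
                if phpass_hash(word, target[:12]) == target:
                    found[target] = word
                    remaining.discard(target)
        else:
            raise ValueError(f"unsupported mode {mode}")
    return found


def md5_calls_for(targets: List[str], wordlist: List[str], mode: int) -> int:
    """Number of MD5 computations a full crack_all() run needed."""
    STATS["md5_calls"] = 0
    crack_all(targets, wordlist, mode)
    return STATS["md5_calls"]


# Constructed sample data (not from any real dump).
WORDLIST = ["aaaaaaaaaa", "bbbbbbbbb", "Password", "Password123", "ccccccccccc"]
MD5_TARGET = "42f749ade7f9e195bf475f37a44cafcb"   # md5("Password123"), as in the post
# Two phpBB-style users with the same password but different (made-up) salts,
# cost character "B" = 2**13 rounds.
PHPASS_TARGETS = [phpass_hash("Password123", "$P$Bsalt0001"),
                  phpass_hash("Password123", "$P$Bsalt0002")]

if __name__ == "__main__":
    print("mode 0  :", crack_all([MD5_TARGET], WORDLIST, 0))
    print("mode 400:", crack_all(PHPASS_TARGETS, WORDLIST, 400))
    print("MD5 ops, mode 0  :", md5_calls_for([MD5_TARGET], WORDLIST, 0))      # 4
    print("MD5 ops, mode 400:", md5_calls_for(PHPASS_TARGETS, WORDLIST, 400))  # 65544
```

Two things to notice: the two phpass users share a password yet get different hashes, so the cracker cannot reuse work between them, and the same four dictionary words cost 4 MD5 computations in mode 0 but 4 x 2 x 8193 in mode 400. That is the difference between the billions-per-second figures quoted for raw MD5 and the tens of thousands per second reported for phpass later in this post.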

So, wordlists. I break mine down into two lists. HumanPasswords.txt (980MB, all unique lines) is from a collection of other leaks and publicly posted passwords that have commonly been used in the past. The other list is WordList.txt, which contains a mix of Wikipedia titles, books, movies, the numbers 123456, locations and names. I split it up since, odds are, if a human has typed a password into a machine once, it has been used elsewhere. Using my HumanPasswords.txt (5.3GB) list I get about 84.73% of all lists in the first run without any modifiers. After that I will run WordList.txt, which brings me to roughly 87% without modifiers if I am lucky. This list takes significant time to run and gives fewer results.

Enough about lists. How do you use Hashcat once you have one?

First, open a new command prompt and navigate to the Hashcat folder. If you don't know what type of hash you are attacking, try HashID; it's great. Getting the mode right matters: the same 32 hex characters could be MD5, MD4 or NTLM, and a run with the wrong mode just burns GPU time.

For this example we will use the hashes pulled out in the previous post via SQL injection and attack a phpBB password hash (phpBB does not encrypt passwords; it hashes them with phpass). Go back to your mode list: this is mode 400 (phpass, MD5 WordPress, MD5 phpBB3, MD5 Joomla). These hashes start with $P$ (WordPress) or $H$ (phpBB3) and carry their own salt and iteration count, so there is nothing extra to supply.

Enter the following command:

cudaHashcat64.exe -m 400 -o recovered.txt hashes.txt HumanPasswords.txt

Let's break that down: we are calling the Nvidia build of Hashcat with hash mode 400; -o sends every cracked hash:password pair to recovered.txt; hashes.txt is the list of password hashes (one per line); and HumanPasswords.txt is the wordlist to compare against. The -o is required: without it Hashcat would treat recovered.txt as the hash file and the remaining arguments as wordlists.

One thing you will want to look at is how long it will take. Depending on your card, wordlist, number of hashes to crack and outdoor humidity, it can all vary. Press s during a run to print the status, which includes the current speed and the estimated time remaining.

On my Nvidia 660Ti I get about 73,000 hashes a second, and it took me 4 minutes to run through my entire password list. Running this with the regular hashcat on my CPU took over 30 minutes.

Sweet, I got a few passwords, but not the one I wanted, or I can't crack a fair number of them. This is where rules come in super useful. Believe it or not, some people actually put in an effort to make passwords hard to guess, well, at least 4% of the population anyway. Here you are left with a few options; this is the order I normally work in.

Run the HumanPasswords list again with a rule file. A rule is a small transformation applied to every wordlist entry before it is hashed: substituting characters, appending digits, toggling case and so on, so one wordlist entry becomes many candidates. For example, the leet-speak rule changes

password to p@ssw0rd

To do this, run the same command but specify a rule file with -r:

cudaHashcat64.exe -m 400 -o recovered.txt hashes.txt HumanPasswords.txt -r rules\best64.rule

best64.rule ships with Hashcat and holds a short list of the most productive mangling rules; every word is tried once per rule, so the run takes correspondingly longer than the plain wordlist did.

Once that has completed, if you still need more, try other rule files; if not, you can move on to masks and appended characters. I don't use masks often enough, so I will not be covering them in depth.

Now we can finally play with WordList.txt, but we don't want generic words on their own, so let's mix it up with a hybrid attack (wordlist plus mask):

cudaHashcat64.exe -m 400 -a 6 -o recovered.txt hashes.txt WordList.txt ?d?d

-a 6 selects Hashcat's hybrid wordlist + mask attack mode (the -a switch takes an attack-mode number, not the mask itself). ?d is Hashcat's digit charset, so the mask ?d?d asks it to append 00 to each word, then 01, then 02, all the way to 99, giving 100 candidates per word; -a 7 with the mask placed before the wordlist prepends instead. This will take some time depending on the workstation.
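The two candidate generators used above, rules and the hybrid mask, as an added Python example written for this edit (not Hashcat's code): apply_rule implements a small subset of Hashcat's rule syntax (the kind of functions best64.rule is built from), and expand_mask/hybrid reproduce the -a 6 wordlist + mask expansion with Hashcat's ?l ?u ?d ?s charsets, plus the -a 7 prepend variant. The wordlist, rules and target hashes are constructed for the demonstration; the targets are plain MD5 so the block runs in well under a second, but the same generators feed any mode.

```python
"""Candidate generation the way hashcat's rule engine (-r) and hybrid
wordlist + mask attack (-a 6 / -a 7) do it.  Example code added to this post;
it implements a small subset of hashcat's rule syntax, not hashcat itself."""
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator, List, Optional

# hashcat's built-in mask charsets; ?a is the union of the other four.
CHARSETS: Dict[str, str] = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def apply_rule(word: str, rule: str) -> str:
    """Apply one line of hashcat rule syntax (subset): ':' no-op, 'l' lower,
    'u' upper, 'c' capitalize, 't' toggle case, 'r' reverse, 'd' duplicate,
    '$X' append X, '^X' prepend X, 'sXY' replace every X with Y.
    Functions on one line apply left to right and may be space separated."""
    i = 0
    while i < len(rule):
        op = rule[i]
        i += 1
        try:
            if op in " :":
                continue
            elif op == "l":
                word = word.lower()
            elif op == "u":
                word = word.upper()
            elif op == "c":
                word = word[:1].upper() + word[1:].lower()
            elif op == "t":
                word = word.swapcase()
            elif op == "r":
                word = word[::-1]
            elif op == "d":
                word = word * 2
            elif op == "$":
                word += rule[i]
                i += 1
            elif op == "^":
                word = rule[i] + word
                i += 1
            elif op == "s":
                word = word.replace(rule[i], rule[i + 1])
                i += 2
            else:
                raise ValueError(f"unsupported rule function {op!r}")
        except IndexError:
            raise ValueError(f"truncated rule {rule!r}") from None
    return word


def with_rules(wordlist: Iterable[str], rules: Iterable[str]) -> Iterator[str]:
    """Every rule applied to every word, as -r does."""
    rules = list(rules)
    for word in wordlist:
        for rule in rules:
            yield apply_rule(word, rule)


def expand_mask(mask: str) -> Iterator[str]:
    """All strings matching a hashcat mask: '?l' '?u' '?d' '?s' '?a' are
    charsets, '??' is a literal '?', anything else is a literal character."""
    positions: List[str] = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            key = mask[i + 1]
            positions.append("?" if key == "?" else CHARSETS[key])
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    for combo in itertools.product(*positions):
        yield "".join(combo)


def hybrid(wordlist: Iterable[str], mask: str, prepend: bool = False) -> Iterator[str]:
    """-a 6: each word followed by every mask expansion (summer00 .. summer99);
    prepend=True gives -a 7, mask first (00summer .. 99summer)."""
    expansions = list(expand_mask(mask))
    for word in wordlist:
        for e in expansions:
            yield e + word if prepend else word + e


def md5_hex(password: str) -> str:
    """Mode 0 hash of a candidate, used here both to build and to check targets."""
    return hashlib.md5(password.encode()).hexdigest()


def crack(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Hash candidates in order until one matches the target."""
    for cand in candidates:
        if md5_hex(cand) == target:
            return cand
    return None


# Constructed sample inputs: a tiny wordlist and a few best64-style rules.
WORDLIST = ["password", "summer", "welcome"]
RULES = [":", "c", "u", "sa@so0", "c $1 $2 $3", "c $!", "r"]

if __name__ == "__main__":
    # Targets built here from known plaintexts, standing in for hashes.txt.
    print(crack(md5_hex("p@ssw0rd"), with_rules(WORDLIST, RULES)))          # p@ssw0rd
    print(crack(md5_hex("Summer17"), hybrid(["summer", "Summer"], "?d?d")))  # Summer17
```

The cost of each approach is visible in the generator sizes: a rule file multiplies the wordlist by the number of rules, while a mask multiplies it by the product of the charset sizes (?d?d is 100, ?d?d?d?d is 10,000, ?a?a is 95 x 95), which is why the hybrid run on a large wordlist "takes some time".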

This has been a very basic rundown of Hashcat. Happy cracking!
