Crack The Hash
Crack the hash
hashcat command
hashcat -m <hash type number> -o <output file> <hash file> <wordlist file>
Task1 Level 1
1. 48bb6e862e54f2a795ffc4e541caed4d
easy
Hash type identified as MD5; hashcat mode 0
2. CBFDAC6008F9CAB4083784CBD1874F76618D2A97
password123
Hash identified as SHA-1; hashcat mode 100
3. 1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032
letmein
Hash identified as SHA256; hashcat mode 1400
4. $2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom
bleh
Hash identified as bcrypt $2*$; hashcat mode 3200
5. 279412f945939ba78ce0758d3fd83daa
Eternity22
Hash identified as MD5
Task2
1. Hash: F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85
paule
Hash identified as SHA256
2. Hash: 1DFECA0C002AE40B8619ECF94819CC1B
n63umy8lkf4i
Hash identified as NTLM; hashcat mode 1000
3. Hash: $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.
Salt: aReallyHardSalt
waka99
Hash identified as sha512crypt $6$; hashcat mode 1800
4. Hash: e5d8870e5bdd26602cab8dbe07a942c8669e56d6
Salt: tryhackme
481616481616
The hint gives the hash type as HMAC-SHA1; hashcat mode 110
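The bcrypt and sha512crypt hashes above carry their scheme id, work factor and salt inside the string itself, which is why the salt listed for the sha512crypt entry also appears in its hash. The parser below is an added example, not part of the original write-up; it handles only the two schemes seen on this page, and the function and field names are illustrative.

```python
# Added example: split modular-crypt strings into scheme, work factor,
# salt and digest. Names are illustrative, not from any tool.
SCHEMES = {"2y": ("bcrypt", 3200), "6": ("sha512crypt", 1800)}  # hashcat modes as listed on this page

def parse_mcf(s):
    """Return the fields of a $id$... hash string, or raise ValueError."""
    parts = s.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] not in SCHEMES:
        raise ValueError("not a supported modular crypt string")
    name, mode = SCHEMES[parts[1]]
    out = {"scheme": name, "hashcat_mode": mode}
    if name == "bcrypt":
        # Layout: $2y$<cost>$<22-char salt><31-char digest>
        if len(parts) != 4 or len(parts[3]) != 53 or not parts[2].isdigit():
            raise ValueError("malformed bcrypt string")
        cost = int(parts[2])
        out.update(cost=cost, iterations=2 ** cost,
                   salt=parts[3][:22], digest=parts[3][22:])
        return out
    # Layout: $6$[rounds=N$]<salt>$<digest>; 5000 rounds when the field is absent
    fields, rounds = parts[2:], 5000
    if fields[0].startswith("rounds="):
        rounds, fields = int(fields[0][len("rounds="):]), fields[1:]
    if len(fields) != 2:
        raise ValueError("malformed sha512crypt string")
    out.update(rounds=rounds, salt=fields[0], digest=fields[1])
    return out

# The two salted hashes from Level 1 of this page.
BCRYPT = "$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom"
SHA512CRYPT = ("$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be."
               "cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.")

if __name__ == "__main__":
    for h in (BCRYPT, SHA512CRYPT):
        print(parse_mcf(h))
```

The bcrypt cost of 12 means 2^12 key-expansion iterations per guess, which is why that hash is far slower to test than the unsalted MD5 and SHA-1 entries.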
Crack The Hash Level 2
Task1 Info Introduction
No answer needed
Task2 Walkthrough Hash identification
1.Haiti is a CLI tool to identify the hash type of a given hash. Install it
2.Launch Haiti on this hash:
741ebf5166b9ece4cca88a3868c44871e8370707cf19af3ceaa4a6fba006f224ae03f39153492853
What kind of hash is it?
RIPEMD-320
3.Launch Haiti on this hash:
1aec7a56aa08b25b596057e1ccbcb6d768b770eaa0f355ccbd56aee5040e02ee
4.What is Keccak-256 Hashcat code?
17800
5.What is Keccak-256 John the Ripper code?
raw-keccak-256
Task3 Walkthrough Wordlists
1.RockYou is a famous wordlist that contains a large set of commonly used passwords sorted by frequency.
To search for this wordlist with wordlistctl run:
wordlistctl search rockyou
2.Which option do you need to add to the previous command to search into local archives instead of remote ones?
-l
3.Download and install rockyou wordlist by running this command: wordlistctl fetch -l rockyou
4.Now search again for rockyou on your local archive with wordlistctl search -l rockyou
You should see that the wordlist is deployed at /usr/share/wordlists/passwords/rockyou.txt.tar.gz
But the wordlist is compressed in a tar.gz archive; to decompress it run wordlistctl fetch -l rockyou -d.
If you run wordlistctl search -l rockyou one more time, what is the path where the wordlist is stored?
/usr/share/wordlists/passwords/rockyou.txt
5.You can search for a wordlist about a specific subject (eg. facebook) with wordlistctl search facebook, or list all wordlists from a category (eg. fuzzing) with wordlistctl list -g fuzzing.
What is the name of the first wordlist in the usernames category?
CommonAdminBase64
Task4 Walkthrough Cracking tools, modes & rules
1.Depending on your distribution, the John configuration may be located at /etc/john/john.conf and/or /usr/share/john/john.conf. To locate the JtR install directory run locate john.conf, then create john-local.conf in the same directory (in my case /usr/share/john/john-local.conf) and create our rules in there.
2.Let’s use the top 10 000 most used password list from SecLists (/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt) and generate a simple border mutation by appending all 2-digit combinations at the end of each password.
Let’s edit /usr/share/john/john-local.conf and add a new rule:
[List.Rules:THM01]
$[0-9]$[0-9]
3.Now let’s crack the SHA1 hash 2d5c517a4f7a14dcb38329d228a7d18a3b78ce83: we just have to write the hash in a text file and specify the hash type, the wordlist and our rule name.
john hash.txt --format=raw-sha1 --wordlist=/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt --rules=THM01
What was the password?
moonligh56
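What the THM01 rule does to each word, written out as an added Python example (not John the Ripper's code and not from the original page). It supports only bracket classes and the append ($) and prepend (^) commands; the function names and the three-word list in the demo are constructed for illustration. It makes the point that a two-digit suffix multiplies the candidate count by only 100.

```python
# Added example: expand a John-style rule such as $[0-9]$[0-9] and apply it.
import hashlib
import itertools
import re

def expand_rule(rule):
    """Expand [..] character classes into the list of concrete rules."""
    choices = []
    for tok in re.split(r"(\[[^\]]+\])", rule):
        if tok.startswith("[") and tok.endswith("]"):
            body, chars, i = tok[1:-1], [], 0
            while i < len(body):
                if i + 2 < len(body) and body[i + 1] == "-":   # range such as 0-9
                    chars += [chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1)]
                    i += 3
                else:                                          # single literal character
                    chars.append(body[i])
                    i += 1
            choices.append(chars)
        elif tok:
            choices.append([tok])
    return ["".join(p) for p in itertools.product(*choices)]

def apply_rule(rule, word):
    """Apply a concrete rule made of $c (append c) and ^c (prepend c) commands."""
    i = 0
    while i < len(rule):
        if rule[i] in "$^" and i + 1 < len(rule):
            word = word + rule[i + 1] if rule[i] == "$" else rule[i + 1] + word
            i += 2
        else:
            raise ValueError(f"unsupported rule command at offset {i}: {rule!r}")
    return word

def crack_sha1(target_hex, words, rule):
    """Return the first mutated word whose SHA-1 equals target_hex, else None."""
    concrete = expand_rule(rule)
    for word in words:
        for r in concrete:
            cand = apply_rule(r, word)
            if hashlib.sha1(cand.encode()).hexdigest() == target_hex.lower():
                return cand
    return None

if __name__ == "__main__":
    words = ["password", "moonligh", "dragon"]          # constructed mini wordlist
    target = "2d5c517a4f7a14dcb38329d228a7d18a3b78ce83"  # SHA1 hash from this task
    print(len(expand_rule("$[0-9]$[0-9]")), "rules per word")
    print(crack_sha1(target, words, "$[0-9]$[0-9]"))
```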
Task5 Walkthrough Custom wordlist generation
1.Let’s say we know the password we want to crack is about dogs. We can download a list of dog breeds with wordlistctl fetch -l dogs -d (/usr/share/wordlists/misc/dogs.txt). Then we can use Mentalist to generate some mutations.
2.We can load our dog wordlist in Mentalist and add some Case, Substitution, Append/Prepend rules. Here we will toggle the case of one char out of two and replace all s with a dollar sign.
Then we can process and save the newly generated wordlist.
It’s also possible to export John/Hashcat rules.
3.Crack the following md5 hash with the wordlist generated in the previous steps.
ed91365105bba79fdab20c376d83d752
mOlo$$u$
4.Now let’s use CeWL to generate a wordlist from a website. It can be useful for retrieving a lot of words related to the password’s topic.
5.For example to download all words from example.org with a depth of 2, run:
cewl -d 2 -w $(pwd)/example.txt https://example.org
The depth is the number of link levels the spider will follow.
What is the last word of the list?
information
6.With TTPassGen we can craft wordlists from scratch. Create a first wordlist containing all 4-digit PIN code values.
ttpassgen --rule '[?d]{4:4:*}' pin.txt
7.Generate a list of all lowercase chars combinations of length 1 to 3.
ttpassgen --rule '[?l]{1:3:*}' abc.txt
8.Then we can create a new wordlist that is a combination of several wordlists. Eg. combine the PIN wordlist and the letter wordlist separated by a dash.
ttpassgen --dictlist 'pin.txt,abc.txt' --rule '$0[-]{1}$1' combination.txt
Be warned: combining wordlists quickly generates huge files; here combination.txt is 1.64 GB.
$ wc pin.txt
10000 10000 50000 pin.txt
$ wc abc.txt
18278 18278 72384 abc.txt
$ wc combination.txt
182780000 182780000 1637740000 combination.txt
9.Crack this md5 hash with combination.txt.
e5b47b7e8df2597077e703c76ee86aee
1551-li
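The size of a combined wordlist can be computed before anything is written to disk. The following added Python example (not part of TTPassGen or the original page) reproduces the wc figures above from the mask definitions alone and yields the same candidates lazily; it assumes single-byte characters and newline-terminated lines, and the function names are illustrative.

```python
# Added example: predict wordlist size (lines, bytes) before generating it,
# and stream the combined candidates instead of storing them.
import itertools
import string

def mask_stats(charset, lo, hi):
    """(lines, bytes) for every string over charset with length lo..hi, one per line."""
    n = len(charset)
    lines = sum(n ** k for k in range(lo, hi + 1))
    size = sum(n ** k * (k + 1) for k in range(lo, hi + 1))  # +1 for the newline
    return lines, size

def combo_stats(a, b, sep="-"):
    """(lines, bytes) of the cross product of two lists joined by sep."""
    lines_a, bytes_a = a
    lines_b, bytes_b = b
    chars_a, chars_b = bytes_a - lines_a, bytes_b - lines_b  # strip the newlines
    lines = lines_a * lines_b
    # Every left word appears lines_b times, every right word lines_a times,
    # and each output line adds the separator plus one newline.
    size = chars_a * lines_b + chars_b * lines_a + lines * (len(sep) + 1)
    return lines, size

def combos(cs_a, len_a, cs_b, lo, hi, sep="-"):
    """Lazily yield <fixed-length left><sep><right of length lo..hi>."""
    for left in itertools.product(cs_a, repeat=len_a):
        for k in range(lo, hi + 1):
            for right in itertools.product(cs_b, repeat=k):
                yield "".join(left) + sep + "".join(right)

if __name__ == "__main__":
    pin = mask_stats(string.digits, 4, 4)            # [?d]{4:4:*}
    abc = mask_stats(string.ascii_lowercase, 1, 3)   # [?l]{1:3:*}
    print("pin.txt        ", pin)
    print("abc.txt        ", abc)
    print("combination.txt", combo_stats(pin, abc))
    print(list(itertools.islice(combos(string.digits, 4,
                                       string.ascii_lowercase, 1, 3), 3)))
```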
Task6 Challenge It’s time to crack hashes
1.Advice n°1 b16f211a8ad7f97778e5006c7cecdf31
Zachariah1234*
john hash.txt --wordlist=english-proper-names.50.txt -format=Raw-MD5 -rules=ALL
http://www.mediafire.com/file/uib35ra8poqpirk/english-proper-names.50.txt.gz
2.Advice n°2 7463fcb720de92803d179e7f83070f97
Angelita35!
john hash.txt -wordlist=femalenames-usa-top1000.txt -rules=ALL -format=Raw-MD5
https://github.com/danielmiessler/SecLists/raw/master/Usernames/Names/femalenames-usa-top1000.txt
3.Advice n°3 f4476669333651be5b37ec6d81ef526f
Tl@xc@l@ncing0
hashcat -m 0 hash.txt cities.txt -r /usr/share/hashcat/rules/Incisive-leetspeak.rule
https://github.com/danielmiessler/SecLists/raw/master/Miscellaneous/security-question-answers/cities.txt
4.Advice n°4 a3a321e1c246c773177363200a6c0466a5030afc
DavIDgUEtTApAn
echo 'davidguettapan' > name.txt
john hash.txt --format=Raw-SHA1 --wordlist=name.txt --rules=NT
5.Advice n°5 d5e085772469d544a447bc8250890949
uoy ot miws ot em rof peed oot ro ediw oot si revir oN
6.Advice n°6 377081d69d23759c5946a95d1b757adc
+17215440375
+1721 is a fixed prefix: generate a wordlist of all 7-digit numbers and prepend the fixed prefix to each entry.
7.Advice n°7 ba6e8f9cd4140ac8b8d2bf96c9acd2fb58c0827d556b78e331d1113fcbfe425ca9299fe917f6015978f7e1644382d1ea45fd581aed6298acde2fa01e7d83cdbd
!@#redrose!@#
hashcat -m 17600 hash.txt rockyou.txt
8.Advice n°8 9f7376709d3fe09b389a27876834a13c6f275ed9a806d4c8df78f0ce1aad8fb343316133e810096e0999eaf1d2bca37c336e1b7726b213e001333d636e896617
hackinghackinghackinghacking
Generate a wordlist from the web page with CeWL (digininja/CeWL on github.com):
cewl http://<CTH2RoomMachineIP>/rtfm.re/en/sponsors/index.html -w wordlist.txt
Generate the duplication rule:
mp64 -o 3duplicate.rule 'dd'
Write the hash to hash.txt, then crack it:
echo '$BLAKE2$9f7376709d3fe09b389a27876834a13c6f275ed9a806d4c8df78f0ce1aad8fb343316133e810096e0999eaf1d2bca37c336e1b7726b213e001333d636e896617' > hash.txt
hashcat -m 600 hash.txt wordlist.txt -r 3duplicate.rule
9.Advice n°9 $6$kI6VJ0a31.SNRsLR$Wk30X8w8iEC2FpasTo0Z5U7wke0TpfbDtSwayrNebqKjYWC4gjKoNEJxO/DkP.YFTLVFirQ5PEh4glQIHuKfA/
kakashi1
hashcat -m 1800 hash.txt rockyou.txt
Task7 Info About the author
Thank you