Cracking Hashes

It is common to acquire client’s authentication and password hash values during a penetration test which can then be used for further exploitation on the network.

In some cases it is possible for the tester to relay the username and hash value to authenticate as the owner of the credentials, where hash relaying is not possible we are often able to crack the hashing value to gain a clear-text password

Password authentication has been around for quite some time with records dating back two thousand years to when the Imperial Roman Army used codewords during a battle to communicate with each other without the opposition understanding the meaning of what was being said. Fast forward to 1961 when Professor Corbato of MIT implemented a system where passwords would become the common authentication method used on file shares. Initially, these passwords were stored in the clear text until the introduction of storing a password in a hashed form in 1974 by Robert Morris. With the introduction of newer and more secure hashing algorithms our passwords are a little more secure than what they were in the 1970’s however as we will discuss shortly, they are not as secure as one would like.

What Is A Hash?

A cryptographic hash function takes some form of input, in this case our clear text password, and returns a fixed-size string called the hash value or for the purpose of this article, a hash. The hash length and strength will vary depending on what algorithm is used however one common characteristic of hashing it is a one-way function. Hashes are impossible to reverse however there are known collisions within MD4, MD5, and SHA-1.

Rainbow tables, which comprise of a list of words and their known hashes can be used to then compare against captured hashes, once a hash from within the rainbow table is matched to the captured hash then a clear text word can be established. Due to the amount of disk space which a substantive rainbow table consumes, they are not usually used as there are alternative tools available which prevent the user from having to store vast amounts of words and hashes.

Capturing Hashes

As 79% of the population employs a Windows environment, I will use examples of how to acquire and crack hashes from within this setting. We will look at some of the different hashes found on Windows operating systems used both past and present.

I use the word ‘crack’ to denote the action of matching a hash with a clear text word, which in our case is the password.

Over the years Windows has changed its password storing hash type in an attempt to increase security. In the 1980s Windows introduced LM-hashes, despite now being four decades old and very insecure, it is possible to find LM hashes in use on modern-day systems if not configured securely. LM hashes are the weakest of the set due to not being case sensitive and a maximum password length of 14 characters. The 14 characters are broken down to form two 7-character chunks, if the password is fewer than 14 characters then the remainder is padded, if the password is longer then the extra characters are dropped. Now we are left with two 7-character hashes to crack oppose to a 14-character hash.

As well as the initial password being converted to uppercase characters, LM hashes do not utilise salting, both of which result in a weak hash.

NTHashes are stored in the SAM (Security Account Manager) database on a Windows system, or the NT Directory Services (NTDS) database on the Domain Controller. Windows introduced SYSKEY which partially encrypts the SAM file to prevent direct access from %SystemRoot%/system32/config/SAM. This doesn’t mean the hashes are secure as once a shell has been established on the target system the hashes can be obtained  by dumping the SAM database using tools such as Mimikatz or post-exploitation modules within Metasploit. These hashes can then be used as part of a pass the hash (PTH) attack or they can be cracked to gain the clear text password.

More commonly found in today’s environments are NTLMv1 and NTLMv2 which are used for network authentication. NTLMv1 uses DES which is considered cryptographically weak. Unlike NTHashes,  NTLMv1 and v2 cannot be used in a PTH attack however they can be relayed to a machine providing the owner of those credentials has privileged access to the machine. If a user’s hash is captured, it can then be relayed to any machine which that user has login rights for, resulting in a command shell on that system. These hashes can also be cracked to then allow access via various other methods such as Remote Desktop Protocol or PsExec.

We won’t be looking at Kerberos tickets as they are captured and abused using different method, nor will we be looking at IIS authentication.

Let Us Get Cracking

Hashcat, John The Ripper and Rcracki-mt are very good cracking tools, for the purpose of this article I will focus on the use of Hashcat. I am aware of various online cracking platforms which may be useful for cracking hashes found when training on labs but obviously these can’t be used for client engagements.

Personally I prefer tools which work within terminal however I understand there are aftermarket GUI versions available.

Hashcat

As well as the hashes you wish to crack, Hashcat requires an input which it then hashes and attempts to match to the hash you are trying to crack. The characters which are supplied to Hashcat can range from a wordlist of possible passwords to an ASCII list and anything in between. There are also a number of functions within Hashcat which means that the user doesn’t have to be in possession of a wordlists, it is possible to launch a brute force attack which will try every possible combination of given characters. Regardless of what input is used, once a match has been found then Hashcat will print the matching hash and password before carrying on with its task until either all hashes are cracked, or it runs out of input.

Wordlists

As passwords are commonly decided by the user we only have to understand humans and not a technology in order to break the majority of hashes. Nearly every password chosen by a human will comprise of a known word or collection of words with perhaps characters mixed in between. There are approximately 170, 000 words in the English Oxford dictionary which equates to a couple of seconds work to crack any Windows hash when using Hashcat, of course, words can be concatenated and changed to add a minor degree of complexity. Let’s take the word ‘password’, we can create a script which will take the word and add other words and characters to it and then form our new wordlist. ‘password’ could become ‘mypassword’ which can then becomes ‘myallpassword’, this will continue for every word in the dictionary. As we will see, Hashcat has built in functions to help us produce some very effective wordlists, Hashcat combinator is able to use your wordlists and concatenate them to produce a long list.

Most password policies require us to use capital letters, numbers, and special characters when producing a new password. Taking this into consideration we can use scripts or Hashcat to then take our new wordlist and apply various combinations, ‘mypassword’ could then become MyP@55w0rd!”£$. These combinations would then be added to a wordlist and then run against the hash, of course, we are not restricted to the dictionary either, it would be prudent to scrape the client's website for all words as well as make some deductions based on your observations. E.g: you are on an internal engagement in Manchester and you hear a French accent. It is probably best to bring the French dictionary into play as well as any words which relate to the local sports teams, needless to say, that the client’s company name is top of the list.

In addition to the rockyou.txt wordlist available on Kali Linux, a good web search will reveal an endless number of word lists that have been dumped from previous hacks. There is a high chance that two people have decided to use the same password, it happens within the same organisation so I expect it is more common in a larger population.

Ensure your final wordlist is checked for repetitions as this will cause unnecessary work for Hashcat when time is of the essence. Rockyou.txt contains a little over 14,000,000 words which is easy work for any Windows hashes, I recommend spending a good amount of time planning how to produce a wordlist so you are effective when time is against you. Consider the storage for this wordlist too, a wordlist of twelve billion will use 135GB, a small price for a 90% successful cracking rate. Hashcat devs recommend that your wordlist should have at least 10 million words and you should supply at least 1000 rules so you can make full use of a GPU.

Here is command for cracking NTLMv2 hashes using a wordlist:

  • hashcat -m 5600 hashes/client_hashes.txt wordlists/rockyou.txt

Rules

A powerful function within Hashcat is that we can add rules to change how it uses our input. Leetspeak or 1337 speak as the 1337 kids say, is my preferred rule as it addresses the issue of taking a word such as ‘password’ and changing it into p@55w0rd.

Rules enable a tester to apply their understanding of passwords and human behaviour to successfully crack what may be considered the most complex of passwords.

Here is a command for cracking passwords where the user has changed some letters for numbers and/or other characters.

hashcat -m 5600 hashes/client_hashes.txt wordlists/bigdaddy.txt -r hashes/rules/leetspeak.rule --debug-mode=1 --debug-file=matched.rule

Another successful rule is to append numbers to a wordlist in an incremental fashion eg:

password0000

password0001

password0002

  • hashcat -m 5600 hashes/client_hashes.txt wordlists/bigdaddy.txt -r hashes/rules/d3ad0ne.rule --debug-mode=1 --debug-file=matched.rule

Let us look at the command:

  • sudo hashcat                                     The tool we are using, sudo because I am not root.
  • -m 5600                                            -m tells Hashcat what type of hash we are cracking, 5600 denotes NTLMv2
  • hashes/client_hashes.txt               is the locations and file name of captured hashes
  • wordlist/bigdaddy.txt                     is the location and file name of my wordlist
  • -r                                                         denotes that a rule is being used
  • hashes/rules/d3ad0ne.rule           is the location and name of the rule
  • --debug-mode=1                              saves the rule used to find successful passwords.
  • --debug-file=matched.rule            saves the above file as matched.rule

Bruteforce

Where a password and is not based on a word then a bruteforce attack is the only way of cracking the hash, the duration of the attack is dependent on the length of password, hashing algorithm, and the hardware in use. Depending on what hardware you have available to you will depend on whether a brute force attack is going to quicker than using a wordlist or not. Brute force will always be successful given enough time; however, time is a commodity, especially on an engagement.

As some hashes are acquired from a command shell it is possible that you will have knowledge of the password policy which you can then use to enhance the effectiveness of the attack. Should the policy specify a minimum length of 6 characters then there is no gain to be had by brute forcing against 1 to 5-character length passwords.

  • hashcat -a 3 -m 5600 hashes/client_hashes.txt -i --increment-min=6

This command will begin brute forcing at 6 characters and will try every character at every position until either it runs out of options or it succeeds and cracking the hash.

Hardware

Minimum requirements are not extravagant for Hashcat, of course, the more powerful rig you have the faster your hashes will be cracked but don’t go out buying a four Titan RTX graphic cards. I would recommend becoming very familiar with how it works before venturing into faster territory and avoid AWS until you are comfortable with all of Hashcat’s configurations, forget to power down your p3.16 x large and you will have a nice £14,500  bill at the end of the month.

Here are some benchmarks for a few different options when cracking hashmode: 5600 - NetNTLMv2:

Dell XPS 15 - NVIDIA GeForce GTX 1650:

888.9 kH/s

Nvidia GTX 980 ti:

1258.3 MH/s

Titan RTX:

4335.0 MH/s

AWS EC2 instance p3.16xlarge:

28912.2 MH/s

To check the capacity of your system, run the following command:

  • hashcat --benchmark

Get Cracking

Have a look through the Hashcat help page as everything you need to know is in there, download from https://hashcat.net/hashcat/.

You have a few options to practice this, either go and get a shell on a lab and dump the hashes using Mimikatz or Metasploit pwdump or you can also intercept NTLMv1 and NLTMv2 using Responder if you have a home lab or are on a test. If you want to practice cracking other algorithm hashes then you can produce your own list, just change the algorithm to suit. Here are some commands so you can create a sample hash file.

  • echo -n password | md5sum | awk '{print $1}’

This will echo the word ‘password’, hash the word in md5 then print the hash only.To hash the individual lines within a text file then use:

  • while read -r line; do printf %s "$line" | md5sum | cut -f1 -d' '; done < password.txt
  • hashcat -m 0 password_hashed.txt /usr/share/wordlists/bigdaddy.txt –force
  • cat /root/.hashcat/hashcat.potfile

You can tell Hashcat to save your results to file or alternatively the cracked hashes and corresponding clear text password can be found in the pot file.

Summary

In the danger of turning this into a dissertation, there is a lot of information which will not form part of this article, there is however enough here for you to produce some hashes and begin cracking which is where the real learning will happen.

If you need any direction with anything then feel free to holla via LinkedIn and I will be happy to assist, 135GB is a bit much to email so your out of luck if you want my wordlist.

The process of cracking password hashes can be much more effective when you consider the human cognition element of producing passwords. When trying to crack hashes take time to reflect on how you produce you passwords, is it a word followed by some numbers? Possibly with some capital letters in there? Or perhaps you have taken the NCSC advice of concatenating 3 random words. Whatever your password producing theory is, it is likely that others use a similar method.

This article is aimed at those in the penetration testing industry as well as those responsible for system security, whether you are a tester or a system admin, the aim is to provide better security. Weak password are not just the usual suspects such as ‘qwerty’ and ‘password123’, effective use of Hashcat now means that using 3 random words, regardless of length, is also a weak password.

Latest insights and articles

In its latest Patch Tuesday release, Microsoft has rolled out a crucial fix for a high-risk vulnerability...

Our next Success Story spotlights Juliette Hudson, our talented CTO, her professional journey and passion for...

The notorious Lazarus Group, a North Korean state-sponsored Advanced Persistent Threat (APT), has once again...

The Future of Cyber Security.