PostHole
Compose
Login
hash-cracker – password cracking done effectively
Intro
I wrote a tool to help with cracking of hashes, today I finally decided to blog about it. The idea was to take what I’d learned about common patterns in passwords, and put my experience into practice to make password cracking more efficient on future engagements. Below is a short history of how we got to where we are, as well as some examples of how to use it.
Intro
I wrote a tool to help with cracking of hashes, today I finally decided to blog about it. The idea was to take what I’d learned about common patterns in passwords, and put my experience into practice to make password cracking more efficient on future engagements. Below is a short history of how we got to where we are, as well as some examples of how to use it.
The Indirect Start of Hash-cracker
For the start of hash-cracker we first need to go back to the hassle of my notes_all.txt – this was, explicitly, my text file with a list of commands I used most. These notes for hash-cracking are in the image below:
The contents of notes_all.txt were all migrated to what is now known as the Knowledge Base – aka kb.offsec.nl / https://github.com/crypt0rr/kb. This Hugo based website is built with a CI/CD pipeline via GitHub to CloudFlarePages where it is hosted as well. Feel free to contribute!
During this note migration, I wondered how could I use the hashcat commands more effectively during engagements.
The opportunity I saw was to improve and eventually create a more efficient way of cracking hashes on regular hardware. Think laptop GPUs and low-level computer GPUs. This does not exclude GPU clusters etc. but is not the main goal.
Basically, I have assumed that the commands as shown in the image above should at least be part of the script, not yet thinking further about other techniques and possibilities. With current knowledge, I would approach this differently in the future, first better figuring out exactly what the requirements are before building.
The Actual Start of Hash-cracker
From, assessments I’ve learnt a lot about common patterns people tend to use when setting a new password. For example;
- Summer2023!
- John1970?
- l3kk3rp@ssw0rd
Most commonly used is a word followed by x amount of numbers and a special character. But also, a technique called leet speak – replacing chars a/@ o/0 i/1 e/3 etc.
Based on this information, I started experimenting with hybrid/combinator attacks. In this form of hash cracking attacks you have one list with words as input and a brute force pattern. This brute force pattern can be placed in front or at the end of the words from the list. With this knowledge I wrote some simple commands into a bash script.
-m1000– hash mode NTLM – list of supported modes
nt_hashes– a file containing the hashes that I want to crack (e.g.4ea072db1483a7df8643772b6b25cb43)
-a6– attack mode used, in this case hybrid
?d?d?d?d?s– the brute force pattern where?d= 0123456789?s=«space»!"#$%&'()*+,-./:;<=>?@[\]^_{|}~`
hashcat -m1000 nt_hashes -a6 wordlist '?d?d?d?d?s'
hashcat -m1000 nt_hashes -a6 wordlist '?d?d?d?d?d?s'
hashcat -m1000 nt_hashes -a6 wordlist '?d?d?d?d?d?d?s'
The example above was my first try, this will work for cracking something like Summer2023!, if Summer is in the wordlist. After using this method for a while, I started looking into more attack modes and options within hashcat. Some examples are:
v1.0
The idea behind hash-cracker was, and still is, to be able to crack efficiently by putting gathered knowledge on password (re)use into a ‘simple’ script. This was all optimised to run quick, but effective jobs on a laptop with a dedicated GPU (NVIDIA M1200 Mobile at the time). To get an idea about the performance of this GPU, I ran the benchmark within hashcat – it is available over here.
After playing around with hashcat on my CLI and being inefficient about it, I put my gathered knowledge into a simple bash script. The first release was one large file with 222 lines of code (without dependencies / add-ins). When started, it looked like this:
$ ./processor.sh
Hash-cracker v1.0 by crypt0rr
Checking if requirements are met:
[+] Hashcat is installed
[+] common-substr is executable
0. Exit
1. Default light rules
2. Default heavy rules
3. Brute force
4. Iterate results
5. Plain
6. Hybrid
7. Toggle-case
9. Prefix suffix (advise: first run steps above)
10. Common substring (advise: first run steps above)
99. Show info about modules
100. Show results in usable format
Please enter number:
With a few options already, I felt quite proud being able to do my first (public) release. Also with this release, I included a bunch of example hashes in three different hashing formats, namely:
- MD5
- SHA1
- NT(LM)
With functions like checking requirements to run the script, light rules to have a go with, and also iterate the things I’ve cracked already. To have a look at the code you can checkout the following commit:
git clone https://github.com/sensepost/hash-cracker
git checkout 92986f16507c232178804525e754c89d778a1030
./processor.sh
With this script, efficiency and more effective cracking on a mobile GPU was more noticeable.
v2.0
The first version had some improvements in the time between releasing v2.0. The major change for v2.0 was moving everything from the main script and into separate files that would be sourced when called. This has two benefits, first the ability to extend and adapt extra features more easily, secondly someone else could actually find what the ‘processors’ were doing.
With v1.7 the Python2 based Password Analysis and Cracking Kit (PACK) was added as functionality. This was expanded on during the development of v2.x – eventually resulting in two effective options, namely:
- PACK rulegen
- PACK mask
As the name implies, rulegen is able to create a new ‘rule’ based on the already cracked passwords. So, it takes the cracked passwords from the current potfile (database with hash:plaintext), and performs an analysis for patterns. A rule is created upon the results and this can be used to perform a rule based attack (wordlist + rule).
The mask function does basically the same, but the output is slightly different. This function will output a set of brute-force patterns based on the already cracked passwords. These brute-force patterns are run as-is.
In October 2021, Apple introduced the Apple Silicon M1 Pro / Max processors for their Pro line of MacBooks. After the first models were delivered, hashcat benchmarks started popping up. During this period, I also ordered a M1 Pro equipped MacBook. Since some binaries in hash-cracker are pre-compiled for x64-based systems it would not work directly.
When I got delivery I started compiling the needed binaries to release a Apple Silicon version of hash-cracker. So, (almost) everything from v2.6 was used as starting point for the first release, namely v2.7 – Apple Silicon Edition.
After this new highlight in the hash-cracker journey, I started implementing more options, more logic and playing with variables for almost everything (instead of hardcoding).
v3.x
Version 3.0 arrived with some small but welcome additions like multi-wordlist support, re-arranged menu and getting rid of hardware monitoring.
[...]