Showing posts with label hashcat. Show all posts
Showing posts with label hashcat. Show all posts

26 March 2013

371. Hashcat on debian was just published, which made me want to have a look at hashcat.

Note that Hashcat is closed source. An open source alternative is John the Ripper .

Note also that there's a GPU-enabled version of hashcat, ocl-hashcat.

Whether you'll ever have a legitimate need for this stuff depends, but apart from the fun of it -- and the feelings of Power that cracking gives you -- being able to crack the odd password does serve as an eye opener to how easy this can be under the right circumstances. And who knows? You might find a justified use for it, especially if you're in academia where old computers and poor discipline abounds, and you are faced with computers that belong to you but were set up without any proper records.

sudo apt-get install p7zip-full
sudo mkdir /opt/hashcat -p
sudo chown $USER /opt/hashcat
cd /opt/hashcat
7z x hashcat-0.44.7z
7z x hashcat-gui-
bunzip2 rockyoutxt.bz2
echo 'export PATH=$PATH:/opt/hashcat/hashcat-0.44:/opt/hashcat/hashcat-gui-0.5.1' >> ~/.bashrc
source ~/.bashrc

Test run
Let's generate a file of simple passwords to crack:
echo -n "city" | md5sum > test.list
echo -n "n00b" | md5sum >> test.list
echo -n "123654"| md5sum >> test.list
echo -n "Chicago"| md5sum >> test.list
cat test.list
4ed5d2eaed1a1fadcc41ad1d58ed603e 16e029226d8960b2d7cba16cab5f7044 733d7be2196ff70efaf6913fc8bdcabf 9cfa1e69f507d007a516eb3e9f5074e2
Edit the test.list file to remove all the ' - '. Note that you need to run hashcat-gui in your /opt/hashcat/hashcat-0.44/ folder. Start hashcat-gui:

cd /opt/hashcat/hashcat-0.44/

Once it has finished, you can look at the output
cat test.list.out 
733d7be2196ff70efaf6913fc8bdcabf:123654 9cfa1e69f507d007a516eb3e9f5074e2:Chicago 4ed5d2eaed1a1fadcc41ad1d58ed603e:city
Use the rule set best64 and it cracks all passwords and does it fast:

733d7be2196ff70efaf6913fc8bdcabf:123654 9cfa1e69f507d007a516eb3e9f5074e2:Chicago 4ed5d2eaed1a1fadcc41ad1d58ed603e:city 16e029226d8960b2d7cba16cab5f7044:n00b
My account password wasn't cracked by this though, but all that we can be certain that it means is that it would take someone more than 30 seconds to do so. Maybe 35 seconds, maybe 2 years -- we can't tell.

If you want to compare with John the Ripper you could do e.g.
mpirun -n 6 run/./john test.list --wordlist=rockyoutxt --format=raw-md5

to do list-based cracking and
mpirun -n 6 run/./john test.list--format=raw-md5

for brute-force.

John the Ripper works well for windows passwords as well (might write about that in another post)

Linux passwords
To crack actual linux user passwords, you'll need to access /etc/shadow and only root should be able to do that. Looking at /etc/password we have for example
I've made up the string above (using mkpasswd -m sha-512 -S MyySaltt which is salted using MyySaltt. ). Anyway, copy the hash, e.g.


to a file, e.g. nutest.list

man crypt
ID | Method --------------------------------------------------------- 1 | MD5 2a | Blowfish (not in mainline glibc; added in some | Linux distributions) 5 | SHA-256 (since glibc 2.7) 6 | SHA-512 (since glibc 2.7)
The $6$ means that it's a SHA-512 hashed password.

Now run hashcat:
hashcat-cli64.bin -n 6 -m 1800 nutest.list rockyoutxt -r /opt/hashcat/hashcat-0.44/rules/best64.rule

where 1800 means SHA-512 (do hashcat --help to see what code to use) and 6 is the number of threads (six core CPU). You should be able to easily crack this one...