ICT Security Basics – work 2

Homework 2

h2 hashes

Read and summarize

Santos et al 2017: Security Penetration Testing – The Art of Hacking Series LiveLessons: Lesson 6: Hacking User Credentials

Password best practices:

  • Strong long passwords
  • Unique password for each system
  • Multi-factor authentication
  • Disable default passwords
  • Using a VPN on Public Networks


How to do better with passwords:

  • Hashing algorithms alone are not enough
  • Use a salt with your hash
  • Create strong passwords everywhere
  • Use two-factor authentication
  • Use certificate-based authentication
  • Better randomness
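The two list items "hashing alone is not enough" and "use a salt" are easy to see side by side in code. The following is an added example written for this page (it is not code from the LiveLessons course or from hashcat): the unsalted MD5 scheme that the hashcat runs below defeat, next to a per-user salted, deliberately slow PBKDF2 scheme from the Python standard library. The wordlist is a constructed stand-in for rockyou.txt, and the function names are my own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample wordlist standing in for rockyou.txt (not the real file).
SAMPLE_WORDLIST = ["123456", "password", "admin", "monkey", "letmein"]

# --- the weak scheme: unsalted, fast hash -----------------------------------

def md5_unsalted(password: str) -> str:
    """Unsalted MD5, the scheme of the first hash on the page (hashcat mode 0)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def build_lookup(wordlist) -> dict:
    """Precompute digest -> password once. Because there is no salt, every
    hash produced by this scheme can be reversed with one dictionary lookup."""
    return {md5_unsalted(pw): pw for pw in wordlist}

def reverse_unsalted(digest: str, table: dict) -> Optional[str]:
    """Return the password behind a digest if it is in the table, else None."""
    return table.get(digest.lower())

# --- the better scheme: per-user random salt + slow key derivation -----------

PBKDF2_ITERATIONS = 600_000  # tune so one verification costs tens of ms

def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$dk_hex' with a fresh 16-byte salt.
    Two users with the same password get different strings, so a precomputed
    table is useless and each guess must be recomputed per user."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def demo() -> dict:
    """Contrast the two schemes on the page's own MD5 hash."""
    table = build_lookup(SAMPLE_WORDLIST)
    page_hash = "21232f297a57a5a743894a0e4a801fc3"  # the first hash on the page
    salted_a = hash_salted("admin")
    salted_b = hash_salted("admin")
    return {
        "unsalted_reversed": reverse_unsalted(page_hash, table),  # 'admin'
        "same_password_same_md5": md5_unsalted("admin") == md5_unsalted("admin"),
        "same_password_same_salted": salted_a == salted_b,  # False
        "salted_verifies": verify_salted("admin", salted_a),
        "salted_rejects_wrong": verify_salted("Admin", salted_a),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not stop a dictionary attack against one account; it stops the attacker from reusing work across accounts and from using precomputed tables. The iteration count is what makes each guess expensive, which is the same idea the bcrypt cost factor later on the page applies.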


Brute Force tools

Source:

Security Penetration Testing The Art of Hacking Series LiveLessons

By Omar Santos, Jon Sternstein, Ron Taylor, Chris McCoy

Hashcat

I am using the Kali Linux distribution on the VMware Workstation 15 Pro hypervisor. Hashcat comes pre-installed with Kali Linux, so I needed to read the hashcat help to learn the command syntax.

$ hashcat --help
hashcat (v6.2.5) starting in help mode

Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...

I tried running hashcat in benchmark mode using the -b option. This failed due to insufficient memory allocated to the virtual machine.

After I allocated 8 GB of RAM to the virtual machine, hashcat started working in benchmark mode, but the speed was low, so I increased the number of processor cores dedicated to the virtual machine. After that the hashcat benchmark finished in 2 minutes.

Crack the hash

The first task is to crack this hash: 21232f297a57a5a743894a0e4a801fc3

First I had to specify the hash type for hashcat. The Hash Analyzer service identified it as MD5 or MD4, which correspond to hashcat modes 0 and 900. I tried MD5 first, using the -m 0 option.

Hash Analyzer service: https://www.tunnelsup.com/hash-analyzer/

Because I was trying to crack one hash, I added it to the command as is, without putting it in a file first.

$ hashcat -m 0 -a 0 -o hashcat-output.txt 21232f297a57a5a743894a0e4a801fc3 /usr/share/wordlists/rockyou.txt

21232f297a57a5a743894a0e4a801fc3:admin


I knew that the password length is 5 symbols, so I tried to crack it with a mask attack (-a 3) and the mask ?1?1?1?1?1

$ hashcat -m 0 -a 3 --show 21232f297a57a5a743894a0e4a801fc3 ?1?1?1?1?1
21232f297a57a5a743894a0e4a801fc3:admin

But what if the length of the password is unknown? In that case you can use a length range: the -i increment option together with --increment-min and --increment-max.

$ hashcat -m 0 -a 3 --show -i --increment-min=3 --increment-max=10 21232f297a57a5a743894a0e4a801fc3
21232f297a57a5a743894a0e4a801fc3:admin

Crack Windows NTLM hash

The next task is to crack this Windows NTLM hash: f2477a144dff4f216ab81f2ac3e3207d

I used the password dictionary (hashcat mode 1000 for NTLM) and the output file windows-hash.txt

$ hashcat -m 1000 -a 0 -o windows-hash.txt f2477a144dff4f216ab81f2ac3e3207d /usr/share/wordlists/rockyou.txt

$ cat windows-hash.txt
f2477a144dff4f216ab81f2ac3e3207d:monkey

I also tried a mask with the increment option

$ hashcat -m 1000 -a 3 --show -i --increment-min=3 --increment-max=10 f2477a144dff4f216ab81f2ac3e3207d
f2477a144dff4f216ab81f2ac3e3207d:monkey

Try cracking this hash and comment on your hash rate

Try cracking this hash and comment on your hash rate $2y$18$axMtQ4N8j/NQVItQJed9uORfsUK667RAWfycwFMtDBD6zAo1Se2eu (Update: Crack this -> Try cracking this. I’m interested in your comments on the hash rate, no need to get the password).

Well, for that, I needed to understand what hash rate means. I found the definition of the term:

“Hashrate is a measure of the computational power per second used when mining. More simply, it is the speed of mining. It is measured in units of hash/second, meaning how many calculations per second can be performed.”

Source: https://bitflyer.com/en-us/s/glossary/hashrate

Hash Analyzer showed me example hashes of different types, and this one looked like a bcrypt hash.

I added the hash to the file bcrypt.txt and checked it with the hashid tool

$ hashid -m bcypt.txt
--File 'bcypt.txt'--
Analyzing '$2y$18$axMtQ4N8j/NQVItQJed9uORfsUK667RAWfycwFMtDBD6zAo1Se2eu'
[+] Blowfish(OpenBSD) [Hashcat Mode: 3200]
[+] Woltlab Burning Board 4.x
[+] bcrypt [Hashcat Mode: 3200]
--End of file 'bcypt.txt'--

I had to use hash mode 3200

$ hashcat -m 3200 -a 3 -w 3 bcypt.txt

So hash rate is the cracking speed. Because I was using a VMware virtual machine, I couldn't use the GPU to crack the hashes, so hashcat reports the speed of only one device, the CPU. The processor power allocated to the virtual machine would not be enough for bitcoin mining.

Speed.#1.........:        0 H/s (41.96ms) @ Accel:4 Loops:512 Thr:1 Vec:1
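Two numbers on this page explain each other: the mask and increment ranges used in the hashcat runs above decide how many candidates must be tried, and the hash rate decides how fast they are tried. The bcrypt hash is slow precisely because its `$18$` cost field means 2^18 key-setup rounds per guess, which is why the virtual machine's CPU shows 0 H/s. The following is an added example written for this page (not code from hashcat, the course, or any of the linked sources): a keyspace calculator for hashcat masks, including the -i increment range, and a parser for the bcrypt cost factor. The charset sizes are hashcat's documented built-in ones; the hash rates in the demo are hypothetical values for illustration, not measurements. Note that ?1 in a mask is a custom charset that hashcat expects to be defined with -1, which the calculator models with the `custom` argument.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sizes of hashcat's built-in charsets: ?l lower, ?u upper, ?d digits,
# ?s specials (33 incl. space), ?a all printable ASCII, ?h/?H hex, ?b any byte.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95,
                 "h": 16, "H": 16, "b": 256}

_MASK_TOKEN = re.compile(r"\?(.)|(.)", re.DOTALL)

def mask_tokens(mask: str, custom: Optional[Dict[int, int]] = None) -> List[int]:
    """Per-position charset sizes of a hashcat mask.

    `custom` gives the sizes of custom charsets ?1..?4 (what -1 .. -4 define
    on the command line); an undefined one is an error, as it is in hashcat.
    A bare character is a fixed literal and '??' is a literal question mark."""
    custom = custom or {}
    sizes = []
    for m in _MASK_TOKEN.finditer(mask):
        cs, literal = m.group(1), m.group(2)
        if literal is not None or cs == "?":
            sizes.append(1)
        elif cs in CHARSET_SIZES:
            sizes.append(CHARSET_SIZES[cs])
        elif cs in "1234":
            if int(cs) not in custom:
                raise ValueError(f"custom charset ?{cs} is undefined")
            sizes.append(custom[int(cs)])
        else:
            raise ValueError(f"unknown charset ?{cs}")
    return sizes

def mask_keyspace(mask: str, custom: Optional[Dict[int, int]] = None) -> int:
    """Number of candidates a full-length mask attack (-a 3) has to try."""
    total = 1
    for n in mask_tokens(mask, custom):
        total *= n
    return total

def increment_keyspace(mask: str, inc_min: int, inc_max: int,
                       custom: Optional[Dict[int, int]] = None) -> int:
    """Keyspace of '-a 3 -i --increment-min=M --increment-max=N mask': hashcat
    runs the first L positions of the mask for each L in M..N, capped at the
    mask length, so the lengths add up."""
    sizes = mask_tokens(mask, custom)
    total = 0
    for length in range(inc_min, min(inc_max, len(sizes)) + 1):
        sub = 1
        for n in sizes[:length]:
            sub *= n
        total += sub
    return total

def worst_case_seconds(keyspace: int, hashes_per_second: float) -> float:
    """Time to exhaust the keyspace at a given hash rate (H/s)."""
    return keyspace / hashes_per_second

_BCRYPT = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")

def bcrypt_cost(hash_str: str) -> Tuple[int, int]:
    """Return (cost, rounds): bcrypt runs 2**cost key-setup rounds per guess."""
    m = _BCRYPT.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    cost = int(m.group(1))
    return cost, 2 ** cost

if __name__ == "__main__":
    page_bcrypt = "$2y$18$axMtQ4N8j/NQVItQJed9uORfsUK667RAWfycwFMtDBD6zAo1Se2eu"
    cost, rounds = bcrypt_cost(page_bcrypt)
    print(f"bcrypt cost {cost}: {rounds} rounds per guess, "
          f"{rounds // 2 ** 10}x the work of the common cost 10")
    five_lower = mask_keyspace("?l?l?l?l?l")
    inc = increment_keyspace("?a" * 10, 3, 10)
    print(f"?l x5 keyspace: {five_lower:,}")
    print(f"?a x3..10 keyspace: {inc:,}")
    # Hypothetical rates for illustration only, not measurements from the page.
    for rate in (1e4, 1e9):
        print(f"at {rate:.0e} H/s: ?l x5 takes {worst_case_seconds(five_lower, rate):.1f} s, "
              f"?a x3..10 takes {worst_case_seconds(inc, rate) / 86400 / 365:.0f} years")
```

The calculator makes the defender's point of the page concrete: a short lowercase-only password has a keyspace a fast hash exhausts in seconds, while a long password over the full printable charset is out of reach even at GPU rates, and a slow hash such as bcrypt at a high cost shrinks the effective hash rate by a factor of 2^cost on top of that.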


The top tool showed that while hashcat was working on the bcrypt hash, CPU usage was almost 400%, which means almost all the power of the four cores was being used.

Also, the CPU usage of the Windows host machine was quite high.


John the Ripper

I tried to use the John the Ripper tool, which comes preinstalled with the Kali Linux distribution, to crack the local machine's passwords from the /etc/passwd and /etc/shadow files. I had done this once before in my homework for a penetration testing course, but here on Kali Linux it didn't work straight away.

First I needed to unshadow the /etc/passwd and /etc/shadow files and redirect the output to a file.

$ sudo unshadow /etc/passwd /etc/shadow > shadow

Then I needed to crack the passwords in the unshadowed file with the john tool, but I kept getting the same error.

$ john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed
Using default input encoding: UTF-8
No password hashes loaded (see FAQ)

After some research and googling, I found that I needed to use the --format=crypt option. That worked. The Kali Linux distribution has only one user, “kali”, by default, and its password “kali” was cracked with the John the Ripper tool.
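What unshadow produces, and why the file needed --format=crypt, is easier to see on a small constructed input. The following is an added example written for this page (not code from john, unshadow, or Kali): a Python reimplementation of the unshadow merge over constructed /etc/passwd and /etc/shadow lines, plus a classifier for the crypt(3) scheme prefix in each password field. Recent Debian-based systems, Kali included, store local passwords as yescrypt ($y$), which john's generic crypt format handles through the system crypt library. The hash bodies in the sample are placeholders, not real digests, and the user names, function names and the scheme table are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample files; the hash bodies are placeholders, not real digests.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/usr/bin/zsh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
kali:x:1000:1000:Kali,,,:/home/kali:/usr/bin/zsh
legacy:x:1001:1001::/home/legacy:/bin/bash
"""
SHADOW_TEXT = """\
root:!:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
kali:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
legacy:$1$PLACEHOLD$PLACEHOLDERHASH:19000:0:99999:7:::
"""

# crypt(3) scheme identifiers and the hashcat mode for the ones hashcat handles.
SCHEMES: Dict[str, Tuple[str, Optional[int]]] = {
    "1": ("md5crypt", 500),
    "2a": ("bcrypt", 3200), "2b": ("bcrypt", 3200), "2y": ("bcrypt", 3200),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
    "7": ("scrypt", None),
    "y": ("yescrypt", None),
    "gy": ("gost-yescrypt", None),
}

def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Map user name -> list of colon-separated fields (first field is the name)."""
    rows: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields
    return rows

def unshadow(passwd_text: str, shadow_text: str) -> List[str]:
    """Merge like unshadow(8): each passwd line with its 'x' password field
    replaced by the hash field from the matching shadow entry."""
    shadow = parse_colon_file(shadow_text)
    merged = []
    for user, fields in parse_colon_file(passwd_text).items():
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry for {user}")
        fields = list(fields)
        if user in shadow:
            fields[1] = shadow[user][1]
        merged.append(":".join(fields))
    return merged

def classify(hash_field: str) -> Tuple[str, Optional[int]]:
    """Return (scheme, hashcat_mode) for a password field, or ('locked'/'empty'/
    'unknown', None). A leading '!' or '*' means the account cannot log in
    with a password, so there is nothing for john to load."""
    if hash_field == "":
        return ("empty", None)
    if hash_field.startswith(("!", "*")):
        return ("locked", None)
    m = re.match(r"^\$([^$]+)\$", hash_field)
    if m and m.group(1) in SCHEMES:
        return SCHEMES[m.group(1)]
    return ("unknown", None)

def audit(passwd_text: str, shadow_text: str) -> Dict[str, Tuple[str, Optional[int]]]:
    """Which accounts carry a real hash, and under which scheme."""
    result = {}
    for line in unshadow(passwd_text, shadow_text):
        user, hash_field = line.split(":")[:2]
        result[user] = classify(hash_field)
    return result

if __name__ == "__main__":
    for line in unshadow(PASSWD_TEXT, SHADOW_TEXT):
        print(line)
    for user, (scheme, mode) in audit(PASSWD_TEXT, SHADOW_TEXT).items():
        print(f"{user:10} {scheme:14} hashcat mode: {mode}")
```

Run on a real unshadowed file, the audit tells you before any cracking which accounts are locked, which use a modern slow scheme, and which still carry a legacy md5crypt or sha512crypt hash that a fast dictionary run like the ones above would chew through.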


Sources:

https://terokarvinen.com/2022/cracking-passwords-with-hashcat/

https://resources.infosecinstitute.com/topic/hashcat-tutorial-beginners/

https://hackware.ru/?p=4830

https://hashcat.net/wiki/doku.php?id=hashcat

https://samsclass.info/123/proj10/px16-hashcat-win.htm

https://security.stackexchange.com/questions/109211/john-the-ripper-is-not-identifying-hashes