Crack the Hashes
HINT
Use
hashid '{YOUR_HASH}'
and
hashcat --example-hashes | grep -B1 -A2 "{HASHNAME}"
to identify your hash. Or use this website: Hashcat wiki: example_hashes
HINT
During CTFs it's uncommon to spend hours on hash cracking, so you can prefix the command with something like
timeout 30m {COMMAND}
to stop the execution after 30 minutes.
WARNING
The configuration below is optimized for <32 char passwords! If you don't want this, remove the
-O
flag.
Use hashcat
it's the fastest: hashcat -m {HASHMODE} -a 0 --force -o cracked.txt -w 3 --opencl-device-types 1,2 -O -r ~/tools/OneRuleToRuleThemAll.rule hashes.txt /usr/share/wordlists/rockyou.txt
with OneRuleToRuleThemAll.rule. If you want to change the load on your system, decrease or increase -w 3
to 2 or 4.
Online
Linux
On Linux distributions, password hashes are stored in the /etc/shadow
file, which can be read only with administrative privileges. The hashes are in the following format: $id$salt$hash.
- sha512crypt $6$:
hashcat -m 1800
- sha256crypt $5$:
hashcat -m 7400
- md5crypt:
hashcat -m 500
Windows
On Windows operating systems, user password hashes are stored in the Security Account Manager (SAM). Entries in the SAM file are stored in the following format: uid:rid:lm hash:ntlm hash.
- NTLM:
hashcat -m 1000
- Kerberoast:
- If you only have the kirbi file (e.g.: from mimikatz) you can convert it to the hashcat format like this:
python ~/tools/kirbi2hashcat.py 2-40a10000-client251MSSQLSvcCorpSqlServer.corp.com1433-CORP.COM.kirbi
hashcat -m 13100
- ASREP:
hashcat -m 18200
- NetNTLMv2:
hashcat -m 27100
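As an added example (not code from the original page), a small Python helper that applies the two format descriptions above: it recognises the /etc/shadow $id$salt$hash prefix and the SAM uid:rid:lm hash:ntlm hash layout, maps each line to the hashcat mode listed on this page, and groups the hashes by mode so every group can be fed to its own hashcat -m run. The sample lines are constructed placeholders, and the $y$ (yescrypt) entry is an assumption added beyond the page.

```python
import re

# crypt(3) "$id$" prefix in /etc/shadow -> hashcat mode listed above. "$y$" is an
# added note: yescrypt (recent Debian/Ubuntu default) has no hashcat mode -> skipped.
SHADOW_MODES = {"1": 500, "5": 7400, "6": 1800, "y": None}
# The hash field must start with "$", so locked accounts ("!", "*", "!$6$..")
# are skipped. An optional "rounds=N$" is swallowed by the trailing [^:]*.
SHADOW_RE = re.compile(r"^(?P<user>[^:]+):(?P<hash>\$(?P<id>[^$]+)\$[^:]*):")
# pwdump-style SAM line: user:rid:lm hash:nt hash:::
SAM_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):", re.I)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # well-known NT hash of ""

def classify_shadow(line):
    """One /etc/shadow line -> (user, hashcat_mode, hash), or None."""
    m = SHADOW_RE.match(line)
    mode = SHADOW_MODES.get(m.group("id")) if m else None
    return (m.group("user"), mode, m.group("hash")) if mode else None

def classify_sam(line):
    """One SAM dump line -> (user, 1000, nt_hash), or None for malformed
    lines and for the empty password, which is not worth a hashcat run."""
    m = SAM_RE.match(line)
    if not m or m.group("nt").lower() == EMPTY_NT:
        return None
    return (m.group("user"), 1000, m.group("nt").lower())

def build_jobs(lines):
    """Group "user:hash" entries by hashcat mode, since each hashcat run takes
    exactly one -m; each list can be written to hashes.txt and run with
    --username so cracked results are reported per account."""
    jobs = {}
    for line in lines:
        entry = classify_shadow(line.strip()) or classify_sam(line.strip())
        if entry:
            user, mode, h = entry
            jobs.setdefault(mode, []).append(f"{user}:{h}")
    return jobs

# Constructed sample lines (placeholder hashes, not real credentials).
SAMPLE = [
    "root:$6$Qz9x1Ab2$placeholder512hashvalue:19500:0:99999:7:::",
    "svc:$5$rounds=5000$s4lt$placeholder256hash:19500:0:99999:7:::",
    "daemon:*:19500:0:99999:7:::",
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "bob:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
]

if __name__ == "__main__":
    for mode, hashes in sorted(build_jobs(SAMPLE).items()):
        print(f"hashcat -m {mode} --username ... <- {len(hashes)} hash(es)")
```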
Relevant Note(s): Hashing