Hash Crack. Copyright © 2017 Netmux LLC
ISBN-10: 1975924584 ISBN-13: 978-1975924584
TABLE OF CONTENTS
Intro
Required Software
Core Hash Cracking Knowledge
Cracking Methodology
Basic Cracking Playbook
Cheat Sheets
Extract Hashes
Password Analysis
Dictionary / Wordlist
Rules & Masks
Foreign Character Sets
Advanced Attacks
Cracking Concepts
Common Hash Examples
Appendix
- Terms
- Online Resources
- John The Ripper Menu
- Hashcat Menu
- Hash Cracking Benchmarks
- Hash Cracking Speed
INTRO
This manual is meant to be a reference guide for cracking tool usage and supportive tools that assist network defenders and pentesters in password recovery (cracking). This manual will not be covering the installation of these tools, but will include references to their proper installation, and if all else fails, Google. Updates and additions to this manual are planned yearly as advancements in cracking evolve. Password recovery is a battle against math, time, cost, and human behavior; and much like any battle, the tactics are constantly evolving.

ACKNOWLEDGEMENTS
This community would not enjoy the success and diversity without the following community members and contributors:
Alexander 'Solar Designer' Peslyak, John The Ripper Team, & Community
Jens 'atom' Steube, Hashcat Team, & Devoted Hashcat Forum Community
Jeremi 'epixoip' Gosney
Korelogic & the Crack Me If You Can Contest
Robin 'DigiNinja' Wood (Pipal & CeWL)
CynoSure Prime Team
Chris 'Unix-ninja' Aurelio
Per Thorsheim (PasswordsCon)
Blandyuk & Rurapenthe (HashKiller Contest)
Peter 'iphelix' Kacherginsky (PACK)
Royce 'tychotithonus' Williams
'Waffle'
And many, many, many more contributors. If a name was excluded from the above list please reach out and the next version will give them their due credit.
Lastly, the tools, research, and resources covered in the book are the result of people's hard work. As such, I HIGHLY encourage all readers to DONATE to help assist in their efforts. A portion of the proceeds from this book will be distributed to the various researchers/projects.
Suggestions or comments, [email protected]
REQUIRED SOFTWARE
In order to follow many of the techniques in this manual, you will want to install the following software on your Windows or *NIX host. This book does not cover how to install said software and assumes you were able to follow the included links and extensive support websites.

HASHCAT v3.6 (or newer)
https://hashcat.net/hashcat/
JOHN THE RIPPER (v1.8.0 JUMBO)
http://www.openwall.com/john/
PACK V0.0.4 (Password Analysis and Cracking Toolkit)
http://thesprawl.org/projects/pack/
Hashcat-utils v1.7
https://hashcat.net/wiki/doku.php?id=hashcat_utils

Additionally, you will need dictionaries/wordlists; the sources below are highly recommended:
WEAKPASS DICTIONARY
https://weakpass.com/wordlist
CRACKSTATION DICTIONARY
https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm
SKULL SECURITY WORDLISTS
https://wiki.skullsecurity.org/index.php?title=Passwords

Throughout the manual, generic names have been given to the various inputs required in a cracking command's structure. Legend description is below:

COMMAND STRUCTURE LEGEND
hashcat       = Generic representation of the various Hashcat binary names
john          = Generic representation of the John the Ripper binary names
#type         = Hash type; which is an abbreviation in John or a number in Hashcat
hash.txt      = File containing target hashes to be cracked
dict.txt      = File containing dictionary/wordlist
rule.txt      = File containing permutation rules to alter dict.txt input
passwords.txt = File containing cracked password results
outfile.txt   = File containing results of some functions output

Lastly, as a good reference for testing various hash types to place into your "hash.txt" file, the below sites contain all the various hashing algorithms and example output tailored for each cracking tool:
HASHCAT HASH FORMAT EXAMPLES
https://hashcat.net/wiki/doku.php?id=example_hashes
JOHN THE RIPPER HASH FORMAT EXAMPLES
http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
http://openwall.info/wiki/john/sample-hashes
CORE HASH CRACKING KNOWLEDGE

ENCODING vs HASHING vs ENCRYPTING
Encoding = transforms data into a publicly known scheme for usability
Hashing = one-way cryptographic function nearly impossible to reverse
Encrypting = mapping of input data and output data reversible with a key

CPU vs GPU
CPU = 2-72 cores mainly optimized for sequential serial processing
GPU = 1000's of cores with 1000's of threads for parallel processing

CRACKING TIME = KEYSPACE / HASHRATE
Keyspace: charset^length (?a?a?a?a = 95^4 = 81,450,625)
Hashrate: hashing function / hardware power (bcrypt / GTX1080 = 13094 H/s)
Cracking Time: 81,450,625 / 13094 H/s = 6,220 seconds
*Keyspace displayed and Hashrate vary by tool and hardware used
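
The CRACKING TIME = KEYSPACE / HASHRATE formula above, worked as an added Python example (not code from the book): it counts the candidates of a hashcat-style mask, including custom charsets and increment mode, and divides by a hashrate, which is how a password policy's resistance can be estimated. The function names are illustrative, it covers ?l ?u ?d ?s ?a, ?1-?4 and literal characters only, and 13094 H/s is the bcrypt / GTX1080 figure quoted above.

```python
import string

# Characters covered by hashcat's built-in mask placeholders.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,  # 33 printable ASCII symbols, space included
}
BUILTIN["a"] = "".join(BUILTIN[k] for k in "luds")  # 95 characters in total


def expand(spec, custom=None):
    """Return one set of characters per position of a mask or charset definition.

    '?d' -> digits, '?1' -> custom charset 1, '??' -> a literal '?',
    any other character stands for itself.
    """
    custom = custom or {}
    positions, i = [], 0
    while i < len(spec):
        ch = spec[i]
        if ch == "?":
            if i + 1 >= len(spec):
                raise ValueError("dangling '?' at end of mask")
            key = spec[i + 1]
            if key == "?":
                positions.append({"?"})
            elif key in BUILTIN:
                positions.append(set(BUILTIN[key]))
            elif key in custom:
                # A custom charset is the union of everything in its definition.
                positions.append(set().union(*expand(custom[key])))
            else:
                raise ValueError(f"unknown placeholder ?{key}")
            i += 2
        else:
            positions.append({ch})
            i += 1
    return positions


def mask_keyspace(mask, custom=None, increment=False):
    """Candidates generated by a mask; with increment, every shorter prefix too."""
    total, running = 0, 1
    for position in expand(mask, custom):
        running *= len(position)
        total += running
    return total if increment else running


def crack_seconds(mask, hashrate, custom=None, increment=False):
    """Worst-case seconds to exhaust the mask at `hashrate` hashes per second."""
    return mask_keyspace(mask, custom, increment) / hashrate


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, span in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    BCRYPT_GTX1080 = 13094  # H/s, the figure quoted in the text
    for mask in ("?a?a?a?a", "?a?a?a?l?d?d", "?a?a?a?a?a?a?a?a"):
        ks = mask_keyspace(mask)
        print(f"{mask:18} keyspace={ks:>22,}  exhaust={human(ks / BCRYPT_GTX1080)}")
    # Custom charset 1 defined as ?l?u (52 characters), then two digits.
    print(mask_keyspace("?1?1?1?1?d?d", {"1": "?l?u"}))
```
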
SALT = random data that's used as additional input to a one-way function
ITERATIONS = the number of times an algorithm is run over a given hash

HASH IDENTIFICATION: there isn't a foolproof method for identifying which hash function was used by simply looking at the hash, but there are reliable clues (i.e. $6$ sha512crypt). The best method is to know from where the hash was extracted and identify the hash function for that software.
DICTIONARY/WORDLIST ATTACK = straight attack uses a precompiled list of words, phrases, and common/unique strings to attempt to match a password.
BRUTE-FORCE ATTACK = attempts every possible combination of a given character set, usually up to a certain length.
RULE ATTACK = generates permutations against a given wordlist by modifying, trimming, extending, expanding, combining, or skipping words.
MASK ATTACK = a form of targeted brute-force attack by using placeholders for characters in certain positions (i.e. ?a?a?a?l?d?d).
HYBRID ATTACK = combines a Dictionary and Mask Attack by taking input from the dictionary and adding mask placeholders (i.e. dict.txt ?d?d?d).
CRACKING RIG = from a basic laptop to a 64 GPU cluster, this is the hardware/platform on which you perform your password hash attacks.

EXPECTED RESULTS
Know your cracking rig's capabilities by performing benchmark testing and don't assume you can achieve the same results posted by forum members without using the exact same dictionary, attack plan, or hardware setup. Cracking success largely depends on your ability to use resources efficiently and make calculated trade-offs based on the target hash.

DICTIONARY/WORDLIST vs BRUTE-FORCE vs ANALYSIS
Dictionaries and brute-force are not the end all be all to crack hashes. They are merely the beginning and end of an attack plan. True mastery is everything in the middle, where analysis of passwords, patterns, behaviors, and policies affords the ability to recover that last 20%. Experiment with your attacks and research and compile targeted wordlists with your new knowledge. Do not rely heavily on dictionaries because they can only help you with what is "known" and not the unknown.
CRACKING METHODOLOGY
Following is basic cracking methodology broken into steps, but the process is subject to change based on current/future target information uncovered during the cracking process.

1 - EXTRACT HASHES
Pull hashes from target, identify hashing function, and properly format output for your tool of choice.

2 - FORMAT HASHES
Format your hashes based on your tool's preferred method. See tool documentation for this guidance. Hashcat, for example, on each line takes <user>:<hash> OR just the plain <hash>.

3 - EVALUATE HASH STRENGTH
Using the Appendix table "Hash Cracking Speed (Slow-Fast)" assess your target hash and its cracking speed. If it's a slow hash, you will need to be more selective at what types of dictionaries and attacks you perform. If it's a fast hash, you can be more liberal with your attack strategy.

4 - CALCULATE CRACKING RIG CAPABILITIES
With the information from evaluating the hash strength, baseline your cracking rig's capabilities. Perform benchmark testing using John The Ripper and/or Hashcat's built-in benchmark ability on your rig.
john --test
hashcat -b
Based on these results you will be able to better assess your attack options by knowing your rig's capabilities against a specific hash. This will be a more accurate result of a hash's cracking speed based on your rig. It will be useful to save these results for future reference.

5 - FORMULATE PLAN
Based on known or unknown knowledge begin creating an attack plan. Included on the next page is a "Basic Cracking Playbook" to get you started.

6 - ANALYZE PASSWORDS
After successfully cracking a sufficient amount of hashes analyze the results for any clues or patterns. This analysis may aid in your success on any remaining hashes.

7 - CUSTOM ATTACKS
Based on your password analysis create custom attacks leveraging those known clues or patterns. Examples would be custom mask attacks or rules to fit target users' behavior or preferences.

8 - ADVANCED ATTACKS
Experiment with Princeprocessor, custom Markov-chains, maskprocessor, or custom dictionary attacks to shake out those remaining stubborn hashes. This is where your expertise and creativity really come into play.

9 - REPEAT
Go back to STEP 4 and continue the process over again, tweaking dictionaries, mask, parameters, and methods. You're in the grind at this point and need to rely on skill and luck.
BASIC CRACKING PLAYBOOK
This is only meant as a basic guide to processing hashes and each scenario will obviously be unique based on external circumstances. For this attack plan we will assume we know the password hashes are raw MD5 and assume we have already captured some plaintext passwords of users. If we had no knowledge of plaintext passwords we would most likely skip to DICTIONARY/WORDLIST attacks. Lastly, since MD5 is a "Fast" hash we can be more liberal with our attack plan.

1 - CUSTOM WORDLIST
First compile your known plaintext passwords into a custom wordlist file. Pass this to your tool of choice as a straight dictionary attack.
hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt

2 - CUSTOM WORDLIST + RULES
Run your custom wordlist with permutation rules to crack slight variations.
hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt -r best64.rule --loopback

3 - DICTIONARY/WORDLIST
Perform a broad dictionary attack, looking for common passwords and leaked passwords in well known dictionaries/wordlists.
hashcat -a 0 -m 0 -w 4 hash.txt dict.txt

4 - DICTIONARY/WORDLIST + RULES
Add rule permutations to the broad dictionary attack, looking for subtle changes to common words/phrases and leaked passwords.
hashcat -a 0 -m 0 -w 4 hash.txt dict.txt -r best64.rule --loopback

5 - CUSTOM WORDLIST + RULES
Add any newly discovered passwords to your custom wordlist and run an attack again with permutation rules, looking for any other subtle variations.
awk -F ":" '{print $2}' hashcat.potfile >> custom_list.txt
hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt -r dive.rule --loopback

6 - MASK
Now we will use mask attacks included with Hashcat to search the keyspace for common password lengths and patterns, based on the RockYou dataset.
hashcat -a 3 -m 0 -w 4 hash.txt rockyou-1-60.hcmask

7 - HYBRID DICTIONARY + MASK
Using a dictionary of your choice, conduct hybrid attacks looking for larger variations of common words or known passwords by appending/prepending masks to those candidates.
hashcat -a 6 -m 0 -w 4 hash.txt dict.txt rockyou-1-60.hcmask
hashcat -a 7 -m 0 -w 4 hash.txt rockyou-1-60.hcmask dict.txt

8 - CUSTOM WORDLIST + RULES
Add any newly discovered passwords back to your custom wordlist and run an attack again with permutation rules looking for any other subtle variations.
awk -F ":" '{print $2}' hashcat.potfile >> custom_list.txt
hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt -r dive.rule --loopback

9 - COMBO
Using a dictionary of your choice, perform a combo attack by individually combining the dictionary's password candidates together to form new candidates.
hashcat -a 1 -m 0 -w 4 hash.txt dict.txt dict.txt

10 - CUSTOM HYBRID ATTACK
Add any newly discovered passwords back to your custom wordlist and perform a hybrid attack against those newly acquired passwords.
awk -F ":" '{print $2}' hashcat.potfile >> custom_list.txt
hashcat -a 6 -m 0 -w 4 hash.txt custom_list.txt rockyou-1-60.hcmask
hashcat -a 7 -m 0 -w 4 hash.txt rockyou-1-60.hcmask custom_list.txt

11 - CUSTOM MASK ATTACK
By now the easier, weaker passwords may have fallen to cracking, but still some remain. Using PACK (on pg. 51) create custom mask attacks based on your currently cracked passwords. Be sure to sort out masks that match the previous rockyou-1-60.hcmask list.
hashcat -a 3 -m 0 -w 4 hash.txt custom_masks.hcmask

12 - BRUTE-FORCE
When all else fails begin a standard brute-force attack, being selective as to how large a keyspace your rig can adequately brute-force. Above 8 characters this is typically pointless due to hardware limitations and password entropy/complexity.
hashcat -a 3 -m 0 -w 4 hash.txt -i ?a?a?a?a?a?a?a?a
JOHN THE RIPPER CHEAT SHEET

ATTACK MODES
BRUTEFORCE ATTACK
john --format=#type hash.txt
DICTIONARY ATTACK
john --format=#type --wordlist=dict.txt hash.txt
MASK ATTACK
john --format=#type --mask=?l?l?l?l?l?l hash.txt -min-len=6
INCREMENTAL ATTACK
john --incremental hash.txt
DICTIONARY + RULES ATTACK
john --format=#type --wordlist=dict.txt --rules

RULES
--rules=Single
--rules=Wordlist
--rules=Extra
--rules=Jumbo
--rules=KoreLogic
--rules=All

INCREMENT
--incremental=Digits
--incremental=Lower
--incremental=Alpha
--incremental=Alnum

PARALLEL CPU or GPU
LIST OpenCL DEVICES
john --list=opencl-devices
LIST OpenCL FORMATS
john --list=formats --format=opencl
MULTI-GPU (example 3 GPU's)
john --format=<OpenCLformat> hash.txt --wordlist=dict.txt --rules --dev=<#> --fork=3
MULTI-CPU (example 8 cores)
john --wordlist=dict.txt hash.txt --rules --dev=<#> --fork=8

MISC
BENCHMARK TEST
john --test
SESSION NAME
john hash.txt --session=example_name
SESSION RESTORE
john --restore=example_name
SHOW CRACKED RESULTS
john hash.txt --pot=<john potfile> --show
WORDLIST GENERATION
john --wordlist=dict.txt --stdout --external:[filter name] > out.txt

BASIC ATTACK METHODOLOGY
1 - DEFAULT ATTACK
john hash.txt
2 - DICTIONARY + RULES ATTACK
john --wordlist=dict.txt --rules
3 - MASK ATTACK
john --mask=?l?l?l?l?l?l hash.txt -min-len=6
4 - BRUTEFORCE INCREMENTAL ATTACK
john --incremental hash.txt
HASHCAT CHEAT SHEET

ATTACK MODES
DICTIONARY ATTACK
hashcat -a 0 -m #type hash.txt dict.txt
DICTIONARY + RULES ATTACK
hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt
COMBINATION ATTACK
hashcat -a 1 -m #type hash.txt dict1.txt dict2.txt
MASK ATTACK
hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a
HYBRID DICTIONARY + MASK
hashcat -a 6 -m #type hash.txt dict.txt ?a?a?a?a
HYBRID MASK + DICTIONARY
hashcat -a 7 -m #type hash.txt ?a?a?a?a dict.txt

RULES
RULEFILE -r
hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt
MANIPULATE LEFT -j
hashcat -a 1 -m #type hash.txt left_dict.txt right_dict.txt -j <option>
MANIPULATE RIGHT -k
hashcat -a 1 -m #type hash.txt left_dict.txt right_dict.txt -k <option>

INCREMENT
DEFAULT INCREMENT
hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment
INCREMENT MINIMUM LENGTH
hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment-min=4
INCREMENT MAX LENGTH
hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a --increment-max=5

MISC
BENCHMARK TEST (HASH TYPE)
hashcat -b -m #type
SHOW EXAMPLE HASH
hashcat -m #type --example-hashes
DISABLE PASSWORD LENGTH LIMIT (Max Length 256)
hashcat -a 0 -m #type --length-limit-disable hash.txt dict.txt
SESSION NAME
hashcat -a 0 -m #type --session <uniq_name> hash.txt dict.txt
SESSION RESTORE
hashcat -a 0 -m #type --restore --session <uniq_name> hash.txt dict.txt
SHOW KEYSPACE
hashcat -a 0 -m #type --keyspace hash.txt dict.txt -r rule.txt
OUTPUT RESULTS FILE -o
hashcat -a 0 -m #type -o results.txt hash.txt dict.txt
CUSTOM CHARSET -1 -2 -3 -4
hashcat -a 3 -m #type hash.txt -1 ?l?u -2 ?l?d?s ?l?2?a?d?u?l
ADJUST PERFORMANCE -w
hashcat -a 0 -m #type -w <1-4> hash.txt dict.txt

BASIC ATTACK METHODOLOGY
1 - DICTIONARY ATTACK
hashcat -a 0 -m #type hash.txt dict.txt
2 - DICTIONARY + RULES
hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt
3 - HYBRID ATTACKS
hashcat -a 6 -m #type hash.txt dict.txt ?a?a?a?a
4 - BRUTEFORCE
hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a?a?a
HASH TYPES (SORTED ALPHABETICAL)
6600    1Password, agilekeychain
8200    1Password, cloudkeychain
14100   3DES (PT = $salt, key = $pass)
11600   7-Zip
6300    AIX {smd5}
6400    AIX {ssha256}
6500    AIX {ssha512}
6700    AIX {ssha1}
5800    Android PIN
8800    Android FDE < v4.3
12900   Android FDE (Samsung DEK)
1600    Apache $apr1$
125     ArubaOS
12001   Atlassian (PBKDF2-HMAC-SHA1)
13200   AxCrypt
13300   AxCrypt in memory SHA1
3200    bcrypt $2*$, Blowfish (Unix)
600     BLAKE2-512
12400   BSDiCrypt, Extended DES
11300   Bitcoin/Litecoin wallet.dat
12700   Blockchain, My Wallet
15200   Blockchain, My Wallet, V2
15400   ChaCha20
2410    Cisco-ASA
500     Cisco-IOS $1$
5700    Cisco-IOS $4$
9200    Cisco-IOS $8$
9300    Cisco-IOS $9$
2400    Cisco-PIX
8100    Citrix Netscaler
12600   ColdFusion 10+
10200   Cram MD5
11500   CRC32
14000   DES (PT = $salt, key = $pass)
1500    descrypt, DES (Unix), Traditional DES
8300    DNSSEC (NSEC3)
124     Django (SHA-1)
10000   Django (PBKDF2-SHA256)
1100    Domain Cached Credentials (DCC), MS Cache
2100    Domain Cached Credentials 2 (DCC2), MS Cache 2
15300   DPAPI masterkey file v1 and v2
7900    Drupal7
12200   eCryptfs
141     EPiServer 6.x < v4
1441    EPiServer 6.x > v4
15600   Ethereum Wallet, PBKDF2-HMAC-SHA256
15700   Ethereum Wallet, PBKDF2-SCRYPT
15000   FileZilla Server >= 0.9.55
7000    Fortigate (FortiOS)
6900    GOST R 34.11-94
11700   GOST R 34.11-2012 (Streebog) 256-bit
11800   GOST R 34.11-2012 (Streebog) 512-bit
7200    GRUB 2
50      HMAC-MD5 (key = $pass)
60      HMAC-MD5 (key = $salt)
150     HMAC-SHA1 (key = $pass)
160     HMAC-SHA1 (key = $salt)
1450    HMAC-SHA256 (key = $pass)
1460    HMAC-SHA256 (key = $salt)
1750    HMAC-SHA512 (key = $pass)
1760    HMAC-SHA512 (key = $salt)
5100    Half MD5
5300    IKE-PSK MD5
5400    IKE-PSK SHA1
2811    IPB (Invision Power Board)
7300    IPMI2 RAKP HMAC-SHA1
14700   iTunes Backup < 10.0
14800   iTunes Backup >= 10.0
4800    iSCSI CHAP authentication, MD5(Chap)
15500   JKS Java Key Store Private Keys (SHA1)
11      Joomla < 2.5.18
400     Joomla > 2.5.18
15100   Juniper/NetBSD sha1crypt
22      Juniper Netscreen/SSG (ScreenOS)
501     Juniper IVE
13400   Keepass 1 (AES/Twofish) and Keepass 2 (AES)
7500    Kerberos 5 AS-REQ Pre-Auth etype 23
13100   Kerberos 5 TGS-REP etype 23
6800    Lastpass + Lastpass sniffed
3000    LM
8600    Lotus Notes/Domino 5
8700    Lotus Notes/Domino 6
9100    Lotus Notes/Domino 8
14600   LUKS
900     MD4
0       MD5
10      md5($pass.$salt)
20      md5($salt.$pass)
30      md5(unicode($pass).$salt)
40      md5($salt.unicode($pass))
3710    md5($salt.md5($pass))
3800    md5($salt.$pass.$salt)
3910    md5(md5($pass).md5($salt))
4010    md5($salt.md5($salt.$pass))
4110    md5($salt.md5($pass.$salt))
2600    md5(md5($pass))
4400    md5(sha1($pass))
4300    md5(strtoupper(md5($pass)))
500     md5crypt $1$, MD5 (Unix)
9400    MS Office 2007
9500    MS Office 2010
9600    MS Office 2013
9700    MS Office <= 2003 $0
9710    MS Office <= 2003 $0
9720    MS Office <= 2003 $0
9800    MS Office <= 2003 $3
9810    MS Office <= 2003 $3
9820    MS Office <= 2003 $3
12800   MS-AzureSync PBKDF2-HMAC-SHA256
131     MSSQL (2000)
132     MSSQL (2005)
1731    MSSQL (2012)
1731    MSSQL (2014)
3711    Mediawiki B type
2811    MyBB
11200   MySQL CRAM (SHA1)
200     MySQL323
300     MySQL4.1/MySQL5
1000    NTLM
5500    NetNTLMv1
5500    NetNTLMv1 + ESS
5600    NetNTLMv2
101     nsldap, SHA-1(Base64), Netscape LDAP SHA
111     nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
13900   OpenCart
21      osCommerce
122     OSX V10.4, OSX V10.5, OSX V10.6
1722    OSX V10.7
7100    OSX V10.8, OSX V10.9, OSX v10.10
112     Oracle S: Type (Oracle 11+)
3100    Oracle H: Type (Oracle 7+)
12300   Oracle T: Type (Oracle 12+)
11900   PBKDF2-HMAC-MD5
12000   PBKDF2-HMAC-SHA1
10900   PBKDF2-HMAC-SHA256
12100   PBKDF2-HMAC-SHA512
10400   PDF 1.1 - 1.3 (Acrobat 2 - 4)
10410   PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1
10420   PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2
10500   PDF 1.4 - 1.6 (Acrobat 5 - 8)
10600   PDF 1.7 Level 3 (Acrobat 9)
10700   PDF 1.7 Level 8 (Acrobat 10 - 11)
400     phpBB3
400     phpass
2612    PHPS
5200    Password Safe v3
9000    Password Safe v2
133     PeopleSoft
13500   PeopleSoft Token
99999   Plaintext
12      PostgreSQL
11100   PostgreSQL CRAM (MD5)
11000   PrestaShop
4522    PunBB
8500    RACF
12500   RAR3-hp
13000   RAR5
9900    Radmin2
7600    Redmine
6000    RipeMD160
7700    SAP CODVN B (BCODE)
7800    SAP CODVN F/G (PASSCODE)
10300   SAP CODVN H (PWDSALTEDHASH) iSSHA-1
8900    scrypt
1300    SHA-224
1400    SHA-256
1411    SSHA-256(Base64), LDAP {SSHA256}
5000    SHA-3 (Keccak)
10800   SHA-384
1700    SHA-512
100     SHA1
14400   SHA1(CX)
110     sha1($pass.$salt)
120     sha1($salt.$pass)
130     sha1(unicode($pass).$salt)
140     sha1($salt.unicode($pass))
4500    sha1(sha1($pass))
4520    sha1($salt.sha1($pass))
4700    sha1(md5($pass))
4900    sha1($salt.$pass.$salt)
1410    sha256($pass.$salt)
1420    sha256($salt.$pass)
1440    sha256($salt.unicode($pass))
1430    sha256(unicode($pass).$salt)
7400    sha256crypt $5$, SHA256 (Unix)
1710    sha512($pass.$salt)
1720    sha512($salt.$pass)
1740    sha512($salt.unicode($pass))
1730    sha512(unicode($pass).$salt)
1800    sha512crypt $6$, SHA512 (Unix)
11400   SIP digest authentication (MD5)
121     SMF (Simple Machines Forum)
1711    SSHA-512(Base64), LDAP {SSHA512}
10100   SipHash
14900   Skip32
23      Skype
8000    Sybase ASE
62XY    TrueCrypt
        X 1 = PBKDF2-HMAC-RipeMD160
        X 2 = PBKDF2-HMAC-SHA512
        X 3 = PBKDF2-HMAC-Whirlpool
        X 4 = PBKDF2-HMAC-RipeMD160 + boot-mode
        Y 1 = XTS 512 bit pure AES
        Y 1 = XTS 512 bit pure Serpent
        Y 1 = XTS 512 bit pure Twofish
        Y 2 = XTS 1024 bit pure AES
        Y 2 = XTS 1024 bit pure Serpent
        Y 2 = XTS 1024 bit pure Twofish
        Y 2 = XTS 1024 bit cascaded AES-Twofish
        Y 2 = XTS 1024 bit cascaded Serpent-AES
        Y 2 = XTS 1024 bit cascaded Twofish-Serpent
        Y 3 = XTS 1536 bit all
2611    vBulletin < V3.8.5
2711    vBulletin > V3.8.5
137XY   VeraCrypt
        X 1 = PBKDF2-HMAC-RipeMD160
        X 2 = PBKDF2-HMAC-SHA512
        X 3 = PBKDF2-HMAC-Whirlpool
        X 4 = PBKDF2-HMAC-RipeMD160 + boot-mode
        X 5 = PBKDF2-HMAC-SHA256
        X 6 = PBKDF2-HMAC-SHA256 + boot-mode
        Y 1 = XTS 512 bit pure AES
        Y 1 = XTS 512 bit pure Serpent
        Y 1 = XTS 512 bit pure Twofish
        Y 2 = XTS 1024 bit pure AES
        Y 2 = XTS 1024 bit pure Serpent
        Y 2 = XTS 1024 bit pure Twofish
        Y 2 = XTS 1024 bit cascaded AES-Twofish
        Y 2 = XTS 1024 bit cascaded Serpent-AES
        Y 2 = XTS 1024 bit cascaded Twofish-Serpent
        Y 3 = XTS 1536 bit all
8400    WBB3 (Woltlab Burning Board)
2500    WPA/WPA2
2501    WPA/WPA2 PMK
6100    Whirlpool
13600   WinZip
13800   Windows 8+ phone PIN/Password
400     Wordpress
21      xt:Commerce
TERMINAL COMMAND CHEAT SHEET
Ctrl + u   delete everything from the cursor to the beginning of the line
Ctrl + w   delete the previous word on the command line before the cursor
Ctrl + l   clear the terminal window
Ctrl + a   jump to the beginning of the command line
Ctrl + e   move your cursor to the end of the command line
Ctrl + r   search command history in reverse, continue pressing key sequence to continue backwards search. Esc when done or command found.
FILE MANIPULATION CHEAT SHEET

Extract all lowercase strings from each line and output to wordlist.
sed 's/[^a-z]*//g' wordlist.txt > outfile.txt

Extract all uppercase strings from each line and output to wordlist.
sed 's/[^A-Z]*//g' wordlist.txt > outfile.txt

Extract all lowercase/uppercase strings from each line and output to wordlist.
sed 's/[^a-zA-Z]*//g' wordlist.txt > outfile.txt

Extract all digits from each line in file and output to wordlist.
sed 's/[^0-9]*//g' wordlist.txt > outfile.txt

Watch hashcat potfile or designated output file live.
watch -n .5 tail -50 <hashcat.potfile or outfile.txt>

Pull 100 random samples from wordlist/passwords for visual analysis.
shuf -n 100 file.txt

Print statistics on length of each string and total counts per length.
awk '{print length}' file.txt | sort -n | uniq -c

Remove all duplicate strings and count how many times they are present; then sort by their count in descending order.
sort file.txt | uniq -c | sort -nr

Command to create quick & dirty custom wordlist with length 1-15 character words from a designated website into a sorted and counted list.
curl -s http://www.netmux.com | sed -e 's/<[^>]*>//g' | tr " " "\n" | tr -dc '[:alnum:]\n\r' | tr '[:upper:]' '[:lower:]' | cut -c 1-15 | sort | uniq -c | sort -nr

MD5 each line in a file (Mac OSX).
while IFS= read -r line; do printf '%s' "$line" | md5; done < infile.txt > outfile.txt

MD5 each line in a file (*Nix).
while IFS= read -r line; do printf '%s' "$line" | md5sum; done < infile.txt | awk -F " " '{print $1}' > outfile.txt

Remove lines that match from each file and only print remaining from file2.txt.
grep -vwF -f file1.txt file2.txt

Take two ordered files, merge and remove duplicate lines and maintain ordering.
nl -ba -s ':' file1.txt >> outfile.txt
nl -ba -s ':' file2.txt >> outfile.txt
sort -n outfile.txt | awk -F ":" '{print $2}' | awk '!seen[$0]++' > final.txt

Extract strings of a specific length into a new file/wordlist.
awk 'length == 8' file.txt > 8len-out.txt

Convert alpha characters on each line in file to lowercase characters.
tr 'A-Z' 'a-z' < infile.txt > outfile.txt

Convert alpha characters on each line in file to uppercase characters.
tr 'a-z' 'A-Z' < infile.txt > outfile.txt

Split a file into separate files by X number of lines per outfile.
split -d -l 3000 infile.txt outfile.txt

Reverse the order of each character of each line in the file.
rev infile.txt > outfile.txt

Sort each line in the file from shortest to longest.
awk '{print length, $0}' infile.txt | sort -n | cut -d ' ' -f2-

Sort each line in the file from longest to shortest.
awk '{print length, $0}' infile.txt | sort -r -n | cut -d ' ' -f2-

Substring matching by converting to HEX and then back to ASCII. (Example searches for 5 character strings from file1.txt found as a substring in 20 character strings in file2.txt)
strings file1.txt | xxd -u -ps -c 5 | sort -u > out1.txt
strings file2.txt | xxd -u -ps -c 20 | sort -u > out2.txt
grep -Ff out1.txt out2.txt | xxd -r -p > results.txt

Clean dictionary/wordlist of tabs and other non-printable characters (newlines are kept as line separators).
tr -cd '[:print:]\n' < dict.txt > outfile.txt
SYSTEM HASH EXTRACTION

WINDOWS

METERPRETER HASHDUMP
Post exploitation dump local SAM database:
meterpreter > run post/windows/gather/hashdump

CREDDUMP
https://github.com/Neohapsis/creddump7
Three modes of attack: cachedump, lsadump, pwdump

DUMP DOMAIN CACHED CREDENTIALS
Save Windows XP/Vista/7 registry hive tables
C:\WINDOWS\system32> reg.exe save HKLM\SAM sam_backup.hiv
C:\WINDOWS\system32> reg.exe save HKLM\SECURITY sec_backup.hiv
C:\WINDOWS\system32> reg.exe save HKLM\system sys_backup.hiv
Run creddump tools against the saved hive files:
cachedump.py <system hive> <security hive> <Vista/7>
(Vista/7) cachedump.py sys_backup.hiv sec_backup.hiv true
(XP) cachedump.py sys_backup.hiv sec_backup.hiv false

DUMP LSA SECRETS
lsadump.py sys_backup.hiv sec_backup.hiv

DUMP LOCAL PASSWORD HASHES
pwdump.py sys_backup.hiv sec_backup.hiv

MIMIKATZ
Post exploitation commands must be executed from SYSTEM level privileges.
mimikatz # privilege::debug
mimikatz # token::whoami
mimikatz # token::elevate
mimikatz # lsadump::sam
Save Windows XP/Vista/7 registry tables
C:\WINDOWS\system32> reg.exe save HKLM\SAM sam_backup.hiv
C:\WINDOWS\system32> reg.exe save HKLM\SECURITY
C:\WINDOWS\system32> reg.exe save HKLM\system
mimikatz # lsadump::sam SystemBkup.hiv SamBkup.hiv

*NIX
Requires root level privileges.
cat /etc/shadow
Example *NIX sha512crypt hash
root:$6$52450745$k5ka2p8bFuSmoVTltz0yyuaREkkKBcCNqoDKzYiDL9RaE8yMnPgh2XzzF0NDrUhgrcLwg78xslw5pJiypEdFX/

MAC OSX 10.5-10.7
Manual OSX Hash Extraction
dscl localhost -read /Search/Users/<username> | grep GeneratedUID | cut -c15-
cat /var/db/shadow/hash/<GUID> | cut -c169-216 > osx_hash.txt

MAC OSX 10.8-10.12
Manual OSX Hash Extraction
sudo defaults read /var/db/dslocal/nodes/Default/users/<username>.plist ShadowHashData | tr -dc '0-9a-f' | xxd -p -r | plutil -convert xml1 - -o -
Scripted OSX Hash Extraction
HASHCAT
https://gist.github.com/nueh/8252572
sudo plist2hashcat.py /var/db/dslocal/nodes/Default/users/<username>.plist
JOHN
https://github.com/truongkma/ctf-tools/blob/master/John/run/ml2john.py
sudo ml2john.py /var/db/dslocal/nodes/Default/users/<username>.plist
PCAP HASH EXTRACTION

LOCAL NETWORK AUTHENTICATION

PCREDZ
Extracts network authentication hashes from pcaps.
Single pcap file:
Pcredz -f example.pcap
Multiple pcap files in a directory:
Pcredz -d /path/to/pcaps
Interface to listen on and collect:
Pcredz -i eth0

WPA/WPA2 PSK AUTHENTICATION
Capture the 4-way WPA/WPA2 authentication handshake.

AIRMON-NG / AIRODUMP-NG / AIREPLAY-NG
Step 1: Create monitoring interface mon0 Ex) interface wlan0
airmon-ng start wlan0
Step 2: Capture packets to file on target AP channel Ex) channel 11
airodump-ng mon0 --write capture.cap -c 11
Step 3: Start deauth attack against BSSID Ex) bb:bb:bb:bb:bb:bb
aireplay-ng --deauth 0 -a bb:bb:bb:bb:bb:bb mon0
Step 4: Wait for confirmation to appear at top of terminal:
CH 11 ][ Elapsed: 25 s ][ <DATE / TIME> ][ WPA handshake: **
Step 5: Extract handshake into JOHN or HASHCAT format:

JOHN FORMAT EXTRACT
Step 1: cap2hccap.bin -e '<ESSID>' capture.cap capture_out.hccap
Step 2: hccap2john capture_out.hccap > jtr_capture

HASHCAT FORMAT EXTRACT
cap2hccapx.bin capture.cap capture_out.hccapx

MISC WLAN TOOLS
HCXTOOLS: capture and convert packets from wlan devices for use with Hashcat.
https://github.com/ZerBea/hcxtools
DATABASE HASH EXTRACTION
SQL queries require administrative privileges.

ORACLE 10g R2
SELECT username, password FROM dba_users WHERE username = '<username>';

ORACLE 11g R1
SELECT name, password, spare4 FROM sys.user$ WHERE name = '<username>';

MySQL4.1 / MySQL5+
SELECT User, Password FROM mysql.user INTO OUTFILE '/tmp/hash.txt';

MSSQL (2012), MSSQL (2014)
SELECT SL.name, SL.password_hash FROM sys.sql_logins AS SL;

POSTGRES
SELECT usename, passwd FROM pg_shadow;
MISCELLANEOUS HASH EXTRACTION
John The Ripper Jumbo comes with various programs to extract hashes:

NAME                        DESCRIPTION
1password2john.py           1Password vault hash extract
7z2john.py                  7zip encrypted archive hash extract
androidfde2john.py          Android FDE convert disks/images into JTR format
aix2john.py                 AIX shadow file /etc/security/passwd
apex2john.py                Oracle APEX hash formatting
bitcoin2john.py             Bitcoin old wallet hash extraction (check btcrecover)
blockchain2john.py          Blockchain wallet extraction
cisco2john.pl               Cisco config file ingestion/extract
cracf2john.py               CRACF program crafc.txt files
dmg2john.py                 Apple encrypted disk image
ecryptfs2john.py            eCryptfs disk encryption software
efs2john.py                 Windows Encrypting File System (EFS) extract
encfs2john.py               EncFS encrypted filesystem userspace
gpg2john                    PGP symmetrically encrypted files
hccap2john                  Convert pcap capture WPA file to JTR format
htdigest2john.py            HTTP Digest authentication
ikescan2john.py             IKE PSK SHA256 authentication
kdcdump2john.py             Key Distribution Center (KDC) servers
keepass2john                Keepass file hash extract
keychain2john.py            Processes input Mac OS X keychain files
keyring2john                Processes input GNOME Keyring files
keystore2john.py            Output password protected Java KeyStore files
known_hosts2john.py         SSH Known Host file
kwallet2john.py             KDE Wallet Manager tool to manage the passwords
ldif2john.pl                LDAP Data Interchange Format (LDIF)
lion2john.pl
lion2john-alt.pl            Converts an Apple OS X Lion plist file
lotus2john.py               Lotus Notes ID file for Domino
luks2john                   Linux Unified Key Setup (LUKS) disk encryption
mcafee_epo2john.py          McAfee ePolicy Orchestrator password generator
ml2john.py                  Convert Mac OS X 10.8 and later plist hash
mozilla2john.py             Mozilla Firefox, Thunderbird, SeaMonkey extract
odf2john.py                 Processes OpenDocument Format ODF files
office2john.py              Microsoft Office (97-03, 2007, 2010, 2013) hashes
openbsd_softraid2john.py    OpenBSD SoftRAID hash
openssl2john.py             OpenSSL encrypted files
pcap2john.py                PCAP extraction of various protocols
pdf2john.py                 PDF encrypted document hash extract
pfx2john                    PKCS12 files
putty2john                  PuTTY private key format
pwsafe2john                 Password Safe hash extract
racf2john                   IBM RACF binary database files
radius2john.pl              RADIUS protocol shared secret
rar2john                    RAR 3.x files input into proper format
sap2john.pl                 Converts password hashes from SAP systems
sipdump2john.py             Processes sipdump output files into JTR format
ssh2john                    SSH private key files
sshng2john.py               SSH-ng private key files
strip2john.py               Processes STRIP Password Manager database
sxc2john.py                 Processes SXC files
truecrypt_volume2john       TrueCrypt encrypted disk volume
uaf2john                    Convert OpenVMS SYSUAF file to unix-style file
vncpcap2john                TightVNC/RealVNC pcaps vs c3.3, 3.7 and 3.8 RFB
wpapcap2john                Converts PCAP or IVS2 files to JtR format
zip2john                    Processes ZIP files extracts hash into JTR format
PASSWORD ANALYSIS

HISTORICAL PASSWORD ANALYSIS TIPS
- The average password length is 7-9 characters.
- The average English word is 5 characters long.
- The average person knows 50,000 to 150,000 words.
- 50% chance a user's password will contain one or more vowels.
- Women prefer personal names in their passwords, and men prefer hobbies.
- Most likely to be used symbols: ~, !, @, #, $, %, &, *, and ?
- If a number, it's usually a 1 or 2, sequential, and will likely be at the end.
- If more than one number it will usually be sequential or personally relevant.
- If a capital letter, it's usually the beginning, followed by a vowel.
- 66% of people only use 1-3 passwords for all online accounts.
- One in nine people have a password based on the common Top 500 list.
- Western countries use lowercase passwords and Eastern countries prefer digits.

20-60-20 RULE
20-60-20 rule is a way to view the level of difficulty typically demonstrated by a large password dump, having characteristics that generally err on the side of a Gaussian Curve, mirroring the level of effort to recover said password dump.
20% of passwords are easily guessed dictionary words or known common passwords.
60% of passwords are moderate to slight variations of the earlier 20%.
20% of passwords are hard, lengthy, complex, or of unique characteristics.

EXAMPLE HASHES & PASSWORDS
This is an example list of passwords to help convey the variation and common complexities seen with typical password creation. It also shows individual user biases to aid in segmenting your attacks to be tailored toward a specific user.
CRACKING TIPS FOR EACH PASSWORD
*This List of passwords will be referenced throughout the book and the List can also be found online at: https://github.com/netmux/HASH-CRACK
PASSWORDPATTERNANALYSIS
Apasswordcancontainmanyusefulbitsofinformationrelatedtoit’screatorandtheirtendencies/patterns,butyouhavetobreakdownthestructuretodecipherthemeaning.Thisanalysisprocesscouldbeconsideredasub-categoryofTextAnalytics’andsplitintothreepatterncategoriesI’mcalling:BasicPattern,Macro-Pattern,&Micro-Pattern.*RefertoEXAMPLEHASH&PASSWORDSchapter(pg.29)fornumberedexamples.
BasicPattern:visuallyobviouswhencomparedtosimilargroupings(i.e.languageandbaseword/words&digits).Let’slookatAlice’spasswords(2,5):
R0b3rt2017! Jennifer1981!
-Eachpasswordusesaname:R0b3rt&Jennifer-Endingina4digitdatewithcommonspecialcharacter:2017!&1981!
!TIP!ThistypeofbasicpatternlendsitselftoasimpledictionaryandL33TspeakruleappendingdatesorhybridmaskattackappendingDict+?d?d?d?d?s
Macro-Pattern:statisticsaboutthepasswordsunderlyingstructuresuchaslengthandcharacterset.Let’slookatCraig’spasswords(6,9):
7482Sacrifice Solitaire7482
- Length structure can be summed up as: 4 Digits + 7 Alpha & 7 Alpha + 4 Digits
- Uses charsets ?l?u?d, so we may be able to ignore special characters.
- Basic Pattern preference for the numbers 7482 and Micro-Pattern for capitalizing words beginning in “S”.

!TIP! You can assume this user is ‘unlikely’ to have a password less than 12 characters (+-1 char) and the 4 digit constant lowers the work to 8 chars. These examples lend themselves to a Hybrid Attack (Dict+7482) or (7482+Dict).

Micro-Pattern: subtlety and context which expresses consistent case changes, themes, and personal data/interest. Let’s look at Bob’s passwords (1,4):
BlueParrot345 RedFerret789
- Each password begins with a color: Blue & Red
- Second word is a type of animal: Parrot & Ferret
- Consistent capitalization of all words
- Lastly, ending in a 3 digit sequential pattern: 345 & 789

!TIP! This pattern lends itself to a custom combo dictionary and rule or hybrid mask attack appending sequential digits ?d?d?d

So when analyzing passwords be sure to group passwords and look for patterns such as language, base word/digit, length, character sets, and subtle themes with possible contextual meaning or password policy restrictions.
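The grouping described above can be scripted when auditing a set of recovered passwords. The following is an added example, not code from the book or from PACK; it profiles the six passwords quoted in this chapter, and the function names and the choice to report every non-alphanumeric character as ?s are assumptions of the example.

```python
import re
import string

# Passwords quoted in the section above, grouped by user.
SAMPLES = {
    "Alice": ["R0b3rt2017!", "Jennifer1981!"],
    "Craig": ["7482Sacrifice", "Solitaire7482"],
    "Bob": ["BlueParrot345", "RedFerret789"],
}


def char_class(ch):
    """Map one character to a hashcat built-in charset token."""
    if ch in string.ascii_lowercase:
        return "?l"
    if ch in string.ascii_uppercase:
        return "?u"
    if ch in string.digits:
        return "?d"
    # Assumption: everything else is reported as ?s, although hashcat's ?s
    # only covers the printable ASCII specials.
    return "?s"


def mask_of(text):
    """Per-position mask, e.g. 'Ab1!' -> '?u?l?d?s'."""
    return "".join(char_class(c) for c in text)


def affix_masks(password):
    """Masks of the non-letter runs before and after the letter-bearing core.

    The core runs from the first letter to the last letter, so leetspeak
    digits inside a word (R0b3rt) stay in the core and only true prefixes
    and suffixes (2017!, 7482) are reported.
    """
    match = re.match(r"^([^A-Za-z]*)(.*?)([^A-Za-z]*)$", password, re.S)
    head, core, tail = match.groups()
    if not core:  # no letters at all: report the whole string as a suffix
        head, tail = "", password
    return mask_of(head), mask_of(tail)


def profile(passwords):
    """Summarise the traits to compare across one user's passwords."""
    if not passwords:
        raise ValueError("need at least one password")
    digit_sets = [set(re.findall(r"\d+", p)) for p in passwords]
    return {
        # Macro-pattern: length and character sets in use.
        "lengths": sorted({len(p) for p in passwords}),
        "charsets": sorted({char_class(c) for p in passwords for c in p}),
        "masks": [mask_of(p) for p in passwords],
        # Basic pattern: prefix/suffix structure and repeated digit constants.
        "affixes": [affix_masks(p) for p in passwords],
        "shared_digit_runs": sorted(set.intersection(*digit_sets)),
        # Micro-pattern: capitalised words that may share a theme.
        "words": [re.findall(r"[A-Z][a-z]+", p) for p in passwords],
    }


if __name__ == "__main__":
    for user, pws in SAMPLES.items():
        print(user)
        for key, value in profile(pws).items():
            print(f"  {key}: {value}")
```

The same profile run over a full credential audit shows which users reuse one structure across accounts, which is the finding to raise with them.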
WESTERN COUNTRY PASSWORD ANALYSIS

Password Length Distribution based on large corpus of English website dumps:
7=15% 8=27% 9=15% 10=12% 11=4.8% 12=4.9% 13=.6% 14=.3%

Character frequency analysis of a large corpus of English texts:
etaoinshrdlcumwfgypbvkjxqz

Character frequency analysis of a large corpus of English password dumps:
aeionrlstmcdyhubkgpjvfwzxq

Top Western password masks out of a large corpus of English website dumps:

EASTERN COUNTRY PASSWORD ANALYSIS

Password Length Distribution based on large corpus of Chinese website dumps:
7=21% 8=22% 9=12% 10=12% 11=4.2% 12=.9% 13=.5% 14=.5%

Character frequency analysis of a large corpus of Chinese texts:
aineohglwuyszxqcdjmbtfrkpv

Character frequency analysis of a large corpus of Chinese password dumps:
inauhegoyszdjmxwqbctlpfrkv

Top Eastern password masks out of a large corpus of Chinese website dumps:

PASSWORD MANAGER ANALYSIS

Apple Safari Password Generator - default password 15 characters with “-” & four groups of three random u=ABCDEFGHJKLMNPQRSTUVWXYZ l=abcdefghkmnopqrstuvwxy and d=3456789
Example) X9z-2Qp-3qm-WGN
XXX-XXX-XXX-XXX where X = ?u?l?d

Dashlane - default password 12 characters using just letters and digits.
Example) Up0k9ZAj54Kt
XXXXXXXXXXXX where X = ?u?l?d

KeePass - default password 20 characters using uppercase, lowercase, digits, and special.
Example) $Zt={EcgQ.Umf)R,C7XF
XXXXXXXXXXXXXXXXXXXX where X = ?u?l?d?s

LastPass - default password 12 characters using at least one digit, uppercase and lowercase.
Example) msfNdkG29n38
XXXXXXXXXXXX where X = ?u?l?d

RoboForm - default password 15 characters using uppercase, lowercase, digits, and special with a minimum of 5 digits.
Example) 871v2%%4F0w31zJ
XXXXXXXXXXXXXXX where X = ?u?l?d?s

Symantec Norton Identity Safe - default password 8 characters using uppercase, lowercase, and digits.
Example) Ws81f0Zg
XXXXXXXX where X = ?u?l?d

True Key - default password 16 characters using uppercase, lowercase, digits, and special.
Example) 1B1H:9N+@>+sgWs
XXXXXXXXXXXXXXXX where X = ?u?l?d?s

1Password v6 - default password 24 characters using uppercase, lowercase, digits, and special.
Example) cTmM7Tzm6iPhCdpMu.*V],VP
XXXXXXXXXXXXXXXXXXXXXXXX where X = ?u?l?d?s
PACK (Password Analysis and Cracking Kit)

http://thesprawl.org/projects/pack/

STATSGEN

Generate statistics about the most common length, percentages, character-set and other characteristics of passwords from a provided list.

python statsgen.py passwords.txt

STATSGEN OPTIONS
-o <file.txt>    output stats and masks to file
--hiderare       hide stats of passwords with less than 1% of occurrence
--minlength=     minimum password length for analysis
--maxlength=     maximum password length for analysis
--charset=       password char filter: loweralpha, upperalpha, numeric, special
--simplemask=    password mask filter: string, digit, special

STATSGEN EXAMPLES

Output stats of passwords.txt to file example.mask:
python statsgen.py passwords.txt -o example.mask

Hide less than 1% occurrence; only analyze passwords 7 characters and greater:
python statsgen.py passwords.txt --hiderare --minlength=7 -o example.mask

Stats on passwords with only numeric characters:
python statsgen.py passwords.txt --charset=numeric

ZXCVBN (LOW-BUDGET PASSWORD STRENGTH ESTIMATION)

A realistic password strength (entropy) estimator developed by Dropbox.

https://github.com/dropbox/zxcvbn

PIPAL (THE PASSWORD ANALYSER)

Password analyzer that produces stats and pattern frequency analysis.
https://digi.ninja/projects/pipal.php

pipal.rb -o outfile.txt passwords.txt

PASSPAT (PASSWORD PATTERN IDENTIFIER)

Keyboard pattern analysis tool for passwords.
https://digi.ninja/projects/passpat.php

passpat.rb --layout us passwords.txt

CHARACTER FREQUENCY ANALYSIS

Character frequency analysis is the study of the frequency of letters or groups of letters in a corpus/text. This is the basic building block of Markov chains.

Character-Frequency-CLI-Tool
Tool to analyze a large list of passwords and summarize the character frequency.
https://github.com/jcchurch/Character-Frequency-CLI-Tool

charfreq.py <options> passwords.txt

Options:
-w    Window size to analyze, default=1
-r    Rolling window size
-s    Skip spaces, tabs, newlines

ONLINE PASSWORD ANALYSIS RESOURCES

WEAKPASS
Analyzes public password dumps and provides efficient dictionaries for download.
http://weakpass.com/

PASSWORD RESEARCH
Important password security and authentication research papers in one place.
http://www.passwordresearch.com/

THE PASSWORD PROJECT
Compiled analysis of larger password dumps using PIPAL and PASSPAL tools.
http://www.thepasswordproject.com/leaked_password_lists_and_dictionaries
DICTIONARY / WORDLIST

DOWNLOAD RESOURCES

WEAKPASS
http://weakpass.com/wordlist

CRACKSTATION DICTIONARY
https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm

HAVE I BEEN PWNED
*You’ll have to crack the SHA1’s
https://haveibeenpwned.com/passwords

SKULL SECURITY WORDLISTS
https://wiki.skullsecurity.org/index.php?title=Passwords

CAPSOP
https://wordlists.capsop.com/

UNIX-NINJA DNA DICTIONARY
*Dictionary link at bottom of article*
https://www.unix-ninja.com/p/Password_DNA

PROBABLE-WORDLIST
https://github.com/berzerk0/Probable-Wordlists

EFF-WORDLIST
Long-list (7,776 words) & Short-list (1,296 words)
https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt
https://www.eff.org/files/2016/09/08/eff_short_wordlist_1.txt

RAINBOW TABLES
*Rainbow Tables are for the most part obsolete but provided here for reference*
http://project-rainbowcrack.com/table.htm
WORDLIST GENERATION

JOHN THE RIPPER
Generate wordlist that meets complexity specified in the complex filter.

john --wordlist=dict.txt --stdout --external:[filter name] > outfile.txt

STEMMING PROCESS
Stripping characters from a password list to reach the “stem” or base word/words of the candidate password. Commands are from “File Manipulation Cheat Sheet”.

Extract all lowercase strings from each line and output to wordlist.
sed 's/[^a-z]*//g' passwords.txt > outfile.txt

Extract all uppercase strings from each line and output to wordlist.
sed 's/[^A-Z]*//g' passwords.txt > outfile.txt

Extract all lowercase/uppercase strings from each line and output to wordlist.
sed 's/[^a-zA-Z]*//g' passwords.txt > outfile.txt

Extract all digits from each line in file and output to wordlist.
sed 's/[^0-9]*//g' passwords.txt > outfile.txt
HASHCAT UTILS

https://hashcat.net/wiki/doku.php?id=hashcat_utils

COMBINATOR
Combine multiple wordlists with each word appended to the other.

combinator.bin dict1.txt dict2.txt > combined_dict.txt

combinator3.bin dict1.txt dict2.txt dict3.txt > combined_dict.txt

CUTB
Cut the specific length off the existing wordlist and pass it to STDOUT.
cutb.bin offset [length] < infile.txt > outfile.txt

Example to cut first 4 characters in a wordlist and place into a file:

cutb.bin 0 4 < dict.txt > outfile.txt

RLI

Compares a file against another file or files and removes all duplicates.

rli dict1.txt outfile.txt dict2.txt

REQ
Dictionary candidates are passed to stdout if they match a specified password group criteria/requirement. Groups can be added together (i.e. 1 + 2 = 3)
1 = LOWER (abcdefghijklmnoprstuvwxyz)
2 = UPPER (ABCDEFGHIJKLMNOPRSTUVWXYZ)
4 = DIGIT (0123465789)
8 = OTHER (All other characters not matching 1, 2, or 4)

This example would stdout all candidates matching upper and lower characters

req.bin 3 < dict.txt

COMBIPOW
Creates “unique combinations” of a custom dictionary; dictionary cannot be greater than 64 lines; option -1 limits candidates to 15 characters.

combipow.bin dict.txt
combipow.bin -1 dict.txt

EXPANDER
Dictionary into stdin is parsed and split into all its single chars (up to 4) and sent to stdout.

expander.bin < dict.txt

LEN
Each candidate in a dictionary is checked for length and sent to stdout.
len.bin <minlen> <maxlen> < dict.txt

This example would send to stdout all candidates 5 to 10 chars long.

len.bin 5 10 < dict.txt

MORPH
Auto generates insertion rules for the most frequent chains of characters

morph.bin dict.txt depth width pos_min pos_max

PERMUTE
Dictionary into stdin parsed and run through “The Countdown QuickPerm Algorithm”

permute.bin < dict.txt

CRUNCH
Wordlist generator can specify a character set and generate all possible combinations and permutations.
https://sourceforge.net/projects/crunch-wordlist/

crunch <min length> <max length> <character set> -o outfile.txt

crunch 8 8 0123456789ABCDEF -o crunch_wordlist.txt
TARGETED WORDLISTS

CeWL
Custom wordlist generator scrapes & compiles keywords from websites.
https://digi.ninja/projects/cewl.php

Example scan depth of 2 and minimum word length of 5 output to wordlist.txt

cewl -d 2 -m 5 -w wordlist.txt http://<target website>

SMEEGESCRAPE
Text file and website scraper which generates custom wordlists from content.
http://www.smeegesec.com/2014/01/smeegescrape-text-scraper-and-custom.html

Compile unique keywords from text file and output into wordlist.

SmeegeScrape.py -f file.txt -o wordlist.txt

Scrape keywords from target website and output into wordlist.

SmeegeScrape.py -u http://<target website> -si -o wordlist.txt

GENERATE PASSWORD HASHES

Use the below methods to generate hashes for specific algorithms.

HASHCAT
https://github.com/hashcat/hashcat/tree/master/tools

test.pl passthrough <#type> <#> dict.txt

MDXFIND
https://hashes.org/mdxfind.php

echo | mdxfind -z -h '<#type>' dict.txt

LYRICPASS (Song Lyrics Password Generator)

https://github.com/initstring/lyricpass
Generator using song lyrics from chosen artist to create custom dictionary.

python lyricpass.py "Artist Name" artist-dict.txt
CONVERT WORDLIST ENCODING

HASHCAT
Force internal wordlist encoding from X
hashcat -a 0 -m #type hash.txt dict.txt --encoding-from=utf-8

Force internal wordlist encoding to X
hashcat -a 0 -m #type hash.txt dict.txt --encoding-to=iso-8859-15

ICONV
Convert wordlist into language specific encoding

iconv -f <old_encode> -t <new_encode> < dict.txt | sponge dict.txt.enc

CONVERT HASHCAT $HEX OUTPUT

Example of converting $HEX[] entries in hashcat.pot file to ASCII

grep '$HEX' hashcat.pot | awk -F ":" '{print $2}' | perl -ne 'if ($_ =~ m/\$HEX\[([A-Fa-f0-9]+)\]/) {print pack("H*", $1), "\n"}'
EXAMPLE CUSTOM DICTIONARY CREATION

1 - Create a custom dictionary using CeWL from www.netmux.com website:

cewl -d 2 -m 5 -w custom_dict.txt http://www.netmux.com

2 - Combine the new custom_dict.txt with the Google 10,000 most common English words:
https://github.com/first20hours/google-10000-english

cat google-1000.txt >> custom_dict.txt

3 - Combine with Top 196 passwords from “Probable Wordlists”:
github.com/berzerk0/Probable-Wordlists/blob/master/Real-Passwords

cat Top196-probable.txt >> custom_dict.txt

4 - Combo the Top196-probable.txt together using Hashcat-util “combinator.bin” and add it to our custom_dict.txt

combinator.bin Top196-probable.txt Top196-probable.txt >> custom_dict.txt

5 - Run the best64.rule from Hashcat on Top196-probable.txt and send that output into our custom dictionary:

hashcat -a 0 Top196-probable.txt -r best64.rule --stdout >> custom_dict.txt

Can you now come up with an attack that can crack this hash?

e4821d16a298092638ddb7cadc26d32f

*Answer in the Appendix
RULES & MASKS

RULE FUNCTIONS

Following are compatible between Hashcat, John The Ripper, & PasswordPro
https://hashcat.net/wiki/doku.php?id=rule_based_attack

RULES TO REJECT PLAINS
https://hashcat.net/wiki/doku.php?id=rule_based_attack

IMPLEMENTED SPECIFIC FUNCTIONS
Following functions are not compatible with John The Ripper & PasswordPro

RULE ATTACK CREATION

EXAMPLE RULE CREATION & OUTPUT
Below we apply basic rules to help explain the expected output when using rules.

MASK PROCESSOR HASHCAT-UTIL
https://github.com/hashcat/maskprocessor
Maskprocessor can be used to generate a long list of rules very quickly.

Example rule creation of prepend digit and special char to dictionary candidates (i.e. ^1^!, ^2^@, ...):

mp64.bin '^?d^?s' -o rule.txt

Example creating rule with custom charset appending lower, uppercase chars and all digits to dictionary candidates (i.e. $a$Q$1, $e$A$2, ...):

mp64.bin -1 aeiou -2 QAZWSX '$?1$?2$?d'

GENERATE RANDOM RULES ATTACK (i.e. “Raking”)

hashcat -a 0 -m #type -g <#rules> hash.txt dict.txt

GENERATE RANDOM RULES FILE USING HASHCAT-UTIL
generate-rules.bin <#rules> <seed> | ./cleanup-rules.bin [1=CPU,2=GPU] > out.txt

generate-rules.bin 1000 42 | ./cleanup-rules.bin 2 > out.txt

SAVE SUCCESSFUL RULES / METRICS

hashcat -a 0 -m #type --debug-mode=1 --debug-file=debug.txt hash.txt -r rule.txt

SEND RULE OUTPUT TO STDOUT / VISUALLY VERIFY RULE OUTPUT

hashcat dict.txt -r rule.txt --stdout

john --wordlist=dict.txt --rules=example --stdout
PACK (Password Analysis and Cracking Kit) RULE CREATION

http://thesprawl.org/projects/pack/

RULEGEN

Advanced techniques for reversing source words and word mangling rules from already cracked passwords by continuously recycling/expanding generated rules and words. Outputs rules in Hashcat format.
http://thesprawl.org/research/automatic-password-rule-analysis-generation/
**Ensure you install ‘AppleSpell’ ‘aspell’ module using package manager**

python rulegen.py --verbose --password P@ssw0rd123

RULEGEN OPTIONS

-b rockyou            Output base name. The following files will be generated: basename.words, basename.rules and basename.stats
-w wiki.dict          Use a custom wordlist for rule analysis.
-q, --quiet           Don’t show headers.
--threads=THREADS     Parallel threads to use for processing.

Fine tune source word generation:
--maxworddist=10      Maximum word edit distance (Levenshtein)
--maxwords=5          Maximum number of source word candidates to consider
--morewords           Consider suboptimal source word candidates
--simplewords         Generate simple source words for given passwords

Fine tune rule generation:
--maxrulelen=10       Maximum number of operations in a single rule
--maxrules=5          Maximum number of rules to consider
--morerules           Generate suboptimal rules
--simplerules         Generate simple rules insert, delete, replace
--bruterules          Bruteforce reversal and rotation rules (slow)

Fine tune spell checker engine:
--providers=aspell,myspell    Comma-separated list of provider engines

Debugging options:
-v, --verbose         Show verbose information.
-d, --debug           Debug rules.
--password            Process the last argument as a password not a file.
--word=Password       Use a custom word for rule analysis
--hashcat             Test generated rules with hashcat-cli

RULEGEN EXAMPLES

Analysis of a single password to automatically detect rules and potential source word used to generate a sample password:
python rulegen.py --verbose --password P@ssw0rd123

Analyze passwords.txt and output results:
python rulegen.py passwords.txt -q

analysis.word - unsorted and non-uniqued source words
analysis-sorted.word - occurrence sorted and unique source words
analysis.rule - unsorted and non-uniqued rules
analysis-sorted.rule - occurrence sorted and unique rules
HASHCAT INCLUDED RULES    Approx # Rules

Incisive-leetspeak.rule    15,487
InsidePro-HashManager.rule    6,746
InsidePro-PasswordsPro.rule    3,254
T0XlC-insert_00-99_1950-2050_toprules_0_F.rule    4,019
T0XlC-insert_space_and_special_0_F.rule    482
T0XlC-insert_top_100_passwords_1_G.rule    1,603
T0XlC.rule    4,088
T0XlCv1.rule    11,934
best64.rule    77
combinator.rule    59
d3ad0ne.rule    34,101
dive.rule    99,092
generated.rule    14,733
generated2.rule    65,117
leetspeak.rule    29
oscommerce.rule    256
rockyou-30000.rule    30,000
specific.rule    211
toggles1.rule    15
toggles2.rule    120
toggles3.rule    575
toggles4.rule    1,940
toggles5.rule    4,943
unix-ninja-leetspeak.rule    3,073

JOHN INCLUDED RULES    Approx # Rules

All (Jumbo + KoreLogic)    7,074,300
Extra    17
Jumbo (Wordlist + Single + Extra + NT + OldOffice)    226
KoreLogic    7,074,074
Loopback (NT + Split)    15
NT    14
OldOffice    1
Single    169
Single-Extra (Single + Extra + OldOffice)    187
Split    1
Wordlist    25

http://www.openwall.com/john/doc/RULES.shtml
CUSTOM RULE PLANS

MASK ATTACK CREATION

DEBUG / VERIFY MASK OUTPUT
hashcat -a 3 ?a?a?a?a --stdout
john --mask=?a?a?a?a --stdout

HASHCAT MASK ATTACK CREATION

Example usage:
hashcat -a 3 -m #type hash.txt <mask>

Example brute-force all possible combinations 7 characters long:
hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a?a

Example brute-force all possible combinations 1-7 characters long:
hashcat -a 3 -m #type hash.txt -i ?a?a?a?a?a?a?a

Example brute-force uppercase first letter, 3 unknown middle characters, and ends in 2 digits (i.e. Pass12):
hashcat -a 3 -m #type hash.txt ?u?a?a?a?d?d

Example brute-force known first half word “secret” and unknown ending:
hashcat -a 3 -m #type hash.txt secret?a?a?a?a

Example hybrid mask (left side) + wordlist (right side) (i.e. 123!Password)
hashcat -a 7 -m #type hash.txt ?a?a?a?a dict.txt

Example wordlist (left side) + hybrid mask (right side) (i.e. Password123!)
hashcat -a 6 -m #type hash.txt dict.txt ?a?a?a?a

HASHCAT CUSTOM CHARSETS

Four custom buffer charsets to create efficient targeted mask attacks defined as: -1 -2 -3 -4

Example custom charset targeting passwords that only begin in a, A, b, B, or c, C, 4 unknown middle characters, and end with a digit (i.e. a17z#q7):
hashcat -a 3 -m #type hash.txt -1 abcABC ?1?a?a?a?a?d

Example custom charset targeting passwords that only begin in uppercase or lowercase, 4 digits in the middle, and end in special character !, @, $ (i.e. W7462! or f1234$):
hashcat -a 3 -m #type hash.txt -1 ?u?l -2 '!@$' ?1?d?d?d?d?2

Example using all four custom charsets at once (i.e. pow!12er):
hashcat -a 3 -m #type hash.txt -1 qwer -2 poiu -3 123456 -4 '!@#$%' ?2?2?1?4?3?3?1?1
JOHN MASK ATTACK CREATION

Example usage:
john --format=#type hash.txt --mask=<mask>

Example brute-force all possible combinations up to 7 characters long:
john --format=#type hash.txt --mask=?a?a?a?a?a?a?a

Example brute-force uppercase first letter, 3 unknown middle characters, and ends in 2 digits (i.e. Pass12):
john --format=#type hash.txt --mask=?u?a?a?a?d?d

Example brute-force known first half word “secret” and unknown ending:
john --format=#type hash.txt --mask=secret?a?a?a?a

Example mask (left side) + wordlist (right side) (i.e. 123!Password)
john --format=#type hash.txt --wordlist=dict.txt --mask=?a?a?a?a?w

Example wordlist (left side) + mask (right side) (i.e. Password123!)
john --format=#type hash.txt --wordlist=dict.txt --mask=?w?a?a?a?a

JOHN CUSTOM CHARSETS

Nine custom buffer charsets to create efficient targeted mask attacks defined as: -1 -2 -3 -4 -5 -6 -7 -8 -9

Example custom charset targeting passwords that only begin in a, A, b, B, or c, C, 4 unknown middle characters, and end with a digit (i.e. a17z#q7):
john --format=#type hash.txt -1=abcABC --mask=?1?a?a?a?a?d

Example custom charset targeting passwords that only begin in uppercase or lowercase, 4 digits in the middle, and end in special character !, @, $ (i.e. W7462! or f1234$):
john --format=#type hash.txt -1=?u?l -2='!@$' --mask=?1?d?d?d?d?2

Example using four custom charsets at once (i.e. pow!12er):
john --format=#type hash.txt -1=qwer -2=poiu -3=123456 -4='!@#$%' --mask=?2?2?1?4?3?3?1?1
HASHCAT MASK CHEAT SHEET

JOHN MASK CHEAT SHEET

MASK FILES

Hashcat allows for the creation of mask files by placing custom masks, one per line, in a text file with “.hcmask” extension.

HASHCAT BUILT-IN MASK FILES    Approx # Masks

8char-1l-1u-1d-1s-compliant.hcmask    40,824
8char-1l-1u-1d-1s-noncompliant.hcmask    24,712
rockyou-1-60.hcmask    836
rockyou-2-1800.hcmask    2,968
rockyou-3-3600.hcmask    3,971
rockyou-4-43200.hcmask    7,735
rockyou-5-86400.hcmask    10,613
rockyou-6-864000.hcmask    17,437
rockyou-7-2592000.hcmask    25,043

WESTERN COUNTRY TOP MASKS

EASTERN COUNTRY TOP MASKS

PACK (Password Analysis and Cracking Kit) MASK CREATION

http://thesprawl.org/projects/pack/

MASKGEN

MaskGen allows you to automatically generate pattern-based mask attacks from known passwords and filter by length and desired cracking time.

python maskgen.py example.mask

MASKGEN OPTIONS

Individual Mask Filter Options:

Mask Sorting Options:

Check mask coverage:

Miscellaneous options:

MASKGEN EXAMPLES

Gather stats about cracked passwords.txt and hide the less than 1% results:
python statsgen.py --hiderare passwords.txt

Save masks stats to a .mask file for further analysis:
python statsgen.py --hiderare passwords.txt -o example.mask

Analyze example.mask results, number of masks, estimated time to crack, etc...
python maskgen.py example.mask

Create 24 hour (86400 seconds) mask attack based on cracking speed of a single GTX 1080 against MD5 hashes 24943.1 MH/s (based on appendix table). !Substitute your GPU’s cracking speed against MD5 (c/s)!
python maskgen.py example.mask --targettime=86400 --optindex --pps=24943000000 -q

Output 24 hour mask attack to a .hcmask file for use in Hashcat:
python maskgen.py example.mask --targettime=86400 --optindex --pps=24943000000 -q -o example.hcmask

Use your new example.hcmask file with Hashcat in mask attack mode:
hashcat -a 3 -m #type hash.txt example.hcmask
TIME TABLE CHEAT SHEET

POLICYGEN

Generate a collection of masks following the password complexity in order to significantly reduce the cracking time.

python policygen.py [options] -o example.hcmask

POLICYGEN OPTIONS

Password Policy: Define the minimum (or maximum) password strength policy that you would like to test

POLICYGEN EXAMPLES

Generate mask attack for password policy 8 character length requiring at least 1 lowercase, 1 uppercase, 1 digit, and 1 special character:
python policygen.py --minlength 8 --maxlength 8 --minlower 1 --minupper 1 --mindigit 1 --minspecial 1 -o example.hcmask

Generate mask attack and estimate time of completion based on GTX 1080 against MD5 hashes 24943.1 MH/s (based on appendix table) for password policy 8 character length requiring at least 1 lowercase, 1 uppercase, 1 digit, and 1 special character:
python policygen.py --minlength 8 --maxlength 8 --minlower 1 --minupper 1 --mindigit 1 --minspecial 1 -o example.hcmask --pps=24943000000
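To see how much the 8 character policy in the examples above narrows the search space, the masks can be enumerated directly. The following is an added example, not PACK’s own code; it enumerates the masks for that policy and sums their keyspace, using the page’s --pps figure. The function names are hypothetical, and the mask counts it produces match the 40,824 and 24,712 listed for hashcat’s built-in 8char-1l-1u-1d-1s mask files earlier in this chapter.

```python
from itertools import product

# Sizes of hashcat's built-in charsets ?l, ?u, ?d and ?s (?s holds the 33
# printable ASCII specials, space included), 95 characters in total.
CHARSET_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33}

# Policy and speed taken from the POLICYGEN examples above.
POLICY = {"l": 1, "u": 1, "d": 1, "s": 1}
PPS = 24943000000


def policy_masks(length, minimums):
    """Yield (mask, keyspace) for every mask of `length` meeting the policy.

    `minimums` maps a class letter (l, u, d, s) to its required count.
    """
    for combo in product(CHARSET_SIZE, repeat=length):
        if all(combo.count(cls) >= need for cls, need in minimums.items()):
            keyspace = 1
            for cls in combo:
                keyspace *= CHARSET_SIZE[cls]
            yield "".join("?" + cls for cls in combo), keyspace


def summarize(length, minimums, pps):
    """Count compliant masks and compare their keyspace with the full one."""
    compliant_masks = 0
    compliant_keyspace = 0
    for _mask, keyspace in policy_masks(length, minimums):
        compliant_masks += 1
        compliant_keyspace += keyspace
    total_masks = len(CHARSET_SIZE) ** length
    full_keyspace = sum(CHARSET_SIZE.values()) ** length
    return {
        "compliant_masks": compliant_masks,
        "noncompliant_masks": total_masks - compliant_masks,
        "compliant_keyspace": compliant_keyspace,
        "full_keyspace": full_keyspace,
        # Fraction of all 8 character strings that the policy still allows.
        "policy_share": compliant_keyspace / full_keyspace,
        "hours_compliant": compliant_keyspace / pps / 3600,
        "hours_full": full_keyspace / pps / 3600,
    }


if __name__ == "__main__":
    for key, value in summarize(8, POLICY, PPS).items():
        print(f"{key}: {value}")
```

For a policy owner, the hours_compliant figure is the number that matters: it is the upper bound on how long an unsalted fast hash of any compliant 8 character password holds at that speed.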
CUSTOM MASK PLANS

DATE YYMMDD MASK
hashcat -a 3 -m #type hash.txt -1 12 -2 90 -3 01 -4 123 ?1?2?3?d?4?d

DATE YYYYMMDD MASK
hashcat -a 3 -m #type hash.txt -1 12 -2 90 -3 01 -4 123 ?1?2?d?d?3?d?4?d

3 SEQUENTIAL NUMBERS MASK + SPECIAL

hashcat -a 3 -m #type hash.txt -1 147 -2 258 -3 369 ?1?2?3?s
FOREIGN CHARACTER SETS

UTF8 POPULAR LANGUAGES

*Incremental four character password examples

Arabic UTF8 (d880-ddbf)
hashcat -a 3 -m #type hash.txt --hex-charset -1 d8d9dadbdcdd -2 808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf -i ?1?2?1?2?1?2?1?2

Bengali UTF8 (e0a680-e0adbf)
hashcat -a 3 -m #type hash.txt --hex-charset -1 e0 -2 a6a7a8a9aaabacad -3 808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf -i ?1?2?3?1?2?3?1?2?3?1?2?3

Chinese (Common Characters) UTF8 (e4b880-e4bbbf)
hashcat -a 3 -m #type hash.txt --hex-charset -1 e4 -2 b8b9babb -3 808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf -i ?1?2?3?1?2?3?1?2?3?1?2?3

Japanese (Katakana & Hiragana) UTF8 (e38180-e3869f)
hashcat -a 3 -m #type hash.txt --hex-charset -1 e3 -2 818283848586 -3 808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf -i ?1?2?3?1?2?3?1?2?3?1?2?3

Russian UTF8 (d080-d4bf)
hashcat -a 3 -m #type hash.txt --hex-charset -1 d0d1d2d3d4 -2 808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf -i ?1?2?1?2?1?2?1?2
HASHCAT BUILT-IN CHARSETS

German
hashcat -a 3 -m #type hash.txt -1 charsets/German.hcchr -i ?1?1?1?1

French
hashcat -a 3 -m #type hash.txt -1 charsets/French.hcchr -i ?1?1?1?1

Portuguese
hashcat -a 3 -m #type hash.txt -1 charsets/Portuguese.hcchr -i ?1?1?1?1

SUPPORTED LANGUAGE ENCODINGS
hashcat -a 3 -m #type hash.txt -1 charsets/<language>.hcchr -i ?1?1?1?1

Bulgarian, Castilian, Catalan, English, French, German, Greek, Greek Polytonic, Italian, Lithuanian, Polish, Portuguese, Russian, Slovak, Spanish

JOHN UTF8 & BUILT-IN CHARSETS

OPTIONS:
--encoding=NAME             input encoding (eg. UTF-8, ISO-8859-1).
--input-encoding=NAME       input encoding (alias for --encoding)
--internal-encoding=NAME    encoding used in rules/masks (see doc/ENCODING)
--target-encoding=NAME      output encoding (used by format)

Example LM hashes from Western Europe, using a UTF-8 wordlist:
john --format=lm hash.txt --encoding=utf8 --target:cp850 --wo:spanish.txt

Example using UTF-8 wordlist with internal encoding for rules processing:
john --format=#type hash.txt --encoding=utf8 --internal=CP1252 --wordlist=french.lst --rules

Example mask mode printing all possible “Latin-1” words of length 4:
john --stdout --encoding=utf8 --internal=8859-1 --mask:?1?1?1?1

SUPPORTED LANGUAGE ENCODINGS
UTF-8, ISO-8859-1 (Latin), ISO-8859-2 (Central/Eastern Europe), ISO-8859-7 (Latin/Greek), ISO-8859-15 (Western Europe), CP437 (Latin), CP737 (Greek), CP850 (Western Europe), CP852 (Central Europe), CP858 (Western Europe), CP866 (Cyrillic), CP1250 (Central Europe), CP1251 (Russian), CP1252 (Default Latin1), CP1253 (Greek) and KOI8-R (Cyrillic).
HASHCAT ?b BYTE CHARSET

If you’re unsure as to the position of a foreign character set contained within your target password, you can attempt the ?b byte charset in a mask using a sliding window. For example if we have a password 6 characters long:

?b = 256 byte = 0x00 - 0xff

hashcat -a 3 -m #type hash.txt
?b?a?a?a?a?a
?a?b?a?a?a?a
?a?a?b?a?a?a
?a?a?a?b?a?a
?a?a?a?a?b?a
?a?a?a?a?a?b

CONVERT ENCODING

HASHCAT
Force internal wordlist encoding from X
hashcat -a 0 -m #type hash.txt dict.txt --encoding-from=utf-8

Force internal wordlist encoding to X
hashcat -a 0 -m #type hash.txt dict.txt --encoding-to=iso-8859-15

ICONV
Convert wordlist into language specific encoding
iconv -f <old_encode> -t <new_encode> < dict.txt | sponge dict.txt.enc

CONVERT HASHCAT $HEX OUTPUT

Example of converting $HEX[] entries in hashcat.pot file to ASCII
grep '$HEX' hashcat.pot | awk -F ":" '{print $2}' | perl -ne 'if ($_ =~ m/\$HEX\[([A-Fa-f0-9]+)\]/) {print pack("H*", $1), "\n"}'
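The $HEX[] conversion shown here and in the DICTIONARY / WORDLIST chapter can also be done per line with the hash kept beside its decoded plaintext. The following is an added example, not code from the book or from hashcat; it goes beyond the one-liner by handling salted hash:salt:plain lines and non-UTF-8 bytes. It assumes the plaintext is always the last colon-separated field, the encoding fallback order is a choice of this example, and the potfile lines are constructed samples.

```python
import re

HEX_FIELD = re.compile(r"^\$HEX\[([0-9A-Fa-f]*)\]$")

# Constructed sample potfile lines (placeholder hashes, not real digests).
SAMPLE_POTFILE = [
    "00000000000000000000000000000001:letmein",
    "00000000000000000000000000000002:$HEX[70c3a4737377c3b67264]",
    "00000000000000000000000000000003:$HEX[636166e9]",
    "00000000000000000000000000000004:examplesalt:$HEX[613a62]",
]


def decode_plain(field, encodings=("utf-8", "cp1252")):
    """Return (text, encoding_used) for one potfile plaintext field.

    Fields that are not wrapped in $HEX[] are returned unchanged with
    encoding None. Wrapped fields are hex-decoded and then tried against
    each encoding in order, with latin-1 as a fallback that cannot fail.
    """
    match = HEX_FIELD.match(field)
    if match is None:
        return field, None
    raw = bytes.fromhex(match.group(1))  # ValueError on odd-length hex
    for encoding in encodings:
        try:
            return raw.decode(encoding), encoding
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1"), "latin-1"


def parse_potfile_line(line):
    """Split one line into (hash_part, plaintext, encoding_used).

    Splitting on the LAST colon keeps salted entries (hash:salt:plain)
    intact, which taking the second field with awk does not.
    """
    line = line.rstrip("\r\n")
    hash_part, sep, plain = line.rpartition(":")
    if not sep:
        raise ValueError("not a hash:plain line: %r" % line)
    text, encoding = decode_plain(plain)
    return hash_part, text, encoding


def decode_potfile(lines):
    """Decode every non-empty line of a potfile-style iterable."""
    return [parse_potfile_line(line) for line in lines if line.strip()]


if __name__ == "__main__":
    for hash_part, text, encoding in decode_potfile(SAMPLE_POTFILE):
        print(hash_part, repr(text), encoding)
```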
ADVANCED ATTACKS

PRINCE ATTACK

PRINCE (PRobability INfinite Chained Elements) Attack takes one input wordlist and builds “chains” of combined words automatically.

HASHCAT PRINCEPROCESSOR
https://github.com/hashcat/princeprocessor

Attack slow hashes:

pp64.bin dict.txt | hashcat -a 0 -m #type hash.txt

Amplified attack for fast hashes:

pp64.bin --case-permute dict.txt | hashcat -a 0 -m #type hash.txt -r rule.txt

Example PRINCE attack producing minimum 8 char candidates with 4 elements piped directly into Hashcat with rules attack.

pp64.bin --pw-min=8 --limit=4 dict.txt | hashcat -a 0 -m # hash.txt -r best64.rule

PRINCECEPTION ATTACK (epixoip)
Piping the output of one PRINCE attack into another PRINCE attack.

pp64.bin dict.txt | pp64.bin | hashcat -a 0 -m #type hash.txt

JOHN BUILT-IN PRINCE ATTACK

john --prince=dict.txt hash.txt
MASK PROCESSOR

Mask attack generator with a custom configurable charset and ability to limit consecutive and repeating characters to decrease attack keyspace.
https://github.com/hashcat/maskprocessor

Limit 4 consecutive identical characters in the password string “-q” option:

mp64.bin -q 4 ?d?d?d?d?d?d?d?d | hashcat -a 0 -m #type hash.txt

Limit 4 identical characters in the password string “-r” option:

mp64.bin -r 4 ?d?d?d?d?d?d?d?d | hashcat -a 0 -m #type hash.txt

Limit 2 consecutive and 2 identical characters in the password string:

mp64.bin -r 2 -q 2 ?d?d?d?d?d?d?d?d | hashcat -a 0 -m #type hash.txt

Custom charset limiting 2 consecutive and 2 identical characters in the password string:

mp64.bin -r 2 -q 2 -1 aeiuo -2 TGBYHN ?1?2?1?2?d?d?d?d | hashcat -a 0 -m #type hash.txt
CUSTOM MARKOV MODEL / STATSPROCESSOR

Word-generator based on the per-position markov-attack.
https://github.com/hashcat/statsprocessor

HCSTATGEN
Create custom Markov models using hashcat-util hcstatgen.bin based on cracked target passwords. The util hcstatgen makes a 32MB file each time no matter how small/large the password list provided. Highly recommended you make custom Markov models for different target sets.

hcstatgen.bin outfile.hcstat < passwords.txt

STATSPROCESSOR
Is a high-performance word-generator based on a user supplied per-position Markov model (hcstat file) using mask attack notation.

Step 1: Create your custom Markov model

hcstatgen.bin out.hcstat < passwords.txt

Step 2.1: Supply your new Markov model to Hashcat as mask or rule attack.

hashcat -a 3 -m #type hash.txt --markov-hcstat=out.hcstat ?a?a?a?a?a?a

hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt --markov-hcstat=out.hcstat

Step 2.2: OR Supply your new Markov model with sp64 and pipe into Hashcat.

sp64.bin --pw-min 3 --pw-max 5 out.hcstat ?1?1?1?1?1?1 | hashcat -a 0 -m #type hash.txt

KEYBOARD WALK PROCESSOR

Keyboard-walk generator with configurable basechars, keymappings and routes.
https://github.com/hashcat/kwprocessor

Example keyboard walk with tiny charset in english mapping and with 2-10 adjacent keys piping out results into a hashcat attack:
kwp.bin basechars/tiny.base keymaps/en.keymap routes/2-to-10-max-3 -0 -z | hashcat -a 0 -m #type hash.txt

Example keyboard walk with full charset in english mapping and with 3x3 adjacent keys piping out results into a hashcat attack:
./kwp basechars/full.base keymaps/en.keymap routes/3-to-3-exhaustive.route | hashcat -a 0 -m #type hash.txt

[FULL LIST OF OPTIONS]
MDXFIND / MDSPLIT

https://hashes.org/mdxfind.php (credit ‘Waffle’)

MDXFIND is a program which allows you to run large numbers of unsolved hashes of any type, using many algorithms concurrently, against a large number of plaintext words and rules, very quickly. Its main purpose was to deal with large lists (20 million, 50 million, etc) of unsolved hashes and run them against new dictionaries as you acquire them.

So when would you use MDXFIND on a pentest? If you dump a database tied to website authentication and the hashes are not cracking by standard attack plans. The hashes may be generated in a unique nested hashing series. If you are able to view the source code of said website to view the custom hashing function you can direct MDXFIND to replicate that hashing series. If not, you can still run MDXFIND using some of the below ‘Generic Attack Commands’. MDXFIND is tailored toward intermediate to expert level password cracking but is extremely powerful and flexible.

Example website SHA1 custom hashing function performing multiple iterations:

$hash = sha1($password . $salt);
for ($i = 1; $i <= 65000; ++$i) {
    $hash = sha1($hash . $salt);
}

MDXFIND

COMMAND STRUCTURE THREE METHODS 1-STDOUT 2-STDIN 3-File

1 - Reads hashes coming from cat (or other) commands stdout.

cat hash.txt | mdxfind -h <regex #type> -i <#iterations> dict.txt > out.txt

2 - Takes stdin from outside attack sources in place of dict.txt when using the options variable ‘-f’ to specify hash.txt file location and variable ‘stdin’.

mp64.bin ?d?d?d?d?d?d | mdxfind -h <regex #type> -i <#iterations> -f hash.txt stdin > out.txt

3 - Specify file location ‘-f’ with no external stdout/stdin sources.

mdxfind -h <regex #type> -i <#iterations> -f hash.txt dict.txt > out.txt

[FULL LIST OF OPTIONS]
-a    Do email address munging
-b    Expand each word into unicode, best effort
-c    Replace each special char (<>&, etc) with XML equivalents
-d    De-duplicate wordlists, best effort...but best to do ahead of time
-e    Extended search for truncated hashes
-p    Print source (filename) of found plain-texts
-q    Internal iteration counts for SHA1MD5X, and others. For example, if you have a hash that is SHA1(MD5(MD5(MD5(MD5($pass)))))), you would set -q to 5.
-g    Rotate calculated hashes to attempt match to input hash
-s    File to read salts from
-u    File to read Userid/Usernames from
-k    File to read suffixes from
-n    Number of digits to append to passwords. Other options, like: -n 6x would append 6 digit hex values, and 8i would append all ipv4 dotted-quad IP-addresses.
-i    The number of iterations for each hash
-t    The number of threads to run
-f    file to read hashes from, else stdin
-1    Append CR/LF/CRLF and print in hex
-r    File to read rules from
-v    Do not mark salts as found.
-w    Number of lines to skip from first wordlist
-y    Enable directory recursion for wordlists
-z    Enable debugging information/hash results
-h    The hash types: 459 TOTAL HASHES SUPPORTED
GENERIC ATTACK PLANS

This is a good general purpose MDXFIND command to run your hashes against if you suspect them to be “non-standard” nested hashing sequences. This command says “Run all hashes against dict.txt using 10 iterations except ones having a salt, user, or md5x value in the name.” It’s smart to skip salted/user hash types in MDXFIND unless you are confident a salt value has been used.

cat hash.txt | mdxfind -h ALL -h '!salt,!user,!md5x' -i 10 dict.txt > out.txt

The developer of MDXFIND also recommends running the below command options as a good general purpose attack:

cat hash.txt | mdxfind -h '^md5$,^sha1$,^md5md5pass$,^md5sha1$' -i 5 dict.txt > out.txt

And you could add a rule attack as well:

cat hash.txt | mdxfind -h '^md5$,^sha1$,^md5md5pass$,^md5sha1$' -i 5 dict.txt -r best64.rule > out.txt

GENERAL NOTES ABOUT MDXFIND

- Can do multiple hash types/files all during a single attack run.

cat sha1/*.txt sha256/*.txt md5/*.txt salted/*.txt | mdxfind

- Supports 459 different hash types/sequences
- Can take input from special ‘stdin’ mode
- Supports VERY large hashlists (100mil) and 10kb character passwords
- Supports using hashcat rule files to integrate with dictionary
- Option ‘-z’ outputs ALL viable hashing solutions and file can grow very large
- Supports including/excluding hash types by using simple regex parameters
- Supports multiple iterations (up to 4 billion times) by tweaking -i parameter, for instance:
MD5X01 is the same as md5($Pass)
MD5x02 is the same as md5(md5($pass))
MD5X03 is the same as md5(md5(md5($pass)))
...
MD5x10 is the same as md5(md5(md5(md5(md5(md5(md5(md5(md5(md5($pass))))))))))
- Separate out -usernames -email -ids -salts to create custom attacks
- If you are doing brute-force attacks, then hashcat is probably the better route
- When MDXfind finds any solution, it outputs the kind of solution found, followed by the hash, followed by the salt and/or password. For example:

MD5X01 000012273bc5cab48bf3852658b259ef:lEb0TBK3
MD5X05 033b111073e5f64ee59f0be9d6b8a561:08061999
MD5X09 aadb9d1b23729a3e403d7fc62d507df7:1140
MD5X09 326d921d591162eed302ee25a09450ca:1761974
MDSPLIT

When cracking large lists of hashes from multiple file locations, MDSPLIT will help match which files the cracked hashes were found in, while also outputting them into separate files based on hash type. Additionally it will remove the found hashes from the original hash file.

COMMAND STRUCTURE TWO METHODS 1-STDOUT 2-STDIN 3-File

1 - Matching MDXFIND results files with their original hash_orig.txt files.

cat hashes_out/out_results.txt | mdsplit hashes_orig/hash_orig.txt

OR perform matching against a directory of original hashes and their results.

cat hashes_out/* | mdsplit hashes_orig/*

2 - Piping MDXFIND directly into MDSPLIT to sort in real-time results.

cat *.txt | mdxfind -h ALL -h '!salt,!user,!md5x' -i 10 dict.txt | mdsplit *.txt

3 - Specifying a file location in MDXFIND to match results in real-time.

mdxfind -h ALL -f hashes.txt -i 10 dict.txt | mdsplit hashes.txt

GENERAL NOTES ABOUT MDSPLIT

- MDSPLIT will append the final hash solution to the end of the new filename. For example, if we submitted a ‘hashes.txt’ and the solution to the hashes was “MD5x01” then the results file would be ‘hashes.MD5x01’. If multiple hash solutions are found then MDSPLIT knows how to deal with this, and will then remove each of the solutions from hashes.txt, and place them into ‘hashes.MD5x01’, ‘hashes.MD5x02’, ‘hashes.SHA1’... and so on.

- MDSPLIT can handle sorting multiple hash files, types, and their results all at one time. Any solutions will be automatically removed from all of the source files by MDSPLIT, and tabulated into the correct solved files. For example:

cat dir1/*.txt dir2/*.txt dir3/*.txt | mdxfind -h '^md5$,^sha1$,^sha256$' -i 10 dict.txt | mdsplit dir1/*.txt dir2/*.txt dir3/*.txt
DISTRIBUTED / PARALLELIZATION CRACKING

HASHCAT
https://hashcat.net/forum/thread-3047.html
Step 1: Calculate keyspace for attack (Example MD5 Brute Force x 3 nodes)
hashcat -a 3 -m 0 ?a?a?a?a?a?a --keyspace
81450625
Step 2: Distribute work through keyspace division (s)kip and (l)imit
81450625 / 3 = 27150208.3
Node1# hashcat -a 3 -m 0 hash.txt ?a?a?a?a?a?a -s 0 -l 27150208
Node2# hashcat -a 3 -m 0 hash.txt ?a?a?a?a?a?a -s 27150208 -l 27150208
Node3# hashcat -a 3 -m 0 hash.txt ?a?a?a?a?a?a -s 54300416 -l 27150209

JOHN
http://www.openwall.com/john/doc/OPTIONS.shtml
Manual distribution using Options --node & --fork to 3 similar CPU nodes utilizing 8 cores:
Node1# john --format=<#> hash.txt --wordlist=dict.txt --rules=All --fork=8 --node=1-8/24
Node2# john --format=<#> hash.txt --wordlist=dict.txt --rules=All --fork=8 --node=9-16/24
Node3# john --format=<#> hash.txt --wordlist=dict.txt --rules=All --fork=8 --node=17-24/24

Other John Options for parallelization:
Option 1: Enable OpenMP through uncommenting in Makefile
Option 2: Create additional incremental modes in john.conf
Option 3: Utilize built-in MPI parallelization
PASSWORD GUESSING FRAMEWORK
https://github.com/RUB-SysSec/Password-Guessing-Framework
https://www.password-guessing.org/
Password Guessing Framework is an open source tool to provide an automated and reliable way to compare password guessers. It can help to identify individual strengths and weaknesses of a guesser, its modes of operation, or even the underlying guessing strategies. Therefore, it gathers information about how many passwords from an input file (password leak) have been cracked in relation to the amount of generated guesses. Subsequent to the guessing process an analysis of the cracked passwords is performed.

OTHER CREATIVE ADVANCED ATTACKS
Random creative password attacks using the power of stdin and stdout. Not implying they’re useful but to demonstrate the power of mixing and matching. Go forth and create something useful.

PRINCE-MDXFIND ATTACK
pp64.bin dict.txt | mdxfind -h ALL -f hash.txt -i 10 stdin > out.txt

HASHCAT-UTIL COMBINATOR PRINCE
combinator.bin dict.txt dict.txt | pp64.bin | hashcat -a 0 -m #type hash.txt -r best64.rule
combinator3.bin dict.txt dict.txt dict.txt | pp64.bin | hashcat -a 0 -m #type hash.txt -r rockyou-30000.rule

HASHCAT STDOUT ATTACKS PRINCE
hashcat -a 0 dict.txt -r dive.rule --stdout | pp64.bin | hashcat -a 0 -m #type hash.txt
hashcat -a 6 dict.txt ?a?a?a?a --stdout | pp64.bin --pw-min=8 | hashcat -a 0 -m #type hash.txt
hashcat -a 7 ?a?a?a?a dict.txt --stdout | pp64.bin --pw-min=8 | hashcat -a 0 -m #type hash.txt
hashcat -a 6 dict.txt rockyou-1-60.hcmask --stdout | pp64.bin --pw-min=8 --pw-max=14 | hashcat -a 0 -m #type hash.txt
hashcat -a 7 rockyou-1-60.hcmask dict.txt --stdout | pp64.bin --pw-min=8 --pw-max=14 | hashcat -a 0 -m #type hash.txt
DISTRIBUTED CRACKING SOFTWARE
HASHTOPUSSY https://bitbucket.org/seinlc/hashtopussy/
HASHSTACK https://sagitta.pw/software/
DISTHC https://github.com/unix-ninja/disthc
CRACKLORD http://jmmcatee.github.io/cracklord/
HASHTOPUS http://hashtopus.org/Site/
HASHVIEW http://www.hashview.io/
CLORTHO https://github.com/ccdes/clortho

ONLINE HASH CRACKING SERVICES
GPUHASH https://gpuhash.me/
CRACKSTATION https://crackstation.net/
ONLINE HASH CRACK https://www.onlinehashcrack.com/
HASH HUNTERS http://www.hashhunters.net/
Information in this chapter is an attempt to summarize a few of the basic and more complex concepts in password cracking. This allows all skill levels to grasp these concepts without needing a Linguistics or Mathematics Degree. It’s an almost impossible task to condense into one paragraph, but the following is an attempt. For a deeper understanding, I highly encourage you to read the Resource links included below each section.

PASSWORD ENTROPY vs CRACK TIME
Password entropy is a measure of how random/unpredictable a password could have been, so it does not really relate to the password itself, but to a selection process. When judging human generated passwords for entropy, it frankly isn’t an accurate measurement. This is true mainly because humans like to use memorable words/sequences and thus a myriad of attacks account for that behavior. However, entropy is good for measuring randomly generated passwords from password managers, such as 1Password or Keepass, in that each default character set used can be calculated. Password entropy is measured in bits and uses the following formula where C = Size of Character set & L = Length of password:
log(C) / log(2) * L
To calculate the time to crack, just use the benchmarking function on your favorite cracking software against your mode of hash to obtain cracks per second. The table below estimates password length using an MD4 hashing function against an 8 GPU x Nvidia GTX 1080 system:
* Table only truly matters for randomly generated passwords
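The entropy formula and the crack-time estimate above, worked through for randomly generated passwords. This is an added example, not code from the book; the rig rate is an assumption built from the single-card MD4 figure in the benchmark list (43722.9 MH/s) multiplied by 8 cards with perfect scaling.

```python
import math

# Single-card MD4 rate from the page's benchmark list (43722.9 MH/s).
# Multiplying by 8 cards assumes perfect linear scaling (an assumption).
MD4_RATE_PER_CARD = 43_722.9e6
ASSUMED_RIG_RATE = 8 * MD4_RATE_PER_CARD

# Units taken from the page's TIME TABLE, largest first.
TIME_UNITS = [("years", 31_536_000), ("weeks", 604_800), ("days", 86_400),
              ("hours", 3_600), ("minutes", 60)]


def entropy_bits(charset_size: int, length: int) -> float:
    """The page's formula: log(C) / log(2) * L."""
    if charset_size < 2 or length < 1:
        raise ValueError("need a charset of at least 2 symbols and length >= 1")
    return math.log(charset_size) / math.log(2) * length


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst case: every candidate of exactly this length is hashed once.
    The average case is half of this value."""
    return charset_size ** length / rate


def humanize(seconds: float) -> str:
    """Express a duration in the largest TIME TABLE unit that fits."""
    for name, size in TIME_UNITS:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def min_length(charset_size: int, rate: float, target_seconds: float) -> int:
    """Shortest random password whose full keyspace outlasts target_seconds."""
    guesses = rate * target_seconds
    length = 1
    while charset_size ** length < guesses:
        length += 1
    return length


if __name__ == "__main__":
    charsets = (("digits", 10), ("lowercase", 26),
                ("alphanumeric", 62), ("printable", 95))
    for name, size in charsets:
        for length in (8, 12, 16):
            bits = entropy_bits(size, length)
            worst = seconds_to_exhaust(size, length, ASSUMED_RIG_RATE)
            print(f"{name:<13} L={length:<3} {bits:6.1f} bits  {humanize(worst)}")
    one_year = 31_536_000
    print("printable chars needed to outlast one year:",
          min_length(95, ASSUMED_RIG_RATE, one_year))
```

The figures only describe passwords drawn uniformly at random from the stated character set, and they change by orders of magnitude when the stored hash is a slow function rather than MD4.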
Resources
Password Complexity versus Password Entropy
https://blogs.technet.microsoft.com/msftcam/2015/05/19/password-complexity-versus-password-entropy/
WHAT IS A CRYPTOGRAPHIC HASH?
A cryptographic hash function is a subclass of the general hash function which possesses properties lending its use in cryptography. Cryptographic hash functions are mathematical algorithms which map data of any size to a string containing a fixed length, and should make it infeasible to reverse. For instance, the string “password,” when mapped using the MD5 hash function, returns a fixed length 32 character string “5f4dcc3b5aa765d61d8327deb882cf99”. The 32 character string cannot theoretically be reversed with any other mapped input data except “password”. The current method of recreating this input data “password” is through a dictionary/mask/brute-force attack of all possible inputs matching the hashed value; also called a pre-image attack. Generally speaking, hash functions should possess the below characteristics:
- Be computationally infeasible to find two different sets of input data with the same hash value (also called a collision).
- The hash value should be “quick” to compute (i.e. > ~1 second).
- It should be difficult to generate the input data just by looking at the hash value.
- One simple change to the input data should drastically change the resultant hash value.

Resources
How Hash Algorithms Work
http://www.metamorphosite.com/one-way-hash-encryption-sha1-data-software
MARKOV CHAINS
Markov Chains are created, for our password cracking purposes, by statistical analysis of a large list of passwords/words (i.e. the RockYou password dataset). The resultant analysis of these words and their per-position character frequency/probability are stored in a table. This table is referenced when performing brute-force/mask attacks to prevent having to generate password candidates in a sequential order, which is very inefficient. Instead, the most common characters are attempted first in order of preceding character probability. So let’s see sequential brute-force ?a?a?a?a without Markov Chains applied:
Now the same brute-force attack with Markov Chains applied:
Markov Chains predict the probability of the next character in a password based on the previous characters, or context characters. It’s that simple.
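A small per-position Markov table of the kind described above, used here to rank the next character and to score how predictable a password is to such a model. This is an added example, not code from the book or from any cracking tool; the training words are constructed, and the add-one smoothing is an assumption made so that unseen characters keep a non-zero probability.

```python
from collections import Counter, defaultdict
import math
import string

# The 95 printable ASCII characters, the same set the ?a mask stands for.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "

# Constructed training list standing in for a large password dataset.
TRAINING = ["password", "passw0rd", "pass1234", "letmein1",
            "love1234", "lovely12", "monkey12", "master12"]


def train(words):
    """Count, for every (position, previous character), what came next."""
    table = defaultdict(Counter)
    for word in words:
        prev = ""
        for pos, ch in enumerate(word):
            table[(pos, prev)][ch] += 1
            prev = ch
    return table


def ordered_next(table, pos, prev):
    """Characters for this position, most frequent first, then the unseen
    ones in plain sequential order."""
    seen = table.get((pos, prev), Counter())
    ranked = sorted(seen, key=lambda c: (-seen[c], c))
    return ranked + [c for c in ALPHABET if c not in seen]


def surprisal_bits(table, password):
    """Sum of -log2 P(char | position, previous char) with add-one smoothing.
    Lower values mean the model reaches this password earlier."""
    bits = 0.0
    prev = ""
    for pos, ch in enumerate(password):
        seen = table.get((pos, prev), Counter())
        p = (seen[ch] + 1) / (sum(seen.values()) + len(ALPHABET))
        bits -= math.log2(p)
        prev = ch
    return bits


if __name__ == "__main__":
    table = train(TRAINING)
    print("sequential order starts with:", list(ALPHABET[:3]))
    print("Markov order starts with:    ", ordered_next(table, 0, "")[:3])
    for candidate in ("password", "lovely12", "zq7#Xk2v"):
        print(f"{candidate:<10} {surprisal_bits(table, candidate):5.1f} bits")
```

A password audit can use the same score as a strength signal: human-chosen passwords that resemble the training data score far below the uniform 8 x log2(95) bits that a random 8-character password carries.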
Resources
Fast Dictionary Attacks on Passwords Using Time-Space Tradeoff
http://www.cs.utexas.edu/~shmat/shmat_ccs05pwd.pdf
OMEN: Faster Password Guessing Using an Ordered Markov Enumerator
https://hal.inria.fr/hal-01112124/document
PROBABILISTIC CONTEXT-FREE GRAMMARS (PCFG)
A Probabilistic Context Free Grammar (PCFG) consists of terminal and nonterminal variables. Each feature to be modeled has a production rule that is assigned a probability, estimated from a training set of RNA structures. Production rules are recursively applied until only terminal residues are left. The notion supporting PCFGs is that passwords are constructed with template structures and terminals that fit into those structures. For example, the password candidate ‘password123!’ is 8 letters, 3 digits, 1 special and would be noted as ‘L8D3S1’. A password’s probability of occurring is the probability of its structure, multiplied by those of its underlying terminals.
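The structure notation and the probability rule from the paragraph above, as a short password-analysis script. This is an added example, not code from the book or from pcfg_cracker; the training list is constructed and the function names are hypothetical.

```python
from collections import Counter
from fractions import Fraction
from itertools import groupby

# Constructed training list standing in for a real password corpus.
TRAINING = ["password123!", "sunshine123!", "letmein1!",
            "monkey12", "dragon12", "qwerty12", "summer99"]


def char_class(ch):
    """L = letter, D = digit, S = anything else (special)."""
    if ch.isalpha():
        return "L"
    if ch.isdigit():
        return "D"
    return "S"


def segments(password):
    """Split into runs of one class: 'password123!' -> L:password D:123 S:!"""
    return [(cls, "".join(run)) for cls, run in groupby(password, key=char_class)]


def structure(password):
    """Base structure in the page's notation, e.g. 'L8D3S1'."""
    return "".join(f"{cls}{len(text)}" for cls, text in segments(password))


def train(passwords):
    """Count structures, and terminals per (class, length) slot."""
    structures = Counter()
    terminals = {}
    for pw in passwords:
        structures[structure(pw)] += 1
        for cls, text in segments(pw):
            terminals.setdefault((cls, len(text)), Counter())[text] += 1
    return structures, terminals


def probability(model, password):
    """P(structure) multiplied by P(terminal) for every slot it fills."""
    structures, terminals = model
    total = sum(structures.values())
    if total == 0:
        return Fraction(0)
    p = Fraction(structures[structure(password)], total)
    for cls, text in segments(password):
        slot = terminals.get((cls, len(text)), Counter())
        slot_total = sum(slot.values())
        if slot_total == 0:
            return Fraction(0)
        p *= Fraction(slot[text], slot_total)
    return p


if __name__ == "__main__":
    model = train(TRAINING)
    # monkey99 never appears in TRAINING, yet both of its parts do.
    for pw in ("password123!", "monkey99", "sunshine99"):
        print(f"{pw:<13} {structure(pw):<7} P = {probability(model, pw)}")
```

The non-zero score for monkey99 shows why recombining common parts does not make a password hard to guess under this model.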
Resources
Password Cracking Using Probabilistic Context-Free Grammars
https://sites.google.com/site/reusablesec/Home/password-cracking-tools/probablistic_cracker
Next Gen PCFG Password Cracking
https://github.com/lakiw/pcfg_cracker
NEURAL NETWORKS
Artificial Neural Networks or Neural Networks (NN) is a machine-learning technique composed of nodes called Artificial Neurons, just like the brain possesses. Such systems use Machine Learning to approximate highly dimensional functions and progressively learn through examples of training set data, or in our case a large password dump. They have shown initial promise to be effective at generating original yet representative password candidates. Advantages to NN’s for password cracking are the low overhead for storing the final NN model, approximately 500kb, and the ability to continually learn over time through retraining or transfer learning.

Resources
Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks (USENIX ‘16)
https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_melicher.pdf
https://github.com/cupslab/neural_network_cracking
COMMON HASH EXAMPLES
MD5, NTLM, NTLMv2, LM, MD5crypt, SHA1, SHA256, bcrypt, PDF 1.4-1.6 (Acrobat 5-8), Microsoft OFFICE 2013, RAR3-HP, Winzip, 7zip, Bitcoin/Litecoin, MAC OSX v10.5-v10.6, MySQL 4.1-5+, Postgres, MSSQL(2012)-MSSQL(2014), Oracle 11g, Cisco TYPE 4 5 8 9, WPA PSK / WPA2 PSK
MD5

HASHCAT
HASH FORMAT
8743b52063cd84097a65d1633f5c74f5
BRUTE FORCE ATTACK
hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 0 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 0 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
8743b52063cd84097a65d1633f5c74f5
BRUTE FORCE ATTACK
john --format=raw-md5 hash.txt
WORDLIST ATTACK
john --format=raw-md5 --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=raw-md5 --wordlist=dict.txt --rules hash.txt
NTLM (PWDUMP)

HASHCAT
HASH FORMAT
b4b9b02e6f09a9bd760f388b67351e2b
BRUTE FORCE ATTACK
hashcat -m 1000 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 1000 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 1000 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
b4b9b02e6f09a9bd760f388b67351e2b
BRUTE FORCE ATTACK
john --format=nt hash.txt
WORDLIST ATTACK
john --format=nt --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=nt --wordlist=dict.txt --rules hash.txt
NTLMV2

HASHCAT
HASH FORMAT
username::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315C7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
BRUTE FORCE ATTACK
hashcat -m 5600 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 5600 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 5600 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
username:$NETNTLMv2$NTLMV2TESTWORKGROUP$1122334455667788$07659A550D5E9D02996DFD95C87EC1D5$0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000
BRUTE FORCE ATTACK
john --format=netntlmv2 hash.txt
WORDLIST ATTACK
john --format=netntlmv2 --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=netntlmv2 --wordlist=dict.txt --rules hash.txt
LM

HASHCAT
HASH FORMAT
299bd128c1101fd6
BRUTE FORCE ATTACK
hashcat -m 3000 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 3000 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 3000 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
$LM$a9c604d244c4e99d
BRUTE FORCE ATTACK
john --format=lm hash.txt
WORDLIST ATTACK
john --format=lm --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=lm --wordlist=dict.txt --rules hash.txt
MD5CRYPT

HASHCAT
HASH FORMAT
$1$28772684$iEwNOgGugq09.bIz5sk8k/
BRUTE FORCE ATTACK
hashcat -m 500 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 500 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 500 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
$1$28772684$iEwNOgGugq09.bIz5sk8k/
BRUTE FORCE ATTACK
john --format=md5crypt hash.txt
WORDLIST ATTACK
john --format=md5crypt --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=md5crypt --wordlist=dict.txt --rules hash.txt
SHA1

HASHCAT
HASH FORMAT
b89eaac7e61417341b710b727768294d0e6a277b
BRUTE FORCE ATTACK
hashcat -m 100 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 100 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 100 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
b89eaac7e61417341b710b727768294d0e6a277b
BRUTE FORCE ATTACK
john --format=raw-sha1 hash.txt
WORDLIST ATTACK
john --format=raw-sha1 --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=raw-sha1 --wordlist=dict.txt --rules hash.txt
SHA256

HASHCAT
HASH FORMAT
127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935
BRUTE FORCE ATTACK
hashcat -m 1400 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 1400 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 1400 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935
BRUTE FORCE ATTACK
john --format=raw-sha256 hash.txt
WORDLIST ATTACK
john --format=raw-sha256 --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=raw-sha256 --wordlist=dict.txt --rules hash.txt
BCRYPT

HASHCAT
HASH FORMAT
$2a$05$LhayLxezLhKlLhWvKxCyLOj0jlu.Kj0jZ0pEmml34uzrQlFvQDLF6
BRUTE FORCE ATTACK
hashcat -m 3200 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 3200 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 3200 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
$2a$05$LhayLxezLhKlLhWvKxCyLOj0jlu.Kj0jZ0pEmml34uzrQlFvQDLF6
BRUTE FORCE ATTACK
john --format=bcrypt hash.txt
WORDLIST ATTACK
john --format=bcrypt --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=bcrypt --wordlist=dict.txt --rules hash.txt
PDF 1.4 - 1.6 (ACROBAT 5 - 8)

HASHCAT
HASH FORMAT
$pdf$2*3*128*-1028*1*16*da42ee15d4b3e08fe5b9ecea0e02ad0f*32*c9b59d72c7c670c42eeb4fca1d2ca15000000000000000000000000000000000*32*c4ff3e868dc87604626c2b8c259297a14d58c6309c70b00afdfb1fbba10ee571
EXTRACT HASH
pdf2hashcat.py example.pdf > hash.txt
BRUTE FORCE ATTACK
hashcat -m 10500 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 10500 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 10500 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2
EXTRACT HASH
pdf2john.py example.pdf > hash.txt
BRUTE FORCE ATTACK
john --format=pdf hash.txt
WORDLIST ATTACK
john --format=pdf --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=pdf --wordlist=dict.txt --rules hash.txt
MICROSOFT OFFICE 2013

HASHCAT
HASH FORMAT
example.docx:$office$*2013*100000*256*16*7dd611d7eb4c899f74816d1dec817b3b*948dc0b2c2c6c32f14b5995a543ad037*0b7ee0e48e935f937192a59de48a7d561ef2691d5c8a3ba87ec2d04402a94895
EXTRACT HASH
office2hashcat.py example.docx > hash.txt
BRUTE FORCE ATTACK
hashcat -m 9600 -a 3 --username hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 9600 -a 0 --username hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 9600 -a 0 --username hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
example.docx:$office$*2013*100000*256*16*7dd611d7eb4c899f74816d1dec817b3b*948dc0b2c2c6c32f14b5995a543ad037*0b7ee0e48e935f937192a59de48a7d561ef2691d5c8a3ba87ec2d04402a94895
EXTRACT HASH
office2john.py example.docx > hash.txt
BRUTE FORCE ATTACK
john --format=office2013 hash.txt
WORDLIST ATTACK
john --format=office2013 --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=office2013 --wordlist=dict.txt --rules hash.txt
RAR3-HP (ENCRYPTED HEADER)

HASHCAT
HASH FORMAT
$RAR3$*0*45109af8ab5f297a*adbf6c5385d7a40373e8f77d7b89d317
#!Ensure to remove extraneous rar2john output to match above hash!#
EXTRACT HASH
rar2john.py example.rar > hash.txt
BRUTE FORCE ATTACK
hashcat -m 12500 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 12500 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 12500 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
example.rar:$RAR3$*1*20e041a232b4b7f0*5618c5f0*1472*2907*0*/Path/To/example.rar*138*33:1::example.txt
EXTRACT HASH
rar2john.py example.rar > hash.txt
BRUTE FORCE ATTACK
john --format=rar hash.txt
WORDLIST ATTACK
john --format=rar --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=rar --wordlist=dict.txt --rules hash.txt
WINZIP

HASHCAT
HASH FORMAT
$zip2$*0*3*0*b5d2b7bf57ad5e86a55c400509c672bd*d218*0**ca3d736d03a34165cfa9*$/zip2$
#!Ensure to remove extraneous zip2john output to match above hash!#
EXTRACT HASH
zip2john.py example.zip > hash.txt
BRUTE FORCE ATTACK
hashcat -m 13600 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 13600 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 13600 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
example.zip:$zip2$*0*3*0*5b0a8b153fb94bf719abb81a80e90422*8e91*9*0b76bf50a15938ce9c*3f37001e241e196195a1*$/zip2$:::::example.zip
EXTRACT HASH
zip2john.py example.zip > hash.txt
BRUTE FORCE ATTACK
john --format=ZIP hash.txt
WORDLIST ATTACK
john --format=ZIP --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=ZIP --wordlist=dict.txt --rules hash.txt
7-ZIP

HASHCAT
HASH FORMAT
$7z$0$19$0$salt$8$f6196259a7326e3f0000000000000000$185065650$112$98$f3bc2a88062c419a25acd40c0c2d75421cf23263f69c51b13f9b1aada41a8a09f9adeae45d67c60b56aad338f20c0dcc5eb811c7a61128ee0746f922cdb9c59096869f341c7a9cb1ac7bb7d771f546b82cf4e6f11a5ecd4b61751e4d8de66dd6e2dfb5b7d1022d2211e2d66ea1703f96
#!Ensure to remove extraneous 7zip2john output to match above hash!#
EXTRACT HASH
7z2john.py example.7z > hash.txt
BRUTE FORCE ATTACK
hashcat -m 11600 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 11600 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 11600 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
example.7z:$7z$0$19$0$salt$8$f6196259a7326e3f0000000000000000$185065650$112$98$f3bc2a88062c419a25acd40c0c2d75421cf23263f69c51b13f9b1aada41a8a09f9adeae45d67c60b56aad338f20c0dcc5eb811c7a61128ee0746f922cdb9c59096869f341c7a9cb1ac7bb7d771f546b82cf4e6f11a5ecd4b61751e4d8de66dd6e2dfb5b7d1022d2211e2d66ea1703f96
EXTRACT HASH
7z2john.py example.7z > hash.txt
BRUTE FORCE ATTACK
john --format=7z hash.txt
WORDLIST ATTACK
john --format=7z --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=7z --wordlist=dict.txt --rules hash.txt
BITCOIN / LITECOIN

HASHCAT
HASH FORMAT
$bitcoin$96$d011a1b6a8d675b7a36d0cd2efaca32a9f8dc1d57d6d01a58399ea04e703e8bbb44899039326f7a00f171a7bbc854a54$16$1563277210780230$158555$96$628835426818227243334570448571536352510740823233055715845322741625407685873076027233865346542174$66$625882875480513751851333441623702852811440775888122046360561760525
EXTRACT HASH
bitcoin2john.py wallet.dat > hash.txt
BRUTE FORCE ATTACK
hashcat -m 11300 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 11300 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 11300 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
$bitcoin$96$d011a1b6a8d675b7a36d0cd2efaca32a9f8dc1d57d6d01a58399ea04e703e8bbb44899039326f7a00f171a7bbc854a54$16$1563277210780230$158555$96$628835426818227243334570448571536352510740823233055715845322741625407685873076027233865346542174$66$625882875480513751851333441623702852811440775888122046360561760525
EXTRACT HASH
bitcoin2john.py wallet.dat > hash.txt
BRUTE FORCE ATTACK
john --format=bitcoin hash.txt
WORDLIST ATTACK
john --format=bitcoin --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=bitcoin --wordlist=dict.txt --rules hash.txt
MAC OS X 10.8 - 10.12

HASHCAT
HASH FORMAT
username:$ml$35714$50973de90d336b5258f01e48ab324aa9ac81ca7959ac470d3d9c4395af624398$631a0ef84081b37cfe594a5468cf3a63173cd2ec25047b89457ed300f2b41b30a0792a39912fc5f3f7be8f74b7269ee3713172642de96ee482432a8d12bf291a
EXTRACT HASH
sudo plist2hashcat.py /var/db/dslocal/nodes/Default/users/<username>.plist
BRUTE FORCE ATTACK
hashcat -m 7100 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 7100 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 7100 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
username:$pbkdf2-hmac-sha512$31724.019739e90d326b5258f01e483b124aa9ac81ca7959acb70c3d9c4297af924398.631a0bf84081b37dae594a5468cf3a63183cd2ec25047b89457ed300f2bf1b40a0793a39512fc5a3f7ae8f74b7269ee3723172642de96eee82432a8d11bf365e:501:20:HOSTNAME:/bin/bash:/var/db/dslocal/nodes/Default/users/username.plist
EXTRACT HASH
sudo ml2john.py /var/db/dslocal/nodes/Default/users/<username>.plist
BRUTE FORCE ATTACK
john --format=PBKDF2-HMAC-SHA512 hash.txt
WORDLIST ATTACK
john --format=PBKDF2-HMAC-SHA512 --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=PBKDF2-HMAC-SHA512 --wordlist=dict.txt --rules hash.txt
MYSQL4.1 / MYSQL5+ (DOUBLE SHA1)

HASHCAT
HASH FORMAT
FCF7C1B8749CF99D88E5F34271D636178FB5D130
EXTRACT HASH
SELECT user,password FROM mysql.user INTO OUTFILE '/tmp/hash.txt';
BRUTE FORCE ATTACK
hashcat -m 300 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 300 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 300 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
*FCF7C1B8749CF99D88E5F34271D636178FB5D130
EXTRACT HASH
SELECT user,password FROM mysql.user INTO OUTFILE '/tmp/hash.txt';
BRUTE FORCE ATTACK
john --format=mysql-sha1 hash.txt
WORDLIST ATTACK
john --format=mysql-sha1 --wordlist=dict.txt hash.txt
POSTGRESQL

HASHCAT
HASH FORMAT
a6343a68d964ca596d9752250d54bb8a:postgres
EXTRACT HASH
SELECT usename, passwd FROM pg_shadow;
BRUTE FORCE ATTACK
hashcat -m 12 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 12 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 12 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
a6343a68d964ca596d9752250d54bb8a:postgres
EXTRACT HASH
SELECT usename, passwd FROM pg_shadow;
BRUTE FORCE ATTACK
john --format=postgres hash.txt
WORDLIST ATTACK
john --format=postgres --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=postgres --wordlist=dict.txt --rules hash.txt
MSSQL(2012), MSSQL(2014)

HASHCAT
HASH FORMAT
0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375
EXTRACT HASH
SELECT SL.name,SL.password_hash FROM sys.sql_logins AS SL;
BRUTE FORCE ATTACK
hashcat -m 1731 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 1731 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 1731 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375
EXTRACT HASH
SELECT SL.name,SL.password_hash FROM sys.sql_logins AS SL;
BRUTE FORCE ATTACK
john --format=mssql12 hash.txt
WORDLIST ATTACK
john --format=mssql12 --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=mssql12 --wordlist=dict.txt --rules hash.txt
ORACLE 11G

HASHCAT
HASH FORMAT
ac5f1e62d21fd0529428b84d42e8955b04966703:38445748184477378130
EXTRACT HASH
SELECT SL.name,SL.password_hash FROM sys.sql_logins AS SL;
BRUTE FORCE ATTACK
hashcat -m 112 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 112 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 112 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
ac5f1e62d21fd0529428b84d42e8955b04966703:38445748184477378130
EXTRACT HASH
SELECT SL.name,SL.password_hash FROM sys.sql_logins AS SL;
BRUTE FORCE ATTACK
john --format=oracle11 hash.txt
WORDLIST ATTACK
john --format=oracle11 --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=oracle11 --wordlist=dict.txt --rules hash.txt
CISCO TYPE 4 (SHA256)

HASHCAT
HASH FORMAT
2btjjy78REtmYkkW0csHUbDZOstRXoWdX1mGrmmfeHI
BRUTE FORCE ATTACK
hashcat -m 5700 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 5700 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 5700 -a 0 hash.txt dict.txt -r rule.txt
CISCO TYPE 5 (MD5)

HASHCAT
HASH FORMAT
$1$28772684$iEwN0gGugq09.bIz5sk8k/
BRUTE FORCE ATTACK
hashcat -m 500 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 500 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 500 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
$1$28772684$iEwN0gGugq09.bIz5sk8k/
BRUTE FORCE ATTACK
john --format=md5crypt hash.txt
WORDLIST ATTACK
john --format=md5crypt --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=md5crypt --wordlist=dict.txt --rules hash.txt
CISCO TYPE 8 (PBKDF2+SHA256)

HASHCAT
HASH FORMAT
$8$TnGX/fE4KGH0VU$pEhnEvxrvaynpi8j4f.EMHr6M.FzU8xnZnBr/tJdFWk
BRUTE FORCE ATTACK
hashcat -m 9200 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 9200 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 9200 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
$8$TnGX/fE4KGH0VU$pEhnEvxrvaynpi8j4f.EMHr6M.FzU8xnZnBr/tJdFWk
BRUTE FORCE ATTACK
john --format=pbkdf2-hmac-sha256 hash.txt
WORDLIST ATTACK
john --format=pbkdf2-hmac-sha256 --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=pbkdf2-hmac-sha256 --wordlist=dict.txt --rules hash.txt
CISCO TYPE 9 (SCRYPT)

HASHCAT
HASH FORMAT
$9$2MJBozw/9R3UsU$21FhcKvpghcyw8deP25G0fyZaagyU0GBymkryv0dfo6
BRUTE FORCE ATTACK
hashcat -m 9300 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 9300 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 9300 -a 0 hash.txt dict.txt -r rule.txt

JOHN
HASH FORMAT
$9$2MJBozw/9R3UsU$21FhcKvpghcyw8deP25G0fyZaagyU0GBymkryv0dfo6
BRUTE FORCE ATTACK
john --format=scrypt hash.txt
WORDLIST ATTACK
john --format=scrypt --wordlist=dict.txt hash.txt
WORDLIST + RULE ATTACK
john --format=scrypt --wordlist=dict.txt --rules hash.txt
WPA PSK / WPA2 PSK

HASHCAT
HASH FORMAT
*Capture 4-way authentication handshake > capture.cap
cap2hccapx.bin capture.cap capture_out.hccapx
BRUTE FORCE ATTACK
hashcat -m 2500 -a 3 capture_out.hccapx ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 2500 -a 0 capture_out.hccapx dict.txt
WORDLIST + RULE ATTACK
hashcat -m 2500 -a 0 capture_out.hccapx dict.txt -r rule.txt

JOHN
HASH FORMAT
*Capture 4-way authentication handshake > capture.cap
cap2hccap.bin -e '<ESSID>' capture.cap capture_out.hccap
hccap2john capture_out.hccap > jtr_capture
BRUTE FORCE ATTACK
john --format=wpapsk jtr_capture
WORDLIST ATTACK
john --format=wpapsk --wordlist=dict.txt jtr_capture
WORDLIST + RULE ATTACK
john --format=wpapsk --wordlist=dict.txt --rules jtr_capture
APPENDIX

TERMS
BRUTE-FORCE ATTACK - the act of trying every possible combination of a given keyspace or character set for a given length
DICTIONARY - a collection of common words, phrases, keyboard patterns, generated passwords, or leaked passwords, also known as a wordlist
DICTIONARY ATTACK - using a file containing common or known password combinations or words in an attempt to match a given hashing function’s output by running said words through the same target hashing function
HASH - the fixed bit result of a hash function
HASH FUNCTION - maps data of arbitrary size to a bit string of a fixed size (a hash function) which is designed to also be a one-way function, that is, a function which is infeasible to invert
ITERATIONS - the number of times an algorithm is run over a given hash
KEYSPACE - the number of possible combinations for a given character set to the power of its length (i.e. charset^length)
MASK ATTACK - using placeholder representations to try all combinations of a given keyspace, similar to brute-force but more targeted and efficient
PASSWORD ENTROPY - an estimation of how difficult a password will be to crack given its character set and length
PLAINTEXT - unaltered text that hasn’t been obscured or algorithmically altered through a hashing function
RAKING - generating random password rules/candidates in an attempt to discover a previously unknown matching password pattern
RAINBOW TABLE - a precomputed table of a targeted cryptographic hash function of a certain minimum and maximum character length
RULE ATTACK - similar to a programming language for generating candidate passwords based on some input such as a dictionary
SALT - random data that is used as additional input to a one-way function
WORDLIST - a collection of common words, phrases, keyboard patterns, generated passwords, or leaked passwords, also known as a dictionary
TIME TABLE
60 seconds            1 minute
3,600 seconds         1 hour
86,400 seconds        1 day
604,800 seconds       1 week
1,209,600 seconds     1 fortnight
2,419,200 seconds     1 month (30 days)
31,536,000 seconds    1 year
ONLINE RESOURCES

JOHN
http://openwall.info/wiki/john
http://openwall.info/wiki/john/sample-non-hashes
http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
https://countuponsecurity.com/2015/06/14/jonh-the-ripper-cheat-sheet/
https://xinn.org/blog/JtR-AD-Password-Auditing.html
https://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf

HASHCAT
https://hashcat.net/wiki/
https://hashcat.net/wiki/doku.php?id=hashcat_utils
https://hashcat.net/wiki/doku.php?id=statsprocessor
http://www.netmux.com/blog/ultimate-guide-to-cracking-foreign-character-passwords-using-has
http://www.netmux.com/blog/cracking-12-character-above-passwords

CRACKING RIGS
http://www.netmux.com/blog/how-to-build-a-password-cracking-rig
https://www.unix-ninja.com/p/Building_a_Password_Cracking_Rig_for_Hashcat_-_Part_III

EXAMPLE HASH GENERATION
https://www.onlinehashcrack.com/hash-generator.php
https://www.tobtu.com/tools.php
http://hash.online-convert.com/
https://www.tools4noobs.com/online_tools/hash/
https://quickhash.com/
http://bitcoinvalued.com/tools.php
http://www.sha1-online.com/
http://www.freeformatter.com/hmac-generator.html
http://openwall.info/wiki/john/Generating-test-hashes

OTHER
http://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-passwords/
http://www.utf8-chartable.de/
http://thesprawl.org/projects/pack/
https://blog.gotmilk.com/2011/06/dictionaries-wordlists/
http://wpengine.com/unmasked/
https://www.unix-ninja.com/p/A_cheat-sheet_for_password_crackers
https://room362.com/post/2017/05-06-2017-password-magic-numbers/
http://www.netmux.com/blog/how-to-build-a-password-cracking-rig
http://passwordchart.com/
http://www.vigilante.pw

NETMUX
http://www.netmux.com
http://www.hashcrack.io
https://github.com/netmux
https://twitter.com/netmux
https://www.instagram.com/netmux/
*** ANSWER TO CUSTOM DICTIONARY CREATION HASH: e4821d16a298092638ddb7cadc26d32f = letmein123456Netmux
10 CRACK COMMANDMENTS
1. Thou shalt know hash types and their origin/function
2. Thou shalt know cracking software strengths & weaknesses
3. Thou shalt study & apply password analysis techniques
4. Thou shalt be proficient at hash extraction methods
5. Thou shalt create custom/targeted dictionaries
6. Thou shalt know thy cracking rigs capabilities
7. Thou shalt understand basic human psychology/behavior
8. Thou shalt create custom masks, rules, and Markov chains
9. Thou shalt continually experiment with new techniques
10. Thou shalt support thy fellow cracking community members
JOHN THE RIPPER HELP MENU

John the Ripper password cracker, version 1.8.0-jumbo-1 [darwin15.6.0 64-bit AVX2-autoconf]
Copyright (c) 1996-2014 by Solar Designer and others
Homepage: http://www.openwall.com/john/

Usage: john [OPTIONS] [PASSWORD-FILES]
--single[=SECTION]         “single crack” mode
--wordlist[=FILE] --stdin  wordlist mode, read words from FILE or stdin
                  --pipe   like --stdin, but bulk reads, and allows rules
--loopback[=FILE]          like --wordlist, but fetch words from a .pot file
--dupe-suppression         suppress all dupes in wordlist (and force preload)
--encoding=NAME            input encoding (eg. UTF-8, ISO-8859-1). See also
                           doc/ENCODING and --list=hidden-options.
--rules[=SECTION]          enable word mangling rules for wordlist modes
--incremental[=MODE]       “incremental” mode [using section MODE]
--mask=MASK                mask mode using MASK
--markov[=OPTIONS]         “Markov” mode (see doc/MARKOV)
--external=MODE            external mode or word filter
--stdout[=LENGTH]          just output candidate passwords [cut at LENGTH]
--restore[=NAME]           restore an interrupted session [called NAME]
--session=NAME             give a new session the NAME
--status[=NAME]            print status of a session [called NAME]
--make-charset=FILE        make a charset file. It will be overwritten
--show[=LEFT]              show cracked passwords [if =LEFT, then uncracked]
--test[=TIME]              run tests and benchmarks for TIME seconds each
--users=[-]LOGIN|UID[,..]  [do not] load this (these) user(s) only
--groups=[-]GID[,..]       load users [not] of this (these) group(s) only
--shells=[-]SHELL[,..]     load users with[out] this (these) shell(s) only
--salts=[-]COUNT[:MAX]     load salts with[out] COUNT [to MAX] hashes
--save-memory=LEVEL        enable memory saving, at LEVEL 1..3
--node=MIN[-MAX]/TOTAL     this node’s number range out of TOTAL count
--fork=N                   fork N processes
--pot=NAME                 pot file to use
--list=WHAT                list capabilities, see --list=help or doc/OPTIONS
--devices=N[,..]           set OpenCL device(s) (list using --list=opencl-devices)
--format=NAME              force hash type NAME:
7z 7z-opencl AFS agilekeychain agilekeychain-opencl aix-smd5 aix-ssha1 aix-ssha256 aix-ssha512 asa-md5 bcrypt bcrypt-opencl bfegg Bitcoin blackberry-es10 Blockchain blockchain-opencl bsdicrypt chap Citrix_NS10 Clipperz cloudkeychain cq CRC32 crypt dahua descrypt descrypt-opencl Django django-scrypt dmd5 dmg dmg-opencl dominosec dragonfly3-32 dragonfly3-64 dragonfly4-32 dragonfly4-64 Drupal7 dummy dynamic_n eCryptfs EFS eigrp EncFS encfs-opencl EPI EPiServer fde FormSpring Fortigate gost gpg gpg-opencl HAVAL-128-4 HAVAL-256-3 hdaa HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512 hMailServer hsrp IKE ipb2 KeePass keychain keychain-opencl keyring keyring-opencl keystore known_hosts krb4 krb5 krb5-18 krb5pa-md5 krb5pa-md5-opencl krb5pa-sha1 krb5pa-sha1-opencl kwallet LastPass LM lotus5 lotus5-opencl lotus85 LUKS MD2 md4-gen md5crypt md5crypt-opencl md5ns mdc2 MediaWiki MongoDB Mozilla mscash mscash2 mscash2-opencl MSCHAPv2 mschapv2-naive mssql mssql05 mssql12 mysql mysql-sha1 mysql-sha1-opencl mysqlna net-md5 net-sha1 nethalflm netlm netlmv2 netntlm netntlm-naive netntlmv2 nk nsldap NT nt-opencl nt2 ntlmv2-opencl o5logon o5logon-opencl ODF ODF-AES-opencl ODF-opencl Office office2007-opencl office2010-opencl office2013-opencl oldoffice oldoffice-opencl OpenBSD-SoftRAID openssl-enc OpenVMS oracle oracle11 osc Panama PBKDF2-HMAC-SHA1 PBKDF2-HMAC-SHA1-opencl PBKDF2-HMAC-SHA256 PBKDF2-HMAC-SHA256-opencl PBKDF2-HMAC-SHA512 pbkdf2-hmac-sha512-opencl PDF PFX phpass phpass-opencl PHPS pix-md5 PKZIP po postgres PST PuTTY pwsafe pwsafe-opencl RACF RAdmin RAKP RAKP-opencl rar rar-opencl RAR5 RAR5-opencl Raw-Blake2 Raw-Keccak Raw-Keccak-256 Raw-MD4 Raw-MD4-opencl Raw-MD5 Raw-MD5-opencl Raw-MD5u Raw-SHA Raw-SHA1 Raw-SHA1-Linkedin Raw-SHA1-ng Raw-SHA1-opencl Raw-SHA224 Raw-SHA256 Raw-SHA256-ng Raw-SHA256-opencl Raw-SHA384 Raw-SHA512 Raw-SHA512-ng Raw-SHA512-opencl ripemd-128 ripemd-160 rsvp Salted-SHA1 sapb sapg scrypt sha1-gen sha1crypt sha1crypt-opencl sha256crypt sha256crypt-opencl sha512crypt sha512crypt-opencl Siemens-S7 SIP skein-256 skein-512 skey Snefru-128 Snefru-256 SSH SSH-ng ssha-opencl SSHA512 STRIP strip-opencl SunMD5 sxc sxc-opencl Sybase-PROP sybasease tc_aes_xts tc_ripemd160 tc_sha512 tc_whirlpool tcp-md5 Tiger tripcode VNC vtp wbb3 whirlpool whirlpool0 whirlpool1 WoWSRP wpapsk wpapsk-opencl xsha xsha512 XSHA512-opencl ZIP zip-opencl
HASHCAT HELP MENU
hashcat 3.6 - advanced password recovery
Usage: hashcat [options]... hash|hash-file|hccapxfile [dictionary|mask|directory]...
- [ Options ] -
If you still have no idea what just happened, try the following pages:
* https://hashcat.net/wiki/#howtos_videos_papers_articles_etc_in_the_wild
* https://hashcat.net/faq/
*** HASH CRACKING BENCHMARK tables are meant to be a reference to enable users to gauge how SLOW or FAST a hashing algorithm is before formulating an attack plan. Nvidia GTX 2080 was chosen as the default due to its prevalence among the cracking community and its position as a top performing GPU card.
HASH CRACKING BENCHMARKS (ALPHABETICAL)
1Password, agilekeychain    3319.2 kH/s
1Password, cloudkeychain    10713 H/s
3DES (PT = $salt, key = $pass)    594.3 MH/s
7-Zip    7514 H/s
AIX    14937.2 kH/s
AIX    44926.1 kH/s
AIX    6359.3 kH/s
AIX    9937.1 kH/s
Android FDE (Samsung DEK)    291.8 kH/s
Android FDE <= 4.3    803.0 kH/s
Android PIN    5419.4 kH/s
ArubaOS    6894.7 MH/s
Atlassian (PBKDF2-HMAC-SHA1)    283.6 kH/s
AxCrypt    113.9 kH/s
AxCrypt in memory SHA1    7503.3 MH/s
bcrypt, Blowfish(OpenBSD)    13094 H/s
BSDiCrypt, Extended DES    1552.5 kH/s
Bitcoin/Litecoin wallet.dat    4508 H/s
BLAKE2-512    1488.9 MH/s
Blockchain, My Wallet    50052.3 kH/s
Blockchain, My Wallet, V2    305.2 kH/s
ChaCha20    3962.0 MH/s
Cisco $8$    59950 H/s
Cisco $9$    22465 H/s
Cisco-ASA MD5    17727.2 MH/s
Cisco-IOS SHA256    2864.3 MH/s
Cisco-PIX MD5    16407.2 MH/s
Citrix NetScaler    7395.3 MH/s
ColdFusion 10+    1733.6 MH/s
DES (PT = $salt, key = $pass)    19185.7 MH/s
descrypt, DES(Unix), Traditional DES    906.7 MH/s
DNSSEC (NSEC3)    3274.6 MH/s
Django (PBKDF2-SHA256)    59428 H/s
Django (SHA-1)    6822.6 MH/s
Domain Cached Credentials (DCC), MS Cache    11195.8 MH/s
Domain Cached Credentials 2 (DCC2), MS Cache 2    317.5 kH/s
DPAPI masterkey file v1 and v2    73901 H/s
Drupal7    56415 H/s
eCryptfs    13813 H/s
Ethereum Wallet, PBKDF2-HMAC-SHA256    4518 H/s
Ethereum Wallet, SCRYPT    29 H/s
EPiServer 6.x < v4    6818.5 MH/s
EPiServer 6.x > v4    2514.4 MH/s
FileZilla Server >= 0.9.55    565.2 MH/s
FortiGate (FortiOS)    6386.2 MH/s
GOST R 34.11-2012 (Streebog) 256-bit    50018.8 kH/s
GOST R 34.11-2012 (Streebog) 512-bit    49979.4 kH/s
GOST R 34.11-94    206.2 MH/s
GRUB 2    43235 H/s
Half MD5    15255.8 MH/s
hMailServer    2509.6 MH/s
IKE-PSK MD5    1834.0 MH/s
IKE-PSK SHA1    788.2 MH/s
IPB2+, MyBB1.2+    5011.8 MH/s
IPMI2 RAKP HMAC-SHA1    1607.3 MH/s
iTunes backup < 10.0    140.2 kH/s
iTunes backup >= 10.0    94 H/s
JKS Java Key Store Private Keys (SHA1)    7989.4 MH/s
Joomla < 2.5.18    25072.2 MH/s
Juniper IVE    9929.1 kH/s
Juniper/NetBSD sha1crypt    144.1 kH/s
Juniper Netscreen/SSG (ScreenOS)    12946.8 MH/s
Keepass 1 (AES/Twofish) and Keepass 2 (AES)    139.8 kH/s
Kerberos 5 AS-REQ Pre-Auth etype 23    291.5 MH/s
Kerberos 5 TGS-REP etype 23    291.1 MH/s
LM    18382.7 MH/s
Lastpass    2331.2 kH/s
Lotus Notes/Domino 5    205.2 MH/s
Lotus Notes/Domino 6    69673.5 kH/s
Lotus Notes/Domino 8    667.2 kH/s
LUKS    8703 H/s
MD4    43722.9 MH/s
MD5    24943.1 MH/s
md5(md5($pass).md5($salt))    4291.9 MH/s
md5($salt.md5($salt.$pass))    5037.7 MH/s
md5($salt.md5($pass.$salt))    5401.6 MH/s
md5apr1, MD5(APR), Apache MD5    9911.5 kH/s
md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5    9918.1 kH/s
MS Office <= 2003 MD5+RC4, collision-mode #1    339.9 MH/s
MS Office <= 2003 MD5+RC4, oldoffice$0, oldoffice$1    219.6 MH/s
MS Office <= 2003 SHA1+RC4, collision-mode #1    330.8 MH/s
MS Office <= 2003 SHA1+RC4, oldoffice$3, oldoffice$4    296.7 MH/s
MS-AzureSync PBKDF2-HMAC-SHA256    10087.9 kH/s
MSSQL(2000)    8609.7 MH/s
MSSQL(2005)    8636.4 MH/s
MSSQL(2012)    1071.3 MH/s
Mediawiki B type    6515.8 MH/s
MySQL Challenge-Response Authentication (SHA1)    2288.0 MH/s
MySQL323    51387.0 MH/s
MySQL4.1/MySQL5    3831.5 MH/s
NTLM    41825.0 MH/s
NetNTLMv1-VANILLA / NetNTLMv1+ESS    22308.5 MH/s
NetNTLMv2    1634.9 MH/s
osCommerce, xt    12883.7 MH/s
OSX V10.4, V10.5, V10.6    6831.3 MH/s
OSX V10.7    834.1 MH/s
OSX V10.8+    12348 H/s
Office 2007    134.5 kH/s
Office 2010    66683 H/s
Office 2013    8814 H/s
OpenCart    2097.0 MH/s
Oracle H    851.6 MH/s
Oracle S    8565.0 MH/s
Oracle T    104.7 kH/s
Password Safe v2    332.0 kH/s
Password Safe v3    1233.4 kH/s
PBKDF2-HMAC-MD5    7408.3 kH/s
PBKDF2-HMAC-SHA1    3233.9 kH/s
PBKDF2-HMAC-SHA256    1173.1 kH/s
PBKDF2-HMAC-SHA512    431.4 kH/s
PDF 1.1 - 1.3 (Acrobat 2 - 4)    345.0 MH/s
PDF 1.1 - 1.3 (Acrobat 2 - 4) + collider-mode #1    373.4 MH/s
PDF 1.4 - 1.6 (Acrobat 5 - 8)    16048.0 kH/s
PDF 1.7 Level 3 (Acrobat 9)    2854.1 MH/s
PDF 1.7 Level 8 (Acrobat 10 - 11)    30974 H/s
PeopleSoft    8620.3 MH/s
PeopleSoft PS_TOKEN    3226.5 MH/s
phpass, MD5(Wordpress), MD5(phpBB3), MD5(Joomla)    6917.9 kH/s
PHPS    6972.6 MH/s
Plaintext    37615.5 MH/s
PostgreSQL    25068.0 MH/s
PostgreSQL Challenge-Response Auth (MD5)    6703.0 MH/s
PrestaShop    8221.3 MH/s
PunBB    2837.7 MH/s
RACF    2528.4 MH/s
RAR3-hp    29812 H/s
RAR5    36473 H/s
Radmin2    8408.3 MH/s
Redmine Project Management Web App    2121.3 MH/s
RipeMD160    4732.0 MH/s
SAP CODVN B (BCODE)    1311.2 MH/s
SAP CODVN F/G (PASSCODE)    739.3 MH/s
SAP CODVN H (PWDSALTEDHASH) iSSHA-1    6096.6 kH/s
scrypt    435.1 kH/s
SHA-1(Base64), nsldap, Netscape LDAP SHA    8540.0 MH/s
SHA-3(Keccak)    769.8 MH/s
SHA1    8538.1 MH/s
SHA1(CX)    291.8 MH/s
sha1($salt.sha1($pass))    2457.6 MH/s
SHA-224    3076.6 MH/s
SHA256    2865.2 MH/s
sha256crypt, SHA256(Unix)    388.8 kH/s
SHA384    1044.8 MH/s
SHA512    1071.1 MH/s
sha512crypt, SHA512(Unix)    147.5 kH/s
SIP digest authentication (MD5)    2004.3 MH/s
SKIP32    4940.9 MH/s
SMF > v1.1    6817.7 MH/s
SSHA-1(Base64), nsldaps, Netscape LDAP SSHA    8584.5 MH/s
SSHA-256(Base64), LDAP {SSHA256}    3216.9 MH/s
SSHA-512(Base64), LDAP    1072.2 MH/s
SipHash    28675.1 MH/s
Skype    12981.9 MH/s
Sybase ASE    398.1 MH/s
TrueCrypt PBKDF2-HMAC-RipeMD160 + XTS 512 bit + boot-mode    512.4 kH/s
TrueCrypt PBKDF2-HMAC-RipeMD160 + XTS 512 bit    277.0 kH/s
TrueCrypt PBKDF2-HMAC-SHA512 + XTS 512 bit    376.2 kH/s
TrueCrypt PBKDF2-HMAC-Whirlpool + XTS 512 bit    36505 H/s
vBulletin < V3.8.5    6947.7 MH/s
vBulletin > V3.8.5    4660.5 MH/s
VeraCrypt PBKDF2-HMAC-RipeMD160 + XTS 512 bit    907 H/s
VeraCrypt PBKDF2-HMAC-RipeMD160 + XTS 512 bit + boot-mode    1820 H/s
VeraCrypt PBKDF2-HMAC-SHA256 + XTS 512 bit    1226 H/s
VeraCrypt PBKDF2-HMAC-SHA256 + XTS 512 bit + boot-mode    3012 H/s
VeraCrypt PBKDF2-HMAC-SHA512 + XTS 512 bit    830 H/s
VeraCrypt PBKDF2-HMAC-Whirlpool + XTS 512 bit    74 H/s
WBB3, Woltlab Burning Board 3    1293.3 MH/s
WPA/WPA2    396.8 kH/s
Whirlpool    253.9 MH/s
WinZip    1054.4 kH/s
* CRACKING SPEED BASED ON NVIDIA GTX 1080 & HASHCAT v3.6
HASH CRACKING SPEED (SLOW - FAST)
Ethereum Wallet, SCRYPT    29 H/s
VeraCrypt PBKDF2-HMAC-Whirlpool + XTS 512 bit    74 H/s
iTunes backup >= 10.0    94 H/s
VeraCrypt PBKDF2-HMAC-SHA512 + XTS 512 bit    830 H/s
VeraCrypt PBKDF2-HMAC-RipeMD160 + XTS 512 bit    907 H/s
VeraCrypt PBKDF2-HMAC-SHA256 + XTS 512 bit    1226 H/s
VeraCrypt PBKDF2-HMAC-RipeMD160 + XTS 512 bit + boot-mode    1820 H/s
VeraCrypt PBKDF2-HMAC-SHA256 + XTS 512 bit + boot-mode    3012 H/s
Bitcoin/Litecoin wallet.dat    4508 H/s
Ethereum Wallet, PBKDF2-HMAC-SHA256    4518 H/s
7-Zip    7514 H/s
LUKS    8703 H/s
Office 2013    8814 H/s
1Password, cloudkeychain    10713 H/s
OSX V10.8+    12348 H/s
bcrypt, Blowfish(OpenBSD)    13094 H/s
eCryptfs    13813 H/s
Cisco $9$    22465 H/s
RAR3-hp    29812 H/s
PDF 1.7 Level 8 (Acrobat 10 - 11)    30974 H/s
RAR5    36473 H/s
TrueCrypt PBKDF2-HMAC-Whirlpool + XTS 512 bit    36505 H/s
GRUB 2    43235 H/s
Drupal7    56415 H/s
Django (PBKDF2-SHA256)    59428 H/s
Cisco $8$    59950 H/s
Office 2010    66683 H/s
DPAPI masterkey file v1 and v2    73901 H/s
Oracle T    104.7 kH/s
AxCrypt    113.9 kH/s
Office 2007    134.5 kH/s
Keepass 1 (AES/Twofish) and Keepass 2 (AES)    139.8 kH/s
iTunes backup < 10.0    140.2 kH/s
Juniper/NetBSD sha1crypt    144.1 kH/s
sha512crypt, SHA512(Unix)    147.5 kH/s
TrueCrypt PBKDF2-HMAC-RipeMD160 + XTS 512 bit    277.0 kH/s
Atlassian (PBKDF2-HMAC-SHA1)    283.6 kH/s
Android FDE (Samsung DEK)    291.8 kH/s
Blockchain, My Wallet, V2    305.2 kH/s
Domain Cached Credentials 2 (DCC2), MS Cache 2    317.5 kH/s
Password Safe v2    332.0 kH/s
TrueCrypt PBKDF2-HMAC-SHA512 + XTS 512 bit    376.2 kH/s
sha256crypt, SHA256(Unix)    388.8 kH/s
WPA/WPA2    396.8 kH/s
PBKDF2-HMAC-SHA512    431.4 kH/s
scrypt    435.1 kH/s
TrueCrypt PBKDF2-HMAC-RipeMD160 + XTS 512 bit + boot-mode    512.4 kH/s
Lotus Notes/Domino 8    667.2 kH/s
Android FDE <= 4.3    803.0 kH/s
WinZip    1054.4 kH/s
PBKDF2-HMAC-SHA256    1173.1 kH/s
Password Safe v3    1233.4 kH/s
BSDiCrypt, Extended DES    1552.5 kH/s
Lastpass    2331.2 kH/s
PBKDF2-HMAC-SHA1    3233.9 kH/s
1Password, agilekeychain    3319.2 kH/s
Android PIN    5419.4 kH/s
SAP CODVN H (PWDSALTEDHASH) iSSHA-1    6096.6 kH/s
AIX    6359.3 kH/s
phpass, MD5(Wordpress), MD5(phpBB3), MD5(Joomla)    6917.9 kH/s
PBKDF2-HMAC-MD5    7408.3 kH/s
md5apr1, MD5(APR), Apache MD5    9911.5 kH/s
md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5    9918.1 kH/s
Juniper IVE    9929.1 kH/s
AIX    9937.1 kH/s
MS-AzureSync PBKDF2-HMAC-SHA256    10087.9 kH/s
AIX    14937.2 kH/s
PDF 1.4 - 1.6 (Acrobat 5 - 8)    16048.0 kH/s
AIX    44926.1 kH/s
GOST R 34.11-2012 (Streebog) 512-bit    49979.4 kH/s
GOST R 34.11-2012 (Streebog) 256-bit    50018.8 kH/s
Blockchain, My Wallet    50052.3 kH/s
Lotus Notes/Domino 6    69673.5 kH/s
Lotus Notes/Domino 5    205.2 MH/s
GOST R 34.11-94    206.2 MH/s
MS Office <= 2003 MD5+RC4, oldoffice$0, oldoffice$1    219.6 MH/s
Whirlpool    253.9 MH/s
Kerberos 5 TGS-REP etype 23    291.1 MH/s
Kerberos 5 AS-REQ Pre-Auth etype 23    291.5 MH/s
SHA1(CX)    291.8 MH/s
MS Office <= 2003 SHA1+RC4, oldoffice$3, oldoffice$4    296.7 MH/s
MS Office <= 2003 SHA1+RC4, collision-mode #1    330.8 MH/s
MS Office <= 2003 MD5+RC4, collision-mode #1    339.9 MH/s
PDF 1.1 - 1.3 (Acrobat 2 - 4)    345.0 MH/s
PDF 1.1 - 1.3 (Acrobat 2 - 4) + collider-mode #1    373.4 MH/s
Sybase ASE    398.1 MH/s
FileZilla Server >= 0.9.55    565.2 MH/s
3DES (PT = $salt, key = $pass)    594.3 MH/s
SAP CODVN F/G (PASSCODE)    739.3 MH/s
SHA-3(Keccak)    769.8 MH/s
IKE-PSK SHA1    788.2 MH/s
OSX V10.7    834.1 MH/s
Oracle H    851.6 MH/s
descrypt, DES(Unix), Traditional DES    906.7 MH/s
SHA384    1044.8 MH/s
SHA512    1071.1 MH/s
MSSQL(2012)    1071.3 MH/s
SSHA-512(Base64), LDAP    1072.2 MH/s
WBB3, Woltlab Burning Board 3    1293.3 MH/s
SAP CODVN B (BCODE)    1311.2 MH/s
BLAKE2-512    1488.9 MH/s
IPMI2 RAKP HMAC-SHA1    1607.3 MH/s
NetNTLMv2    1634.9 MH/s
ColdFusion 10+    1733.6 MH/s
IKE-PSK MD5    1834.0 MH/s
SIP digest authentication (MD5)    2004.3 MH/s
OpenCart    2097.0 MH/s
Redmine Project Management Web App    2121.3 MH/s
MySQL Challenge-Response Authentication (SHA1)    2288.0 MH/s
sha1($salt.sha1($pass))    2457.6 MH/s
hMailServer    2509.6 MH/s
EPiServer 6.x > v4    2514.4 MH/s
RACF    2528.4 MH/s
PunBB    2837.7 MH/s
PDF 1.7 Level 3 (Acrobat 9)    2854.1 MH/s
Cisco-IOS SHA256    2864.3 MH/s
SHA256    2865.2 MH/s
SHA-224    3076.6 MH/s
SSHA-256(Base64), LDAP {SSHA256}    3216.9 MH/s
PeopleSoft PS_TOKEN    3226.5 MH/s
DNSSEC (NSEC3)    3274.6 MH/s
MySQL4.1/MySQL5    3831.5 MH/s
ChaCha20    3962.0 MH/s
md5(md5($pass).md5($salt))    4291.9 MH/s
vBulletin > V3.8.5    4660.5 MH/s
RipeMD160    4732.0 MH/s
SKIP32    4940.9 MH/s
IPB2+, MyBB1.2+    5011.8 MH/s
md5($salt.md5($salt.$pass))    5037.7 MH/s
md5($salt.md5($pass.$salt))    5401.6 MH/s
FortiGate (FortiOS)    6386.2 MH/s
Mediawiki B type    6515.8 MH/s
PostgreSQL Challenge-Response Authentication (MD5)    6703.0 MH/s
SMF > v1.1    6817.7 MH/s
EPiServer 6.x < v4    6818.5 MH/s
Django (SHA-1)    6822.6 MH/s
OSX V10.4, V10.5, V10.6    6831.3 MH/s
ArubaOS    6894.7 MH/s
vBulletin < V3.8.5    6947.7 MH/s
PHPS    6972.6 MH/s
Citrix NetScaler    7395.3 MH/s
AxCrypt in memory SHA1    7503.3 MH/s
JKS Java Key Store Private Keys (SHA1)    7989.4 MH/s
PrestaShop    8221.3 MH/s
Radmin2    8408.3 MH/s
SHA1    8538.1 MH/s
SHA-1(Base64), nsldap, Netscape LDAP SHA    8540.0 MH/s
SSHA-1(Base64), nsldaps, Netscape LDAP SSHA    8584.5 MH/s
MSSQL(2000)    8609.7 MH/s
PeopleSoft    8620.3 MH/s
MSSQL(2005)    8636.4 MH/s
Oracle S    8565.0 MH/s
Domain Cached Credentials (DCC), MS Cache    11195.8 MH/s
osCommerce, xt    12883.7 MH/s
Juniper Netscreen/SSG (ScreenOS)    12946.8 MH/s
Skype    12981.9 MH/s
Half MD5    15255.8 MH/s
Cisco-PIX MD5    16407.2 MH/s
Cisco-ASA MD5    17727.2 MH/s
LM    18382.7 MH/s
DES (PT = $salt, key = $pass)    19185.7 MH/s
NetNTLMv1-VANILLA / NetNTLMv1+ESS    22308.5 MH/s
MD5    24943.1 MH/s
PostgreSQL    25068.0 MH/s
Joomla < 2.5.18    25072.2 MH/s
SipHash    28675.1 MH/s
Plaintext    37615.5 MH/s
MD4    43722.9 MH/s
NTLM    41825.0 MH/s
MySQL323    51387.0 MH/s
* Speed based on NVIDIA GTX 1080 running Hashcat v3.6
NOTES