Password Cracking Fundamentals
16.2.1 - Introduction to encryption, hashes and cracking
It's important to know how long it's likely to take to crack a hash.
Count the character set, here for a 5-char password drawn from upper- and lower-case letters and digits (the command outputs the number of candidate characters, 62; the keyspace is that figure raised to the password length, 62^5 for a 5-char password)
echo -n "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" | wc -c
Hashcat's benchmark mode reports hash rates for the supported hash algorithms (typically measured in MH/s). Results differ between GPU and CPU hashing
hashcat -b
Calculate the worst-case cracking time in seconds, here for SHA256, by dividing the keyspace (62^5 = 916132832) by the benchmarked hash rate in hashes per second (134.2 MH/s = 134200000)
python3 -c "print(916132832 / 134200000)"
Example calculating the keyspace for 8- and 10-char passwords from the same 62-character set, and the time to exhaust each at 9276.3 MH/s
python3 -c "print(62**8)"
python3 -c "print(218340105584896 / 9276300000)"
python3 -c "print(62**10)"
python3 -c "print(839299365868340224 / 9276300000)"
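The one-liners above carry out the same calculation three times by hand; the following script, an added example and not part of the course notes, wraps it in reusable functions and also sums the keyspace across a length range, since a mask attack on 8-10 char passwords has to cover every length. The hash rates are the ones quoted above and should be replaced with your own hashcat -b figures.

```python
# Worst-case brute-force time estimator (added example, not from the course notes).
# keyspace = charset_size ** length; seconds = keyspace / hash_rate_per_second.
import string

# Same 62-character set as the echo | wc -c line above.
ALNUM = string.ascii_letters + string.digits


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates for a fixed-length password over a charset."""
    return charset_size ** length


def keyspace_up_to(charset_size: int, min_len: int, max_len: int) -> int:
    """Candidates for every length in [min_len, max_len], which is what an
    incremental mask run actually has to cover."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def crack_seconds(space: int, rate_mhs: float) -> float:
    """Worst-case seconds to exhaust `space` at a rate given in MH/s,
    the unit hashcat -b reports."""
    return space / (rate_mhs * 1_000_000)


def human(seconds: float) -> str:
    """Render a duration using the largest unit that fits."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Reproduces the calculations from the notes: 5 chars at 134.2 MH/s (SHA256),
    # then 8 and 10 chars at 9276.3 MH/s.
    print(len(ALNUM), keyspace(62, 5), human(crack_seconds(keyspace(62, 5), 134.2)))
    for n in (8, 10):
        print(n, human(crack_seconds(keyspace(62, n), 9276.3)))
    # The 8-10 range is dominated by the longest length.
    print("8-10", human(crack_seconds(keyspace_up_to(62, 8, 10), 9276.3)))
```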
16.2.2 - Mutating wordlists
Use rule files to mutate a wordlist, for example appending letters or digits to the end of each password or capitalizing words.
hashcat -r demo.rule --stdout demo.txt
hashcat -m 0 crackme.txt /usr/share/wordlists/rockyou.txt -r demo3.rule --force
Rules on the same line are applied together to each password in the list. Rules on separate lines are applied independently, producing one candidate per line for each password. In this example c capitalizes the first letter and $1 appends a 1 to the end of each password.
$1 c
$1
c
Find more rules like base64.rule with:
ls -la /usr/share/hashcat/rules/
16.2.3 - Cracking methodology
- Extract hashes
- Format hashes
- Calculate the cracking time
- Prepare wordlist
- Attack the hash
16.2.4 - Password manager
This uses an outdated version of KeePass as an example password manager
Check for .kdbx files on the target machine
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
After transferring the database to Kali, keepass2john formats it as a crackable hash; save the output to a file
keepass2john Database.kdbx > keepass.hash
Make sure to remove the leading Database: string from the hash before running hashcat
cat keepass.hash
Using the rockyou-30000 rule here
hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force
16.2.5 - SSH key passphrase
We may need to crack a passphrase; passphrases are a security measure used to protect private SSH keys. ssh2john transforms the private key into a hash we can attempt to crack
https://vk9-sec.com/ssh2john-how-to/
ssh2john id_rsa > ssh.hash
hashcat -h | grep -i "ssh"
hashcat -m 22921 ssh.hash ssh.passwords -r ssh.rule --force
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.john
We can attempt to crack with a custom ruleset built from a file found on the machine that hints at the password pattern. Note that we're also using a custom wordlist.
c $1 $3 $7 $!
c $1 $3 $7 $@
c $1 $3 $7 $#
john --wordlist=ssh.passwords --rules=sshRules ssh.hash
ssh -i id_rsa -p 2222 dave@192.168.50.201
PFX Key Passphrase
WinRM supports PKINIT, meaning that if you have a computer's PFX file you can authenticate and get a shell. Note that the command requires the public and private key in PEM format, which can be extracted by converting the PFX to PEM.
https://wadcoms.github.io/wadcoms/Evil-Winrm-PKINIT/
Convert the .pfx file to a hash format using pfx2john
pfx2john yourfile.pfx > hash.txt
Run John the Ripper with a wordlist (e.g., rockyou.txt) to crack the password:
john hash.txt -w=/usr/share/wordlists/rockyou.txt
Convert PFX file into a PEM file (containing both certificate and private key)
openssl pkcs12 -in filename.pfx -out cert.pem -nodes
We can extract the private key from a PFX to a PEM file with this command:
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
Exporting the certificate only:
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
Removing the password from the extracted private key:
openssl rsa -in key.pem -out server.key