48 Gaining Access – Password Cracking

This lab should familiarize students with generating password hashes and techniques for cracking them. It should also demonstrate brute force and dictionary attacks.

Learning Objectives

• 1. Generate password hashes
• 2. Identify different hash types
• 3. Perform a brute force attack using John the Ripper
• 4. Perform a dictionary attack using Hashcat

Prerequisites

• Chapter 12 – Create a Kali Linux VM

Deliverables

• Screenshot of the hashes file
• Screenshot of John the Ripper brute force attack
• Screenshot of Hashcat finished dictionary attack
• Screenshot of Hashcat showing the cracked hashes

Resources

• 1. Jain, Rakesh. “How to create SHA512/SHA256/MD5 password hashes on command line.” Medium. Accessed May 29, 2024. https://rakeshjain-devops.medium.com/how-to-create-sha512-sha256-md5-password-hashes-on-command-line-2223db20c08c
• 2. m5kro. “Hashcat vs John the Ripper (JTR).” Medium. Accessed May 29, 2024. https://medium.com/cyberscribers-exploring-cybersecurity/hashcat-vs-john-the-ripper-jtr-f207c34c5b1c
• 3. “John the Ripper user community resources.” openwall [wiki]. Accessed May 29, 2024. https://openwall.info/wiki/john
• 4. “Hashcat Advanced Password Recovery.” hashcat [hashcat wiki]. Accessed May 29, 2024. https://hashcat.net/wiki/doku.php?id=hashcat.

Contributors and Testers

• Dante Rocca, Cybersecurity Student, ERAU-Prescott
• Jacob M. Christensen, Cybersecurity Student, ERAU-Prescott

1. Turn on the Kali VM
2. Open the terminal and run this command to navigate to the Desktop

   > cd ~/Desktop

3. We are going to generate a couple of passwords: one that is easily susceptible to a brute force attack and two that will require a dictionary/wordlist attack
4. We will choose a very low-complexity password to generate a password susceptible to a brute-force attack. Lower complexity means a smaller password with a smaller character set. In this case, we will generate a hash for the password “abc123,” which is short (6 characters) and only features lowercase letters and numbers

   > mkpasswd -m md5 abc123 | tee -a hashes

5. Notice above how we use the tee command; this will output the hash to stdout (the terminal) so we can see the hash we generated, but it will also append the hash to the end of a file called “hashes” on the desktop (if that file does not exist, it will create it)
6. Next, we will generate two passwords susceptible to a dictionary/wordlist attack and add them to the “hashes” file

   > mkpasswd -m md5 Cybergenius28 | tee -a hashes

   > mkpasswd -m md5 t0byD0g\$ | tee -a hashes

   NOTE: The “\” is not part of the password. The “$” indicates to the shell that we want to access a user or environment variable. This indicates that we are not trying to access a variable called “Skywalker1” (from the first password) or 12345 (from the second password), but we are trying to use the “$” sign as a character. The “\” is used to escape the variable declaration.

7. We should now have the following file
   

   

   NOTE: The hashes you generate may be different than the hashes displayed. This is because these are salted hashes. The random bit of characters $1$ABCDEFGH$xxxxxx… are mixed in with the password to generate the hash. This is so people with the same password do not have identical password hashes, especially thwarting attackers who use rainbow tables.

1. To perform a brute-force attack using John the Ripper, run the following command on the “hashes” file from the previous phase

   > john ~/Desktop/hashes –incremental

2. After running the command, you should see that John the Ripper could quickly crack the “abc123” password
   

   

3. Let it run for a few minutes.  Hit the spacebar to see the progress at any time.  You should see something similar to this
   

   

4. John may finish in 5 minutes, 5 days, or 5 millennia, and you will see all the plaintext passwords that John cracked outputted onto the terminal. However, we will not wait; press q to end the process
5. If you want to return to the password hashes you already cracked or lost the terminal where you cracked the password, John the Ripper caches them. To view the cracked passwords again, you can run the following command

   > john ~/Desktop/hashes –show

1. A dictionary or wordlist attack in hashcat typically looks like the following

   > hashcat -m <hash type> -a 0 <hash or hashes file> <wordlist>

2. Notice that we need to figure out what the hash type is, and we need find a wordlist to use
3. Though we created the hashes earlier, if we stumble across a password dump, we might not know what kinds of hashes we are looking at. Let’s use the tool hash-identifier to determine what hash type we need to attack

   > hash-identifier

4. This tool takes in a hash and tries to identify what type of hash it is. Plugging in one of the hashes from our “hashes” file, we can see it detected this as an “MD5 (Unix)” hash
   

   

   NOTE: hash-identifier is a good first step in some cases, but it will not be able to identify all hashes you throw at it. If this does not work, it might make sense to go online and research the characteristics of the hashes you are trying to crack. For instance, some might have an identifiable prefix like “$6” (sha512crypt) or “$y” (yescrypt). Searching “$6 hash” or “$y hash” online will confirm this.

5. Now that we know the hash type is “MD5 (Unix)”, we can run the following command

   > hashcat -h

6. This will print out a very, very long help menu. This help menu not only contains different flags that can modify the behavior of hashcat, but it also contains many informational tables about different hash types, attack types, and more. We will look for the number corresponding to the hash type we identified earlier by scrolling until we find the hash type table
   

   

7. Now that we have the hash type, we need a wordlist to complete the dictionary attack
8. Kali VMs come pre-equipped with rockyou.txt, a wordlist of 14 million+ unique passwords from the data breach of the popular social media platform RockYou in 2009. Though this list is from 2009, people still come up with passwords much the same, making this list relevant today. To access this wordlist, however, we will need to uncompress it
9. Run the following command to uncompress rockyou.txt.gz using gunzip

   > sudo gzip -d /usr/share/wordlists/rockyou.txt.gz

   NOTE: “/usr/share/wordlists” contains many wordlists that might be more applicable in other use cases. Feel free to explore.

   

10. Now, we have all the information we need to run the dictionary attack using hashcat. Plugging in the following information, we can execute the attack using the following command

    > hashcat -m 500 -a 0 ~/Desktop/hashes /usr/share/wordlists/rockyou.txt

    NOTE: If you run into the “Not enough allocatable device memory for this attack” error, shut down the Kali VM and allocate more RAM. If the attack will take too long, try increasing the number of vCPUs the VM has. Since we are in a VM, we can tack on “-w 3” or “-w 4” to increase the attack’s CPU utilization/workload. We recommend sticking to workload levels 1-2 on a host machine because it can start eating away at resources that let us use our mouse or display pictures on the screen.

11. Pressing s, we can see the dictionary attack’s current execution status. This status contains tons of information, such as the type of hash we are attacking, the estimated completion time, the number of hashes it was able to recover, etc
    

    

12. Once the attack is finished, we will see “Cracked” or “Exhausted” as the status. “Cracked” means that it was able to crack all the hashes. “Exhausted” means it went through the entire wordlist and could not crack all the hashes. Below, we managed to crack all of the hashes we provided
    

    

13. Although hashcat outputs passwords when discovered, If we miss it, we have too many status updates, etc., run the below command on the “hashes” file to see all the hashes and their corresponding plaintext values

End of Lab