Staphysec
  • StaphySec
  • Resources
  • Tricks
  • Brute Force - CheatSheet
  • File Transfer
    • Windows File Transfer
    • Linux File Transfer
    • HTTP/SMB/Nginx/Web Servers/Netcat
  • Hashcat
  • Cheatsheet
  • Curl
  • Tools
    • Cracking
    • Information Gathering
    • XSS
    • Obfuscation
    • Credentials Theft/ Win
    • Content Management Systems (CMS)
  • Programming and Scripting
    • Virtualenv & Switching Versions
    • Python
  • SHELLS
    • Shells (Linux, Windows, Msfvenom)
  • Linux
    • CheatSheet
    • EOP Linux Tools and Resources
    • Blogs
  • Windows
    • CheatSheet
    • EOP Windows Tools and Resources
    • Useful commands and Modules
    • Active Directory
      • Tools
  • Blogs
    • Miscellaneous resources
  • PENTESTING
    • 21 - Pentesting FTP
    • 22 - Pentesting SSH
    • 25,465,587 - Pentesting SMTP
    • 53 - Pentesting DNS
    • 110,995 - Pentesting POP
    • 135 - Pentesting WMI
    • 139,445 - SMB Pentesting
    • 143,993 - Pentesting IMAP
    • 161,162,10161,10162/udp - Pentesting SNMP
    • 623/UDP/TCP - IPMI
    • 1433 - Pentesting mssql
    • 2049 - NFS Pentesting
    • 3306 - Pentesting Mysql
    • 3389 - Pentesting RDP
    • 5985,5986 - WinRm
  • Pentesting Web
    • SQL Injections
      • MySQL injection
      • SQLmap Cheatsheet
    • Command injections
    • File Uploads
    • Abusing Intermediary Applications
    • HTTP Verb Tampering
    • IDOR
    • File Inclusion / Directory Traversal
    • XXE - XEE - XML External Entity
    • SSRF
    • SSI/ESI
    • SSTI (Server Side Template Injection)
    • XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)
Powered by GitBook
On this page
  • Cracking Miscellaneous Files & Hashes
  • Cracking Password Protected Zip Files
  • Cracking Password Protected KeePass Files
  • Cracking Protected PDF Files
  • Cracking MIC
  • Cracking PMKID
  • Optimization
  • Mask Attack
  • Hybrid Mode
  • Creating Wordlists
  • Rules
  • Hashcat debugging Rules
  • Hashcat - Cracking Passwords Using Wordlists and Rule
  • Hashcat - Default Rules

Hashcat

PreviousHTTP/SMB/Nginx/Web Servers/NetcatNextCheatsheet

Last updated 3 years ago

  • .

  • Hack the box Hashcat course on using Hashcat rocks!

  • Here is most hash modes that Hashcat supports.

  • Software to identify the different types of hashes

  • to scan potential words from the company's website and save them in a separate list.

Cracking Miscellaneous Files & Hashes

  • The password cracking tool JohnTheRipper help us extract the password hashes from files etc, can be viewed .

Staphy$ sudo git clone https://github.com/magnumripper/JohnTheRipper.git
Staphy$ cd JohnTheRipper/src
Staphy$ sudo she./configure && make

There are also Python ports of most of these tools available that are very easy to work with. The majority of them are contained in the JohnTheRipper jumbo GitHub repo .

One additional tool ported to Python is tool for extracting a crackable hashes.

  • Hashcat can be used to attempt to crack password hashes extracted from some Microsoft Office documents using the tool.

Staphy$ python office2john.py file.docx

Hashcat - Cracking MS Office Passwords

Staph$ hashcat -m 9600 file_hash /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt

Cracking Password Protected Zip Files

Extract Hash

Staphy$ zip2john file.zip

Hashcat - Cracking ZIP Files

Staphy$ hashcat -a 0 -m 17200 pdf_hash_to_crack /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt

Cracking Password Protected KeePass Files

We can use keepass2john.py to extract the hash:

Staphy$ python keepass2john.py file.kdbx

Cracking Protected PDF Files

Extract Hash

Staphy$ python pdf2john.py inventory.pdf | awk -F":" '{ print $2}'

  • Cracking Wireless (WPA and WPA2) Handshakes with Hashcat

Cracking MIC

To perform this type of offline cracking attack, we need to capture a valid 4-way handshake, by sending de-authentication frames to force a client (user) to disconnect from an AP. When the client reauthenticates (usually automatically), the attacker can attempt to sniff out the WPA 4-way handshake without their knowledge.

Staphy$ git clone https://github.com/hashcat/hashcat-utils.git
Staphy$ cd hashcat-utils/src
Staphy$ make

Hashcat-Utils - Installation

Staphy$ git clone https://github.com/hashcat/hashcat-utils.git
Staphy$ cd hashcat-utils/src
Staphy$ make

Cap2hccapx - Convert To Crackable File

Staphy$ ./cap2hccapx.bin corp_capture1-01.cap mic_to_crack.hccapx

Hashcat - Cracking WPA Handshakes

Staphy$ hashcat -a 0 -m 2500 mic_to_crack.hccapx /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt

Cracking PMKID

This attack can be performed against wireless networks that use WPA/WPA2-PSK (pre-shared key) and allows us to obtain the PSK being used by the targeted wireless network by attacking the AP directly. The attack does not require deauthentication (deauth) of any users from the target AP. The PMK is the same as in the MIC (4-way handshake) attack but can generally be obtained faster and without interrupting any users.

Staphy$ git clone https://github.com/ZerBea/hcxtools.git
Staphy$ cd hcxtools
Staphy$ make && make install

Hcxtools - Installation

To perform PMKID cracking, we need to obtain the pmkid hash. The first step is extracting it from the capture (.cap) file using the tool hcxpcaptool from the hcxtools GitHub repo.

We may run into compilation errors which can be solved as follows:

Missing Dependency - openssl/sha.h

hcxpcapngtool.c:20:10: fatal error: openssl/sha.h: No such file or directory

Installation of Dependencies

Installation of Dependencies

Staphy@htb[/htb]$ sudo apt install libssl-dev

Missing Dependency - curl/curl.h

Missing Dependency - curl/curl.h

hcxhashtool.c:19:10: fatal error: curl/curl.h: No such file or directory

Installation of Dependencies

Staphy@htb[/htb]$ sudo apt install libcurl4-openssl-dev

Extract PMKID

Staphy$ hcxpcaptool -z pmkidhash_corp cracking_pmkid.cap

There is as Change in Hash mode Hashcat 16800 So what are the benefits of hash mode 22000?

  • The hash mode 22000 hash line combines PMKIDs and EAPOL MESSAGE PAIRs in a single file

  • Having all the different handshake types in a single file allows for efficient reuse of PBKDF2 to save GPU cycles

  • It is no longer a binary format that allows various standard tools to be used to filter or process the hashes

  • It is no longer a binary format which makes it easier to copy / paste anywhere as it is just text

  • The best tools for capturing and filtering WPA handshake output in hash mode 22000 format (see tools below)

    In order to be able to use the hash mode 22000 to the full extent, you need the following tools:

If you choose the online converter, you may need to remove some data from your dump file if the file size is too large. Most of the time, this happens when data traffic is also being recorded.

Optimization

  • Optimized Kernels: This is the -O flag, which according to the documentation, means Enable optimized kernels (limits password length). The magical password length number is generally 32, with most wordlists won't even hit that number. This can take the estimated time from days to hours, so it is always recommended to run with -O first and then rerun after without the -O if your GPU is idle.

  • Workload: This is the -w flag, which, according to the documentation, means Enable a specific workload profile. The default number is 2, but if you want to use your computer while Hashcat is running, set this to 1. If you plan on the computer only running Hashcat, this can be set to 3.

Mask Attack

Hybrid Mode

  • Hybrid mode is a variation of the combinator attack, wherein multiple modes can be used together for a fine-tuned wordlist creation.

Mode 6 to append mask.

Staphy$ hashcat -a 6 -m 0 hybrid_hash /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt '?d?s'

Mode 7 to prepend mask. 

Staphy$ hashcat -a 7 -m 0 hybrid_hash_prefix -1 01 '20?1?d' /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt

Creating Wordlists

Tools :

Rules

Hashcat debugging Rules

Staphy$ hashcat -r rule.txt test.txt --stdoutHashcat

Hashcat - Cracking Passwords Using Wordlists and Rule

Staphy$ hashcat -a 0 -m 100 hash /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -r rule.txt

Hashcat - Default Rules

Staphy$ ls -l /usr/share/hashcat/rules/

Hashcat provides an option to generate random rules on the fly and apply them to the input wordlist. The following command will generate 1000 random rules and apply them to each word from rockyou.txt by specifying the "-g" flag. There is no certainty to the success rate of this attack as the generated rules are not constant

we may find an interesting zip file password protected! We can extract these hashes using the compiled version of the tool.

We can extract these hashes using the compiled version of the tool or using the Python port done by , .

We can extract the hash of the passphrase using . The following command will extract the hash into a format that Hashcat can use.

Once we have successfully captured a 4-way handshake with a tool such as , we need to convert it to a format that can be supplied to Hashcat for cracking, he format required is hccapxand Hashcat hosts an online service to convert to this format (not recommended for actual client data but fine for lab/practice exercises): . To perform the conversion offline, we need the hashcat-utils repo from GitHub.

hcxdumptool v6.0.0 or higher:

hcxpcapngtool from hcxtools v6.0.0 or higher:

hashcat v6.0.0 or higher:

Optionally there is hcxlabtool, which you can use as an experienced user or in headless operation instead of hcxdumptool:

For users who don't want to struggle with compiling hcxtools from sources there is an online converter:

For more information Visit this thread in Hashcat site ().

Mask attacks are used to generate words matching a specific pattern .

Common User Passwords Profiler ().

Advanced keyboard-walk with configureable basechars, keymap and routes.

Standalone password candidate generator using the PRINCE algorithm .

is a Custom Word List Generator.

Small utilities that are useful in advanced password cracking .

wordlist generator.

The attack is one of the most complicated of all the attack modes. The reason for this is very simple. The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.

There are a variety of publicly available rules as well, such as the , , and the which is featured in the book . These are curated rulesets generally targeted at common corporate Windows password policies or based on statistics and probably industry password patterns.

Website
academy
example hashes
hashid
CeWL
here
here
keepass2john.py
office2john.py
zip2john
keepass2john
HarmJ0y
keepass2john.py
pdf2john.py
airodump-ng
https://hashcat.net/cap2hccapx
https://github.com/ZerBea/hcxdumptool
https://github.com/ZerBea/hcxtools
https://github.com/hashcat/hashcat
https://github.com/ZerBea/wifi_laboratory
https://hashcat.net/cap2hashcat/
https://hashcat.net/forum/thread-10253.html
Link
CUPP
generator
princeprocessor
CeWL
Hashcat-utils
Crunch
rule-based
nsa-rules
Hob0Rules
corporate.rule
How to Hack Like a Legend