Advanced Hash Cracking - Breaking The Crypt
Advanced Hash Cracking Techniques
This is a series of articles where I will cover the following topics:
GPU-based cracking using OpenCL hashcat.
Amazon EC2 cloud computing for cracking hashes.
Pushing the envelope with JTR.
The intended readers for this article are users who are familiar with and well versed in the process of hash cracking using tools like JTR, Hashcat or Passwords Pro.
This article does not cover the basics of hash cracking and how you go about it.
Hash cracking tools like JTR have existed for a long time. As hardware speeds have scaled up over the years, so have hash cracking speeds. This gives us better opportunities to crack more hashes than we could on the old Pentium processors.
Cracking hashes on the GPU: Nvidia's CUDA and ATI's OpenCL gave developers a chance to port hash cracking algorithms to GPUs. GPUs have high parallel processing power, which is a big advantage over CPUs, which process instructions serially instead.
CPUs are good at performing complex instructions quickly; GPUs, on the other hand, can perform many simple instructions quickly in parallel.
To discuss this in more depth, I'll use oclhashcat as an example. oclhashcat is developed by atom (hashcat team) and is compatible with both Nvidia's CUDA-based GPUs and ATI's OpenCL GPUs.
You can get more details here:
Here I present a few ways in which we can use this tool more effectively to get better success rates at cracking hashes.
-m - specifies the type of hash we are attacking. Just type oclhashcat --help and scroll down to see all the hash types.
-m 0 is for Raw MD5 hashes.
-n 160 - This sets the workload tuning of the GPU, and you might have to tweak it depending on your GPU. The higher the load on your GPU, the higher its operating temperature will be as well, which is something you have to keep in mind.
--remove - This option is quite useful. oclhashcat removes the hashes it has cracked from the hash list so that it doesn't attempt to crack them again during another session.
-o - By default, oclhashcat displays the cracked hashes on the console. Since we want to save our results, it's a good idea to use this option to redirect the output to a text file, in this case foundMD5.txt.
md5.txt - the hash file. At present, oclhashcat expects the hash list to contain only hashes and no usernames. Unlike the format JTR accepts, here we need to filter any usernames out of the list.
dict1.txt and dict2.txt - oclhashcat works on the concept of a left mask and a right mask. It splits every candidate into a left part and a right part and lets us define how each part is controlled.
This option is really useful, as we will see later in this article when we look at how efficiently it can be used.
It is compulsory to provide both a left mask and a right mask; you cannot give one and omit the other. In this case, dict1.txt is the left mask and dict2.txt is the right mask.
OK, so that was just the basics. Let's get to more effective methods.
So far I have covered only passwords that have a sequence of characters padded onto them. But we have not touched our left mask, the dictionary, at all.
Time to apply some modification rules to it as well.
In oclhashcat, the left mask and right mask can be controlled using the -j and -k options.
-j controls the left mask and -k controls the right mask.
The correspondence between -j and -k and the left and right masks can be remembered easily by looking at the positions of the characters j and k on the keyboard: the left one corresponds to the left mask and the right one to the right mask. It's not hard to remember, but just in case, it might help someone.
U converts the first character of the left mask to uppercase for every word in the dictionary. And since the padding we have is @$a5, I have bound the charsets ?l?d?s to -1.
More complex password patterns could remove a few characters from the dictionary word and pad instead.
Here the letters o and n are stripped off the end of "defcon" and @3$d is padded on instead. To attack such a pattern, we do the same with our dictionary: this time we strip the last two characters from every word in the left mask, uppercase the first one, and then append the password padding.
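As an added, defender-side example that is not from the original article or the hashcat project: a small Python checker that flags a candidate password when it matches the patterns above, that is, a dictionary word, possibly with its first letter uppercased (the U rule) and up to two trailing letters stripped, followed by a short run of ?l?d?s padding. The word list, the sample passwords and the limits of four padding characters and two stripped characters are constructed assumptions.

```python
import string

# Constructed stand-in for the "left mask" dictionary (dict1.txt in the article);
# a real check would load the full word list an attacker is assumed to have.
WORDLIST = {"defcon", "password", "hacker", "summer", "blackhat"}

# The characters the article's ?l?d?s charset covers: lowercase, digits, specials.
PAD_CHARS = set(string.ascii_lowercase + string.digits + string.punctuation)


def find_dictionary_base(password, wordlist=WORDLIST, max_pad=4, max_strip=2):
    """Return (word, core, padding) when password looks like a dictionary word,
    optionally capitalised and trimmed, followed by up to max_pad ?l?d?s
    characters; return None when no such decomposition exists.

    max_pad=4 mirrors the 4-character padding in the article's examples and
    max_strip=2 mirrors stripping "on" from "defcon" (both are assumptions)."""
    for pad_len in range(max_pad + 1):
        cut = len(password) - pad_len
        if cut < 3:                      # too little left to be a real word
            break
        core, padding = password[:cut], password[cut:]
        if not core.isalpha() or any(c not in PAD_CHARS for c in padding):
            continue
        base = core.lower()              # undo the 'U' (uppercase first) rule
        if base in wordlist:
            return base, core, padding
        # Undo the "strip the last N characters" rule: the core may be a prefix
        # of a dictionary word that is at most max_strip characters longer.
        for word in sorted(wordlist):
            if word.startswith(base) and 0 < len(word) - len(base) <= max_strip:
                return word, core, padding
    return None


def is_weak_pattern(password):
    """True when the password would fall to the dictionary + padding attack."""
    return find_dictionary_base(password) is not None


if __name__ == "__main__":
    # Constructed samples: the article's two patterns plus two that do not match.
    for pw in ("Defcon@$a5", "Defc@3$d", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        hit = find_dictionary_base(pw)
        verdict = (f"weak (word={hit[0]!r}, core={hit[1]!r}, pad={hit[2]!r})"
                   if hit else "no match")
        print(f"{pw:28} {verdict}")
```

Such a check belongs in a password-set hook or an audit of an existing credential store, where rejecting these shapes up front removes exactly the candidates the left/right mask rules above generate most cheaply.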
An interesting example. Some people use their passwords in the form of dates and, believe me, these are hard to brute-force, since they have special characters in between the digits and it's not possible to find a word like this in a dictionary.