26 March 2013

371. Hashcat on Debian

http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/ was just published, which made me want to have a look at hashcat.

Note that Hashcat is closed source. An open source alternative is John the Ripper.

Note also that there's a GPU-enabled version of hashcat, ocl-hashcat.

Why?
Whether you'll ever have a legitimate need for this stuff depends, but apart from the fun of it -- and the feelings of Power that cracking gives you -- being able to crack the odd password does serve as an eye opener to how easy this can be under the right circumstances. And who knows? You might find a justified use for it, especially if you're in academia, where old computers and poor discipline abound, and you are faced with computers that belong to you but were set up without any proper records.


Installation
sudo apt-get install p7zip-full
sudo mkdir /opt/hashcat -p
sudo chown $USER /opt/hashcat
cd /opt/hashcat
wget http://hashcat.net/files/hashcat-0.44.7z
wget http://hashcat.net/files/hashcat-gui-0.5.1.7z
wget http://runamux.net/search/download/file/95wr2RdM/rockyoutxt.bz2
7z x hashcat-0.44.7z
7z x hashcat-gui-0.5.1.7z
bunzip2 rockyoutxt.bz2
echo 'export PATH=$PATH:/opt/hashcat/hashcat-0.44:/opt/hashcat/hashcat-gui-0.5.1' >> ~/.bashrc
source ~/.bashrc


Test run
Let's generate a file of simple passwords to crack:
echo -n "city" | md5sum > test.list
echo -n "n00b" | md5sum >> test.list
echo -n "123654"| md5sum >> test.list
echo -n "Chicago"| md5sum >> test.list
cat test.list
4ed5d2eaed1a1fadcc41ad1d58ed603e
16e029226d8960b2d7cba16cab5f7044
733d7be2196ff70efaf6913fc8bdcabf
9cfa1e69f507d007a516eb3e9f5074e2
Edit the test.list file to remove all the ' - ' that md5sum appends. Note that you need to run hashcat-gui from your /opt/hashcat/hashcat-0.44/ folder. Start hashcat-gui:

cd /opt/hashcat/hashcat-0.44/
hashcat-gui64.bin




Once it has finished, you can look at the output:
cat test.list.out
733d7be2196ff70efaf6913fc8bdcabf:123654
9cfa1e69f507d007a516eb3e9f5074e2:Chicago
4ed5d2eaed1a1fadcc41ad1d58ed603e:city
Use the best64 rule set and it cracks all the passwords, and does it fast:

733d7be2196ff70efaf6913fc8bdcabf:123654
9cfa1e69f507d007a516eb3e9f5074e2:Chicago
4ed5d2eaed1a1fadcc41ad1d58ed603e:city
16e029226d8960b2d7cba16cab5f7044:n00b
My account password wasn't cracked by this, though; all we can be certain of is that it would take someone more than 30 seconds to do so. Maybe 35 seconds, maybe 2 years -- we can't tell.

If you want to compare with John the Ripper you could do e.g.
mpirun -n 6 run/./john test.list --wordlist=rockyoutxt --format=raw-md5

to do list-based cracking and
mpirun -n 6 run/./john test.list --format=raw-md5

for brute-force.

John the Ripper works well for Windows passwords as well (I might write about that in another post).


Linux passwords
To crack actual Linux user passwords you'll need to access /etc/shadow, and only root should be able to do that. Looking at /etc/shadow we have, for example,
guest:$6$MyySaltt$eZXKl12CRRPZW1O/wKpodIB76f46NNVQ3o2Pyvh3m0QeHaW20WthUCkeLCZSPS6o9lks8g4Ua8v6OqbIXZw4r.:12567:0:88888:3:::
I've made up the string above (using mkpasswd -m sha-512 -S MyySaltt, i.e. salted with MyySaltt). Anyway, copy the hash, e.g.

$6$MyySaltt$eZXKl12CRRPZW1O/wKpodIB76f46NNVQ3o2Pyvh3m0QeHaW20WthUCkeLCZSPS6o9lks8g4Ua8v6OqbIXZw4r.

to a file, e.g. nutest.list

Do
man crypt
ID | Method
---------------------------------------------------------
1  | MD5
2a | Blowfish (not in mainline glibc; added in some
   | Linux distributions)
5  | SHA-256 (since glibc 2.7)
6  | SHA-512 (since glibc 2.7)
The $6$ means that it's a SHA-512 hashed password.

Now run hashcat:
hashcat-cli64.bin -n 6 -m 1800 nutest.list rockyoutxt -r /opt/hashcat/hashcat-0.44/rules/best64.rule

where -m 1800 is the code for SHA-512 crypt ($6$) hashes (run hashcat --help to see which code to use) and -n 6 is the number of threads (six-core CPU). You should be able to easily crack this one...
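To show what a $6$ hash like the one above actually is, here is an added example (not code from the post): a pure-Python sha512crypt, the scheme hashcat's -m 1800 targets, written from Drepper's SHA-crypt spec, plus a shadow-line audit that recomputes the hash for a short list of known-weak passwords. The salt MyySaltt is the post's; the candidate passwords and shadow lines are constructed.

```python
import hashlib
import hmac

# Added example, not code from the post: a pure-Python sha512crypt (the $6$
# scheme hashcat mode 1800 targets) per Drepper's SHA-crypt spec, plus a
# shadow-line audit that recomputes it for a list of known-weak passwords.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ORDER = [(0,21,42), (22,43,1), (44,2,23), (3,24,45), (25,46,4), (47,5,26),
         (6,27,48), (28,49,7), (50,8,29), (9,30,51), (31,52,10), (53,11,32),
         (12,33,54), (34,55,13), (56,14,35), (15,36,57), (37,58,16),
         (59,17,38), (18,39,60), (40,61,19), (62,20,41)]  # spec output order


def sha512_crypt(password, salt, rounds=None):
    """Return '$6$[rounds=N$]salt$hash'; the salt is cut to 16 characters."""
    pw, sl, n = password.encode(), salt.encode()[:16], rounds or 5000
    b = hashlib.sha512(pw + sl + pw).digest()
    a = hashlib.sha512(pw + sl + b * (len(pw) // 64) + b[:len(pw) % 64])
    k = len(pw)
    while k:                        # bits of len(pw), lowest bit first
        a.update(b if k & 1 else pw)
        k >>= 1
    c = a.digest()
    p = (hashlib.sha512(pw * len(pw)).digest() * (len(pw) // 64 + 1))[:len(pw)]
    s = hashlib.sha512(sl * (16 + c[0])).digest()[:len(sl)]
    for r in range(n):              # the deliberately slow chained-hash loop
        h = hashlib.sha512(p if r & 1 else c)
        h.update((s if r % 3 else b"") + (p if r % 7 else b""))
        h.update(c if r & 1 else p)
        c = h.digest()
    out = ""
    for i0, i1, i2 in ORDER:        # 3 bytes -> 4 crypt-base64 chars
        v = (c[i0] << 16) | (c[i1] << 8) | c[i2]
        out += "".join(ITOA64[(v >> 6 * j) & 63] for j in range(4))
    out += ITOA64[c[63] & 63] + ITOA64[c[63] >> 6]
    pfx = "$6$" + (f"rounds={rounds}$" if rounds else "")
    return f"{pfx}{sl.decode()}${out}"


def check_shadow_line(line, candidates):
    """Audit one /etc/shadow line: return the matching candidate, else None."""
    user, field = line.split(":")[:2]
    parts = field.split("$")        # ['', '6', ['rounds=N',] salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError(f"{user}: not a $6$ (SHA-512 crypt) hash")
    rounds = int(parts.pop(2)[7:]) if parts[2].startswith("rounds=") else None
    for cand in candidates:
        if hmac.compare_digest(sha512_crypt(cand, parts[2], rounds), field):
            return cand
    return None
```

Every candidate costs 5000 chained SHA-512 calls, which is the work factor the $6$ design adds on top of the salt, and it is exactly the cost that hashcat's rule engine and GPU builds are optimised to pay as fast as possible.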

7 comments:

  1. Thanks for the post, but may I ask for the source of your information about hashcat being a keylogger?!

    And you only talked about hashcat, not ocl-hashcat (the GPU-aided edition).

    1. The comment was about closed source in general -- if it's closed source then you're taking your chances, however small (in reality few people inspect the source code, so with the possible exception of large, collaborative projects you're always taking a small risk). This was to highlight why one might want to consider john the ripper instead, although I think that program comes in both an open and a closed flavour.
      I'll update the post with a reference to ocl-hashcat.

    2. I talked to the guys in team hashcat and they pointed out that for a program to be a keylogger it needs a network connection, and hashcat doesn't use any network connection, and saying about a specific program that it's a keylogger and it sends your passwords to a central database isn't really a general comment!
      I'm aware of the issues behind using proprietary software, but in my opinion this is not the right way to encourage FOSS use.

    3. Fair enough. As I wrote before, it wasn't a jab at hashcat as such. Either way, I've removed the offending sentences lest they should be misinterpreted again in the future.

    4. Nice, good to know, good luck.

  2. Maybe you could add a reference in the end of the post.

  3. How do I crack a blockchain wallet second password? This GUI doesn't have a second password or blockchain option. I have the first - the most encrypted. I think the second is a salted SHA256.
