H 520: Hashcat (60 pts)

What You Need for This Project

Getting Hashcat

In an SSH window, execute these commands:
sudo apt update
sudo apt install hashcat -y
hashcat
Hashcat runs, showing a brief help message, as shown below.

Creating a Test User

In a Terminal window, execute this command:
sudo adduser jose
At the "Enter new UNIX password" prompt, enter a password of password

At the "Retype new UNIX password" prompt, enter a password of password

Press Enter to accept defaults for the other options, as shown below:

Viewing the Password Hash

In a Terminal window, execute this command:
sudo tail -n 1 /etc/shadow
The password hash for jose appears, as shown below (your hash will be different):

Finding Your Salt Value

Look at the hash field following the username "jose". The $6$ prefix indicates a type 6 password hash (SHA-512, many rounds). The characters after $6$, up to the next $, are the SALT.

In my example, the SALT is NArMeZ5Qr9Vtn8T0

Understanding the Hash Algorithm

The hash algorithm is defined in the file /etc/login.defs. To see the portion of that file discussing the password hash algorithm, execute this grep command to see 18 lines after the line containing the string "ENCRYPT_METHOD":
sudo grep -A 18 ENCRYPT_METHOD /etc/login.defs
As you can see, Debian 10 Linux uses SHA-512 hashes, with the default value of 5000 rounds:

Making a Hash File

In a Terminal window, execute these commands:
sudo tail -n 1 /etc/shadow > crack1.hash
nano crack1.hash
In the nano text editor, carefully delete the username jose and the colon after it, and all the numbers at the end of the line, including all the colons, leaving only the hash, as shown below:

Press Ctrl+X, Y, Enter to save the file.
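
The salt and hash-file steps above can also be done without hand editing. The following is an added example, not part of the original project: shell functions that pull the crypt string out of shadow-style lines and split it into scheme, rounds and salt. The sample lines are constructed, their digest text is a placeholder, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: split /etc/shadow-style lines into the parts this project
# discusses. SAMPLE_LINES are constructed; the digest text is a placeholder,
# not a real hash.
SAMPLE_LINES='jose:$6$NArMeZ5Qr9Vtn8T0$PLACEHOLDERDIGEST:18421:0:99999:7:::
maria:$6$rounds=100000$ConstructedSalt1$PLACEHOLDERDIGEST:18421:0:99999:7:::
olduser:$1$ConstrSa$PLACEHOLDERDIGEST:18421:0:99999:7:::
locked:!:18421:0:99999:7:::'

# hash_field (hypothetical name): print only field 2, the crypt string, which
# is what remains in crack1.hash after the manual nano edit.
# Locked or empty entries (no leading $) are skipped.
hash_field() {
    awk -F: '$2 ~ /^[$]/ { print $2 }'
}

# describe (hypothetical name): print "user scheme rounds salt" per entry.
# SHA-crypt schemes ($5$, $6$) default to 5000 rounds unless the crypt string
# carries an explicit rounds= parameter before the salt.
describe() {
    awk -F: '$2 ~ /^[$]/ {
        split($2, p, "[$]")            # p[1] is empty, p[2] is the scheme id
        rounds = "-"; salt = p[3]
        if (p[2] == "6" || p[2] == "5") rounds = 5000
        if (p[3] ~ /^rounds=/) { rounds = substr(p[3], 8); salt = p[4] }
        print $1, p[2], rounds, salt
    }'
}

# hashcat_mode (hypothetical name): map a scheme id to the hashcat -m value.
hashcat_mode() {
    case "$1" in
        6) echo 1800 ;;   # sha512crypt, the mode used in this project
        5) echo 7400 ;;   # sha256crypt
        1) echo 500 ;;    # md5crypt
        *) echo unknown ;;
    esac
}

# Show the parsed fields for the constructed sample.
printf '%s\n' "$SAMPLE_LINES" | describe
```

Against a real system, feed the functions from sudo cat /etc/shadow instead of SAMPLE_LINES; any account that reports scheme 1 is still stored as md5crypt.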

Downloading a Wordlist

Hashcat comes with an example wordlist. To get it, and see what it contains, execute these commands:
sudo apt install wget -y
wget https://github.com/hashcat/hashcat/raw/master/example.dict
head example.dict
tail example.dict
grep password example.dict
wc -l example.dict
As shown below, this file contains over 128,000 words, including the correct password of "password":

Cracking the Hash

In a Terminal window, execute this command:
sudo hashcat --force -m 1800 -a 0 -o found1.txt --remove crack1.hash example.dict
Explanation: This uses hashcat with these options:

After a few seconds, press Enter.

Hashcat shows that it has made some progress. When I did it, it was 16% through the wordlist, as shown below.

After a few minutes, hashcat will find the password and stop, as shown below.

H 520.1: Status (10 pts)

The flag is covered by a green rectangle in the image above.
To see the password, execute this command:
sudo cat found1.txt
The password appears at the end of the line, after the hash, as shown below.

Getting the crack2.hash List

In a Terminal window, execute these commands:
wget https://samsclass.info/123/proj10/crack2.hash 
cat crack2.hash
You should see four password hashes, as shown below:

H 520.2: P-Password (10 pts)

Crack the hashes using the same wordlist. One of the passwords begins with the letter "p". That password is the flag.

If you're waiting for 20 minutes, you're doing it the hard way.

H 520.3: S-Password (10 pts)

Crack the hashes using the same wordlist. One of the passwords begins with the letter "s". That password is the flag.

Cracking Windows NTLM Hashes

Here are hashes from a Windows 2016 Server:
wagner:"":"":AAD3B435B51404EEAAD3B435B51404EE:4F2D47B681C9FCFFBE11ED6E9F7DF1BA
waldo:"":"":AAD3B435B51404EEAAD3B435B51404EE:76BF100CEA9B9F7B9E0C78419998AE1B
walter:"":"":AAD3B435B51404EEAAD3B435B51404EE:A60E7EB7B49FD0C2E7DD4739FF2AE76B
Crack them to find the flags, as shown below.

H 520.4: Word (10 pts)

One of the passwords is in the example wordlist, like "password". That password is the flag.

H 520.5: Word Plus Digit (10 pts)

One of the passwords is a word in the example wordlist with a digit added to it, like "password1".

That password is the flag.

H 520.6: Wordlist (10 pts)

One of the passwords is a word in the example wordlist with two digits added to it, like "password11".

That password is the flag.


Renumbered and updated for Google cloud 6-8-2020