H 520: Hashcat (60 pts)

What You Need for This Project

Getting Hashcat

In an SSH or Terminal window, execute these commands:
sudo apt update
sudo apt install hashcat -y
hashcat -V
Hashcat runs, showing its version number, as shown below.

Creating a Test User

In a Terminal window, execute this command:
sudo adduser fred
At the "Enter new UNIX password" prompt, enter a password of password

At the "Retype new UNIX password" prompt, enter a password of password

Press Enter to accept defaults for the other options, as shown below:

Viewing the Password Hash

In a Terminal window, execute this command to print the last line of /etc/shadow, which contains the password hash for the new user:
sudo tail -n 1 /etc/shadow
The password hash appears, as shown below (your hash will be different).

The $y$ prefix indicates that this is a yescrypt hash, which cannot be cracked by hashcat as of 2023. It can be cracked with john, however.

Generating a $6$ Hash

Execute these commands to create a type $6$ hash to crack, as shown below.

The $6$ indicates a type 6 password hash (SHA-512, many rounds).

sudo apt update
sudo apt install whois
mkpasswd -m sha-512 password SALTSALT > crack1.hash
cat crack1.hash

Finding Your Salt Value

The characters after $6$, up to the next $, are the SALT.

In the image above, the SALT is SALTSALT

Understanding the Hash Algorithm

The hash algorithm is defined in the file /etc/login.defs. To see the portion of that file discussing the password hash algorithm, execute this grep command to see 18 lines after the line containing the string "ENCRYPT_METHOD":
sudo grep -A 18 ENCRYPT_METHOD /etc/login.defs
As you can see, Debian 10 Linux uses SHA-512 hashes, with the default value of 5000 rounds:
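
The fields described above (scheme prefix, optional rounds value, salt) can be pulled out of shadow-format lines to audit which accounts use which scheme and cost. This is an added example, not part of the original lab: the function names, sample users and placeholder digests are constructed, and the "-" mode shown for yescrypt follows this page's statement about hashcat support.

```bash
#!/usr/bin/env bash
# Added example (not from the original lab).
# A shadow line is ':'-separated; field 2 is the crypt(3) string:
#   $id$[rounds=N$]salt$digest      (yescrypt: $y$params$salt$digest)

classify_shadow() {
  # Reads shadow-format lines on stdin.
  # Prints: user scheme rounds salt hashcat_mode   ("-" = not applicable)
  awk -F: '
    {
      user = $1; h = $2
      scheme = "unknown"; rounds = "-"; salt = "-"; mode = "-"
      if (h == "" || h ~ /^[!*]/) {          # empty, locked or disabled
        scheme = "none"
      } else {
        split(h, p, /[$]/)                   # p[1] is empty, p[2] is the id
        if (p[2] == "6" || p[2] == "5") {
          scheme = (p[2] == "6") ? "sha512crypt" : "sha256crypt"
          mode   = (p[2] == "6") ? 1800 : 7400
          rounds = 5000; salt = p[3]         # 5000 is the default when rounds= is absent
          if (p[3] ~ /^rounds=[0-9]+$/) { rounds = substr(p[3], 8); salt = p[4] }
        } else if (p[2] == "1") {
          scheme = "md5crypt"; mode = 500; salt = p[3]
        } else if (p[2] == "y") {
          scheme = "yescrypt"; salt = p[4]   # p[3] holds the cost parameters
        }
      }
      print user, scheme, rounds, salt, mode
    }'
}

# Constructed sample lines; the digests are placeholders, not real hashes.
sample_shadow() {
  cat <<'EOF'
root:!:19000:0:99999:7:::
fred:$y$j9T$CONSTRUCTEDSALT$PLACEHOLDERDIGEST:19000:0:99999:7:::
test1:$6$SALTSALT$PLACEHOLDERDIGEST:19000:0:99999:7:::
test2:$6$rounds=100000$SALTSALT$PLACEHOLDERDIGEST:19000:0:99999:7:::
EOF
}

sample_shadow | classify_shadow
```

On a real system, run it as `sudo cat /etc/shadow | classify_shadow`; accounts still on md5crypt or on a low rounds value are the ones to rehash first.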

Downloading a Wordlist

Hashcat comes with an example wordlist. To get it, and see what it contains, execute these commands:
sudo apt install wget -y
wget https://github.com/hashcat/hashcat/raw/master/example.dict
head example.dict
tail example.dict
grep password example.dict
wc -l example.dict
As shown below, this file contains over 128,000 words, including the correct password of "password":

Cracking the Hash

In a Terminal window, execute this command:
hashcat -m 1800 -a 0 crack1.hash example.dict
Explanation: This uses hashcat with these options:

H 520.1: Status (10 pts)

After a few minutes, hashcat will find the password, outlined in yellow in the image below.

The flag is covered by a green rectangle in the image above.

Getting the crack2.hash List

In a Terminal window, execute these commands:
wget https://samsclass.info/123/proj10/crack2.hash 
cat crack2.hash
You should see four password hashes, as shown below:

H 520.2: p-Password (10 pts)

Crack the hashes using the same wordlist. One of the passwords begins with the letter "p". That password is the flag.

If you're waiting for 20 minutes, you're doing it the hard way. Try trimming the wordlist before performing the crack.

H 520.3: s-Password (10 pts)

Crack the hashes using the same wordlist. One of the passwords begins with the letter "s". That password is the flag.

Cracking Windows NTLM Hashes

Here are hashes from a Windows 2016 Server:
wagner:"":"":AAD3B435B51404EEAAD3B435B51404EE:4F2D47B681C9FCFFBE11ED6E9F7DF1BA
waldo:"":"":AAD3B435B51404EEAAD3B435B51404EE:76BF100CEA9B9F7B9E0C78419998AE1B
walter:"":"":AAD3B435B51404EEAAD3B435B51404EE:A60E7EB7B49FD0C2E7DD4739FF2AE76B
Crack them to find the flags, as shown below.

Hint: remove extraneous text from the hashes to avoid confusing hashcat.

H 520.4: Word (10 pts)

One of the passwords is in the example wordlist, like "password". That password is the flag.

H 520.5: Word Plus Digit (10 pts)

One of the passwords is a word in the example wordlist with a digit added to it, like "password1".

That password is the flag.

H 520.6: Word Plus Two Digits (10 pts)

One of the passwords is a word in the example wordlist with two digits added to it, like "password11".

That password is the flag.


Renumbered and updated for Google cloud 6-8-2020
Updated with local copy of hashcalc version 2 2-18-23
Unzipping instructions fixed 3-23-23
"$y$" warning added 3-24-23
7z command fixed 5-10-23
Updated for hashcat v6 7-19-23
420.6 fixed 9-13-23