Cracking a SHA512 Debian password hash with oclhashcat on Debian 8.0. I am using a Radeon HD6670 card and I created a user with the crappy password of “password”. Then I downloaded oclHashcat 1.37 and used this to crack the password using the GPU.
    $ john unshadowed
    Warning: detected hash type 'sha512crypt', but the string is also recognized as 'crypt'
    Use the '--format=crypt' option to force loading these as that type instead
    Using default input encoding: UTF-8
    Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
    Press 'q' or Ctrl-C to

SHA-512 is a member of the SHA-2 family of hash functions, alongside SHA-256; it generates a fixed-size 512-bit (64-byte) digest. A hash is designed as a one-way function: it cannot be reversed, but a hash of a weak password can still be cracked by guessing, either by brute force or by hashing candidate strings from a wordlist and comparing each result with the target. Note that a $6$ entry in /etc/shadow is not a bare SHA-512 digest but sha512crypt (the crypt(3) "$6$" scheme): it mixes a salt into the password and iterates SHA-512 5,000 times by default, so every guess costs 5,000 hash computations rather than one, and a precomputed table cannot be shared between two users with different salts.

I think there may also be a 'fat' salted SHA512 format (not 100% sure). I do know that with dynamic, getting hashes like this where there is no 'real' format is pretty easy to do now. With the new on-command-line dynamic, you do not even need to write a script any more.

First in this tutorial we cover John and Johnny (the GUI front end for John); these twin tools are very good at cracking hashes. Offline methods: John the Ripper is a free and open source tool. To use this easy and awesome tool, just open a terminal window and call it by name, 'john'.
This is the password hash in the /etc/shadow file. The $ sign is the delimiter between the fields of a crypt(3) hash string: $6$ at the start identifies this as a SHA512 (sha512crypt) password hash, the next section up to the following $ is the salt (up to 16 characters, generated randomly when the password was set), and the final section is the 86-character encoded hash. When a non-default iteration count was used, an extra rounds=N$ field appears between the $6$ id and the salt.
I needed to edit this file to remove the extraneous data (the user name and the other colon-separated fields) and leave just the hash string, from $6$ through the end of the hash, one per line, which is the form hashcat expects.
Then I could use oclHashcat in hash mode 1800 (sha512crypt) with rockyou.txt from Kali Linux to attack this hash and get the user's password.
This is the output I received after cracking the password with oclHashcat.
And now I have the user's password. That is how simple this is, but you need a wordlist with the password in it, and large wordlists consume a very large amount of disk space. I have cracked a PIN hash with a wordlist generated with crunch, but it was 60 gigabytes. Candidate counts grow exponentially with length and character set: every 4-digit number is only 10,000 lines (about 50 KB), but each additional position multiplies the list by the size of the character set. Luckily, this PIN code only used certain digits, and therefore the wordlist of all possible PINs was far smaller than it could have been. The rockyou.txt file may be downloaded here: http://scrapmaker.com/download/data/wordlists/dictionaries/rockyou.txt (Kali Linux also ships it as /usr/share/wordlists/rockyou.txt.gz). This is quite a comprehensive wordlist and I have used it to crack a couple of things. More wordlists are available here: https://github.com/danielmiessler/SecLists/tree/master/Passwords.
The mkpasswd command allows the creation of a password hash on Linux.
Here is an example. The salt is randomly generated. This generates a password hash for the password "password" three times, and we get a different result each time because each run picks a fresh salt. But when I put one of these password hashes on an actual Linux system, I was able to log in, so any of them is a valid hash of the same password.
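To make the $6$ format, the mkpasswd behaviour and the wordlist attack concrete, here is an added example (my code, not code from the post, hashcat or mkpasswd): a pure-Python sha512crypt following Drepper's specification, a make_hash() that does what mkpasswd -m sha-512 does (a fresh random salt on every call), and a dictionary attack against a constructed /etc/shadow line. The user name, salt, wordlist and the 5,000-round default are assumptions; the sample shadow line is built inside the script rather than copied from a real system.

```python
# Added example, not from the original post: pure-Python sha512crypt ("$6$")
# plus a wordlist attack on a constructed /etc/shadow line.
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000          # glibc default; this is hashcat mode 1800


def _b64_from_24bit(b2, b1, b0, n):
    """crypt(3)-style base64: n characters, six bits at a time, low bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += ITOA64[w & 0x3F]
        w >>= 6
    return out


def _encode_digest(d):
    # The 64 digest bytes are emitted as the triples (k, k+21, k+42),
    # rotated left by k mod 3, and finally byte 63 on its own (86 chars).
    out = ""
    for k in range(21):
        t = (k, k + 21, k + 42)
        t = t[k % 3:] + t[:k % 3]
        out += _b64_from_24bit(d[t[0]], d[t[1]], d[t[2]], 4)
    return out + _b64_from_24bit(0, 0, d[63], 2)


def _parse_setting(setting):
    """Split '$6$[rounds=N$]salt[$hash]' into (salt, rounds, rounds_was_explicit)."""
    if not setting.startswith("$6$"):
        raise ValueError("not a sha512crypt string")
    rest = setting[3:]
    rounds, explicit = DEFAULT_ROUNDS, False
    if rest.startswith("rounds="):
        field, _, rest = rest.partition("$")
        rounds, explicit = max(1000, min(int(field[7:]), 999_999_999)), True
    return rest.split("$")[0][:16], rounds, explicit   # salt is capped at 16 chars


def sha512_crypt(password, setting):
    """Return the full '$6$...' string for password under the given setting or hash."""
    salt, rounds, explicit = _parse_setting(setting)
    key, s = password.encode(), salt.encode()

    b = hashlib.sha512(key + s + key).digest()          # digest B
    ctx = hashlib.sha512(key + s)                        # digest A, in progress
    cnt = len(key)
    while cnt > 64:
        ctx.update(b)
        cnt -= 64
    ctx.update(b[:cnt])
    cnt = len(key)
    while cnt:                                           # one block per bit of len(pw)
        ctx.update(b if cnt & 1 else key)
        cnt >>= 1
    a = ctx.digest()

    dp = hashlib.sha512(key * len(key)).digest()
    p = (dp * (len(key) // 64 + 1))[:len(key)]           # P: len(pw) bytes of DP
    ds = hashlib.sha512(s * (16 + a[0])).digest()
    sb = ds[:len(s)]                                     # S: len(salt) bytes of DS

    for i in range(rounds):                              # the cost factor
        ctx = hashlib.sha512(p if i & 1 else a)
        if i % 3:
            ctx.update(sb)
        if i % 7:
            ctx.update(p)
        ctx.update(a if i & 1 else p)
        a = ctx.digest()

    prefix = "$6$" + (f"rounds={rounds}$" if explicit else "")
    return prefix + salt + "$" + _encode_digest(a)


def make_hash(password, rounds=None):
    """Fresh random 16-char salt per call, like mkpasswd: same password, new hash."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(16))
    setting = "$6$" + (f"rounds={rounds}$" if rounds else "") + salt
    return sha512_crypt(password, setting)


def verify(password, hashed):
    return hmac.compare_digest(sha512_crypt(password, hashed), hashed)


def crack_shadow_line(line, wordlist):
    """Try each word against the hash field (second field) of one /etc/shadow line."""
    hashed = line.split(":")[1]
    if not hashed.startswith("$6$"):          # locked ("!", "*") or another scheme
        return None
    for word in wordlist:
        if verify(word, hashed):
            return word
    return None


# Constructed sample data (assumed user name and salt), password "password".
SHADOW_LINE = "debianuser:" + sha512_crypt("password", "$6$KbXzCn2y9t.Q4wP3") + ":16600:0:99999:7:::"
WORDLIST = ["123456", "letmein", "qwerty", "password", "iloveyou"]

if __name__ == "__main__":
    print(crack_shadow_line(SHADOW_LINE, WORDLIST))
```

Each guess costs 5,000 SHA-512 calls, so pure Python manages only a few hundred guesses per second while the GPU in the post runs through rockyou.txt in minutes; that gap is exactly what the rounds parameter is for, and why raising rounds= on your own systems is cheap insurance.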
But if you have access to the shadow file, you would normally have root access and would be able to change the password with passwd anyway. Cracking is still worthwhile when the copy is offline (a backup or a disk image) or when you want the clear-text password itself, which is often reused on other systems. But this goes to show that you can crack a SHA512 password hash on Linux in no time with a GPU, provided the password is in your wordlist.
In this post I will show you how to crack Windows passwords using John The Ripper.
John the Ripper is a fast password cracker, primarily for cracking Unix (shadow) passwords. Besides Unix crypt(3) hashes it also supports cracking Windows LM hashes and many more hash types through open source contributed patches (the "jumbo" version).
Now let's talk about the password protection method used by Windows. Windows user account passwords are not stored in clear text: the SAM hive of the registry (which corresponds to the file %SystemRoot%\system32\config\SAM) holds one-way hashes of them, the NT hash and, on older systems, also the LM hash, which is very well known for its cryptanalytic weaknesses. The hashes inside the SAM are further encrypted with the SysKey (Windows 2000 and above), which is derived from values stored in the SYSTEM hive (%SystemRoot%\system32\config\system). At boot, Windows uses the SysKey to decrypt the hashes from the SAM and loads the hive into the registry, where they are used for authentication. Both the system and SAM files are held open exclusively by the kernel during Windows' runtime, so they are unavailable to standard programs (like regedit) or a plain file copy, which is why the hashes are extracted from another operating system below. As told earlier, the LM hash is very weak. The LM algorithm is explained below:
- The ASCII password is converted to uppercase
- It is padded with nulls to 14 bytes (anything beyond 14 characters cannot be represented)
- The 14 bytes are split into two independent 7-byte halves
- Each 7-byte half is expanded to a 64-bit (8-byte) DES key by inserting a parity bit after every 7 bits
- Each DES key encrypts the fixed string "KGS!@#$%", giving an 8-byte ciphertext per half
- The two ciphertexts are joined to form the 16-byte LM hash
Major pitfalls of the LM hash
- Only ASCII (the OEM code page) is handled, not Unicode
- Upper-casing collapses the key space: iRock and IROCK produce the same LM hash
- Passwords longer than 14 characters cannot be represented, so no LM hash is stored for them
- There is no salt, so identical passwords give identical hashes and the hashes can be precomputed once for every account
- The two halves are attacked independently, each being at most a 7-character search, and it is easy to tell whether the password is 7 characters or fewer: the second half is then always the encryption under the all-zero key, the constant aad3b435b51404ee
The NT hash that replaced it is Unicode and case-sensitive, but it is still a single unsalted MD4 of the UTF-16LE password, so a wordlist attack against it is just as cheap per guess.
Cracking Windows Passwords with John The Ripper
For the sake of demonstrating this I had already set up a dummy account called demo and allotted it the password iRock, which will be cracked later on.
[Screenshot: User Accounts showing the demo user]
I booted using the Ubuntu LiveCD and mounted my Windows partition, /dev/sda1. Then I copied the SAM and system files to /home/prakhar, installed samdump2 and John The Ripper, and dumped the syskey and the NTLM hashes from the system and SAM files respectively.
[Screenshot: NTLM hashes recovered from the SAM file]
I then brute-forced the password using John The Ripper.
You can clearly see above that JTR has cracked the password within a matter of seconds; I aborted the session in between since the password was already recovered. Mission accomplished!