Pentest Book
Password cracking

Identify hash

# https://github.com/noraj/haiti
haiti [hash]

Dictionary creation

# Pydictor
# https://www.github.com/landgrey/pydictor.git

Examples

# Numeric dictionary length 4
python3 pydictor.py -base d --len 4 4

# Capital letters dictionary length 4
python3 pydictor.py -base c --len 4 4

# Prepend word + digits 5 length
python3 pydictor.py --len 5 5 --head raj -base d

# Append word after digits 5 length
python3 pydictor.py --len 5 5 --tail raj -base d

# Permute chars in word
python3 pydictor.py -char raj

# Multiple permutations
python3 pydictor.py -chunk abc ABC 666 . _ @ "'"

# Dictionary based in word, added complexity 4 and fixed length
python pydictor.py -extend raj --level 4 --len 1 6

# Interactive mode
python3 pydictor.py --sedb

Options

-base dLc # Base digits, Lowercase letters and Capital letters
--encode b64 # Encode output

jtr

john --wordlist=/usr/share/wordlists/rockyou.txt hash
john --rules --wordlist=/usr/share/wordlists/rockyou.txt hash

Hashcat

Wiki

https://hashcat.net/wiki/doku.php?id=hashcat

Hashes

Sample password hash encoding strings [Openwall Community Wiki]
example_hashes [hashcat wiki]

Examples

# Dictionary
hashcat -m 0 -a 0 hashfile dictionary.txt -O --user -o result.txt

# Dictionary + rules
hashcat -m 0 -w 3 -a 0 hashfile dictionary.txt -O -r haku34K.rule --user -o result.txt

# Mask bruteforce (length 1-8 A-Z a-z 0-9)
# -1 takes the custom charset as its argument, so the charset must follow it directly
hashcat -m 0 -w 3 -a 3 hashfile ?1?1?1?1?1?1?1?1 --increment -1 ?l?d?u --user
hashcat -m 0 -w 3 -a 3 hashfile suffix?1?1?1 -i -1 ?l?d --user

# Modes
-a 0 = Dictionary (also with rules)
-a 3 = Bruteforce with mask

# Max performance options
--force -O -w 3 --opencl-device-types 1,2

# Output results
-o result.txt

# Ignore usernames in hashfile
--user/--username

# Masks
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff
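
As an added example (not from the original page and not hashcat's own code): a small Python calculator for the keyspace of the masks above. It shows how many candidates a mask with a custom `-1` charset and `--increment` generates, which is the number to look at when judging how long a given password length resists exhaustive search. The function names and the guess rate are assumptions made for illustration.

```python
import string

# Built-in charsets from the "Masks" notes above, stored as sets of byte values.
BUILTIN = {
    "l": set(string.ascii_lowercase.encode()),
    "u": set(string.ascii_uppercase.encode()),
    "d": set(string.digits.encode()),
    "s": set((" " + string.punctuation).encode()),   # space + 32 symbols
    "b": set(range(256)),
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]


def positions(mask, custom=None):
    """Return one set of byte values per mask position (ASCII masks assumed)."""
    custom = custom or {}
    out, i = [], 0
    while i < len(mask):
        if mask[i] != "?":                      # literal character
            out.append({ord(mask[i])})
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":                          # '??' is a literal question mark
            out.append({ord("?")})
        elif key in BUILTIN:
            out.append(BUILTIN[key])
        elif key in custom:                     # -1..-4 charsets use mask syntax too
            out.append(set().union(*positions(custom[key])))
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 2
    return out


def keyspace(mask, custom=None, increment=False):
    """Candidate count; with increment, every prefix length 1..len(mask) is summed."""
    total, running = 0, 1
    for charset in positions(mask, custom):
        running *= len(charset)
        total += running
    return total if increment else running


if __name__ == "__main__":
    RATE = 1e9  # constructed guess rate (hashes per second), not a benchmark
    for mask, cs in [("?1?1?1?1?1?1?1?1", {"1": "?l?d?u"}), ("?a" * 12, None)]:
        n = keyspace(mask, cs, increment=True)
        print(f"{mask}: {n} candidates, {n / RATE / 86400:.1f} days at {RATE:.0e} H/s")
```
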

Useful hashes

Linux Hashes - /etc/shadow

| ID | Description |
|----|-------------|
| 500 | md5crypt $1$, MD5(Unix) |
| 200 | bcrypt $2*$, Blowfish(Unix) |
| 400 | sha256crypt $5$, SHA256(Unix) |
| 1800 | sha512crypt $6$, SHA512(Unix) |

Windows Hashes

| ID | Description |
|----|-------------|
| 3000 | LM |
| 1000 | NTLM |

Common Hashes

| ID | Description | Type |
|----|-------------|------|
| 900 | MD4 | Raw Hash |
| 0 | MD5 | Raw Hash |
| 5100 | Half MD5 | Raw Hash |
| 100 | SHA1 | Raw Hash |
| 10800 | SHA-384 | Raw Hash |
| 1400 | SHA-256 | Raw Hash |
| 1700 | SHA-512 | Raw Hash |

Common Files with password

| ID | Description |
|----|-------------|
| 11600 | 7-Zip |
| 12500 | RAR3-hp |
| 13000 | RAR5 |
| 13200 | AxCrypt |
| 13300 | AxCrypt in-memory SHA1 |
| 13600 | WinZip |
| 9700 | MS Office <= 2003 $0/$1, MD5 + RC4 |
| 9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1 |
| 9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2 |
| 9800 | MS Office <= 2003 $3/$4, SHA1 + RC4 |
| 9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1 |
| 9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2 |
| 9400 | MS Office 2007 |
| 9500 | MS Office 2010 |
| 9600 | MS Office 2013 |
| 10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4) |
| 10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1 |
| 10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 |
| 10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8) |
| 10600 | PDF 1.7 Level 3 (Acrobat 9) |
| 10700 | PDF 1.7 Level 8 (Acrobat 10 - 11) |
| 16200 | Apple Secure Notes |

Database Hashes

| ID | Description | Type | Example Hash |
|----|-------------|------|--------------|
| 12 | PostgreSQL | Database Server | a6343a68d964ca596d9752250d54bb8a:postgres |
| 131 | MSSQL (2000) | Database Server | 0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578 |
| 132 | MSSQL (2005) | Database Server | 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe |
| 1731 | MSSQL (2012, 2014) | Database Server | 0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375 |
| 200 | MySQL323 | Database Server | 7196759210defdc0 |
| 300 | MySQL4.1/MySQL5 | Database Server | fcf7c1b8749cf99d88e5f34271d636178fb5d130 |
| 3100 | Oracle H: Type (Oracle 7+) | Database Server | 7A963A529D2E3229:3682427524 |
| 112 | Oracle S: Type (Oracle 11+) | Database Server | ac5f1e62d21fd0529428b84d42e8955b04966703:38445748184477378130 |
| 12300 | Oracle T: Type (Oracle 12+) | Database Server | 78281A9C0CF626BD05EFC4F41B515B61D6C4D95A250CD4A605CA0EF97168D670EBCB5673B6F5A2FB9CC4E0C0101E659C0C4E3B9B3BEDA846CD15508E88685A2334141655046766111066420254008225 |
| 8000 | Sybase ASE | Database Server | 0xc00778168388631428230545ed2c976790af96768afa0806fe6c0da3b28f3e132137eac56f9bad027ea2 |

Kerberos Hashes

| ID | Type | Example |
|----|------|---------|
| 13100 | Type 23 | $krb5tgs$23$ |
| 19600 | Type 17 | $krb5tgs$17$ |
| 19700 | Type 18 | $krb5tgs$18$ |
| 18200 | ASREP Type 23 | $krb5asrep$23$ |

Files

https://github.com/kaonashi-passwords/Kaonashi
https://github.com/NotSoSecure/password_cracking_rules
https://crackstation.net/files/crackstation-human-only.txt.gz
https://crackstation.net/files/crackstation.txt.gz
Last modified 2mo ago