Password Hash Cracking

TL;DR

You can’t reverse a password hash directly: hashes are one-way functions. What you can do is guess the original password, either by comparing the hash against pre-computed tables of hashes (rainbow tables) or by hashing common passwords and their variations and looking for a match (dictionary and brute-force attacks). Success depends on password complexity and on whether the password has been exposed in an earlier breach.

How Password Hashing Works

Before we get into cracking, let’s understand hashing. When you set a password, the system doesn’t store the actual password itself. Instead, it runs the password through a hash function. This creates a fixed-size string of characters (the hash). If someone steals the database, they only get the hashes, not your passwords.

Steps to Attempt Password Hash Cracking

  1. Identify the Hashing Algorithm: Knowing which algorithm was used is crucial. Common ones include MD5, SHA-1, SHA-256, bcrypt, and Argon2. Sometimes this information is available in documentation or by analysing the system.
  2. Online Hash Lookup Services: These are a quick first step.
    • Hashcat Mode 0 (Straight Lookup): Use websites like CrackStation or MD5Online to see if the hash is already in their databases of cracked passwords.
  3. Download a Password Cracking Tool: Hashcat and John the Ripper are popular choices. Hashcat is generally faster for GPU-based cracking, while John the Ripper is more versatile.
    • Install Hashcat (Example on Linux):
      sudo apt update && sudo apt install hashcat
  4. Create a Wordlist: A wordlist is a text file containing potential passwords. Good sources include:
    • Common password lists (rockyou.txt).
    • Lists based on data breaches.
    • Variations of the target’s username or related information.
  5. Run a Dictionary Attack: This tries passwords from your wordlist.
    hashcat -m <hash_type> -a 0 hashfile.txt wordlist.txt

    Replace <hash_type> with the correct algorithm number (e.g., 0 for MD5, 1400 for bcrypt). Replace hashfile.txt with your file containing the hashes and wordlist.txt with your wordlist.

  6. Run a Brute-Force Attack: This tries all possible combinations of characters within a specified length.
    hashcat -m <hash_type> -a 3 hashfile.txt ?l?l?l?l?l?l?l?l

    This example attempts 8-character passwords using lowercase letters (?l). Brute-force attacks are very time-consuming.

  7. Use Rainbow Tables: Pre-computed tables of hashes and their corresponding passwords. They can be faster than brute-force but require significant storage space.
    • Hashcat supports rainbow tables with the -r option.
  8. Rulesets (Hashcat): Hashcat rules modify your wordlist to create variations (e.g., capitalization, adding numbers/symbols).
    hashcat -m <hash_type> -a 0 hashfile.txt wordlist.txt -r /path/to/ruleset.rule
  9. Hybrid Attacks: Combine dictionary attacks with brute-force or mask attacks.

Important Considerations

  • Salts: A salt is a random value added to the password before hashing. This makes rainbow table attacks much harder. Modern systems always use salts.
  • Key Stretching: Algorithms like bcrypt and Argon2 repeatedly hash the password, making cracking slower and more resource-intensive.
  • Password Complexity: Longer, more complex passwords with a mix of characters are significantly harder to crack.
  • Legal Implications: Cracking passwords without authorization is illegal. Only attempt this on systems you own or have explicit permission to test.
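The following is an added example, not code from the original post, that ties the ruleset step above to the salt and key-stretching points in this list. It runs a small rule-based dictionary attack (capitalise, append a digit or symbol) against an unsalted MD5 hash, then runs the same guesses against a salted, stretched record to show what the defender's parameters change: a precomputed table is useless because every guess has to be recomputed with the record's own salt, and each guess costs the full iteration count. The wordlist and rules are constructed stand-ins for rockyou.txt and a hashcat rule file; PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt/Argon2, and the 600,000 iteration default is an assumed value, not a figure from this post.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist: stands in for the first few lines of rockyou.txt.
WORDLIST = ["password", "letmein", "summer", "dragon", "welcome"]

# Assumed PBKDF2 work factor for the salted/stretched records below.
PBKDF2_ITERATIONS = 600_000


def apply_rules(word):
    """Yield the word plus rule-style variations (capitalise, append digit/symbol),
    a tiny stand-in for a hashcat ruleset."""
    yield word
    yield word.capitalize()
    for suffix in ["1", "123", "!", "2024"]:
        yield word + suffix
        yield word.capitalize() + suffix


def md5_hex(password):
    """Fast, unsalted hash: the kind a precomputed table or GPU attack targets."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(target_hex, wordlist=WORDLIST):
    """Dictionary attack with rules against an unsalted MD5 hash.
    Returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for word in wordlist:
        for candidate in apply_rules(word):
            attempts += 1
            if md5_hex(candidate) == target_hex:
                return candidate, attempts
    return None, attempts


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, stretched storage record. A fresh random salt per user means two
    users with the same password get different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def crack_salted(record, wordlist=WORDLIST):
    """The same guesses against a salted, stretched record. Nothing can be
    precomputed: each candidate is re-hashed with this record's salt, and each
    guess costs record['iterations'] HMAC computations instead of one MD5."""
    attempts = 0
    for word in wordlist:
        for candidate in apply_rules(word):
            attempts += 1
            if verify_password(candidate, record):
                return candidate, attempts
    return None, attempts


def salt_defeats_precomputation(password="summer", iterations=10_000):
    """Hash the same password twice with fresh salts: the digests differ, so a
    table keyed by digest cannot be reused across users or databases."""
    a = hash_password(password, iterations=iterations)
    b = hash_password(password, iterations=iterations)
    return a["digest"] != b["digest"]


if __name__ == "__main__":
    pw, n = crack_unsalted_md5(md5_hex("Summer1"))
    print(f"unsalted MD5: recovered {pw!r} after {n} guesses, 1 hash each")
    record = hash_password("Summer1", iterations=10_000)
    pw, n = crack_salted(record)
    print(f"salted PBKDF2: recovered {pw!r} after {n} guesses, "
          f"{record['iterations']} HMAC rounds each (x{record['iterations']} cost)")
    print("same password, different salts, different digests:",
          salt_defeats_precomputation())
```

The demonstration runs at a reduced iteration count so it finishes quickly; at the assumed default of 600,000 the cost multiplier per guess is correspondingly larger. The pattern to take from it is the one the considerations list: a weak password still falls to a rule-based dictionary attack, but salting removes the precomputation shortcut and key stretching makes every remaining guess expensive.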