How to use hashcat to crack hashes in Linux

New to cybersecurity? Do you want to be on his attacking side? As a member of the red team, you learn many techniques and tactics that help you perform the activities of the cyber elimination chain. One such task is privilege elevation, where you get password hashes.

hashcat is a powerful and versatile tool that brute force stored credentials using known hashes by conducting various attack modes. The article covers this password cracking utility used by penetration testers, system administrators, spies or hackers to find passwords.


What are hashes?

Hash is a one-way mathematical function or unique identifier that returns a fixed-length output, regardless of the size/length of the input. It is therefore an irreversible process that does not require a key as in encryption to decrypt the hash value.

The most common purpose of hashing is to ensure data integrity against tampering during data transmission. The hash properties are as follows:

  • Offers fast calculation
  • Good algorithms avoid the same output for different inputs
  • They are deterministic
  • Small changes in the input greatly influence the output hash value

Why use hashcat?

hashcat is a multi-threaded utility that allows you to configure the number of threads and limit execution based on priority. It supports over 300 hashing algorithms such as MD4, MD5, SHA1, SHA512, bcrypt, HMAC-SHA512, NTLM, MySQL, WHIRLPOOL, among others. It is available for all types of operating systems including Windows, Linux, Unix, and BSD.

USE VIDEO OF THE DAY

Ways to crack password hashes using hashcat

hashcat offers a variety of attack modes (Combiner, rule-based, brute-force guessing, hybrid, and dictionary attacks) to provide better coverage. Here is an explanation of some attacks that hashcat uses to crack hashed passwords:

  1. brute force attack: A brute force attack uses all possible character combinations to determine the exact password. However, it has a limitation of maximum password length and number of characters. Additionally, an advanced level of brute force attack can also optimize time by making complexity assumptions. For example, an advanced brute-force technique might assume that the first character is more likely to be uppercase and numbers are more likely to appear at the end of a password, etc.
  2. Dictionary attack: A dictionary attack uses a precomputed list of passwords based on information gathered around the target or an observed pattern among users. Therefore, it takes some of the most commonly used passwords and adds a few permutations to them to increase the range.
  3. hybrid attack: The hybrid is a combination of the attacks described above, as it checks if the password is “crackable” via a dictionary attack and switches to the brute force technique, if it is not possible.


How to install hashcat on Linux

hashcat is available by default in Kali Linux. To install it on Ubuntu and Debian:

sudo apt-get update
sudo apt-get install hashcat

On Fedora, CentOS, and other RHEL-based distributions:

sudo dnf update
sudo dnf install hashcat

To install hashcat on Arch Linux:

sudo pacman -Syu
sudo pacman -S hashcat

After installation, use the help command to list all available options:

hashcat --help

Some hashcat options and their descriptions are as follows:

Choice The description
-m The type of hash with a default value of 0, i.e. MD5 hash
-a Attack type, 0 for direct attack, 2 for combination and 3 for brute force attack
-o Store the cracked password in an output file
word list Requires password list path to match and decrypt hashes

To note: Before working with hashcat, make sure your system meets its hardware requirements. Check the official website for more details.

Crack hashes from /etc/shadow file in Linux

The /etc/shadow file stores scrambled or hashed values ​​of all user passwords on Linux. It is a critical file with strict access permissions; it is and should only be accessible by the root account.

Therefore, if you encounter readable text /etc/shadow file through any regular user account, you can get hash value of root account and decrypt password hash using hashcat utility.

For demonstration purposes, switch to the root account and create a new user account Alice to understand how hashcat works:

sudo su
sudo useradd -c "Alice" alice

Create a password using the passwd command:

passwd alice

Check the hashed password value inside the /etc/shadow file as follows:

cut -d: -f1 /etc/shadow | grep alice

To go out:

alice:$y$j9T$TANXgpk59y8r3jgPbDl/w/$UqiK6yahwqfyqhcegWLa1.z64TyePP5.VQpUnLqI3VD:19023:0:99999:7::

The hash in the output above starts from “Alice:” from ; save it in a new file hash.txt.

You can go to the hashcat website to identify the type of hash function and the associated reference value. The SHA512 hash mode is usually identified by the $6$ term and has a reference value of 1800.

You can also find the encryption method in the login.defs to file:

grep ENCRYPT_METHOD /etc/login.defs

Alice password hash and hash type

Next, check the associated value of the hash function using the hashcat command as follows:

hashcat -h | grep sha512

Hashcat Sha512

Now use the hashcat utility to decrypt the hash with the -a flag for attack mode, -m hint for hash reference value (because it does not support hash function name), hash.txt file path and a path to the word list rockyou.txt.

hashcat -m 1800 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

To go out:


.
.
$y$j9T$TANXgpk59y8r3jgPbDl/w/$UqiK6yahwqfyqhcegWLa1.z64TyePP5.VQpUnLqI3VD:12345
.
.

To note: On Kali Linux, the rockyou.txt the file is available by default in the /usr/share/wordlists phone book. You can also use other wordlists by running the following command in the terminal:

locate wordlists | less

To go out:


Localize wordlists in Kali Linux

However, for other Linux distributions, you will need to download the rockyou.txt GitHub repository file as follows:

wget https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/rockyou-20.txt

Crack passwords in Linux with hashcat

A well-designed authentication system does not store user passwords in plain text and in plain view, as this can lead to security breaches. A better authentication mechanism stores passwords as hashes in secure and inaccessible files. However, a password cracker such as hashcat is designed to crack or guess passwords using different attack modes.

This article details the ways a penetration tester should know to crack hashed passwords using the hashcat utility. As a red teamer, it is necessary to understand the techniques an attacker can use to compromise authentication controls and provide guidance on covering system vulnerabilities.


hash checkers
7 Free Hash Checkers to Check the Integrity of Any File

Are you ignoring the file hash check at your peril? Use these tools to verify that the file you are downloading is safe.

Read more


About the Author

About Jon Moses

Check Also

NSA, CISA say: don’t block PowerShell, here’s what to do instead

Image: Getty Images/iStockphoto Cybersecurity authorities in the United States, United Kingdom, and New Zealand have …