Identify types of password hashes and apply various techniques to efficiently recover plain text passwords. Most passwords are stored in a hash format, and the cracking tools take either a brute-force keyspace or some sort of dictionary (wordlist) as input.

Key Concepts:

  1. Encoding, Encryption and Hashing:
    • Encoding – transpose data into an efficient publicly available format for processing (e.g., base64, hex, file conversions, etc.)
    • Encryption – transpose data into a format for confidentiality using secret keys that must be protected (e.g., AES, RSA, etc.)
    • Hash – one-way algorithm applied to data (a message) to produce a separate, fixed-size hash value (aka checksum) that is used to verify data integrity.
  2. Password Formats:
    • Plain text (aka cleartext) – data that is transmitted or stored unencrypted (‘in the clear’).
    • Password hash – approach for storing passwords in the format $id$salt$hash, where id identifies the hashing algorithm.
    • Salt – random data combined with a password or passphrase before it is hashed, to safeguard the stored passwords.
  3. Other Related Concepts:
    • Rainbow Table –  precomputed table for reversing hash functions, usually for cracking password hashes.
    • Dictionary (Wordlist) – Large lists of commonly used words and phrases used as input into a dictionary attack.
    • Linux Passwd & Shadow Files:
      • /etc/passwd – text file containing user account info, including an ‘x’ in the password field if the hashed password is in the shadow file.
      • /etc/shadow – readable only by the root account; contains the user name, hash ID, salt, hashed password and other info.


/etc/passwd format

Recommended CTF Password Cracking Steps:

  1. CTF PW challenges frequently involve hash cracking using Hashcat with special wordlists, masks and/or rules applied.
  2. Read the challenge carefully for clues.
  3. Determine how and where the Password is stored.
    • The hash format is most common.
    • Linux Hash ID, Salt and Hashed Passwords are stored in the /etc/shadow file.
  4. Determine the hash type to set the hash mode in hashcat (e.g., SHA, MD4, MD5, etc.).
  5. Identify any PW rules that can be applied to the character set (e.g., length, alpha/numeric characters, upper/lower case, special characters, special words, etc.).
  6. Determine HashCat Attack mode:
    • Dictionary (-a 0)
    • Combination (-a 1)
    • Mask (-a 3)
    • Hybrid (-a 6 and -a 7)
  7. Identify the wordlist needed for Dictionary, Combination and Hybrid modes (e.g., rockyou.txt, etc.).
  8. Store the password hashes in an input file (e.g., [PW_FILE]).
  9. Set up and run Hashcat (apply attack mode, hash id, input file, word list & mask) – see examples below.
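The attack modes of step 6 worked through in code, as an added example that is not part of the original notes or of hashcat itself: each function mirrors one hashcat concept (mask charsets, keyspace, the -a 0/1/3/6/7 candidate streams), raw MD5 (-m 0) stands in for the hash type of step 4, and the sample hashes and wordlists are constructed for the example.

```python
import hashlib, itertools, math, re, string

# hashcat's built-in mask charsets (assumption: taken from the hashcat documentation).
CHARSETS = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
            "d": string.digits, "s": " " + string.punctuation}

def _pools(mask):
    """One character pool per mask position; a literal character is a pool of size one."""
    return [CHARSETS[t[1]] if t.startswith("?") else t
            for t in re.findall(r"\?[luds]|[^?]", mask)]

def mask_keyspace(mask):
    """Candidate count for a mask: the check to run before committing to -a 3 on a long mask."""
    return math.prod(len(pool) for pool in _pools(mask))

def expand_mask(mask):
    """Yield every candidate a mask such as '?u?l?l?d?d' describes, leftmost position slowest."""
    for combo in itertools.product(*_pools(mask)):
        yield "".join(combo)

def candidates(attack, wordlist=(), second=(), mask=""):
    """Candidate stream for -a 0 (dictionary), 1 (combination), 3 (mask), 6/7 (hybrid); other modes yield nothing."""
    if attack == 0:
        yield from wordlist
    elif attack == 1:  # every word of the first list joined with every word of the second
        yield from (l + r for l, r in itertools.product(wordlist, second))
    elif attack == 3:
        yield from expand_mask(mask)
    elif attack == 6:  # wordlist + mask: each word followed by each mask candidate
        yield from (w + t for w, t in itertools.product(wordlist, expand_mask(mask)))
    elif attack == 7:  # mask + wordlist: each mask candidate followed by each word
        yield from (h + w for h, w in itertools.product(expand_mask(mask), wordlist))

def crack_md5(targets, attack, **kwargs):
    """Run one attack mode against raw MD5 hashes (hashcat -m 0); returns {hash: plaintext} for hits."""
    found = {}
    for cand in candidates(attack, **kwargs):
        digest = hashlib.md5(cand.encode()).hexdigest()
        if digest in targets and digest not in found:
            found[digest] = cand
        if len(found) == len(targets):
            break
    return found

# Constructed sample hashes: raw MD5 of passwords made up for this example, not real data.
SAMPLE = {hashlib.md5(p.encode()).hexdigest(): p for p in ["summer2021", "Summer!9", "admin123"]}

if __name__ == "__main__":
    print(mask_keyspace("?u?l?l?l?l?d?d"), "candidates for a 7-character mask")
    print(crack_md5(SAMPLE, 6, wordlist=["summer", "Summer"], mask="?d?d?d?d"))
```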


Hashcat Parameter Examples

Recommended CTF Tools

WordLists:

  • /usr/share/dirb/wordlists
  • /usr/share/dirbuster/wordlists
  • dnsmap.txt -> /usr/share/dnsmap/wordlist_TLAs.txt
  • fasttrack.txt -> /usr/share/set/src/fasttrack/wordlist.txt
  • fern-wifi -> /usr/share/fern-wifi-cracker/extras/wordlists
  • metasploit -> /usr/share/metasploit-framework/data/wordlists
  • nmap.lst -> /usr/share/nmap/nselib/data/passwords.lst
  • sqlmap.txt -> /usr/share/sqlmap/txt/wordlist.txt
  • wfuzz -> /usr/share/wfuzz/wordlist
  • hashcat -> /usr/share/wordlists/rockyou.txt
