Basic password cracking with hashcat
As a developer, it can be very useful to know how to test the security of your password hashes. How could a hacker break your hashes? How long would it take them to recover all the passwords in plain text?
There are many different ways to do it; in this article we will use the hashcat command-line utility.
Wait, what type of hash is it?
I am sure you know what type of hash your application uses, but how can a hacker identify it quickly?
There are very simple tools to use, like a pip package called hashid.
# you need python3 already installed
pip install hashid
Once installed, it can identify what type a hash could be, based on multiple factors such as the string length or the characters used.
Below we can see different hashes of the same string “password”:
These are the results for the hashid analysis of the first hash:
Now I know the hash algorithm, so what?
Now that we know the hash algorithm, it is easier for us to do brute-force cracking by generating all possible password combinations.
Wait, testing all possible passwords could take a very long time. If you check only the 26 lowercase letters, a password with 10 characters means 26¹⁰ ≈ 1.411670957×10¹⁴ possible combinations!
Fortunately, most people use passwords that are simple to remember, like birthday or anniversary dates, relatives’ names, or film/videogame/TV characters like “pikachu” or “brucelee”.
Hashcat can work with regex and pattern generation so that cracking starts with only the most common passwords.
One of the most commonly used password lists is the RockYou list.
You can find it easily on the internet, or already downloaded on the most common security distros like Kali or Parrot.
Even using this list can take a long time, especially when the hashing algorithm is complex and slower to execute.
For this reason, there are smaller collections derived from RockYou that contain only the most common passwords, ranked by popularity.
Some cracking attempts
Now we have the hash and a password list, and we also know the type of hash and which tool to use. We can start cracking!
We need to specify the hashcat mode that corresponds to the hash algorithm to use.
We can easily find it by searching in the help output with a grep command followed by the hash name.
After specifying the mode, we only need to write the hash and a wordlist, then hashcat will do its work. That’s it!
# on kali linux /usr/share/wordlists/rockyou.txt
hashcat -m 0 bdc87b9c894da5168059e00ebffb9077 path/to/wordlists/rockyou.txt
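What a wordlist run like this amounts to, and why a slow, salted algorithm makes the same list more expensive to try, shown as an added Python example (not code from the original article and not how hashcat is implemented). The account names, passwords, five-word list and PBKDF2 iteration count are constructed for the demo.

```python
import hashlib
import os

# Constructed sample data: a five-word stand-in for a popularity-sorted
# wordlist and three made-up accounts. None of this is from the article.
WORDLIST = ["123456", "password", "pikachu", "brucelee", "qwerty"]
ACCOUNTS = {"alice": "pikachu", "bob": "password", "carol": "T7#vq!x9Lm"}
ITERATIONS = 10_000  # assumed demo work factor, kept low so the example runs fast

def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_hex(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def build_stores():
    """Return the same accounts stored as unsalted MD5 and as salted PBKDF2."""
    md5_store = {user: md5_hex(pw) for user, pw in ACCOUNTS.items()}
    salts = {user: os.urandom(16) for user in ACCOUNTS}  # fresh random salt per account
    kdf_store = {u: (salts[u], pbkdf2_hex(pw, salts[u])) for u, pw in ACCOUNTS.items()}
    return md5_store, kdf_store

def audit_unsalted_md5(store, wordlist):
    """One MD5 per candidate word is compared against every stored hash at once."""
    users_by_hash = {}
    for user, digest in store.items():
        users_by_hash.setdefault(digest.lower(), []).append(user)
    found, computations = {}, 0
    for word in wordlist:
        computations += 1
        for user in users_by_hash.get(md5_hex(word), []):
            found[user] = word
    return found, computations

def audit_salted_pbkdf2(store, wordlist):
    """The per-account salt forces a separate slow computation per user and word."""
    found, computations = {}, 0
    for user, (salt, digest) in store.items():
        for word in wordlist:
            computations += 1
            if pbkdf2_hex(word, salt) == digest:
                found[user] = word
                break
    return found, computations

if __name__ == "__main__":
    md5_store, kdf_store = build_stores()
    print(audit_unsalted_md5(md5_store, WORDLIST))
    print(audit_salted_pbkdf2(kdf_store, WORDLIST))
```

Both audits recover the two wordlist passwords, but the unsalted store costs one cheap hash per word for all accounts together, while the salted store costs one 10,000-iteration computation per word for each account.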
I hope that this brief tutorial helps you to understand the basics of password cracking. Don’t hesitate to share your thoughts or doubts in the comments!