I’ve recently been working through the Cyber Security 101 learning path on TryHackMe (THM) and I’ve reached the Cryptography (Hashing basics) part of the path which includes a task involving password cracking using Hashcat.
When I first started learning about cyber security and hacking two years ago, I’d dabbled with cracking my home Wi-Fi password using some tools in Kali Linux and some wordlists, but I’d never used Hashcat before. So, last night was my first time using this tool.
After completing this section and the task questions on THM last night, I thought it’d be useful to repeat this section today, and record the process that I went through in this post.
The first thing to note (as explained in Task 5 – Recognising Password Hashes) is that Linux password hashes are stored in the /etc/shadow file, which is normally only readable by root.
And the encrypted password field contains the hashed passphrase with four components: prefix (algorithm id), options (parameters), salt, and hash. It is saved in the format $prefix$options$salt$hash.
THM states that the prefix makes it easy to recognise Unix and Linux-style passwords, and that it specifies the hashing algorithm used to generate the hash. THM also gives some examples of prefixes, and provides a link to the Hashcat Example Hashes page with a list of the different prefixes and hash names.
In Task 6 – Password Cracking, THM asks you to answer the following questions:
- Use hashcat to crack the hash, $2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG, saved in ~/Hashing-Basics/Task-6/hash1.txt
- Use hashcat to crack the SHA2-256 hash, 9eb7ee7f551d2f0ac684981bd1f1e2fa4a37590199636753efe614d4db30e8e1, saved in ~/Hashing-Basics/Task-6/hash2.txt
- Use hashcat to crack the hash, $6$GQXVvW4EuM$ehD6jWiMsfNorxy5SINsgdlxmAEl3.yif0/c3NqzGLa0P.S7KRDYjycw5bnYkF5ZtB8wQy8KnskuWQS3Yr1wQ0, saved in ~/Hashing-Basics/Task-6/hash3.txt.
- Crack the hash, b6b0d451bbf6fed658659a9e7e5598fe, saved in ~/Hashing-Basics/Task-6/hash4.txt.
And THM gives you instructions about how to do this using the following syntax: hashcat -m <hash_type> -a <attack_mode> hashfile wordlist, where:
- -m <hash_type> specifies the hash-type in numeric format. For example, -m 1000 is for NTLM. Check the official documentation (man hashcat) and example page to find the hash type code to use.
- -a <attack_mode> specifies the attack-mode. For example, -a 0 is for straight, i.e., trying one password from the wordlist after the other.
- hashfile is the file containing the hash you want to crack.
- wordlist is the security word list you want to use in your attack (in this case, the wordlist is rockyou.txt).
For example, hashcat -m 3200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt will treat the hash as Bcrypt and try the passwords in the rockyou.txt file.
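Added example (not from THM or the original post): a small Python parser that splits a hash string into the prefix, options, salt and hash fields described above and lists candidate hashcat -m values. The function names and the sample shadow line are assumptions made for this illustration; modes 500, 7400, 0, 100 and 1700 come from the Hashcat Example Hashes list rather than from this post.

```python
import re

# Crypt-style prefix -> (hash name, hashcat -m mode). 3200 and 1800 are the modes
# used in this post; 500 and 7400 are the md5crypt and sha256crypt equivalents.
CRYPT_PREFIXES = {
    "1": ("md5crypt", 500), "5": ("sha256crypt", 7400), "6": ("sha512crypt", 1800),
    "2a": ("bcrypt", 3200), "2b": ("bcrypt", 3200), "2y": ("bcrypt", 3200),
}
# Raw hex digests have no prefix, so length only narrows the choice (not exhaustive).
HEX_LENGTHS = {
    32: [("MD5", 0), ("NTLM", 1000)], 40: [("SHA1", 100)],
    64: [("SHA2-256", 1400)], 128: [("SHA2-512", 1700)],
}

def identify(value):
    """Split a hash string into its parts and list candidate hashcat modes."""
    value = value.strip()
    if value.startswith("$"):
        fields = value.split("$")[1:]  # drop the empty string before the first $
        if len(fields) < 3 or fields[0] not in CRYPT_PREFIXES:
            raise ValueError("unknown or truncated crypt-style hash")
        candidates = [CRYPT_PREFIXES[fields[0]]]
        if candidates[0][0] == "bcrypt":
            # bcrypt: options field is the cost; 22-char salt and 31-char hash are joined
            if len(fields[2]) != 53:
                raise ValueError("bcrypt salt+hash must be 53 characters")
            return {"candidates": candidates, "options": fields[1],
                    "salt": fields[2][:22], "hash": fields[2][22:]}
        # md5crypt / sha*crypt: an optional rounds=N field may precede the salt
        options = fields[1] if len(fields) == 4 else ""
        return {"candidates": candidates, "options": options,
                "salt": fields[-2], "hash": fields[-1]}
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HEX_LENGTHS:
        return {"candidates": HEX_LENGTHS[len(value)], "options": "",
                "salt": "", "hash": value.lower()}
    raise ValueError("unrecognised hash format")

def from_shadow_line(line):
    """Identify the second colon-separated field of an /etc/shadow entry."""
    field = line.split(":")[1]
    if field in ("", "*") or field.startswith("!"):
        return None  # no password set, or account locked
    return identify(field)

if __name__ == "__main__":
    # Constructed shadow entry: made-up user and ageing fields around the hash3.txt value.
    sample = "alice:$6$GQXVvW4EuM$ehD6jWiMsfNorxy5SINsgdlxmAEl3.yif0/c3NqzGLa0P.S7KRDYjycw5bnYkF5ZtB8wQy8KnskuWQS3Yr1wQ0:19000:0:99999:7:::"
    print(from_shadow_line(sample)["candidates"])
    print(identify("b6b0d451bbf6fed658659a9e7e5598fe")["candidates"])
```

The two raw hex hashes carry no prefix, so their length only narrows the candidates, which is why THM has to state that the second hash is SHA2-256.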
Now, moving onto the questions.
Question 1
Use hashcat to crack the hash, $2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG, saved in ~/Hashing-Basics/Task-6/hash1.txt
The prefix for this hash is $2a$. And looking for this prefix on the Hashcat Example Hashes page shows me that the hash name is bcrypt with a hash mode number of 3200.

So, the command to enter is:
hashcat -m 3200 -a 0 hash1.txt /usr/share/wordlists/rockyou.txt
After typing this command in, unfortunately it didn’t work the first time and gave the following response.

This is because I didn’t launch the command from within the folder in which the file is located. The current folder I’m in, which can be found by typing and running pwd, is:

And by typing ls, I can see that the hash1.txt file isn’t in this folder.

So, I navigated to the correct folder using the command cd Hashing-Basics/Task-6 and then ran the command again.

This time, the cracking attempt was successful and I could see that the cracked password (highlighted in blue) is:
85208520

And THM confirms this is the correct answer.

Question 2
Use hashcat to crack the SHA2-256 hash, 9eb7ee7f551d2f0ac684981bd1f1e2fa4a37590199636753efe614d4db30e8e1, saved in ~/Hashing-Basics/Task-6/hash2.txt
To answer this question, I again used the Hashcat examples page and searched for SHA2-256. And this provided the following hash mode number of 1400.

Last night when I first tried answering this question, I searched for SHA-256 instead of SHA2-256. So, I ended up inputting the wrong number for the hash mode in the command multiple times until I realised my mistake. But once I realised, the correct command to enter was as follows:
hashcat -m 1400 -a 0 hash2.txt /usr/share/wordlists/rockyou.txt

Again, the password was successfully cracked and the password this time is:
halloween

And THM again confirms this is correct.

Question 3
Use hashcat to crack the hash, $6$GQXVvW4EuM$ehD6jWiMsfNorxy5SINsgdlxmAEl3.yif0/c3NqzGLa0P.S7KRDYjycw5bnYkF5ZtB8wQy8KnskuWQS3Yr1wQ0, saved in ~/Hashing-Basics/Task-6/hash3.txt.
This time, the prefix is $6$. And the Hashcat Example Hashes page shows me that the hash name is sha512crypt with a hash mode number of 1800.

So, the command to enter is:
hashcat -m 1800 -a 0 hash3.txt /usr/share/wordlists/rockyou.txt

Once again, the password cracking was successful, and the password is:
spaceman

THM also confirms this is correct.

Question 4
Crack the hash, b6b0d451bbf6fed658659a9e7e5598fe, saved in ~/Hashing-Basics/Task-6/hash4.txt.
I struggled to get the answer to this question last night because no matter what I tried when using Hashcat, I couldn’t crack the password.
So, I reluctantly used the hint prompt on THM for a clue, and this said I’d need to use an online service to find the password.
At this point I realised what’d happened. The rockyou.txt wordlist, whilst containing millions of passwords, didn’t include the password that this hash relates to, which is why Hashcat couldn’t crack it.
So, using a website called Crackstation I input the password there and this provided the answer I was looking for which was:
funforyou

And finally, once more, THM confirms this is the correct answer.

In conclusion, this was a very enjoyable room to work through. Whilst I made some mistakes during the process of trying to crack the hashes, I understand what it was that I was doing wrong, so there were lessons learned.
Hashcat wasn’t too difficult a tool to use either. The syntax and formatting of this is straightforward, and now I know what it is I was doing wrong when trying to complete the tasks, I’ll be more aware and alert to this when I use Hashcat and I try to crack password hashes again in the future.
