Hash cracking cheatsheet

Rich
4 min read · Mar 23, 2023


TL;DR cheatsheet for cracking various hash types with john & hashcat, with a footnote on wordlists at the end.

Welcome to Part VII of our Cheatsheet Series!

Part I: Mimikatz cheatsheet

Part II: Set-Acl cheatsheet

Part III: Get-Acl cheatsheet

Part IV: Enumerating AD cheatsheet

Part V: Windows reverse shells cheatsheet

Part VI: MS Graph PowerShell cheatsheet

Part VII: Hash cracking cheatsheet

Part VIII: The Credential Theft Shuffle

Part IX: SACLs & Querying Collected Logs

Part X: Setting up a simple AD lab in Azure

Background

This is mostly from the THM rooms here and here, with a few other tips & tricks thrown in from random sources. I’m probably preaching to the choir, but john and hashcat can be easily added to Windows and come ‘out of the box’ on Kali.

IDing a hash type

There are two good ways to do this: Kali’s builtin hash-identifier tool and the crackstation website.

The builtin tool is simply run via:

hash-identifier <hash>

Or simply copy/paste the hash into crackstation. If the password is easy you might get it immediately; even if not, you should at least get the hash type.

Hashcat

I’ve used and cited this table before, but I really can’t speak highly enough of it. It really is the proverbial ‘stone tablet from on high’ of matching hash types up to hashcat mode.

Once you know the hash type you simply run hashcat with the mode and wordlist. Examples:

#hashcat on bcrypt (used in OpenBSD, used in various Linux distros in the past)

hashcat -m3200 '$2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG' /home/kali/Downloads/Wordlists/rockyou.txt --force

#SHA256 (used in many *nix for password hashes)

hashcat -m1400 '9eb7ee7f551d2f0ac684981bd1f1e2fa4a37590199636753efe614d4db30e8e1' /home/kali/Downloads/Wordlists/rockyou.txt --force

#hash resulting from ASREPRoast (copy/paste the hash from GetNPUsers.py & enclose in single quotes; -a 0 is the straight wordlist attack, since -a 3 would treat rockyou.txt as a mask rather than a wordlist)

hashcat -m 18200 '$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:479e4f94a068ef144a788436c7df94e7$7a05e6b2e85dff303406c56f1c85feefe6ea6b5fbbe6a9d9cc59cf190add2502d2b8906eabe9d1f6a49cf90a707f94118477754fc7c04c2644824d35d25b11ee5dcc1bb519b78367d172374fdab521fb236fbd0f4dccb6d3f3a9a7c5ea0b1223a7a29adc38665abb144feff9f0b539b26f2f32d49d0a6820fd05c6b64ffe611df26d0adb0d05b7eab01639cdfc2d7ffaab92e94c7c077eaeeef14e9ce69d4088aabba32f6bb8c10235e0b03c496c409257c64d839e397e9c979346557f0d675cdb9f97224ba0954be9540f91cd7ea7be20ea745a9bf393807201ff9ff2685ac1f801dd77d2c049249f34a3e6509be3eb821b' -a 0 rockyou.txt

#run hashcat on a hash that was copy/pasted into a file after Kerberoasting

hashcat -m 19700 hashes.kerberoast2 rockyou.txt --force
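As an added example (not part of the original post), a small shell identifier for the hash shapes in this cheatsheet: it maps a hash to the hashcat mode and john format by its prefix or length, using the mode numbers from the examples above plus hashcat's documented ones for the crypt(3), TGS-REP etype 23, MD5 and NTLM cases, and flags the 32-hex case as ambiguous. The `cracker_cmds` helper, its hash-file and wordlist arguments, and the sample values are constructed names for illustration.

```shell
# Added example, not from the post: prefix/length based identification of the
# hash shapes this cheatsheet covers. Prints "<type> <hashcat -m> <john --format>".
# Raw 32-hex digests cannot be told apart by format (MD5 vs NTLM), so both
# candidates are reported and the source of the hash has to decide.
identify_hash() {
    h=$1
    case "$h" in
        '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt 3200 bcrypt" ;;
        '$6$'*)                  echo "sha512crypt 1800 sha512crypt" ;;
        '$5$'*)                  echo "sha256crypt 7400 sha256crypt" ;;
        '$1$'*)                  echo "md5crypt 500 md5crypt" ;;
        '$krb5asrep$23$'*)       echo "krb5asrep-etype23 18200 krb5asrep" ;;
        '$krb5tgs$23$'*)         echo "krb5tgs-etype23 13100 krb5tgs" ;;
        '$krb5tgs$18$'*)         echo "krb5tgs-etype18 19700 krb5tgs" ;;
        *)
            if printf '%s' "$h" | grep -Eq '^[0-9a-fA-F]{64}$'; then
                echo "sha256 1400 raw-sha256"
            elif printf '%s' "$h" | grep -Eq '^[0-9a-fA-F]{32}$'; then
                echo "md5-or-ntlm 0/1000 raw-md5/nt"
            else
                echo "unknown - -"; return 1
            fi ;;
    esac
}

# Hypothetical helper: print the matching hashcat and john invocations for the
# first hash in file $1 against wordlist $2. Ambiguous types get one line per
# candidate mode/format so nothing is silently guessed.
cracker_cmds() {
    hashfile=$1; wordlist=$2
    info=$(identify_hash "$(head -n 1 "$hashfile")") || return 1
    modes=$(printf '%s' "$info" | cut -d' ' -f2 | tr '/' ' ')
    fmts=$(printf '%s' "$info" | cut -d' ' -f3 | tr '/' ' ')
    for m in $modes; do echo "hashcat -m $m $hashfile $wordlist"; done
    for f in $fmts; do echo "john --format=$f --wordlist=$wordlist $hashfile"; done
}

# Demo on the bcrypt hash from the examples above.
identify_hash '$2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG'
```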

John

One of the more popular uses for John is combining the passwd and shadow files, running them past a wordlist, and seeing how many username/password combos we can find.

cd /home/kali/Downloads/hashes/THM
unshadow passwd shadow > combined.txt
john --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt /home/kali/Downloads/hashes/THM/combined.txt

John is also really handy for cracking password protected zip files. If you don’t already have zip2john loaded then you can grab it here.

zip2john backup.zip > /home/kali/Downloads/hashes/ziphash.txt
john --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt /home/kali/Downloads/hashes/ziphash.txt

John can also crack password protected rar files. If you don’t have unrar loaded already then just run the below:

sudo apt-get update
sudo apt-get install unrar

cd /home/kali/Downloads/hashes/THM
rar2john secure.rar > rarhash.txt
john --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt rarhash.txt

John is great for cracking password protected ssh keys. If you don’t already have ssh2john loaded then you can grab it here.

python /usr/share/john/ssh2john.py idrsa.id_rsa > ssh
john --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt ssh

It’s not quite as handy as hashcat’s table, but there is a list of john formats matched to hash types here.

#For example run John on a SHA256 hash

john --format=raw-sha256 --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt /home/kali/Downloads/hashes/THM/hash3.txt

#Another example; John vs a hash grabbed via Kerberoasting

john hash.txt --format=krb5tgs --wordlist=rockyou.txt

Word mangling

We can even do some word mangling with John and take advantage of human nature.

#edit John's configuration
sudo mousepad /etc/john/john.conf

#add a custom rule (capitalise, then append one digit followed by one symbol)
[List.Rules:MishkaRules]
cAz"[0-9][!@#$%^&*]"

#custom rule cheatsheet
c = Capitalise the first letter
A0 = put at the beginning of the word
Az = append to the end of the word
[0-9] = a digit in the range 0-9
[A-z] = both upper & lower case letters
[A-Z] = upper case characters
[a-z] = lower case characters
[!@#$%^&*] = tack on a symbol from this list

#use the custom word mangling
john --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt --rules=MishkaRules hash

#For example, to add all capital letters to the end of the word:
Az"[A-Z]"
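As an added example (not part of the original post), here is what the MishkaRules rule above actually expands to, reproduced with awk so the candidates can be inspected without running john, plus a defender-side check of whether a given password is just a wordlist entry with that rule applied. The function names and the sample wordlist are constructed for illustration.

```shell
# Added example, not from the post: the rule cAz"[0-9][!@#$%^&*]" done by hand.
# "c" capitalises the first letter and lowercases the rest; Az then appends one
# character from each bracketed class. The classes multiply, so every base
# word turns into 10 x 8 = 80 candidates (an 80x bigger keyspace, not more).
mishka_rule() {
    awk '
    BEGIN { digits = "0123456789"; symbols = "!@#$%^&*" }
    {
        w = toupper(substr($0, 1, 1)) tolower(substr($0, 2))
        for (i = 1; i <= length(digits); i++)
            for (j = 1; j <= length(symbols); j++)
                print w substr(digits, i, 1) substr(symbols, j, 1)
    }'
}

# Defender-side check (hypothetical helper): would candidate $1 be produced by
# this rule from wordlist $2? If yes, the "complexity" is exactly what a ruleset
# tries first. Base words that start with a digit are not handled here.
rule_covers() {
    cand=$1; list=$2
    printf '%s' "$cand" | grep -Eq '^[[:upper:]][^[:upper:]]*[0-9][!@#$%^&*]$' || return 1
    base=$(printf '%s' "$cand" | sed 's/..$//' | tr '[:upper:]' '[:lower:]')
    grep -qixF "$base" "$list"
}

# Demo on a constructed base word: the first three of its 80 candidates.
printf 'password\n' | mishka_rule | head -n 3
```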

Other word mangling tools

One can also easily generate a mangled wordlist with a tool like crunch. If crunch isn’t already loaded:

sudo apt install crunch

There’s a full crunch cheatsheet here. However a very simple example is below:

crunch 5 5 -t "THM^^" -o tryhackme.txt

This takes the word "THM" and tacks two special characters onto the end of it, keeping the entire word to 5 characters. If we wanted to include words like "THM!" then we would do

crunch 4 5 -t "THM^^" -o tryhackme.txt

Generating a wordlist from a website

If the org/THM VM/CTF/etc has a website then it’s often worth making a quick & dirty wordlist to try along with fan favorites like rockyou.txt. For example:

cewl -d 2 -m 8 -w dvwa_wordlist http://10.0.0.1/dvwa

This will crawl the specified site to a depth of 2, create a wordlist named “dvwa_wordlist”, and use any words found up to 8 characters long.

Summary

This is really just to put my notes on hashcat, john, and wordlists in one place. I had a lot of stuff scattered across notes from various THM rooms, labs projects, exams like eJPT, etc. I’ll probably come back and add to this as I go.

Remember that hashes like NTLM are not salted. One can often simply pass the hash (PTH) and gain access with the NTLM hash even if one can’t crack it.

References

Bcrypt: https://en.wikipedia.org/wiki/Bcrypt#:~:text=bcrypt%20is%20a%20password%2Dhashing,presented%20at%20USENIX%20in%201999.

Hashcat hash type table: https://hashcat.net/wiki/doku.php?id=example_hashes

John hash types: https://github.com/Shiva108/CTF-notes/blob/master/Notes%20VA/HashFormats_JackTheRipper.txt

Crunch howto: https://www.hackingarticles.in/a-detailed-guide-on-crunch/


Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.
