TL;DR cheatsheet for cracking various hash types with john & hashcat, with a footnote on wordlists at the end.
Welcome to Part VII of our Cheatsheet Series!
Part I: Mimikatz cheatsheet
Part II: Set-Acl cheatsheet
Part III: Get-Acl cheatsheet
Part IV: Enumerating AD cheatsheet
Part V: Windows reverse shells cheatsheet
Part VI: MS Graph PowerShell cheatsheet
Part VII: Hash cracking cheatsheet
Part VIII: The Credential Theft Shuffle
Part IX: SACLs & Querying Collected Logs
Part X: Setting up a simple AD lab in Azure
Background
This is mostly from the THM rooms here and here, with a few other tips & tricks thrown in from random sources. I’m probably preaching to the choir, but john and hashcat can be easily added to Windows and come ‘out of the box’ on Kali.
IDing a hash type
There are two great ways to do this: Kali's builtin tool and the website crackstation.
The builtin tool is simply run via:
hash-identifier <hash>
Or simply copy/paste the hash into crackstation. If the password is easy you might get it immediately; either way you should at least get the hash type.
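Both tools do the same thing under the hood: look at the prefix (for modern crypt-style and Kerberos hashes) or the bare hex length (for raw digests) and list candidate algorithms. The small identifier below is an added example written for this page, not code from hash-identifier or crackstation; it maps each candidate to the hashcat -m mode and john --format name and, for bare hex, deliberately returns several candidates because a 32-character hex string could be MD5, NTLM, MD4 or LM. The sample inputs are the bcrypt and SHA256 hashes from this page plus a constructed AS-REP prefix.

```python
import re

# Each entry: (name, hashcat -m mode, john --format). None where the john
# format name is deliberately not asserted.
PREFIX_SIGNATURES = [
    (r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$", [("bcrypt", 3200, "bcrypt")]),
    (r"^\$1\$", [("md5crypt", 500, "md5crypt")]),
    (r"^\$5\$", [("sha256crypt", 7400, "sha256crypt")]),
    (r"^\$6\$", [("sha512crypt", 1800, "sha512crypt")]),
    (r"^\$krb5asrep\$23\$", [("Kerberos 5 AS-REP etype 23", 18200, "krb5asrep")]),
    (r"^\$krb5tgs\$23\$", [("Kerberos 5 TGS-REP etype 23", 13100, "krb5tgs")]),
    (r"^\$krb5tgs\$18\$", [("Kerberos 5 TGS-REP etype 18 (AES-256)", 19700, None)]),
]

# A bare hex string is ambiguous: several algorithms share a digest length,
# which is why hash-identifier and crackstation both report a list of candidates.
HEX_LENGTH_CANDIDATES = {
    32: [("MD5", 0, "raw-md5"), ("NTLM", 1000, "nt"),
         ("MD4", 900, "raw-md4"), ("LM", 3000, "lm")],
    40: [("SHA-1", 100, "raw-sha1")],
    64: [("SHA-256", 1400, "raw-sha256")],
    128: [("SHA-512", 1700, "raw-sha512")],
}


def identify(hash_string):
    """Return [(name, hashcat_mode, john_format), ...] candidates, or [] if unknown."""
    h = hash_string.strip()
    for pattern, candidates in PREFIX_SIGNATURES:
        if re.match(pattern, h):
            return list(candidates)
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return list(HEX_LENGTH_CANDIDATES.get(len(h), []))
    return []


if __name__ == "__main__":
    samples = [
        # bcrypt and SHA256 hashes from this page
        "$2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG",
        "9eb7ee7f551d2f0ac684981bd1f1e2fa4a37590199636753efe614d4db30e8e1",
        # constructed AS-REP prefix with the ciphertext replaced by a placeholder
        "$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:<checksum>$<ciphertext>",
        "a" * 32,
    ]
    for s in samples:
        cands = identify(s) or [("unknown", None, None)]
        print(s[:40] + ("..." if len(s) > 40 else ""))
        for name, mode, fmt in cands:
            print(f"    {name:<40} hashcat -m {mode}   john --format={fmt}")
```

When the identifier returns more than one candidate, try the cheapest-to-verify one first (NTLM before MD5 when the hash came from a Windows host), and treat the length-only guess as a hint rather than a fact.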
Hashcat
I’ve used and cited this table before, but I really can’t speak highly enough of it. It really is the proverbial ‘stone tablet from on high’ of matching hash types up to hashcat mode.
Once you know the hash type you simply run hashcat with the mode and wordlist. Examples:
#hashcat on bcrypt (used in OpenBSD, used in various Linux distros in the past)
hashcat -m3200 '$2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG' /home/kali/Downloads/Wordlists/rockyou.txt --force
#SHA256 (used in many *nix for password hashes)
hashcat -m1400 '9eb7ee7f551d2f0ac684981bd1f1e2fa4a37590199636753efe614d4db30e8e1' /home/kali/Downloads/Wordlists/rockyou.txt --force
#hash resulting from ASREPRoast (copy/paste the hash from GetNPUsers.py & enclose in single quotes); -a 0 is the straight wordlist attack mode
hashcat -m 18200 '$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:479e4f94a068ef144a788436c7df94e7$7a05e6b2e85dff303406c56f1c85feefe6ea6b5fbbe6a9d9cc59cf190add2502d2b8906eabe9d1f6a49cf90a707f94118477754fc7c04c2644824d35d25b11ee5dcc1bb519b78367d172374fdab521fb236fbd0f4dccb6d3f3a9a7c5ea0b1223a7a29adc38665abb144feff9f0b539b26f2f32d49d0a6820fd05c6b64ffe611df26d0adb0d05b7eab01639cdfc2d7ffaab92e94c7c077eaeeef14e9ce69d4088aabba32f6bb8c10235e0b03c496c409257c64d839e397e9c979346557f0d675cdb9f97224ba0954be9540f91cd7ea7be20ea745a9bf393807201ff9ff2685ac1f801dd77d2c049249f34a3e6509be3eb821b' -a 0 rockyou.txt
#run hashcat on a hash that was copy/pasted into a file after Kerberoasting
hashcat -m 19700 hashes.kerberoast2 rockyou.txt --force
John
One of the more popular uses for John is combining the passwd and shadow files, running them past a wordlist, and seeing how many username/password combos we can find.
cd /home/kali/Downloads/hashes/THM
unshadow passwd shadow > combined.txt
john --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt /home/kali/Downloads/hashes/THM/combined.txt
John is also really handy for cracking password protected zip files. If you don’t already have zip2john loaded then you can grab it here.
zip2john backup.zip > /home/kali/Downloads/hashes/ziphash.txt
john --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt /home/kali/Downloads/hashes/ziphash.txt
John can also crack password protected rar files. If you don’t have unrar loaded already then just run the below:
sudo apt-get update
sudo apt-get install unrar
cd /home/kali/Downloads/hashes/THM
rar2john secure.rar > rarhash.txt
john --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt rarhash.txt
John is great for cracking password protected ssh keys. If you don’t already have ssh2john loaded then you can grab it here.
python /usr/share/john/ssh2john.py idrsa.id_rsa > ssh
john --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt ssh
It's not quite as handy as hashcat's table, but there is a list of john formats matched to hash types here.
#For example run John on a SHA256 hash
john --format=raw-sha256 --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt /home/kali/Downloads/hashes/THM/hash3.txt
#Another example; John vs a hash grabbed via Kerberoasting
john hash.txt --format=krb5tgs --wordlist=rockyou.txt
Word mangling
We can even do some word mangling with John and take advantage of human nature.
#edit John's configuration
sudo mousepad /etc/john/john.conf
#add a custom rule
[List.Rules:MishkaRules]
cAz"[0-9][!@#$%^&*]"
#custom rule cheatsheet
c = Capitalise the first letter
A0 = put at the beginning of the word
Az = append to the end of the word
[0-9] = # in the range 0-9
[A-z] = both upper & lower case letters
[A-Z] = upper case characters
[a-z] = lower case characters
[!@#$%^&*] = tack on a symbol from this list
#use the custom word mangling
john --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt --rules=MishkaRules hash
#For example, to add all capital letters to the end of the word:
Az"[A-Z]"
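To see exactly what a rule line like cAz"[0-9][!@#$%^&*]" turns each wordlist entry into, it helps to run the two stages john performs: the preprocessor expands every [...] character list into the cross product of concrete rules, and each concrete rule is then applied to every word. The interpreter below is an added example, not code from John the Ripper, and covers only the commands used on this page (c, l, u, A<pos>"str", $X, ^X); the three-word list is constructed to stand in for rockyou.txt. Counting the candidates this way is a quick way to check how much a given rule inflates a run before committing to it.

```python
import itertools
import re

# A [...] character list anywhere on the rule line; john's preprocessor expands
# these before the rule itself is parsed, so they also work inside quoted strings.
CLASS_RE = re.compile(r"\[([^\]]+)\]")

# The subset of rule commands used on this page: c, l, u, A<pos>"str", $X, ^X.
CMD_RE = re.compile(r'c|l|u|A(?P<pos>[0-9]|z)"(?P<ins>[^"]*)"|\$(?P<app>.)|\^(?P<pre>.)')


def expand_class(body):
    """Characters named by a list body such as '0-9' or '!@#$%^&*' (ranges by character code)."""
    chars, i = [], 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            chars.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return chars


def preprocess(rule_line):
    """One rule line with character lists -> the concrete rules john would run (cross product)."""
    parts = CLASS_RE.split(rule_line)          # literal, body, literal, body, ..., literal
    literals, bodies = parts[0::2], parts[1::2]
    if not bodies:
        return [rule_line]
    concrete = []
    for combo in itertools.product(*(expand_class(b) for b in bodies)):
        rule = literals[0]
        for ch, lit in zip(combo, literals[1:]):
            rule += ch + lit
        concrete.append(rule)
    return concrete


def apply_rule(rule, word):
    """Apply one concrete rule (no character lists left) to a single word."""
    pos = 0
    while pos < len(rule):
        m = CMD_RE.match(rule, pos)
        if m is None:
            raise ValueError(f"unsupported rule command near {rule[pos:]!r}")
        cmd = m.group(0)
        if cmd == "c":                      # capitalise first letter, lowercase the rest
            word = word[:1].upper() + word[1:].lower()
        elif cmd == "l":
            word = word.lower()
        elif cmd == "u":
            word = word.upper()
        elif cmd.startswith("A"):           # A0"x" prefixes, Az"x" appends, AN"x" inserts at N
            ins, where = m.group("ins"), m.group("pos")
            n = len(word) if where == "z" else int(where)
            word = word[:n] + ins + word[n:]
        elif m.group("app") is not None:    # $X appends one character
            word += m.group("app")
        else:                               # ^X prepends one character
            word = m.group("pre") + word
        pos = m.end()
    return word


def mangle(rule_line, words):
    """Every distinct candidate the rule line produces for the wordlist, in generation order."""
    seen, out = set(), []
    for concrete in preprocess(rule_line):
        for w in words:
            cand = apply_rule(concrete, w)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


if __name__ == "__main__":
    # Constructed three-word list standing in for rockyou.txt.
    sample_words = ["password", "mishka", "Summer"]
    for rule in ['cAz"[0-9][!@#$%^&*]"', 'Az"[A-Z]"']:
        cands = mangle(rule, sample_words)
        print(f"{rule}: {len(cands)} candidates, e.g. {cands[:3]}")
```

The page's rule expands to 10 x 8 = 80 concrete rules, so a one-million-line wordlist becomes eighty million candidates; the order in which john emits them is not reproduced here, only the set.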
Other word mangling tools
One can also easily generate a mangled wordlist with a tool like crunch. If crunch isn't already loaded:
sudo apt install crunch
There’s a full crunch cheatsheet here. However a very simple example is below:
crunch 5 5 -t "THM^^" -o tryhackme.txt
This takes the word “THM” and tacks two special characters onto the end of it, keeping the entire word to 5 characters. If we wanted to include words like “THM!” then we would do
crunch 4 5 -t "THM^^" -o tryhackme.txt
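The -t pattern is just a cross product over placeholder positions, which is easy to reproduce in a few lines when you want to know how large a list a pattern will produce before writing it to disk. The expander below is an added stand-in written for this page, not crunch's own code; it handles all four crunch placeholders (@ lower, , upper, % digit, ^ symbol) rather than only ^, uses this page's short symbol list [!@#$%^&*] as the constructed default instead of crunch's built-in set, and implements the min/max-length behaviour exactly as the cheatsheet describes it (shorter lengths drop trailing positions of the pattern).

```python
import itertools

# Placeholder sets mirroring crunch's -t syntax: @ lower, , upper, % digit, ^ symbol.
# The symbol set is this page's short list, a constructed default, not crunch's built-in one.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*"
PLACEHOLDERS = {"@": LOWER, ",": UPPER, "%": DIGITS, "^": SYMBOLS}


def expand_pattern(pattern, symbols=SYMBOLS):
    """All strings matching a -t pattern, rightmost placeholder varying fastest (like crunch)."""
    sets = {**PLACEHOLDERS, "^": symbols}
    slots = [sets.get(ch, ch) for ch in pattern]   # literal characters are one-element slots
    return ["".join(t) for t in itertools.product(*slots)]


def crunch_like(min_len, max_len, pattern, symbols=SYMBOLS):
    """Candidates for every length from min_len to max_len, read as the cheatsheet describes:
    shorter lengths keep the leading part of the pattern and drop trailing positions."""
    if not 1 <= min_len <= max_len <= len(pattern):
        raise ValueError("need 1 <= min_len <= max_len <= len(pattern)")
    out = []
    for length in range(min_len, max_len + 1):
        out.extend(expand_pattern(pattern[:length], symbols))
    return out


def write_wordlist(path, candidates):
    """Write one candidate per line, the same shape as crunch -o output; returns the count."""
    with open(path, "w", encoding="utf-8") as fh:
        for cand in candidates:
            fh.write(cand + "\n")
    return len(candidates)


if __name__ == "__main__":
    five = crunch_like(5, 5, "THM^^")        # page's first example
    four_five = crunch_like(4, 5, "THM^^")   # page's second example, adds THM! ... THM*
    print(len(five), five[:4])
    print(len(four_five), four_five[:4])
    print(len(expand_pattern("THM%%")), "digit-suffix variants")
```

With eight symbols the 5-character pattern yields 64 lines and the 4-to-5 run 72; swapping in crunch's full default symbol set makes the list grow quadratically in the number of ^ positions, which is the thing to estimate before pointing a cracker at it.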
Generating a wordlist from a website
If the org/THM VM/CTF/etc has a website then it’s often worth making a quick & dirty wordlist to try along with fan favorites like rockyou.txt. For example:
cewl -d 2 -m 8 -w dvwa_wordlist http://10.0.0.1/dvwa
This will crawl the specified site to a depth of 2, create a wordlist named “dvwa_wordlist”, and use any words found up to 8 characters long.
Summary
This is really just to put my notes on hashcat, john, and wordlists in one place. I had a lot of stuff scattered across notes from various THM rooms, lab projects, exams like eJPT, etc. I'll probably come back and add to this as I go.
Remember that hashes like NTLM are not salted. One can often simply PTH and gain access with NTLM even if one can’t crack it.
References
Hashcat hash type table: https://hashcat.net/wiki/doku.php?id=example_hashes
John hash types: https://github.com/Shiva108/CTF-notes/blob/master/Notes%20VA/HashFormats_JackTheRipper.txt
Crunch howto: https://www.hackingarticles.in/a-detailed-guide-on-crunch/