The labs shows how to crack hashed passwords using dictionary and brute-force methods on Kali Linux.
Download hashcat-exercise-files.zip
sudo mkdir hashcat-exercise
unzip hashcat-exercise-files.zip
./view-sample-password.sh
echo -n salt [password] | md5sum
man crypt
man mkpasswd
A: Dictionary attack
Create text file test-dictionary with three words hello, wtaddtsbtk, dog in three lines.
hashcat -m 500 -a 0 crack-these-please-md5 test-dictionary --force (cracked with 3 passwords)
hashcat -m 1800 -a 0 crack-these-please-sha512 test-dictionary (cracked with 3 passwords)
hashcat -m 500 -a 0 crack-these-please-md5 500_passwords.txt (cracked with 7 different)
hashcat -m 1800 -a 0 crack-these-please-sha512 500_passwords.txt (cracked with 7 different)
B: Brute force attack
openssl speed md5
openssl speed sha512
This shows md5 processes more data than sha512 in the same amount of time.
hashcat -m 500 -a 3 crack-these-please-md5 ?l?l (mask ?l means one lowercase letter) return: w, ww
hashcat -m 500 -a 3 crack-these-please-md5 ?a?a (?a all 95 characters on keyboards instead of 26)
Core attack modes
- Dictionary attack - trying all words in a list; also called “straight” mode (attack mode 0, -a 0)
- Combinator attack - concatenating words from multiple wordlists (mode 1)
- Brute-force attack and Mask attack - trying all characters from given charsets, per position (mode 3)
- Hybrid attack - combining wordlists+masks (mode 6) and masks+wordlists (mode 7); can also be done with rules
