Skip to content

Hashes and Password Cracking

h00die edited this page Jul 20, 2020 · 26 revisions

Intro

This article will discuss the various libraries, dependencies, and functionality built in to metasploit for dealing with password hashes, and cracking them. In general, this will not cover storing credentials in the database, which can be read about here. Metasploit currently support cracking passwords with John the Ripper and hashcat.

Hashes

Many modules dump hashes from various software. Anything from the OS: Windows, OSX, and Linux, to applications such as postgres, and oracle. Similar, to the hash-identifier project, Metasploit includes a library to identify the type of a hash in a standard way. identify.rb can be given a hash, and will return the jtr type. Metasploit standardizes to John the Ripper's types. While you may know the hash type being dumped already, using this library will help standardize future changes.

Hash Identify Example

In this first, simple, example we will simply show loading the library and calling its function.

require 'metasploit/framework/hashes/identify'
puts identify_hash "$1$28772684$iEwNOgGugqO9.bIz5sk8k/"
# note, bad hashes return an empty string since nil is not accepted when creating credentials in msf.
puts identify_hash "This_is a Fake Hash"
puts identify_hash "_9G..8147mpcfKT8g0U."

In practice, we receive the following output from this:

msf5 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object

irb: warn: can't alias jobs from irb_jobs.
>> require 'metasploit/framework/hashes/identify'
=> false
>> puts identify_hash "$1$28772684$iEwNOgGugqO9.bIz5sk8k/"
md5
=> nil
>> puts identify_hash "This_is a Fake Hash"

=> nil
>> puts identify_hash "_9G..8147mpcfKT8g0U."
des,bsdi,crypt

Crackers

Differences Between Hashcat vs JtR

This section will cover the differences between the two crackers. This is not a comparison of speed, or why one may work better in a specific case than another.

General Settings

Description JtR hashcat
session --session --session
no logging --nolog --logfile-disable
config file --config (n/a)
previous cracks --pot --potfile-path
type of hashes --format --hash-type
wordlist --wordlist (last parameter)
incremental --incremental --increment
rules --rules --rules-file
max run time --max-run-time --runtime
show results --show --show

Hash Setting

Hash JtR hashcat
List formats john --list=formats john --list=format-all-details hashcat -h
cram-md5 hmac-md5 10200
des descrypt 1500
md5 (crypt is $1$) md5crypt 500
sha1 100
bsdi bsdicrypt 12400
sha256 sha256crypt 7400
sha512 sha512crypt 1800
blowfish bcrypt 3200
lanman lm 3000
NTLM nt 1000
mssql (05) mssql 131
mssql12 mssql12 1731
mssql (2012/2014) mssql05 132
oracle (10) oracle 3100
oracle 11 oracle11 112
oracle 12 oracle12c 12300
postgres dynamic_1034 12
mysql mysql 200
mysql-sha1 mysql-sha1 300
sha512($p.$s) - vmware ldap dynamic_82 1710

While Metasploit standardizes with the JtR format, the hashcat library includes the jtr_format_to_hashcat_format function to translate from jtr to hashcat.

Cracker Modes

Each crack mode is a set of rules which apply to that specific mode. The idea being any optimizations can be applied to that mode, and reset on other modes. These modes include:

Hashcat Optimized Kernel

Hashcat contains a -O flag which uses an optimized kernel. From internal testing it looks to be >200% faster, with a password length tradeoff. For more information see https://github.com/rapid7/metasploit-framework/pull/12790

Example Hashes

Hashcat

JtR

For testing Hashcat/JtR integration, this is a common list of commands to import example hashes of many different types. When possible the username is separated by an underscore, and anything after it is the password. For example des_password, the password for the hash is password:

creds add user:des_password hash:rEK1ecacw.7.c jtr:des
creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256,crypt
creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512,crypt
creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf
creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm
creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt
creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 jtr:mssql
creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12
creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
## oracle (10) uses usernames in the hashing, so we can't overide that here
creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
## oracle 11/12 H value, username is used
creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
## oracle 11/12 uses a LONG format, see lib/msf/core/auxiliary/jtr.rb
creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c
## postgres uses username, so we can't overide that here
creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
## other
creds add user:hmac_password hash:'<3263520797@127.0.0.1>#3f089332842764e71f8400ede97a84c9' jtr:hmac-md5
creds add user:vmware_ldap hash:'09486b2065eb6cb1e50fd9ee37c232d7a8654880172a7c348de5cf81f80c5929915f26cef17ce6e40fe474f53d595cf968eee7bbc1275248d2c5172642d1da7d$HEX$26037596705305554266639308182171' jtr:dynamic_82

This data breaks down to the following table:

Hash Type Username Hash Password jtr format Modules which dump this info Modules which crack this
DES des_password rEK1ecacw.7.c password des auxiliary/analyze/jtr_aix auxiliary/analyze/jtr_linux
MD5 md5_password $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ password md5 auxiliary/analyze/jtr_linux
BSDi bsdi_password _J9..K0AyUubDrfOgO4s password bsdi auxiliary/analyze/jtr_linux
SHA256 sha256_password $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 password sha256,crypt auxiliary/analyze/jtr_linux
SHA512 sha512_password $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 password sha512,crypt auxiliary/analyze/jtr_linux
Blowfish blowfish_password $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe password bf auxiliary/analyze/jtr_linux
Lanman lm_password E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C password lm auxiliary/analyze/jtr_windows_fast
NTLM nt_password AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C password nt auxiliary/analyze/jtr_windows_fast
MSSQL (2005) mssql05_toto 0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 toto mssql05 auxiliary/scanner/mssql/mssql_hashdump auxiliary/analyze/jtr_mssql_fast
MSSQL mssql_foo 0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 foo mssql auxiliary/scanner/mssql/mssql_hashdump auxiliary/analyze/jtr_mssql_fast
MSSQL (2012) mssql12_Password1! 0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 Password! mssql12 auxiliary/scanner/mssql/mssql_hashdump auxiliary/analyze/jtr_mssql_fast
MySQL mysql_probe 445ff82636a7ba59 probe mysql auxiliary/scanner/mysql/mysql_hashdump auxiliary/analyze/jtr_mysql_fast
MySQL SHA1 mysql-sha1_tere *5AD8F88516BD021DD43F171E2C785C69F8E54ADB tere mysql-sha1 auxiliary/scanner/mysql/mysql_hashdump auxiliary/analyze/jtr_mysql_fast
Oracle simon 4F8BC1809CB2AF77 A des,oracle auxiliary/scanner/oracle/oracle_hashdump auxiliary/analyze/jtr_oracle_fast
Oracle SYSTEM 9EEDFA0AD26C6D52 THALES des,oracle auxiliary/scanner/oracle/oracle_hashdump auxiliary/analyze/jtr_oracle_fast
Oracle 11 DEMO S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C epsilon raw-sha1,oracle auxiliary/scanner/oracle/oracle_hashdump auxiliary/analyze/jtr_oracle_fast
Oracle 11 oracle11_epsilon S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C epsilon raw-sha1,oracle modules/auxiliary/scanner/oracle/oracle_hashdump auxiliary/analyze/jtr_oracle_fast
Oracle 12 oracle12_epsilon H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B epsilon pbkdf2,oracle12c auxiliary/scanner/oracle/oracle_hashdump auxiliary/analyze/jtr_oracle_fast
Postgres example md5be86a79bf2043622d58d5453c47d4860 password raw-md5,postgres auxiliary/scanner/postgres/postgres_hashdump auxiliary/analyze/jtr_postgres_fast
HMAC-MD5 hmac_password <3263520797@127.0.0.1>#3f089332842764e71f8400ede97a84c9 password hmac-md5 auxiliary/server/capture/smtp None
SHA512($p.$s) vmware_ldap 09486b2065eb6cb1e50fd9ee37c232d7a8654880172a7c348de5cf81f80c5929915f26cef17ce6e40fe474f53d595cf968eee7bbc1275248d2c5172642d1da7d$HEX$26037596705305554266639308182171 testpass dynamic_82 None

Metasploit Wiki Pages


Clone this wiki locally