Hey everyone! It has been a couple of weeks since I dropped a blog, so I figured it is about time I put together a nice technical one. Today we will be discussing strategies to crack different types of hashes more effectively (and efficiently). These techniques apply as much to CTFs as they do to real-life pen testing engagements.
Recently, during engagements, I have been acquiring loads of hashes from sources such as Responder, Mimikatz, and the Zerologon exploit. I did the cursory “throw a wordlist against them” and moved on. To me, there was not much benefit in bruteforcing, simply because the projects were short and the chances of a successful crack were slim to none. But I felt terrible. Surely I was leaving some meat on the bone that would give the customer more for their money. Don’t get me wrong: it’s not like I’m not giving a solid pen test. At a minimum, I meet my primary objectives 90% of the time.
But we can always be better, can’t we?
This is where using rules comes in. Bruteforcing just sucks. Nobody wants to spend days trying to find a password, and with the new length requirements of 12 or more characters at many organizations, it can be a futile task.
With rules, you are still using wordlists, but in a more intelligent manner. The rules manipulate the wordlists in different ways to account for all those things we as security practitioners tell our users: change an O (as in ohhh) to a 0 (as in zero), change a’s to @, put capital letters in there, add special characters, all to make the password harder to guess. Luckily for us pen testers, humans are predictable (and lazy) for the most part.
This technique holds a massive advantage over bruteforcing. With wordlists, we can rely on prior password breaches to build base word lists and then use rules to manipulate those words with common variations. By doing this, we cut down our time substantially. I’m talking hours instead of months.
We aren’t looking to guess all the hashes. We don’t need to. We just need a foothold on the network, which means one or two will be sufficient for our goals. If we get an administrator, even better.
Alright. So how do we do this?
For starters, I recommend using an operating system that is actually installed on the hardware, not a virtual machine. I dual boot a Kali and Windows system. No matter what, this will be faster because you can use all the resources available. I am not sure if you can use the GPUs in a VM. Maybe that is possible, and you can use a VM. Let me know because that would be awesome.
Once you have the OS set up, the hard part is out of the way. Now you must find word lists and rule lists to use.
For word lists, I use rockyou.txt (the Kali one located in /usr/share/wordlists/) and phpbb.txt.
For rule lists, I use Praetorian’s two lists.
The basic command you are going to run is:
NOTE: In the command above, I added line breaks for readability. It should all be on one line.
For NTLMv2 hashes, the hashcat hash mode is 5600.
Starting out, you should run the command once for each rule and wordlist combination. This may look something like this:
Let’s Build Some Efficiencies
Now that you have the basics, you can add in longer word lists like those provided by Daniel Miessler in the notorious SecLists.
My advice with multiple lists is to use the smaller lists first and work your way up to the longer lists. This way, you may get some passwords back before running the longer lists. For a frame of reference, one combination I ran took over 12 hours, whereas the four basic ones take anywhere from 10 minutes to an hour.
One final tip for efficiency is finding words related to your customer and putting them in a wordlist. These words could be the street address, the company name, the products they offer, slogans, etc. You would be amazed at what people use. One time I did a project for a sports team and the passwords were “Go<insert team name>!” as in “GoUnicorns!”. An excellent place to pull words from is the organization’s websites. You can use tools such as CeWL to spider and scrape the website and generate a word list.
Make sure to use these wordlists with the bigger rule list, d3adhob0.rule.
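To make concrete how a rule file turns a base word into the a-to-@, O-to-0, capitalized, “GoUnicorns!”-style variants described above, here is a small Python rule engine plus the check a defender can build on the same idea: reject a proposed password if it is just a rule-mangled dictionary word. This is an added example, not code from the original post, hashcat or Praetorian; it implements only a handful of hashcat’s rule functions, and the wordlist and rules in it are constructed stand-ins, not rockyou.txt or d3adhob0.rule.

```python
"""Minimal hashcat-style rule engine and the password-policy check a defender
can build on it. Added example, not code from the original post, hashcat or
Praetorian; the words and rules below are constructed and the function subset
is far smaller than what real rule files such as d3adhob0.rule use."""
ARGC = {"$": 1, "^": 1, "s": 2}  # rule functions that take argument characters

def tokenize(rule: str):
    """Split a rule line into (function, args) pairs; spaces are optional."""
    ops, i = [], 0
    while i < len(rule):
        if rule[i] == " ":
            i += 1
            continue
        n = ARGC.get(rule[i], 0)
        ops.append((rule[i], rule[i + 1:i + 1 + n]))
        i += 1 + n
    return ops

def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line to one word, left to right, as hashcat -r does."""
    for f, a in tokenize(rule):
        if f == ":":   pass                                  # no-op
        elif f == "l": word = word.lower()
        elif f == "u": word = word.upper()
        elif f == "c": word = word[:1].upper() + word[1:].lower()
        elif f == "r": word = word[::-1]
        elif f == "$": word = word + a                       # append one char
        elif f == "^": word = a + word                       # prepend one char
        elif f == "s": word = word.replace(a[0], a[1])       # sXY: every X -> Y
        elif f == "]": word = word[:-1]
        elif f == "[": word = word[1:]
        else: raise ValueError(f"unsupported rule function {f!r}")
    return word

# Constructed stand-ins for a wordlist (e.g. rockyou.txt) and a rule file.
SAMPLE_WORDS = ["unicorns", "password", "summer"]
SAMPLE_RULES = [":", "c", "c $!", "sa@ so0", "c sa@ so0 $1", "u", "c ^o ^G $!"]

def candidates(words, rules):
    """All unique candidates one wordlist x rule-file combination produces."""
    return {apply_rule(w, r) for w in words for r in rules}

def find_base(candidate, words, rules):
    """Policy check: the (word, rule) producing candidate, or None if it is
    not a simple mangling of a dictionary word."""
    for w in words:
        for r in rules:
            if apply_rule(w, r) == candidate:
                return (w, r)
    return None
```

Running `find_base("P@ssw0rd1", SAMPLE_WORDS, SAMPLE_RULES)` returns `('password', 'c sa@ so0 $1')`, which is exactly why that password should be refused at set time rather than found during an engagement.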
Hopefully, these tips help you out as much as they have helped me. Don’t be like me and ignore a solid attack surface because you think it will take forever to learn. Yes, I had other things on my to-do list, but this only took a couple of days to put together. I plan to build on these techniques in the future and release a blog when I have more to add.
Before closing out, I want to thank Praetorian for their rule lists and awesome blogs. I also picked up some useful tips from F-Secure and a few other awesome folks. See my links below to check out their work.
A Practical Guide to Cracking Password Hashes
Hashcat's Git Repo
Statistics will crack your password mask structure
Hash dumps for practice