THM: Crack The Hash
In the field of security, hashes are values across which we come a lot. From the hashed passwords stored locally in the
/etc/shadow to passwords stored by biggest corporations like Google and Facebook also incorporate one of the other forms of hashing.
This Crak The Hash room on TryHackMe helps to build a basic understanding of different types of hashes and how we can decrypt these hashes. Before we start, make sure that you have HashCat and Hash Identifier installed on the system along with the rockyou.txt dictionary.
So, let’s begin!
- In the image below from
hash-identifier, it can be seen that the passed value is MD5 hashed.
Now, we can use hashcat along with rockyou.txt to break the hash using the command:
tester@kali:~/Desktop$ hashcat -m 0 hash_value /usr/share/wordlists/rockyou.txt
-m defines the mode of the hashing algorithm that is to be cracked. The entire list of various modes that hashcat supports are present at this link. Also, with hashcat, we can break the password easily.
- Again we can use
hash-identifierto find the hashing algorithm, which turns out to be SHA-1. This hash can also be cracked by
- Again from
hash-identifier, we can find out that this is a SHA-256 hashed value and crack the value using hashcat in mode
- Now this hash is a bit different from the previous ones as
hash-identifierwon't be able to determine the hashing algorithm used but we can use Google to find the hash. At the beginning of the hashed value, we can see the
$2y$, this is a hash signature and we can Google what hashing algorithm has this signature. We can find out that this is hashed using the
bcrypthashing algorithm. Again that password can be cracked using mode
-m 3200in hashcat but it might take a lot of time. So, we can look up for some online
bcrypt cracking toolslike the one here. We simply need to provide the hash value, select the hashing algorithm and perform a search. And we'll get the desired cracked value.
- With hashcat, we can figure out that this hash appears to be MD5 but when we try to crack this hash with hashcat using the mode
-m 0, the hash does not get cracked.
- We can see that the
hash-identifierhad also suspected this has to be an MD4 hash. So, we can try to crack this hash with mode
-m 900in hashcat but this time also it won't work. So, we can use another online hash cracker over here and get the cracked hash value.
- For this hash,
hash-identifierdetects it as SHA-256 but when tried to break with hashcat using mode
-m 1400, it fails. So, we can look out for some other online hash decryptor like the one here and get the cracked value of the hash.
- This hash got identified as MD5 and MD4 but when tried with hashcat none of these worked. On checking the hint for this question it was mentioned as NTLM. And NTLM hashes can be cracked with hashcat using mode
3. Hash: $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.
- For this question, we must know that what hashing algorithm uses a $6$ signature. After some googling, we can find out that this is a SHA-512 hash signature. Another important thing with this hash is that salting is used here. And the value between
$6$and the first
$after that is the salt that is used, which in our case is
- Hashcast has various supported formats of salted SHA-512 hash but we need the one in which the hashed value consists of
sha512crypt $6$ hash. Hence, we can crack this hash using mode
-m 1800in hashcat.
- P.S. Crack this hash will take a lot of time, so be patient.
4. Hash: e5d8870e5bdd26602cab8dbe07a942c8669e56d6 Salt: tryhackme
hash-identifier, it can be found out that this is a SHA-1 hashed value. Now, we know that we are provided both the hash and salt but unlike SHA-512, the salt is not present in the hash value. So, it must be by some way passed to the cracker in order to crack it in a proper way. So to do that there are two method:
- The issue here from
hash-identifierit was found out that it is a SHA-1 hash value but on trying various modes related to SHA-1 in hashcat like 100, 110, 120, 130, 140 and 150 we were not able to get the cracked value. Finally the value got cracked with mode
-m 160which is used for
Some key points to take away
hash-identifiercan be used to identify a huge variety of hashes.
- Sometimes, we can use hash signatures to determine the hashing algorithm like:
$2y$signatures are used by the
$6$signature is used by the
3. Sometimes, our local hash cracker tools won’t work because of the limitations of the variety of values in the passed dictionary. Hence, if not locally then we can search for online hash crackers.
4. In SHA512crypt hash, the salt is present between
5. In case of salted SHA1, password and salt must be arranged across colon(:).