Crack The Hash Level 2 — TryHackMe

Advanced cracking hashes challenges and wordlist generation
Introduction
This is the write-up for TryHackMe's room Crack The Hash Level 2.
This room can be found here: https://tryhackme.com/room/crackthehashlevel2
This is the second room in the "Crack the Hash" series, and it is recommended to finish Level 1 first, which is available here: https://tryhackme.com/room/crackthehash
Before we get into cracking hashes, Tasks 1–5 talk about various tools and tricks for cracking and wordlist generation. We should read them first, as that is what this room is all about: learning new tools and tricks. Here is the summary:
[ Hash identification ]
- Haiti — https://github.com/noraj/haiti/
A CLI tool to identify the hash type of a given hash.
[ Wordlists ]
- Seclists — https://github.com/danielmiessler/SecLists
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
- wordlistctl — https://github.com/BlackArch/wordlistctl
Fetch, install and search wordlist archives from websites and torrent peers.
- Rawsec's CyberSecurity Inventory — https://inventory.raw.pm/tools.html#title-tools-cracking
Tools and resources about CyberSecurity. The Cracking category will be especially useful for finding wordlist generator tools.
- Rockyou — https://en.wikipedia.org/wiki/RockYou#Data_breach
Famous wordlist containing a large set of commonly used passwords sorted by frequency.
[ Cracking tools, modes & rules ]
- Hashcat — https://hashcat.net/hashcat/
Advanced password recovery utility.
- John the Ripper — https://www.openwall.com/john/
Open Source password security auditing and password recovery tool.
[ Custom wordlist generation ]
- Mentalist — https://github.com/sc0tfree/mentalist
Mentalist is a graphical tool for custom wordlist generation. It utilizes common human paradigms for constructing passwords and can output the full wordlist as well as rules compatible with Hashcat and John the Ripper.
- CeWL — https://github.com/digininja/CeWL
CeWL is a Custom Word List Generator.
- TTPassGen — https://github.com/tp7309/TTPassGen
Flexible and scriptable password dictionary generator which supports brute-force, combination, complex rule mode, etc.
It’s time to crack hashes
We will use John the Ripper (JTR) to crack the hashes in this room.
The most important things I learnt from this room are:
- Cracking is all about trial and error. You may need to try a lot of things, and there is no guarantee that you will be able to crack the hash.
- The hardware configuration matters a lot, as it directly determines the speed of cracking.
- Picking good wordlist(s) also plays an important role.
- Trying case combinations helps: a word can start with a capital letter, be all lowercase, be all uppercase, etc.
- Use "john --list=formats" to list all the hash formats supported by John the Ripper.
[Advise 1]
advise1.hash = b16f211a8ad7f97778e5006c7cecdf31
Advice = Boy Name, You can use border mutation. It's commonly used, add a combination of digits and special symbols at the end or at the beginning, or both. English male name, MD5, Border mutation, custom rule.
We used the haiti tool to identify this as an MD5 hash. This is arguably the toughest hash to crack in this room. Here we need to add a combination of digits and symbols at the start, at the end, or at both the start and the end. So suppose we have a list of names called LIST, and "x" and "y" are the sets of digits and special symbols:
x = A0"[0-9!@#$%^&*()_+]"
y = Az"[0-9!@#$%^&*()_+]"
Let's break this down:
A0 means add at the start (prepend)
Az means add at the end (append)
0-9 means the digits 0 to 9
!@#$%^&*()_+ are the special symbols. More special symbols can be added here, and a complete set might contain these: !@\#\$%^&()_+\-={}|\[\]\\;':,/\<\>?`~*. We need to put a '\' in front of a few symbols so that they are interpreted correctly, e.g. '[' needs a '\' in front of it. But for this hash let's stick to the symbols mentioned initially. So a few possible combinations are:
xLIST
xxLIST
xxxLIST
xxxxLIST
LISTy
LISTyy
LISTyyy
LISTyyyy
xLISTy
xLISTyy
xLISTyyy
xLISTyyyy
xxLISTy
xxLISTyy
xxLISTyyy
xxLISTyyyy
xxxLISTy
xxxLISTyy
xxxLISTyyy
xxxLISTyyyy
xxxxLISTy
xxxxLISTyy
xxxxLISTyyy
xxxxLISTyyyy
xxxxxLISTy
xxxxxLISTyy
xxxxxLISTyyy
xxxxxLISTyyyy
xxxxxLISTyyyyy
This list can grow infinitely long as no length is given in the task, so let us stick to a maximum of 5 characters at the start, at the end, or both. Also pick the following wordlist of male names from SecLists, located here on Kali:
/usr/share/seclists/Usernames/Names/malenames-usa-top1000.txt
Now, this JTR custom rule set is huge and can take a very long time to crack the hash with any decent wordlist, so let's break it into parts and try them out individually. We need to add our custom rules to JTR's local config file, located on Kali here:
/usr/share/john/john-local.conf
So edit it with sudo permissions and add the following rule:
[List.Rules:THM_Advise1]
cAz"[0-9!@#$%^&*()_+][0-9!@#$%^&*()_+][0-9!@#$%^&*()_+][0-9!@#$%^&*()_+][0-9!@#$%^&*()_+]"
Here c capitalizes the first letter of each word from the list, the reasoning being that we usually capitalize the first letter of a name when writing it. Now run John the Ripper to start cracking the hash:
john advise1.hash --format=raw-md5 --wordlist=malenames-usa-top1000.txt --rules=THM_Advise1
Here advise1.hash contains the MD5 hash which we want to crack.

Use the following to see the cracked hash:
john --show --format=raw-md5 advise1.hash
Note that the cracked hashes for JTR are stored here:
~/.john/john.pot
Note that we went straight to the rule above, which cracked the hash. In reality you have to try all the combinations above to narrow down to a particular rule set.
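To make the rule syntax above concrete, here is an added Python example (my own code, not John the Ripper's and not part of the original write-up). It re-implements only the handful of John rule features this write-up uses: the preprocessor's [...] character classes (with a-b ranges and backslash escapes) and the commands c (capitalize), l, u, r (reverse), A0"str" (prepend) and Az"str" (append). It shows what THM_Advise1 turns a name into and, more usefully for planning a run, how many candidates the five-class rule produces per word, which is why the rule set is described as huge. It generates candidates only; it hashes nothing. Function names and the sample names are constructed.

```python
import itertools
import re

# Added example: a tiny re-implementation of the John rule features used in the
# write-up (not John's own code). Supported: [...] preprocessor classes, and the
# commands c, l, u, r, A0"str", Az"str".

ADVISE1_RULE = 'cAz"' + '[0-9!@#$%^&*()_+]' * 5 + '"'   # the THM_Advise1 rule line
CLASS_RE = r'\[((?:\\.|[^\]\\])*)\]'                     # one [...] class, escapes allowed


def expand_class(spec):
    """Expand one [...] class body into its list of characters."""
    chars = []
    i = 0
    while i < len(spec):
        if spec[i] == '\\' and i + 1 < len(spec):          # escaped literal, e.g. \[ or \-
            chars.append(spec[i + 1])
            i += 2
        elif i + 2 < len(spec) and spec[i + 1] == '-':     # range, e.g. 0-9
            chars.extend(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            chars.append(spec[i])
            i += 1
    return chars


def preprocess(rule):
    """Yield every concrete rule the preprocessor generates from one rule line:
    the cartesian product of all [...] classes, substituted left to right."""
    parts = re.split(CLASS_RE, rule)
    literals, classes = parts[0::2], [expand_class(c) for c in parts[1::2]]
    for combo in itertools.product(*classes):
        yield ''.join(lit + ch for lit, ch in zip(literals, combo)) + literals[-1]


def rule_count(rule):
    """Number of concrete rules a line expands to, without enumerating them."""
    n = 1
    for body in re.findall(CLASS_RE, rule):
        n *= len(expand_class(body))
    return n


def apply_rule(rule, word):
    """Apply one concrete (class-free) rule to a word."""
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == 'c':
            word = word[:1].upper() + word[1:].lower()
        elif cmd == 'l':
            word = word.lower()
        elif cmd == 'u':
            word = word.upper()
        elif cmd == 'r':
            word = word[::-1]
        elif cmd == 'A':                                   # A<pos>"str": insert str at pos
            pos, quote = rule[i + 1], rule[i + 2]
            end = rule.index(quote, i + 3)
            s = rule[i + 3:end]
            if pos == '0':
                word = s + word
            elif pos == 'z':
                word = word + s
            else:
                raise ValueError(f"only A0 and Az are supported, got A{pos}")
            i = end
        else:
            raise ValueError(f"unsupported rule command {cmd!r}")
        i += 1
    return word


def candidates(rule_line, words):
    """All candidates a rule line produces from a wordlist, rule-major like John
    (every word under the first concrete rule, then the next rule)."""
    for concrete in preprocess(rule_line):
        for w in words:
            yield apply_rule(concrete, w)


if __name__ == "__main__":
    names = ["david", "john"]                               # constructed sample wordlist
    one_border = 'cAz"[0-9!@#$%^&*()_+]"'                   # a single border character
    print("first candidates:", list(candidates(one_border, names))[:6])
    print("concrete rules in THM_Advise1:", rule_count(ADVISE1_RULE))
    print("candidates for a 1000-name list:", rule_count(ADVISE1_RULE) * 1000)
```

Run it and the last two lines explain the advice to split the rule into parts: 22 characters per class raised to the fifth power is several million concrete rules, each applied to every name in the list.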
[Advise 2]
advise2.hash = 7463fcb720de92803d179e7f83070f97
Advice = Female Name, Border Mutation, custom rule
This is exactly the same as Advise 1, except that we need to use a different wordlist from SecLists:
/usr/share/seclists/Usernames/Names/femalenames-usa-top1000.txt
The JTR rule that worked for this hash was:
[List.Rules:THM_Advise2]
cAz"[0-9!@#$%^&*()_+][0-9!@#$%^&*()_+][0-9!@#$%^&*()_+]"
And the commands were:
john advise2.hash --format=raw-md5 --wordlist=femalenames-usa-top1000.txt --rules=THM_Advise2
john --show --format=raw-md5 advise2.hash

[Advise 3]
advise3.hash = f4476669333651be5b37ec6d81ef526f
Advice = Town names from Mexico, freak/1337/l33t mutation. Replace some letters with similarly looking special symbols.
The haiti tool tells us that this is most probably an MD5 hash.
Use wordlistctl to find a wordlist for cities/towns in Mexico:

We have two lists here; we can try them one by one, so let's pick the first one and fetch it.
sudo /opt/tools/wordlistctl/wordlistctl.py fetch -l cities -d
The city names in this list contain capital letters and spaces, so we need to modify the list so that the names are lowercase without spaces. There are many ways to achieve this; one of them is a simple Python script:
#!/usr/bin/env python
# first get all lines from the file
with open('cities.txt', 'r') as f:
    lines = f.readlines()
# remove spaces
lines = [line.replace(' ', '') for line in lines]
# convert to lowercase
lines = [line.lower() for line in lines]
# finally, write the lines to the new file
with open('cities_modified.txt', 'w') as f:
    f.writelines(lines)
This will produce a text file named cities_modified.txt which we can use with JTR's inbuilt l33t rule:
john advise3.hash --format=raw-md5 --wordlist=cities_modified.txt --rules=l33t
john --show --format=raw-md5 advise3.hash

[Advise 4]
advise4.hash = a3a321e1c246c773177363200a6c0466a5030afc
name.txt = DavidGuettapan, the username which we got from the Advice Portal. Put this name in a text file.
Advice = Use case mutation, make variations of uppercase or lowercase letters for any character. JTR already has an inbuilt rule called "NT" for this. Running haiti against the hash indicates that it is SHA1:

Run john to crack the hash:
john advise4.hash --format=raw-sha1 --wordlist=name.txt --rules=NT
john --show --format=raw-sha1 advise4.hash

[Advise 5]
advise5.hash = d5e085772469d544a447bc8250890949
Advice = Adele, the singer, reverse the character order. MD5 hash as indicated by haiti.
Tool = https://github.com/initstring/lyricpass
lyricpass is a password wordlist generator using song lyrics for targeted brute-force audits/attacks, useful for penetration testing or security research. We can use it to make a password list from the songs of the singer "Adele" using:
/opt/tools/lyricpass/lyricpass.py -a "Adele"

Then use a simple custom rule to reverse the character order, applied to the raw lyrics wordlist produced above.
[List.Rules:THM_Advise5]
r
Run john to crack the hash:
john advise5.hash --format=raw-md5 --wordlist=raw-lyrics-2021-01-26-15.51.09 --rules=THM_Advise5
john --show --format=raw-md5 advise5.hash

[Advise 6]
advise6.hash = 377081d69d23759c5946a95d1b757adc
Advice = Phone Number — Sint Maarten. MD5 hash as indicated by Haiti.
Tool = https://github.com/toxydose/pnwgen
pnwgen is a very flexible phone number wordlist generator.
Searching the web for Sint Maarten reveals it to be a constituent country of the Kingdom of the Netherlands, with a 7-digit phone number format and the prefix "+1721".

pnwgen can generate a phone number wordlist for us with this prefix and 7 digits:

Run JTR with this wordlist to crack the hash:
john advise6.hash --format=raw-md5 --wordlist=/opt/tools/pnwgen/wordlist.txt
john --show --format=raw-md5 advise6.hash

[Advise 7]
advise7.hash = ba6e8f9cd4140ac8b8d2bf96c9acd2fb58c0827d556b78e331d1113fcbfe425ca9299fe917f6015978f7e1644382d1ea45fd581aed6298acde2fa01e7d83cdbd
Advice = common password not MD5 not SHA1 - last Competition Project of NIST - lol lel kek keccak topkek. Searching for this reveals that it is the SHA3 algorithm:

haiti identifies this hash as SHA-512, but the hints indicate it is SHA3, so we can use the raw-sha3 format in JTR and rockyou as the wordlist to crack the hash:
john advise7.hash --format=raw-sha3 --wordlist=/usr/share/wordlists/rockyou.txt
john --show --format=raw-sha3 advise7.hash

[Advise 8]
advise8.hash = 9f7376709d3fe09b389a27876834a13c6f275ed9a806d4c8df78f0ce1aad8fb343316133e810096e0999eaf1d2bca37c336e1b7726b213e001333d636e896617
Advice = Randomly picking a word from the website given and repeat it 2, 3, 4 or maybe 5 times so it will be longer. Finally let's pick a hardcore cryptographic hash function -> a finalist of SHA-3 project. But one that is used by PHC winner KDF. It is included in GNU core utilities. Even WireGuard use it. The following links point to the hashing algorithm being Blake2:
Use CeWL to scrape the deployed room's website with the following command:
cewl -d 2 -w advise8.txt http://10.10.231.53/rtfm.re/en/sponsors/index.html
where advise8.txt is the file containing the words scraped from the website. Now we need to repeat each word 2, 3, 4 and 5 times to come up with our wordlist for John. This can be done in many ways; here is one using Python:
#!/usr/bin/env python
# get file objects
file1 = open("advise8.txt", "r")
file2 = open("advise8_modified.txt", "w")
while True:
    # read next line
    line = file1.readline()
    # stop at end of file
    if not line:
        break
    word = line.strip()
    # write to file2 with each word repeated 2, 3, 4 and 5 times, one per line
    file2.writelines(word * 2 + '\n' + word * 3 + '\n' + word * 4 + '\n' + word * 5 + '\n')
# close files
file2.close()
file1.close()
The above Python script will produce the output in a new file advise8_modified.txt, which we will use to crack the hash with John:
john advise8.hash --format=Raw-Blake2 --wordlist=advise8_modified.txt
john --show --format=Raw-Blake2 advise8.hash

[Advise 9]
advise9.hash = $6$kI6VJ0a31.SNRsLR$Wk30X8w8iEC2FpasTo0Z5U7wke0TpfbDtSwayrNebqKjYWC4gjKoNEJxO/DkP.YFTLVFirQ5PEh4glQIHuKfA/
Advice = Why are you spreading your stupid mutations? Strong hash + salt is enough.
From https://hashcat.net/wiki/doku.php?id=example_hashes, we can see that this type of hash is actually sha512crypt with a salt, for example:

So we will use rockyou.txt wordlist to crack this hash with john:
john advise9.hash --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt
john --show --format=sha512crypt advise9.hash
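Advise 7, 8 and 9 all hinge on identifying the hash type, and in two of them haiti's guess ("SHA-512") had to be overridden by the hint. The reason is worth seeing in code: an unsalted hex hash reveals only its length, and SHA-512, SHA3-512 and BLAKE2b all produce 128 hex characters. The following is an added Python example (my own code, not haiti's and not part of the original write-up) that buckets hashlib's algorithms by digest length and splits a modular-crypt string such as the Advise 9 hash into its $id$salt$hash parts, where $6$ denotes sha512crypt. The sample input, function names and the scheme-id table are constructed; it only hashes and parses, it cracks nothing.

```python
import hashlib

# Added example: hash identification by digest length plus crypt-string parsing.
# Not haiti's code. All sample inputs are constructed.

# hashlib algorithms with a fixed-size digest, used for the length buckets
ALGORITHMS = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512",
              "sha3_256", "sha3_512", "blake2s", "blake2b"]


def hex_digest(algorithm, data):
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def candidates_by_length(hex_hash):
    """Unsalted algorithms whose hex digest is as long as hex_hash. Length is all
    a bare hex hash reveals, so several algorithms share each bucket."""
    n = len(hex_hash)
    return sorted(a for a in ALGORITHMS if hashlib.new(a).digest_size * 2 == n)


def same_length_digests(data):
    """Digests of data under the three 512-bit algorithms met in Advise 7 and 8 and
    in haiti's SHA-512 guess: completely different values, identical length."""
    return {a: hex_digest(a, data) for a in ("sha512", "sha3_512", "blake2b")}


def parse_crypt(hash_string):
    """Split a modular-crypt-format string ($id$salt$hash) into (scheme, salt, hash).
    Only plain ids are mapped; a rounds=N field is not handled."""
    ids = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}   # constructed table
    if not hash_string.startswith("$"):
        raise ValueError("not a modular-crypt string")
    _, scheme_id, salt, digest = hash_string.split("$", 3)
    return ids.get(scheme_id, "unknown:" + scheme_id), salt, digest


if __name__ == "__main__":
    sample = b"correct horse"                                   # constructed input
    for name, d in same_length_digests(sample).items():
        print(f"{name:9} {len(d)} hex chars  {d[:16]}...")
    print("128 hex chars could be:", candidates_by_length("0" * 128))
    print("32 hex chars could be: ", candidates_by_length("0" * 32))
    advise9 = ("$6$kI6VJ0a31.SNRsLR$Wk30X8w8iEC2FpasTo0Z5U7wke0TpfbDtSwayrNebqKjYWC4"
               "gjKoNEJxO/DkP.YFTLVFirQ5PEh4glQIHuKfA/")         # the Advise 9 hash
    scheme, salt, _ = parse_crypt(advise9)
    print("Advise 9 scheme:", scheme, "salt:", salt)
```

The 128-character bucket is exactly the ambiguity haiti ran into: without a salt prefix or a hint, SHA-512, SHA3-512 and BLAKE2b are indistinguishable from the hash alone, so the hint (or trying each JTR format in turn) is what decides. For Advise 9 no guessing is needed because the $6$ prefix names the scheme and carries the salt.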

These are all the hashes we needed to crack. I hope you have learned something new from this write-up.
One last tip for Task 5 (custom wordlist generation), where we need to run CeWL against the website https://example.org:
Try using a cached version of the site, if you can reach it :)