HashCrack.Copyright©2017NetmuxLLC

Allrightsreserved.Withoutlimitingtherightsunderthecopyrightreservedabove,nopartofthispublicationmaybereproduced,storedin,orintroducedintoaretrievalsystem,ortransmittedinanyformorbyanymeans(electronic,mechanical,photocopying,recording,orotherwise)withoutpriorwrittenpermission.

ISBN-10:1975924584ISBN-13:978-1975924584

NetmuxandtheNetmuxlogoareregisteredtrademarksofNetmux,LLC.Otherproductandcompanynamesmentionedhereinmaybethetrademarksoftheirrespectiveowners.Ratherthanuseatrademarksymbolwitheveryoccurrenceofatrademarkedname,weareusingthenamesonlyinaneditorialfashionandtothebenefitofthetrademarkowner,withnointentionofinfringementofthetrademark.

Theinformationinthisbookisdistributedonan“AsIs”basis,withoutwarranty.Whileeveryprecautionhasbeentakeninthepreparationofthiswork,neithertheauthornorNetmuxLLC,shallhaveanyliabilitytoanypersonorentitywithrespecttoanylossordamagecausedorallegedtobecauseddirectlyorindirectlybytheinformationcontainedinit.

Whileeveryefforthasbeenmadetoensuretheaccuracyandlegitimacyofthereferences,referrals,andlinks(collectively“Links”)presentedinthisbook/ebook,NetmuxisnotresponsibleorliableforbrokenLinksormissingorfallaciousinformationattheLinks.AnyLinksinthisbooktoaspecificproduct,process,website,orservicedonotconstituteorimplyanendorsementbyNetmuxofsame,oritsproducerorprovider.TheviewsandopinionscontainedatanyLinksdonotnecessarilyexpressorreflectthoseofNetmux.

TABLEOFCONTENTS

Intro

RequiredSoftware

CoreHashCrackingKnowledge

CrackingMethodology

BasicCrackingPlaybook

CheatSheets

ExtractHashes

PasswordAnalysis

Dictionary/Wordlist

Rules&Masks

ForeignCharacterSets

AdvancedAttacks

CrackingConcepts

CommonHashExamples

Appendix

-Terms

-OnlineResources

-JohnTheRipperMenu

-HashcatMenu

-HashCrackingBenchmarks

-HashCrackingSpeed

INTRO

Thismanualismeanttobeareferenceguideforcrackingtoolusageandsupportivetoolsthatassistnetworkdefendersandpentestersinpasswordrecovery(cracking).Thismanualwillnotbecoveringtheinstallationofthesetools,butwillincludereferencestotheirproperinstallation,andifallelsefails,Google.Updatesandadditionstothismanualareplannedyearlyasadvancementsincrackingevolve.Passwordrecoveryisabattleagainstmath,time,cost,andhumanbehavior;andmuchlikeanybattle,thetacticsareconstantlyevolving.

ACKNOWLEDGEMENTS

Thiscommunitywouldnotenjoythesuccessanddiversitywithoutthefollowingcommunitymembersandcontributors:

Alexander‘SolarDesigner’Peslvak,JohnTheRipperTeam,&CommunityJens‘atom’Steube,HashcatTeam,&DevotedHashcatForumCommunityJeremi‘epixoip’GosneyKorelogic&theCrackMeIfYouCanContestRobin‘DigiNinja’Wood(Pipal&CeWL)CynoSurePrimeTeamChris‘Unix-ninja’AurelioPerThorsheim(PasswordsCon)Blandyuk&Rurapenthe(HashKillerContest)Peter‘iphelix’Kacherginsky(PACK)Royce‘tychotithonus’Williams‘Waffle’

Andmany,many,manymorecontributors.Ifanamewasexcludedfromtheabovelistpleasereachoutandthenextversionwillgivethemtheirduecredit.

Lastly,thetools,research,andresourcescoveredinthebookaretheresultofpeople’shardwork.Assuch,IHIGHLYencourageallreaderstoDONATEtohelpassistintheirefforts.Aportionoftheproceedsfromthisbookwillbedistributedtothevariousresearchers/projects.

Suggestionsorcomments,sendyourmessagetohashcrack@netmux.com

REQUIREDSOFTWARE

Inordertofollowmanyofthetechniquesinthismanual,youwillwanttoinstallthefollowingsoftwareonyourWindowsor*NIXhost.Thisbookdoesnotcoverhowtoinstallsaidsoftwareandassumesyouwereabletofollowtheincludedlinksandextensivesupportwebsites.

HASHCATv3.6(ornewer)https://hashcat.net/hashcat/

JOHNTHERIPPER(v1.8.0JUMBO)http://www.openwall.com/john/

PACKV0.0.4(PasswordAnalysisandCrackingToolkit)http://thesprawl.org/projects/pack/

Hashcat-utilsv1.7https://hashcat.net/wiki/doku.php?id=hashcat_utils

Additionallyyouwillneeddictionaries/wordlistsandhighlyrecommendthebelowsources:

WEAKPASSDICTIONARYhttps://weakpass.com/wordlist

CRACKSTATIONDICTIONARYhttps://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm

SKULLSECURITYWORDLISTShttps://wiki.skullsecurity.org/index.php?title=Passwords

Throughoutthemanual,genericnameshavebeengiventothevariousinputsrequiredinacrackingcommandsstructure.Legenddescriptionisbelow:

COMMANDSTRUCTURELEGENDhashcat=GenericrepresentationofthevariousHashcatbinarynamesjohn=GenericrepresentationoftheJohntheRipperbinarynames#type=Hashtype;whichisanabbreviationinJohnoranumberinHashcathash.txt=Filecontainingtargethashestobecrackeddict.txt=Filecontainingdictionary/wordlistrule.txt=Filecontainingpermutationrulestoalterdict.txtinput

passwords.txt=Filecontainingcrackedpasswordresultsoutfile.txt=Filecontainingresultsofsomefunctionsoutput

Lastly,asagoodreferencefortestingvarioushashtypestoplaceintoyour“hash.txt”file,thebelowsitescontainallthevarioushashingalgorithmsandexampleoutputtailoredforeachcrackingtool:

HASHCATHASHFORMATEXAMPLEShttps://hashcat.net/wiki/doku.php?id=example_hashes

JOHNTHERIPPERHASHFORMATEXAMPLEShttp://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formatshttp://openwall.info/wiki/john/sample-hashes

COREHASHCRACKINGKNOWLEDGE

ENCODINGvsHASHINGvsENCRYPTINGEncoding=transformsdataintoapubliclyknownschemeforusabilityHashing=one-waycryptographicfunctionnearlyimpossibletoreverseEncrypting=mappingofinputdataandoutputdatareversiblewithakey

CPUvsGPUCPU=2-72coresmainlyoptimizedforsequentialserialprocessingGPU=1000’sofcoreswith1000’softhreadsforparallelprocessing

CRACKINGTIME=KEYSPACE/HASHRATEKeyspace:charset^length(?a?a?a?a=95^4=81,450,625)Hashrate:hashingfunction/hardwarepower(bcrypt/GTX1080=13094H/s)CrackingTime:81,450,625/13094H/s=6,220seconds

*KeyspacedisplayedandHashratevarybytoolandhardwareused

SALT=randomdatathat’susedasadditionalinputtoaone-wayfunctionITERATIONS=thenumberoftimesanalgorithmisrunoveragivenhash

HASHIDENTIFICATION:thereisn’tafoolproofmethodforidentifyingwhichhashfunctionwasusedbysimplylookingatthehash,buttherearereliableclues(i.e.$6$sha512crypt).Thebestmethodistoknowfromwherethehashwasextractedandidentifythehashfunctionforthatsoftware.

DICTIONARY/WORDLISTATTACK=straightattackusesaprecompiledlistofwords,phrases,andcommon/uniquestringstoattempttomatchapassword.

BRUTE-FORCEATTACK=attemptseverypossiblecombinationofagivencharacterset,usuallyuptoacertainlength.

RULEATTACK=generatespermutationsagainstagivenwordlistbymodifying,trimming,extending,expanding,combining,orskippingwords.

MASKATTACK=aformoftargetedbrute-forceattackbyusingplaceholdersforcharactersincertainpositions(i.e.?a?a?a?l?d?d).

HYBRIDATTACK=combinesaDictionaryandMaskAttackbytakinginputfromthedictionaryandaddingmaskplaceholders(i.e.dict.txt?d?d?d).

CRACKINGRIG=fromabasiclaptoptoa64GPUcluster,thisisthehardware/platformonwhichyouperformyourpasswordhashattacks.

EXPECTEDRESULTSKnowyourcrackingrig’scapabilitiesbyperformingbenchmarktestinganddon’tassumeyoucanachievethesameresultspostedbyforummemberswithoutusingtheexactsamedictionary,attackplan,orhardwaresetup.Crackingsuccesslargelydependsonyourabilitytouseresourcesefficientlyandmakecalculatedtrade-offsbasedonthetargethash.

DICTIONARY/WORDLISTvsBRUTE-FORCEvsANALYSISDictionariesandbrute-forcearenottheendallbealltocrackhashes.Theyaremerelythebeginningandendofanattackplan.Truemasteryiseverythinginthemiddle,whereanalysisofpasswords,patterns,behaviors,andpoliciesaffordstheabilitytorecoverthatlast20%.Experimentwithyourattacksandresearchandcompiletargetedwordlistswithyournewknowledge.Donotrelyheavilyondictionariesbecausetheycanonlyhelpyouwithwhatis“known”andnottheunknown.

CRACKINGMETHODOLOGY

Followingisbasiccrackingmethodologybrokenintosteps,buttheprocessissubjecttochangebasedoncurrent/futuretargetinformationuncoveredduringthecrackingprocess.

1-EXTRACTHASHESPullhashesfromtarget,identifyhashingfunction,andproperlyformatoutputforyourtoolofchoice.

2-FORMATHASHESFormatyourhashesbasedonyourtool’spreferredmethod.Seetooldocumentationforthisguidance.Hashcat,forexample,oneachlinetakes<user>:<hash>ORjusttheplain<hash>.

3-EVALUATEHASHSTRENGTHUsingtheAppendixtable“HashCrackingSpeed(Slow-Fast)”assessyourtargethashandit’scrackingspeed.Ifit’saslowhash,youwillneedtobemoreselectiveatwhattypesofdictionariesandattacksyouperform.Ifit’safasthash,youcanbemoreliberalwithyourattackstrategy.

4-CALCULATECRACKINGRIGCAPABILITIESWiththeinformationfromevaluatingthehashstrength,baselineyourcrackingrig’scapabilities.PerformbenchmarktestingusingJohnTheRipperand/orHashcat’sbuilt-inbenchmarkabilityonyourrig.john--testhashcat-bBasedontheseresultsyouwillbeabletobetterassessyourattackoptionsbyknowingyourrigscapabilitiesagainstaspecifichash.Thiswillbeamoreaccurateresultofahash’scrackingspeedbasedonyourrig.Itwillbeusefultosavetheseresultsforfuturereference.

5-FORMULATEPLANBasedonknownorunknownknowledgebegincreatinganattackplan.Includedonthenextpageisa“BasicCrackingPlaybook”togetyoustarted.

6-ANALYZEPASSWORDSAftersuccessfullycrackingasufficientamountofhashesanalyzetheresultsforanycluesorpatterns.Thisanalysismayaidinyoursuccessonanyremaininghashes.

7-CUSTOMATTACKSBasedonyoupasswordanalysiscreatecustomattacksleveragingthoseknowncluesorpatterns.Exampleswouldbecustommaskattacksorrulestofittargetusers’behaviororpreferences.

8-ADVANCEDATTACKSExperimentwithPrinceprocessor,customMarkov-chains,maskprocessor,orcustomdictionaryattackstoshakeoutthoseremainingstubbornhashes.Thisiswhereyourexpertiseandcreativityreallycomeintoplay.

9-REPEATGobacktoSTEP4andcontinuetheprocessoveragain,tweakingdictionaries,mask,parameters,andmethods.You’reinthegrindatthispointandneedtorelyonskillandluck.

BASICCRACKINGPLAYBOOK

Thisisonlymeantasabasicguidetoprocessinghashesandeachscenariowillobviouslybeuniquebasedonexternalcircumstances.ForthisattackplanwewillassumeweknowthepasswordhashesarerawMD5andassumewehavealreadycapturedsomeplaintextpasswordsofusers.IfwehadnoknowledgeofplaintextpasswordswewouldmostlikelyskiptoDICTIONARY/WORDLISTattacks.Lastly,sinceMD5isa“Fast”hashwecanbemoreliberalwithourattackplan.

1-CUSTOMWORDLISTFirstcompileyourknownplaintextpasswordsintoacustomwordlistfile.Passthistoyourtoolofchoiceasastraightdictionaryattack.

hashcat-a0-m0-w4hash.txtcustom_list.txt

2-CUSTOMWORDLIST+RULESRunyourcustomwordlistwithpermutationrulestocrackslightvariations.

hashcat-a0-m0-w4hash.txtcustom_list.txt-rbest64.rule--loopback

3-DICTIONARY/WORDLISTPerformabroaddictionaryattack,lookingforcommonpasswordsandleakedpasswordsinwellknowndictionaries/wordlists.

hashcat-a0-m0-w4hash.txtdict.txt

4-DICTIONARY/WORDLIST+RULESAddrulepermutationstothebroaddictionaryattack,lookingforsubtlechangestocommonwords/phrasesandleakedpasswords.

hashcat-a0-m0-w4hash.txtdict.txt-rbest64.rule--loopback

5-CUSTOMWORDLIST+RULESAddanynewlydiscoveredpasswordstoyourcustomwordlistandrunanattackagainwithpermutationrules,lookinganyothersubtlevariations.

awk-F“:”‘{print$2}’hashcat.potfile>>custom_list.txthashcat-a0-m0-w4hash.txtcustom_list.txt-rdive.rule--loopback

6-MASKNowwewillusemaskattacksincludedwithHashcattosearchthekeyspaceforcommonpasswordlengthsandpatterns,basedontheRockYoudataset.

hashcat-a3-m0-w4hash.txtrockyou-1-60.hcmask

7-HYBRIDDICTIONARY+MASKUsingadictionaryofyourchoice,conducthybridattackslookingforlargervariationsofcommonwordsorknownpasswordsbyappending/prependingmaskstothosecandidates.

hashcat-a6-m0-w4hash.txtdict.txtrockyou-1-60.hcmaskhashcat-a7-m0-w4hash.txtrockyou-1-60.hcmaskdict.txt

8-CUSTOMWORDLIST+RULESAddanynewlydiscoveredpasswordsbacktoyourcustomwordlistandrunanattackagainwithpermutationruleslookinganyothersubtlevariations.

awk-F“:”‘{print$2}’hashcat.potfile>>custom_list.txthashcat-a0-m0-w4hash.txtcustom_list.txt-rdive.rule--loopback

9-COMBOUsingadictionaryofyourchoice,performacomboattackbyindividuallycombiningthedictionary’spasswordcandidatestogethertoformnewcandidates.

hashcat-a1-m0-w4hash.txtdict.txtdict.txt

10-CUSTOMHYBRIDATTACKAddanynewlydiscoveredpasswordsbacktoyourcustomwordlistandperformahybridattackagainstthosenewacquiredpasswords.

awk-F“:”‘{print$2}’hashcat.potfile>>custom_list.txthashcat-a6-m0-w4hash.txtcustom_list.txtrockyou-1-60.hcmaskhashcat-a7-m0-w4hash.txtrockyou-1-60.hcmaskcustom_list.txt

11-CUSTOMMASKATTACKBynowtheeasier,weakerpasswordsmayhavefallentocracking,butstillsomeremain.UsingPACK(onpg.51)createcustommaskattacksbasedonyourcurrentlycrackedpasswords.Besuretosortoutmasksthatmatchthepreviousrockyou-1-60.hcmasklist.

hashcat-a3-m0-w4hash.txtcustom_masks.hcmask

12-BRUTE-FORCEWhenallelsefailsbeginastandardbrute-forceattack,beingselectiveastohowlargeakeyspaceyourrigcanadequatelybrute-force.Above8charactersthisistypicallypointlessduetohardwarelimitationsandpasswordentropy/complexity.

hashcat-a3-m0-w4hash.txt-i?a?a?a?a?a?a?a?a

JOHNTHERIPPERCHEATSHEET

ATTACKMODESBRUTEFORCEATTACKjohn--format=#typehash.txtDICTIONARYATTACKjohn--format=#type--wordlist=dict.txthash.txtMASKATTACKjohn--format=#type--mask=?l?l?l?l?l?lhash.txt-min-len=6INCREMENTALATTACKjohn--incrementalhash.txtDICTIONARY+RULESATTACKjohn--format=#type--wordlist=dict.txt--rules

RULES--rules=Single--rules=Wordlist--rules=Extra--rules=Jumbo--rules=KoreLogic--rules=All

INCREMENT--incremental=Digits--incremental=Lower--incremental=Alpha--incremental=Alnum

PARALLELCPUorGPULISTOpenCLDEVICESjohn--list=opencl-devicesLISTOpenCLFORMATSjohn--list=formats--format=openclMULTI-GPU(example3GPU’s)john--format=<OpenCLformat>hash.txt--wordlist=dict.txt--rules--dev=<#>--fork=3MULTI-CPU(example8cores)john--wordlist=dict.txthash.txt--rules--dev=<#>--fork=8

MISC

BENCHMARKTESTjohn--testSESSIONNAMEjohnhash.txt--session=example_nameSESSIONRESTOREjohn--restore=example_nameSHOWCRACKEDRESULTSjohnhash.txt--pot=<johnpotfile>--showWORDLISTGENERATIONjohn--wordlist=dict.txt--stdout--external:[filtername]>out.txt

BASICATTACKMETHODOLOGY1-DEFAULTATTACKjohnhash.txt2-DICTIONARY+RULESATTACKjohn--wordlist=dict.txt--rules3-MASKATTACKjohn--mask=?l?l?l?l?l?lhash.txt-min-len=64-BRUTEFORCEINCREMENTALATTACKjohn--incrementalhash.txt

HASHCATCHEATSHEET

ATTACKMODESDICTIONARYATTACKhashcat-a0-m#typehash.txtdict.txtDICTIONARY+RULESATTACKhashcat-a0-m#typehash.txtdict.txt-rrule.txtCOMBINATIONATTACKhashcat-a1-m#typehash.txtdict1.txtdict2.txtMASKATTACKhashcat-a3-m#typehash.txt?a?a?a?a?a?aHYBRIDDICTIONARY+MASKhashcat-a6-m#typehash.txtdict.txt?a?a?a?aHYBRIDMASK+DICTIONARYhashcat-a7-m#typehash.txt?a?a?a?adict.txt

RULESRULEFILE-rhashcat-a0-m#typehash.txtdict.txt-rrule.txtMANIPULATELEFT-jhashcat-a1-m#typehash.txtleft_dict.txtright_dict.txt-j<option>MANIPULATERIGHT-khashcat-a1-m#typehash.txtleft_dict.txtright_dict.txt-k<option>

INCREMENTDEFAULTINCREMENThashcat-a3-m#typehash.txt?a?a?a?a?a--incrementINCREMENTMINIMUMLENGTHhashcat-a3-m#typehash.txt?a?a?a?a?a--increment-min=4INCREMENTMAXLENGTHhashcat-a3-m#typehash.txt?a?a?a?a?a?a--increment-max=5

MISCBENCHMARKTEST(HASHTYPE)hashcat-b-m#typeSHOWEXAMPLEHASHhashcat-m#type--example-hashesDISABLEPASSWORDLENGTHLIMIT(MaxLength256)hashcat-a0-m#type--length-limit-disablehash.txtdict.txtSESSIONNAME

hashcat-a0-m#type--session<uniq_name>hash.txtdict.txtSESSIONRESTOREhashcat-a0-m#type--restore--session<uniq_name>hash.txtdict.txtSHOWKEYSPACEhashcat-a0-m#type--keyspacehash.txtdict.txt-rrule.txtOUTPUTRESULTSFILE-ohashcat-a0-m#type-oresults.txthash.txtdict.txtCUSTOMCHARSET-1-2-3-4hashcat-a3-m#typehash.txt-1?l?u-2?l?d?s?l?2?a?d?u?lADJUSTPERFORMANCE-whashcat-a0-m#type-w<1-4>hash.txtdict.txt

BASICATTACKMETHODOLOGY1-DICTIONARYATTACKhashcat-a0-m#typehash.txtdict.txt2-DICTIONARY+RULEShashcat-a0-m#typehash.txtdict.txt-rrule.txt3-HYBRIDATTACKShashcat-a6-m#typehash.txtdict.txt?a?a?a?a4-BRUTEFORCEhashcat-a3-m#typehash.txt?a?a?a?a?a?a?a?a

HASHTYPES(SORTEDALPHABETICAL)6600 1Password,agilekeychain8200 1Password,cloudkeychain14100 3DES(PT=$salt,key=$pass)11600 7-Zip6300 AIX{smd5}6400 AIX{ssha256}6500 AIX{ssha512}6700 AIX{ssha1}5800 AndroidPIN8800 AndroidFDE<v4.312900 AndroidFDE(SamsungDEK)1600 Apache$apr1$125 ArubaOS

12001 Atlassian(PBKDF2-HMAC-SHA1)13200 AxCrypt13300 AxCryptinmemorySHA13200 bcrypt$2*$,Blowfish(Unix)600 BLAKE2-512

12400 BSDiCrypt,ExtendedDES11300 Bitcoin/Litecoinwallet.dat12700 Blockchain,MyWallet15200 Blockchain,MyWallet,V2

15400 ChaCha202410 Cisco-ASA500 Cisco-IOS$1$5700 Cisco-IOS$4$9200 Cisco-IOS$8$9300 Cisco-IOS$9$2400 Cisco-PIX8100 CitrixNetscaler12600 ColdFusion10+10200 CramMD511500 CRC3214000 DES(PT=$salt,key=$pass)1500 descrypt,DES(Unix),TraditionalDES8300 DNSSEC(NSEC3)124 Django(SHA-1)

10000 Django(PBKDF2-SHA256)1100 DomainCachedCredentials(DCC),MSCache2100 DomainCachedCredentials2(DCC2),MSCache215300 DPAPImasterkeyfilev1andv27900 Drupal712200 eCryptfs141 EPiServer6.x<v41441 EPiServer6.x>v415600 EthereumWallet,PBKDF2-HMAC-SHA25615700 EthereumWallet,PBKDF2-SCRYPT15000 FileZillaServer>=0.9.557000 Fortigate(FortiOS)6900 GOSTR34.11-9411700 GOSTR34.11-2012(Streebog)256-bit11800 GOSTR34.11-2012(Streebog)512-bit7200 GRUB250 HMAC-MD5(key=$pass)60 HMAC-MD5(key=$salt)150 HMAC-SHA1(key=$pass)160 HMAC-SHA1(key=$salt)1450 HMAC-SHA256(key=$pass)1460 HMAC-SHA256(key=$salt)1750 HMAC-SHA512(key=$pass)1760 HMAC-SHA512(key=$salt)5100 HalfMD55300 IKE-PSKMD55400 IKE-PSKSHA12811 IPB(InvisonPowerBoard)

7300 IPMI2RAKPHMAC-SHA114700 iTunesBackup<10.014800 iTunesBackup>=10.04800 iSCSICHAPauthentication,MD5(Chap)15500 JKSJavaKeyStorePrivateKeys(SHA1)

11 Joomla<2.5.18400 Joomla>2.5.18

15100 Juniper/NetBSDsha1crypt22 JuniperNetscreen/SSG(ScreenOS)501 JuniperIVE

13400 Keepass1(AES/Twofish)andKeepass2(AES)7500 Kerberos5AS-REQPre-Authetype2313100 Kerberos5TGS-REPetype23

6800 Lastpass+Lastpasssniffed3000 LM8600 LotusNotes/Domino58700 LotusNotes/Domino69100 LotusNotes/Domino814600 LUKS900 MD40 MD510 md5($pass.$salt)20 md5($salt.$pass)30 md5(unicode($pass).$salt)40 md5($salt.unicode($pass))

3710 md5($salt.md5($pass))3800 md5($salt.$pass.$salt)3910 md5(md5($pass).md5($salt))4010 md5($salt.md5($salt.$pass))4110 md5($salt.md5($pass.$salt))2600 md5(md5($pass))4400 md5(sha1($pass))4300 md5(strtoupper(md5($pass)))500 md5crypt$1$,MD5(Unix)9400 MSOffice20079500 MSOffice20109600 MSOffice20139700 MSOffice<=2003$09710 MSOffice<=2003$09720 MSOffice<=2003$09800 MSOffice<=2003$39810 MSOffice<=2003$3

9820 MSOffice<=2003$312800 MS-AzureSyncPBKDF2-HMAC-SHA256131 MSSQL(2000)132 MSSQL(2005)1731 MSSQL(2012)1731 MSSQL(2014)3711 MediawikiBtype2811 MyBB11200 MySQLCRAM(SHA1)200 MySQL323300 MySQL4.1/MySQL51000 NTLM5500 NetNTLMv15500 NetNTLMv1+ESS5600 NetNTLMv2101 nsldap,SHA-1(Base64),NetscapeLDAPSHA111 nsldaps,SSHA-1(Base64),NetscapeLDAPSSHA

13900 OpenCart21 osCommerce122 OSXV10.4,OSXV10.5,OSXV10.61722 OSXV10.77100 OSXV10.8,OSXV10.9,OSXv10.10112 OracleS:Type(Oracle11+)3100 OracleH:Type(Oracle7+)12300 OracleT:Type(Oracle12+)11900 PBKDF2-HMAC-MD512000 PBKDF2-HMAC-SHA110900 PBKDF2-HMAC-SHA25612100 PBKDF2-HMAC-SHA51210400 PDF1.1-1.3(Acrobat2-4)10410 PDF1.1-1.3(Acrobat2-4),collider#110420 PDF1.1-1.3(Acrobat2-4),collider#210500 PDF1.4-1.6(Acrobat5-8)10600 PDF1.7Level3(Acrobat9)10700 PDF1.7Level8(Acrobat10-11)400 phpBB3400 phpass2612 PHPS5200 PasswordSafev39000 PasswordSafev2133 PeopleSoft

13500 PeopleSoftToken99999 Plaintext

12 PostgreSQL11100 PostgreSQLCRAM(MD5)11000 PrestaShop4522 PunBB8500 RACF12500 RAR3-hp13000 RAR59900 Radmin27600 Redmine6000 RipeMD1607700 SAPCODVNB(BCODE)7800 SAPCODVNF/G(PASSCODE)10300 SAPCODVNH(PWDSALTEDHASH)iSSHA-18900 scrypt1300 SHA-224

1400 SHA-2561411 SSHA-256(Base64),LDAP{SSHA256}5000 SHA-3(Keccak)10800 SHA-3841700 SHA-512100 SHA1

14400 SHA1(CX)110 sha1($pass.$salt)120 sha1($salt.$pass)130 sha1(unicode($pass).$salt)140 sha1($salt.unicode($pass))4500 sha1(sha1($pass))4520 sha1($salt.sha1($pass))4700 sha1(md5($pass))4900 sha1($salt.$pass.$salt)1410 sha256($pass.$salt)1420 sha256($salt.$pass)1440 sha256($salt.unicode($pass))1430 sha256(unicode($pass).$salt)7400 sha256crypt$5$,SHA256(Unix)1710 sha512($pass.$salt)1720 sha512($salt.$pass)1740 sha512($salt.unicode($pass))1730 sha512(unicode($pass).$salt)1800 sha512crypt$6$,SHA512(Unix)11400 SIPdigestauthentication(MD5)121 SMF(SimpleMachinesForum)

1711 SSHA-512(Base64),LDAP{SSHA512}10100 SipHash14900 Skip32

23 Skype8000 SybaseASE62XY TrueCrypt

X 1=PBKDF2-HMAC-RipeMD160X 2=PBKDF2-HMAC-SHA512X 3=PBKDF2-HMAC-WhirlpoolX 4=PBKDF2-HMAC-RipeMD160+boot-modeY 1=XTS512bitpureAESY 1=XTS512bitpureSerpentY 1=XTS512bitpureTwofishY 2=XTS1024bitpureAES

Y 2=XTS1024bitpureSerpentY 2=XTS1024bitpureTwofishY 2=XTS1024bitcascadedAES-TwofishY 2=XTS1024bitcascadedSerpent-AESY 2=XTS1024bitcascadedTwofish-SerpentY 3=XTS1536bitall

2611 vBulletin<V3.8.52711 vBulletin>V3.8.5

137XY VeraCryptX 1=PBKDF2-HMAC-RipeMD160X 2=PBKDF2-HMAC-SHA512X 3=PBKDF2-HMAC-WhirlpoolX 4=PBKDF2-HMAC-RipeMD160+boot-modeX 5=PBKDF2-HMAC-SHA256X 6=PBKDF2-HMAC-SHA256+boot-modeY 1=XTS512bitpureAESY 1=XTS512bitpureSerpentY 1=XTS512bitpureTwofishY 2=XTS1024bitpureAESY 2=XTS1024bitpureSerpentY 2=XTS1024bitpureTwofishY 2=XTS1024bitcascadedAES-TwofishY 2=XTS1024bitcascadedSerpent-AESY 2=XTS1024bitcascadedTwofish-SerpentY 3=XTS1536bitall

8400 WBB3(WoltlabBurningBoard)2500 WPA/WPA22501 WPA/WPA2PMK

6100 Whirlpool13600 WinZip13800 Windows8+phonePIN/Password400 Wordpress21 xt:Commerce

TERMINALCOMMANDCHEATSHEET

Ctrl+udeleteeverythingfromthecursortothebeginningoftheline

Ctrl+wdeletethepreviouswordonthecommandlinebeforethecursor

Ctrl+lcleartheterminalwindow

Ctrl+ajumptothebeginningofthecommandline

Ctrl+emoveyourcursortotheendofthecommandline

Ctrl+rsearchcommandhistoryinreverse,continuepressingkeysequencetocontinuebackwardssearch.Escwhendoneorcommandfound.

FILEMANIPULATIONCHEATSHEET

Extractalllowercasestringsfromeachlineandoutputtowordlist.sed’s/[^a-z]*//g’wordlist.txt>outfile.txt

Extractalluppercasestringsfromeachlineandoutputtowordlist.sed’s/[^A-Z]*//g’wordlist.txt>outfile.txt

Extractalllowercase/uppercasestringsfromeachlineandoutputtowordlist.sed’s/[^a-Z]*//g’wordlist.txt>outfile.txt

Extractalldigitsfromeachlineinfileandoutputtowordlist.sed’s/[^0-9]*//g’wordlist.txt>outfile.txt

Watchhashcatpotfileordesignatedoutputfilelive.watch-n.5tail-50<hashcat.potfileoroutfile.txt>

Pull100randomsamplesfromwordlist/passwordsforvisualanalysis.shuf-n100file.txt

Printstatisticsonlengthofeachstringandtotalcountsperlength.awk‘{printlength}’file.txt|sort-n|uniq-c

Removeallduplicatestringsandcounthowmanytimestheyarepresent;thensortbytheircountindescendingorder.

uniq-cfile.txt|sort-nr

Commandtocreatequick&dirtycustomwordlistwithlength1-15characterwordsfromadesignatedwebsiteintoasortedandcountedlist.

curl-shttp://www.netmux.com|sed-e's/<[^>]*>//g'|tr"""\n"|tr-dc'[:alnum:]\n\r'|tr‘[:upper:]’‘[:lower:]’|cut-c1-15|sort|uniq-c|sort-nr

MD5eachlineinafile(MacOSX).whilereadline;doecho-n$line|md5;done<infile.txt>outfile.txt

MD5eachlineinafile(*Nix).whilereadline;doecho-n$line|md5sum;done<infile.txt|awk-F““‘{print$1}’>outfile.txt

Removelinesthatmatchfromeachfileandonlyprintremainingfromfile2.txt.grep-vwF-ffile1.txtfile2.txt

Taketwoorderedfiles,mergeandremoveduplicatelinesandmaintainordering.nl-ba-s‘:‘file1.txt>>outfile.txtnl-ba-s‘:‘file2.txt>>outfile.txt

sort-noutfile.txt|awk-F“:”‘{print$2}’|awk‘!seen[$0]++’>final.txt

Extractstringsofaspecificlengthintoanewfile/wordlist.awk‘length==8’file.txt>81en-out.txt

Convertalphacharactersoneachlineinfiletolowercasecharacters.tr[A-Z][a-z]<infile.txt>outfile.txt

Convertalphacharactersoneachlineinfiletouppercasecharacters.tr[a-z][A-Z]<infile.txt>outfile.txt

SplitafileintoseparatefilesbyXnumberoflinesperoutfile.split-d-l3000infile.txtoutfile.txt

Reversetheorderofeachcharacterofeachlineinthefile.revinfile.txt>outfile.txt

Sorteachlineinthefilefromshortesttolongest.awk‘{printlength,$0}’“”$0;}’infile.txt|sort-n|cut-d‘‘-f2-

Sorteachlineinthefilefromlongesttoshortest.awk‘{printlength,$0}’“”$0;}’infile.txt|sort-r-n|cut-d‘‘-f2-

SubstringmatchingbyconvertingtoHEXandthenbacktoASCII.(Examplesearchesfor5characterstringsfromfile1.txtfoundasasubstringin20characterstringsinfile2.txt)

stringsfile1.txt|xxd-u-ps-c5|sort-u>out1.txtstringsfile2.txt|xxd-u-ps-c20|sort-u>out2.txtgrep-Ffout1.txtout2.txt|xxd-r-p>results.txt

Cleandictionary/wordlistofnewlinesandtabs.catdict.txt|tr-cd“[:print:][/n/t]\n”>outfile.txt

SYSTEMHASHEXTRACTION

WINDOWS

METERPRETERHASHDUMPPostexploitationdumplocalSAMdatabase:meterpreter>runpost/windows/gather/hashdump

CREDDUMPhttps://github.com/Neohapsis/creddump7Threemodesofattack:cachedump,lsadump,pwdump

DUMPDOMAINCACHEDCREDENTIALS

SaveWindowsXP/Vista/7registryhivetablesC:\WIND0WS\system32>reg.exesaveHKLM\SAMsam_backup.hivC:\WIND0WS\system32>reg.exesaveHKLM\SECURITYsec_backup.hivC:\WIND0WS\system32>reg.exesaveHKLM\systemsys_backup.hiv

Runcreddumptoolsagainstthesavedhivefiles:cachedump.py<systemhive><securityhive><Vista/7>(Vista/7)cachedump.pysys_backup.hivsec_backup.hivtrue(XP)cachedump.pysys_backup.hivsec_backup.hivfalse

DUMPLSASECRETS

lsadump.pysys_backup.hivsec_backup.hiv

DUMPLOCALPASSWORDHASHES

pwdump.pysys_backup.hivsec_backup.hiv

MIMIKATZPostexploitationcommandsmustbeexecutedfromSYSTEMlevelprivileges.mimikatz#privilege::debugmimikatz#token::whoami

mimikatz#token::elevatemimikatz#lsadump::sam

SaveWindowsXP/Vista/7registrytablesC:\WIND0WS\system32>reg.exesaveHKLM\SAMsam_backup.hivC:\WIND0WS\system32>reg.exesaveHKLM\SECURITYC:\WIND0WS\system32>reg.exesaveHKLM\systemmimikatz#lsadump::samSystemBkup.hivSamBkup.hiv

*NIXRequiresrootlevelprivileges.

cat/etc/shadow

Example*NIXsha512crypthash

root:$6$52450745$k5ka2p8bFuSmoVTltz0yyuaREkkKBcCNqoDKzYiDL9RaE8yMnPgh2XzzF0NDrUhgrcLwg78xslw5pJiypEdFX/

MACOSX10.5-10.7ManualOSXHashExtractiondscllocalhost-read/Search/Users/<username>|grepGeneratedUID|cut-c15-cat/var/db/shadow/hash/<GUID>|cut-c169-216>osx_hash.txt

MACOSX10.8-10.12

ManualOSXHashExtractionsudodefaultsread/var/db/dslocal/nodes/Default/users/<username>.plistShadowHashData|tr-dc‘0-9a-f’|xxd-p-r|plutil-convertxml1--o-

ScriptedOSXHashExtractionHASHCAThttps://gist.github.com/nueh/8252572

sudoplist2hashcat.py/var/db/dslocal/nodes/Default/users/<username>.plist

JOHNhttps://github.com/truongkma/ctf-tools/blob/master/John/run/ml2john.py

sudoml2john.py/var/db/dslocal/nodes/Default/users/<username>.plist

PCAPHASHEXTRACTION

LOCALNETWORKAUTHENTICATION

PCREDZExtractsnetworkauthenticationhashesfrompcaps.Singlepcapfile:Pcredz-fexample.pcap

Multiplepcapfilesinadirectory:Pcredz-d/path/to/pcaps

Interfacetolistenonandcollect:Pcredz-ieth0

WPA/WPA2PSKAUTHENTICATIONCapturethe4-wayWPA/WPA2authenticationhandshake.

AIRMON-NG/AIRODUMP-NG/AIREPLAY-NGStep1:Createmonitoringinterfacemon0Ex)interfacewlan0airmon-ngstartwlan0Step2:CapturepacketstofileontargetAPchannelEx)channel11airodump-ngmon0--writecapture.cap-c11Step3:StartdeauthattackagainstBSSIDEx)bb:bb:bb:bb:bb:bbaireplay-ng--deauth0-abb:bb:bb:bb:bb:bbmon0Step4:Waitforconfirmationtoappearattopofterminal:CH11][Elapsed:25s][<DATE/TIME)][WPAhandshake:**Step5:ExtracthandshakeintoJOHNorHASHCATformat:JOHNFORMATEXTRACT

Stepl:cap2hccap.bin-e‘<ESSID>’capture.capcapture_out.hccapStep2:hccap2johncapture_out.hccap>jtr_capture

HASHCATFORMATEXTRACTcap2hccapx.bincapture.capcapture_out.hccapxMISCWLANTOOLS

HCXTOOLS:captureandconvertpacketsfromwlandevicesforusewithHashcat.https://github.com/ZerBea/hcxtools

DATABASEHASHEXTRACTION

SQLqueriesrequireadministrativeprivileges.

ORACLE10gR2SELECTusername,passwordFROMdba_usersWHEREusername=‘<username>’;

ORACLE11gR1

SELECTname,password,spare4FROMsys.user$WHEREname=‘<username>’;

MySQL4.1/MySQL5+SELECTUser,PasswordFROMmysql.userINTOOUTFILE‘/tmp/hash.txt’;

MSSQL(2012),MSSQL(2014)SELECTSL.name,SL.password_hashFROMsys.sql_loginsASSL;

POSTGRESSELECTusername,passwdFROMpg_shadow;

MISCELLANEOUSHASHEXTRACTION

JohnTheRipperJumbocomeswithvariousprogramstoextracthashes:

NAME DESCRIPTION1password2john.py 1Passwordvaulthashextract7z2john.py 7zipencryptedarchivehashextractandroidfde2john.py AndroidFDEconvertdisks/imagesintoJTRformataix2john.py AIXshadowfile/etc/security/passwdapex2john.py OracleAPEXhashformatingbitcoin2john.py Bitcoinoldwallethashextraction(checkbtcrecover)blockchain2john.py Blockchainwalletextractioncisco2john.pl Ciscoconfigfileingestion/extractcracf2john.py CRACFprogramcrafc.txtfilesdmg2john.py Appleencrypteddiskimageecryptfs2john.py eCryptfsdiskencryptionsoftwareefs2john.py WindowsEncryptingFileSystem(EFS)extractencfs2john.py EncFSencryptedfilesystemuserspacegpg2john PGPsymmetricallyencryptedfileshccap2john ConvertpcapcaptureWPAfiletoJTRformathtdigest2john.py HTTPDigestauthenticationikescan2john.py IKEPSKSHA256authenticationkdcdump2john.py KeyDistributionCenter(KDC)serverskeepass2john Keepassfilehashextractkeychain2john.py ProcessesinputMacOSXkeychainfileskeyring2john ProcessesinputGNOMEKeyringfileskeystore2john.py OutputpasswordprotectedJavaKeyStorefilesknown_hosts2john.py SSHKnownHostfilekwallet2john.py KDEWalletManagertooltomanagethepasswordsldif2john.pl LDAPDataInterchangeFormat(LDIF)

lion2john.pllion2john-alt.pl ConvertsanAppleOSXLionplistfile

lotus2john.py LotusNotesIDfileforDominoluks2john LinuxUnifiedKeySetup(LUKS)diskencryptionmcafee_epo2john.py McAfeeePolicyOrchestratorpasswordgeneratorml2john.py ConvertMacOSX10.8andlaterplisthashmozilla2john.py MozillaFirefox,Thunderbird,SeaMonkeyextractodf2john.py ProcessesOpenDocumentFormatODFfilesoffice2john.py MicrosoftOffice[97-03,2007,2010,2013)hashesopenbsd_softraid2john.py OpenBSDSoftRAIDhashopenssl2john.py OpenSSLencryptedfilespcap2john.py PCAPextractionofvariousprotocolspdf2john.py PDFencrypteddocumenthashextractpfx2john PKCS12filesputty2john PuTTYprivatekeyformatpwsafe2john PasswordSafehashextractracf2john IBMRACFbinarydatabasefilesradius2john.pl RADIUSprotocolsharedsecretrar2john RAR3.xfilesinputintoproperformatsap2john.pl ConvertspasswordhashesfromSAPsystemssipdump2john.py ProcessessipdumpoutputfilesintoJTRformatssh2john SSHprivatekeyfilessshng2john.py SSH-ngprivatekeyfilesstrip2john.py ProcessesSTRIPPasswordManagerdatabasesxc2john.py ProcessesSXCfilestruecrypt_volume2john TrueCryptencrypteddiskvolumeuaf2john ConvertOpenVMSSYSUAFfiletounix-stylefilevncpcap2john TightVNC/RealVNCpcapsvsc3.3,3.7and3.8RFBwpapcap2john ConvertsPCAPorIVS2filestoJtRformatzip2john ProcessesZIPfilesextractshashintoJTRformat

PASSWORDANALYSIS

HISTORICALPASSWORDANALYSISTIPS

-Theaveragepasswordlengthis7-9characters.-TheaverageEnglishwordis5characterslong.-Theaveragepersonknows50,000to150,000words.-50%chanceauser’spasswordwillcontainoneormorevowels.-Womenpreferpersonalnamesintheirpasswords,andmenpreferhobbies.-Mostlikelytobeusedsymbols:~,!,@,#,$,%,&,*,and?-Ifanumber,it’susuallya1or2,sequential,andwilllikelybeattheend.-Ifmorethanonenumberitwillusuallybesequentialorpersonallyrelevant.-Ifacapitalletter,it’susuallythebeginning,followedbyavowel.-66%ofpeopleonlyuse1-3passwordsforallonlineaccounts.-OneinninepeoplehaveapasswordbasedonthecommonTop500list.-WesterncountriesuselowercasepasswordsandEasterncountriespreferdigits.

20-60-20RULE

20-60-20ruleisawaytoviewthelevelofdifficultytypicallydemonstratedbyalargepassworddump,havingcharacteristicsthatgenerallyerronthesideofaGaussianCurve,mirroringthelevelofefforttorecoversaidpassworddump.

20%ofpasswordsareeasilyguesseddictionarywordsorknowncommonpasswords.60%ofpasswordsaremoderatetoslightvariationsoftheearlier20%.20%ofpasswordsarehard,lengthy,complex,orofuniquecharacteristics.

EXAMPLEHASHES&PASSWORDS

Thisisanexamplelistofpasswordstohelpconveythevariationandcommoncomplexitiesseenwithtypicalpasswordcreation.Italsoshowsindividualuserbiasestoaidinsegmentingyourattackstobetailoredtowardaspecificuser.

CRACKINGTIPSFOREACHPASSWORD

*ThisListofpasswordswillbereferencedthroughoutthebookandtheListcanalsobefoundonlineat:https://github.com/netmux/HASH-CRACK

PASSWORDPATTERNANALYSIS

Apasswordcancontainmanyusefulbitsofinformationrelatedtoit’screatorandtheirtendencies/patterns,butyouhavetobreakdownthestructuretodecipherthemeaning.Thisanalysisprocesscouldbeconsideredasub-categoryofTextAnalytics’andsplitintothreepatterncategoriesI’mcalling:BasicPattern,Macro-Pattern,&Micro-Pattern.*RefertoEXAMPLEHASH&PASSWORDSchapter(pg.29)fornumberedexamples.

BasicPattern:visuallyobviouswhencomparedtosimilargroupings(i.e.languageandbaseword/words&digits).Let’slookatAlice’spasswords(2,5):

R0b3rt2017! Jennifer1981!

-Eachpasswordusesaname:R0b3rt&Jennifer-Endingina4digitdatewithcommonspecialcharacter:2017!&1981!

!TIP!ThistypeofbasicpatternlendsitselftoasimpledictionaryandL33TspeakruleappendingdatesorhybridmaskattackappendingDict+?d?d?d?d?s

Macro-Pattern:statisticsaboutthepasswordsunderlyingstructuresuchaslengthandcharacterset.Let’slookatCraig’spasswords(6,9):

7482Sacrifice Solitaire7482

-Lengthstructurecanbesummedupas:4Digits+7Alpha&7Alpha+4Digits-Usescharsets?l?u?d,sowemaybeabletoignorespecialcharacters.-BasicPatternpreferenceforthenumbers7482andMicro-Patternforcapitalizingwordsbeginningin“S”.

!TIP!Youcanassumethisuseris‘unlikely’tohaveapasswordlessthan12characters(+-1char)andthe4digitconstantlowerstheworkto8chars.TheseexampleslendthemselvestoaHybridAttack(Dict+7482)or(7482+Dict).

Micro-Pattern:subtletyandcontextwhichexpressesconsistentcasechanges,themes,andpersonaldata/interest.Let’slookatBob’spasswords(1,4)

BlueParrot345 RedFerret789

-Eachpasswordbeginswithacolor:Blue&Red-Secondwordisatypeofanimal:Parrot&Ferret-Consistentcapitalizationofallwords-Lastly,endingina3digitsequentialpattern:345&789

!TIP!Thispatternlendsitselftoacustomcombodictionaryandruleorhybridmaskattackappendingsequentialdigits?d?d?d

Sowhenanalyzingpasswordsbesuretogrouppasswordsandlookforpatternssuchaslanguage,baseword/digit,length,charactersets,andsubtlethemeswithpossiblecontextualmeaningorpasswordpolicyrestrictions.

WESTERNCOUNTRYPASSWORDANALYSIS

PasswordLengthDistributionbasedonlargecorpusofEnglishwebsitedumps:7=15% 8=27% 9=15% 10=12% 11=4.8% 12=4.9% 13=.6% 14=.3%

CharacterfrequencyanalysisofalargecorpusofEnglishtexts:etaoinshrdlcumwfgypbvkjxqz

CharacterfrequencyanalysisofalargecorpusofEnglishpassworddumps:aeionrlstmcdyhubkgpjvfwzxq

TopWesternpasswordmasksoutofalargecorpusofEnglishwebsitedumps:

EASTERNCOUNTRYPASSWORDANALYSIS

PasswordLengthDistributionbasedonlargecorpusofChinesewebsitedumps:7=21% 8=22% 9=12% 10=12% 11=4.2% 12=.9% 13=.5% 14=.5%

CharacterfrequencyanalysisofalargecorpusofChinesetexts:aineohglwuyszxqcdjmbtfrkpv

CharacterfrequencyanalysisofalargecorpusofChinesepassworddumps:inauhegoyszdjmxwqbctlpfrkv

TopEasternpasswordmasksoutofalargecorpusofChinesewebsitedumps:

PASSWORDMANAGERANALYSIS

AppleSafariPasswordGenerator-defaultpassword15characterswith“-”&fourgroupsofthreerandomu=ABCDEFGHJKLMNPQRSTUVWXYZl=abcdefghkmnopqrstuvwxyandd=3456789Example)X9z-2Qp-3qm-WGNXXX-XXX-XXX-XXXwhereX=?u?l?d

Dashlane-defaultpassword12charactersusingjustlettersanddigits.Example)Up0k9ZAj54KtXXXXXXXXXXXXwhereX=?u?l?d

KeePass-defaultpassword20charactersusinguppercase,lowercase,digits,andspecial.Example)$Zt={EcgQ.Umf)R,C7XFXXXXXXXXXXXXXXXXXXXXwhereX=?u?l?d?s

LastPass-defaultpassword12charactersusingatleastonedigit,uppercaseandlowercase.Example)msfNdkG29n38XXXXXXXXXXXXwhereX=?u?l?d

RoboForm-defaultpassword15charactersusinguppercase,lowercase,digits,andspecialwithaminimumof5digits.Example)871v2%%4F0w31zJ

XXXXXXXXXXXXXXXwhereX=?u?l?d?s

SymantecNortonIdentitySafe-defaultpassword8charactersusinguppercase,lowercase,anddigits.Example)Ws81f0ZgXXXXXXXXwhereX=?u?l?d

TrueKey-defaultpassword16charactersusinguppercase,lowercase,digits,andspecial.Example)1B1H:9N+@>+sgWsXXXXXXXXXXXXXXXXwhereX=?u?l?d?s

1Passwordv6-defaultpassword24charactersusinguppercase,lowercase,digits,andspecial.Example)cTmM7Tzm6iPhCdpMu.*V],VPXXXXXXXXXXXXXXXXXXXXXXXXwhereX=?u?l?d?s

PACK(PasswordAnalysisandCrackingKit)

http://thesprawl.org/projects/pack/

STATSGEN

Generatestatisticsaboutthemostcommonlength,percentages,character-setandothercharacteristicsofpasswordsfromaprovidedlist.

pythonstatsgen.pypasswords.txt

STATSGENOPTIONS-o<file.txt> outputstatsandmaskstofile--hiderare hidestatsofpasswordswithlessthan1%ofoccurrence--minlength= minimumpasswordlengthforanalysis--maxlength= maximumpasswordlengthforanalysis--charset= passwordcharfilter:loweralpha,upperalpha,numeric,special--simplemask= passwordmaskfilter:string,digit,special

STATSGENEXAMPLESOutputstatsofpasswords.txttofileexample.mask:pythonstatsgen.pypasswords.txt-oexample.mask

Hidelessthan1%occurrence;onlyanalyzepasswords7charactersandgreater:pythonstatsgen.pypasswords.txt--hiderare--minlength=7-oexample.mask

Statsonpasswordswithonlynumericcharacters:pythonstatsgen.pypasswords.txt--charset=numeric

ZXCVBN(LOW-BUDGETPASSWORDSTRENGTHESTIMATION)

Arealisticpasswordstrength(entropy)estimatordevelopedbyDropbox.

https://github.com/dropbox/zxcvbn

PIPAL(THEPASSWORDANALYSER)

Passwordanalyzerthatproducesstatsandpatternfrequencyanalysis.https://digi.ninja/projects/pipal.php

pipal.rb-ooutfile.txtpasswords.txt

PASSPAT(PASSWORDPATTERNIDENTIFIER)

Keyboardpatternanalysistoolforpasswords.https://digi.ninja/projects/passpat.php

passpat.rb--layoutuspasswords.txt

CHARACTERFREQUENCYANALYSIS

Characterfrequencyanalysisisthestudyofthefrequencyoflettersorgroupsoflettersinacorpus/text.ThisisthebasicbuildingblockofMarkovchains.

Character-Frequency-CLI-ToolTooltoanalyzealargelistofpasswordsandsummarizethecharacterfrequency.https://github.com/jcchurch/Character-Frequency-CLI-Tool

charfreq.py<options>passwords.txtOptions: -wWindowsizetoanalyze,default=l

-rRollingwindowsize-sSkipspaces,tabs,newlines

ONLINEPASSWORDANALYSISRESOURCES

WEAKPASSAnalyzespublicpassworddumpsandprovidesefficientdictionariesfordownload.

http://weakpass.com/

PASSWORDRESEARCHImportantpasswordsecurityandauthenticationresearchpapersinoneplace.

http://www.passwordresearch.com/

THEPASSWORDPROJECTCompiledanalysisoflargerpassworddumpsusingPIPALandPASSPALtools.

http://www.thepasswordproject.com/leaked_password_lists_and_dictionaries

DICTIONARY/WORDLIST

DOWNLOADRESOURCES

WEAKPASShttp://weakpass.com/wordlist

CRACKSTATIONDICTIONARYhttps://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm

HAVEIBEENPWNED*You’llhavetocracktheSHA1’shttps://haveibeenpwned.com/passwords

SKULLSECURITYWORDLISTShttps://wiki.skullsecurity.org/index.php?title=Passwords

CAPSOPhttps://wordlists.capsop.com/

UNIX-NINJADNADICTIONARY*Dictionarylinkatbottomofarticle*https://www.unix-ninja.com/p/Password_DNA

PROBABLE-WORDLISThttps://github.com/berzerk0/Probable-Wordlists

EFF-WORDLISTLong-list(7,776words)&Short-list(1,296words)https://www.eff.org/files/2016/07/18/eff_large_wordlist.txthttps://www.eff.org/files/2016/09/08/eff_short_wordlist_1.txt

RAINBOWTABLES*RainbowTablesareforthemostpartobsoletebutprovidedhereforreference*http://project-rainbowcrack.com/table.htm

WORDLISTGENERATION

JOHNTHERIPPERGeneratewordlistthatmeetscomplexityspecifiedinthecomplexfilter.

john--wordlist=dict.txt--stdout--external:[filtername]>outfile.txt

STEMMINGPROCESSStrippingcharactersfromapasswordlisttoreachthe“stem”orbaseword/wordsofthecandidatepassword.Commandsarefrom“FileManipulationCheatSheet”.

Extractalllowercasestringsfromeachlineandoutputtowordlist.sed’s/[^a-z]*//g’passwords.txt>outfile.txt

Extractalluppercasestringsfromeachlineandoutputtowordlist.sed’s/[^A-Z]*//g’passwords.txt>outfile.txt

Extractalllowercase/uppercasestringsfromeachlineandoutputtowordlist.sed’s/[^a-Z]*//g’passwords.txt>outfile.txt

Extractalldigitsfromeachlineinfileandoutputtowordlist.sed’s/[^0-9]*//g’passwords.txt>outfile.txt

HASHCATUTILS

https://hashcat.net/wiki/doku.php?id=hashcat_utils

COMBINATORCombinemultiplewordlistswitheachwordappendedtotheother.

combinator.bindict1.txtdict2.txt>combined_dict.txt

combinator3.bindict1.txtdict2.txtdict3.txt>combined_dict.txt

CUTBCutthespecificlengthofftheexistingwordlistandpassittoSTDOUT.cutb.binoffset[length]<infile.txt>outfile.txt

Exampletocutfirst4charactersinawordlistandplaceintoafile:

cutb.bin04<dict.txt>outfile.txt

RLI

Comparesafileagainstanotherfileorfilesandremovesallduplicates.

rlidict1.txtoutfile.txtdict2.txt

REQDictionarycandidatesarepassedtostdoutifitmatchesanspecifiedpasswordgroupcriteria/requirement.Groupscanbeaddedtogether(i.e.1+2=3)1=LOWER(abcdefghijklmnoprstuvwxyz)2=UPPER(ABCDEFGHIJKLMNOPRSTUVWXYZ)4=DIGIT(0123465789)8=OTHER(Allothercharactersnotmatching1,2,or4)

Thisexamplewouldstdoutallcandidatesmatchingupperandlowercharacters

req.bin3<dict.txt

COMBIPOWCreates“uniquecombinations”ofacustomdictionary;dictionarycannotbegreaterthan64lines;option-1limitscandidatesto15characters.

combipow.bindict.txtcombipow.bin-1dict.txt

EXPANDERDictionaryintostdinisparsedandsplitintoallitssinglechars(upto4)andsenttostdout.

expander.bin<dict.txt

LENEachcandidateinadictionaryischeckedforlengthandsenttostdout.len.bin<minlen><maxlen><dict.txt

Thisexamplewouldsendtostdoutallcandidates5to10charslong.

len.bin510<dict.txt

MORPHAutogeneratesinsertionrulesforthemostfrequentchainsofcharacters

morph.bindict.txtdepthwidthpos_minpos_max

PERMUTEDictionaryintostdinparsedandrunthrough“TheCountdownQuickPermAlgorithm”

permute.bin<dict.txt

CRUNCHWordlistgeneratorcanspecifyacharactersetandgenerateallpossiblecombinationsandpermutations.https://sourceforge.net/projects/crunch-wordlist/

crunch<minlength><maxlength><characterset>-ooutfile.txt

crunch880123456789ABCDEF-ocrunch_wordlist.txt

TARGETEDWORDLISTS

CeWLCustomwordlistgeneratorscrapes&compileskeywordsfromwebsites.https://digi.ninja/projects/cewl.php

Examplescandepthof2andminimumwordlengthof5outputtowordlist.txt

cewl-d2-m5-wwordlist.txthttp://<targetwebsite>

SMEEGESCRAPETextfileandwebsitescraperwhichgeneratescustomwordlistsfromcontent.http://www.smeegesec.com/2014/01/smeegescrape-text-scraper-and-custom.html

Compileuniquekeywordsfromtextfileandoutputintowordlist.

SmeegeScrape.py-ffile.txt-owordlist.txt

Scrapekeywordsfromtargetwebsiteandoutputintowordlist.

SmeegeScrape.py-uhttp://<targetwebsite>-si-owordlist.txt

GENERATEPASSWORDHASHES

Usethebelowmethodstogeneratehashesforspecificalgorithms.

HASHCAThttps://github.com/hashcat/hashcat/tree/master/tools

test.plpassthrough<#type><#>dict.txt

MDXFINDhttps://hashes.org/mdxfind.php

echo|mdxfind-z-h‘<#type>’dict.txt

LYRICPASS(SongLyricsPasswordGenerator)

https://github.com/initstring/lyricpassGeneratorusingsonglyricsfromchosenartisttocreatecustomdictionary.

pythonlyricpass.py“ArtistName”artist-dict.txt

CONVERTWORDLISTENCODING

HASHCATForceinternalwordlistencodingfromXhashcat-a0-m#typehash.txtdict.txt--encoding-from=utf-8

ForceinternalwordlistencodingtoXhashcat-a0-m#typehash.txtdict.txt--encoding-to=iso-8859-15

ICONVConvertwordlistintolanguagespecificencoding

iconv-f<old_encode>-t<new_encode><dict.txt|spongedict.txt.enc

CONVERTHASHCAT$HEXOUTPUT

Exampleofconverting$HEX[]entriesinhashcat.potfiletoASCII

grep‘$HEX’hashcat.pot|awk-F“:”{‘print$2’}|perl-ne‘if($_=~m/\$HEX\[([A-Fa-f0-9]+)\]/){printpack(“H*”,$1),“\n”}’

EXAMPLECUSTOMDICTIONARYCREATION

1-CreateacustomdictionaryusingCeWLfromwww.netmux.comwebsite:

cewl-d2-m5-wcustom_dict.txthttp://www.netmux.com

2-Combinethenewcustom_dict.txtwiththeGoogle10,000mostcommonEnglishwords:https://github.com/first20hours/google-10000-english

catgoogle-1000.txt>>custom_dict.txt

3-CombinewithTop196passwordsfrom“ProbableWordlists”:github.com/berzerk0/Probable-Wordlists/blob/master/Real-Passwords

catTopl96-probable.txt>>custom_dict.txt

4-CombotheTopl96-probable.txttogetherusingHashcat-util“combinator.bin”andaddittoourcustom_dict.txt

combinator.binTopl96-probable.txtTopl96-probable.txt>>custom_dict.txt

5-Runthebest64.rulefromHashcatonTop196-probable.txtandsendthatoutputintoourcustomdictionary:

hashcat-a0Topl96-probable.txt-rbest64.rule--stdout>>custom_dict.txt

Canyounowcomeupwithanattackthatcancrackthishash?

e4821dl6a298092638ddb7cadc26d32f

*AnswerintheAppendix

RULES&MASKS

RULEFUNCTIONS

FollowingarecompatiblebetweenHashcat,JohnTheRipper,&PasswordProhttps://hashcat.net/wiki/doku.php?id=rule_based_attack

RULESTOREJECTPLAINShttps://hashcat.net/wiki/doku.php?id=rule_based_attack

IMPLEMENTEDSPECIFICFUNCTIONSFollowingfunctionsarenotcompatiblewithJohnTheRipper&PasswordPro

RULEATTACKCREATION

EXAMPLERULECREATION&OUTPUTBelowweapplybasicrulestohelpexplaintheexpectedoutputwhenusingrules.

MASKPROCESSORHASHCAT-UTILhttps://github.com/hashcat/maskprocessorMaskprocessorcanbeusedtogeneratealonglistofrulesveryquickly.

Examplerulecreationofprependdigitandspecialchartodictionarycandidates(i.e.^l^!,^2^@,...):

mp64.bin‘^?d^?s’-orule.txt

Examplecreatingrulewithcustomcharsetappendinglower,uppercasecharsandalldigitstodictionarycandidates(i.e.$a$Q$1,$e$A$2,...):

mp64.bin-1aeiou-2QAZWSX‘$?1$?2$?d’

GENERATERANDOMRULESATTACK(i.e.“Raking”)

hashcat-a0-m#type-g<#rules>hash.txtdict.txt

GENERATERANDOMRULESFILEUSINGHASHCAT-UTILgenerate-rules.bin<#rules><seed>|./cleanup-rules.bin[1=CPU,2=GPU]>out.txt

generate-rules.bin100042|./cleanup-rules.bin2>out.txt

SAVESUCCESSFULRULES/METRICS

hashcat-a0-m#type--debug-mode=l--debug-file=debug.txthash.txt-rrule.txt

SENDRULEOUTPUTTOSTDOUT/VISUALLYVERIFYRULEOUTPUT

hashcatdict.txt-rrule.txt--stdout

john--wordlist=dict.txt--rules=example--stdout

PACK(PasswordAnalysisandCrackingKit)RULECREATION

http://thesprawl.org/projects/pack/

RULEGEN

Advancedtechniquesforreversingsourcewordsandwordmanglingrulesfromalreadycrackedpasswordsbycontinuouslyrecycling/expandinggeneratedrulesandwords.OutputsrulesinHashcatformat.http://thesprawl.org/research/automatic-password-rule-analysis-generation/**Ensureyouinstall‘AppleSpell’‘aspell*moduleusingpacketmanager**

pythonrulegen.py--verbose--passwordP@ssw0rdl23

RULEGENOPTIONS

-brockyou Outputbasename.Thefollowingfileswillbegenerated:basename.words,basename.rulesandbasename.stats

-wwiki.dict Useacustomwordlistforruleanalysis.-q,--quiet Don’tshowheaders.--threads=THREADS Parallelthreadstouseforprocessing.

Finetunesourcewordgeneration::--maxworddist=10 Maximumwordeditdistance(Levenshtein)--maxwords=5 Maximumnumberofsourcewordcandidatestoconsider--morewords Considersuboptimalsourcewordcandidates--simplewords Generatesimplesourcewordsforgivenpasswords

Finetunerulegeneration::--maxrulelen=10 Maximumnumberofoperationsinasinglerule--maxrules=5 Maximumnumberofrulestoconsider--morerules Generatesuboptimalrules--simplerules Generatesimplerulesinsert,delete,replace--bruterules Bruteforcereversalandrotationrules(slow)

Finetunespellcheckerengine::--providers=aspell,myspell

Comma-separatedlistofproviderengines

Debuggingoptions::-v,--verbose Showverboseinformation.-d,--debug Debugrules.--password Processthelastargumentasapasswordnotafile.--word=Password Useacustomwordforruleanalysis--hashcat Testgeneratedruleswithhashcat-cli

RULEGENEXAMPLESAnalysisofasinglepasswordtoautomaticallydetectrulesandpotentialsourcewordusedtogenerateasamplepassword:pythonrulegen.py--verbose--passwordP@ssw0rdl23

Analyzepasswords.txtandoutputresults:pythonrulegen.pypasswords.txt-q

analysis.word-unsortedandnon-uniquedsourcewordsanalysis-sorted.word-occurrencesortedanduniquesourcewordsanalysis.rule-unsortedandnon-uniquedrulesanalysis-sorted.rule-occurrencesortedanduniquerules

HASHCATINCLUDEDRULES Approx#Rules

Incisive-leetspeak.rule 15,487InsidePro-HashManager.rule 6,746InsidePro-PasswordsPro.rule 3,254T0XlC-insert_00-99_1950-2050_toprules_0_F.rule 4,019T0XlC-insert_space_and_special_0_F.rule 482T0XlC-insert_top_100_passwords_l_G.rule 1,603T0XlC.rule 4,088T0XlCv1.rule 11,934best64.rule 77combinator.rule 59d3ad0ne.rule 34,101dive.rule 99,092generated.rule 14,733generated2.rule 65,117leetspeak.rule 29oscommerce.rule 256rockyou-30000.rule 30,000specific.rule 211toggles1.rule 15toggles2.rule 120toggles3.rule 575toggles4.rule 1,940toggles5.rule 4,943unix-ninja-leetspeak.rule 3,073

JOHNINCLUDEDRULES Approx#RulesAll(Jumbo+KoreLogic) 7,074,300Extra 17Jumbo(Wordlist+Single+Extra+NT+OldOffice) 226KoreLogic 7,074,074Loopback(NT+Split) 15NT 14OldOffice 1Single 169Single-Extra(Single+Extra+OldOffice) 187Split 1Wordlist 25

http://www.openwall.com/john/doc/RULES.shtml

CUSTOMRULEPLANS

MASKATTACKCREATION

DEBUG/VERIFYMASKOUTPUThashcat-a3?a?a?a?a--stdoutjohn--mask=?a?a?a?a--stdout

HASHCATMASKATTACKCREATIONExampleusage:hashcat-a3-m#typehash.txt<mask>

Examplebrute-forceallpossiblecombinations7characterslong:hashcat-a3-m#typehash.txt?a?a?a?a?a?a?a

Examplebrute-forceallpossiblecombinations1-7characterslong:hashcat-a3-m#typehash.txt-i?a?a?a?a?a?a?a

Examplebrute-forceuppercasefirstletter,3unknownmiddlecharacters,andendsin2digits(i.e.Passl2):

hashcat-a3-m#typehash.txt?u?a?a?a?d?d

Examplebrute-forceknownfirsthalfword“secret”andunknownending:hashcat-a3-m#typehash.txtsecret?a?a?a?a

Examplehybridmask(leftside)+wordlist(rightside)(i.e.123!Password)hashcat-a7-m#typehash.txt?a?a?a?adict.txt

Examplewordlist(leftside)+hybridmask(rightside)(i.e.Passwordl23!)hashcat-a6-m#typehash.txtdict.txt?a?a?a?a

HASHCATCUSTOMCHARSETSFourcustombuffercharsetstocreateefficienttargetedmaskattacksdefinedas:-1-2-3-4

Examplecustomcharsettargetingpasswordsthatonlybeginina,A,b,B,orc,C,4unknownmiddlecharacters,andendwithadigit(i.e.al7z#q7):hashcat-a3-m#typehash.txt-1abcABC?l?a?a?a?a?d

Examplecustomcharsettargetingpasswordsthatonlybegininuppercaseorlowercase,4digitsinthemiddle,andendinspecialcharacter!,@,$(i.e.W7462!orf1234$):hashcat-a3-m#typehash.txt-1?u?l-2!@$?l?d?d?d?d?2

Exampleusingallfourcustomcharsetsatonce(i.e.pow!12er):hashcat-a3-m#typehash.txt-1qwer-2poiu-3123456-4!@#$%?2?2?1?4?3?3?1?1

JOHNMASKATTACKCREATIONExampleusage:john--format=#typehash.txt--mask=<mask>

Examplebrute-forceallpossiblecombinationsupto7characterslong:john--format=#typehash.txt--mask=?a?a?a?a?a?a?a

Examplebrute-forceuppercasefirstletter,3unknownmiddlecharacters,andendsin2digits(i.e.Passl2):john--format=#typehash.txt--mask=?u?a?a?a?d?d

Examplebrute-forceknownfirsthalfword“secret”andunknownending:john--format=#typehash.txt--mask=secret?a?a?a?a

Examplemask(leftside)+wordlist(rightside)(i.e.123!Password)john--format=#typehash.txt--wordlist=dict.txt--mask=?a?a?a?a?w

Examplewordlist(leftside)+mask(rightside)(i.e.Password123!)john--format=#typehash.txt--wordlist=dict.txt--mask=?w?a?a?a?a

JOHNCUSTOMCHARSETS

Ninecustombuffercharsetstocreateefficienttargetedmaskattacksdefinedas:-1-2-3-4-5-6-7-8-9

Examplecustomcharsettargetingpasswordsthatonlybeginina,A,b,B,orc,C,4unknownmiddlecharacters,andendwithadigit(i.e.a17z#q7):john--format=#typehash.txt-1=abcABC--mask=?l?a?a?a?a?d

Examplecustomcharsettargetingpasswordsthatonlybegininuppercaseorlowercase,4digitsinthemiddle,andendinspecialcharacter!,@,$(i.e.W7462!orf1234$):john--format=#typehash.txt-1=?u?l-2=!@$--mask=?l?d?d?d?d?2

Exampleusingfourcustomcharsetsatonce(i.e.pow!12er):john--format=#typehash.txt-1=qwer-2=poiu-3=123456-4=!@#$%,--mask=?2?2?l?4?3?3?1?1

HASHCATMASKCHEATSHEET

JOHNMASKCHEATSHEET

MASKFILES

Hashcatallowsforthecreationofmaskfilesbyplacingcustommasks,oneperline,inatextfilewith“.hcmask”extension.

HASHCATBUILT-INMASKFILES Approx#Masks8char-11-1u-1d-1s-compliant.hcmask 40,8248char-11-1u-1d-1s-noncompliant.hcmask 24,712rockyou-1-60.hcmask 836rockyou-2-1800.hcmask 2,968rockyou-3-3600.hcmask 3,971rockyou-4-43200.hcmask 7,735rockyou-5-86400.hcmask 10,613rockyou-6-864000.hcmask 17,437rockyou-7-2592000.hcmask 25,043

WESTERNCOUNTRYTOPMASKS

EASTERNCOUNTRYTOPMASKS

PACK(PasswordAnalysisandCrackingKit)MASKCREATION

http://thesprawl.org/projects/pack/

MASKGEN

MaskGenallowsyoutoautomaticallygeneratepattern-basedmaskattacksfromknownpasswordsandfilterbylengthanddesiredcrackingtime.

pythonmaskgen.pyexample.mask

MASKGENOPTIONS

IndividualMaskFilterOptions:

MaskSortingOptions:

Checkmaskcoverage:

Miscellaneousoptions:

MASKGENEXAMPLESGatherstatsaboutcrackedpasswords.txtandhidethelessthan1%results:pythonstatsgen.py--hiderarepasswords.txt

Savemasksstatstoa.maskfileforfurtheranalysis:pythonstatsgen.py--hiderarepasswords.txt-oexample.mask

Analyzeexample.maskresults,numberofmasks,estimatedtimetocrack,etc...pythonmaskgen.pyexample.mask

Create24hour(86400seconds)maskattackbasedoncrackingspeedofasingleGTX1080againstMD5hashes24943.1MH/s(basedonappendixtable).!SubstituteyourGPU’scrackingspeedagainstMD5(c/s)!.pythonmaskgen.pyexample.mask--targettime=86400--optindex--pps=24943000000-q

Output24hourmaskattacktoa.hcmaskfileforuseinHashcat:pythonmaskgen.pyexample.mask--targettime=86400--optindex--pps=24943000000-q-oexample.hcmask

Useyournewexample.hcmaskfilewithHashcatinmaskattackmode:hashcat-a3-m#typehash.txtexample.hcmask

TIMETABLECHEATSHEET

POLICYGEN

Generateacollectionofmasksfollowingthepasswordcomplexityinordertosignificantlyreducethecrackingtime.

pythonpolicygen.py[options]-oexample.hcmask

POLICYGENOPTIONS

PasswordPolicy:Definetheminimum(ormaximum)passwordstrengthpolicythatyouwouldliketotest

POLICYGENEXAMPLESGeneratemaskattackforpasswordpolicy8characterlengthrequiringatleast1lowercase,1uppercase,1digit,and1specialcharacter:pythonpolicygen.py--minlength8--maxlength8--minlower1--minupper1--mindigit1--minspecial1-oexample.hcmask

GeneratemaskattackandestimatetimeofcompletionbasedonGTX1080againstMD5hashes24943.1MH/s(basedonappendixtable)forpasswordpolicy8characterlengthrequiringatleast1lowercase,1uppercase,1digit,and1specialcharacter:pythonpolicygen.py--minlength8--maxlength8--minlower1--minupper1--mindigit1--minspecial1-oexample.hcmask--pps=24943000000

CUSTOMMASKPLANS

DATEYYMMDDMASKhashcat-a3-m#typehash.txt-112-290-301-4123?l?2?3?d?4?d

DATEYYYYMMDDMASKhashcat-a3-m#typehash.txt-112-290-301-4123?l?2?d?d?3?d?4?d

3SEQUENTIALNUMBERSMASK+SPECIAL

hashcat-a3-m#typehash.txt-1147-2258-3369?l?2?3?s

FOREIGNCHARACTERSETS

UTF8POPULARLANGUAGES

*Incrementalfourcharacterpasswordexamples

ArabicUTF8(d880-ddbf)hashcat-a3-m#typehash.txt--hex-charset-1d8d9dadbdcdd-2808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0ala2a3a4a5a6a7a8a9aaabacadaeafb0blb2b3b4b5b6b7b8b9babbbcbdbebf-i?1?2?1?2?1?2?1?2

BengaliUTF8(e0a680-e0adbf)hashcat-a3-m#typehash.txt--hex-charset-1e0-2a6a7a8a9aaabacad-3808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0ala2a3a4a5a6a7a8a9aaabacadaeafb0blb2b3b4b5b6b7b8b9babbbcbdbebf-i?1?2?3?1?2?3?1?2?3?1?2?3

Chinese(CommonCharacters)UTF8(e4b880-e4bbbf)hashcat-a3-m#typehash.txt--hex-charset-1e4-2b8b9babb-3808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0ala2a3a4a5a6a7a8a9aaabacadaeafb0blb2b3b4b5b6b7b8b9babbbcbdbebf-i?1?2?3?1?2?3?1?2?3?1?2?3

Japanese(Katakana&Hiragana)UTF8(e38180-e3869f)hashcat-a3-m#typehash.txt--hex-charset-1e3-2818283848586-3808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0ala2a3a4a5a6a7a8a9aaabacadaeafb0blb2b3b4b5b6b7b8b9babbbcbdbebf-i?1?2?3?1?2?3?1?2?3?1?2?3

RussianUTF8(d080-d4bf)hashcat-a3-m#typehash.txt--hex-charset-1d0dld2d3d4-2808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0ala2a3a4a5a6a7a8a9aaabacadaeafb0blb2b3b4b5b6b7b8b9babbbcbdbebf-i?1?2?1?2?1?2?1?2

HASHCATBUILT-INCHARSETS

Germanhashcat-a3-m#typehash.txt-1charsets/German.hcchr-i?1?1?1?1

Frenchhashcat-a3-m#typehash.txt-1charsets/French.hcchr-i?1?1?1?1

Portuguesehashcat-a3-m#typehash.txt-1charsets/Portuguese.hcchr-i?1?1?1?1

SUPPORTEDLANGUAGEENCODINGShashcat-a3-m#typehash.txt-1charsets/<language>.hcchr-i?1?1?1?1

Bulgarian,Castilian,Catalan,English,French,German,Greek,GreekPolytonic,Italian,Lithuanian,Polish,Portuguese,Russian,Slovak,Spanish

JOHNUTF8&BUILT-INCHARSETS

OPTIONS:--encoding=NAME inputencoding(eg.UTF-8,ISO-8859-1).--input-encoding=NAME inputencoding(aliasfor--encoding)--internal-encoding=NAME encodingusedinrules/masks(seedoc/ENCODING)--target-encoding=NAME outputencoding(usedbyformat)

ExampleLMhashesfromWesternEurope,usingaUTF-8wordlist:john--format=lmhast.txt--encoding=utf8--target:cp850--wo:spanish.txt

ExampleusingUTF-8wordlistwithinternalencodingforrulesprocessing:john--format=#typehash.txt--encoding=utf8--internal=CP1252--wordlist=french.1st--rules

Examplemaskmodeprintingallpossible“Latin-1”wordsoflength4:john--stdout--encoding=utf8--internal=8859-1--mask:?1?1?1?1

SUPPORTEDLANGUAGEENCODINGSUTF-8,ISO-8859-1(Latin),ISO-8859-2(Central/EasternEurope),ISO-8859-7(Latin/Greek),ISO-8859-15(WesternEurope),CP437(Latin),CP737(Greek),CP850(WesternEurope),CP852(CentralEurope),CP858(WesternEurope),CP866(Cyrillic),CP1250(CentralEurope),CP1251(Russian),CP1252(DefaultLatin1),CP1253(Greek)andK0I8-R(Cyrillic).

HASHCAT?bBYTECHARSET

Ifyourunsureastopositionofaforeigncharactersetcontainedwithinyourtargetpassword,youcanattemptthe?bbytecharsetinamaskusingaslidingwindow.Forexampleifwehaveapassword6characterslong:

?b=256byte=0x00-0xff

hashcat-a3-m#typehash.txt

?b?a?a?a?a?a?a?b?a?a?a?a?a?a?b?a?a?a?a?a?a?b?a?a?a?a?a?a?b?a?a?a?a?a?a?b

CONVERTENCODING

HASHCATForceinternalwordlistencodingfromXhashcat-a0-m#typehash.txtdict.txt--encoding-from=utf-8

ForceinternalwordlistencodingtoXhashcat-ao-m#typehash.txtdict.txt--encoding-to=iso-8859-15

ICONVConvertwordlistintolanguagespecificencodingiconv-f<old_encode>-t<new_encode><dict.txt|spongedict.txt.enc

CONVERTHASHCAT$HEXOUTPUT

Exampleofconverting$HEX[]entriesinhashcat.potfiletoASCIIgrep‘$HEX’hashcat.pot|awk-F“:”{‘print$2’}|perl-ne‘if($_=~m/\$HEX\[([A-Fa-f0-9]+)\]/){printpack(“H*”,$1),“\n”}’

ADVANCEDATTACKS

PRINCEATTACK

PRINCE(PRobabilityINfiniteChainedElements)Attacktakesoneinputwordlistandbuilds“chains”ofcombinedwordsautomatically.

HASHCATPRINCEPROCESSORhttps://github.com/hashcat/princeprocessor

Attackslowhashes:

pp64.bindict.txt|hashcat-a0-m#typehash.txt

Amplifiedattackforfasthashes:

pp64.bin--case-permutedict.txt|hashcat-a0-m#typehash.txt-rrule.txt

ExamplePRINCEattackproducingminimum8charcandidateswith4elementspipeddirectlyintoHashcatwithrulesattack.

pp64.bin--pw-min=8--limit=4dict.txt|hashcat-a0-m#hash.txt-rbest64.rule

PRINCECEPTIONATTACK(epixoip)PipingtheoutputofonePRINCEattackintoanotherPRINCEattack.

pp64.bindict.txt|pp64.bin|hashcat-a0-m#typehash.txt

JOHNBUILT-INPRINCEATTACK

john--prince=dict.txthash.txt

MASKPROCESSOR

Maskattackgeneratorwithacustomconfigurablecharsetandabilitytolimitconsecutiveandrepeatingcharacterstodecreaseattackkeyspace.https://github.com/hashcat/maskprocessor

Limit4consecutiveidenticalcharactersinthepasswordstring“-q”option:

mp64.bin-q4?d?d?d?d?d?d?d?d|hashcat-a0-m#typehash.txt

Limit4identicalcharactersinthepasswordstring“-r”option:

mp64.bin-r4?d?d?d?d?d?d?d?d|hashcat-a0-m#typehash.txt

Limit2consecutiveand2identicalcharactersinthepasswordstring:

mp64.bin-r2-q2?d?d?d?d?d?d?d?d|hashcat-a0-m#typehash.txt

Customcharsetlimiting2consecutiveand2identicalcharactersinthepasswordstring:

mp64.bin-r2-q2-1aeiuo-2TGBYHN?l?2?l?2?d?d?d?d|hashcat-a0-m#typehash.txt

CUSTOMMARKOVMODEL/STATSPROCESSOR

Word-generatorbasedontheper-positionmarkov-attack.https://github.com/hashcat/statsprocessor

HCSTATGENCreatecustomMarkovmodelsusinghashcat-utilhcstatgen.binbasedoncrackedtargetpasswords.Theutilhcstatgenmakesa32MBfileeachtimenomatterhowsmall/largethepasswordlistprovided.HighlyrecommendedyoumakecustomMarkovmodelsfordifferenttargetsets.

hcstatgen.binoutfile.hcstat<passwords.txt

STATSPROCESSORIsahigh-performanceword-generatorbasedonausersuppliedper-positionMarkovmodel(hcstatfile)usingmaskattacknotation.

Step1:CreateyourcustomMarkovmodel

hcstatgen.binout.hcstat<passwords.txt

Step2.1:SupplyyournewMarkovmodeltoHashcatasmaskorruleattack.

hashcat-a3-m#typehash.txt--markov-hcstat=out.hcstat?a?a?a?a?a?a

hashcat-a0-m#typehash.txtdict.txt-rrule.txt--markov-hcstat=out.hcstat

Step2.2:ORSupplyyournewMarkovmodelwithsp64andpipeintoHashcat.

sp64.bin--pw-min3--pw-max5out.hcstat?1?1?1?1?1?1|hashcat-a0-m#typehash.txt

KEYBOARDWALKPROCESSOR

Keyboard-walkgeneratorwithconfigurablebasechars,keymappingsandroutes.https://github.com/hasheat/kwprocessor

Examplekeyboardwalkwithtinycharsetinenglishmappingandwith2-10adjacentkeyspipingoutresultsintoahashcatattack:kwp.binbasechar/tiny.basekeymaps/en.keymaproutes/2-to-10-max-3-0-z|hashcat-a0-m#typehash.txt

Examplekeyboardwalkwithfullcharsetinenglishmappingandwith3x3adjacentkeyspipingoutresultsintoahashcatattack:./kwpbasechars/full.basekeymaps/en.keymaproutes/3-to-3-exhaustive.route|hashcat-a0-m#typehash.txt

[FULLLISTOFOPTIONS]

MDXFIND/MDSPLIT

https://hashes.org/mdxfind.php(credit‘Waffle’)

MDXFINDisaprogramwhichallowsyoutorunlargenumbersofunsolvedhashesofanytype,usingmanyalgorithmsconcurrently,againstalargenumberofplaintextwordsandrules,veryquickly.It’smainpurposewastodealwithlargelists(20million,50million,etc)ofunsolvedhashesandrunthemagainstnewdictionariesasyouacquirethem.

SowhenwouldyouuseMDXFINDonapentest?Ifyoudumpadatabasetiedtowebsiteauthenticationandthehashesarenotcrackingbystandardattackplans.Thehashesmaybegeneratedinauniquenestedhashingseries.IfyouareabletoviewthesourcecodeofsaidwebsitetoviewthecustomhashingfunctionyoucandirectMDXFINDtoreplicatethathashingseries.Ifnot,youcanstillrunMDXFINDusingsomeofthebelow‘GenericAttackCommands’.MDXFINDistailoredtowardintermediatetoexpertlevelpasswordcrackingbutisextremelypowerfulandflexible.

ExamplewebsiteSHA1customhashingfunctionperformingmultipleiterations:

$hash=sha1($password.$salt);for($i=1;$i<=65000;++$i){

$hash=sha1($hash.$salt);}

MDXFIND

COMMANDSTRUCTURETHREEMETHODS1-STDOUT2-STDIN3-File

1-Readshashescomingfromcat(orother)commandsstdout.

cathash.txt|mdxfind-h<regex#type>-i<#iterations>dict.txt>out.txt

2-Takesstdinfromoutsideattacksourcesinplaceofdict.txtwhenusingtheoptionsvariable‘-f’tospecifyhash.txtfilelocationandvariable‘stdin’.

mp64.bin?d?d?d?d?d?d|mdxfind-h<regex#type>-i<#iterations>-fhash.txtstdin>out.txt

3-Specifyfilelocation‘-f’withnoexternalstdout/stdinsources.

mdxfind-h<regex#type>-i<#iterations>-fhash.txtdict.txt>out.txt

[FULLLISTOFOPTIONS]-a Doemailaddressmunging-b Expandeachwordintounicode,besteffort-c Replaceeachspecialchar(<>&,etc)withXMLequivalents-d De-duplicatewordlists,besteffort...butbesttodoaheadoftime-e Extendedsearchfortruncatedhashes-p Printsource(filename)offoundplain-texts

InternaliterationcountsforSHA1MD5X,andothers.Forexample,ifyouhaveahashthatis

-q SHA1(MD5(MD5(MD5(MD5($pass)))))),youwouldset-qto5.

-g Rotatecalculatedhashestoattemptmatchtoinputhash-s Filetoreadsaltsfrom-u FiletoreadUserid/Usernamesfrom-k Filetoreadsuffixesfrom

-n Numberofdigitstoappendtopasswords.Otheroptions,like:-n6xwouldappend6digithexvalues,and8iwouldappendallipv4dotted-quadIP-addresses.

-i Thenumberofiterationsforeachhash-t Thenumberofthreadstorun-f filetoreadhashesfrom,elsestdin-1 AppendCR/LF/CRLFandprintinhex-r Filetoreadrulesfrom-v Donotmarksaltsasfound.-w Numberoflinestoskipfromfirstwordlist-y Enabledirectoryrecursionforwordlists-z Enabledebugginginformation/hashresults-h Thehashtypes:459TOTALHASHESSUPPORTED

GENERICATTACKPLANS

ThisisagoodgeneralpurposeMDXFINDcommandtorunyourhashesagainstifyoususpectthemtobe“non-standard”nestedhashingsequences.Thiscommandsays“Runallhashesagainstdict.txtusing10iterationsexceptoneshavingasalt,user,ormd5xvalueinthename.”It’ssmarttoskipsalted/userhashtypesinMDXFINDunlessyouareconfidentasaltvaluehasbeenused.

cathash.txt|mdxfind-hALL-h‘!salt,!user,!md5x’-i10dict.txt>out.txt

ThedeveloperofMDXFINDalsorecommendsrunningthebelowcommandoptionsasagoodgeneralpurposeattack:

cathash.txt|mdxfind-h<^md5$,^sha1$,^md5md5pass$,^md5sha1$’-i5dict.txt>out.txt

Andyoucouldaddaruleattackaswell:

cathash.txt|mdxfind-h<^md5$,^sha1$,^md5md5pass$,^md5sha1$’-i5dict.txt-rbest64.rule>out.txt

GENERALNOTESABOUTMDXFIND-Candomultiplehashtypes/filesallduringasingleattackrun.

catsha1/*.txtsha256/*.txtmd5/*.txtsalted/*.txt|mdxfind-Supports459differenthashtypes/sequences-Cantakeinputfromspecial‘stdin’mode-SupportsVERYlargehashlists(l00mil)and10kbcharacterpasswords-Supportsusinghashcatrulefilestointegratewithdictionary

-Option‘-z’outputsALLviablehashingsolutionsandfilecangrowverylarge-Supportsincluding/excludinghashtypesbyusingsimpleregexparameters-Supportsmultipleiterations(upto4billiontimes)bytweaking-iparameterforinstance:MD5X01isthesameasmd5($Pass)MD5x02isthesameasmd5(md5($pass))MD5X03isthesameasmd5(md5(md5($pass)))...MD5xl0isthesameasmd5(md5(md5(md5(md5(md5(md5(md5(md5(md5($pass))))))))))-Separateout-usernames-email-ids-saltstocreatecustomattacks-Ifyouaredoingbrute-forceattacks,thenhashcatisprobablybetterroute-WhenMDXfindfindsanysolution,itoutputsthekindofsolutionfound,followedbythehash,followedbythesaltand/orpassword.Forexample:

MD5X01000012273bc5cab48bf3852658b259ef:lEb0TBK3MD5X05033blll073e5f64ee59f0be9d6b8a561:08061999MD5X09aadb9dlb23729a3e403d7fc62d507df7:1140MD5X09326d921d591162eed302ee25a09450ca:1761974

MDSPLIT

Whencrackinglargelistsofhashesfrommultiplefilelocations,MDSPLITwillhelpmatchwhichfilesthecrackedhasheswerefoundin,whilealsooutputingthemintoseparatefilesbasedonhashtype.Additionallyitwillremovethefoundhashesfromtheoriginalhashfile.

COMMANDSTRUCTURETWOMETHODS1-STDOUT2-STDIN3-File

1-MatchingMDXFINDresultsfileswiththeiroriginalhash_orig.txtfiles.

cathashes_out/out_results.txt|mdsplithashes_orig/hash_orig.txt

ORperformmatchingagainstadirectoryoforiginalhashesandtheirresults.

cathashes_out/*|mdsplithashes_orig/*

2-PipingMDXFINDdirectlyintoMDSPLITtosortinreal-timeresults.

cat*.txt|mdxfind-hALL-h‘!salt,!user,!md5x’-i10dict.txt|mdsplit*.txt

3-SpecifyingafilelocationinMDXFINDtomatchresultsinreal-time.

mdxfind-hALL-fhashes.txt-i10dict.txt|mdsplithashes.txt

GENERALNOTESABOUTMDSPLIT

-MDSPLITwillappendthefinalhashsolutiontotheendofthenewfilename.Forexample,ifwesubmitteda‘hashes.txt’andthesolutiontothehasheswas“MD5x01”thentheresultsfilewouldbe‘hashes.MD5x01’.IfmultiplehashsolutionsarefoundthenMDSPLITknowshowtodealwiththis,andwillthenremoveeachofthesolutionsfromhashes.txt,andplacetheminto‘hashes.MD5x01’,‘hashes.MD5x02’,‘hashes.SHA1’...andsoon.

-MDSPLITcanhandlesortingmultiplehashfiles,types,andtheirresultsallatonetime.AnysolutionswillbeautomaticallyremovedfromallofthesourcefilesbyMDSPLIT,andtabulatedintothecorrectsolvedfiles.Forexample:

catdirl/*.txtdir2/*.txtdir3/*.txt|mdxfind-h‘^md5$,^sha1$,^sha256$’-i10dict.txt|mdsplitdirl/*.txtdir2/*.txtdir3/*.txt

DISTRIBUTED/PARALLELIZATIONCRACKING

HASHCAT

https://hashcat.net/forum/thread-3047.html

Step1:Calculatekeyspaceforattack(ExampleMD5BruteForcex3nodes)hashcat-a3-m0?a?a?a?a?a?a--keyspace81450625

Step2:Distributeworkthroughkeyspacedivision(s)kipand(l)imit81450625/3=27150208.3Node1#hashcat-a3-m0hash.txt?a?a?a?a?a?a-s0-127150208Node2#hashcat-a3-m0hash.txt?a?a?a?a?a?a-s27150208-127150208Node3#hashcat-a3-m0hash.txt?a?a?a?a?a?a-s54300416-127150209

JOHN

http://www.openwall.com/john/doc/OPTIONS.shtmlManualdistributionusingOptions--node&--forkto3similarCPUnodesutilizing8cores:Node#john--format=<#>hash.txt--wordlist=dict.txt--rules=All--fork=8--node=1-8/24Node2#john--format=<#>hash.txt--wordlist=dict.txt--rules=All--fork=8--node=9-16/24Node3#john--format=<#>hash.txt--wordlist=dict.txt--rules=All--fork=8--node=17-24/24

OtherJohnOptionsforparallelization:Option1:EnableOpenMPthroughuncommentinginMakefileOption2:Createadditionalincrementalmodesinjohn.confOption3:Utilizebuilt-inMPIparallelization

PASSWORDGUESSINGFRAMEWORK

https://github.com/RUB-SysSec/Password-Guessing-Frameworkhttps://www.password-guessing.org/

PasswordGuessingFrameworkisanopensourcetooltoprovideanautomatedandreliablewaytocomparepasswordguessers.Itcanhelptoidentifyindividualstrengthsandweaknessesofaguesser,it’smodesofoperation,oreventheunderlyingguessingstrategies.Therefore,itgathersinformationabouthowmanypasswordsfromaninputfile(passwordleak)havebeencrackedinrelationtotheamountofgeneratedguesses.Subsequenttotheguessingprocessananalysisofthecrackedpasswordsisperformed.

OTHERCREATIVEADVANCEDATTACKS

Randomcreativepasswordattacksusingthepowerofstdinandstdout.Notimplyingthey’reusefulbuttodemonstratethepowerofmixingandmatching.Goforthandcreatesomethinguseful.

PRINCE-MDXFINDATTACK

pp64.bindict.txt|mdxfind-hALL-fhash.txt-i10stdin>out.txt

HASHCAT-UTILCOMBONATORPRINCEcombinator.bindict.txtdict.txt|pp64.bin|hashcat-a0-m#typehash.txt-rbest64.rule

combinator3.bindict.txtdict.txtdict.txt|pp64.bin|hashcat-a0-m#typehash.txt-rrockyou-30000.rule

HASHCATSTDOUTATTACKSPRINCEhashcat-a0dict.txt-rdive.rule--stdout|pp64.bin|hashcat-a0-m#typehash.txt

hashcat-a6dict.txt?a?a?a?a--stdout|pp64.bin--pw-min=8|hashcat-a0-m#typehash.txt

hashcat-a7?a?a?a?adict.txt--stdout|pp64.bin--pw-min=8|hashcat-a0-m#typehash.txt

hashcat-a6dict.txtrockyou-1-60.hcmask--stdout|pp64.bin--pw-min=8--pw-max=14Ihashcat-a0-m#typehash.txt

hashcat-a7rockyou-1-60.hcmaskdict.txt--stdout|pp64.bin--pw-min=8--pw-max=14Ihashcat-a0-m#typehash.txt

DISTRIBUTEDCRACKINGSOFTWARE

HASHTOPUSSYhttps://bitbucket.org/seinlc/hashtopussy/

HASHSTACKhttps://sagitta.pw/software/

DISTHChttps://github.com/unix-ninja/disthc

CRACKLORDhttp://jmmcatee.github.io/cracklord/

HASHTOPUShttp://hashtopus.org/Site/

HASHVIEWhttp://www.hashview.io/

CLORTHOhttps://github.com/ccdes/clortho

ONLINEHASHCRACKINGSERVICES

GPUHASHhttps://gpuhash.me/

CRACKSTATIONhttps://crackstation.net/

ONLINEHASHCRACKhttps://www.onlinehashcrack.com/

HASHHUNTERShttp://www.hashhunters.net/

Informationinthischapterisanattempttosummarizeafewofthebasicandmorecomplexconceptsinpasswordcracking.ThisallowsallskilllevelstograsptheseconceptswithoutneedingaLinguisticsorMathematicsDegree.It’sanalmostimpossibletasktocondenseintooneparagraph,butthefollowingisanattempt.Foradeeperunderstanding,IhighlyencourageyoutoreadtheResourcelinksincludedbeloweachsection.

PASSWORDENTROPYvsCRACKTIME

Passwordentropyisameasureofhowrandom/unpredictableapasswordcouldhavebeen,soitdoesnotreallyrelatetothepassworditself,buttoaselectionprocess.Whenjudginghumangeneratedpasswordsforentropy,itfranklyisn’tanaccuratemeasurement.Thisistruemainlybecausehumansliketousememorablewords/sequencesandthusamyriadofattacksaccountforthatbehavior.however,entropyisgoodformeasuringrandomlygeneratedpasswordsfrompasswordmanagers,suchas1PasswordorKeepass,inthateachdefaultcharactersetusedcanbecalculated.PasswordentropyismeasuredinbitsandusesthefollowingformulawhereC=SizeofCharacterset&L=Lengthofpassword:log(C)/log(2)*LTocalculatethetimetocrack,justusethebenchmarkingfunctiononyourfavoritecrackingsoftwareagainstyourmodeofhashtoobtaincrackspersecond.ThetablebelowestimatespasswordlengthusinganMD4hashingfunctionagainstan8GPUxNvidiaGTX1080system:

*Tableonlytrulymattersforrandomlygeneratedpasswords

ResourcesPasswordComplexityversusPasswordEntropyhttps://blogs.technet.microsoft.com/msftcam/2015/05/19/password-complexity-versus-password-entropy/

WHATISACRYPTOGRAPHICHASH?

Acryptographichashfunctionisasubclassofthegeneralhashfunctionwhichpossessespropertieslendingitsuseincryptography.Cryptographichashfunctionsaremathematicalalgorithmswhichmapdataofanysizetoastringcontainingafixedlength,andshouldmakeitinfeasibletoreverse.Forinstance,thestring“password,”whenmappedusingtheMD5hashfunction,returnsafixedlength32characterstring“5f4dcc3b5aa765d61d8327deb882cf99”.The32characterstringcannottheoreticallybereversedwithanyothermappedinputdataexcept“password”.Thecurrentmethodofrecreatingthisinputdata“password”isthroughadictionary/mask/brute-forceattackofallpossibleinputsmatchingthehashedvalue;alsocalledapre-imageattack.Generallyspeaking,hashfunctionsshouldpossessthebelowcharacteristics:-Becomputationallyinfeasibletofindtwodifferentsetsofinputdatawiththesamehashvalue(alsocalledacollision).-Thehashvalueshouldbe“quick”tocompute(i.e.>~1second).-ItshouldbedifficulttogeneratetheinputdataJustbylookingatthehashvalue.-Onesimplechangetotheinputdatashoulddrasticallychangetheresultanthashvalue.

ResourcesHowHashAlgorithmsWorkhttp://www.metamorphosite.com/one-way-hash-encryption-sha1-data-software

MARKOVCHAINS

MarkovChainsarecreated,forourpasswordcrackingpurposes,bystatisticalanalysisofalargelistofpasswords/words(i.e.theRockYoupassworddataset).Theresultantanalysisofthesewordsandtheirper-positioncharacterfrequency/probabilityarestoredinatable.Thistableisreferencedwhenperformingbrute-force/maskattackstopreventhavingtogeneratepasswordcandidatesinasequentialorder,whichisveryinefficient.Instead,themostcommoncharactersareattemptedfirstinorderofprecedingcharacterprobability.Solet’sseesequentialbrute-force?a?a?a?awithoutMarkovChainsapplied:

Nowthesamebrute-forceattackwithMarkovChainsapplied:

MarkovChainspredicttheprobabilityofthenextcharacterinapasswordbasedontheprevious

characters,orcontextcharacters.It’sthatsimple.

ResourcesFastDictionaryAttacksonPasswordsUsingTime-SpaceTradeoffhttp://www.cs.utexas.edu/~shmat/shmat_ccs05pwd.pdf

OMEN:FasterPasswordGuessingUsinganOrderedMarkovEnumeratorhttps://hal.inria.fr/hal-01112124/document

PROBABILISTICCONTEXT-FREEGRAMMARS(PCFG)

AProbabilisticContextFreeGrammar(PCFG)consistsofterminalandnonterminalvariables.Eachfeaturetobemodeledhasaproductionrulethatisassignedaprobability,estimatedfromatrainingsetofRNAstructures.Productionrulesarerecursivelyapplieduntilonlyterminalresiduesareleft.ThenotionsupportingPCFGsisthatpasswordsareconstructedwithtemplatestructuresandterminalsthatfitintothosestructures.Forexample,thepasswordcandidate‘passwordl23!’is8letters,3digits,1specialandwouldbenotedas‘L8D3S1’.Apassword’sprobabilityofoccurringistheprobabilityofitsstructure,multipliedbythoseofitsunderlyingterminals.

ResourcesPasswordCrackingUsingProbabilisticContext-FreeGrammarshttps://sites.google.com/site/reusablesec/Home/password-cracking-tools/probablistic_cracker

NextGenPCFGPasswordCrackinghttps://github.com/lakiw/pcfg_cracker

NEURALNETWORKS

ArtificialNeuralNetworksorNeuralNetworks(NN)isamachine-learningtechniquecomposedofnodescalledArtificialNeurons,justlikethebrainpossesses.SuchsystemsuseMachineLearningtoapproximatehighlydimensionalfunctionsandprogressivelylearnthroughexamplesoftrainingsetdata,orinourcasealargepassworddump.Theyhaveshowninitialpromisetobeeffectiveatgeneratingoriginalyetrepresentativepasswordcandidates.AdvantagestoNN’sforpasswordcrackingarethelowoverheadforstoringthefinalNNmodel,approximately500kb,andtheabilitytocontinuallylearnovertimethroughretrainingortransferlearning.

ResourcesFast,Lean,andAccurate:ModelingPasswordGuessabilityUsingNeuralNetworks(USENIX‘16)https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_melicher.pdfhttps://github.com/cupslab/neural_network_cracking

COMMONHASHEXAMPLES

MD5,NTLM,NTLMv2,LM,MD5crypt,SHA1,SHA256,bcrypt,PDF1.4-1.6(Acrobat5-8),MicrosoftOFFICE2013,RAR3-HP,Winzip,7zip,Bitcoin/Litecoin,MACOSXv10.5-v10.6,MySQL4.1-5+,Postgres,MSSQL(2012)-MSSQL(2014),Oracle11g,CiscoTYPE4589,WPAPSK/WPA2PSK

MDS

HASHCATHASHFORMAT8743b52063cd84097a65dl633f5c74f5

BRUTEFORCEATTACKhashcat-m0-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m0-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m0-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMAT8743b52063cd84097a65dl633f5c74f5

BRUTEFORCEATTACKjohn--format=raw-md5hash.txtWORDLISTATTACKjohn--format=raw-md5wordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=raw-md5wordlist=dict.txt--ruleshash.txt

NTLM(PWDUMP)

HASHCAT

HASHFORMATb4b9b02e6f09a9bd760f388b67351e2b

BRUTEFORCEATTACKhashcat-m1000-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m1000-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m1000-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMATb4b9b02e6f09a9bd760f388b67351e2b

BRUTEFORCEATTACKjohn--format=nthash.txtWORDLISTATTACKjohn--format=ntwordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=ntwordlist=dict.txt--ruleshash.txt

NTLMV2

HASHCATHASHFORMATusername::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966al53a0064958dac6:5c7830315C7830310000000000000b45c67103d07d7b95acdl2ffall230e0000000052920b85f78d013c31cdb3b92f5d765c783030

BRUTEFORCEATTACKhashcat-m5600-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m5600-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m5600-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMATusername:$NETNTLMv2$NTLMV2TESTWORKGROUP$1122334455667788$07659A550D5E9D02996DFD95C87EC1D5$0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000

BRUTEFORCEATTACKjohn--format=netntlmv2hash.txtWORDLISTATTACKjohn--format=netntlmv2wordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=netntlmv2wordlist=dict.txt--ruleshash.txt

LM

HASHCATHASHFORMAT299bdl28cll01fd6

BRUTEFORCEATTACKhashcat-m3000-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m3000-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m3000-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMAT$LM$a9c604d244c4e99d

BRUTEFORCEATTACKjohn--format=lmhash.txtWORDLISTATTACKjohn--format=lmwordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=lmwordlist=dict.txt--ruleshash.txt

MD5CRYPT

HASHCATHASHFORMAT$1$28772684$iEwNOgGugq09.bIz5sk8k/BRUTEFORCEATTACKhashcat-m500-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m500-a0hash.txtdict.txt

WORDLIST+RULEATTACKhashcat-m500-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMAT$l$28772684$iEwNOgGugq09.bIz5sk8k/

BRUTEFORCEATTACKjohn--format=md5crypthash.txtWORDLISTATTACKjohn--format=md5cryptwordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=md5cryptwordlist=dict.txt--ruleshash.txt

SHA1

HASHCATHASHFORMATb89eaac7e61417341b710b727768294d0e6a277b

BRUTEFORCEATTACKhashcat-m100-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m100-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m100-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMATb89eaac7e61417341b710b727768294d0e6a277b

BRUTEFORCEATTACKjohn--format=raw-sha1hash.txtWORDLISTATTACKjohn--format=raw-sha1wordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=raw-sha1wordlist=dict.txt--ruleshash.txt

SHA256

HASHCATHASHFORMAT127e6fbfe24a750e72930c220a8el38275656b8e5d8f48a98c3c92df2caba935

BRUTEFORCEATTACKhashcat-m1400-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m1400-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m1400-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMAT127e6fbfe24a750e72930c220a8el38275656b8e5d8f48a98c3c92df2caba935

BRUTEFORCEATTACKjohn--format=raw-sha256hash.txtWORDLISTATTACKjohn--format=raw-sha256wordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=raw-sha256wordlist=dict.txt--ruleshash.txt

BCRYPT

HASHCATHASHFORMAT$2a$05$LhayLxezLhKlLhWvKxCyLOj0jlu.Kj0jZ0pEmml34uzrQlFvQDLF6

BRUTEFORCEATTACKhashcat-m3200-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m3200-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m3200-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMAT$2a$05$LhayLxezLhKlLhWvKxCyLOj0jlu.Kj0jZ0pEmml34uzrQlFvQDLF6

BRUTEFORCEATTACKjohn--format=bcrypthash.txtWORDLISTATTACKjohn--format=bcryptwordlist=dict.txthash.txt

WORDLIST+RULEATTACKjohn--format=bcryptwordlist=dict.txt--ruleshash.txt

PDF1.4-1.6(ACROBAT5-8)

HASHCATHASHFORMAT$pdf$2*3*128*-1028*l*16*da42eel5d4b3e08fe5b9ecea0e02ad0f*32*c9b59d72c7c670c42eeb4fcald2cal5000000000000000000000000000000000*32*c4ff3e868dc87604626c2b8c259297al4d58c6309c70b00afdfblfbbal0ee571

EXTRACTHASHpdf2hashcat.pyexample.pdf>hash.txt

BRUTEFORCEATTACKhashcat-m10500-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m10500-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m10500-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMAT$pdf$Standard*badadle86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badfl01112131415161718191alblcldlelf*16*34blb6e593787af681a9b63fa8bf563b*l*l*0*l*4*128*-4*3*2

EXTRACTHASHpdf2john.pyexample.pdf>hash.txt

BRUTEFORCEATTACKjohn--format=pdfhash.txtWORDLISTATTACKjohn--format=pdfwordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=pdfwordlist=dict.txt--ruleshash.txt

MICROSOFTOFFICE2013

HASHCAT

HASHFORMATexample.docx:$office$*2013*100000*256*16*7dd611d7eb4c899f74816dldec817b3b*948dc0b2c2c6c32fl4b5995a543ad037*0b7ee0e48e935f937192a59de48a7d561ef2691d5c8a3ba87ec2d04402a94895

EXTRACTHASHoffice2hashcat.pyexample.docx>hash.txt

BRUTEFORCEATTACKhashcat-m9600-a3--usernamehash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m9600-a0--usernamehash.txtdict.txtWORDLIST+RULEATTACKhashcat-m9600-a0--usernamehash.txtdict.txt-rrule.txt

JOHNHASHFORMATexample.docx:$office$*2013*100000*256*16*7dd611d7eb4c899f74816dldec817b3b*948dc0b2c2c6c32f14b5995a543ad037*0b7ee0e48e935f937192a59de48a7d561ef2691d5c8a3ba87ec2d04402a94895

EXTRACTHASHoffice2john.pyexample.docx>hash.txt

BRUTEFORCEATTACKjohn--format=office2013hash.txtWORDLISTATTACKjohn--format=office2013wordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=office2013wordlist=dict.txt--ruleshash.txt

RAR3-HP(ENCRYPTEDHEADER)

HASHCATHASHFORMAT$RAR3$*0*45109af8ab5f297a*adbf6c5385d7a40373e8f77d7b89d317#!Ensuretoremoveextraneousrar2johnoutputtomatchabovehash!#EXTRACTHASHrar2john.pyexample.rar>hash.txt

BRUTEFORCEATTACKhashcat-m12500-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m12500-a0hash.txtdict.txt

WORDLIST+RULEATTACKhashcat-m12500-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMATexample.rar:$RAR3$*l*20e041a232b4b7f0*5618c5f0*1472*2907*0*/Path/To/example.rar*138*33:1::example.txt

EXTRACTHASHrar2john.pyexample.rar>hash.txt

BRUTEFORCEATTACKjohn--format=rarhash.txtWORDLISTATTACKjohn--format=rarwordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=rarwordlist=dict.txt--ruleshash.txt

WINZIP

HASHCATHASHFORMAT$zip2$*0*3*0*b5d2b7bf57ad5e86a55c400509c672bd*d218*0**ca3d736d03a34165cfa9*$/zip2$#!Ensuretoremoveextraneouszip2johnoutputtomatchabovehash!#EXTRACTHASHzip2john.pyexample.zip>hash.txt

BRUTEFORCEATTACKhashcat-m13600-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m13600-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m13600-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMATexample.zip:$zip2$*0*3*0*5b0a8bl53fb94bf719abb81a80e90422*8e91*9*0b76bf50al5938ce9c*3f37001e241el96195al*$/zip2$:::::example.zip

EXTRACTHASHzip2john.pyexample.zip>hash.txt

BRUTEFORCEATTACK

john--format=ZIPhash.txtWORDLISTATTACKjohn--format=ZIPwordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=ZIPwordlist=dict.txt--ruleshash.txt

7-ZIP

HASHCATHASHFORMAT$7z$0$19$0$salt$8$f6196259a7326e3f0000000000000000$185065650$112$98$f3bc2a88062c419a25acd40c0c2d75421cf23263f69c51bl3f9blaada41a8a09f9adeae45d67c60b56aad338f20c0dcc5eb811c7a61128ee0746f922cdb9c59096869f341c7a9cblac7bb7d771f546b82cf4e6flla5eCd4b61751e4d8de66dd6e2dfb5b7dl022d2211e2d66eal703f96#!Ensuretoremoveextraneous7zip2johnoutputtomatchabovehash!#EXTRACTHASH7z2john.pyexample.7z>hash.txt

BRUTEFORCEATTACKhashcat-m11600-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m11600-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m11600-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMATexample.7z:$7z$0$19$0$salt$8$f6196259a7326e3f0000000000000000$185065650$112$98$f3bc2a88062c419a25acd40c0c2d75421cf23263f69c51bl3f9blaada41a8a09f9adeae45d67c60b56aad338f20c0dcc5eb811c7a61128ee0746f922cdb9c59096869f341c7a9cblac7bb7d771f546b82Cf4e6flla5ecd4b61751e4d8de66dd6e2dfb5b7dl022d2211e2d66eal703f96

EXTRACTHASH7z2john.pyexample.7z>hash.txt

BRUTEFORCEATTACKjohn--format=7zhash.txtWORDLISTATTACKjohn--format=7zwordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=7zwordlist=dict.txt--ruleshash.txt

BITCOIN/LITECOIN

HASHCATHASHFORMAT$bitcoin$96$d011alb6a8d675b7a36d0cd2efaca32a9f8dcld57d6d01a58399ea04e703e8bbb44899039326f7a00fl71a7bbc854a54$16$1563277210780230$158555$96$628835426818227243334570448571536352510740823233055715845322741625407685873076027233865346542174$66$625882875480513751851333441623702852811440775888122046360561760525EXTRACTHASHbitcoin2john.pywallet.dat>hash.txtBRUTEFORCEATTACKhashcat-m11300-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m11300-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m11300-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMAT$bitcoin$96$d011alb6a8d675b7a36d0cd2efaca32a9f8dcld57d6d01a58399ea04e703e8bbb44899039326f7a00fl71a7bbc854a54$16$1563277210780230$158555$96$628835426818227243334570448571536352510740823233055715845322741625407685873076027233865346542174$66$625882875480513751851333441623702852811440775888122046360561760525EXTRACTHASHbitcoin2john.pywallet.dat>hash.txtBRUTEFORCEATTACKjohn--format=bitcoinhash.txtWORDLISTATTACKjohn--format=bitcoinwordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=bitcoinwordlist=dict.txt--ruleshash.txt

MACOSX10.8-10.12

HASHCATHASHFORMATusername:$ml$35714$50973de90d336b5258f01e48ab324aa9ac81ca7959ac470d3d9c4395af624398$631a0ef84081b37cfe594a5468cf3a63173cd2ec25047b89457ed300f2b41b30a0792a39912fC5f3f7be8f74b7269ee3713172642de96ee482432a8dl2bf291aEXTRACTHASHsudoplist2hashcat.py/var/db/dslocal/nodes/Default/users/<username>.plistBRUTEFORCEATTACK

hashcat-m122-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m122-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m122-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMATusername:$pbkdf2-hmac-sha512$31724.019739e90d326b5258f01e483bl24aa9ac81ca7959acb70c3d9c4297af924398.631a0bf84081b37dae594a5468cf3a63183cd2ec25047b89457ed300f2bf1b40a0793a39512fc5a3f7ae8f74b7269ee3723172642de96eee82432a8dllbf365e:501:20:HOSTNAME:/bin/bash:/var/db/dslocal/nodes/Default/users/username.plistEXTRACTHASHsudoml2john.py/var/db/dslocal/nodes/Default/users/<username>.plistBRUTEFORCEATTACKjohn--format=xshahash.txtWORDLISTATTACKjohn--format=xshawordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=xshawordlist=dict.txt--ruleshash.txt

MYSQL4.1/MYSQL5+(DOUBLESHA1)

HASHCATHASHFORMATFCF7C1B8749CF99D88E5F34271D636178FB5D130EXTRACTHASHSELECTuser,passwordFROMmysql.userINTOOUTFILE‘/tmp/hash.txt’;BRUTEFORCEATTACKhashcat-m300-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m300-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m300-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMAT*FCF7C1B8749CF99D88E5F34271D636178FB5D130EXTRACTHASHSELECTuser,passwordFROMmysql.userINTOOUTFILE‘/tmp/hash.txt’;BRUTEFORCEATTACKjohn--format=mysql-sha1hash.txtWORDLISTATTACK

john--format=mysql-sha1wordlist=dict.txthash.txt

POSTGRESQL

HASHCATHASHFORMATa6343a68d964ca596d9752250d54bb8a:postgresEXTRACTHASHSELECTusername,passwdFROMpg_shadow;BRUTEFORCEATTACKhashcat-m12-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m12-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m12-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMATa6343a68d964ca596d9752250d54bb8a:postgresEXTRACTHASHSELECTusername,passwdFROMpg_shadow;BRUTEFORCEATTACKjohn--format=postgreshash.txtWORDLISTATTACKjohn--format=postgreswordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=postgreswordlist=dict.txt--ruleshash.txt

MSSQL(2012),MSSQL(2014)

HASHCATHASHFORMAT0x02000102030434ealbl7802fd95ea6316bd61d2c94622ca3812793e8fbl672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375EXTRACTHASHSELECTSL.name,SL.password_hashFROMsys.sql_loginsASSL;BRUTEFORCEATTACKhashcat-m1731-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m1731-a0hash.txtdict.txt

WORDLIST+RULEATTACKhashcat-m1731-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMAT0x02000102030434ealbl7802fd95ea6316bd61d2c94622ca3812793e8fbl672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375EXTRACTHASHSELECTSL.name,SL.password_hashFROMsys.sql_loginsASSL;BRUTEFORCEATTACKjohn--format=mssql12hash.txtWORDLISTATTACKjohn--format=mssql12wordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=mssql12wordlist=dict.txt--ruleshash.txt

ORACLE11G

HASHCATHASHFORMATac5fle62d21fd0529428b84d42e8955b04966703:38445748184477378130EXTRACTHASHSELECTSL.name,SL.password_hashFROMsys.sql_loginsASSL;BRUTEFORCEATTACKhashcat-m112-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m112-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m112-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMATac5fle62d21fd0529428b84d42e8955b04966703:38445748184477378130EXTRACTHASHSELECTSL.name,SL.password_hashFROMsys.sql_loginsASSL;BRUTEFORCEATTACKjohn--format=oraclellhash.txtWORDLISTATTACKjohn--format=oraclellwordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=oraclellwordlist=dict.txt--ruleshash.txt

CISCOTYPE4(SHA256)

HASHCATHASHFORMAT2btjjy78REtmYkkW0csHUbDZOstRXoWdX1mGrmmfeHI

BRUTEFORCEATTACKhashcat-m5700-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m5700-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m5700-a0hash.txtdict.txt-rrule.txt

CISCOTYPE5(MD5)

HASHCATHASHFORMAT$l$28772684$iEwN0gGugq09.bIz5sk8k/

BRUTEFORCEATTACKhashcat-m500-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m500-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m500-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMAT$1$28772684$iEwN0gGugq09.bIz5sk8k/

BRUTEFORCEATTACKjohn--format=md5crypthash.txtWORDLISTATTACKjohn--format=md5cryptwordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=md5cryptwordlist=dict.txt--ruleshash.txt

CISCOTYPE8(PBKDF2+SHA256)

HASHCATHASHFORMAT$8$TnGX/fE4KGH0VU$pEhnEvxrvaynpi8j4f.EMHr6M.FzU8xnZnBr/tJdFWk

BRUTEFORCEATTACKhashcat-m9200-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m9200-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m9200-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMAT$8$TnGX/fE4KGH0VU$pEhnEvxrvaynpi8j4f.EMHr6M.FzU8xnZnBr/tJdFWk

BRUTEFORCEATTACKjohn--format=pbkdf2-hmac-sha256hash.txtWORDLISTATTACKjohn--format=pbkdf2-hmac-sha256wordlist=dict.txthash.txtWORDLIST+RULEATTACKjohn--format=pbkdf2-hmac-sha256wordlist=dict.txt--ruleshash.txt

CISCOTYPE9(SCRYPT)

HASHCATHASHFORMAT$9$2MJBozw/9R3UsU$21FhcKvpghcyw8deP25G0fyZaagyU0GBymkryv0dfo6

BRUTEFORCEATTACKhashcat-m9300-a3hash.txt?a?a?a?a?a?aWORDLISTATTACKhashcat-m9300-a0hash.txtdict.txtWORDLIST+RULEATTACKhashcat-m9300-a0hash.txtdict.txt-rrule.txt

JOHNHASHFORMAT$9$2MJBozw/9R3UsU$21FhcKvpghcyw8deP25G0fyZaagyU0GBymkryv0dfo6

BRUTEFORCEATTACKjohn--format=scrypthash.txtWORDLISTATTACKjohn--format=scryptwordlist=dict.txthash.txt

WORDLIST+RULEATTACKjohn--format=scryptwordlist=dict.txt--ruleshash.txt

WPAPSK/WPA2PSK

HASHCATHASHFORMAT*Capture4-wayauthenticationhandshake>capture.capcap2hccapx.bincapture.capcapture_out.hccapxBRUTEFORCEATTACKhashcat-m2500-a3capture_out.hccapx?a?a?a?a?a?aWORDLISTATTACKhashcat-m2500-a3capture_out.hccapxdict.txtWORDLIST+RULEATTACKhashcat-a0capture_out.hccapxdict.txt-rrule.txt

JOHNHASHFORMAT*Capture4-wayauthenticationhandshake>capture.capcap2hccap.bin-e‘<ESSID>’capture.capcapture_out.hccaphccap2johncapture_out.hccap>jtr_captureBRUTEFORCEATTACKjohn--format=wpapskjtr_captureWORDLISTATTACKjohn--format=wpapskwordlist=dict.txtjtr_captureWORDLIST+RULEATTACKjohn--format=wpapskwordlist=dict.txt--rulesjtr_capture

APPENDIX

TERMS

BRUTE-FORCEATTACK-theactoftryingeverypossiblecombinationofagivenkeyspaceorcharactersetforagivenlength

DICTIONARY-acollectionofcommonswords,phrases,keyboardpatterns,generatedpasswords,orleakedpasswords,alsoknownasawordlist

DICTIONARYATTACK-usingafilecontainingcommonorknownpasswordcombinationsorwordsinanattempttomatchagivenhashingfunction’soutputbyrunningsaidwordsthroughthesametargethashingfunction

HASH-thefixedbitresultofahashfunction

HASHFUNCTION-mapsdataofarbitrarysizetoabitstringofafixedsize(ahashfunction)whichisdesignedtoalsobeaone-wayfunction,thatis,afunctionwhichisinfeasibletoinvert

ITERATIONS-thenumberoftimesanalgorithmisrunoveragivenhash

KEYSPACE-thenumberofpossiblecombinationsforagivencharactersettothepowerofit’slength(i.e.charset^length)

MASKATTACK-usingplaceholderrepresentationstotryallcombinationsofagivenkeyspace,similartobrute-forcebutmoretargetedandefficient

PASSWORDENTROPY-anestimationofhowdifficultapasswordwillbetocrackgivenitscharactersetandlength

PLAINTEXT-unalteredtextthathasn’tbeenobscuredoralgorithmicallyalteredthroughahashingfunction

RAKING-generatingrandompasswordrules/candidatesinanattempttodiscoverapreviouslyunknownmatchingpasswordpattern

RAINBOWTABLE-aprecomputedtableofatargetedcryptographichashfunctionofacertainminimumandmaximumcharacterlength

RULEATTACK-similartoaprogramminglanguageforgeneratingcandidatepasswordsbasedonsomeinputsuchasadictionary

SALT-randomdatathatusedasadditionalinputtoaone-wayfunction

WORDLIST-acollectionofcommonswords,phrases,keyboardpatterns,generatedpasswords,orleakedpasswords,alsoknownasadictionary

TIMETABLE

60seconds 1minute3,600seconds 1hour86,400seconds 1day604,800seconds 1week1,209,600seconds 1fortnight2,419,200seconds 1month(30days)31,536,000seconds 1year

ONLINERESOURCES

JOHNhttp://openwall.info/wiki/johnhttp://openwall.info/wiki/john/sample-non-hasheshttp://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formatshttps://countuponsecurity.com/2015/06/14/jonh-the-ripper-cheat-sheet/https://xinn.org/blog/JtR-AD-Password-Auditing.htmlhttps://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf

HASHCAThttps://hashcat.net/wiki/https://hashcat.net/wiki/doku.php?id=hashcat_utils

https://hashcat.net/wiki/doku.php?id=statsprocessorhttp://www.netmux.com/blog/ultimate-guide-to-cracking-foreign-character-passwords-using-hashttp://www.netmux.com/blog/cracking-12-character-above-passwords

CRACKINGRIGShttp://www.netmux.com/blog/how-to-build-a-password-cracking-righttps://www.unix-ninja.com/p/Building_a_Password_Cracking_Rig_for_Hashcat_-_Part_III

EXAMPLEHASHGENERATIONhttps://www.onlinehashcrack.com/hash-generator.phphttps://www.tobtu.com/tools.phphttp://hash.online-convert.com/https://www.tools4noobs.com/online_tools/hash/https://quickhash.com/http://bitcoinvalued.com/tools.phphttp://www.sha1-online.com/http://www.freeformatter.com/hmac-generator.htmlhttp://openwall.info/wiki/john/Generating-test-hashes

OTHERhttp://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-passwords/http://www.utf8-chartable.de/http://thesprawl.org/projects/pack/https://blog.gotmilk.com/2011/06/dictionaries-wordlists/http://wpengine.com/unmasked/https://www.unix-ninja.com/p/A_cheat-sheet_for_password_crackershttps://room362.com/post/2017/05-06-2017-password-magic-numbers/http://www.netmux.com/blog/how-to-build-a-password-cracking-righttp://passwordchart.com/http://www.vigilante.pw

NETMUXhttp://www.netmux.comhttp://www.hashcrack.iohttps://github.com/netmuxhttps://twitter.com/netmuxhttps://www.instagram.com/netmux/

***ANSWERTOCUSTOMDICTIONARYCREATIONHASH:e4821dl6a298092638ddb7cadc26d32f=letmein123456Netmux

10CRACKCOMMANDMENTS

1.Thoushaltknowhashtypesandtheirorigin/function2.Thoushaltknowcrackingsoftwarestrengths&weaknesses3.Thoushaltstudy&applypasswordanalysistechniques4Thoushaltbeproficientathashextractionmethods5.Thoushaltcreatecustom/targeteddictionaries6.Thoushaltknowthycrackingrigscapabilities7.Thoushaltunderstandbasichumanpsychology/behavior8.Thoushaltcreatecustommasks,rules,andMarkovchains9.Thoushaltcontinuallyexperimentwithnewtechniques10.Thoushaltsupportthyfellowcrackingcommunitymembers

JOHNTHERIPPERHELPMENU

JohntheRipperpasswordcracker,version1.8.0-jumbo-1[darwinl5.6.064-bitAVX2-autoconf]Copyright (c)1996-2014bySolarDesignerandothersHomepage: http://www.openwall.com/john/

Usage:john[OPTIONS][PASSWORD-FILES]--single[=SECTION] “singlecrack”mode--wordlist[=FILE]--stdin wordlistmode,readwordsfromFILEorstdin--pipe like--stdin,butbulkreads,andallowsrules--loopback[=FILE] like--wordlist,butfetchwordsfroma.potfile--dupe-suppression suppressalldupesinwordlist(andforcepreload)

--encoding=NAME inputencoding(eg.UTF-8,ISO-8859-1).Seealsodoc/ENCODINGand--list=hidden-options.

--rules[=SECTION] enablewordmanglingrulesforwordlistmodes--incremental[=MODE] “incremental”mode[usingsectionMODE]--mask=MASK maskmodeusingMASK--markov[=OPTIONS] “Markov”mode(seedoc/MARKOV)--external=MODE externalmodeorwordfilter--stdout[=LENGTH] justoutputcandidatepasswords[cutatLENGTH]--restore[=NAME] restoreaninterruptedsession[calledNAME]--session=NAME giveanewsessiontheNAME--status[=NAME] printstatusofasession[calledNAME]--make-charset=FILE makeacharsetfile.Itwillbeoverwritten

showcrackedpasswords[if=LEFT,then

--show[=LEFT] uncracked]

--test[=TIME] runtestsandbenchmarksforTIMEsecondseach--users=[-]LOGIN|UID[,..] [donot]loadthis(these)user(s)only--groups=[-]GID[,..] loadusers[not]ofthis(these)group(s)only--shells=[-]SHELL[,..] loaduserswith[out]this(these)shell(s)only--salts=[-]COUNT[:MAX] loadsaltswith[out]COUNT[toMAX]hashes--save-memory=LEVEL enablememorysaving,atLEVEL1..3--node=MIN[-MAX]/TOTAL thisnode’snumberrangeoutofTOTALcount--fork=N forkNprocesses--pot=NAME potfiletouse--list=WHAT listcapabilities,see--list=helpordoc/OPTIONS--devices=N[,..]devices) setOpenCLdevice(s)(listusing--list=opencl---format=NAME forcehashtypeNAME:7z7z-openclAFSagilekeychainagilekeychain-openclaix-smd5aix-ssha1aix-ssha256aix-ssha512asa-md5bcryptbcrypt-openclbfeggBitcoinblackberry-es10Blockchainblockchain-openclbsdicryptchapCitrix_NS10ClipperzcloudkeychaincqCRC32cryptdahuadescryptdescrypt-openclDjangodjango-scryptdmd5dmgdmg-opencldominosecdragonfly3-32dragonfly3-64dragonfly4-32dragonfly4-64Drupal7dummydynamic_neCryptfsEFSeigrpEncFSencfs-openclEPIEPiServerfdeFormSpringFortigategostgpggpg-openclHAVAL-128-4HAVAL-256-3hdaaHMAC-MD5HMAC-SHA1HMAC-SHA224HMAC-SHA256HMAC-SHA384HMAC-SHA512hMailServerhsrpIKEipb2KeePasskeychainkeychain-openclkeyringkeyring-openclkeystoreknown_hostskrb4krb5krb5-18krb5pa-md5krb5pa-md5-openclkrb5pa-sha1krb5pa-sha1-openclkwalletLastPassLMlotus5lotus5-opencllotus85LUKSMD2md4-genmd5cryptmd5crypt-openclmd5nsmdc2MediaWikiMongoDBMozillamscashmscash2mscash2-openclMSCHAPv2mschapv2-naivemssqlmssql05mssqll2mysqlmysql-sha1mysql-sha1-openclmysqlnanet-md5net-sha1nethalflmnetlmnetlmv2netntlmnetntlm-naivenetntlmv2nknsldapNTnt-openclnt2ntlmv2-openclo51ogono51ogon-openclODFODF-AES-openclODF-openclOfficeoffice2007-opencloffice2010-opencloffice2013-opencloldofficeoldoffice-openclOpenBSD-SoftRAIDopenssl-encOpenVMSoracleoraclelloscPanamaPBKDF2-HMAC-SHA1PBKDF2-HMAC-SHA1-openclPBKDF2-HMAC-SHA256PBKDF2-HMAC-SHA256-openclPBKDF2-HMAC-SHA512pbkdf2-hmac-sha512-openclPDFPFXphpassphpass-openclPHPSpix-md5PKZIPpopostgresPSTPuTTYpwsafepwsafe-openclRACFRAdminRAKPRAKP-openclrarrar-openclRAR5RAR5-openclRaw-Blake2Raw-KeccakRaw-Keccak-256Raw-MD4Raw-MD4-openclRaw-MD5Raw-MD5-openclRaw-MD5uRaw-SHARaw-SHA1Raw-SHA1-LinkedinRaw-SHA1-ngRaw-SHA1-openclRaw-SHA224Raw-SHA256Raw-SHA256-ngRaw-SHA256-openclRaw-SHA384Raw-SHA512Raw-SHA512-ngRaw-SHA512-openclripemd-128ripemd-160rsvpSalted-SHA1sapbsapgscryptsha1-gensha1cryptsha1crypt-openclsha256cryptsha256crypt-openclsha512cryptsha512crypt-openclSiemens-S7SIPskein-256skein-512skeySnefru-128Snefru-256SSHSSH-ngssha-openclSSHA512STRIPstrip-openclSunMD5sxcsxc-openclSybase-PROPsybaseasetc_aes_xtstc_ripemdl60tc_sha512tc_whirlpooltcp-md5TigertripcodeVNCvtpwbb3whirlpoolwhirlpool0whirlpoollWoWSRPwpapskwpapsk-openclxshaxsha512XSHA512-openclZIPzip-opencl

HASHCATHELPMENU

hashcat3.6-advancedpasswordrecovery

Usage:hashcat[options]...hash|hash-file|hccapxfile[dictionary|mask|directory]...

-[Options]-

Ifyoustillhavenoideawhatjusthappened,trythefollowingpages:

*https://hashcat.net/wiki/#howtos_videos_papers_articles_etc_in_the_wild*https://hashcat.net/faq/

***HASHCRACKINGBENCHMARKtablesaremeanttobeareferencetoenableuserstogaugehowSLOWorFASTahashingalgorithmisbeforeformulatinganattackplan.NvidiaGTX2080waschosenasthedefaultduetoitsprevalenceamongthecrackingcommunityandit’spositionasatopperformingGPUcard.

HASHCRACKINGBENCHMARKS(ALPHABETICAL)

1Password,agilekeychain 3319.2kH/s1Password,cloudkeychain 10713H/s3DES(PT=$salt,key=$pass) 594.3MH/s7-Zip 7514H/sAIX 14937.2kH/sAIX 44926.1kH/sAIX 6359.3kH/sAIX 9937.1kH/sAndroidFDE(SamsungDEK) 291.8kH/sAndroidFDE<=4.3 803.0kH/sAndroidPIN 5419.4kH/sArubaOS 6894.7MH/sAtlassian(PBKDF2-HMAC-SHA1) 283.6kH/sAxCrypt 113.9kH/sAxCryptinmemorySHA1 7503.3MH/sbcrypt,Blowfish(OpenBSD) 13094H/sBSDiCrypt,ExtendedDES 1552.5kH/sBitcoin/Litecoinwallet.dat 4508H/sBLAKE2-512 1488.9MH/sBlockchain,MyWallet 50052.3kH/sBlockchain,MyWallet,V2 305.2kH/sChaCha20 3962.0MH/sCisco$8$ 59950H/sCisco$9$ 22465H/sCisco-ASAMD5 17727.2MH/sCisco-IOSSHA256 2864.3MH/sCisco-PIXMD5 16407.2MH/sCitrixNetScaler 7395.3MH/sColdFusion10+ 1733.6MH/sDES(PT=$salt,key=$pass) 19185.7MH/sdescrypt,DES(Unix),TraditionalDES 906.7MH/sDNSSEC(NSEC3) 3274.6MH/s

Django(PBKDF2-SHA256) 59428H/sDjango(SHA-1) 6822.6MH/sDomainCachedCredentials(DCC),MSCache 11195.8MH/sDomainCachedCredentials2(DCC2),MSCache2 317.5kH/sDPAPImasterkeyfilev1andv2 73901H/sDrupal7 56415H/seCryptfs 13813H/sEthereumWallet,PBKDF2-HMAC-SHA256 4518H/sEthereumWallet,SCRYPT 29H/sEPiServer6.x<v4 6818.5MH/sEPiServer6.x>v4 2514.4MH/sFileZillaServer>=0.9.55 565.2MH/sFortiGate(FortiOS) 6386.2MH/sGOSTR34.11-2012(Streebog)256-bit 50018.8kH/sGOSTR34.11-2012(Streebog)512-bit 49979.4kH/sGOSTR34.11-94 206.2MH/sGRUB2 43235H/sHalfMD5 15255.8MH/shMailServer 2509.6MH/sIKE-PSKMD5 1834.0MH/sIKE-PSKSHA1 788.2MH/sIPB2+,MyBB1.2+ 5011.8MH/sIPMI2RAKPHMAC-SHA1 1607.3MH/siTunesbackup<10.0 140.2kH/siTunesbackup>=10.0 94H/sJKSJavaKeyStorePrivateKeys(SHA1) 7989.4MH/sJoomla<2.5.18 25072.2MH/sJuniperIVE 9929.1kH/sJuniper/NetBSDsha1crypt 144.1kH/sJuniperNetscreen/SSG(ScreenOS) 12946.8MH/sKeepass1(AES/Twofish)andKeepass2(AES) 139.8kH/sKerberos5AS-REQPre-Authetype23 291.5MH/sKerberos5TGS-REPetype23 291.1MH/sLM 18382.7MH/sLastpass 2331.2kH/sLotusNotes/Domino5 205.2MH/sLotusNotes/Domino6 69673.5kH/sLotusNotes/Domino8 667.2kH/sLUKS 8703H/sMD4 43722.9MH/sMD5 24943.1MH/smd5(md5($pass).md5($salt)) 4291.9MH/smd5($salt.md5($salt.$pass)) 5037.7MH/s

md5($salt.md5($pass.$salt)) 5401.6MH/smd5apr1,MD5(APR),ApacheMD5 9911.5kH/smd5crypt,MD5(Unix),FreeBSDMD5,Cisco-IOSMD5 9918.1kH/sMSOffice<=2003MD5+RC4,collision-mode#1 339.9MH/sMSOffice<=2003MD5+RC4,oldoffice$0,oldoffice$l 219.6MH/sMSOffice<=2003SHA1+RC4,collision-mode#1 330.8MH/sMSOffice<=2003SHA1+RC4,oldoffice$3,oldoffice$4 296.7MH/sMS-AzureSyncPBKDF2-HMAC-SHA256 10087.9kH/sMSSQL(2000) 8609.7MH/sMSSQL(2005) 8636.4MH/sMSSQL(2012) 1071.3MH/sMediawikiBtype 6515.8MH/sMySQLChallenge-ResponseAuthentication(SHA1) 2288.0MH/sMySQL323 51387.0MH/sMySQL4.1/MySQL5 3831.5MH/sNTLM 41825.0MH/sNetNTLMv1-VANILLA/NetNTLMv1+ESS 22308.5MH/sNetNTLMv2 1634.9MH/sosCommerce,xt 12883.7MH/sOSXV10.4,V10.5,V10.6 6831.3MH/sOSXV10.7 834.1MH/sOSXV10.8+ 12348H/sOffice2007 134.5kH/sOffice2010 66683H/sOffice2013 8814H/sOpenCart 2097.0MH/sOracleH 851.6MH/sOracleS 8565.0MH/sOracleT 104.7kH/sPasswordSafev2 332.0kH/sPasswordSafev3 1233.4kH/sPBKDF2-HMAC-MD5 7408.3kH/sPBKDF2-HMAC-SHA1 3233.9kH/sPBKDF2-HMAC-SHA256 1173.1kH/sPBKDF2-HMAC-SHA512 431.4kH/sPDF1.1-1.3(Acrobat2-4) 345.0MH/sPDF1.1-1.3(Acrobat2-4)+collider-mode#1 373.4MH/sPDF1.4-1.6(Acrobat5-8) 16048.0kH/sPDF1.7Level3(Acrobat9) 2854.1MH/sPDF1.7Level8(Acrobat10-11) 30974H/sPeopleSoft 8620.3MH/sPeopleSoftPS_TOKEN 3226.5MH/sphpass,MD5(Wordpress),MD5(phpBB3),MD5(Joomla) 6917.9kH/s

PHPS 6972.6MH/sPlaintext 37615.5MH/sPostgreSQL 25068.0MH/sPostgreSQLChallenge-ResponseAuth(MD5) 6703.0MH/sPrestaShop 8221.3MH/sPunBB 2837.7MH/sRACF 2528.4MH/sRAR3-hp 29812H/sRAR5 36473H/sRadmin2 8408.3MH/sRedmineProjectManagementWebApp 2121.3MH/sRipeMD160 4732.0MH/sSAPCODVNB(BCODE) 1311.2MH/sSAPCODVNF/G(PASSCODE) 739.3MH/sSAPCODVNH(PWDSALTEDHASH)iSSHA-1 6096.6kH/sscrypt 435.1kH/sSHA-1(Base64),nsldap,NetscapeLDAPSHA 8540.0MH/sSHA-3(Keccak) 769.8MH/sSHA1 8538.1MH/sSHA1(CX) 291.8MH/ssha1($salt.sha1($pass)) 2457.6MH/sSHA-224 3076.6MH/sSHA256 2865.2MH/ssha256crypt,SHA256(Unix) 388.8kH/sSHA384 1044.8MH/sSHA512 1071.1MH/ssha512crypt,SHA512(Unix) 147.5kH/sSIPdigestauthentication(MD5) 2004.3MH/sSKIP32 4940.9MH/sSMF>v1.1 6817.7MH/sSSHA-1(Base64),nsldaps,NetscapeLDAPSSHA 8584.5MH/sSSHA-256(Base64),LDAP{SSHA256} 3216.9MH/sSSHA-512(Base64),LDAP 1072.2MH/sSipHash 28675.1MH/sSkype 12981.9MH/sSybaseASE 398.1MH/sTrueCryptPBKDF2-HMAC-RipeMD160+XTS512bit+boot-mode 512.4kH/sTrueCryptPBKDF2-HMAC-RipeMD160+XTS512bit 277.0kH/sTrueCryptPBKDF2-HMAC-SHA512+XTS512bit 376.2kH/sTrueCryptPBKDF2-HMAC-Whirlpool+XTS512bit 36505H/svBulletin<V3.8.5 6947.7MH/svBulletin>V3.8.5 4660.5MH/sVeraCryptPBKDF2-HMAC-RipeMD160+XTS512bit 907H/s

VeraCryptPBKDF2-HMAC-RipeMD160+XTS512bit+boot-mode 1820H/sVeraCryptPBKDF2-HMAC-SHA256+XTS512bit 1226H/s

VeraCryptPBKDF2-HMAC-SHA256+XTS512bit+boot-mode 3012H/sVeraCryptPBKDF2-HMAC-SHA512+XTS512bit 830H/sVeraCryptPBKDF2-HMAC-Whirlpool+XTS512bit 74H/sWBB3,WoltlabBurningBoard3 1293.3MH/sWPA/WPA2 396.8kH/sWhirlpool 253.9MH/sWinZip 1054.4kH/s

*CRACKINGSPEEDBASEDONNVIDIAGTX1080&HASHCATv3.6

HASHCRACKINGSPEED(SLOW-FAST)

EthereumWallet,SCRYPT 29H/sVeraCryptPBKDF2-HMAC-Whirlpool+XTS512bit 74H/siTunesbackup>=10.0 94H/sVeraCryptPBKDF2-HMAC-SHA512+XTS512bit 830H/sVeraCryptPBKDF2-HMAC-RipeMD160+XTS512bit 907H/sVeraCryptPBKDF2-HMAC-SHA256+XTS512bit 1226H/sVeraCryptPBKDF2-HMAC-RipeMD160+XTS512bit+boot-mode 1820H/sVeraCryptPBKDF2-HMAC-SHA256+XTS512bit+boot-mode 3012H/sBitcoin/Litecoinwallet.dat 4508H/sEthereumWallet,PBKDF2-HMAC-SHA256 4518H/s7-Zip 7514H/sLUKS 8703H/sOffice2013 8814H/s1Password,cloudkeychain 10713H/sOSXV10.8+ 12348H/sbcrypt,Blowfish(OpenBSD) 13094H/seCryptfs 13813H/sCisco$9$ 22465H/sRAR3-hp 29812H/sPDF1.7Level8(Acrobat10-11) 30974H/sRAR5 36473H/sTrueCryptPBKDF2-HMAC-Whirlpool+XTS512bit 36505H/sGRUB2 43235H/sDrupal7 56415H/sDjango(PBKDF2-SHA256) 59428H/sCisco$8$ 59950H/sOffice2010 66683H/sDPAPImasterkeyfilev1andv2 73901H/sOracleT 104.7kH/sAxCrypt 113.9kH/sOffice2007 134.5kH/sKeepass1(AES/Twofish)andKeepass2(AES) 139.8kH/siTunesbackup<10.0 140.2kH/sJuniper/NetBSDsha1crypt 144.1kH/s

sha512crypt,SHA512(Unix) 147.5kH/sTrueCryptPBKDF2-HMAC-RipeMD160+XTS512bit 277.0kH/sAtlassian(PBKDF2-HMAC-SHA1) 283.6kH/sAndroidFDE(SamsungDEK) 291.8kH/sBlockchain,MyWallet,V2 305.2kH/sDomainCachedCredentials2(DCC2),MSCache2 317.5kH/sPasswordSafev2 332.0kH/sTrueCryptPBKDF2-HMAC-SHA512+XTS512bit 376.2kH/ssha256crypt,SHA256(Unix) 388.8kH/sWPA/WPA2 396.8kH/sPBKDF2-HMAC-SHA512 431.4kH/sscrypt 435.1kH/sTrueCryptPBKDF2-HMAC-RipeMD160+XTS512bit+boot-mode 512.4kH/sLotusNotes/Domino8 667.2kH/sAndroidFDE<=4.3 803.0kH/sWinZip 1054.4kH/sPBKDF2-HMAC-SHA256 1173.1kH/sPasswordSafev3 1233.4kH/sBSDiCrypt,ExtendedDES 1552.5kH/sLastpass 2331.2kH/sPBKDF2-HMAC-SHA1 3233.9kH/s1Password,agilekeychain 3319.2kH/sAndroidPIN 5419.4kH/sSAPCODVNH(PWDSALTEDHASH)iSSHA-1 6096.6kH/sAIX 6359.3kH/sphpass,MD5(Wordpress),MD5(phpBB3),MD5(Joomla) 6917.9kH/sPBKDF2-HMAC-MD5 7408.3kH/smd5apr1,MD5(APR),ApacheMD5 9911.5kH/smd5crypt,MD5(Unix),FreeBSDMD5,Cisco-IOSMD5 9918.1kH/sJuniperIVE 9929.1kH/sAIX 9937.1kH/sMS-AzureSyncPBKDF2-HMAC-SHA256 10087.9kH/sAIX 14937.2kH/sPDF1.4-1.6(Acrobat5-8) 16048.0kH/sAIX 44926.1kH/sGOSTR34.11-2012(Streebog)512-bit 49979.4kH/sGOSTR34.11-2012(Streebog)256-bit 50018.8kH/sBlockchain,MyWallet 50052.3kH/sLotusNotes/Domino6 69673.5kH/sLotusNotes/Domino5 205.2MH/sGOSTR34.11-94 206.2MH/sMSOffice<=2003MD5+RC4,oldoffice$0,oldoffice$l 219.6MH/sWhirlpool 253.9MH/s

Kerberos5TGS-REPetype23 291.1MH/sKerberos5AS-REQPre-Authetype23 291.5MH/sSHA1(CX) 291.8MH/sMSOffice<=2003SHA1+RC4,oldoffice$3,oldoffice$4 296.7MH/sMSOffice<=2003SHA1+RC4,collision-mode#1 330.8MH/sMSOffice<=2003MD5+RC4,collision-mode#1 339.9MH/sPDF1.1-1.3(Acrobat2-4) 345.0MH/sPDF1.1-1.3(Acrobat2-4)+collider-mode#1 373.4MH/sSybaseASE 398.1MH/sFileZillaServer>=0.9.55 565.2MH/s3DES(PT=$salt,key=$pass) 594.3MH/sSAPCODVNF/G(PASSCODE) 739.3MH/sSHA-3(Keccak) 769.8MH/sIKE-PSKSHA1 788.2MH/sOSXV10.7 834.1MH/sOracleH 851.6MH/sdescrypt,DES(Unix),TraditionalDES 906.7MH/sSHA384 1044.8MH/sSHA512 1071.1MH/sMSSQL(2012) 1071.3MH/sSSHA-512(Base64),LDAP 1072.2MH/sWBB3,WoltlabBurningBoard3 1293.3MH/sSAPCODVNB(BCODE) 1311.2MH/sBLAKE2-512 1488.9MH/sIPMI2RAKPHMAC-SHA1 1607.3MH/sNetNTLMv2 1634.9MH/sColdFusion10+ 1733.6MH/sIKE-PSKMD5 1834.0MH/sSIPdigestauthentication(MD5) 2004.3MH/sOpenCart 2097.0MH/sRedmineProjectManagementWebApp 2121.3MH/sMySQLChallenge-ResponseAuthentication(SHA1) 2288.0MH/ssha1($salt.sha1($pass)) 2457.6MH/shMailServer 2509.6MH/sEPiServer6.x>v4 2514.4MH/sRACF 2528.4MH/sPunBB 2837.7MH/sPDF1.7Level3(Acrobat9) 2854.1MH/sCisco-IOSSHA256 2864.3MH/sSHA256 2865.2MH/sSHA-224 3076.6MH/sSSHA-256(Base64),LDAP{SSHA256} 3216.9MH/sPeopleSoftPS_TOKEN 3226.5MH/s

DNSSEC(NSEC3) 3274.6MH/sMySQL4.1/MySQL5 3831.5MH/s

ChaCha20 3962.0MH/smd5(md5($pass).md5($salt)) 4291.9MH/svBulletin>V3.8.5 4660.5MH/sRipeMD160 4732.0MH/sSKIP32 4940.9MH/sIPB2+,MyBB1.2+ 5011.8MH/smd5($salt.md5($salt.$pass)) 5037.7MH/smd5($salt.md5($pass.$salt)) 5401.6MH/sFortiGate(FortiOS) 6386.2MH/sMediawikiBtype 6515.8MH/sPostgreSQLChallenge-ResponseAuthentication(MD5) 6703.0MH/sSMF>v1.1 6817.7MH/sEPiServer6.x<v4 6818.5MH/sDjango(SHA-1) 6822.6MH/sOSXV10.4,V10.5,V10.6 6831.3MH/sArubaOS 6894.7MH/svBulletin<V3.8.5 6947.7MH/sPHPS 6972.6MH/sCitrixNetScaler 7395.3MH/sAxCryptinmemorySHA1 7503.3MH/sJKSJavaKeyStorePrivateKeys(SHA1) 7989.4MH/sPrestaShop 8221.3MH/sRadmin2 8408.3MH/sSHA1 8538.1MH/sSHA-1(Base64),nsldap,NetscapeLDAPSHA 8540.0MH/sSSHA-1(Base64),nsldaps,NetscapeLDAPSSHA 8584.5MH/sMSSQL(2000) 8609.7MH/sPeopleSoft 8620.3MH/sMSSQL(2005) 8636.4MH/sOracleS 8565.0MH/sDomainCachedCredentials(DCC),MSCache 11195.8MH/sosCommerce,xt 12883.7MH/sJuniperNetscreen/SSG(ScreenOS) 12946.8MH/sSkype 12981.9MH/sHalfMD5 15255.8MH/sCisco-PIXMD5 16407.2MH/sCisco-ASAMD5 17727.2MH/sLM 18382.7MH/sDES(PT=$salt,key=$pass) 19185.7MH/sNetNTLMv1-VANILLA/NetNTLMv1+ESS 22308.5MH/s

MD5 24943.1MH/sPostgreSQL 25068.0MH/sJoomla<2.5.18 25072.2MH/sSipHash 28675.1MH/s

Plaintext 37615.5MH/sMD4 43722.9MH/sNTLM 41825.0MH/sMySQL323 51387.0MH/s

*SpeedbasedonNVIDIAGTX1080RunningHashcatv3.6

NOTES