Password Cracking Primer

Captions
Welcome back to another video. Today we're going to be looking at the tools and techniques of password cracking. Now, before we dive in, what is hashing? Well, I like to think of it as a fingerprint: a process that takes some data of an arbitrary length and converts it into a fixed-length string of characters or value. We can then use this to verify the original data. I'll take a moment to mention that of course not all hashing functions are created equal, so when we're talking about theory, of course there are always exceptions. Sometimes we have what's called collisions, where different data will often produce the same outputs. Now, I'm not a mathematician, but as far as I understand it's impossible for a hashing function to be completely collision-free, and this makes sense because what we're doing is taking a small set of values to represent a larger set. But hashes are designed to be collision resistant, and we'll touch more on some insecure hashing algorithms later on. So the process of creating a hash involves taking the original data and running it through a hashing function. The output of the function is the hash, which is a fixed-length string of characters. The same input data will always produce the same output, but it is, or at least should be, practically impossible to recreate the original data from the hash alone. I saw a great analogy on the web once: it's basically like cat poo. The cat has eaten the food, so it's mixed, digested, dehydrated, and what comes out is your hash. The main use cases are things like password storage, data integrity checking and digital signatures, and the main attacks that we're going to look at are dictionary attacks, brute force attacks, lookup tables and finally rainbow tables. As we go through these attacks I'll try and demonstrate a couple of different tools like hashcat and John, and if you like the video don't forget to hit the like and subscribe buttons. Let's dive in.

Let's take a look at some hashes that you will run into when you're testing web applications, starting with the infamous MD5. Of course that's been around since the early 90s. It's fast but considered insecure because it's vulnerable to collision, length extension and pre-image attacks, but today is all about cracking, so the fact that it's very fast to calculate means that it's also very fast to crack. Next we have SHA-1, which has mostly been replaced by SHA-256 and SHA-3 and other algorithms, but you might see it from time to time, and it is also a relatively fast algorithm and considered insecure. Now I'll take a moment to say that I'm not going to cover every single hashing algorithm, just some of the key ones that I think you'll bump into when you're testing web applications; of course you may need to do further research. Next up we have bcrypt, which I personally use when I'm building web applications. It's a variation of the Blowfish algorithm and is built to be hard to crack, and we might see this later on when we try and crack a bcrypt hash. It uses techniques called iterative hashing and adaptive hashing to basically be time consuming and computationally expensive. The last on our list is argon2, which I suppose, if you're using a slightly older algorithm like bcrypt, is the next step up. If you're not sure what algorithm to use to hash passwords then chances are you should go with this one. Now all of these were generated on my local Kali instance, so here are the commands I used if you want to create some hashes and then try cracking them for yourself. For argon2 you probably need to sudo apt install argon2, but for the others I think they all come pre-packaged with the latest Kali instance.

Now let's take a look at how we can identify hashes. Sometimes you'll know exactly what hash is being used because of the structure, where it came from, or maybe you have access to the source code. If we do manage to get our hands on a hash and we aren't exactly sure what it is, there are a few different ways to try and identify it. So first up we'll take a look at a couple of tools in Kali: hash-identifier, which comes pre-installed, and haiti, which is actually a tool that a viewer recommended to me during a live stream, and I've basically been using it since. So let's take a quick look. I have this file with all of the hashes in here, and also I've separated them out into text files just to make life a little bit easier. So what we're going to do is use hash-identifier first. I'll just load this up quickly and let's see how it identifies each of these hashes. We're just going to grab the MD5 to begin with, paste this in, and you can see that it comes up with a lot of results, but actually these results are the unlikely ones. You want to scroll up and see the possible hashes, and you can see that it does identify MD5, and it also says ah, this also looks like Domain Cached Credentials. That gives us a pretty clear indication of where we want to begin, which is pretty handy. Next up we're gonna take a look at SHA-1, so I just copy, paste, and it does the same thing, and if we scroll up it says SHA-1, and MySQL 5 SHA-1 as well, so this is a pretty good indication of what the hash is. Our next one, what was next? SHA-256. We'll grab this, paste it in, and we get SHA-256 and HAVAL-256 as well. We don't see this very often, but I think there's a whole family of HAVAL hash functions that exist. I don't really have any experience using them, but you might see them from time to time kicking around. Next up we have our bcrypt, so I'll just grab this one, paste this in, and interestingly enough it doesn't find bcrypt, so we get not found, which given the structure is quite familiar as well. So 2y is, I think, the most recent version, or definitely a more secure version than 2a of bcrypt, and 10 I think is the cost, so you can increase the cost of generating the hash when you create it. So it's a little surprising, considering that it has quite a specific structure, that hash-identifier didn't find this, but that's okay. And last we have argon2, so we'll just grab this, paste this in, and it actually thinks this is SHA-256 and HAVAL-256 as well. So maybe the hash-identifier tool is a little bit out of date and struggles with newer, more up-to-date hashes.

So what we're going to do is have a quick look at haiti. I know we can just run haiti and pass in the hash. This doesn't come packaged with Kali, so you'll have to go to the GitHub and install it. Let's just take a look at bcrypt, so we'll just copy this, paste here... ah, but of course it's using special characters, so actually if we run this again and just add some quotes, hopefully it will give us a result. And there we go, okay, so we get bcrypt as a result, and we also get the hashcat attack mode and the John the Ripper format as well, which is pretty handy. Let's give argon2 a quick go, and unfortunately it thinks this is SHA-256 or something else, so again it's kind of hit and miss: good for some algorithms and unfortunately misses for others.

Another way to identify these hashes is using the web. So if I just come to Google and search for "identify a hash site", we get things like TunnelsUp and hashes.com and onlinehashcrack.com. Let's just try the first one to begin with, and what we want to do is try and get this bcrypt one identified: salt not found, character length... so it doesn't look like it knows what it is. Let's try argon2: it thinks argon2 is SHA-256, so interesting. Let's try one more, hashes.com, and I think we can, if I recall, copy and paste in multiple hashes here, so in fact let's just do the whole lot and see what it comes back with. And it does successfully identify, because, I'm going to zoom in a little bit so you can see this, you can see possible algorithms: bcrypt. But it didn't identify the argon2, so mixed results, which makes things a little bit tricky. And you can see that it also returned the results of the first three hashes as well, so cheesecake was the input for all of the algorithms, although of course Blowfish and argon2 require salts, so you can't use rainbow tables unless you used a very predictable salt, I suppose, to identify these hashes, which we'll talk about in the next section.

And the last thing I want to show you all is, if I just come back to Google quickly and we just go to "hashcat identify hash" and we find this examples page, you can see that this is usually how we grab the hash mode for hashcat. So when we're cracking hashes we need to tell it what type of hash we're trying to crack, so if your hash mode is 0, for example, we're cracking MD5; if it's 100 we're cracking SHA-1. And sorry if the text is a little bit small, there we go. So this is also a useful reference for you, so definitely worth bookmarking this page.

So with 4 out of 5 hashes identified successfully, we should try cracking some. Now we're going to start with a dictionary attack. So we basically find or create a file full of common words or phrases that have a high probability of being the same thing that somebody used as their password, such as password123, and sometimes we do further processing like we will change the E's to 3's or the L's to 1's, or we'll add 1 or 2 or 3 on the end, or exclamation marks, for example. Each word is then hashed, and then the hash is compared to the original hash that we're trying to crack. If they match then we know the original text file that was used to create that hash. So this is a dictionary attack, and let's give it a try using hashcat. So what I'm going to do is we're just going to go hashcat, and I think we need the attack mode of 0 for dictionary. If you're not sure you can just -h, and then it will display the help, and we can see somewhere in here, the help file is actually very long, but I'm pretty sure it's -a 0. hashcat -a 0 for dictionary attack, -m 0 for MD5, and then we're just going to pass in our MD5, and then we're going to use the wordlist /usr/share/wordlists/rockyou.txt, the very infamous one, and that's it. So very, very fast, as we can see, and if we want to see the cracked password we can just do --show, and it tells us that the password is cheesecake.

Now if we wanted to do the same thing but for bcrypt, which is going to be much, much slower, let me just pass in bcrypt, and I think the mode is 3200. I'm gonna have to check, let me come back to... yeah, 3200, and you can see the 2 and the star, so this will be the older versions of bcrypt and the newer versions as well. So if you see $2y or $2a you should be good to go with 3200, so -m 3200 and we'll hit enter. And if you look at the speed values, so 3100 at 131, and we can compare this to how fast it's going to crack the bcrypt password as well. So I'm just going to hit s for the status and you can see that it's much, much slower, and this is actually going to take a little while. So what we're going to do is probably just hit q to quit, and its progress: it got through about 2002 passwords, so getting through 14 million is obviously going to take quite a long time. I know we stopped it quite early, but 0.02 percent through the 14 million words that are in rockyou.

All right, so next up we have brute force attacks. So if we're not sure what the password is, or if we think it's been randomly generated, so using like alphanumeric, 0 to 9, special characters, different cases, then a brute force attack is probably the best way to go. And this basically tries every combination of characters possible, so it's going to go something like a, b, c, d, and then aa, ab, ac, ad, and then aaa, aab, aac, aad, and it's going to go through every single iteration up to whatever character length you chose. So obviously as the password gets longer, or the original text that we hashed gets longer, the strength increases dramatically. So going from nine characters to 10 characters, obviously it's going to take longer to crack, and going from 10 to 11 it's going to take even longer; it's going to get exponentially harder. And when we add more characters such as numbers and special characters and different cases, we can say that this has higher entropy. So let's do this one with John. Sorry about that, my VM just crashed. So what we're going to do is run John, but if we run it without any wordlist it's just going to give us a default wordlist, so what we're going to do is use incremental mode and set it to Alpha, which I think is just basically all lowercase characters. We can define custom rules like length and character sets, but for now this should work. So sudo john md5 --incremental=Alpha, and then we're just going to pass in the format, raw-md5, and we'll give this a second to run. So if the password is long and complex this will take a very, very long time, but as you can see we have a relatively short and simple password, so it takes no time at all, so it's still fairly easy to crack with this method.

So that's hashcat and John out of the way. Now the next attack is called a lookup table, and this attack is not quite as well known as the previous two, but it's a really effective way of cracking large numbers of hashes. So in a previous pen test that I've done we used this method to audit the passwords of the organization after dumping all of the hashes from the domain controller. Also, if you manage to dump a large number of hashes out of a database from a web application, you can try this attack as well. And the idea is to pre-compute the hashes of passwords and store them in a lookup table. When we take each hash we do a lookup and see if it exists. So as I'm sure you can tell, this saves a tremendous amount of computing power versus the dictionary attack, as we don't need to recalculate the hash of each entry in our list each time we feed it a new hash; we just do it once and the rest is lookups. And finally we have rainbow tables, which are basically pre-computed lookup tables. After we have our tables we can proceed with the lookup attack.

So finally I want to talk to you about salt and pepper. These are used to make hashes stronger and more resistant to attacks. Salting is where a random value is added to each password before it's hashed, and then generally stored alongside that password in the database. Now that a salt has been added, it makes using pre-computed tables such as rainbow tables impossible. If two users have the same password, the hashes for that password with salting would be different from the standard hash generated from the same password and different to each other, so in this case an attacker would need to create hash tables for each individual password. If the salt is the same for every password in the database then this is a mistake, I'd say a misconfiguration or development mistake. I should also mention here that a salt is not a secret and in theory shouldn't need protecting beyond being stored in the database and only read when generating a password hash for comparison, such as when the user logs in. It's not a secret. Pepper, on the other hand, is a secret value added to each password before it's hashed. It's the same value for all users and not stored in the database. It's important that it isn't stored here because it helps protect the hashes even when the database is compromised, essentially adding a secret layer of security to the password hashing process. Both of these methods make cracking passwords much more difficult.

So that's it for today's video. Now if you want a little bit of a challenge and to take your knowledge further, then I definitely recommend coming over to TryHackMe. Come to the search, search for hash, and then you've got some challenges like Crack the Hash and some other CTFs that involve cracking hashes. This is a great place to continue your study and reinforce what we've learned today. See you next time.
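As an added example, not code from the video or from The Cyber Mentor, the Python script below ties together three points from the captions: identifying a hash from its structure (the self-describing bcrypt and argon2 prefixes that hash-identifier missed), the lookup-table attack against unsalted MD5, and why a per-user salt plus a server-side pepper defeats that table. It assumes PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt or argon2, which are not in the standard library, and a constructed five-word list in place of rockyou.txt; the regexes and the demo values are mine, not the video's.

```python
import hashlib
import hmac
import os
import re

# --- 1. Identify a hash by its structure -------------------------------
# bcrypt and argon2 carry a self-describing prefix, which is exactly what
# hash-identifier missed in the video. Bare hex digests can only be told
# apart by length, so a 64-hex string is "SHA-256 or HAVAL-256 or ...".
HASH_PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("argon2", re.compile(r"^\$argon2(id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[^$]+\$[^$]+$")),
    ("md5 (any 128-bit hex digest)", re.compile(r"^[0-9a-fA-F]{32}$")),
    ("sha1 (any 160-bit hex digest)", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("sha256 (any 256-bit hex digest)", re.compile(r"^[0-9a-fA-F]{64}$")),
]


def identify_hash(h: str) -> str:
    """Return the first matching format label, or 'unknown'."""
    h = h.strip()
    for name, pattern in HASH_PATTERNS:
        if pattern.match(h):
            return name
    return "unknown"


# --- 2. Lookup table against unsalted MD5 ------------------------------
# Constructed stand-in for rockyou.txt (assumption, not the real list).
WORDLIST = ["password", "123456", "cheesecake", "letmein", "qwerty"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def build_md5_lookup(words):
    """Hash every word once; each later check is a dictionary lookup."""
    return {md5_hex(w): w for w in words}


def lookup_crack(table, digest: str):
    """Return the plaintext if the digest was pre-computed, else None."""
    return table.get(digest.lower())


# --- 3. Salt + pepper ---------------------------------------------------
# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt/argon2, which are not
# in the Python standard library. ITERATIONS plays the role of bcrypt's cost.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes, pepper: bytes) -> bytes:
    # The pepper is mixed into the secret input and never stored with the row.
    return hashlib.pbkdf2_hmac("sha256", password.encode() + pepper, salt, ITERATIONS)


def new_user_record(password: str, pepper: bytes) -> dict:
    """What the database row would hold: a fresh random salt and the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt, pepper)}


def verify_password(record: dict, candidate: str, pepper: bytes) -> bool:
    expected = hash_password(candidate, record["salt"], pepper)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(record["hash"], expected)


def demo() -> dict:
    table = build_md5_lookup(WORDLIST)
    pepper = os.urandom(32)  # in production: environment/KMS, not the database
    alice = new_user_record("cheesecake", pepper)
    bob = new_user_record("cheesecake", pepper)
    return {
        "unsalted_md5_cracked": lookup_crack(table, md5_hex("cheesecake")),
        "salted_hash_in_table": lookup_crack(table, alice["hash"].hex()),
        "same_password_same_hash": alice["hash"] == bob["hash"],
        "login_ok": verify_password(alice, "cheesecake", pepper),
        "login_wrong_pepper": verify_password(alice, "cheesecake", b"other"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the unsalted MD5 of "cheesecake" falling straight out of the table, while the two salted records for the same password differ from each other and match nothing in the table; the pepper check shows that a copy of the database alone, without the server-side secret, is not enough to verify or crack a hash. Swap the PBKDF2 call for a bcrypt or argon2 library in real code, as the video recommends.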
Info
Channel: The Cyber Mentor
Views: 15,386
Id: yUrooa2aLBg
Length: 19min 9sec (1149 seconds)
Published: Mon Feb 27 2023