Password Recovery

PreviousCryptography & Encoding NextNetwork Tools

Last updated 4 months ago

Password Recovery

Password recovery can be used:

To identify the type of password encryption algorithms used by a system to determine if the security is sufficient,
Determine if users are using weak passwords or
Identify the plaintext password used during a penetration test.

The most popular password recovery techniques are brute-force and dictionary attacks against a password hash.

A decent IT system will not store passwords in plaintext but will instead encrypt the password to generate a unique hash. The security of such systems will depend on the encryption algorithm used (stronger is better) and the complexity of the password (longer and more complex is better.

Better IT systems will add a salt variable to the encryption of the password when generating the hash value. The salt variable makes it harder to perform dictionary or brute-force attacks, especially if the IT admin or pentester does not know the salt value.

The general process of password recovery includes these 4 steps:

Retrieve stored hash value (and possible salt variable)
Identify the type of hash (and therefore the type of encryption used)
Use a password recovery/cracking tool (online, JtR, or hashcat) to attempt recovery based on the several options - a type of hash, wordlist, rule set, and hardware.
Test the recovered password to confirm it works.

Identifying Hashes

The following tools can be used to identify the password hash type or perform password recovery:

Hashcat

It is a fast password recovery tool that helps break complex password hashes.
General hashcat syntax:

hashcat -a (attack mode) -m (hash mode) path/to/hashfile path/to/wordlist

It supports the following attack modes that determine the attack type:

-a 0 Dictionary Attack (default)
-a 1 Combinator - try different word combos from the wordlist
-a 3 Mask/Bruteforce
-a 6 Hybrid + Mask
-a 7 Mask + Hybrid
-a 9 Association

Dictionary Attack is the default attack and is a good choice most of the time. The other attacks are tailored to different situations and develop their strengths there.
Use the --forceflag option to force CPU use instead of GPU; the latter is recommended and performs better.

# Output to file (MD5) 
hashcat -m0 -o found.txt hash.txt rockyou.txt

# Hashcat using the external rules (MySQL)
hashcat  -m300 --status -o found.txt -r rules\OneRuleToRuleThemAll.rule hash.txt rockyou.txt

# Do not write to potfile & remove hashes once cracked
hashcat -m300 --remove --potfile-disable hash.txt rockyou.txt

Cracking NTLM Hashes

Microsoft Windows NTLM hashes can be obtained by dumping the NTDS.dit and SYSTEM registry hive or dumping LSASS memory.

NTLM Hashes can be obtained from the SAM file as well.

Path

Description

C:\Windows\NTDS\ntds.dit

Active Directory database (Domain Controller)

C:\Windows\System32\config\SYSTEM

Registry hive containing the key used to encrypt hashes

C:\Windows\System32\config\SAM

Security Accounts Manager stores passwords locally on the Windows machine.

Use impacket to dump the hashes:

impacket-secretsdump -system SYSTEM -ntds ntds.dit -hashes lmhash:nthash LOCAL -outputfile ntlm-extract

Use hashcat to crack the NTLM hash dump:

hashcat -m 1000 -a 0 hashsample.hash rockyou.txt -r OneRuleToRuleThemAll.rule

Crack Kerboroasting Hashes (KRB5TGS)

Service Principal Name (SPN - service instance unique identifier) is used by Kerberos authentication to associate a service instance with a service logon account, allowing the client application to request that the service authenticate an account even if the client does not have the account name.

After identifying Kerberoastable service accounts (Bloodhound), any AD user can request a KRB5TGS hash from which the password can be cracked; KRB5TGS cracking is 28 times slower than NTLM.

Hashcat supports multiple versions of the KRB5TGS hash (easily identified by the number between the $ symbols):

13100 - Type 23 - $krb5tgs$23$
19600 - Type 17 - $krb5tgs$17$
19700 - Type 18 - $krb5tgs$18$
18200 - ASREP Type 23 - $krb5asrep$23$

hashcat64 -m 13100 -a 0 krb5tgs.hash rockyou.txt -r OneRuleToRuleThemAll.rule

Cracking NTLMv2 (NetNTLMv2) Hashes

After recovering the NTLMv2 hash, use hashcat to recover the password:

Save the hash to an independent file: ntlm_hash.txt
Execute hashcat:

hashcat -m 5600 --force ntlm_hash.txt rockyou.txt

Cracking Linux Hashes

We require access to the /etc/passwdand /etc/shadowfiles.
Use unshadowto 'combine' these files:

unshadow /etc/passwd /etc/shadow > unshadowed.txt

Use hashcat to recover the password:

hashcat -m 1800 -a 0 --force unshadaw.txt rockyou.txt

View recovered password:

Common Hashcat Modes

Cracking Linux Hashes (/etc/shadow file)

Description

500

md5crypt 1 , MD5(Unix)

200

bcrypt 2 ∗ , Blowfish(Unix)

400

sha256crypt 5 , SHA256(Unix)

1800

sha512crypt 6 , SHA512(Unix)

Cracking Windows Hashes

Description

3000

1000

NTLM

Cracking Common Application Hashes

Description

900

MD4

MD5

100

SHA1

1400

SHA256

1700

SHA512

Cracking Common File Password Protections

Description

11600

7-Zip

13600

WinZip

9400

MS Office 2007

9500

MS Office 2010

9600

MS Office 2013

10400

PDF 1.1 - 1.3 (Acrobat 2 - 4)

10410

PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1

10420

PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2

10500

PDF 1.4 - 1.6 (Acrobat 5 - 8)

10600

PDF 1.7 Level 3 (Acrobat 9)

10700

PDF 1.7 Level 8 (Acrobat 10 - 11)

Cracking Common Database Hashes

Description

PostgreSQL

131

MSSQL (2000)

132

MSSQL (2005)

1731

MSSQL (2012, 2014)

200

MySQL323

300

MySQL4.1/MySQL5

3100

Oracle H: Type (Oracle 7+)

112

Oracle S: Type (Oracle 11+)

12300

Oracle T: Type (Oracle 12+)

8000

Sybase ASE

John the Ripper (JtR)

It is used to perform brute-force attacks using different encryption technologies and wordlists.
It has several modules for generating hashes from various file types, such as SSH keys (ssh2john), .kbdx files (keepass2john), and password-protected zip archives (zip2john). The generated hashes are used as input to find the password with John the Ripper.
The johncommand has an extensive range of options and flags and built-in wordlists, but it can be supplied 3rd third-party wordlists.
JtR's primary modes are:
- Single crack mode (default) - the fastest and best mode if you have a full password file to crack.
- Wordlist mode - compares the hash to known list of potential password matches.
- Incremental mode - is the most powerful and possibly will not complete; it the classic brute-force mode that tries every possible character combination.
Using JtR installed via APT or Snap supports limited encryption: descrypt, bsdicrypt, md5crypt, bcrypt, LM, AFS, tripcode, dummy, crypt

Sample Syntax

# Simple Password Recovery (JtR tries to figure out the encryption)
john file_with_hash.txt --wordlist=path/to/wordlist_file

# Specify Encryption format
john file_with_hash.txt --wordlist=path/to/wordlist_file --format=Raw-MD5
john file_with_hash.txt --wordlist=path/to/wordlist_file --format=md5crypt

#Show Recovered Passwords (for particular hash_file)
john --show file_with_hash.txt
john --show --format=Raw-MD5 file_with_hash.txt

# Recover SSH Private Key Passwords
# --------------------------------------------------------------
#    Copy the target id_rsa file (/home/username/.ssh/id_rsa)
#    Convert the private key to a JtR-compatible hash \
#     (Kali - /usr/share/john/ssh2john.py)
python ssh2john.py id_rsa > id_rsa.hash
#    Crack the hash using JtR
john id_rsa.hash --wordlist=path/to/wordlist_file
#    View the retrieved password (use to log in via SSH)
john --show id_rsa.hash

# Recover ZIP Archive Passwords
# --------------------------------------------------------------
#    Use the zip2john (/usr/sbin/zip2john) utility to create a \
#    hash of the zip archive
zip2john file.zip > zip_hash.txt
#    Use JtR to recover the password
john zip_hash.txt --wordlist=path/to/wordlist_file

Additional Resources

PreviousCryptography & Encoding NextNetwork Tools

Last updated 4 months ago