Password Recovery

Password recovery can be used:

• To identify the type of password encryption algorithms used by a system to determine if the security is sufficient,

• Determine if users are using weak passwords or

• Identify the plaintext password used during a penetration test.

The most popular password recovery techniques are brute-force and dictionary attacks against a password hash.

A decent IT system will not store passwords in plaintext but will instead encrypt the password to generate a unique hash. The security of such systems will depend on the encryption algorithm used (stronger is better) and the complexity of the password (longer and more complex is better.

Better IT systems will add a salt variable to the encryption of the password when generating the hash value. The salt variable makes it harder to perform dictionary or brute-force attacks, especially if the IT admin or pentester does not know the salt value.

Secure password hashing with salt

The general process of password recovery includes these 4 steps:

1. Retrieve stored hash value (and possible salt variable)

2. Identify the type of hash (and therefore the type of encryption used)

3. Use a password recovery/cracking tool (online, JtR, or hashcat) to attempt recovery based on the several options - a type of hash, wordlist, rule set, and hardware.

4. Test the recovered password to confirm it works.

Identifying Hashes

Use the following site to generate hashes: https://www.browserling.com/tools/all-hashes

The following tools can be used to identify the password hash type or perform password recovery:

Crackstation

• Crackstation (https://crackstation.net/): an online utility that uses pre-computed lookup tables to crack and identify password hashes.

• Hashes.com (https://hashes.com/en/tools/hash_identifier): an online utility that can identify hashes.

• Hash-Identifier (https://www.kali.org/tools/hash-identifier/): CLI tool that identifies different types of hashes. Use the command hash-identifierto launch the utility and then input the hash.

• Hash-id (https://snapcraft.io/hash-id): CLI tool for identifying hash types. Use the command hash-id -h <hash_string> or hash-id -f <file_with_hash_string.txt>to identify the hash type.

Hashcat

• It is a fast password recovery tool that helps break complex password hashes.

• General hashcat syntax:

hashcat -a (attack mode) -m (hash mode) path/to/hashfile path/to/wordlist

• It supports the following attack modes that determine the attack type:

-a 0 Dictionary Attack (default)
-a 1 Combinator - try different word combos from the wordlist
-a 3 Mask/Bruteforce
-a 6 Hybrid + Mask
-a 7 Mask + Hybrid
-a 9 Association

• Dictionary Attack is the default attack and is a good choice most of the time. The other attacks are tailored to different situations and develop their strengths there.

• Hash Mode - specifies which hash type should be cracked and is specified using the -m flag. List of supported modes.

• Use the --forceflag option to force CPU use instead of GPU; the latter is recommended and performs better.

• Use the hashcat -h help menu to view the list of available options.

# Output to file (MD5) 
hashcat -m0 -o found.txt hash.txt rockyou.txt

# Hashcat using the external rules (MySQL)
hashcat  -m300 --status -o found.txt -r rules\OneRuleToRuleThemAll.rule hash.txt rockyou.txt

# Do not write to potfile & remove hashes once cracked
hashcat -m300 --remove --potfile-disable hash.txt rockyou.txt

Cracking NTLM Hashes

Microsoft Windows NTLM hashes can be obtained by dumping the NTDS.dit and SYSTEM registry hive or dumping LSASS memory.

NTLM Hashes can be obtained from the SAM file as well.

Path	Description
C:\Windows\NTDS\ntds.dit	Active Directory database (Domain Controller)
C:\Windows\System32\config\SYSTEM	Registry hive containing the key used to encrypt hashes
C:\Windows\System32\config\SAM	Security Accounts Manager stores passwords locally on the Windows machine.

Use impacket to dump the hashes:

impacket-secretsdump -system SYSTEM -ntds ntds.dit -hashes lmhash:nthash LOCAL -outputfile ntlm-extract

Use hashcat to crack the NTLM hash dump:

hashcat -m 1000 -a 0 hashsample.hash rockyou.txt -r OneRuleToRuleThemAll.rule

Crack Kerboroasting Hashes (KRB5TGS)

Service Principal Name (SPN - service instance unique identifier) is used by Kerberos authentication to associate a service instance with a service logon account, allowing the client application to request that the service authenticate an account even if the client does not have the account name.

After identifying Kerberoastable service accounts (Bloodhound), any AD user can request a KRB5TGS hash from which the password can be cracked; KRB5TGS cracking is 28 times slower than NTLM.

Hashcat supports multiple versions of the KRB5TGS hash (easily identified by the number between the $ symbols):

• 13100 - Type 23 - $krb5tgs$23$

• 19600 - Type 17 - $krb5tgs$17$

• 19700 - Type 18 - $krb5tgs$18$

• 18200 - ASREP Type 23 - $krb5asrep$23$

hashcat64 -m 13100 -a 0 krb5tgs.hash rockyou.txt -r OneRuleToRuleThemAll.rule

Cracking NTLMv2 (NetNTLMv2) Hashes

Obtain the NTLM hash during the NTLM authentication process to perform several attacks, including 'Pass the Hash' or attempt to recover the password.

After recovering the NTLMv2 hash, use hashcat to recover the password:

1. Save the hash to an independent file: ntlm_hash.txt

2. Execute hashcat:

hashcat -m 5600 --force ntlm_hash.txt rockyou.txt

Cracking Linux Hashes

1. We require access to the /etc/passwdand /etc/shadowfiles.

2. Use unshadowto 'combine' these files:

unshadow /etc/passwd /etc/shadow > unshadowed.txt

1. Use hashcat to recover the password:

hashcat -m 1800 -a 0 --force unshadaw.txt rockyou.txt

1. View recovered password:

Common Hashcat Modes

Cracking Linux Hashes (/etc/shadow file)

ID	Description
500	md5crypt 1 , MD5(Unix)
200	bcrypt 2 ∗ , Blowfish(Unix)
400	sha256crypt 5 , SHA256(Unix)
1800	sha512crypt 6 , SHA512(Unix)

Cracking Windows Hashes

ID	Description
3000	LM
1000	NTLM

Cracking Common Application Hashes

ID	Description
900	MD4
0	MD5
100	SHA1
1400	SHA256
1700	SHA512

Cracking Common File Password Protections

ID	Description
11600	7-Zip
13600	WinZip
9400	MS Office 2007
9500	MS Office 2010
9600	MS Office 2013
10400	PDF 1.1 - 1.3 (Acrobat 2 - 4)
10410	PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1
10420	PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2
10500	PDF 1.4 - 1.6 (Acrobat 5 - 8)
10600	PDF 1.7 Level 3 (Acrobat 9)
10700	PDF 1.7 Level 8 (Acrobat 10 - 11)

Cracking Common Database Hashes

ID	Description
12	PostgreSQL
131	MSSQL (2000)
132	MSSQL (2005)
1731	MSSQL (2012, 2014)
200	MySQL323
300	MySQL4.1/MySQL5
3100	Oracle H: Type (Oracle 7+)
112	Oracle S: Type (Oracle 11+)
12300	Oracle T: Type (Oracle 12+)
8000	Sybase ASE

John the Ripper (JtR)

• It is used to perform brute-force attacks using different encryption technologies and wordlists.

• It has several modules for generating hashes from various file types, such as SSH keys (ssh2john), .kbdx files (keepass2john), and password-protected zip archives (zip2john). The generated hashes are used as input to find the password with John the Ripper.

• The johncommand has an extensive range of options and flags and built-in wordlists, but it can be supplied 3rd third-party wordlists.

• JtR's primary modes are:

  • Single crack mode (default) - the fastest and best mode if you have a full password file to crack.

  • Wordlist mode - compares the hash to known list of potential password matches.

  • Incremental mode - is the most powerful and possibly will not complete; it the classic brute-force mode that tries every possible character combination.

• Using JtR installed via APT or Snap supports limited encryption: descrypt, bsdicrypt, md5crypt, bcrypt, LM, AFS, tripcode, dummy, crypt

• Either use the included Kali JtR or install the Jumbo package from Openwall (https://www.openwall.com/john/)

Recovering Zip archive with zip2john & JtR

Sample Syntax

# Simple Password Recovery (JtR tries to figure out the encryption)
john file_with_hash.txt --wordlist=path/to/wordlist_file

# Specify Encryption format
john file_with_hash.txt --wordlist=path/to/wordlist_file --format=Raw-MD5
john file_with_hash.txt --wordlist=path/to/wordlist_file --format=md5crypt

#Show Recovered Passwords (for particular hash_file)
john --show file_with_hash.txt
john --show --format=Raw-MD5 file_with_hash.txt

# Recover SSH Private Key Passwords
# --------------------------------------------------------------
#    Copy the target id_rsa file (/home/username/.ssh/id_rsa)
#    Convert the private key to a JtR-compatible hash \
#     (Kali - /usr/share/john/ssh2john.py)
python ssh2john.py id_rsa > id_rsa.hash
#    Crack the hash using JtR
john id_rsa.hash --wordlist=path/to/wordlist_file
#    View the retrieved password (use to log in via SSH)
john --show id_rsa.hash

# Recover ZIP Archive Passwords
# --------------------------------------------------------------
#    Use the zip2john (/usr/sbin/zip2john) utility to create a \
#    hash of the zip archive
zip2john file.zip > zip_hash.txt
#    Use JtR to recover the password
john zip_hash.txt --wordlist=path/to/wordlist_file

Additional Resources

Hashcat Modes

Hashcat Cheatsheet - GitHub Resource

Awesome Password Cracking - GitHub Resource

Stealing and Cracking NTLMv2 Hashes - YouTube

Recovering Complex Passwords with Rules & Munging - John Hammond (YouTube)

OneRuleToRuleThemStill - Stealthsploit (GitHub)

Password Munging - Th3S3cr3tAg3nt (GitHub)

John The Ripper Hash Formats - Pentest Monkey

John The Ripper Cheatsheet

JtR Cheatsheet (PDF)