Jump to content
Sign in to follow this  

[sunjester tuts] Tutorial Understanding and Cracking Password Hashes

1 post in this topic


Password hashes can be very challenging to crack. I see a lot of people online who just don't understand how password hashes work or even how they are made. I will use the PHP interactive shell in some cases during the tutorial. I will try to add as many links throughout the tutorial for extra research and reading.

Hash Identification
One of the most important parts for cracking a hash is identifying what type of hash you have. The JTR website (openwall) has a nice list of hashes that can help you identify what type of hash you have, https://openwall.info/wiki/john/sample-hashes. It is important to be able to recognize hashes. I am a fan of regular expressions so let's do some regex and see if we can make something that identifies (or attempts to identify) hashes.

We'll start with an easy one, MD5, which will also match the first 32 characters of SHA-1


SHA-1 is always 160 bits, 40 characters




One-Way Hashing
MD5 is a widely used one-way hashing function. One-way hashes are difficult to crack. When you hash a string, with MD5 for example, you take two inputs and get one output. In 2008 the CCC showed us that they could use collision checking to forge new SSL certificates. Since then, Verisign does not generate SSL certificates with MD5. This is a flaw in the MD5 one-way hashing algorithm. There is another kind of "collision" checking that is pretty basic and is used by most "md5 cracking" websites. That is to generate a hash of a known word and check it against the hash the user is trying to crack. The problem with this brute force method is the same as other brute force methods, it's fucking time consuming.

When you create an MD5 password hash you probably want to do it with a salt. A salt is like a special code/passphrase to add that extra layer of protection to the hash. If you hash a password with a salt, chances are, that unless a person has the hash and the salt, it won't be cracked. I'm not saying it can't be cracked. The PHP password_hash function automatically generates a random salt if you don't provide one.

There are different ways to use salts but one way is to just append the salt to the password or the hash and hash it again. Below is some PHP code that uses a salt to change the MD5 of the password. Typically you would store the salts out of your web directory or in a different database to prevent hackers from cracking password hashes. Also, in the example I use the word 'haha' as the salt, you should use a random string of characters.

php > $salt='haha';
php > echo md5($salt.'password');
php > echo md5('password');

Generating Hashes
Let's see what kind of hashes PHP can make for us and what they look like.


php > echo md5('hello world');


php > echo sha1('hello world');

PHP password_hash with bcrypt

php > echo password_hash('hello world', PASSWORD_BCRYPT);

PHP password_hash by default

php > echo password_hash('hello world', PASSWORD_DEFAULT);

In Python, to generate and print an MD5 hash you can use hashlib.

(xenial)[email protected]:~$ python
Python 2.7.12 (default, Nov 12 2018, 14:36:49) 
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> hash = hashlib.md5(str.encode('password'))
>>> print hash.hexdigest()

Simple Collision Cracking
I have been in arguments with people who think that because a hash appears to be an MD5 hash, makes it an MD5 hash. This isn't the case for all hashes. Let's say we have a password, password. We can hash that thing as much as we want with other algorithms and then hash it with MD5. People who don't understand how it was originally hashed will just think it's some strong password that can't be cracked. It's password for christ sake, it can be cracked. You can crack it open if you know HOW it was created in the first place. Some people want you to crack a hash but can't even tell you what software it came from. For example, let's hash up the password hash a few different ways.

php > echo sha1(md5('password'));

Above we have wrapped the md5 in a SHA1. To crack the password we cant simply check it with a sha1() php function, using a hash collision as stated before. We would need to use sha1(md5()), since that was how it was created. Below is a sample function to show how you would construct something like that.

//return true/1 if the word we give it is the password
function crackPass($hash, $word)
        return sha1(md5($word)) == $hash ? true:false;
	echo crackPass("55c3b5386c486feb662a0785f340938f518d547f", "password")."\n";

And running it in the terminal would give you..

(xenial)[email protected]:/var/www/html$ php crack.php 

You can do some research on your own and dive into some open software forums and see how they hash their passwords. Most use BCrypt now and not just regular MD5, a topic here for MyBB shows the hashing algorithm for MyBB 1.x. So the code above you could simply change it to accommodate for the salt and different way they hashed their password, and you have created yourself a MyBB 1.x password cracker. It's neat to learn.

Cracking Hashes with JTR
The best password cracker I have ever used is JohnTheRipper. I have been using this software for over 10 years, maybe 15? I forget. The point is, it works. You can find all kinds of guides for using it on many different websites and forums. Basically you will create a file with your password hashes in it, then feed it to John. You don't have to supply a username if you don't want, and you don't even have to supply a wordlist if you don't want. At the time of writing this JTR is in version 1.8. You can see some commands below for download, unzipping and installing john, from source.


wget https://www.openwall.com/john/j/john-1.8.0.tar.xz


tar -xvf john-1.8.0.tar.xz


sudo make GENERIC

When you install john it will go through a benchmark and depending on the speed of your processor(s), it can be fast or slow. If you want the jumbo version of JTR you can get it from Github. I recommend this version. Below is how to clone it into a new repo.

git clone https://github.com/magnumripper/JohnTheRipper.git

Once you clone it, move into the src directory and build it with the following commands, as stated in the documentation.

sudo ./configure && make -s clean && make -sj4

After you have cloned it and built it you can start cracking hashes immediately, however I suggest giving it a benchmark. If you are cracking a list of MD5's, this is probably the version you want. You can get started by using the following command (changing the filenames of course).

(xenial)[email protected]:~/Downloads/JohnTheRipper/run$ ./john -wordlist=password.lst -format=raw-md5 /home/sunjester/Downloads/passwords.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 SSE4.1 4x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
password         (admin)
1g 0:00:00:00 DONE (2018-12-05 13:54) 25.00g/s 4800p/s 4800c/s 4800C/s 123456..knight
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed

and you can view the cracked passwords for that file like this..

./john -format=raw-md5 -show /home/sunjester/Downloads/passwords.txt


Share this post

Link to post
Share on other sites

Your content will need to be approved by a moderator

You are commenting as a guest. If you have an account, please sign in.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

×   Your link has been automatically embedded.   Display as a link instead

Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

About us

3rdWorld.cc is a cracking forum community that suits the purpose of everyone. We offer paid program for free, cracking tools, combolists, marketplace and many more. You can also expand on knowledge and participate in active discussions.