Hashing-Crypt 101

Key Terms

Plaintext - Data before encryption or hashing, often text but not always as it could be a photograph or other file instead.

Encoding - This is NOT a form of encryption, just a form of data representation like base64 or hexadecimal. Immediately reversible.

Hash - A hash is the output of a hash function. Hashing can also be used as a verb, "to hash", meaning to produce the hash value of some data.

Brute force - Attacking cryptography by trying every different password or every different key.

Cryptanalysis - Attacking cryptography by finding a weakness in the underlying maths.

Hashing is used for two main purposes in cyber security: to verify the integrity of data (more on that later), and to verify passwords.

To protect against rainbow tables, we add a salt to the passwords. The salt is randomly generated and stored in the database, unique to each user.

Hash functions like bcrypt and sha512crypt handle this automatically. Salts don’t need to be kept private.

Online Tools

Crackstation

Hashcat

hashes.com

https://www.tunnelsup.com/hash-analyzer/

https://www.kali.org/tools/

Recognising password hashes

On Linux, password hashes are stored in /etc/shadow.

On Windows, password hashes are stored in the SAM.

A great place to find more hash formats and password prefixes is the hashcat example page, available here: https://hashcat.net/wiki/doku.php?id=example_hashes.

Automated hash recognition tools such as https://pypi.org/project/hashID/ exist, but they are unreliable for many formats. Where a hash carries a prefix, the prefix tells you the hashing algorithm used to generate it. The standard format is $format$rounds$salt$hash.

Prefix - Algorithm

$1$ - md5crypt, used in Cisco stuff and older Linux/Unix systems

$2$, $2a$, $2b$, $2x$, $2y$ - Bcrypt (Popular for web applications)

$6$ - sha512crypt (Default for most Linux/Unix systems)
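A parser for the prefixed format described above, as an added example (not part of the original notes). It splits a hash into algorithm, rounds, salt and digest and shows how the two real layouts differ from the generic $format$rounds$salt$hash pattern; the function name parse_crypt_hash is hypothetical, and hashcat mode 500 for md5crypt is taken from the hashcat example-hash list rather than from this page.

```python
import re

# Prefix -> (algorithm, hashcat mode). The prefixes and modes 3200 and 1800 are
# from this page; mode 500 for md5crypt is from hashcat's example-hash list.
PREFIXES = {
    "1": ("md5crypt", 500),
    "2": ("bcrypt", 3200), "2a": ("bcrypt", 3200), "2b": ("bcrypt", 3200),
    "2x": ("bcrypt", 3200), "2y": ("bcrypt", 3200),
    "6": ("sha512crypt", 1800),
}


def parse_crypt_hash(value):
    """Split a prefixed password hash into fields; None if not recognised."""
    parts = value.strip().split("$")
    # The leading "$" leaves parts[0] empty; parts[1] is the format identifier.
    if len(parts) < 3 or parts[0] != "" or parts[1] not in PREFIXES:
        return None
    algorithm, mode = PREFIXES[parts[1]]
    fields = parts[2:]
    if algorithm == "bcrypt":
        # $2a$<cost>$<22-char salt><31-char hash>: salt and hash share a field,
        # and the cost is a base-2 exponent, not an iteration count.
        if len(fields) != 2 or not re.fullmatch(r"\d\d", fields[0]) or len(fields[1]) != 53:
            return None
        rounds, salt, digest = 2 ** int(fields[0]), fields[1][:22], fields[1][22:]
    else:
        # md5crypt is fixed at 1000 iterations; sha512crypt defaults to 5000
        # and only carries a "rounds=N" field when that default was changed.
        rounds = 1000 if algorithm == "md5crypt" else 5000
        explicit = re.fullmatch(r"rounds=(\d+)", fields[0])
        if algorithm == "sha512crypt" and explicit:
            rounds, fields = int(explicit.group(1)), fields[1:]
        if len(fields) != 2:
            return None
        salt, digest = fields
    return {"algorithm": algorithm, "hashcat_mode": mode,
            "rounds": rounds, "salt": salt, "hash": digest}


if __name__ == "__main__":
    # The three hashes used in the exercises on this page.
    for sample in (
        "$2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG",
        "$6$GQXVvW4EuM$ehD6jWiMsfNorxy5SINsgdlxmAEl3.yif0/c3NqzGLa0P.S7KRDYjycw5bnYkF5ZtB8wQy8KnskuWQS3Yr1wQ0",
        "9eb7ee7f551d2f0ac684981bd1f1e2fa4a37590199636753efe614d4db30e8e1",
    ):
        print(parse_crypt_hash(sample))
```

The unprefixed 64-character hex hash returns None: with no prefix, only its length hints at the algorithm, which is why it has to be looked up separately.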

Password Cracking

Tools like Hashcat and John the Ripper are normally used for this.

Hashcat syntax: hashcat -m algorithm 'hash' wordlist

Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...

Cracking this hash: $2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG

hashcat -m 3200 '$2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG' /usr/share/wordlists/rockyou.txt

s1: find hash algorithm using hashes.com or hash analyzer

s2: identify the algorithm mode number

s3: crack the hash using hashcat

Crack this hash: 9eb7ee7f551d2f0ac684981bd1f1e2fa4a37590199636753efe614d4db30e8e1

Search for the hash on https://hashes.com/en/tools/hash_identifier | result: hallowen, SHA-256

Crack this hash: $6$GQXVvW4EuM$ehD6jWiMsfNorxy5SINsgdlxmAEl3.yif0/c3NqzGLa0P.S7KRDYjycw5bnYkF5ZtB8wQy8KnskuWQS3Yr1wQ0

s1: find hash algorithm using https://hashes.com/en/tools/hash_identifier

s2: identify the algorithm mode number | sha512crypt $6$, SHA512 (Unix): mode 1800

s3: crack the hash using hashcat: hashcat -m 1800 '$6$GQXVvW4EuM$ehD6jWiMsfNorxy5SINsgdlxmAEl3.yif0/c3NqzGLa0P.S7KRDYjycw5bnYkF5ZtB8wQy8KnskuWQS3Yr1wQ0' /usr/share/wordlists/rockyou.txt | result: spaceman
