Tip of the day

[freeroute]

Utility "raw2dyna" (included in the John the Ripper package)

┌──(freeroute㉿Orion-Nebula)-[/usr/local/src/john/run]
└─$ ./raw2dyna --h
usage ./raw2dyna [options] < input > output
Options:
-d=# dyna number (-d=12 and $dynamic_12$hash$salt is used)
-a ALL hashes get $HEX$ and not simply hashes which have problems
-ls=# The salt is the leading data, and it is # bytes long
-ss=b The salt separator char is b a blank -ss= means no separator char
-hl=n The length of hash. SHA1 is 40, MD4/5 is 32, SHA256 is 64, etc
-2h=r perform a simple convert to hex. the string r is converted to $HEX$hhhh...
-2r=h perform a simple convert out of hex. the hex string h is converted to raw data
if either -2h or -2r are used, then the convert is done and the program exits
defaults are -d=12 -ss=: -hl=32

To convert any string to hexadecimal, use the -2h option:
└─$ ./raw2dyna -2h='Orion' 1 ⨯
$HEX$4f72696f6e

To convert hexadecimal string to raw data, use -2r option:
└─$ ./raw2dyna -2r='4f72696f6e'
Orion

 

[freeroute]

Sample password hash encoding strings
https://openwall.info/wiki/john/sample-hashes

Sample non-hashes (to be) supported by JtR
https://openwall.info/wiki/john/sample-non-hashes?s[]=office

John The Ripper Hash Formats
http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats

A collection of samples for development and testing of John the Ripper and other password security auditing and password recovery tools
https://github.com/openwall/john-samples

Example hashes
https://hashcat.net/wiki/doku.php?id=example_hashes

 

[freeroute]

Generate MD5 hashes, iteration 10

Command:
echo -n 'Password' | ./mdxfind -h '^MD5$' -i 10 -h '!salt,!user' -z -f /dev/null stdin 2>&1
Debug output - output all hashes, explore long hash chains
Iterations set to 10
Working on hash types: MD5
Took 0.00 seconds to read hashes
Searching through 0 unique hashes from /dev/null
Maximum hash chain depth is 0
Minimum hash length is 512 characters
Using 4 cores
MD5x01 dc647eb65e6711e155375218212b3964:Password
MD5x02 b8498ee29e56e711a268ae8cc461ae94:Password
MD5x03 d95a7c1d16d52134dafc6d1c1f9f2695:Password
MD5x04 e5e79fac774f77000a0e5c1e6404ac1b:Password
MD5x05 fe9ca65247fdfa34ae6127b9cd975017:Password
MD5x06 27024bb6ed2c5e35bb2d74fde9c27d33:Password
MD5x07 7bd582adab8f80fb1519dca257c48c25:Password
MD5x08 ddb38f338cad584aa03cccc3fff5aa27:Password
MD5x09 856a78ac57a0e6f5165d8f31d1deac19:Password
MD5x10 86b41cafc64ccec288190b1f3c97cce2:Password

 

[freeroute]

Source:

https://twitter.com/i/web/status/1437647968409030657

"Hash enthusiasts: new version of combinatorX (passphrase combination tool). Part of hashcat-utils. Now both faster and supporting more sources/positions."

Added combinatorX, version 1.0 by matrix · Pull Request #58 · hashcat/hashcat-utils

Hi Jens, i modified your combinator3, creating an improved version which I called "combinatorX". Following the help with an example. Usage: ./combinatorX.bin [<options>] Options: ...

github.com

 

[freeroute]

tldr - short man page with example

Source: https://github.com/tldr-pages/tldr
Install: pip3 install tldr

┌──(freeroute㉿Orion-Nebula)-[~]
└─$ tldr john

john

Password cracker.
More information: https://www.openwall.com/john/.

- Crack password hashes:
john path/to/hashes.txt

- Show passwords cracked:
john --show path/to/hashes.txt

- Display users' cracked passwords by user identifier from multiple files:
john --show --users=user_ids path/to/hashes* path/to/other/hashes*

- Crack password hashes, using a custom wordlist:
john --wordlist=path/to/wordlist.txt path/to/hashes.txt

- List available hash formats:
john --list=formats

- Crack password hashes, using a specific hash format:
john --format=md5crypt path/to/hashes.txt

- Crack password hashes, enabling word mangling rules:
john --rules path/to/hashes.txt

- Restore an interrupted cracking session from a state file, e.g. `mycrack.rec`:
john --restore=path/to/mycrack.rec

┌──(freeroute㉿Orion-Nebula)-[~]
└─$ tldr hashcat

hashcat

Fast and advanced password recovery tool.
More information: https://manned.org/hashcat.

- Perform a brute-force attack (mode 3) with the default hashcat mask:
hashcat --hash-type hash_type_id --attack-mode 3 hash_value

- Perform a brute-force attack (mode 3) with a known pattern of 4 digits:
hashcat --hash-type hash_type_id --attack-mode 3 hash_value "?d?d?d?d"

- Perform a brute-force attack (mode 3) using at most 8 of all printable ASCII characters:
hashcat --hash-type hash_type_id --attack-mode 3 --increment hash_value "?a?a?a?a?a?a?a?a"

- Perform a dictionary attack (mode 0) using the RockYou wordlist of a Kali Linux box:
hashcat --hash-type hash_type_id --attack-mode 0 hash_value /usr/share/wordlists/rockyou.txt

- Perform a rule-based dictionary attack (mode 0) using the RockYou wordlist mutated with common password variations:
hashcat --hash-type hash_type_id --attack-mode 0 --rules-file /usr/share/hashcat/rules/best64.rule hash_value /usr/share/wordlists/rockyou.txt

- Perform a combination attack (mode 1) using the concatenation of words from two different custom dictionaries:
hashcat --hash-type hash_type_id --attack-mode 1 hash_value /path/to/dictionary1.txt /path/to/dictionary2.txt

- Show result of an already cracked hash:
hashcat --show hash_value

 

[freeroute]

Hashes, hashes everywhere, but all I see is plaintext - SecTor 2019, Will Hunt

"I will recap traditional cracking techniques before utilising combinator attacks to challenge recent password guidance of passphrases over passwords. I will then focus on more advanced methods, leveraging additional tools to launch attacks such as Fingerprint, PRINCE and Purple Rain. Non-deterministic techniques will be shown that are designed for infinite runtime, resulting in candidate generation that traditional dictionaries and rules would never achieve. An example algorithm will then be targeted that prohibits us from attacking with GPUs, after which the talk will conclude with attacks against non-ASCII characters, utilising hex to attack foreign character passwords."

https://sector.ca/sessions/hashes-hashes-everywhere-but-all-i-see-is-plaintext/

Presentation in format pdf: https://mega.nz/file/DEQyFZTK#VQ4QCb1BiGMbFIIwuox4ODnoaw2CRAFMtjYsVY6XBG0

 

[freeroute]

 

[freeroute]

 

[174region174]

Yeah. All this is very interesting. But the blogger shows how he searches for passwords from hashes that he generated himself. He knows roughly what to look for. I have already seriously dealt with various attacks. I used Markov chains. The attack -a 9, when all the hints were known and much more... The results were poor. I'll tell you what happened at my place. In Markov chains, I generated .hcstat from the found passwords from a huge number of the same hashes. I wanted to get a good result. The attack lasted a very long time and about 15% passwords were found.
The attack is -a 9 . With the application of the rules. If you create a wordlist with hints and arrange them in the wrong order as the hashes to which they belong are located. The result will be 0% . Even if the hints are accurate.
Most often, we are on this forum trying to find passwords from hashes about which nothing is known. According to this, the best thing that was possible ...It's just to use the rules. And the attacks are -a 1 , -a 6 , -a 7, -a 0.

 

[pasnger57]

Yeah. All this is very interesting. But the blogger shows how he searches for passwords from hashes that he generated himself. He knows roughly what to look for. I have already seriously dealt with various attacks. I used Markov chains. The attack -a 9, when all the hints were known and much more... The results were poor. I'll tell you what happened at my place. In Markov chains, I generated .hcstat from the found passwords from a huge number of the same hashes. I wanted to get a good result. The attack lasted a very long time and about 15% passwords were found.
The attack is -a 9 . With the application of the rules. If you create a wordlist with hints and arrange them in the wrong order as the hashes to which they belong are located. The result will be 0% . Even if the hints are accurate.
Most often, we are on this forum trying to find passwords from hashes about which nothing is known. According to this, the best thing that was possible ...It's just to use the rules. And the attacks are -a 1 , -a 6 , -a 7, -a 0.

I thought -a 9 was for a hash list and salts to be used in pairs >> if my understading was right and (no i have not had time to watch/reed this set documentation myself just passing in reading when it was added to hashcat ... its on my list of things to read...

 

[freeroute]

Collection of stuff the team Hashcat made during contests CMIYC2021

team-hashcat/CMIYC2021 at main · hashcat/team-hashcat

Team hashcat event writeups and tools. Contribute to hashcat/team-hashcat development by creating an account on GitHub.

github.com

 

[freeroute]

R1Soft

Example:
yt2rR1p4InNNgK1h5Q6/S5i46DU=
sKncqu3UZ7noa8wCBZ7wDzHqCl0
egkvS2Q9QUzI7Jw5wvNFfvyIotQ=

Convert base64 to hex
┌──(freeroute㉿Orion-Nebula)-[~]
└─$ echo yt2rR1p4InNNgK1h5Q6/S5i46DU= | base64 -d - | xxd -p
caddab475a7822734d80ad61e50ebf4b98b8e835

caddab475a7822734d80ad61e50ebf4b98b8e835
b0a9dcaaedd467b9e86bcc02059ef00f31ea0a5d
7a092f4b643d414cc8ec9c39c2f3457efc88a2d4

Algo: SHA1
Hash.Mode........: 100 (SHA1)

caddab475a7822734d80ad61e50ebf4b98b8e835:laikinas123.

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 100 (SHA1)
Hash.Target......: caddab475a7822734d80ad61e50ebf4b98b8e835
Time.Started.....: Fri Oct 15 14:35:07 2021 (1 sec)
Time.Estimated...: Fri Oct 15 14:35:08 2021 (0 secs)

 

[freeroute]

yescrypt - scalable KDF and password hashing scheme​

yescrypt is now the default password hashing scheme on Debian 11 (released recently) and Fedora 35

yescrypt - scalable KDF and password hashing scheme

yescrypt is a password-based key derivation function (KDF) and password hashing scheme. It builds upon scrypt and includes classic scrypt, a minor extension of scrypt known as YESCRYPT_WORM, and the full native yescrypt also known as YESCRYPT_RW.

www.openwall.com

 

[174region174]

hashcat is able to output a dictionary to a text document. You can create a combined dictionary to sort by some mobile operators.
This is one example. Try to reproduce it yourself.
hashcat.exe -a 1 --stdout adjectives.txt nouns.txt > netgear.txt

 

[174region174]

PSKracker/dicts/netgear-spectrum at master · andrewjlamarche/PSKracker

An all-in-one WPA/WPS toolkit. Contribute to andrewjlamarche/PSKracker development by creating an account on GitHub.

github.com

On this resource there are two more text documents for compiling a combined dictionary.

 

[freeroute]

https://twitter.com/i/web/status/1460267269146255367

 

[freeroute]

https://twitter.com/i/web/status/1461367642174803977

 

[telemsoo]

thank you for these tips can you respond to me please ? i'm new here

 

[freeroute]

Actually hashcat does have a plaintext mode (-m 99999). It's there for testing your own written rules.

 

[julias]

Attached a very simple bash script to do this (create_md5_hashlist_for_edmodo.sh)

I know this post is old but is there any way you could repost this script the link is not working.
Thanks