Identifying the Hashes
One of the Best Tools to Identify Hashes is Name-That-Hash, as it produces more Reliable Results and Outputs the corresponding Hashcat Mode and John The Ripper Format. There are also Older Tools, HashID and Hash-Identifier, although they are not as Reliable.
- Name-That-Hash
nth --text 'HASH'
:: [--text] - Hash Text.
:: [--file] - Hash File.
:: [--base64] - Decodes Hashes in Base64.
- HashID
hashid 'HASH'
:: [--extended] - List all possible Hash Algorithms including Salted Passwords.
:: [--mode] - Show corresponding Hashcat Mode in Output.
:: [--john] - Show corresponding JohnTheRipper Format in Output.
- HashIdentifier
hash-identifier 'HASH'
Dictionary Attack
A Dictionary Attack is a Technique used to guess Passwords by using Well-Known Words or Phrases. The Dictionary Attack relies entirely on Pre-Gathered WordLists that were previously Generated or Found.
One of the most Popular Offline Dictionary Attack Tools is hashcat.
hashcat -a <Attack Mode> -m <Hash Type> "HASH" <WordList>
:: Basic Usage
:: [-a] - Sets the Attacking Mode (Default [0] Dictionary Attack).
:: [-m] - Hash Type.
:: [--force] - Ignore Warnings.
:: [--show] - Show the Cracked Value.
Brute-Force Attack
Brute-Forcing is a common Attack used by the Attacker to gain Unauthorized access to a Personal Account. This method is used to guess the Victim's Password by sending standard Password Combinations.
In contrast to a Dictionary Attack, a Brute-Force Attack tries every possible Combination of Characters from a chosen Character Set.
:: Show Charset Options
:: Charset can be used to Generate our own Combinations
hashcat --help | grep "Charset" -A 10
:: Brute-Force Attack that Covers the Range [0000 - 9999]
hashcat -a 3 ?d?d?d?d --stdout
:: [-a 3] - Sets the Attacking Mode as a Brute-Force Attack.
:: [?d?d?d?d] - The [?d] Tells Hashcat to use a Digit.
:: [--stdout] - Print the Results to the Terminal.
:: Brute-Force a Hash using our 4-Digit Mask
hashcat -a 3 -m 0 "HASH" ?d?d?d?d
:: [-m 0] - Hash Type 0 (MD5).
? | Charset
--+----------------------------------
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
:: Terminal Output of the [0000 - 9999] Brute-Force Attack
:: (the Candidates are not printed in Numeric Order)
[...]
1234
0234
2234
3234
9234
4234
5234
8234
7234
6234
[...]
Rule-Based Attacks
Rule-Based Attacks are also known as Hybrid Attacks. Rule-Based Attacks assume the Attacker knows something about the Password Policy. Rules are applied to create Passwords within the Guidelines of the given Password Policy and should, in theory, only generate valid Passwords.
For this Task we can use John The Ripper. John has a Config File that contains rule sets, which is located at /etc/john/john.conf or /opt/john/john.conf depending on your Distro or how John was Installed.
We can read /etc/john/john.conf and look for List.Rules to see all the Available Rules.
:: List the Names of the [List.Rules:<Name>] Sections defined in john.conf
grep '^\[List\.Rules:' /etc/john/john.conf | cut -d":" -f2 | cut -d"]" -f1 | sort -u
Rule-Based WordList
We can create a WordList with only one Password, to see how John is going to Expand the WordList for us.
:: Expand the WordList and Print the Result to the Terminal
john --wordlist=<WordList> --rules=<Rule Name> --stdout
Custom Rules
Custom Rules must be Added at the end of the john.conf Configuration File.
We can Build our own Rules and use them at run time while John is Cracking the Hash, or use a Rule to Build a Custom Wordlist.
The Rule down below is going to add one Special Character from [!@#$] to the Beginning of Each Word and add one Number [0-9] at the End.
- Custom Rule
[List.Rules:Custom-Password-Attacks]
Az"[0-9]" ^[!@#$]
- Using Custom Rules
john --wordlist=<WordList> --rules=<Rule> --stdout
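To see why a "Special Character + Word + Number" Password only looks complex, the Custom Rule above can be modelled in a few lines. This is an added example, not code from the original page or from John The Ripper: it expands the two bracket classes into concrete rules the way John's preprocessor does (10 x 4 = 40 per Word) and lets a defender audit a password list against that candidate space. The function names, the sample Words and the sample Passwords are assumptions constructed for illustration, and the output order is not John's.

```python
import itertools
import re

RULE = 'Az"[0-9]" ^[!@#$]'  # the custom rule line shown on this page


def expand_classes(rule):
    """Expand [..] classes into one concrete rule per combination, as John's
    rule preprocessor does. Supports ranges such as 0-9, no escapes."""
    parts = re.split(r"\[([^\]]+)\]", rule)  # odd indexes hold class bodies
    choices = []
    for i, part in enumerate(parts):
        if i % 2:
            part = re.sub(r"(.)-(.)", lambda m: "".join(
                chr(c) for c in range(ord(m[1]), ord(m[2]) + 1)), part)
            choices.append(list(part))
        else:
            choices.append([part])
    return ["".join(combo) for combo in itertools.product(*choices)]


def apply_rule(rule, word):
    """Apply the two commands used here: Az"STR" appends, ^X prepends."""
    i = 0
    while i < len(rule):
        if rule.startswith('Az"', i):
            end = rule.index('"', i + 3)
            word += rule[i + 3:end]
            i = end + 1
        elif rule[i] == "^":
            word = rule[i + 1] + word
            i += 2
        elif rule[i] == " ":
            i += 1
        else:
            raise ValueError(f"unsupported rule command: {rule[i:]!r}")
    return word


def candidates(words, rule=RULE):
    """Every password the rule derives from the given words (unordered)."""
    return {apply_rule(r, w) for w in words for r in expand_classes(rule)}


def audit(passwords, words):
    """Return the passwords this rule would derive from the wordlist."""
    derived = candidates(words)
    return [p for p in passwords if p in derived]


if __name__ == "__main__":
    words = ["password", "summer"]  # constructed sample wordlist
    stored = ["!password1", "$summer9", "password1!", "Tr0ub4dor&3"]  # constructed
    print(len(candidates(["password"])), audit(stored, words))
```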