Thursday, February 22, 2018

Hashcat: Cracking Windows Domain Hashes

Learning how to use hashcat, and sharing some of my experience with it. I've used JtR and Cain and Abel; hashcat I've used maybe once or twice. I'm not going to go into depth about how to dump the hashes; that is not the purpose of this post. If you're interested in that, Rapid7, the creator of Metasploit, has some good tutorials about how to use their modules to dump password hashes from Domain Controllers.

First, I had to manipulate the data I had gathered so that hashcat would understand it. Many of the modules in Metasploit dump the hashes in JtR (John the Ripper) format. I've seen some that dump the hashes in hashcat format, but not a lot. Also note that I may be missing some settings in Metasploit because I'm still new to using it. This may still be useful for other purposes.


For Windows domain hashes, JtR format looks like the following:


username:uid:lm hash:ntlm hash


Note: there is a blank hash for LM hashes. That blank hash is aad3b435b51404eeaad3b435b51404ee. LM passwords are really easy to crack.


Someone was kind enough to explain the LM hash being that blank value: it means that the password is greater than 14 characters. Thanks, loyal reader!

Sometimes it's useful to first crack the LM passwords, if they are available, and then crack the NTLM passwords using a dictionary consisting of the LM passwords together with what are known as mangling rules in JtR.

The format that hashcat understands is username:lm_hash or username:ntlm_hash. Note: this only works as long as the --username switch is included on the hashcat command line; otherwise you'll get an error about the hash length.

I went about converting it the long way. There are much easier ways. I imagine I could use PowerShell to remove the uid and one or the other of the password hash types. Or I could have simply used officetohashcat.py.

Use CSV with HashCat (Use at your own risk.  I haven't thoroughly tested this- it seems to work fine so far.)

I changed the List Separator in the Region settings in the Control Panel to use a : as a list separator instead of a comma.  When I save files as csv files, it will be a colon separated list, not a comma separated list.

I used Microsoft Excel 2016 to separate the data for me. I like the sorting and filtering options in Excel. To bring in a delimited text file (in my case it was delimited with colons), go to the Data tab > Get External Data > From Text File. Select the text file that contains the hashes. Follow the directions in the wizard. At one step it will ask how the file is delimited: choose Other, then type a colon (:).

Once the data was imported into Excel, I sorted out the LM passwords. (I could tell they were LM because they didn't have the blank LM hash; the hashes were different.) I deleted the uid and NTLM columns and saved the result as lm_hashes.csv.

Then I separated out the NTLM hashes. I deleted the uid and LM columns and saved this as ntlm_hashes.csv.

If either of these files is opened in Notepad, it should be colon delimited. Check this before trying to crack them.
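The Excel procedure above is a manual version of a very small parsing job. Here is the same split done in Python, as an added example that is not the post's own script or officetohashcat.py: it reads the username:uid:lm_hash:ntlm_hash lines, produces the two colon-delimited user:hash lists that hashcat accepts with --username, and also reports which accounts still have a populated LM hash at all, which on a current domain is itself a finding worth raising. The sample dump is constructed with placeholder hash values; the only real constant is the blank LM hash quoted above.

```python
"""Split a JtR/pwdump-style domain dump (username:uid:lm_hash:ntlm_hash) into
the two colon-delimited lists this post builds by hand in Excel, and report
which accounts still have an LM hash stored at all.  Added example, not the
post's own script; the sample dump below is constructed."""

# LM hash of the empty string: what sits in the LM field when no LM hash is stored.
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample in pwdump/JtR format.  The hash values are placeholders,
# not real credential material.
SAMPLE_DUMP = """\
alice:1001:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
bob:1002:11111111111111111111111111111111:00000000000000000000000000000002:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000003:::
# comment lines and anything malformed are skipped
not a hash line
"""


def parse_pwdump(text):
    """Yield (username, lm_hash, ntlm_hash) for every well-formed line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        # pwdump lines end in ':::' (empty trailing fields), so there are more
        # than four columns; only the first four matter here.
        if len(parts) < 4:
            continue
        user, lm, ntlm = parts[0], parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(ntlm) != 32:
            continue
        yield user, lm, ntlm


def split_hashes(text):
    """Return (lm_lines, ntlm_lines) as 'user:hash' entries, the form hashcat
    accepts with --username.  Accounts with the blank LM hash have nothing to
    put in the LM list, so they are left out of it."""
    lm_lines, ntlm_lines = [], []
    for user, lm, ntlm in parse_pwdump(text):
        if lm != BLANK_LM:
            lm_lines.append(f"{user}:{lm}")
        ntlm_lines.append(f"{user}:{ntlm}")
    return lm_lines, ntlm_lines


def lm_still_stored(text):
    """Usernames whose LM hash is populated.  On a modern domain this list
    should be empty; each entry is an account worth a closer look."""
    return [user for user, lm, _ in parse_pwdump(text) if lm != BLANK_LM]


def write_hashcat_files(text, lm_path="lm_hashes.csv", ntlm_path="ntlm_hashes.csv"):
    """Write both lists with Unix newlines, one entry per line; returns the counts."""
    lm_lines, ntlm_lines = split_hashes(text)
    for path, lines in ((lm_path, lm_lines), (ntlm_path, ntlm_lines)):
        with open(path, "w", newline="\n") as fh:
            fh.write("".join(line + "\n" for line in lines))
    return len(lm_lines), len(ntlm_lines)


if __name__ == "__main__":
    print("LM hash still stored for:", lm_still_stored(SAMPLE_DUMP))
    print("wrote (lm, ntlm) entries:", write_hashcat_files(SAMPLE_DUMP))
```

Running it on the sample writes lm_hashes.csv with a single line for bob and ntlm_hashes.csv with all three accounts, which is exactly the state the post checks for in Notepad. Feed a real dump in through `write_hashcat_files(open("dump.txt").read())` and nothing about the Region settings or Excel's list separator comes into play.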

Now the fun begins. :)

Hashcat takes some getting used to.  It is picky about the order of things, attack mode, formats of the hashes, the type of attack, etc.

Hashcat Dictionary attack

-a 0 : straight mode. This takes candidate passwords from a wordlist (dictionary), hashes each one and compares it against the loaded hashes.
-m : the hash type. 1000 is NTLM, 3000 is LM, 900 is MD4.
-o : an output file for the cracked hashes. If -o is not specified, the cracked hash:password pairs are still recorded in hashcat.potfile. Note that if you want to save the hashes in a certain format, you can do that after cracking them with --show and the related output options.

This assumes hashcat is in the PATH. Otherwise, specify the full path to the binary.

hashcat64.exe -a 0 -m 1000 ntlm_hashes.csv dictionary.txt -o ntlm_cracked.txt

Note: you can specify more than one dictionary. Just add the path/file after the first one.

Hashcat Brute-Force (Mask Attack)

-a 3 : brute-force (mask) attack.
-1 : user-defined character set. ?u is uppercase letters, ?d is digits, ?s is symbols; ?1 in the mask then stands for that combined set.
-i / --increment : don't just run the password length of the full mask. Run 1 character, 2 characters, 3 characters, and so on, with the same user-defined character set. If the mask is large, like more than 6 characters, you may get an error about an integer overflow detected. That means hashcat can't handle that mask. It may be wise not to use a large mask anyway, because those hashes may not be cracked in your lifetime. I always use increment mode. If it ever gets to a point where it estimates a long time, weeks or months, I don't do it. There are better ways, such as using rules to manipulate dictionary words.

hashcat64.exe -a 3 -m 1000 -1 ?u?d?s ntlm_hashes.csv -o ntlm_cracked.txt ?1?1?1?1?1?1?1 --increment
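The "won't be cracked in your lifetime" judgement above comes down to the size of the mask's keyspace, which is just the product of the per-position charset sizes (summed over every prefix length when --increment is on). The following is an added example, not part of the post, that works that number out for the post's own -1 ?u?d?s charset and seven-position mask and turns it into a worst-case run time at an assumed rate. The 10 billion hashes per second figure is a placeholder, not a benchmark; the charset sizes are hashcat's documented built-ins (?s is 32 punctuation marks plus space). For a defender the same arithmetic answers the policy question in reverse: at what minimum length does an exhaustive mask run stop being practical.

```python
"""Work out how many candidates an incremental mask attack has to hash, and
how long that takes at an assumed rate.  Added example, not from the post;
the 69-way custom charset and the 7-position mask are the ones the post uses,
and the hash rate is an assumed figure, not a measured benchmark."""

# Sizes of hashcat's built-in charsets (?s is 32 punctuation marks plus space).
BUILTIN = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}


def custom_charset_size(definition):
    """Size of a user-defined charset such as the post's '-1 ?u?d?s'.
    Assumes the built-in pieces do not overlap (they do not for ?u?d?s)."""
    size, i = 0, 0
    while i < len(definition):
        token = definition[i:i + 2]
        if token in BUILTIN:
            size += BUILTIN[token]
            i += 2
        else:
            size += 1          # a literal character in the charset
            i += 1
    return size


def position_sizes(mask, custom):
    """Per-position charset sizes for a mask like '?1?1?1?1?1?1?1'.
    custom maps '?1'..'?4' to their sizes; '??' is a literal question mark.
    A dangling '?' (as in the typo '?1?1?1?1?1?1?1?') is rejected."""
    sizes, i = [], 0
    while i < len(mask):
        token = mask[i:i + 2]
        if token in custom:
            sizes.append(custom[token])
            i += 2
        elif token in BUILTIN:
            sizes.append(BUILTIN[token])
            i += 2
        elif token == "??":
            sizes.append(1)
            i += 2
        elif mask[i] == "?":
            raise ValueError(f"unknown mask token {token!r} in {mask!r}")
        else:
            sizes.append(1)    # literal character in the mask
            i += 1
    return sizes


def keyspace(mask, custom, increment=True):
    """Candidates for the mask.  With --increment (default start length 1)
    every shorter prefix of the mask is run as well, so those are summed in."""
    total, running = 0, 1
    for size in position_sizes(mask, custom):
        running *= size
        total += running
    return total if increment else running


def hours_at_rate(candidates, hashes_per_second):
    """Worst-case wall-clock hours to exhaust the keyspace."""
    return candidates / hashes_per_second / 3600


if __name__ == "__main__":
    charset = {"?1": custom_charset_size("?u?d?s")}
    for length in range(6, 10):
        ks = keyspace("?1" * length, charset)
        # ASSUMED rate: 10 billion NTLM/s, a round placeholder figure.
        print(f"{length} positions: {ks:,} candidates, "
              f"{hours_at_rate(ks, 1e10):,.1f} h worst case")
```

The seven-position run is about 7.6 trillion candidates with --increment, which is only a few minutes at the assumed rate; each extra position multiplies that by 69, which is why the estimate climbs from hours to months within two or three more characters and why the post's advice to switch to rules at that point is sound.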

There is a -p option which specifies a different delimiter for the hash file and output file, but I've not had good luck with it. I recommend having your data in the form it needs to be before putting it into hashcat.

Show Loot (i.e. the Cracked Passwords)

hashcat64.exe -m 1000 --show hashcat.potfile

Note: that -m is the hash type. It must match the type of hashes that were cracked.

That last bit, hashcat.potfile, assumes you didn't add an output file when you were cracking. If you did, they will be in that path/filename. I think that it still saves them to the pot file as well, but remember to add the path/filename if you aren't in the same directory as hashcat.potfile. It's usually in the same place the hashcat binary is stored.

Show the Cracked Hashes in a Certain Format

hashcat64.exe -m 1000 --show --potfile-path hashcat.potfile --username -o ntlm_cracked.txt --outfile-format 2 C:\Users\user\ntlm_hashes.csv

--potfile-path : specifies where the loot is.
--username : tells hashcat that each line of the hash file starts with a username field, which it should skip when matching. This must be added if there are usernames in the original file.
-o : specifies an output file.
--outfile-format 2 : in this case, shows only the plain-text passwords in the file. If the original file has users, the output file will contain user:password lines.
C:\Users\user\ntlm_hashes.csv : specifies the original file that contains the hashes.

I will add how to do cracking with rules later.  I haven't experimented with that functionality just yet.
