One of the first technical needs of a pentester at the outset of an engagement is access, and one of the best ways to gain access is by collecting and cracking the password hashes of valid user accounts. The difficulty of this process varies with factors such as the strength of an organization’s password policy and whether a culture of personal op-sec has been fostered within the organization. Many technical controls and network monitoring efforts can be rendered inert with the right set of credentials, so we will take a look at five simple steps for cracking password hashes to quickly collect the low-hanging fruit and get your engagement underway.

What is Password Cracking?

In cyber security, password cracking refers to hashing each entry of a ‘dictionary’ (a list of common passwords) with the same algorithm and comparing the results against a list of obtained hashes (algorithmically scrambled passwords); a match reveals the plain text password. A rule set can also be applied to the dictionary, mutating each word with common password-modification habits such as ‘leet speak’ or number/letter substitutions, so that the hashes of those variants are tested as well.

It can be a race against time for a pentester to translate hashes into usable credentials in order to have more time to invade the target network and explore all of the ways that malicious actors could cause problems. So, knowing an efficient methodology for getting passwords fast can be the difference between discovering useful findings or not during a limited-time engagement.

Factors to Consider

The method you choose will be a function of time, equipment, and necessity. We will go in order from the most efficient quick wins for urgently needed passwords to methods that require more time and resources but can be much more thorough.

Limited time / Limited equipment / High necessity

If you are under a time crunch and just need any credentials at all for a foothold, then a shorter dictionary and less sophisticated ruleset will likely get you some cracked hashes to work with.

Unlimited time / Advanced equipment / Low necessity

If time is not a factor and you have access to a high-end, up-to-date cracking rig, then running your hashes against larger dictionaries or custom dictionaries modified by more advanced rulesets will net you more cracked hashes.

What Password Cracking Tools to Use

New tools are always being developed and updated in the realm of cyber security, but here are a few tried and true password cracking essentials. These are some of the tools used in real engagements by TCM Security’s own penetration testing team.

Password Cracking Software:

  • hashcat

Password Dictionaries:

  • rockyou.txt
  • rockyou2021.txt

Password Rule List:

  • OneRuleToRuleThemStill.rule

Hash Collection

You will also need hashes to crack. Adversary-in-the-Middle attacks, such as ARP Cache Poisoning or LLMNR poisoning, can be used to listen in on network traffic and collect transmitted password hashes. Once you have hashes in hand, you can then begin the process of cracking them and getting to the password inside.

Heath Adams’ 5-Step Password Cracking Methodology for Pentesters

Step 1: Quick Wins

If you are in a bind and just need any password you can find quickly, use rockyou.txt with a ruleset like OneRule. This should take a few minutes to run. (In the commands below, -m 1000 selects the NTLM hash mode; change it to match the hash type you actually collected.)

hashcat.exe -m 1000 hashes.txt rockyou.txt -r OneRuleToRuleThemStill.rule -O

This should give you some passwords to establish a foothold within a network, but you may need to employ other methods in order to capture the credentials of the more security-minded users.

Step 2: Time To Spare

If you have some breathing room, running a longer wordlist, such as rockyou2021.txt with a ruleset, will deliver more cracked hashes to choose from, but this will also take more time.

hashcat.exe -m 1000 hashes.txt rockyou2021.txt -r OneRuleToRuleThemStill.rule -O

Between steps 1 and 2, you’ll likely find 70% of your hashes.

Step 3: Digging Deeper

If you have the luxury of time, then there are many strategies to crack hashes that would not be revealed in steps 1 or 2.

Custom Wordlists

An effective strategy is building your own wordlist based on known cracked passwords, computer names, usernames, etc. You can also include words unique to the company by crawling the organization’s website with a tool like CeWL or even using ChatGPT.

hashcat.exe -m 1000 hashes.txt customwordlist.txt -r OneRuleToRuleThemStill.rule -O

Sophisticated Rulesets

Once you have your word list, you can use other rulesets to modify it. Running several large rulesets over it generates as many candidates as your list can produce, and this should not take long with a small word list.

Hash Recycling

Once you crack a new hash, add that word to your list and run it through your rulesets again. Repeat until you get no new hashes.
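As an added illustration of the dictionary-plus-rules loop with hash recycling described in Steps 1 through 3 (example code written for this page, not taken from the post, from OneRule or from hashcat): MD5 stands in for NTLM, the rule set and sample hashes are constructed, and the loop feeds each new crack back into the wordlist until a pass finds nothing.

```python
import hashlib
from typing import Callable, Dict, List, Set, Tuple

# MD5 stands in for hashcat's -m 1000 (NTLM) because MD4 is not reliably
# available in hashlib; the cracking loop itself is hash-agnostic.
def hash_candidate(word: str) -> str:
    return hashlib.md5(word.encode("utf-8")).hexdigest()

LEET = str.maketrans("aeios", "43105")

# Constructed mini-ruleset written in the spirit of hashcat rule syntax
# (':' pass-through, 'c' capitalize, '$1' append '1', 'sa4' substitute a->4).
RULES: Dict[str, Callable[[str], str]] = {
    ":": lambda w: w,
    "c": lambda w: w.capitalize(),
    "c $1": lambda w: w.capitalize() + "1",
    "$!": lambda w: w + "!",
    "sa4 se3 si1 so0 ss5": lambda w: w.translate(LEET),
}

def crack(hashes: Set[str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Wordlist + rules attack with hash recycling: every newly cracked password
    becomes a base word for the next pass, until a pass recovers nothing new.
    Returns {hash: plaintext} and the number of passes run."""
    cracked: Dict[str, str] = {}
    words, passes = list(wordlist), 0
    while words:
        passes += 1
        new_words: List[str] = []
        for base in words:
            for rule in RULES.values():
                cand = rule(base)
                h = hash_candidate(cand)
                if h in hashes and h not in cracked:
                    cracked[h] = cand
                    new_words.append(cand)
        words = new_words  # recycle: the next pass mutates only the fresh cracks
    return cracked, passes

# Constructed sample: six hashes, five of which derive from two base words;
# "Summer2024" is left for the mask stage because no rule here reaches it.
SAMPLE_PASSWORDS = ["welcome", "Welcome1", "Welcome1!", "Summer1", "Summer1!", "Summer2024"]
SAMPLE_HASHES = {hash_candidate(p) for p in SAMPLE_PASSWORDS}
BASE_WORDLIST = ["welcome", "summer"]

if __name__ == "__main__":
    found, passes = crack(SAMPLE_HASHES, BASE_WORDLIST)
    print(f"{len(found)}/{len(SAMPLE_HASHES)} cracked in {passes} passes")
    for h, pw in found.items():
        print(h, pw)
```

The second pass only reaches "Welcome1!" because "Welcome1" was recycled from the first pass, which is exactly the effect the recycling step relies on.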

Step 4: Apply The Mask

Once you’ve exhausted the wordlist-and-rules route, the next step should be a mask attack. If the password policy requires 8 characters, you could do the following to brute force all possible 8-character passwords:

hashcat.exe -a 3 -m 1000 hashes.txt ?a?a?a?a?a?a?a?a -O

This can be time-consuming, taking hours or even days for an MD5 hashed password, so let’s examine what we’ve learned so far and develop a better methodology.

Look For Common Patterns

Since you have armed yourself with some known passwords, you might be able to divine a pattern and deduce some aspects of an organization’s password policy, which will help craft a more efficient mask pattern. 

Quick wins could be achieved by looking for common traits, such as: a capital letter, six ‘any’ characters, and a special character at the end. The original brute-force pattern listed above would eventually accomplish this, but this more specific pattern would take a fraction of the time (only an hour with higher-end equipment).

hashcat.exe -a 3 -m 1000 hashes.txt ?u?a?a?a?a?a?a?s -O

A more advanced strategy would be to review commonalities among your known passwords. Some people in the organization might have a tendency toward closely associated password choices like the names of seasons, local sports teams, books, or movies – see if you can make a connection. A simple example: If you see “Welcome” is being used a few times with the addition of four random numbers and a special character, try –

hashcat.exe -a 3 -m 1000 hashes.txt Welcome?d?d?d?d?s -O

Once you have essentially run out of mask attack patterns, feed your new findings into your word list and run it through your rulesets, repeating step 3.
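To see why the pattern masks above take "a fraction of the time" of the full ?a brute force, here is an added example (written for this page, not from the post or from hashcat itself) that computes the keyspace of a hashcat mask from hashcat's documented built-in charset sizes and converts it to worst-case hours at an assumed rate; the 100 GH/s figure is a placeholder, not a benchmark.

```python
# hashcat built-in charsets: ?l/?u 26 letters, ?d 10 digits, ?s 33 specials,
# ?a = ?l?u?d?s = 95 printable ASCII, ?h/?H 16 hex digits, ?b all 256 bytes.
CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "h": 16, "H": 16, "b": 256}

def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat -a 3 mask enumerates (no --increment).
    '?x' is a built-in charset, '??' a literal '?', anything else a fixed literal."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1            # literal character, e.g. the 'W' in Welcome?d?d?d?d?s
            continue
        if i + 1 == len(mask):
            raise ValueError("dangling '?' in mask")
        tag = mask[i + 1]
        if tag == "?":
            pass              # '??' escapes a literal question mark, keyspace 1
        elif tag in CHARSETS:
            total *= CHARSETS[tag]
        else:
            raise ValueError(f"unknown charset ?{tag}")
        i += 2
    return total

def estimated_hours(mask: str, hashes_per_second: float) -> float:
    """Worst-case wall clock to exhaust the whole mask at a given rate."""
    return mask_keyspace(mask) / hashes_per_second / 3600

# The three masks from this post, at an ASSUMED 100 GH/s (placeholder only;
# substitute the figure your own 'hashcat -b' reports for the hash mode).
ASSUMED_RATE = 100e9
if __name__ == "__main__":
    for m in ["?a?a?a?a?a?a?a?a", "?u?a?a?a?a?a?a?s", "Welcome?d?d?d?d?s"]:
        print(f"{m:20} {mask_keyspace(m):>22,d} candidates  ~{estimated_hours(m, ASSUMED_RATE):.2f} h")
```

The same calculation works in reverse for a defender: plug in the minimum length and character classes a password policy enforces to see how small the keyspace a predictable pattern leaves behind really is.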

Step 5: The Sky Is The Limit

Get creative! 

If you haven’t already, you can conduct some OSINT and use your findings in your word list. Scrape a social media profile for unique words. Create a list based on current events or applicable pop-culture references. You can take this methodology as far as time and imagination allow you to create word lists that will crack password hashes.

Thorough OSINT can be a real boost for potential password targets, so if you’re looking for training to learn professional methodology and tactics, the OSINT Fundamentals course will bring you up to speed and the Practical OSINT Research Professional certification will pit your skills against a simulated intelligence gathering exam complete with a report of findings that will be professionally reviewed.

Conclusion

Credentials are the lifeblood of a pentest. The more accounts you can collect and unlock through cracked password hashes, the higher your chances of finding an efficient key to the system you are trying to compromise. In large organizations with a lax password policy, quickly harvesting the low-hanging fruit can yield more time for lateral movement and privilege escalation, leaving your clients better informed on how to defend their network.

For more information on password cracking tactics and methods, check out the Practical Ethical Hacking course. If you are looking to demonstrate these abilities through certification, the Practical Junior Penetration Tester and Practical Network Penetration Tester combine these skills with others necessary for a well-rounded pentester. 

About the Author: Josh Daniels

Josh is an avid storyteller and writer who loves learning about the behind-the-scenes of the digital world we live in. While his professional experience is in content marketing, Josh began pursuing a career in cybersecurity in 2022, gaining a Sec+ certificate along with other training from industry professionals and a lifelong-learner attitude.

When he is not writing, Josh enjoys outdoor adventures with his family, watching movies, reading, and an unofficial (unpaid) side gig as a Game Master Consultant for several friends who play tabletop RPGs. At TCM, Josh has found a home where his passion for storytelling and cybersecurity meet.

“Once men turned their thinking over to machines in the hope that this would set them free. But that only permitted other men with machines to enslave them.”
– Frank Herbert

About TCM Security

TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients, including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.

Pentest Services: https://tcm-sec.com/our-services/
