Didier Stevens

Thursday 14 July 2016

Practice ntds.dit File Part 3: Password Cracking With hashcat – Wordlist

Filed under: Encryption — Didier Stevens @ 0:00

Now we will use hashcat and the rockyou wordlist to crack the passwords for the hashes we extracted in part 2.

With this command we let hashcat work on the LM hashes we extracted:

hashcat-3.00\hashcat64.exe -a 0 -m 3000 --potfile-path hashcat-rockyou-lm.pot --username lm.ocl.out rockyou.txt

Option -a 0 instructs hashcat to perform a straight attack.

Option -m 3000 informs hashcat that we provide LM hashes.

Option –username informs hashcat that the hash file lm.ocl.out includes usernames.

Argument lm.ocl.out is the hash file.

Argument rockyou.txt is the wordlist.

I also use option –potfile-path to instruct hashcat to use a specific pot file (a file containing the cracked hashes with corresponding passwords).

Here is the output:

hashcat (v3.00-1-g67a8d97) starting...

OpenCL Platform #1: Intel(R) Corporation
========================================
- Device #1: Intel(R) HD Graphics 5000, 356/1425 MB allocatable, 40MCU
- Device #2: Intel(R) Core(TM) i7-4650U CPU @ 1.70GHz, skipped

Hashes: 62 hashes; 48 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable Optimizers:
* Zero-Byte
* Precompute-Final-Permutation
* Not-Iterated
* Single-Salt
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled

aad3b435b51404ee:
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => Cache-hit dictionary stats rockyou.txt: 154179996 bytes, 14343328 words, 14343328 keyspace

c2265b23734e0dac:1
944e2df489a880e4:R
1104594f8c2ef12b:F
9fdfa4280126e140:AS
56c94ea187dbb8d6:RACHELL
8358f3d2c80c1dc5:ON
27bcbf149915a329:T1
d0d0b0a89785fea7:AMOROSA
fdcfc2afb2d1be34:V
7a01665eb2eb6c14:007
e69e57fcbfc37426:BEAUFOR
158759f68c114883:92
843201b3eec511e6:GIRLISH
19d76dfe3931be22:2020
ee3c975e9312263a:THURLOW
dacc48edf1058ae1:OVEJA
d4b8a9676de6053e:EANNE
3c152122664981d0:MAISIE2
58ee1ecfcb1952c1:ZORDIC7
8dfa87789573aa6c:TADOB
bfa8b0f05b2ce944:LM11819
22d8afdd59cc02d1:KURT!!!
INFO: approaching final keyspace, workload adjusted


Session.Name...: hashcat
Status.........: Exhausted
Input.Mode.....: File (rockyou.txt)
Hash.Target....: 88d84c068ac05e0a, c8e4acdacab3b812
Hash.Type......: LM
Time.Started...: Mon Jul 11 22:54:46 2016 (2 secs)
Speed.Dev.#1...:  5193.2 kH/s (13.32ms)
Recovered......: 23/48 (47.92%) Digests, 0/1 (0.00%) Salts
Progress.......: 14343328/14343328 (100.00%)
Rejected.......: 0/14343328 (0.00%)

Started: Mon Jul 11 22:54:46 2016
Stopped: Mon Jul 11 22:54:52 2016

To display the cracked passwords, we use option –show:

hashcat-3.00\hashcat64.exe --show -m 3000 --outfile-format 2 --potfile-path hashcat-rockyou-lm.pot --username lm.ocl.out

Option –show instructs hashcat to display the cracked passwords.

Option -m 3000 informs hashcat that we provide LM hashes. This is necessary for –show.

Option –username informs hashcat that the hash file lm.ocl.out includes usernames.

Option –outfile-format 2 instructs hashcat to output the password without the hash.

Argument lm.ocl.out is the hash file.

I also use option –potfile-path to instruct hashcat to use a specific pot file (a file containing the cracked hashes with corresponding passwords).

Here is the output:

hashcat (v3.00-1-g67a8d97) starting...

Administrator:[notfound]
user01:[notfound]
user03:RACHELLEANNE
user04:ZORDIC7
user05:KURT!!!
user06:GIRLISH2020
user07:AMOROSAOVEJA
user09:THURLOW1
user10:BEAUFORT1
user12:MAISIE2007
user14:[notfound]
user15:TADOB
user16:LM1181992
user17:[notfound]
user19:[notfound]
user20:[notfound]ON
user21:V
user22:AS
user23:[notfound]
user24:[notfound]
user25:[notfound]
user26:[notfound]
user27:[notfound]
user28:[notfound]R
user29:[notfound]F

As you can see we cracked most of the passwords for users 1 through 20, except when the password is longer than 14 characters. Also remark that all passwords are uppercase.

With this command we let hashcat work on the NTLM hashes we extracted:

hashcat-3.00\hashcat64.exe -a 0 -m 1000 --potfile-path hashcat-rockyou-nt.pot --username nt.ocl.out rockyou.txt

The options and arguments are almost the same as for the LM command, except:

Option -m 1000 informs hashcat that we provide NTLM hashes.

Argument nt.ocl.out is the hash file.

Here is the output:

hashcat (v3.00-1-g67a8d97) starting...

OpenCL Platform #1: Intel(R) Corporation
========================================
- Device #1: Intel(R) HD Graphics 5000, 356/1425 MB allocatable, 40MCU
- Device #2: Intel(R) Core(TM) i7-4650U CPU @ 1.70GHz, skipped

Hashes: 43 hashes; 43 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled

Cache-hit dictionary stats rockyou.txt: 154179996 bytes, 14343328 words, 14343328 keyspace

32ed87bdb5fdc5e9cba88547376818d4:123456
e550853afc9a68106d73fd6680b25604:mychemicalromance
125fee170ce858738fc08d61291174ed:beautifulprincess
c1d5ff9561074a64e8164745f7e057a3:beaufort1
0d870c8d2ed66211a6cd19b6c8c6939a:thurlow1
9aeae4ad385c29a8d3e25a2032df95ec:rachelleanne
3081116936973f2a1019178a085e77cd:maisie2007
3f77a049f85d9ecb089313d68dc64796:maiseythorne2007
2a54f9c00701830e44923a19eea7df62:zordic7
7f5ab070d31e61251ab4ef78b6601941:yeliz6
0794f987708fd36dc158c3435d1e9d65:tadob
f85bbc519f1d4b9453d0d316d2f43efd:lm1181992
336413710df33e5d6ef4ba82ba762543:kurt!!!
8810b6cff094d7bbfa9254a47e460e8c:girlish2020
5bd6fddd235507a2baf82843b6174b4e:cuningo
d10107259670c218d8389bb05a6ca9a5:amorosaoveja
c09c4e921a0f7763e22aa5f38d73016a:Lzac08@
8d15a7e3fe3271b73180de20f9532111:Horselover1493@hotmail.com
9180c11efd4cb6149557f59b0cf80573:FEPARAGON
INFO: approaching final keyspace, workload adjusted

81ed9d39c208fb710f16fd01df2c5ea3:453758487l

Session.Name...: hashcat
Status.........: Exhausted
Input.Mode.....: File (rockyou.txt)
Hash.Target....: File (nt.ocl.out)
Hash.Type......: NTLM
Time.Started...: Mon Jul 11 23:26:10 2016 (2 secs)
Speed.Dev.#1...:  6402.3 kH/s (12.17ms)
Recovered......: 20/43 (46.51%) Digests, 0/1 (0.00%) Salts
Progress.......: 14343328/14343328 (100.00%)
Rejected.......: 1150/14343328 (0.01%)

Started: Mon Jul 11 23:26:10 2016
Stopped: Mon Jul 11 23:26:17 2016

Remark that this time we cracked all passwords for users 1 through 20 (also the ones longer than 14 characters), and with the proper case.

4 Comments »

  1. […] The third part in this series covers using hashcat and the “rockyou” database to crack both LM and NTLM passwords. Practice ntds.dit File Part 3: Password Cracking With hashcat – Wordlist […]

    Pingback by Week 28 – 2016 – This Week In 4n6 — Sunday 17 July 2016 @ 12:52

  2. […] password cracking examples with hashcat, I want to show you how to crack passwords with John the Ripper (remember we also produced hashes […]

    Pingback by Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist | Didier Stevens — Tuesday 19 July 2016 @ 0:01

  3. […] Practice ntds.dit File Part 3: Password Cracking With hashcat – Wordlist […]

    Pingback by Practice ntds.dit File Overview | Didier Stevens — Monday 25 July 2016 @ 9:15

  4. […] Practice ntds.dit File Part 3: Password Cracking With hashcat – Wordlist […]

    Pingback by Overview of Content Published In July | Didier Stevens — Monday 1 August 2016 @ 0:00


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: