Now we will use hashcat and the rockyou wordlist to crack the passwords for the hashes we extracted in part 2.
With this command we let hashcat work on the LM hashes we extracted:
hashcat-3.00\hashcat64.exe -a 0 -m 3000 --potfile-path hashcat-rockyou-lm.pot --username lm.ocl.out rockyou.txt
Option -a 0 instructs hashcat to perform a straight attack.
Option -m 3000 informs hashcat that we provide LM hashes.
Option --username informs hashcat that the hash file lm.ocl.out includes usernames.
Argument lm.ocl.out is the hash file.
Argument rockyou.txt is the wordlist.
I also use option --potfile-path to instruct hashcat to use a specific pot file (a file containing the cracked hashes with corresponding passwords).
Here is the output:
    hashcat (v3.00-1-g67a8d97) starting...
    OpenCL Platform #1: Intel(R) Corporation
    ========================================
    - Device #1: Intel(R) HD Graphics 5000, 356/1425 MB allocatable, 40MCU
    - Device #2: Intel(R) Core(TM) i7-4650U CPU @ 1.70GHz, skipped
    Hashes: 62 hashes; 48 unique digests, 1 unique salts
    Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
    Rules: 1
    Applicable Optimizers:
    * Zero-Byte
    * Precompute-Final-Permutation
    * Not-Iterated
    * Single-Salt
    Watchdog: Temperature abort trigger disabled
    Watchdog: Temperature retain trigger disabled
    aad3b435b51404ee:
    [s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>
    Cache-hit dictionary stats rockyou.txt: 154179996 bytes, 14343328 words, 14343328 keyspace
    c2265b23734e0dac:1
    944e2df489a880e4:R
    1104594f8c2ef12b:F
    9fdfa4280126e140:AS
    56c94ea187dbb8d6:RACHELL
    8358f3d2c80c1dc5:ON
    27bcbf149915a329:T1
    d0d0b0a89785fea7:AMOROSA
    fdcfc2afb2d1be34:V
    7a01665eb2eb6c14:007
    e69e57fcbfc37426:BEAUFOR
    158759f68c114883:92
    843201b3eec511e6:GIRLISH
    19d76dfe3931be22:2020
    ee3c975e9312263a:THURLOW
    dacc48edf1058ae1:OVEJA
    d4b8a9676de6053e:EANNE
    3c152122664981d0:MAISIE2
    58ee1ecfcb1952c1:ZORDIC7
    8dfa87789573aa6c:TADOB
    bfa8b0f05b2ce944:LM11819
    22d8afdd59cc02d1:KURT!!!
    INFO: approaching final keyspace, workload adjusted
    Session.Name...: hashcat
    Status.........: Exhausted
    Input.Mode.....: File (rockyou.txt)
    Hash.Target....: 88d84c068ac05e0a, c8e4acdacab3b812
    Hash.Type......: LM
    Time.Started...: Mon Jul 11 22:54:46 2016 (2 secs)
    Speed.Dev.#1...: 5193.2 kH/s (13.32ms)
    Recovered......: 23/48 (47.92%) Digests, 0/1 (0.00%) Salts
    Progress.......: 14343328/14343328 (100.00%)
    Rejected.......: 0/14343328 (0.00%)
    Started: Mon Jul 11 22:54:46 2016
    Stopped: Mon Jul 11 22:54:52 2016
To display the cracked passwords, we use option --show:
hashcat-3.00\hashcat64.exe --show -m 3000 --outfile-format 2 --potfile-path hashcat-rockyou-lm.pot --username lm.ocl.out
Option --show instructs hashcat to display the cracked passwords.
Option -m 3000 informs hashcat that we provide LM hashes. This is necessary for --show.
Option --username informs hashcat that the hash file lm.ocl.out includes usernames.
Option --outfile-format 2 instructs hashcat to output the password without the hash.
Argument lm.ocl.out is the hash file.
I also use option --potfile-path to instruct hashcat to use a specific pot file (a file containing the cracked hashes with corresponding passwords).
Here is the output:
    hashcat (v3.00-1-g67a8d97) starting...
    Administrator:[notfound]
    user01:[notfound]
    user03:RACHELLEANNE
    user04:ZORDIC7
    user05:KURT!!!
    user06:GIRLISH2020
    user07:AMOROSAOVEJA
    user09:THURLOW1
    user10:BEAUFORT1
    user12:MAISIE2007
    user14:[notfound]
    user15:TADOB
    user16:LM1181992
    user17:[notfound]
    user19:[notfound]
    user20:[notfound]ON
    user21:V
    user22:AS
    user23:[notfound]
    user24:[notfound]
    user25:[notfound]
    user26:[notfound]
    user27:[notfound]
    user28:[notfound]R
    user29:[notfound]F
As you can see, we cracked most of the passwords for users 1 through 20, except when the password is longer than 14 characters. Also note that all passwords are uppercase.
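The per-user lines above are assembled from LM halves that were cracked independently: each LM hash is two 16-hex-digit halves, one per 7-character uppercase chunk of the password. The following sketch is an added example, not hashcat's code or part of the original post; the function names are hypothetical and the hash-file lines are constructed by joining digests from the output above (the first half for user20 is a made-up placeholder).

```python
EMPTY_HALF = "aad3b435b51404ee"  # LM value of an empty 7-character half

# Pot file lines copied from the hashcat output above (digest:plaintext).
POT_LINES = [
    EMPTY_HALF + ":",
    "56c94ea187dbb8d6:RACHELL",
    "d4b8a9676de6053e:EANNE",
    "8dfa87789573aa6c:TADOB",
    "8358f3d2c80c1dc5:ON",
]

# Constructed hash-file lines (user:LM hash), not the real lm.ocl.out.
HASH_LINES = [
    "user03:56c94ea187dbb8d6d4b8a9676de6053e",
    "user15:8dfa87789573aa6c" + EMPTY_HALF,      # 5 characters: empty second half
    "user20:0123456789abcdef8358f3d2c80c1dc5",   # placeholder first half
]

def load_pot(lines):
    """Map each 16-hex-digit LM half to its recovered plaintext."""
    pot = {}
    for line in lines:
        digest, _, plain = line.rstrip("\r\n").partition(":")
        pot[digest.lower()] = plain
    return pot

def show_lm(hash_lines, pot):
    """Return {user: (display, status)}, joining the two halves per user."""
    report = {}
    for line in hash_lines:
        user, _, lm = line.strip().partition(":")
        lm = lm.lower()
        if len(lm) != 32 or any(c not in "0123456789abcdef" for c in lm):
            raise ValueError(f"not a 32-hex-digit LM hash: {line!r}")
        found = [pot.get(half) for half in (lm[:16], lm[16:])]
        hits = sum(p is not None for p in found)
        if hits == 0:
            display = "[notfound]"
        else:
            display = "".join("[notfound]" if p is None else p for p in found)
        report[user] = (display, ("none", "partial", "full")[hits])
    return report

if __name__ == "__main__":
    for user, (display, status) in show_lm(HASH_LINES, load_pot(POT_LINES)).items():
        print(f"{user}:{display}  ({status})")
```

A "partial" result such as user20 shows that one half of an LM hash can fall to a wordlist even when the other does not, which is why the password as a whole is only as strong as its two 7-character halves.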
With this command we let hashcat work on the NTLM hashes we extracted:
hashcat-3.00\hashcat64.exe -a 0 -m 1000 --potfile-path hashcat-rockyou-nt.pot --username nt.ocl.out rockyou.txt
The options and arguments are almost the same as for the LM command, except:
Option -m 1000 informs hashcat that we provide NTLM hashes.
Argument nt.ocl.out is the hash file.
Here is the output:
    hashcat (v3.00-1-g67a8d97) starting...
    OpenCL Platform #1: Intel(R) Corporation
    ========================================
    - Device #1: Intel(R) HD Graphics 5000, 356/1425 MB allocatable, 40MCU
    - Device #2: Intel(R) Core(TM) i7-4650U CPU @ 1.70GHz, skipped
    Hashes: 43 hashes; 43 unique digests, 1 unique salts
    Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
    Rules: 1
    Applicable Optimizers:
    * Zero-Byte
    * Precompute-Init
    * Precompute-Merkle-Demgard
    * Meet-In-The-Middle
    * Early-Skip
    * Not-Salted
    * Not-Iterated
    * Single-Salt
    * Raw-Hash
    Watchdog: Temperature abort trigger disabled
    Watchdog: Temperature retain trigger disabled
    Cache-hit dictionary stats rockyou.txt: 154179996 bytes, 14343328 words, 14343328 keyspace
    32ed87bdb5fdc5e9cba88547376818d4:123456
    e550853afc9a68106d73fd6680b25604:mychemicalromance
    125fee170ce858738fc08d61291174ed:beautifulprincess
    c1d5ff9561074a64e8164745f7e057a3:beaufort1
    0d870c8d2ed66211a6cd19b6c8c6939a:thurlow1
    9aeae4ad385c29a8d3e25a2032df95ec:rachelleanne
    3081116936973f2a1019178a085e77cd:maisie2007
    3f77a049f85d9ecb089313d68dc64796:maiseythorne2007
    2a54f9c00701830e44923a19eea7df62:zordic7
    7f5ab070d31e61251ab4ef78b6601941:yeliz6
    0794f987708fd36dc158c3435d1e9d65:tadob
    f85bbc519f1d4b9453d0d316d2f43efd:lm1181992
    336413710df33e5d6ef4ba82ba762543:kurt!!!
    8810b6cff094d7bbfa9254a47e460e8c:girlish2020
    5bd6fddd235507a2baf82843b6174b4e:cuningo
    d10107259670c218d8389bb05a6ca9a5:amorosaoveja
    c09c4e921a0f7763e22aa5f38d73016a:Lzac08@
    8d15a7e3fe3271b73180de20f9532111:Horselover1493@hotmail.com
    9180c11efd4cb6149557f59b0cf80573:FEPARAGON
    INFO: approaching final keyspace, workload adjusted
    81ed9d39c208fb710f16fd01df2c5ea3:453758487l
    Session.Name...: hashcat
    Status.........: Exhausted
    Input.Mode.....: File (rockyou.txt)
    Hash.Target....: File (nt.ocl.out)
    Hash.Type......: NTLM
    Time.Started...: Mon Jul 11 23:26:10 2016 (2 secs)
    Speed.Dev.#1...: 6402.3 kH/s (12.17ms)
    Recovered......: 20/43 (46.51%) Digests, 0/1 (0.00%) Salts
    Progress.......: 14343328/14343328 (100.00%)
    Rejected.......: 1150/14343328 (0.01%)
    Started: Mon Jul 11 23:26:10 2016
    Stopped: Mon Jul 11 23:26:17 2016
Note that this time we cracked all passwords for users 1 through 20 (including the ones longer than 14 characters), and with the proper case.