Cracking password hashes is a crucial skill for ethical hackers and penetration testers. While numerous tools exist, two of the most popular are John the Ripper and Hashcat. This guide will walk you through how to crack password hashes using both tools and explain the underlying principles behind password cracking.
Disclaimer: This content is for educational purposes only. Ensure you have explicit legal permission before attempting any hacking activities.
Related Video:
Why Password Cracking Matters
Ethical hackers use password cracking to test the security of systems. Password hashes are the result of transforming plain-text passwords using a one-way encryption function (hashing algorithm). By cracking these hashes, ethical hackers can identify weak passwords and vulnerabilities, helping organizations strengthen their security.
Hashing: A Quick Overview
Before diving into the hands-on activity, it’s crucial to understand what hashing is:
Hashing is the process of converting data (like a password) into a fixed-length string of characters.
Hashes are one-way functions, meaning they cannot be reversed to recover the original data.
Common hashing algorithms include MD5, SHA-1, SHA-256, SHA-512, and more.
Hashes are used to ensure data integrity and are often stored in databases to protect sensitive information like passwords.
However, while you cannot reverse a hash, password-cracking tools can compare hashes generated from known passwords against the hashed value to discover the original password. This process is called brute-force or dictionary-based password cracking.
Crack Password Hashes with John the Ripper
John the Ripper (JtR) is a widely used password-cracking tool built into Kali Linux. To get started, ensure you have a file containing the password hashes you want to crack.
Example: I have a file named hash0.txt, which contains a hashed password. To crack it with John, use the following command:
john --wordlist=/usr/share/wordlists/rockyou.txt hash0.txt
--wordlist: Specifies the wordlist you’ll use for cracking. In this example, we’re using rockyou.txt, a famous wordlist pre-installed in Kali Linux.
John’s Hash Identification Feature
One of John’s strengths is that it can automatically identify many common hash types, making it easier to start cracking right away. When you run the above command, John will try to identify the hash type, and if it recognizes it, the cracking process will begin.
In this case, John has successfully cracked the hash, and the password is password123.
When John Fails to Identify a Hash
John doesn’t always get it right. For example, if you use a less common hash algorithm, John might not be able to identify it.
This means John could not determine the hash type, and you'll need to supply the format manually.
Identifying the Hash Type
There are several tools you can use to identify the type of hash manually:
HashID: Run hashid hash4.txt to identify the possible hash types. This will return a list of potential algorithms.
Hash-Identifier: Another tool that helps identify hash types with the command hash-identifier.
Online Tools: Websites like hashes.com and CrackStation.net allow you to paste in a hash and get possible hash types.
Once you identify the hash, you can provide it to John the Ripper using the --format argument.
Example:
john --format=whirlpool --wordlist=/usr/share/wordlists/rockyou.txt hash4.txt
In this example, we’ve identified the hash type as Whirlpool and used the correct format to successfully crack the password.
Crack Password Hashes with Hashcat
Hashcat is another powerful password-cracking tool, but unlike John the Ripper, it primarily uses your GPU instead of your CPU, making it significantly faster for certain tasks.
Finding the Hash Type in Hashcat
Before running Hashcat, you need to find the hash type. Go to Hashcat's wiki and look up the hash type you're dealing with. Each hash type has a specific ID.
Example: If you’re dealing with a Whirlpool hash, its Hashcat ID is 6100.
Running Hashcat
Once you know the hash type, you can construct your command. For example:
hashcat -m 6100 -a 0 -o cracked.txt hash4.txt /usr/share/wordlists/rockyou.txt
-m 6100: Specifies the hash type (Whirlpool).
-a 0: Specifies the attack mode (in this case, a dictionary attack).
-o cracked.txt: Specifies the output file where the cracked password will be saved.
Hashcat will then begin the cracking process. It may take longer than John for simple passwords but excels with more complex or longer passwords.
Online Password Cracking Tools (Use with Caution)
When dealing with Capture the Flag (CTF) challenges or certification exams, online tools can sometimes crack hashes faster than John or Hashcat. Never use these tools for real-world engagements, as they might compromise the security of the hash.
Hashes.com: Paste your hash into the online form, solve the CAPTCHA, and the tool will attempt to crack the hash.
CrackStation.net: Another useful online tool for cracking common password hashes.
These tools are extremely fast and convenient, but they should only be used in test environments or competitions.
Best Practices for Ethical Hacking and Real-World Scenarios
When engaging in penetration testing in real-world environments, always:
Avoid using online cracking tools to protect sensitive data.
Start with Hashcat for complex passwords, as it uses GPUs and can handle larger, more complex wordlists.
Use strong, customized wordlists to improve your chances of success in cracking hashes.
For CTF challenges or certification exams, you can rely on tools like John the Ripper, Hashcat, and online tools, but always limit the time you spend trying to crack a password. If a password doesn’t crack after 20 minutes, the challenge likely wasn’t designed for password cracking.
Understanding the Theory Behind Password Cracking
Password cracking involves matching known password hashes with unknown hashes. While hashes can’t be reversed, they can be cracked by comparing the hash of a guessed password to the captured hash. If the hashes match, you’ve found the password.
The process works as follows:
Hash the password (from a wordlist).
Compare the hash with the captured hash.
Move to the next password if there’s no match.
Repeat until a match is found.
Stronger passwords and longer wordlists make the process more time-consuming. Passwords that contain random characters, symbols, numbers, and both upper- and lowercase letters are harder to crack.
Conclusion
Password cracking is an essential skill for ethical hackers and penetration testers. Whether you're using John the Ripper for quick tasks or Hashcat for more intensive cracking, understanding how to crack password hashes is a fundamental part of testing security.
To master this skill:
Start with simpler tools and move toward more complex setups.
Practice identifying hash types and creating customized wordlists.
Never use online tools for real-world engagements.
By mastering password cracking, you’ll be better prepared to assess and improve the security of systems you’re testing.