Password Cracking is not guessing passwords online against a web server. It is an offline process: you first steal the database file containing the "Hashes" and then use the full power of your CPU or GPU to attempt to reverse them on your own machine.
Unlike encryption (which is reversible if you have the key), a Hash function (like MD5 or SHA-256) is a one-way path. To "crack" a hash, you hash candidate words, millions per second, until one produces a result that matches the stolen hash.
The Salt Problem: To prevent precomputed tables (Rainbow Tables), modern operating systems append a "Salt" (a random string) to the password before hashing.
# Classic Linux format (/etc/shadow):
$id$salt$hashed_string
# IDs indicate the algorithm:
$1$ = MD5
$5$ = SHA-256
$6$ = SHA-512
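The same $id$salt$hashed_string layout can be read from the defender's side to find accounts still stored under a weak scheme. This is an added example, not part of the original page: the sample entries are constructed placeholders, and the function names, the handling of the optional rounds= field and of "!"/"*" locked entries, and the policy of flagging $1$ are assumptions.

```python
SCHEMES = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}  # IDs listed on this page
WEAK_IDS = {"1"}  # assumption: local policy wants MD5-based hashes migrated

# Constructed sample entries; salts and hash strings are placeholders, not real hashes.
SAMPLE = """\
root:$6$ExampleSalt$CONSTRUCTEDHASH0000:19000:0:99999:7:::
legacy:$1$abcdefgh$CONSTRUCTEDHASH1111:18000:0:99999:7:::
svc:$5$rounds=10000$saltsalt$CONSTRUCTEDHASH2222:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
olduser:!$6$saltsalt$CONSTRUCTEDHASH3333:19000:0:99999:7:::
"""

def parse_shadow_line(line):
    """Split one shadow entry into user, status, scheme id, rounds, salt, hash."""
    fields = line.strip().split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    entry = dict(user=fields[0], status="active", id=None,
                 rounds=None, salt=None, hash=None)
    pw = fields[1]
    if pw.startswith(("!", "*")):       # locked account; a hash may still follow "!"
        entry["status"] = "locked"
        pw = pw.lstrip("!*")
    if not pw:
        if entry["status"] == "active":
            entry["status"] = "empty"   # no password set at all
        return entry
    parts = pw.split("$")               # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    if len(parts) > 3 and parts[2].startswith("rounds="):
        entry["rounds"] = int(parts.pop(2).split("=", 1)[1])  # optional cost field
    if parts[0] != "" or len(parts) != 4:
        entry["status"] = "unrecognised"  # not in $id$salt$hash form
        return entry
    entry["id"], entry["salt"], entry["hash"] = parts[1:]
    return entry

def audit(text):
    """Return (user, finding) pairs for entries that need attention."""
    findings = []
    for line in filter(None, text.splitlines()):
        e = parse_shadow_line(line)
        if e["status"] in ("empty", "unrecognised"):
            findings.append((e["user"], e["status"] + " password field"))
        elif e["id"] in WEAK_IDS:
            findings.append((e["user"], "weak scheme " + SCHEMES[e["id"]]))
        elif e["id"] is not None and e["id"] not in SCHEMES:
            findings.append((e["user"], "unknown scheme id " + e["id"]))
    return findings
```

Calling audit(SAMPLE) reports only the account that still uses $1$; locked entries are parsed but not flagged.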
# LINUX: Combine /etc/passwd and /etc/shadow for John:
unshadow /etc/passwd /etc/shadow > hashes_linux.txt
# WINDOWS: Dump NTLM hashes using Impacket:
impacket-secretsdump ADMINISTRATOR:Password@192.168.1.50
John the Ripper is primarily CPU-based. It is excellent for low-volume cracking or when you are unsure of the hash type.
# Dictionary Attack:
john --wordlist=/usr/share/wordlists/rockyou.txt hashes_linux.txt
# Single Crack Mode (Smartest mode using GECOS info):
john --single hashes_linux.txt
# Wordlist Mangling Rules (e.g., "password" -> "Password1!"):
john --wordlist=rockyou.txt --rules hashes.txt
You just extracted the root user line from an Ubuntu server's shadow file. You need to construct the exact Hashcat command to crack it using your GPU, a dictionary attack, and mutation rules.
Hashcat is the world's fastest password cracker, utilizing massive parallel processing from GPUs (NVIDIA/AMD).
# Straight Dictionary Attack (-a 0):
hashcat -a 0 -m 1000 hashes.txt rockyou.txt
# Pure Brute-force (-a 3) with Masks:
# Crack any 8 lowercase letter password:
hashcat -a 3 -m 0 hash.txt ?l?l?l?l?l?l?l?l
# Hybrid Attack (Wordlist + Mask):
hashcat -a 6 -m 0 hash.txt rockyou.txt ?d?d?d?d
Hashcat doesn't auto-detect hashes. You must specify the exact module using -m.
-m 0: MD5
-m 1000: Windows NTLM
-m 5600: NetNTLMv2 (Responder captures)
-m 1800: sha512crypt (Linux $6$)
-m 22000: WPA/WPA2 WiFi Handshakes
# Maximize GPU performance (locks desktop):
hashcat -a 0 -m 1000 hashes.txt rockyou.txt -w 3 -O
# Restore interrupted session:
hashcat --session my_attack --restore