Sunday, 3 August 2014

Cracking Hashes - How-to's And What-Not's


By on 10:42

1. Intro
Ive seen a few requests for people to crack hashes, and some people aren't doing it right, just leaving a hash is not enough to help us help you.
This tutorial will walk threw the basics and try and help you out in your future of hashing.

2. Hashes
It is common practice for most web programmers to secure passwords by storing the encrypted value of the password in a database, because if they don't they risk a major security flaw which can harm their customers and themselves.

Hashes are also known as Cryptography, in a way.
Some hashes can decode on purpose, while others you need to brute force.
An example of encryption that allows decoding is Base64.

2.1 Need-To-Know's about Hashes

Widely used Hash Types include:
MD5 | SHA-1 | SHA-2
This means these 3 are the ones you need to be looking into when you grab a hash.

Type | Word Size| Collision |MD5 | 32 | | Yes |SHA-1 | 32 | Yes |SHA-2 | 64 | No |

2.1.1 Hash Collisions
From the graph I made above you can see MD5 and SHA-1 have Hash Collisions. This means that more then 1 value can equal the same hash value.
This is common sense seeing as MD5 and SHA-1 are both 32 Characters long, and there is a limit of how many 32 random characters you can make, I mean it isnt infinite. So their aught to be a Collision at some point.
Code:
H(a) = H(b)H representing the hash function.

3 Hash Decrypt Sites
many sites host services where you can md5 encode whatever you want, but at the same time this service saves both values for later.
So be aware when you use these services your md5 input and output will be saved in their database for their "md5 decode" service.

A list of Hash Decrypt Sites you can use.

- http://www.cmd5.com/english.aspx (457,354,352,282)
- http://www.md5crack.com
- http://www.hashchecker.com
- http://md5cracker.tk/ (MD5 Search engine by searches a total of 14 on-line crackers.)
- http://www.md5decrypter.com (5,889,729)
- http://www.md5oogle.com
- http://md5-db.com (The database is approximately 70gb)
- http://md5.rednoize.com (56,502,235)
- http://gdataonline.com/seekhash.php (3,251,106)
- http://www.tmto.org/?category=main&page=search_md5 (306.000.000.000)
- http://www.milw0rm.com/cracker/insert.php (Milw0rm Cracker db)
- http://blacklight.gotdns.org/cracker/crack.php (2,456,288)
- http://www.shell-storm.org/md5 ( The data base currently contains 169582 passwords )
- http://md5.xpzone.de (Need Account)
- http://passcracking.com/ (Register to increase your priority)
- http://www.xmd5.org

4 Brute Forcing
Most secure CMS's (Content Management Systems) use Salts and different algorithms.
an example is
Common: md5($password);PHP-Fusion: md5(md5($password));VBulliten: md5(md5($password).$salt);MyBB: md5(md5($salt).$password); 
Knowing the Hash + Hash Algorithm is needed when requesting help on cracking a hash.

Recommended Brute Forcing Programs
HashCat
Click Me To Download

HashCat = Linux
HashCat GUI = Windows.

PasswordsPro
Click Me To Download



4.1 WordLists
To brute force passwords its common sense you need a list of words.
Depending on the site of your CPU it all depends on how much space you want to use.
You can look at all the different word lists here

http://hashcrack.blogspot.com/p/wordlist-downloads.html

http://www.net-comber.com/wordurls.html

OR Download the wordlists I used.

NamesNumbers - 4MB - 4000800 Words
Really useful list, it provides top 200 popular male and female names followed by numbers.JacobJacob0Jacob1Jacob2....Jacob1000
28GB Wordlist - 28GB - 4103549326 Words
I Opened this up and it looked pretty useless as well as a waist of time to look threw. Around 28GB of just 6-7 characters long with special characters, letters, and numbers. Like ()D@WFOWI.
wordlist1 - 107MB - 9657365 Words
This file contains alot of number combination's as well as common passwords. This has gotten me afew cracks in the past.
UrbanDictionarySlangA-Z - 26KB - 3087 Words
I took the time and copying and pasting the top popular A-Z Urban Dictionary words, because some people use slang terms like friend and cumdumpster as a password.
Last Resort
If this tutorial doesn't help you or teach you how to crack hashes, then you can lead me to a nice one, but before you do look at this layout:
Hash:
Hash Algorithm(if known):Salt (if any):CMS(if known):

About Chirag Arya

Chirag is a young guy who is blessed with the art of Blogging,He love to Blog day in and day out,He is a Website Designer, Certified Hacker and a Certified Graphics Designer.

0 comments:

Post a Comment