#Key Terms
Plaintext :- Data before encryption or hashing, often text but not always as it could be a photograph or other file instead.
Encoding :- This is NOT a form of encryption, just a form of data representation like base64 or hexadecimal. Immediately reversible.
Hash :- A hash is the output of a hash function. Hashing can also be used as a verb, "to hash", meaning to produce the hash value of some data.
Brute force :- Attacking cryptography by trying every different password or every different key
Cryptanalysis :- Attacking cryptography by finding a weakness in the underlying maths
What's a hash function ?
A hash function is any function that can be used to map data of arbitrary size to fixed-size values. The values returned by a hash function are called hash values,** hash codes, digests, or simply hashes. The values are usually used to index a fixed-size table called a hash table.
#Uses For hashing
What can we do with hashing?
Hashing is used for 2 main purposes in Cyber Security. To verify integrity of data (More on that later), or for verifying passwords.
https://nakedsecurity.sophos.com/20...ter-adobes-giant-sized-cryptographic-blunder/ :- adobe data breach blog.
Why we use hashes ?
You can't encrypt the passwords, as the key has to be stored somewhere. If someone gets the key, they can just decrypt the passwords.
This is where hashing comes in. What if, instead of storing the password, you just stored the hash of the password? This means you never have to store the user's password, and if your database was leaked then an attacker would have to crack each password to find out what the password was. That sounds fairly useful.
There's just one problem with this. What if two users have the same password? As a hash function will always turn the same input into the same output, you will store the same password hash for each user. That means if someone cracks that hash, they get into more than one account. It also means that someone can create a "Rainbow table" to break the hashes.
A rainbow table is a lookup table of hashes to plaintexts, so you can quickly find out what password a user had just from the hash. A rainbow table trades time taken to crack a hash for hard disk space, but they do take time to create.
#example :- Here's a quick example so you can try and understand what they're like.
**Hash Password
02c75fb22c75b23dc963c7eb91a062cc zxcvbnm
b0baee9d279d34fa1dfd71aadb908c3f 11111
c44a471bd78cc6c2fea32b9fe028d30a asdfghjkl
d0199f51d2728db6011945145a1b607a basketball
dcddb75469b4b4875094e14561e573d8 000000
e10adc3949ba59abbe56e057f20f883e 123456
e19d5cd5af0378da05f63f891c7467af abcd1234
e99a18c428cb38d5f260853678922e03 abc123
fcea920f7412b5da7be0cf42b8c93759 1234567
Websites like Crackstation internally use HUGE rainbow tables to provide fast password cracking for hashes without salts. Doing a lookup in a sorted list of hashes is really quite fast, much much faster than trying to crack the hash.
Protecting against rainbow tables
To protect against rainbow tables, we add a salt to the passwords. The salt is randomly generated and stored in the database, unique to each user.** In theory, you could use the same salt for all users but that means that duplicate passwords would still have the same hash, and a rainbow table could still be created specific passwords with that salt.
The salt is added to either the start or the end of the password before it’s hashed, and this means that every user will have a different password hash even if they have the same password. Hash functions like bcrypt and sha512crypt handle this automatically. Salts don’t need to be kept private.
#Recognising Password Hashes
Unix style password hashes are very easy to recognise, as they have a prefix. The prefix tells you the hashing algorithm used to generate the hash. The standard format is $format$rounds$salt$hash.
Windows passwords are hashed using NTLM, which is a variant of md4. They're visually identical to md4 and md5 hashes, so it's very important to use context to work out the hash type.
On Linux, password hashes are stored in /etc/shadow. This file is normally only readable by root. They used to be stored in /etc/passwd, and were readable by everyone.
On Windows, password hashes are stored in the SAM. Windows tries to prevent normal users from dumping them, but tools like mimikatz exist for this. Importantly, the hashes found there are split into NT hashes and LM hashes.
Here's a quick table of the most Unix style password prefixes that you'll see.
**Prefix Algorithm
$1$ md5crypt, used in Cisco stuff and older Linux/Unix systems
$2$, $2a$, $2b$, $2x$, $2y$ Bcrypt (Popular for web applications)
$6$ sha512crypt (Default for most Linux/Unix systems)
A great place to find more hash formats and password prefixes is the hashcat example page, available here: https://hashcat.net/wiki/doku.php?id=example_hashes.
For other hash types, you'll normally need to go by length, encoding or some research into the application that generated them. Never underestimate the power of research.
#Password Cracking
We've already mentioned rainbow tables as a method to crack hashes that don't have a salt, but what if there's a salt involved?
You can't "decrypt" password hashes. They're not encrypted. You have to crack the hashes by hashing a large number of different inputs (often rockyou, these are the possible passwords), potentially adding the salt if there is one and comparing it to the target hash. Once it matches, you know what the password was. Tools like Hashcat and John the Ripper are normally used for this.
Why crack on GPUs?
Graphics cards have thousands of cores. Although they can’t do the same sort of work that a CPU can, they are very good at some of the maths involved in hash functions. This means you can use a graphics card to crack most hash types much more quickly. Some hashing algorithms, notably bcrypt, are designed so that hashing on a GPU is about the same speed as hashing on a CPU which helps them resist cracking.
Cracking on VMs?
It’s worth mentioning that virtual machines normally don’t have access to the host's graphics card(s) (You can set this up, but it’s a lot of work). If you want to run hashcat, it’s best to run it on your host (Windows builds are available on the website, run it from powershell). You can get Hashcat working with OpenCL in a VM, but the speeds will likely be much worse than cracking on your host. John the ripper uses CPU by default and as such, works in a VM out of the box although you may get better speeds running it on the host OS as it will have more threads and no overhead from running in a VM.
NEVER (I repeat, NEVER!) use --force for hashcat. It can lead to false positives (wrong passwords being given to you) and false negatives (skips over the correct hash).
UPDATE: As of Kali 2020.2, hashcat 6.0 will run on the CPU without --force. I still recommend cracking on your host OS if you have a GPU, as it will be much much faster.
#Hashing For Integrity Checking
Integrity Checking
Hashing can be used to check that files haven't been changed. If you put the same data in, you always get the same data out. If even a single bit changes, the hash will change a lot. This means you can use it to check that files haven't been modified or to make sure that they have downloaded correctly. You can also use hashing to find duplicate files, if two pictures have the same hash then they are the same picture.
Plaintext :- Data before encryption or hashing, often text but not always as it could be a photograph or other file instead.
Encoding :- This is NOT a form of encryption, just a form of data representation like base64 or hexadecimal. Immediately reversible.
Hash :- A hash is the output of a hash function. Hashing can also be used as a verb, "to hash", meaning to produce the hash value of some data.
Brute force :- Attacking cryptography by trying every different password or every different key
Cryptanalysis :- Attacking cryptography by finding a weakness in the underlying maths
What's a hash function ?
A hash function is any function that can be used to map data of arbitrary size to fixed-size values. The values returned by a hash function are called hash values,** hash codes, digests, or simply hashes. The values are usually used to index a fixed-size table called a hash table.
#Uses For hashing
What can we do with hashing?
Hashing is used for 2 main purposes in Cyber Security. To verify integrity of data (More on that later), or for verifying passwords.
https://nakedsecurity.sophos.com/20...ter-adobes-giant-sized-cryptographic-blunder/ :- adobe data breach blog.
Why we use hashes ?
You can't encrypt the passwords, as the key has to be stored somewhere. If someone gets the key, they can just decrypt the passwords.
This is where hashing comes in. What if, instead of storing the password, you just stored the hash of the password? This means you never have to store the user's password, and if your database was leaked then an attacker would have to crack each password to find out what the password was. That sounds fairly useful.
There's just one problem with this. What if two users have the same password? As a hash function will always turn the same input into the same output, you will store the same password hash for each user. That means if someone cracks that hash, they get into more than one account. It also means that someone can create a "Rainbow table" to break the hashes.
A rainbow table is a lookup table of hashes to plaintexts, so you can quickly find out what password a user had just from the hash. A rainbow table trades time taken to crack a hash for hard disk space, but they do take time to create.
#example :- Here's a quick example so you can try and understand what they're like.
**Hash Password
02c75fb22c75b23dc963c7eb91a062cc zxcvbnm
b0baee9d279d34fa1dfd71aadb908c3f 11111
c44a471bd78cc6c2fea32b9fe028d30a asdfghjkl
d0199f51d2728db6011945145a1b607a basketball
dcddb75469b4b4875094e14561e573d8 000000
e10adc3949ba59abbe56e057f20f883e 123456
e19d5cd5af0378da05f63f891c7467af abcd1234
e99a18c428cb38d5f260853678922e03 abc123
fcea920f7412b5da7be0cf42b8c93759 1234567
Websites like Crackstation internally use HUGE rainbow tables to provide fast password cracking for hashes without salts. Doing a lookup in a sorted list of hashes is really quite fast, much much faster than trying to crack the hash.
Protecting against rainbow tables
To protect against rainbow tables, we add a salt to the passwords. The salt is randomly generated and stored in the database, unique to each user.** In theory, you could use the same salt for all users but that means that duplicate passwords would still have the same hash, and a rainbow table could still be created specific passwords with that salt.
The salt is added to either the start or the end of the password before it’s hashed, and this means that every user will have a different password hash even if they have the same password. Hash functions like bcrypt and sha512crypt handle this automatically. Salts don’t need to be kept private.
#Recognising Password Hashes
Unix style password hashes are very easy to recognise, as they have a prefix. The prefix tells you the hashing algorithm used to generate the hash. The standard format is $format$rounds$salt$hash.
Windows passwords are hashed using NTLM, which is a variant of md4. They're visually identical to md4 and md5 hashes, so it's very important to use context to work out the hash type.
On Linux, password hashes are stored in /etc/shadow. This file is normally only readable by root. They used to be stored in /etc/passwd, and were readable by everyone.
On Windows, password hashes are stored in the SAM. Windows tries to prevent normal users from dumping them, but tools like mimikatz exist for this. Importantly, the hashes found there are split into NT hashes and LM hashes.
Here's a quick table of the most Unix style password prefixes that you'll see.
**Prefix Algorithm
$1$ md5crypt, used in Cisco stuff and older Linux/Unix systems
$2$, $2a$, $2b$, $2x$, $2y$ Bcrypt (Popular for web applications)
$6$ sha512crypt (Default for most Linux/Unix systems)
A great place to find more hash formats and password prefixes is the hashcat example page, available here: https://hashcat.net/wiki/doku.php?id=example_hashes.
For other hash types, you'll normally need to go by length, encoding or some research into the application that generated them. Never underestimate the power of research.
#Password Cracking
We've already mentioned rainbow tables as a method to crack hashes that don't have a salt, but what if there's a salt involved?
You can't "decrypt" password hashes. They're not encrypted. You have to crack the hashes by hashing a large number of different inputs (often rockyou, these are the possible passwords), potentially adding the salt if there is one and comparing it to the target hash. Once it matches, you know what the password was. Tools like Hashcat and John the Ripper are normally used for this.
Why crack on GPUs?
Graphics cards have thousands of cores. Although they can’t do the same sort of work that a CPU can, they are very good at some of the maths involved in hash functions. This means you can use a graphics card to crack most hash types much more quickly. Some hashing algorithms, notably bcrypt, are designed so that hashing on a GPU is about the same speed as hashing on a CPU which helps them resist cracking.
Cracking on VMs?
It’s worth mentioning that virtual machines normally don’t have access to the host's graphics card(s) (You can set this up, but it’s a lot of work). If you want to run hashcat, it’s best to run it on your host (Windows builds are available on the website, run it from powershell). You can get Hashcat working with OpenCL in a VM, but the speeds will likely be much worse than cracking on your host. John the ripper uses CPU by default and as such, works in a VM out of the box although you may get better speeds running it on the host OS as it will have more threads and no overhead from running in a VM.
NEVER (I repeat, NEVER!) use --force for hashcat. It can lead to false positives (wrong passwords being given to you) and false negatives (skips over the correct hash).
UPDATE: As of Kali 2020.2, hashcat 6.0 will run on the CPU without --force. I still recommend cracking on your host OS if you have a GPU, as it will be much much faster.
#Hashing For Integrity Checking
Integrity Checking
Hashing can be used to check that files haven't been changed. If you put the same data in, you always get the same data out. If even a single bit changes, the hash will change a lot. This means you can use it to check that files haven't been modified or to make sure that they have downloaded correctly. You can also use hashing to find duplicate files, if two pictures have the same hash then they are the same picture.