C.3) SHA-1 cracking script
In the project code, I've provided you a very simple script for cracking unsalted SHA-1 digests:
passwords/[Link]
It takes a password file with SHA1 digests and a dictionary file, and tries to find matching words.
For example, you may be able to find some passwords using a command like:
python2.7 passwords/[Link] htpasswd-FILE /usr/share/dict/words
In the project code, I've also given you a larger dictionary of common passwords, so you may
be able to find more with this:
python2.7 passwords/[Link] htpasswd-FILE passwords/[Link]
🔎C.3.1) Crack molly_millions password to access and get me the contents of this file:
[Link]
🔎C.3.2) Crack lisbeth_salander password to access and get me the contents of this file:
[Link]
C.4) Write a simple MD5 dictionary attack script
Modify the SHA-1 cracking script to work with MD5, and see if you can re-find any passwords
which you previously cracked using a website.
python2.7 [Link] passwords/htpasswd-md5 passwords/[Link]
🧩C.4.1) Attach your script. It doesn't need to crack every password in the file, but it should do
a reasonable attempt at a dictionary search using a dictionary of my choice.
D) Cracking other password files
Let's try to attack password files other than unsalted htpasswd files.
D.1) Use an industry-grade cracker
On blue, I have installed a password cracker called John The Ripper. To find it, you need to
extend your PATH to include its location. This command will do that for the current shell session only:
export PATH=$PATH:~cs340/bin/
Or, this command will run a script that modifies your .bashrc file and permanently extends your path.
(Fetch and read the script before piping it into bash; the pipeline executes whatever the server returns.)
$ wget -O - [Link] | bash
To check your path is correctly modified, you can check it using:
$ which john
/home/faculty/cs340/bin/john
John can run in several modes:
● Single Crack Mode (--single): only uses information found in the password file
itself (the login name, the GECOS/full-name field and the home directory name) and
mangled variants of those.
● Wordlist Crack Mode (--wordlist): tries the words in the word list, and with --rules
also mangled variants of them.
● Incremental Mode (--incremental): uses a baseline character set and tries all possible
combinations of those characters. Please don't use this in our lab. It just takes too long.
John understands many common password file formats, and it looks like there are a bunch of
stolen password files under [Link] that you can reach.
🧩D.1.1) Grab all of the password files at [Link] and
see how far john gets with them. Do not use incremental mode. Put any passwords you crack
in this spreadsheet and share it with me. I do not expect you to crack all of them, but
experiment with different word lists. List any other passwords you crack during the lab in this
spreadsheet, too.
For example, you can run John in wordlist mode using a command like the following:
$ john --wordlist=PATH FILE
In the above command:
● FILE is the path to the password file. John will try to detect which hash format is used;
if it guesses wrong, you can pin the format with --format=NAME. You can only list multiple
files if they are the same format.
● PATH is the path to a dictionary list. There are a variety of dictionaries to select at
/home/faculty/cs340/share/john/word-lists/
$ ls -sh /home/faculty/cs340/share/john/word-lists/*.txt
16M /home/faculty/cs340/share/john/word-lists/[Link]
15G /home/faculty/cs340/share/john/word-lists/[Link]
134M /home/faculty/cs340/share/john/word-lists/[Link]
While John runs, you can get its status by typing any key. For example, it took about 3 minutes
using biglist with one of my files, and it cracked about 1/2 of the passwords in it.
$ time john --wordlist=[Link] stolen-shadow
Using default input encoding: UTF-8
Loaded 6 password hashes with 6 different salts
[...]
Press 'q' or Ctrl-C to abort, almost any other key for status
0g [Link] 1.81% [...]
3g [Link] 77.15% [...]
[...]
Use the "--show" option to display all of the cracked passwords reliably
Session completed
real 3m15.200s
user 99m42.842s
sys 0m8.467s
As John cracks, it will save the cracked passwords into its "pot" file (john.pot by default)
in a directory under your home directory, and you can show the cracked passwords for a given
password file using the --show option:
$ ls ~/.john/
[Link] [Link]
$ john --show stolen-*
0 password hashes cracked, 21 left
D.2) Write a simple haxor cracker
A few of the SHA1 passwords from ~cs340/public_html/.htpasswd were not in [Link].
However, the passwords that are missing are simple haxor variants of words from [Link].
🧩D.2.1) Create a new version of the passwords/[Link] script that incrementally tries
different haxor variants of the biglist words, and cracks all the SHA1 passwords. Attach your
completed script. It should be run the same way as the passwords/[Link] script and
have no dependencies on non-standard libraries.
You can google haxor to learn more, but it's just a simple substitution of letters. Start with these:
● I/i -> 1
● T/t -> 7
● O/o -> 0
● A/a -> 4
● E/e -> 3
So, if I had the words "ate" and "eat" in my word list, my first pass might try just one-letter
substitutions:
● haxor("ate", 1) gives ["4te", "a7e", "at3", ...]
● haxor("eat", 1) gives ["3at", "e4t", "ea7", ...]
On my second pass, I might try all two-letter substitutions:
● haxor("ate", 2) gives ["47e", "a73", "4t3", ...]
● haxor("eat", 2) gives ["3a7", "34t", "e47", ...]
This is a "breadth-first" search over the number of substitutions, and it keeps you from
getting stuck in the combinatorial explosion you would hit by enumerating every variant of a
particularly long word before moving on to the next word.
⚠️Hint: You might find the python module itertools useful when implementing haxor(w, n).
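The following is an added example (not the lab's passwords/ script and not a reference solution) showing one way to structure the pieces asked for in C.4 and D.2.1: an htpasswd parser that handles the unsalted entry types, a haxor(w, n) built on itertools.combinations, and a breadth-first dictionary attack that covers both SHA-1 and MD5. It is written for Python 3 rather than the lab's python2.7. It assumes the SHA-1 entries use Apache's unsalted {SHA}<base64> form and that the MD5 file holds bare 32-hex-digit digests; the sample htpasswd text and word list are constructed here for the demo.

```python
import base64
import hashlib
import itertools

# Letter substitutions from the lab text. Extend this table to try more variants.
HAXOR = {"i": "1", "t": "7", "o": "0", "a": "4", "e": "3"}


def haxor(word, n):
    """Yield every variant of word with exactly n of its substitutable letters replaced.

    itertools.combinations picks which n positions to replace, so
    haxor("ate", 1) -> 4te, a7e, at3 and haxor("ate", 2) -> 47e, 4t3, a73.
    """
    positions = [i for i, c in enumerate(word) if c.lower() in HAXOR]
    for chosen in itertools.combinations(positions, n):
        chars = list(word)
        for i in chosen:
            chars[i] = HAXOR[chars[i].lower()]
        yield "".join(chars)


def parse_htpasswd(text):
    """Map user -> (algorithm, digest bytes) for the unsalted entry types handled here.

    {SHA}<base64> is Apache's unsalted SHA-1 format. A bare 32-hex-digit field is taken
    as a raw MD5 digest (assumption about the lab's htpasswd-md5 layout). Salted formats
    such as $apr1$ are skipped; use john for those.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":", 1)
        if field.startswith("{SHA}"):
            digest = base64.b64decode(field[len("{SHA}"):])
            if len(digest) == 20:  # anything else is not a SHA-1 digest
                entries[user] = ("sha1", digest)
        elif len(field) == 32 and all(c in "0123456789abcdefABCDEF" for c in field):
            entries[user] = ("md5", bytes.fromhex(field))
    return entries


def crack(entries, words, max_subs=0):
    """Breadth-first dictionary attack: plain words first, then 1-letter variants, then 2, ...

    Returns {user: password}. Every candidate is hashed once per algorithm present and
    looked up in a dict keyed by digest, so users sharing a password are found together
    and the cost is O(candidates), not O(candidates * users).
    """
    targets = {}
    for user, key in entries.items():
        targets.setdefault(key, []).append(user)
    algorithms = {alg for alg, _ in targets}
    found = {}

    def attempt(candidate):
        data = candidate.encode()
        for alg in algorithms:
            for user in targets.pop((alg, hashlib.new(alg, data).digest()), []):
                found[user] = candidate

    for n in range(0, max_subs + 1):
        for word in words:
            if not targets:  # everything cracked; stop early
                return found
            if n == 0:
                attempt(word)
            else:
                for variant in haxor(word, n):
                    attempt(variant)
    return found


# Constructed sample input, not a file from the lab. The first two digests are the
# well-known unsalted hashes of "password"; the third is computed here for "p4ssw0rd".
SAMPLE_HTPASSWD = "\n".join([
    "alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",  # SHA-1("password")
    "bob:5f4dcc3b5aa765d61d8327deb882cf99",       # MD5("password")
    "carol:{SHA}" + base64.b64encode(hashlib.sha1(b"p4ssw0rd").digest()).decode(),
    "dave:$apr1$saltsalt$notHandledHereUseJohn/",  # salted: skipped by parse_htpasswd
])
SAMPLE_WORDS = ["hello", "password", "letmein"]


def demo(max_subs=2):
    """Run the attack on the constructed sample; carol only falls at max_subs >= 2."""
    return crack(parse_htpasswd(SAMPLE_HTPASSWD), SAMPLE_WORDS, max_subs)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: python3 crack.py HTPASSWD-FILE WORDLIST
        with open(sys.argv[1]) as f:
            entries = parse_htpasswd(f.read())
        with open(sys.argv[2], errors="replace") as f:
            words = [w.strip() for w in f if w.strip()]
        for user, pw in crack(entries, words, max_subs=2).items():
            print(user + ":" + pw)
    else:
        print(demo())
```

Note that a user whose password needs two substitutions ("p4ssw0rd") is only reached on the n=2 pass, after every plain word and every one-letter variant has been tried, which is exactly the breadth-first order described above. Holding the digests in a dict means adding more users to the file costs nothing per candidate; the work scales with the size of the word list times the number of variants per word.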
🔎D.2.2) Crack the dennis_nedry password to access and get me the contents of this file:
[Link]
🔎D.2.3) Crack the chloe_sullivan password to access and get me the contents of this file:
[Link]
D.3) Use rcrack with a rainbow table
I've created a set of rainbow tables using rtgen. The files are available at ~cs340/rtables.
These files comprise the table sha1_ascii-32-95#1-7: SHA-1 digests of passwords of length
1–7 drawn from the 95 printable ASCII characters (codes 32–126, which is what the charset name
ascii-32-95 means). Rainbow tables cover their keyspace probabilistically, so a few digests in
that space will still be missed. Because of a limitation I haven't fixed yet,
the rcrack utility only works when called from the directory ~cs340/rtables, so you need to
cd there to use it. If you do not see the pink output, then you are not in the right directory!
$ rcrack
RainbowCrack 1.8
Copyright 2020 RainbowCrack Project. All rights reserved.
[Link]
usage: rcrack path [path] [...] -h hash
rcrack path [path] [...] -l hash_list_file
rcrack path [path] [...] -lm pwdump_file
rcrack path [path] [...] -ntlm pwdump_file
path: directory where rainbow tables (*.rt, *.rtc) are stored
-h hash: load single hash
-l hash_list_file: load hashes from a file, each hash in a line
-lm pwdump_file: load lm hashes from pwdump file
-ntlm pwdump_file: load ntlm hashes from pwdump file
implemented hash algorithms:
lm HashLen=8 PlaintextLen=0-7
ntlm HashLen=16 PlaintextLen=0-15
md5 HashLen=16 PlaintextLen=0-15
sha1 HashLen=20 PlaintextLen=0-20
sha256 HashLen=32 PlaintextLen=0-20
examples:
rcrack . -h 5d41402abc4b2a76b9719d911017c592
rcrack . -l [Link]
$ pwd
/home/faculty/cs340/rtables
From there, you can crack an individual digest by calling:
$ rcrack ~cs340/rtables -h HEX
● Where HEX is the hex string for the digest (40 hex digits, since this table is for SHA-1)
🧩D.3.1) Revisit challenge D.1.1 and try to crack any remaining SHA1 digests using rcrack,
and add those to the spreadsheet you've submitted for D.1.1.
⚠️Note: You can convert from the base64 encoding of a digest to a hex string using the sort of
commands introduced in section C.2, like:
$ echo Hi | base64
SGkK
# this is the base64 encoded version of 'Hi\n'
$ echo Hi | xxd -p
48690a
# this is 'Hi\n' in hex
$ echo SGkK | base64 -d | xxd -p
48690a
# decodes the base64 string and turns it into hex
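The rcrack usage text above accepts a hash list file (-l) with one hex digest per line. The following added example (Python 3; not part of the lab's code) turns the {SHA} entries of an htpasswd file into such a list, which is handy for D.3.1 when there are many remaining digests. It assumes the unsalted entries use the {SHA}<base64> form; the sample htpasswd text is constructed here, and the first digest in it is the well-known SHA-1 of "password".

```python
import base64


def b64_to_hex(s):
    """Decode a base64 string and return its bytes as lowercase hex (the page's
    'echo SGkK | base64 -d | xxd -p' pipeline)."""
    return base64.b64decode(s, validate=True).hex()


def htpasswd_to_rcrack_list(text):
    """Return the SHA-1 digests of all {SHA} entries as 40-hex-digit strings,
    deduplicated and in file order, one per line for rcrack -l.

    Entries in salted formats ($apr1$, crypt, bcrypt) are skipped: a SHA-1 table
    cannot attack them. A {SHA} field that does not decode to exactly 20 bytes is a
    corrupted or truncated line, so it is reported rather than silently passed on.
    """
    digests = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        field = line.split(":", 1)[1].strip()
        if not field.startswith("{SHA}"):
            continue
        hexdigest = b64_to_hex(field[len("{SHA}"):])
        if len(hexdigest) != 40:
            raise ValueError("not a SHA-1 digest: " + line)
        if hexdigest not in digests:
            digests.append(hexdigest)
    return digests


def write_hash_list(path, text):
    """Write the hash list file for 'rcrack ~cs340/rtables -l PATH'; returns the count."""
    digests = htpasswd_to_rcrack_list(text)
    with open(path, "w") as f:
        for d in digests:
            f.write(d + "\n")
    return len(digests)


# Constructed sample (not a lab file): two users share the "password" digest,
# one entry is salted and must go to john instead.
SAMPLE_HTPASSWD = """\
alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
bob:$apr1$saltsalt$notCoverableBySha1Table/
eve:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTPASSWD
    for d in htpasswd_to_rcrack_list(src):
        print(d)
```

Run it with the path to an htpasswd file to get the list on stdout, or use write_hash_list to produce the file, then pass that file to rcrack with -l from inside ~cs340/rtables. Deduplicating first matters because the page's table lookup is the expensive step; cracking one digest answers for every user that shares it.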