Cracking Salted Password Hashes
When it comes to cracking or abusing password hashes, you often have three realistic options:
- Reversing the hash due to flaws in the algorithm.
- Brute forcing the hashes with a dictionary wordlist or rainbow tables.
- If you have update privileges on the database and know the generating algorithm, you can simply replace the stored hash with the hash of a password you know.
On penetration testing engagements or in CTF challenges, you will often come across hashed and salted passwords, whether in a database, in a packet capture file, or hard-coded in a configuration file or in source code.
After escalating privileges or exploiting misconfigurations, a common method of lateral movement inside a network is to crack the salted and hashed passwords stored in a GNU/Linux /etc/shadow file.
In this example, we have a SHA-512 (sha512crypt, $6$) salted and hashed password:
$6$xyz$sh0AtFyFg6tveXzYKKxVrqLP6JvwKlRmmz7ocaI5wztyoPv/HC9WOP4TNsiAglH5cXOctdR.NwTxiKqORuoaj1
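To see what this string encodes, and what a defender checks when reviewing a shadow file, here is an added Python audit script; it is not from the original article. It splits the modular crypt format `$id$[rounds=N$]salt$digest` into its fields and flags settings that make cracking easier: legacy DES and md5crypt, empty password fields, the sha512crypt default of 5000 rounds, and unusually short salts (the hash above carries a three-character salt, where libxcrypt generates sixteen). Apart from the root entry, which is the article's hash, the shadow lines are constructed for the demo and their digests are placeholders, not real hashes.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Modular Crypt Format identifiers that glibc/libxcrypt accept, with the
# verdict a reviewer would attach to finding each one in /etc/shadow.
SCHEMES = {
    "1": ("md5crypt", "weak: MD5-based and fast to crack"),
    "2a": ("bcrypt", "ok"),
    "2b": ("bcrypt", "ok"),
    "2y": ("bcrypt", "ok"),
    "5": ("sha256crypt", "acceptable"),
    "6": ("sha512crypt", "acceptable"),
    "7": ("scrypt", "ok"),
    "y": ("yescrypt", "good"),
    "gy": ("gost-yescrypt", "good"),
}
SHACRYPT_DEFAULT_ROUNDS = 5000  # used by $5$/$6$ when no rounds= parameter is present
MIN_SALT_LEN = 8                # libxcrypt generates 16-character salts; shorter ones are hand-made
MIN_BCRYPT_COST = 10

# Constructed shadow file for the demo. Only the root entry is the hash from the
# article; the other digests are placeholder strings, not real hashes.
SHADOW_SAMPLE = """\
root:$6$xyz$sh0AtFyFg6tveXzYKKxVrqLP6JvwKlRmmz7ocaI5wztyoPv/HC9WOP4TNsiAglH5cXOctdR.NwTxiKqORuoaj1:18975:0:99999:7:::
daemon:*:18975:0:99999:7:::
backup:!:18975:0:99999:7:::
guest::18975:0:99999:7:::
olduser:abJnggxhB/yWI:18975:0:99999:7:::
legacy:$1$abcdefgh$AAAAAAAAAAAAAAAAAAAAAA:18975:0:99999:7:::
svc:$6$rounds=100000$0123456789abcdef$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:18975:0:99999:7:::
web:$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZabcde:18975:0:99999:7:::
"""


@dataclass
class HashInfo:
    user: str
    scheme: str
    verdict: str
    salt: str = ""
    rounds: Optional[int] = None
    findings: List[str] = field(default_factory=list)


def parse_field(user: str, pw: str) -> HashInfo:
    """Classify one shadow password field and record what a reviewer would flag."""
    if pw == "":
        return HashInfo(user, "none", "critical: empty field, account logs in without a password")
    if pw[0] in "!*":
        return HashInfo(user, "locked", "locked or password login disabled")
    if not pw.startswith("$"):
        # Traditional DES crypt: 2-character salt + 11-character digest, 8-character password limit.
        return HashInfo(user, "descrypt", "weak: legacy DES, truncates passwords to 8 characters", salt=pw[:2])

    parts = pw.split("$")  # '$6$xyz$digest' -> ['', '6', 'xyz', 'digest']
    scheme_id = parts[1]
    name, verdict = SCHEMES.get(scheme_id, ("unknown", "unknown scheme: investigate"))
    info = HashInfo(user, name, verdict)

    if scheme_id in ("5", "6"):
        # $5$ / $6$ [rounds=N$] salt $ digest
        if parts[2].startswith("rounds="):
            info.rounds = int(parts[2][len("rounds="):])
            info.salt = parts[3]
        else:
            info.rounds = SHACRYPT_DEFAULT_ROUNDS
            info.salt = parts[2]
            info.findings.append("default 5000 rounds; raise SHA_CRYPT_MIN_ROUNDS in login.defs or move to yescrypt")
    elif scheme_id in ("2a", "2b", "2y"):
        # $2b$ cost $ 22-character salt followed directly by the 31-character digest
        info.rounds = int(parts[2])
        info.salt = parts[3][:22]
        if info.rounds < MIN_BCRYPT_COST:
            info.findings.append(f"bcrypt cost {info.rounds} is below {MIN_BCRYPT_COST}")
        return info
    elif scheme_id == "1":
        info.salt = parts[2]
    elif len(parts) > 3:
        # $y$ / $gy$ / $7$: $id$params$salt$digest
        info.salt = parts[3]

    if len(info.salt) < MIN_SALT_LEN:
        info.findings.append(f"short salt ({len(info.salt)} chars): likely hand-made or from a weak generator")
    return info


def audit_shadow(text: str) -> List[HashInfo]:
    """Parse shadow-format lines (user:password:...) into one HashInfo per account."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pw = line.split(":")[:2]
        results.append(parse_field(user, pw))
    return results


if __name__ == "__main__":
    for r in audit_shadow(SHADOW_SAMPLE):
        flags = "; ".join(r.findings) or "-"
        print(f"{r.user:<8} {r.scheme:<13} rounds={r.rounds!s:<7} salt={r.salt:<22} {r.verdict} | {flags}")
```

Run against a real shadow file with `audit_shadow(open("/etc/shadow").read())` as root; accounts flagged with a weak scheme are candidates for a forced password change, which re-hashes them with the system's current default.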
We can now use a tool like hashcat and a good password list to attack this salted hash:
kali@kali:~/sandbox$ echo '$6$xyz$sh0AtFyFg6tveXzYKKxVrqLP6JvwKlRmmz7ocaI5wztyoPv/HC9WOP4TNsiAglH5cXOctdR.NwTxiKqORuoaj1' > creds.txt
kali@kali:~/sandbox$ hashcat -m 1800 -a 0 -o cracked.txt creds.txt /usr/share/seclists/Passwords/Leaked-Databases/alleged-gmail-passwords.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 9.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz, 5836/5900 MB (2048 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Uses-64-Bit
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 65 MB
Dictionary cache built:
* Filename..: /usr/share/seclists/Passwords/Leaked-Databases/alleged-gmail-passwords.txt
* Passwords.: 3132006
* Bytes.....: 29700652
* Keyspace..: 3131999
* Runtime...: 0 secs
Session..........: hashcat
Status...........: Cracked
Hash.Name........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$xyz$sh0AtFyFg6tveXzYKKxVrqLP6JvwKlRmmz7ocaI5wzty...Ruoaj1
Time.Started.....: Tue Dec 14 19:57:29 2021 (2 mins, 1 sec)
Time.Estimated...: Tue Dec 14 19:59:30 2021 (0 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/alleged-gmail-passwords.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1716 H/s (7.53ms) @ Accel:32 Loops:512 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 207232/3131999 (6.62%)
Rejected.........: 0/207232 (0.00%)
Restore.Point....: 207104/3131999 (6.61%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4608-5000
Candidates.#1....: 1amadeua -> 1anamika
Started: Tue Dec 14 19:56:25 2021
Stopped: Tue Dec 14 19:59:32 2021
kali@kali:~/sandbox$ cat cracked.txt
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: cracked.txt
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ $6$xyz$sh0AtFyFg6tveXzYKKxVrqLP6JvwKlRmmz7ocaI5wztyoPv/HC9WOP4TNsiAglH5cXOctdR.NwTxiKqORuoaj1:1ambatman
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
After about two minutes, we have the password: 1ambatman.
Depending on the hashing algorithm and on where the hash and salt were dumped from, the salt may not be embedded in the hash string as it is here; in that case you have to supply the two values yourself, separated by a colon, e.g. $pass:$salt.
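For that separate-salt layout, here is an added example of how such a record is produced and verified; it is not code from the original article. It uses PBKDF2-HMAC-SHA256 from Python's standard library and a `digest:salt:iterations` field layout chosen for this demo, with the iteration count taken from the OWASP Password Storage Cheat Sheet. It also shows why the salt alone is no defence: once the record is read, the same salt is applied to every dictionary guess, so only the iteration count (the work factor) sets the cost per guess. The password 1ambatman is the one recovered above; the short wordlist is constructed.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP Password Storage Cheat Sheet figure)
SALT_BYTES = 16       # random and per-password; the salt is public, only the password is secret


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return 'hexdigest:hexsalt:iterations' (layout chosen for this demo).

    The salt sits beside the digest instead of inside a $id$salt$digest string,
    which is exactly the case where a cracker has to be fed hash:salt.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{dk.hex()}:{salt.hex()}:{iterations}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest_hex, salt_hex, iterations = stored.split(":")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(digest_hex))


def audit_against_wordlist(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry that matches the stored record, or None.

    This is the same loop a cracker runs: the salt is read from the record and
    applied to every guess, so it does not slow the attacker down; only the
    iteration count does. Run it over your own user base with a breach list to
    find weak passwords before someone else does.
    """
    for candidate in wordlist:
        if verify_password(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    record = hash_password("1ambatman")
    print("stored:", record)
    print("verify correct:", verify_password("1ambatman", record))
    print("verify wrong:  ", verify_password("1ambatmen", record))
    # Same password, fresh salt: a different digest, which is what defeats precomputed tables.
    print("same password, different digest:", hash_password("1ambatman").split(":")[0] != record.split(":")[0])
    # Constructed mini wordlist; the real attack uses millions of entries, as the hashcat run above shows.
    print("wordlist hit:", audit_against_wordlist(record, ["password", "123456", "1ambatman"]))
```

The one lever the defender controls here is the iteration count: at the article's rate of roughly 1700 guesses per second for sha512crypt, every doubling of the work factor halves the wordlist coverage an attacker gets in the same two minutes, while a weak password in the list still falls no matter how the salt is stored.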
This is yet another reminder of how important it is to choose a strong password with a high level of complexity. With password managers providing easy options these days to generate and manage strong passwords, there’s no excuse to use (and re-use) weak passwords. Just make sure to use a strong password combined with multi-factor authentication for your password manager, or you just might find someone easily cracking the hash to your password vault.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.