
Guide to Password Cracking

  • Hashing
  • Hash analysis
  • Cracking the hash

Hashing

Hashing is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string. Hashing is used to index and retrieve items in a database because it is faster to find the item using the shorter hashed key than to find it using the original value. It is also used in many encryption algorithms.

Salting refers to adding additional data to a password before it is hashed and stored in the database, which makes the stored hashes more difficult to crack.
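The effect of salting described above, as an added example that is not part of the original guide: two accounts with the same password share one unsalted MD5 hash, while a random per-user salt gives each account a distinct record. The use of PBKDF2, the iteration count, and the account names and passwords are assumptions constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # constructed work factor for this example


def unsalted_md5(password: str) -> str:
    """Weak scheme: the same password always yields the same 128-bit hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted scheme: a random per-user salt is mixed in before hashing."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_record(password, salt)
    return hmac.compare_digest(digest, expected)


def duplicate_hash_groups(records: dict[str, str]) -> list[list[str]]:
    """Audit helper: users whose stored hashes are identical share a password."""
    groups: dict[str, list[str]] = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample accounts; two users picked the same password.
    accounts = {"alice": "sunshine1", "bob": "sunshine1", "carol": "T4ble-lamp!"}
    weak = {u: unsalted_md5(p) for u, p in accounts.items()}
    strong = {u: salted_record(p) for u, p in accounts.items()}
    salted_hex = {u: digest.hex() for u, (_, digest) in strong.items()}
    print("unsalted duplicates:", duplicate_hash_groups(weak))
    print("salted duplicates:  ", duplicate_hash_groups(salted_hex))
    salt, digest = strong["alice"]
    print("alice login ok:", verify("sunshine1", salt, digest))
```

The salt is stored next to the digest; it does not need to be secret, only unique per account.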

Hash analysis

Different hash algorithms produce hashes of different bit lengths, so most of the time we can guess the algorithm by looking at the hash. The hash bit lengths for a few algorithms are listed below:

MD2 128 bits
MD4 128 bits
MD5 128 bits
MD6 Up to 512 bits
RIPEMD-128 128 bits
RIPEMD-160 160 bits
RIPEMD-320 320 bits
SHA-1 160 bits
SHA-224 224 bits
SHA-256 256 bits
SHA-384 384 bits
SHA-512 512 bits
Tiger 192 bits
Whirlpool 512 bits

With experience you can also make an easy guess; for example, MySQL usually stores passwords as MD5.

If you would rather not do this by hand, there are many tools and websites for it, such as Hash Analyzer - TunnelsUP, or you can just install "hash-identifier" with:

apt-get install hash-identifier

Just run it and input the hash; the tool will guess the hash algorithm. Now let's get to the main thing.

Cracking

The best tool to crack passwords after getting the hash is hashcat (see example_hashes on the hashcat wiki); there are other good tools, such as John the Ripper.

To install hashcat: Go to https://hashcat.net/hashcat/

Start cracking the hashes contained in the target_hashes.txt file. We will use the following command line, as illustrated below:

# hashcat -m 0 -a 0 -o cracked.txt target_hashes.txt /usr/share/wordlists/rockyou.txt
  1. -m 0 designates the type of hash we are cracking (MD5)
  2. -a 0 designates a dictionary attack
  3. -o cracked.txt is the output file for the cracked passwords
  4. target_hashes.txt is our input file of hashes
  5. /usr/share/wordlists/rockyou.txt is the absolute path to the wordlist file for this dictionary attack

To find the codes for other hashing algorithms, run "hashcat -h", which lists all the algorithm codes.

All The Best