Password Recovery Using Hashcat


A hash is a signature that identifies data, such as a file or message. It is produced by a one-way mathematical function that turns data into a string of unreadable text that can't be decoded or reversed.

What is Hashcat?

Hashcat is a password cracking tool used for licit and illicit purposes. It is a particularly fast, efficient, and versatile hacking tool that assists brute-force attacks by computing the hash of each password it guesses and comparing it with the target hash value.

To crack a password using Hashcat, follow these steps:

1. Find the hash of the file for which you need to crack the password.

2. Save the hash to a text file.

3. Find or create a dictionary for use in the password-cracking process.

4. Use Hashcat commands to crack the password.


  • There are numerous options available to find a file's hash. In this case, we are using a Python file to obtain the hash of the file.
  • In this blog post, we focus on finding the password of a Word document. There is a separate Python file for each type of file; the screenshot and the link to the website are given below.

Refer to this link for the Python files: https://github.com/openwall/john/blob/bleeding-jumbo/run/pcap2john.py

  • The Python files for getting the hash of files with different file extensions are shown in the red box on the left side.
  • Click on the file for which you want the hash and click on the download button at the top right.
  • Use the command below to get the hash of the file:

Command: python3 office2john.py sample.docx


  • Copy the whole hash, that is, everything after your file's name, into a text file.
  • Download Hashcat from its website, extract all the files, and save the text file of the hash in the extracted folder. The process is shown in the figures below.


  • There is a text file named "rockyou.txt" containing billions of password collections that can be downloaded, but for simplicity, a custom dictionary named "rock.txt" has been created for use in this blog. The dictionary and hash text files should be located in the Hashcat folder, or you can specify their paths.


  • The figure above depicts the Hashcat folder containing two files: rock.txt, which is the custom dictionary, and sample hash.txt, which is the hash of the Word file retrieved.
  • Note: Make sure the Hashcat.exe file is available. It is a crucial file, and some security systems may delete it automatically. If it is being deleted automatically, disable the Real-time Protection option on your system.
  • Now we will use Hashcat commands to find the password. Hashcat requires four main arguments: attack mode, hash type, hash text file, and the dictionary. 

There are 3 attack modes:

  • Dictionary attack: trying all words in a list; also called "straight" mode (attack mode 0, -a 0)
  • Combinator attack: concatenating words from multiple wordlists (-a 1)
  • Brute-force attack: trying all characters from given charsets, per position (-a 3)

  • There are many hash types (hash modes), and each one corresponds to a different file type and version. We can list all the hash modes and attack modes using the Hashcat.exe -h command.




  • After understanding which attack mode we are going to use and finding the hash mode, we will use the command below to get the password.


Hashcat command: Hashcat.exe -a 0 -m 9600 "sample.hash" "rock.txt"


  • If the hash is correct and the password is found in the dictionary, the password will be displayed after the hash, which is highlighted in red in the figure below.



  • This is how we crack the password of a Word file. The same procedure can be followed for cracking the passwords of other file types.
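The steps of copying everything after the file name and picking the hash mode can be checked with a short script. This is an added example, not code from the original post or from the John the Ripper or Hashcat projects; it assumes the `filename:$office$*version*...` line layout printed by office2john.py, and `parse_office_line`, `OFFICE_MODES` and the sample line are names and values made up for illustration.

```python
import re

# Hashcat hash modes (-m) for the "$office$" family, keyed by the version field.
OFFICE_MODES = {"2007": 9400, "2010": 9500, "2013": 9600}
HEX = re.compile(r"[0-9a-fA-F]+")

# Constructed sample in the shape office2john.py prints; the hex fields are
# dummy values, not taken from a real document.
SAMPLE_LINE = ("sample.docx:$office$*2013*100000*256*16*"
               + "ab" * 16 + "*" + "cd" * 16 + "*" + "ef" * 32)


def parse_office_line(line):
    """Split 'filename:$office$*...' and describe the hash that follows."""
    line = line.strip()
    start = line.find("$office$*")
    if start < 0:
        raise ValueError("no $office$ hash found in line")
    filename = line[:start].rstrip(":") or None
    # Drop any colon-separated trailer so only the hash itself is kept.
    hash_only = line[start:].split(":", 1)[0]
    fields = hash_only.split("*")
    if len(fields) != 8:
        raise ValueError("expected 8 '*'-separated fields, got %d" % len(fields))
    _, version, third, key_bits, salt_len, salt, verifier, verifier_hash = fields
    if version not in OFFICE_MODES:
        raise ValueError("unsupported $office$ version: %r" % version)
    for name, value in (("salt", salt), ("verifier", verifier),
                        ("verifier hash", verifier_hash)):
        if not HEX.fullmatch(value):
            raise ValueError("%s is not hex" % name)
    if len(salt) != 2 * int(salt_len):
        raise ValueError("salt length does not match the declared size")
    third_value = int(third)
    return {
        "filename": filename,
        "hash": hash_only,              # the string to save in the hash file
        "version": version,
        "mode": OFFICE_MODES[version],  # value for hashcat's -m option
        # 2010/2013 lines carry the iteration (spin) count in the third field;
        # 2007 lines carry the verifier hash size there instead.
        "spin_count": third_value if version != "2007" else None,
        "key_bits": int(key_bits),
    }


if __name__ == "__main__":
    info = parse_office_line(SAMPLE_LINE)
    print("file: %s  version: %s  -m %d  iterations: %s"
          % (info["filename"], info["version"], info["mode"], info["spin_count"]))
```

A mismatch between the version in the hash and the `-m` value is a common reason Hashcat rejects the hash file, and the iteration count shows how much work each guess costs.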




Contributors:

1. Mr. Salagrama Aditya, B.E CSE 6th semester, MVSR Engineering College, Hyderabad, Telangana, India

2. Dr. Nitesh K Bharadwaj, Assistant Professor, Dept. of CSE, NIT Raipur.

3. Dr. Bhupendra Singh, Assistant Professor, Dept. of CSE, IIIT Pune, India.
















