Password cracking — John the Ripper & Hashcat
We have successfully retrieved the hashes of the system users' passwords.
In the extraction results, the entry for the user John has two parts: the first is the LM hash and the second is the NTLM hash.
It is this second part, the NTLM hash, that interests us, because it is the hash of the password that we can try to crack with different tools.
You should know that the hash itself, even in its raw form, is extremely useful for conducting other types of attacks, in particular "pass-the-hash" (PtH) attacks.
When you audit an Active Directory environment, simply holding a user's hash can be enough to authenticate to other servers on the network, without needing to discover the password in clear text.
However, for this demonstration, I am going to show you how to crack these hashes.
Let's focus on the user John.
I copy his NTLM hash.
By default, Kali Linux offers two very popular password cracking tools: John the Ripper and Hashcat.
By typing `john` in the terminal, you display its help menu.
Hashcat is also an extremely powerful tool.
The main difference is that Hashcat is optimized to use the computing power of the graphics processor (GPU), while John the Ripper uses the processor (CPU) by default.
If you run Kali Linux in a virtual machine, it generally has no access to the physical graphics card of your host computer, which makes Hashcat inefficient there.
In that case it is often better to install the Windows version of Hashcat on your host machine to benefit from the GPU, or to use John the Ripper in your virtual machine.
Using John the Ripper is very simple.
You just have to place the hashes in a text file.
For example, let's create a `hash.txt` file with the `nano` editor.
Let's put a test hash in it (for example, that of a user named Karl).
To launch the cracking, simply type `john hash.txt`.
If John the Ripper has already cracked this hash before, it will not redo the computation; the stored result is displayed with the `--show` option: `john --show hash.txt`.
Here, we see that the password associated with Karl's account is "doggie".
To crack John's password, we will replace the content of our `hash.txt` file with his NTLM hash, then save the file.
We can run John the Ripper with a password dictionary (a wordlist) by passing it with the `--wordlist=` option.
Under Kali Linux, password lists are generally found in the `/usr/share/wordlists/` directory.
We will use the famous `rockyou.txt` dictionary: `john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt`.
If the password is simple, John will crack it in a few milliseconds.
If John the Ripper does not find the password with the dictionary, the `--show` option will display nothing.
This means that the password is not present in the `rockyou.txt` list.
In this case, you can launch John the Ripper in brute-force mode (without specifying a dictionary), which will push your virtual machine's processor to 100% while it tests all possible combinations.
This can take a lot of time.
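As an added example (not code from the original lesson, nor from John the Ripper or CrackStation), here is what the wordlist run above does, written out in Python so the mechanism is visible: an NTLM hash is MD4 over the UTF-16LE encoding of the password, with no salt, so a dictionary attack only has to hash each candidate once and compare, and a precomputed lookup only has to store one hash per password. The function names (`ntlm_hash`, `parse_pwdump`, `crack_wordlist`, `demo`) are mine; the dump lines, RIDs and the small stand-in wordlist are constructed, and the two passwords are the ones this lesson names. The hash-dump layout follows the `user:RID:LM hash:NT hash:::` form described at the start (LM first, NTLM second). Everything runs offline.

```python
# Added example, not code from the original lesson or from John the Ripper:
# a plain-Python view of what "cracking an NTLM hash" actually means.
# NTLM = MD4(UTF-16LE(password)), with no salt, so a wordlist run or a
# precomputed lookup (what CrackStation does) needs only one hash per candidate.
# MD4 is written out by hand because hashlib's "md4" is an OpenSSL legacy
# algorithm that is disabled on many current systems.
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


# (boolean function, additive constant, message-word order, per-step shifts)
# for the three MD4 rounds, as specified in RFC 1320.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
     tuple(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def _md4_compress(state, block):
    X = struct.unpack('<16I', block)
    r = list(state)
    for f, const, order, shifts in _ROUNDS:
        for i, k in enumerate(order):
            idx = (-i) % 4          # register updated by this step: a, d, c, b, a, ...
            a, b, c, d = (r[(idx + j) % 4] for j in range(4))
            r[idx] = _rotl((a + f(b, c, d) + X[k] + const) & MASK32, shifts[i % 4])
    return tuple((s + v) & MASK32 for s, v in zip(state, r))


def md4(data: bytes) -> bytes:
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    bit_len = len(data) * 8
    data += b'\x80'                                   # mandatory 1 bit, then zero padding
    data += b'\x00' * ((56 - len(data) % 64) % 64)
    data += struct.pack('<Q', bit_len)                # 64-bit little-endian bit length
    for off in range(0, len(data), 64):
        state = _md4_compress(state, data[off:off + 64])
    return struct.pack('<4I', *state)


def ntlm_hash(password: str) -> str:
    """NT hash as the 32-hex-character string found in a hash dump."""
    return md4(password.encode('utf-16-le')).hex()


def parse_pwdump(lines):
    """Parse 'user:RID:LM hash:NT hash:::' dump lines and keep the second part,
    the NT hash, keyed by user name."""
    nt_hashes = {}
    for line in lines:
        parts = line.strip().split(':')
        if len(parts) >= 4 and len(parts[3]) == 32:
            nt_hashes[parts[0]] = parts[3].lower()
    return nt_hashes


def crack_wordlist(nt_hashes, wordlist):
    """Dictionary attack: hash each candidate once, compare against every target.
    Returns {user: password} for accounts whose hash matched; users whose
    password is not in the list are simply absent, like an empty 'john --show'."""
    by_hash = {}
    for user, h in nt_hashes.items():
        by_hash.setdefault(h, []).append(user)
    found = {}
    for candidate in wordlist:
        for user in by_hash.get(ntlm_hash(candidate), ()):
            found[user] = candidate
    return found


# Constructed sample dump (not from the lesson's target): the passwords are the
# two the lesson mentions, the LM field is the well-known hash of an empty LM
# password (LM storage disabled), and the RIDs are made up.
SAMPLE_DUMP = [
    f"karl:1001:aad3b435b51404eeaad3b435b51404ee:{ntlm_hash('doggie')}:::",
    f"john:1002:aad3b435b51404eeaad3b435b51404ee:{ntlm_hash('alkfna22')}:::",
]
# Constructed stand-in for rockyou.txt: contains Karl's password but not John's.
SMALL_WORDLIST = ["123456", "password", "doggie", "letmein", "qwerty"]


def demo():
    return crack_wordlist(parse_pwdump(SAMPLE_DUMP), SMALL_WORDLIST)


if __name__ == "__main__":
    print(demo())   # {'karl': 'doggie'}; john is absent, as after the rockyou run
```

Running `demo()` reproduces the lesson's two outcomes: Karl's hash matches a list entry, John's does not, so it stays absent from the result just as `john --show` stayed empty. The absence of a salt is the whole story for the defender: two accounts with the same password produce byte-identical NT hashes, one MD4 computation per candidate is enough to test it against every account in the dump, and a lookup service can answer instantly from a table built once. That is why NTLM hashes must be guarded as carefully as the passwords themselves and why only length, not complexity rules, puts a password out of reach of such lists.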
Fortunately, there is a quick alternative: using online cracking services (reverse hash lookup databases) like CrackStation (crackstation.net).
You just need to go to the site, paste the NTLM hash, validate the captcha and click on "Crack Hashes".
In a few milliseconds, CrackStation compares the hash with its huge database of precomputed password hashes (rainbow tables).
In our case, CrackStation immediately finds the match: the hash type is indeed NTLM, and the associated cleartext password is "alkfna22".
We can therefore return to our terminal and stop the John the Ripper process.
Always try submitting the hash to CrackStation first.
If it does not work, you can then use John the Ripper or run Hashcat on your Windows host machine.
The more powerful your graphics card, the more passwords per second you will be able to test.
John the Ripper supports a very large number of hash formats (MD5, SHA-256, NTLM, etc.).
Once you have retrieved your target's cleartext password, note it down carefully in your CherryTree document for the rest of your penetration testing.