Information
Room
- Name: Crack The Hash Level 2
- Profile: tryhackme.com
- Difficulty: Medium
- Description: Advanced cracking hashes challenges and wordlist generation
Write-up
Overview
Install the tools used in this write-up on BlackArch Linux:
$ sudo pacman -S john wordlistctl mentalist lyricpass cewl haiti ttpassgen
John the Ripper rules:
[List.Rules:norajCommon01]
Task 6 - It's time to crack hashes
Hash 1 - English male name - f76a69033cc94d1fb3b2122becf46828 (MD5)
Border mutation - commonly used combinations of digits and special symbols can be added at the end or at the beginning, or both
$ john hash.txt --format=raw-md5 --wordlist=/usr/share/wordlists/misc/top_1000_usa_malenames_english.txt --rules=norajCommon02
Hash 2 - English female name - 01bf0eb071a40ba731ccb3cb47319375 (MD5)
Border mutation - commonly used combinations of digits and special symbols can be added at the end or at the beginning, or both
$ john hash.txt --format=raw-md5 --wordlist=/usr/share/wordlists/misc/top_1000_usa_femalenames_english.txt --rules=norajCommon01
Hash 3 - Town name of Mexico - 8ebe45d61ef53c7d748b80c592436e23 (MD5)
Freak mutation - letters are replaced with similarly looking special symbols
$ cat /usr/share/wordlists/misc/city-state-country.txt | dos2unix | rg 'Mexico$' | cut -f 1 -d ',' | uniq > mexico.txt
Then, with mentalist or by any other means, substitute some letters with their leet equivalents, e.g. a -> @ or o -> 0.
Then use the generated dictionary with John.
$ john hash.txt --format=raw-md5 --wordlist=mentalist.txt
Hash 4 - Own name - 1f474c6dadb3cb2370f6cb88d4576ede0db9ff43 (SHA1)
Case mutation - the program checks all variations of uppercase/lowercase letters for any character
Build a short dictionary containing the person's name:
david
Then use John with a case permutation rule:
$ john hash.txt --format=raw-sha1 --wordlist=david.txt --rules=NT --fork=3
Hash 5 - Lyrics - 140d61a5ecbe4dc82b61d68c8fc05e42 (MD5)
Order mutation - character order is reversed
Adele
Generate a wordlist of her songs.
$ lyricpass -a adele
Then use the lyrics list with a reverse mutation rule:
$ john hash.txt --format=raw-md5 --wordlist=adele.txt --rules=norajCommon03 --fork=3
Hash 6 - Phone number - a6319095c2cff7ffb0f3d5e930e902f3 (MD5)
No mutations
https://en.wikipedia.org/wiki/List_of_mobile_telephone_prefixes_by_country
Sint Maarten: +1 and 721 prefix for mobile phone number
Modify prefix.txt and python pnwgen.py (https://github.com/toxydose/pnwgen) or do it with your own script.
$ python pnwgen.py +1721 '' 7
Then use the list with john:
$ john hash.txt --format=raw-md5 --wordlist=/tmp/pnwgen/wordlist.txt
Hash 7 - Rockyou - 7f921bcacce131426fc5111e664feb80f509796299a764dfbfb834cd97ce3217ca8015f699bdb517ed913aac3e207cf5b566859470ce7dea33ec5cea30603fb0 (SHA3-512)
No mutations
SHA3
$ john hash.txt --format=raw-sha3 --wordlist=/usr/share/wordlists/passwords/rockyou.txt --fork=3
Hash 8 - Web scraping - 9eb3430dc236ec9d3d5cfc6c3390523fc498037bb3de7d7e58254f7e253307a8d102b374713f425eaf1e71f33d3de9094b6a205b78510c9c3b754107a3b09c53 (blake2)
Repetition (4)
$ git clone https://github.com/digininja/CeWL.git
Hash 9 - Rockyou - $6$norajPass$rQe8.6rPhZcivym.tpPacR2u360yUZBKTuXbXIJ/zKrzhC4v4eayiNfW/HlcaFVkmVh7Hps5Rupc3ZINTwhmL1 (SHA512-crypt)
No mutations
$ john --format=sha512crypt hash.txt --wordlist=/usr/share/wordlists/passwords/rockyou.txt --show
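Seen from the defender's side, the border, freak, case, order and repetition mutations used above are all cheap to reverse, so a password-policy check can normalise a candidate and reject it when it reduces to a dictionary word. The following is an added example, not part of the original write-up; the base word list, the leet table and the function names are assumptions, and the sample passwords are constructed.

```python
import re

# Constructed base dictionary (assumption); a real audit would load the
# organisation's banned-word list (names, towns, lyrics, ...) instead.
BASE_WORDS = {"david", "maria", "tijuana", "hello", "password"}

# Minimal, hypothetical leet table used to undo the "freak" mutation.
LEET = str.maketrans("@4031!$57", "aaoeiisst")


def cores(pw):
    """Yield pw with 0..n leading/trailing non-letters removed (border mutation)."""
    lead = len(re.match(r"[^A-Za-z]*", pw).group())
    trail = len(re.search(r"[^A-Za-z]*$", pw).group())
    for i in range(lead + 1):
        for j in range(trail + 1):
            yield pw[i:len(pw) - j]


def repeated_unit(s):
    """Return the smallest unit u with s == u * k (k >= 2), else None."""
    period = (s + s).find(s, 1)
    return s[:period] if s and period < len(s) else None


def classify(pw, words=BASE_WORDS):
    """Return (base_word, mutation labels) if pw derives from a word, else None."""
    for core in cores(pw):
        labels = {"border"} if core != pw else set()
        low = core.lower()
        if low != core:
            labels.add("case")
        plain = low.translate(LEET)
        if plain != low:
            labels.add("freak")
        unit = repeated_unit(plain)
        candidates = [(plain, set()), (plain[::-1], {"order"})]
        if unit:
            candidates.append((unit, {"repetition"}))
        for cand, extra in candidates:
            if cand in words:
                return cand, sorted(labels | extra)
    return None


if __name__ == "__main__":
    # Constructed sample passwords, not answers from the room.
    for pw in ["2024maria!", "t1juan4", "DaViD", "olleh", "Pa$$w0rd!!", "xK9#vLq2&pT"]:
        print(f"{pw!r:16} -> {classify(pw)}")
```

A password for which `classify` returns a base word falls within reach of the wordlist-plus-rules runs shown in this write-up and should be rejected at set time.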