
Cryptography is a method of protecting information and communications through the use of codes, so that only those for whom the information is intended can read and process it.

Hashing

Introduction

A hash is a function that converts one value to another. Hashing data is a common practice in computer science and is used for several different purposes. Examples include cryptography, compression, checksum generation, and data indexing.

Hashing is a natural fit for cryptography because it masks the original data with another value. A hash function can be used to generate a value that can only be decoded by looking it up in a hash table. The table may be an array, database, or other data structure. A good cryptographic hash function is non-invertible, meaning the original input cannot be recovered from its hash.

Password Cracking Attacks

In cryptanalysis and computer security, password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system.

Hashcat is one of the most powerful password cracking tools at the moment. First we need to find out which type of hash we are trying to crack; this guide contains all hash types that hashcat supports.

hashcat -a 0 -m mode passwd.hash wordlist

Caution: In order to avoid false positives or false negatives, never use the --force parameter.

Or you can use Google Colab to crack the hashes:

Rainbow Tables

A rainbow table makes cryptanalysis very quick and effective. A brute-force attack takes every candidate string, calculates its hash value and compares it with the one found on the computer, at every step. A rainbow table attack eliminates this need by computing the hashes of a large set of candidate strings in advance.

Some online resources offer precomputed rainbow tables for certain hash types.

Note: Some modern hashes such as bcrypt make use of a salt, which prevents rainbow table attacks.
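Why the salt in the note above matters, shown as an added example that is not part of the original notes: a precomputed lookup table recovers an unsalted SHA-256 digest instantly, but the same table is useless against a salted, slow hash. The wordlist is constructed, and PBKDF2-HMAC-SHA256 stands in for bcrypt.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor; the slowness is part of the defence

# Constructed sample wordlist standing in for a leaked-password dictionary.
WORDLIST = ["password", "letmein", "Company2023", "qwerty", "Summer!1"]

def store_unsalted(password):
    # Plain SHA-256 of the password: the same input always yields the same digest.
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(words):
    # Precompute digest -> plaintext once; a rainbow table is a compressed form of this idea.
    return {store_unsalted(w): w for w in words}

def recover_with_table(table, stored_hash):
    # One dictionary lookup replaces hashing every candidate again.
    return table.get(stored_hash)

def store_salted(password, salt=None):
    # Random per-password salt plus a slow KDF (PBKDF2-HMAC-SHA256 here; bcrypt/scrypt/Argon2 in practice).
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest.hex()

def verify_salted(password, salt, stored_hex):
    # Recompute with the stored salt and compare in constant time.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), stored_hex)

def demo():
    table = build_lookup_table(WORDLIST)
    unsalted = store_unsalted("letmein")
    salt, salted = store_salted("letmein")
    return {
        "unsalted_recovered": recover_with_table(table, unsalted),  # 'letmein'
        "salted_recovered": recover_with_table(table, salted),      # None: the table was not built for this salt
        "salted_verifies": verify_salted("letmein", salt, salted),  # True
    }

if __name__ == "__main__":
    print(demo())
```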

Dictionary Attack

In cryptanalysis and computer security, a dictionary attack is an attack using a restricted subset of a keyspace to defeat a cipher or authentication mechanism by trying to determine its decryption key or passphrase, sometimes trying thousands or millions of likely possibilities often obtained from lists of past security breaches.

The most common dictionaries used for password cracking:

hashcat -a 0 -m mode passwd.hash wordlist

Note: Hashcat -a 0 parameter is used to perform a dictionary attack.

Rules

Typical password-enforcement rules are collected in some dictionaries; these rules generally require the use of upper- and lower-case characters, numbers and special characters.

hashcat -a 0 -m mode passwd.hash -r rules wordlist

Note: Hashcat rules are located in /usr/share/hashcat/rules/

Selecting a correct Wordlist

We can use common wordlists like rockyou.txt or some from SecLists, but also we can create a custom one.

Cewl gives us the opportunity to browse the website and add commonly used terms and product names to our custom wordlists. We can also select the minimum length of the passwords with the -m parameter.

cewl www.example.com -m 6 -w wordlist.out

Kwprocessor is an external utility from hashcat that generates key-walk passwords, which are based on adjacent keys. It has three main components: the base characters (the alphabet of the target language), the keyboard layout and the routes (directions to walk in).

https://github.com/hashcat/kwprocessor

kwp64.exe basechars\custom.base keymaps\es.keymap routes\2-to-10-max-3-direction-changes.route -o .\keywalk.txt

Note: Some candidates could be generated multiple times.

Combinator Attack

The combinator attack combines the entries from two dictionaries into single words. We can also apply a rule to each word on the left or right using the options -j and -k (quoted, so the shell does not expand $- and $!).

hashcat -a 1 -m mode hash wordlist1 wordlist2 -j '$-' -k '$!'

Note: Hashcat -a 1 parameter is used to perform a combinator attack.

Mask Attack

Mask attacks are similar to brute-force attacks given they try all combinations from a set of characters. With brute-force attacks, all possible characters that exist are tried. Mask attacks are more specific as the set of characters you try is reduced based on information you know.

Note: Hashcat -a 3 parameter is used to perform a mask attack.

Hashcat Parameters

   ?l = abcdefghijklmnopqrstuvwxyz
   ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
   ?d = 0123456789
   ?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
   ?a = ?l?u?d?s
   ?b = 0x00 - 0xff

  -1,  --custom-charset1=CS          User-defined charsets
  -2,  --custom-charset2=CS          Example:
  -3,  --custom-charset3=CS          --custom-charset1=?dabcdef : sets charset ?1 to 0123456789abcdef
  -4,  --custom-charset4=CS          -2 mycharset.hcchr : sets charset ?2 to chars contained in file

Example:

-1 ?u -2 ?u?l?d -3 ?d

We can also use static strings as part of a mask.

Company?d

Running the Attack

With the custom charsets defined above, the attack is launched with the following command; once it starts, hashcat prints its status output:

hashcat -a 3 -m mode -1 ?u -2 ?l?u?d -3 ?d hash ?1?2?2?2?3?3?3

We can use the --increment parameter to go through all combinations of increasing length instead of only trying passwords of the same length:

?1
?1?2
?1?2?2
?1?2?2?2
?1?2?2?2?3
?1?2?2?2?3?3
?1?2?2?2?3?3?3

Command:

hashcat -a 3 -m mode -1 ?u -2 ?l?u?d -3 ?d --increment hash ?1?2?2?2?3?3?3

Mask Files

We can create a file with different masks.

Note: We can specify custom charsets at the beginning of each line, using , as the separator.

?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1

And finally run it:

hashcat -a 3 -m mode hash mask.hcmask
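As an added example that is not part of the original notes, this calculator parses hashcat masks using the charsets listed above, including the -1/-2/-3/-4 custom charsets and the custom-charset prefix of an .hcmask line, and returns how many candidates a mask produces with and without --increment. It is useful for judging how much a password policy really shrinks the keyspace an attacker has to search.

```python
from itertools import accumulate
from operator import mul
# Built-in hashcat charsets exactly as listed on this page, kept as byte values so ?b can be unioned too.
BUILTIN = {
    "l": {ord(c) for c in "abcdefghijklmnopqrstuvwxyz"},
    "u": {ord(c) for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"},
    "d": {ord(c) for c in "0123456789"},
    "s": {ord(c) for c in " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"},
    "b": set(range(256)),
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]

def tokenize(mask):
    # Split into placeholders ('?l', '?1', '??') and single literal characters.
    tokens, i = [], 0
    while i < len(mask):
        step = 2 if mask[i] == "?" else 1
        tokens.append(mask[i:i + step])
        i += step
    return tokens

def expand_charset(spec, custom):
    # '?dabcdef' -> the set of byte values it covers; repeated characters collapse.
    out = set()
    for tok in tokenize(spec):
        if tok == "??":
            out.add(ord("?"))
        elif tok.startswith("?"):
            out |= {**BUILTIN, **custom}[tok[1:]]  # KeyError flags an unknown or dangling '?'
        else:
            out.add(ord(tok))
    return out

def custom_charsets(*specs):
    # -1/-2/-3/-4 become ?1..?4 in order, so a later spec may reuse an earlier one.
    custom = {}
    for n, spec in enumerate(specs, start=1):
        custom[str(n)] = expand_charset(spec, custom)
    return custom

def keyspace(mask, custom, increment=False):
    # Candidates for the mask; with --increment every prefix length from 1 up is summed.
    sizes = [len(expand_charset(tok, custom)) for tok in tokenize(mask)]
    prefixes = list(accumulate(sizes, mul))
    return sum(prefixes) if increment else prefixes[-1]

def hcmask_line_keyspace(line):
    # One .hcmask line: comma-separated custom charsets first, then the mask (escaped commas not handled).
    *specs, mask = line.split(",")
    return keyspace(mask, custom_charsets(*specs))
```

For the page's own mask, keyspace("?1?2?2?2?3?3?3", custom_charsets("?u", "?l?u?d", "?d")) is 6,196,528,000 candidates, and 6,884,444,190 with --increment.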

Hybrid Attack

The hybrid attack is a combination of a wordlist and a mask attack.

Note: Hashcat -a 6 parameter is used to perform a hybrid attack where the wordlist comes first and the mask after it.

hashcat -a 6 -m mode hash wordlist ?d?d?d?d
# Password5555

Note: Hashcat -a 7 parameter is also used for hybrid attacks, but the mask comes first and the wordlist after it.

hashcat -a 7 -m mode hash ?d?d?d?d wordlist
# 5555Password

Encryption

Introduction

The two main categories of Encryption are symmetric and asymmetric.

Symmetric encryption uses the same key to encrypt and decrypt the data. Examples of Symmetric encryption are DES (Broken) and AES. These algorithms tend to be faster than asymmetric cryptography, and use smaller keys (128 or 256 bit keys are common for AES, DES keys are 56 bits long).

Asymmetric encryption uses a pair of keys, one to encrypt and the other in the pair to decrypt. Examples are RSA and Elliptic Curve Cryptography. Normally these keys are referred to as a public key and a private key. Data encrypted with the private key can be decrypted with the public key, and vice versa. Your private key needs to be kept private, hence the name. Asymmetric encryption tends to be slower and uses larger keys, for example RSA typically uses 2048 to 4096 bit keys.

Cracking SSH private key

Once we have a private SSH key protected with a passphrase, we need to convert that key to John's format before trying to recover the passphrase. For that, run the ssh2john script:

python ssh2john.py id_rsa > id_rsa.hash

And crack it with your favourite wordlist:

john id_rsa.hash -wordlist=[wordlist]

Cracking KDBX (KeePass Files)

First we need to convert our file to a hash.

python keepass2john file.kdbx > kdbx.hash

And crack it with your favourite wordlist:

john kdbx.hash -wordlist=[wordlist]
hashcat -a 0 -m 13400 kdbx.hash [wordlist]

Decrypting openssl enc data with salted password

When we find a file like this:

❯ file file.enc
file.enc: openssl enc'd data with salted password

We can crack the password with bruteforce-salted-openssl specifying the digest and cipher (AES-256-CBC by default).

bruteforce-salted-openssl -t 50 -f rockyou.txt -d <digest> file.enc -1

Finally we need to decrypt the file with the password obtained while brute-forcing.

openssl aes-256-cbc -d -in file.enc -out file.txt -k <KEY>

Ciphers Detection

There are many online tools that help detect which type of cipher is applied, based on entropy.

There are also a lot of online tools to decode or encode with different ciphers:

Note: quipqiup is a powerful tool that solves simple substitution ciphers.

https://quipqiup.com/
