# Cracking

## online

* <https://crackstation.net> ..pretty good cracking online!
* <https://hashes.com> ..find/crack multiple hashes

## john

```
Basics:
4 modes: Single, Wordlist, Incremental, Custom (external)

john.conf  ..linux
john.ini   ..win
john.pot   ..cracks stored here
jack.pot   ..previously !!
john.rec   ..current progress record (used by --restore)

john --test            ..speedtest
john --show /hashfile  ..prev cracks
john --restore         ..resume
<ctrl-C>  ..will record progress here
x2        ..too fast, you'll lose progress

<anykey>  ..current status
c/s       ..combinations per sec

Run on the native OS for fastest speed (not a VM)
Compiled john is faster too ('make' from source)

Can't split up jobs easily
Maybe: split the wordlist between servers
or: split Min/Max length (6,7,8,9) between servers

Distributed cracking option: use a different --session name for each instance
```

## john usage

```
john hash.txt
john --format=NT sam.txt
```

## john unshadow

```
cp /etc/passwd passCopy
sudo cat /etc/shadow > shadowCopy
unshadow passCopy shadowCopy > combined.txt

john combined.txt --format=crypt

$1$ - MD5 (md5crypt)
$6$ - SHA512 (sha512crypt)

john --format=crypt combined.txt  ..crypt handles both $1$ and $6$
cat ~/.john/john.pot               ..view cracks
```

* john can also crack "[SSH PrivKey Passphrase](/05-passwords-ciphers/05-crask-sshprivkey-passphrase.md)"
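Before cracking, it helps to know which crypt(3) scheme each account in the unshadow output uses. The following is an added example (not part of the original notes) that parses unshadow-style lines, maps the `$1$`/`$6$` prefixes to the hashcat modes given on this page, and flags md5crypt accounts as weak; the sample lines are constructed, and the modes for `$5$` and `$2b$` come from hashcat's own mode list, not this page.

```python
# Constructed sample in unshadow output format (user:hash:uid:gid:gecos:home:shell).
# The hash strings are placeholders, not real credentials.
SAMPLE_COMBINED = """\
root:$6$saltsalt$PLACEHOLDERSHA512CRYPTHASHVALUEXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0:0:root:/root:/bin/bash
legacy:$1$aBcDeFgH$PLACEHOLDERMD5CRYPTHASH:1001:1001::/home/legacy:/bin/bash
svc:!:999:999::/var/lib/svc:/usr/sbin/nologin
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

# crypt(3) prefix -> (scheme name, hashcat -m mode, considered weak)
# $1$ -> 500 and $6$ -> 1800 are the modes noted on this page; the others are
# hashcat's documented modes (yescrypt has no native hashcat mode).
CRYPT_PREFIXES = {
    "$1$":  ("md5crypt",    500,  True),
    "$5$":  ("sha256crypt", 7400, False),
    "$6$":  ("sha512crypt", 1800, False),
    "$2b$": ("bcrypt",      3200, False),
    "$y$":  ("yescrypt",    None, False),
}

def classify_hash(field):
    """Return (scheme, hashcat_mode, weak) for one shadow password field."""
    if field == "":
        return ("locked-or-empty", None, True)   # empty field = passwordless login
    if field in ("*", "!!") or field.startswith("!"):
        return ("locked-or-empty", None, False)  # account locked, nothing to crack
    for prefix, info in CRYPT_PREFIXES.items():
        if field.startswith(prefix):
            return info
    return ("unknown", None, True)  # legacy DES or unrecognised: treat as weak

def audit(combined_text):
    """Parse unshadow output and return {user: (scheme, mode, weak)}."""
    report = {}
    for line in combined_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        report[parts[0]] = classify_hash(parts[1])
    return report

if __name__ == "__main__":
    for user, (scheme, mode, weak) in audit(SAMPLE_COMBINED).items():
        flag = "WEAK" if weak else "    "
        mode_s = f"-m {mode}" if mode else "-m n/a"
        print(f"{flag} {user:10} {scheme:16} {mode_s}")
```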

## hashcat

```
Rules and Scenarios:
https://hashcat.net/wiki/doku.php?id=rule_based_attack

hashcat -m       ..hash mode, tons of them!
hashcat -m 500   ..md5crypt $1$

hashcat --help
hashcat --help | less
hashcat --help | grep md5
hashcat --help | grep '\$6\$'   ..sha512crypt
hashcat --help | grep LM        ..3000
hashcat --help | grep md5crypt  ..500
hashcat --help | grep sha512    ..1800

hashcat.potfile  ..results saved

Word Rules:
cd /opt/hashcat/rules
cd /usr/local/share/doc/hashcat/rules
cat best64.rule

Examples:
hashcat -a 0 -m 400 example400.hash examp.dict ..basic
hashcat -a 0 -m 0 examp0.hash examp.dict -r rules/best64.rule
hashcat -a 3 -m 0 examp0.hash ?a?a?a?a?a?a   ..6 chars, any
hashcat -a 6 -m 0 examp0.hash examp.dict ?a?a?a
  ..dictionary word + 3 appended chars

-a 0  ..straight (wordlist)
-a 1  ..combinator (two wordlists joined)
-a 3  ..brute force (mask)
-a 6  ..hybrid wordlist + mask

<space> or 's'tatus .. to view details and GPU temp
Adding more GPUs will get faster cracks

./hashcat64 -m 3000 --show sam.txt  ..view cracked results
./hashcat64 --restore                ..resume scan (restores from the saved session)
```

## hashcat usage

```
Workload: -w
1 = low
2 = default
3 = high
4 = nightmare, lol

hashcat --benchmark -m 3000 -w 3


cat cracked.txt
cat .hashcat/hashcat.potfile

cat coursefiles/sam.txt
cut -d: -f 1 coursefiles/sam.txt > names.txt

hashcat -w 3 -a 0 -m 5600 hash.txt
hashcat -w 3 -a 0 -m 3000 -o cracked.txt sam.txt /opt/dict.lst
hashcat -w 3 -a 0 -m 3000 -o cracked.txt sam.txt /opt/dict.lst names.txt
  ..both /opt/dict.lst and names.txt are used as wordlists (usernames often work as passwords)
```

## hashcat rules

```
ls -l /usr/local/share/doc/hashcat/rules/

Best Rules:
best64.rule
d3ad0ne.rule

cat /usr/local/share/doc/hashcat/rules/best64.rule

hashcat -w 3 -a 0 -m 3000 -o cracked2.txt sam.txt /opt/dict.lst names.txt \
  -r /usr/local/share/doc/hashcat/rules/best64.rule

cat cracked2.txt
cat .hashcat/hashcat.potfile  ..found reversed 'charlie' password

cut -d: -f 2 cracked.txt > clear.txt

Crazy what hashcat can do:
Tell it to use 'users', 'pwlist', 'rules', etc...
hashcat -w 3 -a 0 -m 1800 -o cracked.txt shadow_copy names.txt clear.txt \
  /opt/pass.lst -r /usr/local/share/doc/hashcat/rules/best64.rule
```

## hashcat mangling

```
hashcat -a 6 -m 0 example0.hash example.dict ?a?a?a   ..word + 3 chars appended
hashcat -a 7 -m 0 example0.hash ?a?a?a example.dict   ..3 chars prepended + word

6: hybrid wordlist + mask (mask at the end)
7: hybrid mask + wordlist (mask at the front)
0: hash mode (MD5)
hash file
dictionary + 3 chars at the end


Results:
cat ~/.hashcat/hashcat.potfile
or: yuck, like this:
hashcat -m 5600 --potfile-path ~/.hashcat/hashcat.potfile --show --outfile-format 2 hash.txt
```

## lm2ntcrack.rb

```
Ruby script to recover the NT password from a cracked LM one:
If you have the LM cracked, but not the NT:

> lm2ntcrack.rb -t NTLM -p MYLMPASS -a BAXOFLYKD

> /opt/metasploit-framework/tools/password/lm2ntcrack.rb
   -t NTLM        ..get the NTLM
   -p MYLMPASS    ..current LM
   -a BAXOFLYKD   ..the NT Hash (2nd half string)
```

