Cracking
online
https://crackstation.net --pretty good cracking online!
https://hashes.com --find/crack multiple hashes
john
Basics:
4 modes: Single, Wordlist, Incremental, External (jumbo builds add Mask)
john.conf ..config (Linux)
john.ini ..config (Windows builds)
john.pot ..cracked hashes stored here (~/.john/john.pot in jumbo)
jack.pot ..same thing in Cracker Jack, John's predecessor !!
john.rec ..session file, the progress --restore picks up from
john --test ..speedtest / benchmark
john --show hash.txt ..prev cracks for that hash file
john --restore ..resume the saved session
<ctrl-C> ..saves progress to john.rec and exits
x2 ..twice in a row aborts immediately, progress since the last save is lost
<anykey> ..current status
c/s ..crypts (candidate checks) per sec
Run on the native OS for fastest speed (not a VM)
Compiled John is faster too ('make' it yourself for your CPU)
Core John can't split up jobs easily
Maybe: split the wordlist between servers
or: min/max length 6,7,8,9 split between them
Distributed option: use a different --session name for each instance; jumbo also has --fork=N (N processes on one box) and --node=n/M (this box takes share n of M of the keyspace)
john usage
john hash.txt
john --format=NT sam.txt
john unshadow
cp /etc/passwd passCopy
sudo cat /etc/shadow > shadowCopy
unshadow passCopy shadowCopy > combined.txt
john --format=crypt combined.txt ..generic crypt(3), slow but handles whatever the system libc does
$1$ - md5crypt (MD5 based)
$5$ - sha256crypt
$6$ - sha512crypt (SHA-512 based)
$y$ - yescrypt (newer distros' default)
john --format=md5crypt combined.txt ..native format for $1$, faster than crypt; --format=sha512crypt for $6$
cat ~/.john/john.pot ..view cracks
john can also crack SSH private-key passphrases: ssh2john id_rsa > key.hash, then john key.hash
hashcat
Rules and Scenarios:
https://hashcat.net/wiki/doku.php?id=rule_based_attack
hashcat -m ..hash mode, tons of them!
hashcat -m 500 ..md5crypt $1$
hashcat --help
hashcat --help | less
hashcat --help | grep -i md5
hashcat --help | grep '\$6\$' ..sha512crypt
hashcat --help | grep LM ..3000
hashcat --help | grep NTLM ..1000 (NT half of a SAM dump)
hashcat --help | grep md5crypt ..500
hashcat --help | grep sha512crypt ..1800
hashcat.potfile ..results saved here (~/.hashcat/hashcat.potfile)
Word Rules:
cd /opt/hashcat/rules
cd /usr/local/share/doc/hashcat/rules ..or /usr/share/hashcat/rules on distro packages
cat best64.rule
Examples:
hashcat -a 0 -m 400 example400.hash example.dict ..basic wordlist
hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a ..6 chars, any printable
hashcat -a 6 -m 0 example0.hash example.dict ?a?a?a
..dictionary word + 3 chars appended
-a 0 ..straight (wordlist)
-a 3 ..brute force / mask
-a 1 ..combinator (word from dict1 + word from dict2)
-a 6 ..hybrid wordlist + mask (-a 7 is mask + wordlist)
<space> or 's' ..status, incl. speed and GPU temp; 'p' pause, 'r' resume, 'q' quit
Adding more GPU will get faster Cracks
./hashcat64 -m 3000 --show sam.txt ..view cracked results from the potfile
./hashcat64 --restore ..resume (reads hashcat.restore; add --session NAME if you named the run)
hashcat usage
Workload: -w
1 = low (desktop stays usable)
2 = default
3 = high
4 = nightmare, lol (headless box only)
hashcat --benchmark -m 3000 -w 3
cat cracked.txt
cat .hashcat/hashcat.potfile
cat coursefiles/sam.txt
cut -d: -f 1 coursefiles/sam.txt > names.txt
hashcat -w 3 -a 0 -m 5600 hash.txt ..NetNTLMv2; no wordlist given, so candidates are read from stdin
hashcat -w 3 -a 0 -m 3000 -o cracked.txt sam.txt /opt/dict.lst
hashcat -w 3 -a 0 -m 3000 -o cracked.txt sam.txt /opt/dict.lst names.txt
..both files are used as wordlists (usernames make good candidates)
hashcat rules
ls -l /usr/local/share/doc/hashcat/rules/
Best Rules:
best64.rule
d3ad0ne.rule
cat /usr/local/share/doc/hashcat/rules/best64.rule
hashcat -w 3 -a 0 -m 3000 -o cracked2.txt sam.txt /opt/dict.lst names.txt \
  -r /usr/local/share/doc/hashcat/rules/best64.rule
cat cracked2.txt
cat ~/.hashcat/hashcat.potfile ..found the reversed 'charlie' password (best64 has a reverse rule)
cut -d: -f 2 cracked.txt > clear.txt ..plaintexts only, reusable as a wordlist
Crazy what hashcat can do:
Tell it to use 'users', 'pwlist', 'rules', etc...
hashcat -w 3 -a 0 -m 1800 -o cracked.txt shadow_copy names.txt clear.txt \
  /opt/pass.lst -r /usr/local/share/doc/hashcat/rules/best64.rule
..hashcat wants bare hashes (or user:hash with --username), not full shadow lines: cut shadow_copy down to the $6$ field first
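Added example, not from the original notes and not part of hashcat or John: a small shell helper for the shadow-copy step above and for the $1$/$5$/$6$ prefixes listed under john unshadow. It strips a shadow copy down to what hashcat accepts with --username and maps the crypt(3) prefix to the -m mode. The sample shadow lines are constructed (the hash bodies are placeholder text, not real digests); file names in the commented hashcat commands are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): shadow copy -> hashcat input.
# hashcat does not understand full shadow lines.  Even with --username it
# treats everything before the first ':' as the user and the whole rest of
# the line as the hash, so the aging fields (lastchg:min:max:warn:...) must go.

# crypt_mode PREFIX -> hashcat -m number for the common crypt(3) schemes
crypt_mode() {
  case $1 in
    '$1$')                echo 500  ;;   # md5crypt
    '$5$')                echo 7400 ;;   # sha256crypt
    '$6$')                echo 1800 ;;   # sha512crypt
    '$2a$'|'$2b$'|'$2y$') echo 3200 ;;   # bcrypt
    *)                    return 1  ;;   # e.g. $y$ yescrypt: no hashcat mode, use john
  esac
}

# shadow_to_hashcat [PREFIX] < shadow_copy
#   -> "user:hash" lines for hashcat --username, skipping locked ('!', '*')
#      and empty-password accounts; with PREFIX, only hashes of that scheme
#      (hashcat runs one -m at a time, so build one file per mode)
shadow_to_hashcat() {
  awk -F: -v want="$1" '
    $2 ~ /^\$/ && (want == "" || index($2, want) == 1) { print $1 ":" $2 }'
}

# shadow_modes < shadow_copy -> the distinct -m values the file needs
shadow_modes() {
  awk -F: '$2 ~ /^\$/ { match($2, /^\$[^$]*\$/); print substr($2, 1, RLENGTH) }' |
  LC_ALL=C sort -u |
  while read -r prefix; do
    crypt_mode "$prefix" || echo "no hashcat mode for $prefix (try john)" >&2
  done
}

# Constructed sample: the hash bodies are placeholder text, not real digests.
SAMPLE_SHADOW='root:$6$rounds=5000$saltsalt$FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE:19000:0:99999:7:::
alice:$1$saltsalt$FAKEFAKEFAKEFAKEFAKEFA:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
carol:$2b$10$FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFA:19000:0:99999:7:::
dave:$y$j9T$FAKEFAKEFAKEFAKEFAKEF$FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAK:19000:0:99999:7:::'

# Demo: which modes the file needs, then the input for the sha512crypt run
printf '%s\n' "$SAMPLE_SHADOW" | shadow_modes
printf '%s\n' "$SAMPLE_SHADOW" | shadow_to_hashcat '$6$'
# Real run, one file per mode (assumed file names):
#   printf '%s\n' "$SAMPLE_SHADOW" | shadow_to_hashcat '$6$' > shadow_1800.txt
#   hashcat -w 3 -a 0 -m 1800 --username -o cracked.txt shadow_1800.txt /opt/pass.lst \
#     -r /usr/local/share/doc/hashcat/rules/best64.rule
#   hashcat -m 1800 --username --show shadow_1800.txt    # user:hash:plain
```

The $y$ line is the case to watch for: hashcat has no yescrypt mode, so those accounts go to john (--format=crypt or a jumbo build with native yescrypt) rather than silently dropping out of the run.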
hashcat mangling
hashcat -a 6 -m 0 example0.hash example.dict ?a?a?a ..word + 3 chars
hashcat -a 7 -m 0 example0.hash ?a?a?a example.dict ..3 chars + word (mask first needs -a 7, -a 6 won't take it)
6 / 7: hybrid dict+mask / mask+dict
0: hash mode (raw MD5)
hash file
dictionary + 3 chars appended (-a 6) or prepended (-a 7)
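Added example, not from the notes or hashcat's own code: sizing a mask before launching -a 3 / -a 6 / -a 7, so you know whether ?a?a?a?a?a?a?a?a will finish this week. The charset sizes are hashcat's built-ins; the 1e9 candidates/s in the demo is a made-up rate to show the arithmetic, put your own benchmark figure in.

```shell
#!/bin/sh
# Added example (not from the original notes): keyspace of a hashcat mask.
# Built-in charsets, hashcat's own sizes: ?l=26 ?u=26 ?d=10 ?s=33 ?a=95 ?b=256.
# Custom charsets (-1 ..) and ?h/?H are not handled.  Shell arithmetic is
# 64-bit, so this is good up to 9 ?a positions.

# mask_keyspace MASK -> number of candidates an -a 3 run will try
mask_keyspace() {
  mask=$1 total=1
  while [ -n "$mask" ]; do
    case $mask in
      '??'*)       n=1;   mask=${mask#??} ;;   # '??' is a literal question mark
      '?l'*|'?u'*) n=26;  mask=${mask#??} ;;
      '?d'*)       n=10;  mask=${mask#??} ;;
      '?s'*)       n=33;  mask=${mask#??} ;;
      '?a'*)       n=95;  mask=${mask#??} ;;
      '?b'*)       n=256; mask=${mask#??} ;;
      '?'*)        echo "mask_keyspace: unknown token at '$mask'" >&2; return 1 ;;
      *)           n=1;   mask=${mask#?} ;;    # any other char is a literal
    esac
    total=$((total * n))
  done
  echo "$total"
}

# hybrid_keyspace WORDLIST_LINES MASK -> candidates for -a 6 / -a 7 (every word x every mask value)
hybrid_keyspace() {
  echo $(( $1 * $(mask_keyspace "$2") ))
}

# eta_seconds KEYSPACE RATE -> whole seconds at RATE candidates/s
#   (RATE is hashcat's "Speed" line or john's c/s for that hash type)
eta_seconds() {
  echo $(( $1 / $2 ))
}

# Demo with the masks used in the notes, at an assumed 1e9 candidates/s
for m in '?a?a?a' '?a?a?a?a?a?a' '?a?a?a?a?a?a?a?a' 'pass?d?d'; do
  ks=$(mask_keyspace "$m")
  printf '%-20s %20s candidates  ~%s s\n' "$m" "$ks" "$(eta_seconds "$ks" 1000000000)"
done
printf '%-20s %20s candidates (1000-word dict + ?a?a?a)\n' 'hybrid' "$(hybrid_keyspace 1000 '?a?a?a')"
```

Six ?a positions is 735 billion candidates, minutes for NTLM on a GPU; eight is 6.6e15, which is why -a 3 past 7 or 8 characters is where rules and hybrid masks take over.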
Results:
cat ~/.hashcat/hashcat.potfile
or, uglier, to get just the plains for one hash list:
hashcat -m 5600 --potfile-path ~/.hashcat/hashcat.potfile --show --outfile-format 2 hash.txt
lm2ntcrack.rb
Ruby script from Metasploit: get the NT password from a cracked LM password
If you have the LM cracked (upper-case only), but not the NT:
> /opt/metasploit-framework/tools/password/lm2ntcrack.rb -t NTLM -p MYLMPASS -a BAXOFLYKD
-t NTLM ..get the NTLM
-p MYLMPASS ..the cracked LM plaintext
-a BAXOFLYKD ..the NT hash (2nd hash of the LM:NT pair)
..it tries the case variants of the LM plaintext until one matches the NT hash
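Added example, not from the notes and not lm2ntcrack.rb itself: the same idea in shell, without needing Ruby or MD4 on the box. LM uppercases the password before hashing, so once the LM plaintext is known the NT plaintext is one of the 2^k case variants (k = letters in it). Generate them as a wordlist and let hashcat -m 1000 (NTLM) find the right one. The password 'PASS1' and the file names in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes, not lm2ntcrack.rb): LM -> NT by
# case permutation.  LM is at most 14 chars and case-insensitive, so the
# cracked LM plaintext differs from the real password only in letter case.

# lm_case_variants LMPLAIN -> every upper/lower-case variant, one per line
lm_case_variants() {
  printf '%s\n' "$1" | awk '
    function expand(prefix, rest,    c, lc, uc) {
      if (rest == "") { print prefix; return }
      c = substr(rest, 1, 1); lc = tolower(c); uc = toupper(c)
      expand(prefix uc, substr(rest, 2))
      if (lc != uc) expand(prefix lc, substr(rest, 2))   # digits/symbols: one form only
    }
    { expand("", $0) }'
}

# lm_case_count LMPLAIN -> how many candidates that is (2^letters); sanity check before a run
lm_case_count() {
  lm_case_variants "$1" | awk 'END { print NR }'
}

# Demo on an assumed cracked LM plaintext
echo "PASS1 -> $(lm_case_count 'PASS1') candidates:"
lm_case_variants 'PASS1'
# Real run (assumed file names; nt_hashes.txt holds the 32-hex NT hashes):
#   lm_case_variants 'PASS1' > nt_candidates.txt
#   hashcat -m 1000 nt_hashes.txt nt_candidates.txt
# hashcat can also toggle case itself: -a 0 -m 1000 nt_hashes.txt lm_plains.txt -r rules/toggles5.rule,
# but the toggles*.rule files cap how many positions change; the generator above is exhaustive.
```

Worst case is 14 letters, 16384 candidates, which NTLM chews through instantly, so this is always worth doing before any real NT cracking.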