Hashcat

What is hashcat ?, is a great tool, is a advanced password recovery tool :). Everything what you need you can find here https://hashcat.net/hashcat/

Short story

During penetration testing I was able to find user name admin and password hash 41f26dc8435d1f633b1a3c4a30a0d882f645d5a6 with salt szalek. It was quite easy to figure out, that system was create base on Open Source Software. I was able to find a piece of code that generate password.

$pass = "???????";
$hash = "szalek"; 
$pass .= $hash; 
$pass = sha1($pass);

Now we have everything but we don't have plain text password, we have all the pieces of the puzzle and we have hashcat.

What we have to do ?

That part is quite easy, first, you have to have is a list of passwords. Under those links you will find dumps form various leaks. link 1 and link 2

Hashcat time

First you have to create file hash_to_crack.txt with one line 41f26dc8435d1f633b1a3c4a30a0d882f645d5a6:szalek as you see here we have hash and salt sepereate by colon if you are ready please execut this. (-m 110 mean SHA-1 more about hash mode)

hashcat -a 0 -m 110 hash\_to\_crack.txt /usr/share/wordlists/rockyou.txt

in this case it will take a secend to restore your password.

...

Dictionary cache built:
\* Filename..: rockyou.txt
\* Passwords.: 14344391
\* Bytes.....: 139921497
\* Keyspace..: 14343296
\* Runtime...: 1 sec

41f26dc8435d1f633b1a3c4a30a0d882f645d5a6:szalek:123456    

Session..........: hashcat
Status...........: Cracked
Hash.Type........: sha1($pass.$salt)
Hash.Target......: 41f26dc8435d1f633b1a3c4a30a0d882f645d5a6:szalek
Time.Started.....: Sat Dec 30 23:45:31 2017 (0 secs)
Time.Estimated...: Sat Dec 30 23:45:31 2017 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:  6501.6 kH/s (1.05ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 8192/14343296 (0.06%)
Rejected.........: 0/8192 (0.00%)
Restore.Point....: 0/14343296 (0.00%)
Candidates.#1....: 123456 -> total90
HWMon.Dev.#1.....: N/A