Cracking windows and Unix passwords using Hashcat
Sara Almazan, CCNA CyberOps
According to Gartner research from 2018, weak and stolen credentials contribute to 80% of the cyber breaches in the world. In other words, 4 out of every 5 attacks succeed because of weak passwords.
Windows password hashes are stored in C:\windows\system32\config\SAM, whereas UNIX password hashes are stored in the /etc/shadow file. Gaining access to these files is fairly difficult for a beginner, but fairly simple for a seasoned hacker.
In this article, I will explain how to crack Windows and UNIX passwords using Hashcat. Hashcat is a password cracking utility that uses a dictionary to guess a password: it hashes each dictionary word in turn and compares the resulting hash to the one it is trying to crack. If the hashes match, we know the password. If not, it keeps guessing.
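The compare loop described above, written out as an added example that is not part of the article: plain sh using `sha256sum` as the hash function so it runs offline. Real /etc/shadow entries are salted crypt(3) formats (`$6$` is sha512crypt, `$5$` is sha256crypt) and NTLM is MD4 over the UTF-16LE password, so `sha256sum` stands in for the algorithm only, not for those formats; the hash file and wordlist are constructed inline.

```shell
#!/bin/sh
# Added example, not code from the article: the dictionary loop hashcat runs,
# in plain sh. sha256sum is a stand-in hash; it is not the SAM or shadow format.

# hash_word WORD -> hex digest of WORD (no trailing newline, as a password is hashed)
hash_word() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# dictionary_attack HASHFILE WORDLIST
# For every hash in HASHFILE, hash each wordlist entry in turn and stop at the
# first match. Prints "hash:word" per cracked hash; returns 1 if none cracked.
dictionary_attack() {
  hashfile=$1; wordlist=$2; cracked=0
  while IFS= read -r target || [ -n "$target" ]; do
    [ -z "$target" ] && continue
    while IFS= read -r word || [ -n "$word" ]; do
      if [ "$(hash_word "$word")" = "$target" ]; then
        printf '%s:%s\n' "$target" "$word"
        cracked=$((cracked + 1))
        break                       # like hashcat, stop once this hash is found
      fi
    done < "$wordlist"
  done < "$hashfile"
  [ "$cracked" -gt 0 ]
}

# demo: constructed hash file and wordlist in a temp dir; the second hash is
# for a password that is not in the wordlist, so it stays uncracked.
demo() {
  d=$(mktemp -d)
  printf '%s\n' "$(hash_word password123)" "$(hash_word 'Tr0ub4dor&3!xyz')" > "$d/hashes.txt"
  printf '%s\n' 123456 password letmein password123 qwerty > "$d/wordlist.txt"
  dictionary_attack "$d/hashes.txt" "$d/wordlist.txt"
  rm -rf "$d"
}
demo
```

Two things this toy makes visible that the paragraph does not: every candidate costs one full hash computation (hashcat moves that work onto a GPU and into its own kernels, which is why a per-word `sha256sum` process is only fit for demonstration), and with a salted format such as sha512crypt the whole wordlist has to be re-hashed separately for each target hash, which is part of why the article's 14-character password took days rather than minutes.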
Disclaimer: This article is for educational purpose only!
STEP 1: The first step is to download and install Hashcat (https://hashcat.net/hashcat/). If you are using Kali Linux, the tool comes pre-installed.
Note: The OS used in this POC is Kali Linux; however, this can be performed on any operating system.
STEP 2: Install the OpenCL framework, which is the platform Hashcat requires to run.
Note: OpenCL (Open Computing Language) is a framework for writing programs that execute across heterogeneous platforms. OpenCL specifies programming languages for programming these devices and application programming interfaces (APIs) to control the platform and execute programs on the compute devices. OpenCL also provides a standard interface for parallel computing using task- and data-based parallelism.
Note: The OpenCL framework for the Intel platform can be downloaded from https://software.intel.com/en-us/articles/opencl-drivers
STEP 3: Ensure the OpenCL framework is installed correctly.
STEP 4: Unzip the password dictionary into /usr/share/wordlists/
Note: This step assumes that you already have a password dictionary available. If not, you can download one from https://weakpass.com/lists
STEP 5: Run the hashcat -h command to list all available options. The most important options are -m (hash type) and -a (attack mode).
Note: Windows stores passwords as NTLM hashes, whereas UNIX stores them in SHA-256 format, so the hash type (-m) has to be chosen accordingly.
STEP 6: Store all the hashes that need to be cracked in a text file.
Note: This step assumes that you already have access to the hashes. If you don't have any, you can copy the hash for a user from the /etc/shadow file.
STEP 7: Run the Hashcat command to crack the passwords. Depending on the hash type, cracking can take anywhere from a few minutes to several hours.
Note: Hashcat has the following syntax: hashcat -a (attack mode) -m (hash type) <File with hashes to be cracked> <Password dictionary>
STEP 8: See the passwords cracked.
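Steps 5 to 8 as one script, added here as an example that is not the article's own: it picks the -m value from the format of the stored hash (the `$6$`, `$5$` and `$1$` prefixes are the sha512crypt, sha256crypt and md5crypt /etc/shadow formats; a bare 32-hex-digit string is treated as NTLM), assembles the STEP 7 command with the straight dictionary attack (-a 0), and lists the cracked passwords with --show for STEP 8. The mode numbers are hashcat's own; the file names and hashes are placeholders, and the hash file is assumed to hold one bare hash per line as STEP 6 describes.

```shell
#!/bin/sh
# Added example, not code from the article: choose hashcat's -m from the hash
# format and build the STEP 7 / STEP 8 commands. File names are placeholders.

# hashcat_mode HASH -> prints the -m value for HASH, or returns 1 if unknown
hashcat_mode() {
  case "$1" in
    '$6$'*) echo 1800 ;;   # sha512crypt: the usual modern /etc/shadow format
    '$5$'*) echo 7400 ;;   # sha256crypt
    '$1$'*) echo 500 ;;    # md5crypt: legacy /etc/shadow entries
    *)
      # a bare 32-hex-digit string with no $id$ prefix is treated as NTLM
      if printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'; then
        echo 1000
      else
        return 1
      fi
      ;;
  esac
}

# shadow_hash_field LINE -> the hash field of an /etc/shadow line
# (strips the user name and the account-ageing fields that follow the hash,
# so the result can go into the one-hash-per-line file from STEP 6)
shadow_hash_field() {
  printf '%s\n' "$1" | cut -d: -f2
}

# build_crack_cmd HASHFILE WORDLIST -> prints the STEP 7 command line,
# using the first non-empty hash in HASHFILE to pick -m
build_crack_cmd() {
  first=$(grep . "$1" | head -n 1)
  [ -n "$first" ] || { echo "no hashes in $1" >&2; return 1; }
  mode=$(hashcat_mode "$first") || { echo "unrecognised hash format: $first" >&2; return 1; }
  printf 'hashcat -a 0 -m %s %s %s\n' "$mode" "$1" "$2"
}

# run_crack HASHFILE WORDLIST: run the attack if hashcat is installed, then
# list what was cracked (STEP 8); otherwise just show the command
run_crack() {
  cmd=$(build_crack_cmd "$1" "$2") || return 1
  if command -v hashcat >/dev/null 2>&1; then
    $cmd                                   # word-splits into the argv built above
    hashcat -m "$(hashcat_mode "$(grep . "$1" | head -n 1)")" --show "$1"
  else
    echo "hashcat not found; would run: $cmd"
  fi
}

# usage (placeholder paths):
#   run_crack hashes.txt /usr/share/wordlists/rockyou.txt
```

Checking the prefix before choosing -m is the step most often skipped: a `$6$` shadow entry fed to the sha256crypt mode simply fails to parse, and `--show` reads hashcat's potfile, so re-running STEP 8 later does not repeat the cracking work.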
The most important lesson learnt from this exercise was that when a simple 8-character password with no complexity requirements was configured, it was cracked within 5 minutes. However, when a complex 14-character password (including uppercase, lowercase, special characters, etc.) was configured, it took almost 2 days to crack. This emphasizes the importance of using a strong password: it does not make the attack impossible, but it makes it much harder for hackers to break into your accounts.
---------------------------------------------------------------------------------------------------------------
Platform Engineering, Networking and Endpoint Security Analyst. Secret & NATO clearances (DND) - Ottawa, Canada.
(4 years ago) I learned all of it with Adams Heat on Udemy; now he has just launched his own platform. :)
Information Security Specialist at Hitachi Systems Security Inc.
(4 years ago) Thank you for sharing this! It was worth reading and I learnt something new!