How to Write a Script in Kali Linux Used to Identify Hashes

August 17, 2016 | Views: 13200


I was planning to move on from my series on hashing, but after spending some time digging around /usr/bin on my Kali VM, I decided that a little more fun could be had. So, let’s say you are on a pentest job and come across some hashes. These will grab your attention, but they’re not low-hanging fruit, right? After all, hashes aren’t reversible, so why spend the time? Hmmmm…copy them for when you have a bit more time, then follow along with the exercise below.

Kali has two Python scripts that can be used to help identify what type of hash you are looking at. These are also listed in the Kali menu system under “05-Password”. I’ll call them from the command line in an open terminal.

Here’s the hash that we will use for the exercise: “286755fad04869ca523320acce0dc6a4”. It’s pretty basic, as we want to have a positive finding in this exercise.

The first problem we have is that we don’t know what kind of hash it is. Let’s try to find out using hashid:

root@kali:~# python /usr/bin/hashid --help
usage: hashid [-h] [-e] [-m] [-j] [-o FILE] [--version] INPUT

Identify the different types of hashes used to encrypt data

Positional Arguments:
  INPUT                    input to analyze (default: STDIN)

Options:
  -e, --extended           list all possible hash algorithms including salted passwords
  -m, --mode               show corresponding Hashcat mode in output
  -j, --john               show corresponding JohnTheRipper format in output
  -o FILE, --outfile FILE  write output to file
  -h, --help               show this help message and exit
  --version                show program's version number and exit

First we use the --help to see what we can do. For now, we’ll keep it simple and short. You can play later.

root@kali:~# python /usr/bin/hashid 286755fad04869ca523320acce0dc6a4
Analyzing '286755fad04869ca523320acce0dc6a4'
[+] MD2
[+] MD5
[+] MD4
[+] Double MD5
[+] LM
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5
[+] Skype
[+] Snefru-128
[+] NTLM
[+] Domain Cached Credentials
[+] Domain Cached Credentials 2
[+] DNSSEC(NSEC3)
[+] RAdmin v2.x

Hmmm, let’s see. I’ll take MD5 for the best chance. We can always try the others later. Let’s see what hash-identifier says this hash is. First the --help, then we run the command with the hash.

root@kali:~# python /usr/bin/hash-identifier --help
#########################################################################
# --- I removed the banner that’s displayed here on the terminal screen ---
#########################################################################
-------------------------------------------------------------------------
HASH:

Well then, no help here. It’s interactive, so let’s plug the hash in:

HASH: 286755fad04869ca523320acce0dc6a4

Possible Hashes:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashes:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(WordPress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))

It seems to agree with the MD5 guess and provides other guesses as well. Good. Now what? Let’s see if we can “crack” the hash using “findmyhash”. As you will see, it searches Google.

root@kali:~# python /usr/bin/findmyhash --help
/usr/bin/findmyhash 1.1.2 ( http://code.google.com/p/findmyhash/ )

Usage:
------
  python /usr/bin/findmyhash <algorithm> OPTIONS

Accepted algorithms are:
------------------------
  MD4 - RFC 1320
  MD5 - RFC 1321
  SHA1 - RFC 3174 (FIPS 180-3)
  SHA224 - RFC 3874 (FIPS 180-3)
  SHA256 - FIPS 180-3
  SHA384 - FIPS 180-3
  SHA512 - FIPS 180-3
  RMD160 - RFC 2857
  GOST - RFC 5831
  WHIRLPOOL - ISO/IEC 10118-3:2004
  LM - Microsoft Windows hash
  NTLM - Microsoft Windows hash
  MYSQL - MySQL 3, 4, 5 hash
  CISCO7 - Cisco IOS type 7 encrypted passwords
  JUNIPER - Juniper Networks $9$ encrypted passwords
  LDAP_MD5 - MD5 Base64 encoded
  LDAP_SHA1 - SHA1 Base64 encoded

  NOTE: for LM / NTLM it is recommended to introduce both values with this format:
    python /usr/bin/findmyhash LM -h 9a5760252b7455deaad3b435b51404ee:0d7f1f2bdeac6e574d6e18ca85fb58a7
    python /usr/bin/findmyhash NTLM -h 9a5760252b7455deaad3b435b51404ee:0d7f1f2bdeac6e574d6e18ca85fb58a7

Valid OPTIONS are:
------------------
  -h <hash_value>  If you only want to crack one hash, specify its value with this option.
  -f <file>        If you have several hashes, you can specify a file with one hash per line.
                   NOTE: All of them have to be the same type.
  -g               If your hash cannot be cracked, search it in Google and show all the results.
                   NOTE: This option ONLY works with -h (one hash input) option.

Examples:
---------
  -> Try to crack only one hash.
     python /usr/bin/findmyhash MD5 -h 098f6bcd4621d373cade4e832627b4f6

  -> Try to crack a JUNIPER encrypted password escaping special characters.
     python /usr/bin/findmyhash JUNIPER -h "$9$LbHX-wg4Z"

  -> If the hash cannot be cracked, it will be searched in Google.
     python /usr/bin/findmyhash LDAP_SHA1 -h "{SHA}cRDtpNCeBiql5KOQsKVyrA0sAiA=" -g

  -> Try to crack multiple hashes using a file (one hash per line).
     python /usr/bin/findmyhash MYSQL -f mysqlhashesfile.txt

Contact:
--------
[Web] http://laxmarcaellugar.blogspot.com/
[Mail/Google+] bloglaxmarcaellugar@gmail.com
[twitter] @laXmarcaellugar

Ok, so here we go, we’ll test a single hash, and that allows us to search Google:

root@kali:~# python /usr/bin/findmyhash -h "286755fad04869ca523320acce0dc6a4" -g
root@kali:~#

Ummm. No return. Ok, for our purposes here, I know that isn’t correct. So, what’s up? It’s Python, so let’s look at the code:

less /usr/bin/findmyhash

We can see some classes that submit a search to various websites and then scrape the returned data. A quick check tells me that some of the websites no longer exist, and we all know that websites change. So unfortunately, this is unmaintained code that may partially work in some instances. You’ll be surprised to find out, in just a moment, that nothing worked here in this example.

The script checks Google with the hash, so we can too, using the following search term:

md5 hash "286755fad04869ca523320acce0dc6a4"

We have hits. Let’s check the first one that came up for me (http://md5cracker.org/decrypted-md5-hash/286755fad04869ca523320acce0dc6a4).

Bingo! The hash is MD5 for “password”.

So, there we have it. Find a hash, identify the type of hash, then search for it. Of course, it will rarely be that easy.

And if there’s a Python programmer looking to fork some code that could be contributed back to the folks at Kali, findmyhash could use some love.
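
The identify-then-confirm workflow above can also be run offline, which keeps hashes from a client engagement out of third-party lookup sites and lets you check what a lookup site reports. This is an added example, not code from the article or from hashid or findmyhash; the shape table, the function names `candidates` and `confirm`, and the decoy guesses are assumptions made for illustration.

```python
import hashlib
import re

# Shape table (constructed, deliberately small): hex length -> algorithms
# whose raw digest has that size. hashid and hash-identifier match on the
# same kind of length/charset patterns, which is why one 32-character
# input comes back with a long list of names.
SHAPES = {
    32: ["MD5", "MD4", "MD2", "NTLM", "LM", "RIPEMD-128"],
    40: ["SHA-1", "RIPEMD-160"],
    64: ["SHA-256", "SHA3-256"],
    128: ["SHA-512", "Whirlpool"],
}

def candidates(value):
    """Return the algorithm names whose hex digest has this shape."""
    value = value.strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return []
    return SHAPES.get(len(value), [])

def confirm(target, guesses, algo="md5"):
    """Hash each guess locally, bare and with the line endings that
    `echo` or a text file would add; return (guess, suffix) or None."""
    target = target.strip().lower()
    for guess in guesses:
        for suffix in ("", "\n", "\r\n"):
            data = (guess + suffix).encode("utf-8")
            if hashlib.new(algo, data).hexdigest() == target:
                return guess, suffix
    return None

if __name__ == "__main__":
    page_hash = "286755fad04869ca523320acce0dc6a4"  # hash used in the article
    print(candidates(page_hash))
    # Plaintext reported by the lookup site, plus constructed decoy guesses
    print(confirm(page_hash, ["letmein", "password", "123456"]))
```

A non-empty suffix in the result means the hash was computed over the text plus a line ending, as happens with `echo text | md5sum`.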

6 Comments
  1. Kali. Anyone has got the entire manual on how to use the software? I’m new to Kali. Please kindly direct me where I can find a self study manual about Kali. Thanks

  2. I prefer using a much simpler solution by uploading the unknown hash to crackstation.net. Huge fan of using Kali live (with persistence) to obtain SAM and SYSTEM files from Windows systems. Once I have these two files, I can go to the comfort of my own home and run BKHIVE and SAMDUMP2 to pull the hashes. Once I’ve got these, crackstation is my friend. If it can’t get it, then it’s not worth my time. Educational and informational purposes only!

  3. Oooh…I know where I’m going to try THIS out tomorrow!! 🙂

    Thanks, and have a great day!!

    ladyhacker
    🙂

  4. Yes. Google it once you have an idea of what type of hash you are dealing with, not that knowing is necessarily always all that important. It’s more about an exercise in tool discovery and use. A key part of the article was not to trust that everything just works, not even on Kali.

    The whole Kali thing. No arguments from me there. I reluctantly used that title, but most people here are using it to learn with. And yes that is the danger, not only using root for everything, but not learning how to use or admin a linux distribution in general. I actually looked in the debian repos for the tools but not surprisingly they are not there. It’s more about experimenting with tools on hand than searching for tools, learning git, compiling from source, etc. Those skills are important, but outside the scope of the article.

    Arch. Used it from 2004 until 2013. Went 7 years without a reinstall and was bleeding edge and up to date the day I killed the hardware. Fun stuff.

  5. So basically, what you are saying is google it? Because that’s what I do on every test…why do the hard work when someone else has already for you? 😉

    Also, we should really steer away from the whole “Using Kali Linux to Identify Hashes” thing, you aren’t using Kali to identify the hashes, you are using Kali to run a script that is identifying hashes through a website. I know it sounds picky, but so many folk I see nowadays just install Kali and presume it’s the solution. The amount of folk I see who have a hard install of Kali and they are running it as their base OS/daily driver is insane. I use it to live boot into an environment that is configured to give me the quick and dirty solutions I need, however… if I have the time, I would much prefer to use my Arch machine.
