By: junkwerks
August 17, 2016

How to Write a Script in Kali Linux Used to Identify Hashes

I was planning to move on from my series on hashing, but after spending some time digging around /usr/bin on my Kali VM, I decided that a little more fun could be had.

So, let's say you are on a pentest job and come across some hashes. These will grab your attention, but they're not low-hanging fruit, right? After all, hashes aren't reversible, so why spend the time? Hmmmm… copy them for when you have a bit more time, then follow along with the exercise below.

Kali has two Python scripts that can be used to help identify what type of hash you are looking at. These are also listed in the Kali menu system under “05-Password”. I'll call them from the command line in an open terminal.

Here's the hash that we will use for the exercise: "286755fad04869ca523320acce0dc6a4". It's pretty basic, as we want to have a positive finding in this exercise. The first problem we have is that we don't know what kind of hash it is. Let's try to find out using hashid:

root@kali:~# python /usr/bin/hashid --help

usage: hashid [-h] [-e] [-m] [-j] [-o FILE] [--version] INPUT

Identify the different types of hashes used to encrypt data

Positional Arguments:
  INPUT                    input to analyze (default: STDIN)

Options:
  -e, --extended           list all possible hash algorithms including salted passwords
  -m, --mode               show corresponding Hashcat mode in output
  -j, --john               show corresponding JohnTheRipper format in output
  -o FILE, --outfile FILE  write output to file
  -h, --help               show this help message and exit
  --version                show program's version number and exit

 First we use the --help to see what we can do. For now, we'll keep it simple and short. You can play later. 

root@kali:~# python /usr/bin/hashid 286755fad04869ca523320acce0dc6a4

Analyzing '286755fad04869ca523320acce0dc6a4'
[+] MD2
[+] MD5
[+] MD4
[+] Double MD5
[+] LM
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5
[+] Skype
[+] Snefru-128
[+] NTLM
[+] Domain Cached Credentials
[+] Domain Cached Credentials 2
[+] DNSSEC(NSEC3)
[+] RAdmin v2.x

Hmmm, let's see. I'll take MD5 for the best chance. We can always try the others later. Let's see what hash-identifier says this hash is. First the --help, then we run the command with the hash.

root@kali:~# python /usr/bin/hash-identifier --help

#########################################################################
# -- I removed the banner that's displayed here on the terminal screen --
#########################################################################
-------------------------------------------------------------------------
HASH:

Well then, no help here. It's interactive, so let's plug the hash in:

HASH: 286755fad04869ca523320acce0dc6a4

Possible Hashes:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashes:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))

It seems to agree with the MD5 guess and provides other guesses as well. Good. Now what? Let's see if we can “crack” the hash using "findmyhash". As you will see, it searches Google.

root@kali:~# python /usr/bin/findmyhash --help

/usr/bin/findmyhash 1.1.2 ( https://code.google.com/p/findmyhash/ )

Usage:
------

  python /usr/bin/findmyhash <algorithm> OPTIONS

Accepted algorithms are:
------------------------

  MD4       - RFC 1320
  MD5       - RFC 1321
  SHA1      - RFC 3174 (FIPS 180-3)
  SHA224    - RFC 3874 (FIPS 180-3)
  SHA256    - FIPS 180-3
  SHA384    - FIPS 180-3
  SHA512    - FIPS 180-3
  RMD160    - RFC 2857
  GOST      - RFC 5831
  WHIRLPOOL - ISO/IEC 10118-3:2004
  LM        - Microsoft Windows hash
  NTLM      - Microsoft Windows hash
  MYSQL     - MySQL 3, 4, 5 hash
  CISCO7    - Cisco IOS type 7 encrypted passwords
  JUNIPER   - Juniper Networks $9$ encrypted passwords
  LDAP_MD5  - MD5 Base64 encoded
  LDAP_SHA1 - SHA1 Base64 encoded

  NOTE: for LM / NTLM it is recommended to introduce both values with this format:
    python /usr/bin/findmyhash LM -h 9a5760252b7455deaad3b435b51404ee:0d7f1f2bdeac6e574d6e18ca85fb58a7
    python /usr/bin/findmyhash NTLM -h 9a5760252b7455deaad3b435b51404ee:0d7f1f2bdeac6e574d6e18ca85fb58a7

Valid OPTIONS are:
------------------

  -h <hash_value>  If you only want to crack one hash, specify its value with this option.

  -f <file>        If you have several hashes, you can specify a file with one hash per line.
                   NOTE: All of them have to be the same type.

  -g               If your hash cannot be cracked, search it in Google and show all the results.
                   NOTE: This option ONLY works with -h (one hash input) option.

Examples:
---------

  -> Try to crack only one hash.
     python /usr/bin/findmyhash MD5 -h 098f6bcd4621d373cade4e832627b4f6

  -> Try to crack a JUNIPER encrypted password escaping special characters.
     python /usr/bin/findmyhash JUNIPER -h "$9$LbHX-wg4Z"

  -> If the hash cannot be cracked, it will be searched in Google.
     python /usr/bin/findmyhash LDAP_SHA1 -h "{SHA}cRDtpNCeBiql5KOQsKVyrA0sAiA=" -g

  -> Try to crack multiple hashes using a file (one hash per line).
     python /usr/bin/findmyhash MYSQL -f mysqlhashesfile.txt

Contact:
--------

  [Web]          http://laxmarcaellugar.blogspot.com/
  [Mail/Google+] bloglaxmarcaellugar@gmail.com
  [twitter]      @laXmarcaellugar

Ok, so here we go, we'll test a single hash, and that allows us to search Google:

root@kali:~# python /usr/bin/findmyhash -h "286755fad04869ca523320acce0dc6a4" -g

 

root@kali:~#

  Ummm. No return. Ok, for our purposes here, I know that isn't correct. So, what's up? It's Python, so let's look at the code: 

less /usr/bin/findmyhash

  We can see some classes that submit a search to various websites and then scrape the returned data. A quick check tells me that some of the websites no longer exist, and we all know that websites change. So unfortunately, this is un-maintained code that may partially work in some instances. You'll be surprised to find out that nothing worked here in this example in just a moment. The script checks Google with the hash, so we can too, using the following search term: 

md5 hash "286755fad04869ca523320acce0dc6a4"

We have hits. Let's check the first one that came up for me (http://md5cracker.org/decrypted-md5-hash/286755fad04869ca523320acce0dc6a4). Bingo! The hash is MD5 for "password".

So, there we have it. Find a hash, identify the type of hash, then search for it. Of course, it will rarely be that easy. And if there's a Python programmer looking to fork some code that could be contributed back to the folks at Kali, findmyhash could use some love.
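
Both identification tools used above work from the shape of the string (length, character set, prefix). The sketch below is an added example, not code from the original post or from either tool: the signature table is a small constructed subset, and `identify`, `triage` and `SAMPLES` are names made up here. It reuses the hash strings quoted in this article and groups a mixed list by format, since findmyhash's -f option expects one type per file.

```python
import re
from collections import defaultdict

HEX = r"[a-fA-F0-9]"
# Constructed signature table: a small subset for illustration only.
# Algorithm labels follow the findmyhash list quoted in the article.
SIGNATURES = [
    (rf"{HEX}{{32}}", ["MD5", "MD4", "MD2", "NTLM", "LM", "RIPEMD-128"]),
    (rf"{HEX}{{32}}:{HEX}{{32}}", ["LM:NTLM pair"]),
    (rf"{HEX}{{40}}", ["SHA1", "RMD160"]),
    (rf"{HEX}{{64}}", ["SHA256", "GOST"]),
    (rf"{HEX}{{128}}", ["SHA512", "WHIRLPOOL"]),
    (r"\{SHA\}[A-Za-z0-9+/]{27}=", ["LDAP_SHA1"]),   # 20 bytes, Base64
    (r"\{MD5\}[A-Za-z0-9+/]{22}==", ["LDAP_MD5"]),   # 16 bytes, Base64
    (r"\$9\$\S+", ["JUNIPER"]),
]
COMPILED = [(re.compile(p), names) for p, names in SIGNATURES]

def identify(value):
    """Return every algorithm whose output format matches, or [] if none."""
    value = value.strip()  # drop the newline left by copy/paste or file reads
    found = []
    for pattern, names in COMPILED:
        if pattern.fullmatch(value):
            found.extend(names)
    return found

def triage(values):
    """Group a mixed list by candidate set, one bucket per format."""
    buckets = defaultdict(list)
    for value in values:
        buckets[tuple(identify(value))].append(value.strip())
    return dict(buckets)

# Constructed sample input, reusing the hash strings quoted in this article.
SAMPLES = [
    "286755fad04869ca523320acce0dc6a4",
    "098f6bcd4621d373cade4e832627b4f6",
    "9a5760252b7455deaad3b435b51404ee:0d7f1f2bdeac6e574d6e18ca85fb58a7",
    "{SHA}cRDtpNCeBiql5KOQsKVyrA0sAiA=",
    "$9$LbHX-wg4Z",
    "not-a-hash",
]

if __name__ == "__main__":
    for candidates, members in triage(SAMPLES).items():
        label = ", ".join(candidates) or "unrecognized"
        print(f"{label}: {members}")
```

A 32-character hex string matches several algorithms at once, so the result is a shortlist to narrow with context, such as where the hash was found, not a verdict.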