Time: 14 hours 26 minutes
Difficulty: Advanced
CEU/CPE: 15

Video Description

This lesson focuses on how to use the oclhashcat command. The oclhashcat command is a tool that can be used for password cracking. This lesson offers step-by-step instructions for using the hashcat command and applying different rules to crack passwords. This lesson also covers using the pipal tool to obtain statistics from cracked passwords.

Video Transcription

00:04
Okay. Now let's look at another tool called hashcat. There's also a version called oclHashcat,
00:10
hashcat,
00:13
but that's gonna be based on using GPUs, your graphics cards, so your hardcore gaming machines would be appropriate for this. Our virtual machine is not remotely
00:24
appropriate for this. It wouldn't do us any good, so we could just use the regular version of hashcat. If you're interested in getting into password cracking, I would encourage you to build
00:34
ah,
00:35
a password cracking box or get one online,
00:38
one of the cloud services.
00:41
We're gonna use regular hashcat.
00:46
Well, nice. This couple of had a shirt will expire.
00:51
What do you do? It has that
00:53
dash dash help. We need to actually tell it the mode,
00:58
so we're not going to be able to just have it guess,
01:02
so we want to
01:06
grab one of these mode numbers. We want NT hashes, NTLM. That's
01:12
1000.
01:15
Try that one on our Windows 7. We had, we got Lisa's password is football, but we don't know, honestly, I don't know, 'cause where it is. And James and Martin also have passwords. Maybe we can get some of them.
01:29
We want the mode, it's 1000,
01:32
and
01:34
hashcat also has built-in word lists. So we'll go to /usr/share.
01:45
Awesome. I said it had
01:48
word lists. Maybe it doesn't,
01:49
um, it just has rules. So you see those? We can look at those, but
01:57
gonna use /usr/share/wordlists,
02:00
somewhere in Kali that we can use.
02:04
No, I guess there's not one
02:07
built in with hashcat. I seemed to think that there was, but I guess not. There's this rockyou.txt.gz. We're gonna have to use gunzip to open it. This is a good one. It may take a while, but it's pretty big. It's a word list. It's actually one of the ones they use.
02:23
What work?
02:24
So the only one but
02:27
the big one. So just unzip that with gunzip,
02:30
so just rockyou.txt. I wouldn't encourage you to open it because it'll probably hang your VM. It's so big that if nano tried to open it,
02:38
it'll just freak out.
02:40
All right, So
02:44
hashcat dash m, for mode. Our mode is going to be 1000,
02:53
and our input file is going to be Desktop,
02:57
win7hashes.txt,
03:00
dash o for the output. We'll just call it
03:05
win7
03:07
cracked
03:07
.txt. And then we need the word list at /usr/share/
03:13
wordlists/rockyou.txt.
03:21
This is one of the things that annoys me about hashcat. I like hashcat. Hashcat's even though the one that people are moving to, and John the Ripper's going back into development, so
03:31
it's kind of hard to tell which one's better. But I don't like the fact that it's complaining it can't load the hashes. Not only do I have to know the mode, which isn't so hard here, but if we tried our Linux ones, I don't know what those are,
03:45
you have to find out. It actually won't let us just load what comes out of a typical password hash dumper.
03:53
So what we actually have to do?
03:55
Yeah, look at
04:00
win7hashes.txt. Make a copy first.
04:20
What do you?
04:27
What we want to do is just have the NTLM hash, so we even have to get rid of the user name, so that could be a little bit annoying. I think that all you get
04:35
is the hash and then the plaintext. And it's up to you to write some sort of script to get them back to the user names, if you want them,
04:56
though. We could have also used, like, cut on this. I mean, it's all colons. That wouldn't have been too hard
05:03
to use cut rather than doing it this long way. Certainly, if you have
05:09
a longer list, that's what you'd want to do.
05:26
All right, You know what? We've done that. Let's try it again.
05:44
It recovered four out of the six,
05:53
so it was pretty fast.
05:58
Where did we put the output file? win7cracked.txt.
06:09
Password, football,
06:11
now saying it was password. Okay,
06:16
so is the 31
06:24
right, Minister Blank.
06:29
So it's saying that my password was password, like it was supposed to be. I'm not entirely sure why John wasn't picking it up. It has to be something about the pot file. John has the pot file where it stores the stuff it's already found. I think doing that dash dash show should have shown it. But
06:44
once it's cracked the password hash, it won't do it again unless you delete the pot file.
06:49
There's another way to do it. But all it really has served to do in my life is manage to make my classes screw up because I use the same VM.
06:58
Um, so that has to be why. So we got,
07:01
and it's kind of annoying you have to do this, so it looks like we don't,
07:06
we do have a password for James. Looks like that's password123.
07:15
Pretty common thing to do when you're dealing with domains that have a group policy. So it's like just by default, they require certain complexity. It'll be uppercase Password1 or Password123.
07:27
I already knew that Lisa was football,
07:30
and
07:31
it's like George's
07:33
password, but we don't have, we still don't have Martin.
07:46
Let's see if we can do any better.
07:48
But what we can do is actually use those rules,
07:54
so /usr/share/hashcat,
08:00
we have some built-in rule files. So this is gonna be where it, like, mangles the passwords. It's gonna run through the word list and then try different things on it, in addition to just
08:09
the normal.
08:11
Like if it had a password
08:15
all in lowercase, it might try it all uppercase. It might uppercase each letter one by one. It might put a one on the end, a two on the end, an exclamation at the end, all different stuff. I like best64.rule. That one is the one I usually use. Passwordspro,
08:33
some of the ones in here, leetspeak. I mean, depending on who you're dealing with, if you've got IT people, leetspeak could be a good one.
08:41
Anything in here would be worth trying out. And certainly you could get additional rules as well. Again, there are a lot of password attack
08:50
and password research people who spend a lot of time putting together word lists and rule sets to try and crack these as fast as possible.
09:05
Go up and try this again, and I just want
09:09
dash r, and I want /usr/share/
09:15
hashcat/
09:16
rules/best64.rule.
09:28
This'll take a little longer.
09:31
Enter to see how we're doing.
09:35
Back to four of six.
09:39
This will take a little bit longer because it has to process the rules. So it's gonna run through
09:45
each password in the rockyou.txt multiple times based on what the rules come up with. So
09:54
we will
09:56
hopefully maybe get Martin's password.
09:58
I know what it is, honestly,
10:03
and we also have those Linux passwords. Let's see if I can run it all here.
10:11
Mom's working.
10:13
So this would be one of the reasons I would definitely use John, at least to start, um, is the Linux
10:24
hashes, because I'm not sure what they are, and it will tell me.
10:28
So it says it found
10:31
MD5 as well as SHA-512
10:35
crypt.
10:39
So it has one MD5 and then I imagine the rest are the SHA-512.
10:48
So I imagine the one at the front is the MD5. That's the one I made when I installed the operating system, but, kind of makes sense, the rest would be in a different format. That doesn't really make sense, but I could see how that would happen. The rest would be in that SHA-512.
11:07
Let's overwork my poor little CPU here and do John,
11:13
linuxhashes.txt,
11:15
format equals, uh,
11:18
sha512crypt.
11:22
That's, that's wordlist equals
11:26
/usr/share/
11:28
wordlists
11:31
you?
11:33
No.
11:41
You know, George's password is password, so that should be
11:45
easy.
11:50
Well, we will get something out here,
11:52
one of these guys.
11:56
Still at four of six here.
12:05
Well,
12:05
you could certainly let these run. And
12:09
I encourage you to try different passwords, like try some stuff that's not based on a dictionary word, and stuff that is put like,
12:16
um, password with, uh, letters and numbers together,
12:22
your uppercases and lowercases, symbols, getting near the end, and see, you know, what you're able
12:28
to bring out. Typically when I do password attacks, I get a lot of
12:35
simple dictionary words with, like, uppercase first letter or
12:39
numbers at the end or symbols at the end.
12:43
Something like that.
12:48
I mean, I get a lot of that. It's really hard to stop something like that. Come on, give me another password
12:54
And the last thing, well, we'll check in. The last thing I want to show you.
12:58
One more thing that's kind of silly is that sometimes you may not even have to crack the password. Remember, we have the FileZilla, for example, sitting on the desktop,
13:09
the FileZilla XML,
13:16
and here's one for newuser, an MD5. Look at Google and find out
13:20
that's how FileZilla stores its passwords.
13:26
Look, actually, to stick this into Google. In addition to building your own password cracking rig with GPUs, there are online services that will do password cracking,
13:41
but I encourage you, if
13:43
you're into building hardware,
13:46
to get a gaming rig and turn it into
13:50
a password cracker.
13:54
Be fun.
13:58
Of course it doesn't want to do two people on here. I'm not entirely sure why.
14:11
We're gonna stick that hash in Google and it actually comes out
14:18
with the correct password there, like right here. Actually, I don't even have to click on it. It's just the plaintext is lamp. So that's the default for FileZilla.
14:26
Username newuser and
14:30
password lamp.
14:31
It didn't tell me at install that I needed to change that. So it's just sitting there.
14:39
Now, again, sometimes you may not even have to crack it.
14:45
Five of six.
14:48
Angela's password is qwerty.
14:50
What terrible passwords. We did get one of the Linux password hashes out
14:54
in the plaintext.
15:01
Hashcat, even the regular hashcat, seems to be a little bit faster than this.
15:07
SHA-512 crypt may be slower to hash. You never know.
15:13
So another thing you could do, once you're done with your password cracking, you use this tool called pipal. This will actually allow you to get some statistics off your passwords.
15:24
Yeah,
15:26
There's another. James's password is green.
15:31
Our Windows
15:35
cracked.
15:37
What did I call them?
15:45
win7cracked.
15:54
I just added them back in again as I wrote him to the same file.
15:58
Run pipal on win7cracked.txt.
16:03
What this is going to do is give me some statistics. There's really not much in this one, since there's not many, but usually when I do these, I get
16:11
awesome stuff like it'll have the months and days,
16:15
like the amount of, like, only lowercase, also only uppercase, only alpha, only numeric,
16:22
one to six characters, one to eight. You get really good password statistics, and it just automates it so you don't have to do it
16:29
yourself, so I really like that as well. It'll give your clients an idea about
16:34
what their statistics are
16:37
on the passwords.
16:40
So that is a little bit of password cracking. It is a pretty big field. There's a lot of people who have spent a lot of time with password cracking, it being, you know, the main way we all authenticate. It's certainly worthwhile to be good at password cracking. So it really comes down to how good your word list is, how good your rule sets are,
17:00
and, of course, how
17:02
poor the password policies are at the organization that you're doing the cracking against.
17:08
But if they're using really, really strong passwords, it's going to be harder. If they're using really, really weak passwords, it's going to be simple. And also, of course, the algorithm used, like LM hash. It doesn't matter how strong the password is, we'll still be able to crack it.

Instructed By

Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor