25 September 2011

Password Hashes

So for my first post I thought I would keep it simple. Hashes.

There are two broad types of attack when it comes to attacking a system or application that is protected by some sort of authentication mechanism:
  1. Password Guessing - where you *don't* have access to the stored password representation (hash) aka brute force attack.
  2. Password Cracking - where you *do* have access to the stored password representation

So it's key to point out here that all passwords are stored somewhere, whether in volatile (memory) or non-volatile (datastore, registry) storage on the target or at a centralized authentication provider (RADIUS, Active Directory), and whether in cleartext (#fail) or in an encrypted/hashed representation.

I am going to leave password guessing attacks for now, but they may be covered in another post in the future. There are many simple tools out there (Hydra, Metasploit, Web Brute), so find a decent wordlist (Rockyou75, Openwall) and get brute forcing!

Resources for password lists:

This is going to be brief and I am sure I will add to this in the future. However, without a toolbox of zero-day exploits in your back pocket, capturing, breaking or reusing hashes is essential when assessing the security of your network. Understanding what you have is key here.

A recent talk from IronGeek (Adrian Crenshaw) on pilfering Windows targets gives a good overview of the types of common hashes you may encounter:
Source: Irongeek - Nashville 2011 Talk 

(VNC is listed here; however, it is a simple Base64 encoding of the password. Not really a hash, more an obfuscation, as it's easily reversible.)
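
To make "understanding what you have" concrete, here is an added example (not from the original post or the talk) that classifies stored password representations by their format, so an audit can flag cleartext and unsalted fast hashes. The format table, function names and sample records are assumptions chosen for illustration; the patterns follow widely documented encodings.

```python
import hashlib
import re

# (label, pattern, storage note). Illustrative table, not taken from the talk.
FORMATS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "salted, slow"),
    ("sha512crypt",
     re.compile(r"^\$6\$(rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$"),
     "salted, slow"),
    ("md5crypt", re.compile(r"^\$1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"),
     "salted, fast"),
    ("raw SHA-256", re.compile(r"^[0-9a-fA-F]{64}$"), "unsalted, fast"),
    ("raw SHA-1", re.compile(r"^[0-9a-fA-F]{40}$"), "unsalted, fast"),
    # 32 hex characters is ambiguous: MD5, NT and LM hashes all look like this.
    ("raw MD5, NT or LM hash", re.compile(r"^[0-9a-fA-F]{32}$"), "unsalted, fast"),
]

UNKNOWN = ("unrecognised (possibly cleartext or encoded)", "review manually")


def classify(stored):
    """Return (label, note) for one stored password representation."""
    value = stored.strip()
    for label, pattern, note in FORMATS:
        if pattern.match(value):
            return label, note
    return UNKNOWN


def audit(records):
    """Classify every entry of {account: stored_value}."""
    return {account: classify(value) for account, value in records.items()}


# Constructed sample records, generated here; not real credentials.
SAMPLE = {
    "alice": hashlib.md5(b"constructed-example").hexdigest(),
    "bob": hashlib.sha1(b"constructed-example").hexdigest(),
    "carol": "$2b$12$" + "a" * 53,   # bcrypt-shaped placeholder string
    "dave": "Summer2011!",           # stored in cleartext
}

if __name__ == "__main__":
    for account, (label, note) in audit(SAMPLE).items():
        print(f"{account:6} {label:45} {note}")
```

Format alone cannot distinguish MD5 from NT or LM hashes, so the source of the record (application database, SAM, directory service) still has to settle which one it is.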


Once you know what you have, 'cracking' them is the next step.


Tools that are useful here are:

  • Hashcat
  • John
  • Ophcrack
  • Cain






