Masquerade,Cracking Hashes with Known Formats

Cracking Hashes

As a penetration tester, cracking hashes can be a great post-exploitation activity for both the fun and value to a client, providing a great way of showing the severity of an issue (but mostly for the fun). As most penetration testers know, the holy grail of Password cracking is seeing the 100% success as hashcat finishes, alerting you that you have cracked all the hashes found (sadly more often than not this is not the case). As usual dictionary attacks against these hashes are great for picking off the low hanging fruit, however they have their downsides. Dictionaries take up precious storage space and more often than not, they do not contain all the passwords to crack the hashes. This is where masks come in, masks allow the tester to specify a set layout of the hashed password taking a more targeted approach to cracking. Although this type of cracking provides a number of dependencies to successfully carry out, it helps push towards that sweet 100% crack rate.

Take the following, for example, default ISP router passwords, the structure of these passwords are usually generated in the same way. Imagine, you have managed to get a hold of a password hash from an ISP, you have identified this hash as MD5 and you know from your own password that the structure of their passwords is as follows:

• ‘1aaa111aaa’ is your password, so the uniformed structure of characters is – Number::3 Alphabetic::3 Numbers::3 Alphabetic

To brute for this specific password if the structure wasn’t uniform knowing only the length is 10 characters and it only incorporates numbers/alpha characters, the maximum number of possibilities would be:

• 35^10 = 2,758,547,353,515,625

Cracking this without a mask would take a huge amount of time, however, with a mask, it would reduce the possibilities to the following:

• 9*26*26*26*9*9*9*26*26*26 = 2,026,796,406,336

Just to reiterate, without the known structure the password would take around 1,361 times longer to crack. It should be noted at this point that this kind of attack, however, is reliant on a couple of things, both knowledge of that structure and the identified knowledge being correct. If the mask is incorrect it will be IMPOSSIBLE to crack the password if it’s structure does not conform to the given mask.

Writing Hashcat Masks:

To understand masks, hashcat will display information in relation to this by running the following command:

• Hashcat —help

However for a consolidated guide use the following, hashcat includes some built-in charset’s which can be used to write masks:

• ?l = abcdefghijklmnopqrstuvwxyz
• ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
• ?d = 0123456789
• ?s =  !”#$%&'()*+,-./:;<=>?@[\]^_`{|}~
• ?a = ?l?u?d?s
• ?b = 0x00 – 0xff

So consider the following MD5 hash as mentioned above ‘1aaa111aaa’, as we know the structure for this piece of hashed data we can write a mask to speed up cracking.

• dba675af53852bbb1637236d0077c419

We need to tell hashcat that we know the first character will always be a number, followed by 3 alphabetic characters, followed by 3 numbers, followed by 3 more alphabetic characters. This can be done as follows:

• ?d?l?l?l?d?d?d?l?l?l – This denotes the structure in the format which hashcat is expecting.

With hashcat you can also specify up to 4 custom charsets, for example, take the structure above, instead say this time that the first character has the possibility of being in the range of either 1-9 or L-P. So we need to tell hashcat this which can be done as follows:

• -1=?dLMNOP – Thus when ?1 is used in the mask, it denotes you know this character could be either 1-9 or L-P.

Take another example, SQL injection has revealed a set of MD5 hashed passwords. You know from scraping the website that a password policy of one uppercase character, one number, eight characters and one symbol from the following list; !@?% is implemented. It is more than likely that the majority of people will meet the minimum requirements of this policy for ease of use, so we can use masks to specify the most likely password structure. With my experience of testing so far, the most likely format for a user’s password is (Capital first letter)some word, number(s), symbol.

So we can build a mask to quickly run through possibilities take the following passwords:

• Monday123! (Yes, it’s surprising how many people use this password).
• Password1!Monday123! (Yes, it’s surprising how many people use this password).

The following mask should cover these:

• Custom charset 1 to cover places which may be digits or letters: -1=?d?l
• Custom charset 2 to limit the symbols to only those which are accepted: -2=!@?%
• Mask to use: ?u?l?l?l?l?l?1?1?1?2

Thus speeding up the cracking of passwords massively.

The following command can be used to utilise hashcats mask function:

• hashcat -a 3 -m hashtype (Any custom charsets eg. -1=?dapc) hash_or_hash_file mask

The above command can be broken down as:

• -a 3 – specifies the use of attack mode 3, a brute force attack trying all possibilities of the specified mask
• -m hashtype – for example, 0 for MD5.
• mask – the mask created earlier to speed up this cracking.

Example:

The following MD5 hash needs to be cracked, when know it’s structure is the same as the route example given above:

• ceb53b8257715f8e7bd3f0b73cbd094c

Using the following command and the knowledge learned above the following command can be used:

• hashcat -a 3 -m 0 ceb53b8257715f8e7bd3f0b73cbd094c ?d?l?l?l?d?d?d?l?l?l

The following screenshot shows that the password has been recovered as 1aaa111aaa

Other uses of the mask:

—increment – this option can be used to try all the different combinations incrementally, say you have a hash and you know that it contains between 1 and 8 digits. The following mask: ?d?d?d?d?d?d?d?d used with the —increment will try all combinations like follows, removing the need for a fixed-length mask:

• ?d
• ?d?d
• ?d?d?d
• ?d?d?d?d
• ?d?d?d?d?d
• ?d?d?d?d?d?d
• ?d?d?d?d?d?d?d
• ?d?d?d?d?d?d?d?d
  

Masks can also be used with files, say you know that all passwords must end with a symbol, start with an uppercase letter and be between seven and eight characters long with the In between characters only being upper or lower case letters. This means more than one mask is required. Due to the different lengths, we can cover this in a file using the custom charsets. Mask files must use the .hcmask extension and to cover the passwords above an example the following can be used:

• ?u,?l?u,?d, ?1?2?2?2?2?2?3
• ?u,?l?u,?d, ?1?2?2?2?2?2?2?3

To explain the above, the file is written in the following format: charset-one, charset-two, charset-three, mask, however, some of the custom charsets can be omitted or added. Thus covering two layouts with one mask. The mask file can be used in the command in place of the mask.

Conclusion

As demonstrated above, masks are extremely useful when cracking hashes whilst having a rough knowledge of their structure. Thus targeting the structure rather than a pure blind guess, saving time for other activities when Testing. Writing custom hashcat masks is an essential skill for a penetration tester speeding the job up and delivering more accurate targeted results for clients.

Interested in a Web Application Testing? Find out more here.

References:

• How to Perform a Mask Attack Using hashcat
• Exploiting masks in Hashcat for fun and profit

‍