Cracking Hashes when you are Broke!

ismail kaleem
Feb 15, 2020


If you don’t have enough compute and don’t want to burn your GPU for too long, then this is the ultimate guide for you! The guide is written for domain hashes, but the same approach works for any hash type.

This is what your user list is going to look like.

SAINTDOMAIN\smith.falcon:4709:aad3b435b51404eeaad3b435b51404ee:aa3e93f9e31509ae98443ee24f65c9f6:::

You can grep for “SAINTDOMAIN” and save the user entries to a list, since a lot of entries are going to be computer accounts rather than users.

Clean the list with the below command to extract user hashes

grep "domain here" hashes.txt | sed -e '/des-/d' -e '/aes256/d' -e '/aes128/d' > clean.txt

The script below builds a decent word-list from the user names (one name per line, in the first.last form shown above).

Part 1 — Hunting with Staff Names

#!/bin/bash
# bash script.sh - reads a file of first.last user names, writes the word-list to crack.txt
read -r -p "What is the name of the file? " filename
firstname=$(cut -d . -f1 "$filename")
lastname=$(cut -d . -f2 "$filename")
allnames=$(cat "$filename")
# Capitalise the first letter of every line (\u is a GNU sed extension)
capfirstname=$(printf '%s\n' "$firstname" | sed 's/\w/\u&/')
caplastname=$(printf '%s\n' "$lastname" | sed 's/\w/\u&/')
first3=$(printf '%s\n' "$capfirstname" | cut -c 1-3)
last3=$(printf '%s\n' "$caplastname" | cut -c 1-3)
first5=$(printf '%s\n' "$capfirstname" | cut -c 1-5)
last5=$(printf '%s\n' "$caplastname" | cut -c 1-5)
capallnames=$(printf '%s\n' "$allnames" | sed 's/\w/\u&/')
# Each variable holds one candidate per line; print them all, then de-duplicate
printf '%s\n' "$firstname" "$lastname" "$allnames" "$capfirstname" "$caplastname" \
  "$first3" "$last3" "$first5" "$last5" "$capallnames" | sort -u > crack.txt

The first attempt uses random rules generated with -g (about 2 minutes).

hashcat64 -m 1000 -a 0 newlist.txt crack.txt -g 300000

Speed.#1.........: 182.4 MH/s (1.30ms) @ Accel:128 Loops:64 Thr:64 Vec:1
Recovered........: 22/1093 (2.01%) Digests, 0/1 (0.00%) Salts

It took less than 2 minutes to run all the rules and recover 27.

hashcat64 -m 1000 -a 0 newlist.txt crack.txt -r rules\*

Recovered........: 27/1093 (2.47%) Digests, 0/1 (0.00%) Salts

Only 2.47% is recovered; we are not doing so well, but these are still difficult passwords recovered in about 5 minutes. It’s time to get a little more aggressive.

Total time taken for the command below: 4 mins, 9 secs.

hashcat64 -m 1000 -a 6 newlist.txt crack.txt ?1?2?2?d?d?d?d --custom-charset1="!@#$%_&" --custom-charset2="!@#$%&1234567890"  -i --increment-max=21

Recovered........: 51/1093 (4.67%) Digests, 0/1 (0.00%) Salts

This is not too bad considering the time we had to wait.

The second one is going to take you roughly 10 minutes, which I believe is also not so bad.

hashcat64 -m 1000 -a 6 newlist.txt crack.txt ?2?2?2?d?d?d?d --custom-charset1="!@#$%_&" --custom-charset2="!@#_$%&1234567890"  -i --increment-max=21

Recovered........: 76/1093 (6.95%) Digests, 0/1 (0.00%) Salts

Well, a lot of users are reusing passwords: when I actually check the lists, it has already recovered the passwords of 126 user accounts.

These are real results from a test at a Telecom Provider in the Maldives [fixed].
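The password reuse noticed above can be measured straight from the dump, before any cracking, by grouping accounts that share the same NT hash: every shared digest is one password guarding several accounts. The following Python is an added example and not code from the post. It performs the same filtering as the grep/sed step (keeps one domain's user accounts, drops computer accounts and the aes/des key lines), then reports duplicate digests, accounts whose NT hash is the empty-password hash, and accounts that still have an LM hash stored. The sample dump lines are constructed for the example; the smith.falcon line is the one shown above, every other hash value is made up, and the account names are invented.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Well-known constants: the LM and NT hashes of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump-style line as produced by an NTDS dump: DOMAIN\user:RID:LM:NT:::
LINE_RE = re.compile(
    r"^(?P<domain>[^\\:]+)\\(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Constructed sample dump (hashes other than smith.falcon's are placeholders).
SAMPLE_DUMP = r"""
SAINTDOMAIN\smith.falcon:4709:aad3b435b51404eeaad3b435b51404ee:aa3e93f9e31509ae98443ee24f65c9f6:::
SAINTDOMAIN\jane.doe:4710:aad3b435b51404eeaad3b435b51404ee:aa3e93f9e31509ae98443ee24f65c9f6:::
SAINTDOMAIN\svc-backup:4711:aad3b435b51404eeaad3b435b51404ee:aa3e93f9e31509ae98443ee24f65c9f6:::
SAINTDOMAIN\old.admin:1200:0123456789abcdef0123456789abcdef:11111111111111111111111111111111:::
SAINTDOMAIN\guest.user:4712:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SAINTDOMAIN\WKS001$:4800:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
OTHERDOM\bob:1000:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
SAINTDOMAIN\smith.falcon:aes256-cts-hmac-sha1-96:4444444444444444444444444444444444444444444444444444444444444444
SAINTDOMAIN\smith.falcon:des-cbc-md5:5555555555555555
"""


@dataclass(frozen=True)
class Account:
    domain: str
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def is_computer(self) -> bool:
        # Machine accounts carry a trailing '$' in their sAMAccountName.
        return self.user.endswith("$")


def parse_dump(text: str, domain: str) -> list:
    """User accounts of `domain`; computer accounts and Kerberos key lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # aes256 / aes128 / des- key lines, blanks, anything non-pwdump
        acct = Account(m["domain"], m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower())
        if acct.domain.lower() != domain.lower() or acct.is_computer:
            continue
        accounts.append(acct)
    return accounts


def audit(accounts: list) -> dict:
    """Group by NT hash and flag the findings a defender wants before anything is cracked."""
    by_nt = defaultdict(list)
    for a in accounts:
        by_nt[a.nt].append(a.user)
    return {
        "accounts": len(accounts),
        "unique_digests": len(by_nt),
        "reuse_groups": {h: sorted(u) for h, u in by_nt.items() if len(u) > 1},
        "empty_password": sorted(a.user for a in accounts if a.nt == EMPTY_NT),
        "lm_stored": sorted(a.user for a in accounts if a.lm != EMPTY_LM),
    }


def accounts_covered(accounts: list, cracked_digests: set) -> int:
    """How many accounts a set of recovered digests unlocks (digests vs. users, as in the post)."""
    return sum(1 for a in accounts if a.nt in cracked_digests)


if __name__ == "__main__":
    accs = parse_dump(SAMPLE_DUMP, "SAINTDOMAIN")
    report = audit(accs)
    print("user accounts:", report["accounts"], "unique digests:", report["unique_digests"])
    for digest, users in report["reuse_groups"].items():
        print("shared NT hash", digest, "->", ", ".join(users))
    print("empty password:", report["empty_password"])
    print("LM hash stored:", report["lm_stored"])
```

Run against a real dump, the reuse groups are the list to act on first: one reset per group removes every account in it at once, and a service account sharing a digest with a human user is a finding on its own, whether or not the password is ever recovered.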

Part 2 — Hunting with brute force

It took less than 30 seconds to finish this.

hashcat64 -m 1000 -a 3 newlist.txt ?u?l?l?l?1?1?d?d?d --custom-charset1=!@#$_1234567809 -i --increment-max=21

Recovered........: 88/1093 (8.05%) Digests, 0/1 (0.00%) Salts

This will take less than 20 seconds.

hashcat64 -m 1000 -a 3 newlist.txt ?u?l?l?1?1?1?d?d --custom-charset1=!@#$_1234567890 -i --increment-max=21

Recovered........: 91/1093 (8.33%) Digests, 0/1 (0.00%) Salts

Collect all the passwords recovered so far and use them with a mask attack.

hashcat64 -m 1000 -a 6 newlist.txt passwords.txt ?1?1?d?d?d?d --custom-charset1=!@#$%_123567890 -i --increment-max=21

Recovered........: 96/1093 (8.78%) Digests, 0/1 (0.00%) Salts

The command below will again take less than a minute to finish.

hashcat64 -m 1000 -a 0 newlist.txt passwords.txt -r rules\*

Recovered........: 99/1093 (9.06%) Digests, 0/1 (0.00%) Salts

In less than 20 minutes, I was able to crack 9.06% of the hashes, which was about 239 user accounts.

You can use the company name for cracking. Try different combinations from what is mentioned here, as I have used “Facebook” as an example to hide the actual company name. This will again take less than 1 minute.

hashcat64.exe -m 1000 -a 3 newlist.txt --custom-charset4="!@#$%_1234567890" Facebook?4?4?4?4?4?4 -i --increment-max=22

Recovered........: 103/1093 (9.42%) Digests, 0/1 (0.00%) Salts

Part 3 — Hunting with RockYou & Masks

hashcat64 -m 1000 -a 6 newlist.txt rockyou.txt --custom-charset1="!@#$%&_" --custom-charset2="!@#_1234567890" ?1?2?d?d?d?d?d?d -i --increment-max=22

Recovered........: 132/1093 (12.08%) Digests, 0/1 (0.00%) Salts

This was a total of 298 user accounts cracked in less than 30 minutes, and I cancelled the last run before it finished.
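To see why every run above finishes in seconds or minutes, it helps to count the candidates a mask actually generates. The following Python is an added example, not hashcat's code or the post's. It parses hashcat mask syntax (?l ?u ?d ?s ?a ?h ?H, ?1 to ?4 custom charsets, ?? for a literal question mark, any other character literal), sums the prefix keyspaces that --increment walks through, and turns the total into a time estimate at the 182.4 MH/s the post reports. The increment model (every prefix length from 1 up to the smaller of the mask length and --increment-max) and the 1000-line wordlist used in the demo are assumptions, since the post does not give its wordlist size. For a defender the same arithmetic is the argument against a name-plus-symbol-plus-digits password policy: the whole pattern space is exhausted on a single GPU in about the time it takes to read this page.

```python
import math
import string

# Built-in hashcat charsets (?l ?u ?d ?s ?a ?h ?H).
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,  # 33 characters
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]  # 95 characters


def _tokens(spec: str):
    """Split a mask or charset spec into ('cs', key) / ('lit', char) tokens; '??' is a literal '?'."""
    i = 0
    while i < len(spec):
        if spec[i] == "?":
            if i + 1 >= len(spec):
                raise ValueError("dangling '?' in %r" % spec)
            sel = spec[i + 1]
            yield ("lit", "?") if sel == "?" else ("cs", sel)
            i += 2
        else:
            yield ("lit", spec[i])
            i += 1


def expand_charset(spec: str, custom: dict = None) -> set:
    """Characters a --custom-charsetN value denotes (it may itself use ?l, ?d, ...)."""
    chars = set()
    for kind, val in _tokens(spec):
        if kind == "lit":
            chars.add(val)
        elif val in BUILTIN:
            chars.update(BUILTIN[val])
        elif custom and val in custom:
            chars.update(expand_charset(custom[val]))
        else:
            raise ValueError("unknown charset ?%s" % val)
    return chars


def mask_sizes(mask: str, custom: dict = None) -> list:
    """Per-position candidate count for a mask such as 'Facebook?4?4?4?4?4?4'."""
    custom = custom or {}
    sizes = []
    for kind, val in _tokens(mask):
        if kind == "lit":
            sizes.append(1)
        elif val in BUILTIN:
            sizes.append(len(BUILTIN[val]))
        elif val in custom:
            sizes.append(len(expand_charset(custom[val])))
        else:
            raise ValueError("unknown charset ?%s" % val)
    return sizes


def keyspace(sizes: list, increment: bool = False, increment_min: int = 1, increment_max: int = None) -> int:
    """Candidates for the mask alone. With -i every prefix length from increment_min up to
    min(len(mask), increment_max) is tried in turn, so the prefix keyspaces are summed (assumed model)."""
    if not increment:
        return math.prod(sizes)
    hi = min(len(sizes), increment_max if increment_max else len(sizes))
    return sum(math.prod(sizes[:n]) for n in range(increment_min, hi + 1))


def estimate_seconds(candidates: int, rate_hps: float, wordlist_lines: int = 1) -> float:
    """Wall-clock estimate; a hybrid (-a 6) run tries wordlist lines x mask keyspace candidates."""
    return candidates * wordlist_lines / rate_hps


if __name__ == "__main__":
    # Mask and custom charsets copied from the first hybrid run in the post.
    sizes = mask_sizes("?1?2?2?d?d?d?d", {"1": "!@#$%_&", "2": "!@#$%&1234567890"})
    full = keyspace(sizes)
    with_i = keyspace(sizes, increment=True, increment_max=21)
    print("full mask:", full, "with -i:", with_i)
    # The wordlist size is not stated in the post; 1000 lines is an assumed value.
    print("seconds at 182.4 MH/s for a 1000-line wordlist: %.0f" % estimate_seconds(with_i, 182.4e6, 1000))
    fb = mask_sizes("Facebook?4?4?4?4?4?4", {"4": "!@#$%_1234567890"})
    print("company-name mask with -i:", keyspace(fb, increment=True, increment_max=22))
```

The number to notice is that the whole `?1?2?2?d?d?d?d` space, including every shorter prefix, is under twenty million candidates per wordlist entry, so a thousand-line list is done in under two minutes at the reported rate; only a longer, less structured secret moves that figure out of reach.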
