10-01-2022, 11:30 AM
I'm looking at cracking one of my own passwords that's been leaked. From the looks of it, it was leaked but never cracked. It was too difficult for the attackers. For starters, it's hashed with bcrypt, and it's a very strong password that they knew nothing about. But I happen to know the password since it's my password. So I want to give it a go with Hashcat, to educate myself on cracking bcrypt.
For the sake of example, it looks something like this:
Code:
$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6
No need to google this, this is not my actual hash. I took this from Hashcat example list. Mine is a 2y variant with cost of 10.
1. The first 22 chars (after the last dollar) are the salt?
2. The remaining 31 chars are the Blowfish hash?
I tried with a command like this:
Code:
hashcat -m 3200 -a 0 -O $2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6 ./wordlist
3. Is this the expected format for bcrypt hash parameter?
4. Am I allowed to supply the parameter inline on the terminal like this or do I have to use a file for input?
I have always wondered why Hashcat users create a file just to store a single hash. Is there any reasonable explanation for this? This seems like something you would only want to do when you want to work on two or more hashes.
5. How can I tell Hashcat how long my password is, or tell it what the password is and have it try that?
I have typed in my password in cleartext in the "wordlist" file. Is that the right way to do it?
I requested optimized kernel but got none:
Optimized kernel requested, but not available or not required
6. Is there any list of optimized kernels that Hashcat supports?
The command failed with this error:
Code:
Hash 'j0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6': Separator unmatched
No hashes loaded.
7. What separator matching is it looking for?
These are the 31 chars of the string (see above). Although mine doesn't look like this, this is where it's at. Mine includes "/" chars, one at the beginning and one somewhere in the middle or so. Is this throwing off Hashcat in any way? Is it problematic to have these slashes in the string, and do I need to escape them?
Lastly, my hash included additional colon-separated bits, ending with a semicolon. Something like this:
Code:
$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6:01234567890123456789:012345678;
8. What is the significance of these last bits and should they be included in input?
I would appreciate your help with this.
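The layout questions above (salt vs. digest split, the "/" characters, the trailing colon fields, and how a 60-char bcrypt string ends up as a 31-char fragment) can be checked mechanically. The script below is an added example written for this thread; it is not code from the post or from the hashcat project. It uses hashcat's public -m 3200 example hash from the post, plus two constructed inputs: a leaked-style line with made-up trailing fields, and a made-up 2y/cost-10 string that is not the hash of any password (it only probes the format). The helper names (strip_extra_fields, parse_bcrypt, shell_safe) are this example's own.

```python
"""Parse bcrypt modular-crypt strings in the shape hashcat -m 3200 expects.

Added example for the forum thread; not hashcat's own code. The sample hash
is hashcat's public -m 3200 example; the trailing fields and the 2y string
are constructed for illustration only.
"""
import re
import shlex

# Layout: $<variant>$<cost>$<22-char salt><31-char digest>  (60 chars total)
# Salt and digest use bcrypt's own base64 alphabet: . / A-Z a-z 0-9
# so '.' and '/' are ordinary characters and never need escaping.
BCRYPT_ALPHABET = r"[./A-Za-z0-9]"
BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>" + BCRYPT_ALPHABET + r"{22})"
    r"(?P<digest>" + BCRYPT_ALPHABET + r"{31})$"
)
BCRYPT_LENGTH = 60  # 7-char header + 22 + 31

# hashcat's public -m 3200 example hash (password: "hashcat"), as quoted in the post.
HASHCAT_EXAMPLE = "$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6"

# Constructed leaked-style line in the shape the post describes; the extra
# fields are made-up digits, not data from any breach.
LEAKED_LINE = HASHCAT_EXAMPLE + ":01234567890123456789:012345678;"

# Constructed 2y / cost-10 string with '/' as the first digest char and one
# mid-digest. It is NOT a real hash of anything; it only exercises the parser.
CONSTRUCTED_2Y = "$2y$10$" + "abcdefghijklmnopqrstuv" + "/ABCDEFGHIJKLMN/OPQRSTUVWXYZ012"


def strip_extra_fields(line):
    """Split 'HASH:field1:field2;' into (HASH, [field1, field2]).

    hashcat -m 3200 wants only the 60-char bcrypt string, so everything after
    the first ':' (and a trailing ';') is returned separately, not fed to it.
    The bcrypt alphabet contains no ':', so the first field is always the hash.
    """
    line = line.strip().rstrip(";")
    hash_part, *extras = line.split(":")
    return hash_part, extras


def parse_bcrypt(hash_str):
    """Return the components of a bcrypt string, or raise ValueError."""
    if len(hash_str) != BCRYPT_LENGTH:
        raise ValueError(
            f"expected {BCRYPT_LENGTH} chars, got {len(hash_str)}: the string "
            "is truncated or mangled. An unquoted '$' on the shell command "
            "line is subject to variable expansion; single-quote the hash or "
            "put it in a file."
        )
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m["cost"])
    return {
        "variant": m["variant"],  # 2a / 2b / 2x / 2y (or bare 2)
        "cost": cost,             # work factor; key setup runs 2**cost times
        "rounds": 2 ** cost,
        "salt": m["salt"],        # 16 raw bytes encoded as 22 chars
        "digest": m["digest"],    # 23 raw bytes encoded as 31 chars
    }


def shell_safe(hash_str):
    """Quote the hash so a POSIX shell passes it through untouched."""
    return shlex.quote(hash_str)


if __name__ == "__main__":
    for raw in (HASHCAT_EXAMPLE, LEAKED_LINE, CONSTRUCTED_2Y):
        hash_part, extras = strip_extra_fields(raw)
        info = parse_bcrypt(hash_part)
        print(f"{hash_part}\n  {info}\n  dropped fields: {extras}")
        print(f"  safe on a command line as: {shell_safe(hash_part)}")
    # The 31-char fragment from the post's error message is not a bcrypt string.
    try:
        parse_bcrypt("j0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6")
    except ValueError as err:
        print(f"fragment rejected: {err}")
```

Running it prints the variant, cost, salt and digest of each input, shows the trailing fields being split off, and rejects the 31-char fragment from the post's error with a length message. The `shell_safe` output is the single-quoted form to use when the hash is given inline instead of in a file.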