Beginner. AD hash crack (min 12 char)
#1
Hi

I'm new to this field, read some of the hashcat wiki and the hashcat forum and watched YouTube videos. I have not yet understood everything but I got an idea of how it works. I was able to crack my own test hashes, so far I got the basic concept and usage of hashcat. Unfortunately I am struggling with increasing difficulty.

In our company (half public sector) we had a security training and the company offered us a challenge to crack one specific hash. It is likely a simple password, but not a short one. The password is following some standard Active Directory complexity settings but has a minimal length of 12 characters. I'm trying to find a good approach how to get my hands on it. I also installed The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux and did my first experiments with it (beginner but I like it).

Brute force seems not to be suitable (minimum 12 characters long, could be even longer).
What I did:
- collected a wordlist (dictionary) of our local language
- collected a wordlist (cewl) from our homepage
- combined these two lists into one single wordlist. 

I would like to attack the hash, but I'm struggling with how to do it with rulesets/masks. May I ask if anyone could recommend a good guide on how to approach it? Like a tutorial or a good website explaining how to do it?

I think it would make sense to somehow build a dictionary with some base word from the dictionary and numbers/special characters, but I'm a bit lost on how to do it. I experimented with princeprocessor but didn't get very far with this. Or somehow with a mask, or combine it.

Any recommendations?

Kind Regards,
Manuell
#2
I think the hashcat wiki is a very good first spot to take a look.

To achieve the things you mentioned there are 2 main possibilities. hashcat supports combining two wordlists, known as the combinator attack, so you can use your first wordlist and generate a second one like this:

hashcat --stdout -a 3 19?d?d
or with maskprocessor from hashcat-utils, see https://hashcat.net/wiki/doku.php?id=hashcat_utils

This will generate all numbers from 1900 to 1999 (unsorted). You can redirect or use -o to get this into a file and have a simple second wordlist. With the combinator attack (-a 1) this would result in combining all passwords from your wordlist with all numbers from 1900-1999.

The same would be possible with rules, attack mode -a 0.

Sample rule:
$1 $9 $0 $0
meaning append 1, append 9, append 0, append 0 to every word in the wordlist. Put this into a file named rule.txt, put a password in a file called pw.txt, run hashcat like this and you will see the "generated" password with 1900 appended:

hashcat --stdout -a 0 -r rule.txt pw.txt

For all rules see
https://hashcat.net/wiki/doku.php?id=rule_based_attack
or take a look into the rules folder, there are some basic rulesets like best64.rule.

For basic attacks refer to hashcat --help or the wiki:

  Wordlist + Rules: hashcat -a 0 -m hashtype hashfile wordlist -r best64.rule
  Brute-Force: hashcat -a 3 -m hashtype hashfile ?a?a?a?a?a?a
  Combinator: hashcat -a 1 -m hashtype hashfile wordlist1 wordlist2
#3
Thank you snoopy for your reply.

Yes, I'm reading the wiki, tried out some wordlist attacks, mask attacks, etc. Also searched for some wordlists and found different ones (rockyou, some in my local language, I also created a wordlist with cewl from the webpage of the company). Now I'm experimenting with the combinator, no luck yet. Also tried with best64 rules, no luck yet.

What I would like to do is to translate the rules of MS AD into a ruleset that only generates candidates that satisfy the AD complexity settings (like uppercase letter, lowercase letter, special character and minimum length, in this case 12 or more characters). I'll dig further into how to do that.
#4
There are some reject rules you can use for that, but NTLM (I suppose you are trying to crack a Windows hash) is considered a fast hash, so don't bother with rejecting.

If you really want, you can "clean" your wordlist beforehand. In hashcat-utils I think there was a little helper splitting up a given wordlist into passwords by length, but be aware that there are so many (delivered) rules like strip first char, strip last char and so on, that you should use at least password candidates of 12-18 chars minimum.

Take also a look at maskprocessor and/or prince to build up generated candidates with a minimum length of 12.

There are some more things to consider (didn't find the slide right now, but in short):
most passwords begin with a capital letter (depending a little bit on your language) -> rule: capitalize first letter
most passwords end with a number or special char -> see the rules for that

As always, there's more than one way to skin a [hash]cat.
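Added example, not from this thread and not hashcat's own code: a small pure-Python imitation of the candidate pipeline snoopy sketches in #2 (mask -> year list, combinator attack, append rules) and #4 (length reject rules, capitalize the first letter, append a number or special char, then keep only candidates that satisfy an AD-style policy). It is meant to make visible what `hashcat --stdout` would emit for such rules; the real attack still runs in hashcat against the hash. Assumptions: only the rule functions `: l u c C t r $ ^ < > _` are implemented, rule tokens are split on whitespace (so "append space" is not supported), `>N` / `<N` follow the wiki wording (reject if shorter / longer than N, with positions 0-9 then A-Z as in hashcat), and the AD check is simplified to "minimum length plus 3 of 4 character classes" without the account-name check. The base words are constructed stand-ins for a local-language wordlist.

```python
import itertools
import string

# hashcat's built-in charsets ?d ?l ?u ?s ?a as listed on the mask attack wiki page
CHARSETS = {
    "d": string.digits,
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def expand_mask(mask):
    """Expand a mask such as '19?d?d' (what -a 3 / maskprocessor would emit)."""
    slots, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in CHARSETS:
            slots.append(CHARSETS[mask[i + 1]])
            i += 2
        elif mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] == "?":
            slots.append("?")          # '??' is a literal question mark
            i += 2
        else:
            slots.append(mask[i])      # any other char is a fixed literal
            i += 1
    return ["".join(p) for p in itertools.product(*slots)]


def combinator(left, right):
    """Attack mode -a 1: every left word followed by every right word."""
    return [a + b for a in left for b in right]


def _pos(ch):
    """Rule positions/lengths count 0-9 then A-Z (A = 10), as in hashcat rules."""
    return int(ch) if ch.isdigit() else ord(ch.upper()) - ord("A") + 10


def apply_rule(word, rule):
    """Apply one whitespace-separated rule line (toy subset). None = rejected."""
    for op in rule.split():
        fn, arg = op[0], op[1:]
        if fn == ":":
            continue
        elif fn == "l":
            word = word.lower()
        elif fn == "u":
            word = word.upper()
        elif fn == "c":
            word = word[:1].upper() + word[1:].lower()
        elif fn == "C":
            word = word[:1].lower() + word[1:].upper()
        elif fn == "t":
            word = word.swapcase()
        elif fn == "r":
            word = word[::-1]
        elif fn == "$":
            word = word + arg          # append
        elif fn == "^":
            word = arg + word          # prepend
        elif fn == ">":
            if len(word) < _pos(arg):  # reject plains shorter than N (assumed semantics)
                return None
        elif fn == "<":
            if len(word) > _pos(arg):  # reject plains longer than N (assumed semantics)
                return None
        elif fn == "_":
            if len(word) != _pos(arg):
                return None
        else:
            raise ValueError(f"rule function {op!r} not supported in this toy")
    return word


def run_rules(words, rules):
    """Roughly 'hashcat --stdout -a 0 -r rules.txt words.txt' for the subset above."""
    out = []
    for w in words:
        for r in rules:
            cand = apply_rule(w, r)
            if cand is not None:
                out.append(cand)
    return out


def meets_ad_complexity(pw, min_len=12):
    """Simplified AD policy: minimum length and at least 3 of 4 character classes.
    Real AD complexity also rejects parts of the account name and counts a fifth
    (other Unicode letter) category; both are left out here."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= 3


if __name__ == "__main__":
    base = ["sommer", "winterzeit"]          # constructed stand-ins for the local wordlist
    years = expand_mask("19?d?d")            # 1900..1999, like 'hashcat --stdout -a 3 19?d?d'
    print(len(combinator(base, years)), "candidates from the combinator attack")
    rules = ["c $1 $9 $0 $0 >C", "c $2 $0 $2 $4 $! >C"]   # capitalize, append, keep >= 12 chars
    for cand in run_rules(base, rules):
        print(cand, "AD-ok" if meets_ad_complexity(cand) else "too simple")
```

Note what the `>C` reject does to the short base word: "Sommer1900" is dropped before it is ever tried, while "Winterzeit1900" survives. As #4 says, for NTLM the rejection buys almost nothing in speed; its value is to see, with `--stdout`, that the ruleset actually produces candidates of the required shape before spending GPU time on it.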