Home - General Discussion - Tip of the day

freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2495
Team:
Reputation: 8298 Reputation
Offline
Thu, 13 Dec 2018 @ 20:33:51

Crack edmodo hashes with hashcat

Algo: Bcrypt(md5($pass))
Type: Slow hash

Method 1 (easy way): find password by mdxfind
Already posted. Can be read here

Method 2 (complicated): find password by hashcat

The passwords are first MD5 hashed, then hashed with algo BCRYPT, then obfuscated with that string. Thus, hashcat should first be run for bcrypt, to retrieve the md5 hashes; then run for md5, to retrieve the actual, cleartext passwords.

STEP 1: We have to convert edmodo hashes to the correct format.

Listing our file content.
Command: "cat raw_edmodo_hashes.txt"
$826y4$31226$dZbD2JfjeZ3TbIe44M0zclck2O4T1l8j7Y7jfl6maZ2ecU900ObFJk9iz8iCE5AODPQx4QkiQjJOVmG
$826y4$31226$dObG2MfyeO3TbYew4M0jcgc42M4D1A837Z7Dfg60aO2.cn9n0dbLTywGnOGmVfGO2whcLYnYCPWkRrK
$826y4$31226$dYb22Uf3eY3jbEe34O0DcBcm2M4D1d8h7M7jfA65aM2.cE9B0mbHqwJJXyEQq8tuyKNaynxwrXGD65C
$826y4$31226$dMbj2RfmeM3GbJej4O0TcYc52N4W1U8y7N7mfJ6jaZ2.cN9n0Wb4XGh1Z6pprH2h7Iwm43iVzZjozB6
$826y4$31226$dYbz2NfheO3GbZem4Z0jcccy2M421Y8w7Y7zfZ6iaN2.cY9k0qbmQal.22hZvum3RuYgYbTd/xfHYgG

Remove unnecessary strings (every 2nd char up to No. 64). Output hash length should be 60 chars.

solution 1:
"cut -c `seq -s ',' 1 2 64`,65- raw_edmodo_hashes.txt >edmodo.txt"
$2y$12$ZDJjZTI4MzlkOTljYjlmZeU0ObFJk9iz8iCE5AODPQx4QkiQjJOVmG
$2y$12$OGMyOTYwMjg4MDA3ZDg0O.nndbLTywGnOGmVfGO2whcLYnYCPWkRrK
$2y$12$Y2U3YjE3ODBmMDdhMjA5M.EBmbHqwJJXyEQq8tuyKNaynxwrXGD65C
$2y$12$MjRmMGJjOTY5NWUyNmJjZ.NnWb4XGh1Z6pprH2h7Iwm43iVzZjozB6
$2y$12$YzNhOGZmZjcyM2YwYzZiN.YkqbmQal.22hZvum3RuYgYbTd/xfHYgG

solution 2:
"cut -c 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31,33,35,37,39,41,43,45,47,49,51,53,55,57,59,61,63,65- raw_edmodo_hashes.txt >edmodo.txt"

solution 3:
"cut --complement -c `seq -s ',' 2 2 64` raw_edmodo_hashes.txt >edmodo.txt"

solution 4:
"cut --complement -c 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58,60,62,64 raw_edmodo_hashes.txt >edmodo.txt"

STEP 2: We have to create an md5 hashed dictionary file.

Attached a very simple bash script to do this (create_md5_hashlist_for_edmodo.sh)
Note: DIC variable should be modified according to actual dictionary name.

Command: "chmod +x create_md5_hashlist_for_edmodo.sh"

Run this script to create the md5 hashed list (script file and plain text dictionary file should be in the same dir):
Command: "./create_md5_hashlist_for_edmodo.sh"

It will create an md5 hashed dictionary file (if DIC="best15.txt", output will be "md5_best15.txt").

STEP 3: We can run hashcat (hashcat mode: 3200). Dictionary should be the md5 hashed dic.

Sample command: "hashcat -O -m 3200 -a 0 edmodo.txt md5_best15.txt --outfile=found_md5_hashes"

STEP 4: We have to run hashcat with the found md5 hash to find the plain text password.

Sample command: "hashcat -O -m 0 -a 0 found_md5_hashes best15.txt"

Background:
Online education platform Edmodo confirmed in 2017 it was hacked and personal information from 77 million users — students, parents and teachers — was accessed.

In a letter sent to affected users, Edmodo confirmed that user names, email addresses and hashed passwords were acquired by the hacker from the “No. 1 K-12 social learning network in the world.”

The passwords were hashed — a function that converts standard passwords into strings of random characters — using an encryption algorithm known as bcrypt. The passwords were also salted, which adds additional random data to a hash to make it harder to decipher.

Because of these encryption protections, Edmodo said it believes none of the stolen passwords have been compromised. However, it is advising users to change their passwords as soon as possible.

https://motherboard.vice.com/en_us/article/ezjbwe/hacker-steals-millions-of-user-account-details-from-education-platform-edmodo


If I helped a +rep is appreciated!

: 13hDMK85KhVnPb2eTFBacHD6kDjKYFLudb
XMPP: freeroute@xmpp.jp
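
Added example (not part of the original post or the forum's scripts): a POSIX shell check for the Step 1 output, confirming that each converted line has the 60-character bcrypt layout (version prefix, two-digit cost, 53 characters of salt and digest). The names check_bcrypt and check_file and the sample string are constructed for illustration.

```shell
#!/bin/sh
# Added example: structural check of a bcrypt modular-crypt string.
# Layout: "$2y$" + 2-digit cost + "$" + 22-char salt + 31-char digest = 60.

check_bcrypt() {
    h=$1
    if [ "${#h}" -ne 60 ]; then          # a stray \r or extra char fails here
        echo "bad length ${#h}"; return 1
    fi
    case $h in
        '$2a$'*|'$2b$'*|'$2x$'*|'$2y$'*) ;;
        *) echo "bad prefix"; return 1 ;;
    esac
    rest=${h#????}                        # strip the 4-char version prefix
    cost=${rest%%\$*}                     # text before the next '$'
    case $cost in
        [0-9][0-9]) ;;
        *) echo "bad cost field"; return 1 ;;
    esac
    if [ "${cost#0}" -lt 4 ] || [ "${cost#0}" -gt 31 ]; then
        echo "cost out of range"; return 1
    fi
    body=${rest#??\$}                     # 53 chars: salt + digest
    case $body in
        *[!./A-Za-z0-9]*) echo "bad alphabet"; return 1 ;;
    esac
    echo "ok cost=$cost"
}

# Check every line of a file, report offending line numbers,
# and succeed only when all lines pass.
check_file() {
    n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        msg=$(check_bcrypt "$line") || { bad=$((bad + 1)); echo "line $n: $msg"; }
    done < "$1"
    echo "$bad bad of $n lines"
    [ "$bad" -eq 0 ]
}

# Constructed sample value (not a real hash).
GOOD='$2y$12$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234'
check_bcrypt "$GOOD" || true
check_bcrypt "${GOOD}x" || true
```

Running check_file on the converted file after Step 1 lists every line whose length, prefix, cost or alphabet does not fit, including lines that picked up a trailing carriage return.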

Clav17

Status: n/a
Joined: Sun, 01 May 2016
Posts: 568
Team:
Reputation: 476 Reputation
Offline
Thu, 13 Dec 2018 @ 21:31:21

https://paste.hashkiller.co.uk/JT4BK-8WEeiA_0CNXEjIzQ
: echo -n "$passwords"| md5sum | tr -d " -" >> md5_"$DIC"
echo -n "$passwords"| md5sum | tr -d " -" | xargs >> md5_"$DIC"

xargs will trim \r, extra space, etc and your script will be perfect


My Bitcoin address is 135euCh71HmXY7xrs1fzUGWKs4A5BA3cfF, if you'd like to thank me :)

Milzo
Administrator
Status: Elite
Joined: Sat, 29 Dec 2012
Posts: 3149
Team:
Reputation: 4929 Reputation
Offline
Thu, 13 Dec 2018 @ 22:32:10

Clav17 said:

https://paste.hashkiller.co.uk/JT4BK-8WEeiA_0CNXEjIzQ
: echo -n "$passwords"| md5sum | tr -d " -" >> md5_"$DIC"
echo -n "$passwords"| md5sum | tr -d " -" | xargs >> md5_"$DIC"

xargs will trim \r, extra space, etc and your script will be perfect

This method would take an eternity on a large dictionary, use this small perl script instead.

https://paste.hashkiller.co.uk/0Ecdnv8mEeiA_0CNXEjIzQ


1CrqbgYU63zfLjwKVagyiTYP9XGMgyFAVm

Forum Rules
https://i-disclose.net/ (Temporary Offline)
Discord - Milzo#6567

Clav17

Status: n/a
Joined: Sun, 01 May 2016
Posts: 568
Team:
Reputation: 476 Reputation
Offline
Thu, 13 Dec 2018 @ 23:25:47

Milzo said:

Clav17 said:

https://paste.hashkiller.co.uk/JT4BK-8WEeiA_0CNXEjIzQ
: echo -n "$passwords"| md5sum | tr -d " -" >> md5_"$DIC"
echo -n "$passwords"| md5sum | tr -d " -" | xargs >> md5_"$DIC"

xargs will trim \r, extra space, etc and your script will be perfect

This method would take an eternity on a large dictionary, use this small perl script instead.

https://paste.hashkiller.co.uk/0Ecdnv8mEeiA_0CNXEjIzQ

There is also dos2unix (not present by default in most unix), but isn't the bash for loop supposed to treat line by line?


{EHF}

Status: Elite
Joined: Wed, 07 Feb 2018
Posts: 422
Team: {EHF}
Reputation: 710 Reputation
Offline
Thu, 13 Dec 2018 @ 23:34:27

You can also use a specially crafted hashcat kernel for this.

https://forum.hashkiller.co.uk/topic-view.aspx?t=23819&m=174616#174616

It also converts Edmodo hashes to the correct format (Step 1) where needed. Less to worry, more to crack.


BTC: 1EHFTeamaugMZLYPZUW5xd1MWQReT18brW
Email: b961be2b6c3675d4ba1490fa85268a2a
Now accepting custom, mixed or iterated hashes via PM or mail.
Custom hashcat kernels

freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2495
Team:
Reputation: 8298 Reputation
Offline
Sat, 15 Dec 2018 @ 11:07:27

4-ways handshake crack - for JtR bleeding users:

1. run hcxdumptool to get pcapng
2. run hcxpcaptool to convert output to JtR format
3. now run JtR

Command:
"./john test.john -format:wpapsk-opencl -dev:gpu -single:all"

These are new functions in the latest git push.
Using these options, JtR will run hcxpsktool functions inside JtR on all hashes in the hashfile. This is done on GPU and is extremely fast.


ukris

Status: n/a
Joined: Sat, 29 Sep 2018
Posts: 29
Team:
Reputation: 0 Reputation
Offline
Sat, 15 Dec 2018 @ 11:46:30

freeroute said:

4-ways handshake crack - for JtR bleeding users:

Is 4-ways handshake something different to normal IEEE802.11 4-way handshake, freeroutes?


freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2495
Team:
Reputation: 8298 Reputation
Offline
Sat, 15 Dec 2018 @ 13:41:55

There is one standard for 4-way handshake in 802.11, but there are different methods of authentications.


freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2495
Team:
Reputation: 8298 Reputation
Offline
Tue, 18 Dec 2018 @ 10:17:49

Mask hcxdumptool as HP printer:


freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2495
Team:
Reputation: 8298 Reputation
Offline
Tue, 18 Dec 2018 @ 23:19:09

How-to check if WIFI-Card Supports Monitor Mode & Packet Injection


freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2495
Team:
Reputation: 8298 Reputation
Offline
Sat, 22 Dec 2018 @ 00:13:52

Convert file format "hccapx" to "cap"
https://forum.hashkiller.co.uk/topic-view.aspx?t=27300&m=197840#197840


ukris

Status: n/a
Joined: Sat, 29 Sep 2018
Posts: 29
Team:
Reputation: 0 Reputation
Offline
Sat, 22 Dec 2018 @ 07:28:10

freeroute said:

Convert file format "hccapx" to "cap"
https://forum.hashkiller.co.uk/topic-view.aspx?t=27300&m=197840#197840

A cap file fabricated this way can only contain information already included
in hccapx

The real cap file may contain other information like PMKID or Probe Response info
which are much more useful to skilled crackers than a cap generated by wlanhcx2cap


freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2495
Team:
Reputation: 8298 Reputation
Offline
Sat, 22 Dec 2018 @ 16:19:39

How-to use hashcat-brain function for slow hashes.

Command on the server side: "hashcat --brain-server --brain-host=IP --brain-port=port_number --brain-password=your_password"

Command on the client side (example): "hashcat -O --brain-client --brain-client-features=3 --brain-host=IP --brain-port=port_number --brain-password=password -m 0 -a 0 hash_file.txt dictionary.txt -r your_rule.rule"

More info can be found here and here.


freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2495
Team:
Reputation: 8298 Reputation
Offline
Fri, 11 Jan 2019 @ 20:52:38

How-to check the candidates generated by hashcat's rule file

Command: "echo 'password' | hashcat -r /usr/share/hashcat/rules/best64.rule --stdout"

Output


freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2495
Team:
Reputation: 8298 Reputation
Offline
Sun, 13 Jan 2019 @ 10:40:40

To clean a cap or pcap file, one can use tshark:

The following command reads from input.cap, removes unneeded frames and stores the result to output.pcapng

$ tshark -r input.cap -R "(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x0b || eapol)" -2 -F pcapng -w output.pcapng

$ tshark -r input.cap -R "(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x0b || eapol)" -2 -F pcap -w output.pcap

Then you can compress the output file to reduce size before uploading it to an online hash cracker.
$ gzip output.pcapng
or
$ gzip output.pcap

All "state of the art" tools (for example wireshark) and online hashcrackers will understand compressed pcapng files!


freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2495
Team:
Reputation: 8298 Reputation
Offline
4 days ago

Erase hashcat-brain memory:

remove/delete the files starting with brain.*
brain.*.admp (attack storage)
brain.*.ldmp (session storage, long time memory)


kevtheskin

Status: n/a
Joined: Wed, 21 Feb 2018
Posts: 184
Team:
Reputation: 88 Reputation
Offline
1 days ago

Hi everyone,

I don't know if this is already done, but from a noobie perspective I found it to be helpful. When I see any new passwords found on here from WPA handshakes or hashes etc., rather than copy the hash or download the hccapx to try and replicate the crack (which I usually do for practice), I realized tonight that instead of running all my wordlists against the found hash or hccapx, I used grep -r (password found already) wordlist/wlistfolder against my wordlists to see if any instance of the found password was in any of my lists. It saves wasting practice time. If it finds something near, e.g. Kevin but the password is Kevin1999, I can then try running rules for practice against the found wordlist. It only works if the password is already known LOL. Just my wee tuppence worth, might be helpful.


Cheers Kev


dipeperon

Status: n/a
Joined: Tue, 03 Apr 2018
Posts: 229
Team:
Reputation: 308 Reputation
Offline
1 days ago

kevtheskin said:

Hi everyone,

I don't know if this is already done, but from a noobie perspective I found it to be helpful. When I see any new passwords found on here from WPA handshakes or hashes etc., rather than copy the hash or download the hccapx to try and replicate the crack (which I usually do for practice), I realized tonight that instead of running all my wordlists against the found hash or hccapx, I used grep -r (password found already) wordlist/wlistfolder against my wordlists to see if any instance of the found password was in any of my lists. It saves wasting practice time. If it finds something near, e.g. Kevin but the password is Kevin1999, I can then try running rules for practice against the found wordlist. It only works if the password is already known LOL. Just my wee tuppence worth, might be helpful.


Cheers Kev

Hashcat has an stdout mode in which it dumps out password candidates to stdout for whichever password list you specify with rules applied to the candidates.

So you can make a very simple script that reads from stdin with one if statement to check if the candidate is the password you're looking for

And then just pipe hashcat's stdout to the script

Using rules on WPA seems like a crazy idea though, on slow algorithms plain wordlists are king.


My hashcat stuff (rules, scripts): https://github.com/theherp/Hashcat-stuff

