freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2619
Team:
Reputation: 8686
Offline
|
Thu, 13 Dec 2018 @ 20:33:51
Crack Edmodo hashes with hashcat

Algo: Bcrypt(md5($pass))
Type: Slow hash

Method 1 (easy way): find password by mdxfind
Already posted. Can be read here

Method 2 (complicated): find password by hashcat
The passwords are first MD5 hashed, then hashed with algo BCRYPT, then obfuscated with that string. Thus, hashcat should first be run for bcrypt, to retrieve the md5 hashes; then run for md5, to retrieve the actual, cleartext passwords.

STEP 1: We have to convert edmodo hashes to the correct format.
Listing our file content.
Command: "cat raw_edmodo_hashes.txt"
$826y4$31226$dZbD2JfjeZ3TbIe44M0zclck2O4T1l8j7Y7jfl6maZ2ecU900ObFJk9iz8iCE5AODPQx4QkiQjJOVmG
$826y4$31226$dObG2MfyeO3TbYew4M0jcgc42M4D1A837Z7Dfg60aO2.cn9n0dbLTywGnOGmVfGO2whcLYnYCPWkRrK
$826y4$31226$dYb22Uf3eY3jbEe34O0DcBcm2M4D1d8h7M7jfA65aM2.cE9B0mbHqwJJXyEQq8tuyKNaynxwrXGD65C
$826y4$31226$dMbj2RfmeM3GbJej4O0TcYc52N4W1U8y7N7mfJ6jaZ2.cN9n0Wb4XGh1Z6pprH2h7Iwm43iVzZjozB6
$826y4$31226$dYbz2NfheO3GbZem4Z0jcccy2M421Y8w7Y7zfZ6iaN2.cY9k0qbmQal.22hZvum3RuYgYbTd/xfHYgG
Remove unnecessary strings (every 2nd char until No. 64). Output hash length should be 60 chars.

solution 1: "cut -c `seq -s ',' 1 2 64`,65- raw_edmodo_hashes.txt >edmodo.txt"
$2y$12$ZDJjZTI4MzlkOTljYjlmZeU0ObFJk9iz8iCE5AODPQx4QkiQjJOVmG
$2y$12$OGMyOTYwMjg4MDA3ZDg0O.nndbLTywGnOGmVfGO2whcLYnYCPWkRrK
$2y$12$Y2U3YjE3ODBmMDdhMjA5M.EBmbHqwJJXyEQq8tuyKNaynxwrXGD65C
$2y$12$MjRmMGJjOTY5NWUyNmJjZ.NnWb4XGh1Z6pprH2h7Iwm43iVzZjozB6
$2y$12$YzNhOGZmZjcyM2YwYzZiN.YkqbmQal.22hZvum3RuYgYbTd/xfHYgG

solution 2: "cut -c 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31,33,35,37,39,41,43,45,47,49,51,53,55,57,59,61,63,65- raw_edmodo_hashes.txt >edmodo.txt"

solution 3: "cut --complement -c `seq -s ',' 2 2 64` raw_edmodo_hashes.txt >edmodo.txt"

solution 4: "cut --complement -c 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58,60,62,64 raw_edmodo_hashes.txt >edmodo.txt"

STEP 2: We have to create an md5 hashed dictionary file.
Attached a very simple bash script to do this (create_md5_hashlist_for_edmodo.sh).
Note: DIC variable should be modified according to actual dictionary name.
Command: "chmod +x create_md5_hashlist_for_edmodo.sh"
Run this script to create md5 hashed list (script file and plain text dictionary file should be in the same dir):
Command: "./create_md5_hashlist_for_edmodo.sh"
It will create an md5 hashed dictionary file (if DIC="best15.txt", output will be "md5_best15.txt").
STEP 3: We can run hashcat (hashcat mode: 3200). Dictionary should be the md5 hashed dic.
Sample command: "hashcat -O -m 3200 -a 0 edmodo.txt md5_best15.txt --outfile=found_md5_hashes"

STEP 4: We have to run hashcat with the found md5 hash to find the plain text password.
Sample command: "hashcat -O -m 0 -a 0 found_md5_hashes best15.txt"

Background:
Online education platform Edmodo confirmed in 2017 it was hacked and personal information from 77 million users — students, parents and teachers — was accessed. In a letter sent to affected users, Edmodo confirmed that user names, email addresses and hashed passwords were acquired by the hacker from the “No. 1 K-12 social learning network in the world.” The passwords were hashed — a function that converts standard passwords into strings of random characters — using an encryption algorithm known as bcrypt. The passwords were also salted, which adds additional random data to a hash to make it harder to decipher. Because of these encryption protections, Edmodo said it believes none of the stolen passwords have been compromised. However, it is advising users to change their passwords as soon as possible.
https://motherboard.vice.com/en_us/article/ezjbwe/hacker-steals-millions-of-user-account-details-from-education-platform-edmodo
If I helped a +rep is appreciated! : 13hDMK85KhVnPb2eTFBacHD6kDjKYFLudb XMPP: freeroute@xmpp.jp General rules | Paid section rules
|
freeroute
Sat, 15 Dec 2018 @ 11:07:27
4-way handshake crack - for JtR bleeding users:
1. run hcxdumptool to get pcapng
2. run hcxpcaptool to convert output to JtR format
3. now run JtR
Command: "./john test.john -format:wpapsk-opencl -dev:gpu -single:all"
These are new functions in the latest git push. Using these options, JtR will run hcxpsktool functions inside JtR on all hashes in the hashfile. This is done on GPU and is extremely fast.
|
freeroute
Sat, 22 Dec 2018 @ 16:19:39
How to use the hashcat-brain function for slow hashes.

Command on the server side:
"hashcat --brain-server --brain-host=IP --brain-port=port_number --brain-password=your_password"

Command on the client side (example):
"hashcat -O --brain-client --brain-client-features=3 --brain-host=IP --brain-port=port_number --brain-password=password -m 0 -a 0 hash_file.txt dictionary.txt -r your_rule.rule"

More info can be found here and here.
|
freeroute
Sun, 13 Jan 2019 @ 10:40:40
To clean a cap or pcap file, one can use tshark. The following command reads from input.cap, removes unneeded frames and stores the result to output.pcapng:

$ tshark -r input.cap -R "(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x0b || eapol)" -2 -F pcapng -w output.pcapng

$ tshark -r input.cap -R "(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x0b || eapol)" -2 -F pcap -w output.pcap

Then you can compress the output file to reduce size before uploading it to an online hash cracker.

$ gzip output.pcapng
or
$ gzip output.pcap

All "state of the art" tools (for example wireshark) and online hashcrackers will understand compressed pcapng files!
|
dipeperon
Status: n/a
Joined: Tue, 03 Apr 2018
Posts: 284
Team:
Reputation: 380
Offline
|
Tue, 22 Jan 2019 @ 00:39:48
kevtheskin said: Hi everyone, I don't know if this is already done but from a noobie perspective I found it to be helpful. When I see any new passwords found on here from wpa handshake or hashes etc rather than copy the hash or download the hccapx to try and replicate the crack (which I usually do for practice). I realized tonight that instead of running all my wordlist against the found hash or hccapx, I used the grep -r (password found already) wordlist/wlistfolder against my wordlist to see if any instance of the found password was in any of my lists. It saves wasting practice time. If it finds something near like eg Kevin but password is Kevin1999 I can then try running rules for practice against the found wordlist. It only works if the password is already known already LOL. Just my wee tuppence worth, might be helpful. Cheers Kev
Hashcat has an stdout mode in which it dumps out password candidates to stdout for whichever password list you specify with rules applied to the candidates. So you can make a very simple script that reads from stdin with one if statement to check if the candidate is the password you're looking for. And then just pipe hashcat's stdout to the script. Using rules on WPA seems like a crazy idea though, on slow algorithms plain wordlists are king.
My hashcat stuff (rules, scripts): https://github.com/theherp/Hashcat-stuff BTC: 3C2h4xscGRq7XfZLicoVjRVkYrqqJ1Urc5
|
kevtheskin
Status: n/a
Joined: Wed, 21 Feb 2018
Posts: 217
Team:
Reputation: 88
Offline
|
Wed, 23 Jan 2019 @ 20:03:33
dipeperon said: Hashcat has an stdout mode in which it dumps out password candidates to stdout for whichever password list you specify with rules applied to the candidates. So you can make a very simple script that reads from stdin with one if statement to check if the candidate is the password you're looking for. And then just pipe hashcat's stdout to the script. Using rules on WPA seems like a crazy idea though, on slow algorithms plain wordlists are king.
Hi dipeperon, can you give an example please on how to do the stdout? Cheers Kev
|
dipeperon
Wed, 23 Jan 2019 @ 22:18:50
kevtheskin said: Hi dipeperon, can you give an example please on how to do the stdout? Cheers Kev
hashcat64.exe --stdout wordlist.txt -r rules/best64.rule
|
freeroute
Thu, 07 Feb 2019 @ 17:24:11
Check example hash-types, modes with hashcat
Command: "hashcat --example-hashes"
Output:
....
MODE: 17900
TYPE: Keccak-384
HASH: 5804b7ada5806ba79540100e9a7ef493654ff2a21d94d4f2ce4bf69abda5d94bf03701fe9525a15dfdc625bfbd769701
PASS: hashcat

MODE: 18000
TYPE: Keccak-512
HASH: 2fbf5c9080f0a704de2e915ba8fdae6ab00bbc026b2c1c8fa07da1239381c6b7f4dfd399bf9652500da723694a4c719587dd0219cb30eabe61210a8ae4dc0b03
PASS: hashcat

MODE: 18100
TYPE: TOTP (HMAC-SHA1)
HASH: 597056:3600
PASS: hashcat
....
|
dipeperon
8 days ago
Removing counts from a standard frequency analysis (format count:string) is very easy with regex.
Regex: ^\d+:
Replace with an empty string; this can be done with Notepad++ or ULM.
|
freeroute
5 days ago
Separate mail and password fields with sed.
Format: email:password/line
What characters are allowed in an email address?

"cat email_pass.txt"
manishvasava27@gmail.com:password123
sarbani.bose@techmahindra.com:pass:?$
mit?esh@nascentinfo.net:123**!
mits.tandel@gmail.com:Password123*$?!+
test@co.uk:Password123>É

Split mail field (field 1):
"sed -r "s/^([a-zA-Z0-9%&'*+-/=?^_\`{|}~]+@[a-zA-Z0-9.]+\w{2,6}):(.*)/\1/" email_pass.txt"
manishvasava27@gmail.com
sarbani.bose@techmahindra.com
mit?esh@nascentinfo.net
mits.tandel@gmail.com
test@co.uk

Split password field (field 2):
"sed -r "s/^([a-zA-Z0-9%&'*+-/=?^_\`{|}~]+@[a-zA-Z0-9.]+\w{2,6}):(.*)/\2/" email_pass.txt"
password123
pass:?$
123**!
Password123*$?!+
Password123>É

Code: https://paste.hashkiller.co.uk/Gl6YVq9f