Hi my fellow hackers!
Today I will teach you how hashes are made and how you can identify and crack them.
Leaked hashes can sometimes be hard to identify and and even harder to crack
in this tutorial I will teach you to to do both with some awesome tools
Identifying Hash Algorithm
Before we start discussing about hash identification I want to tell you something real quick,
Hexadecimal Numbers: 0,1,2,3,4,5,6,7,8,9, a,b,c,d,e,f are called hexadecimal characters. To know more about hexadecimal numbers,read this WikiPedia entry.
Each hexadecimal number represent 4 bits. Now for example, the string "a26fe" contains 5 Hexadecimal characters so I can say its a 4 x 5 = 20 bit string. Easy? Great.
Now take a look at this hash, 5187942d399d4ed244068db70a11319e
It contains only hexadecimal numbers right? The number of characters in this hash is 32.
Hence the length of the hash in bits can be calculated as, 32 x 4 = 128 bits
Now here is a nice and list of bit-lengths of different hash types:
MD2 128 bits
MD4 128 bits
MD5 128 bits
MD6 Up to 512 bits
RIPEMD-128 128 bits
RIPEMD-160 160 bits
RIPEMD-320 320 bits
SHA-1 160 bits
SHA-224 224 bits
SHA-256 256 bits
SHA-384 384 bits
SHA-512 512 bits
SHA-3 (originally known as Keccak) arbitrary
Tiger 192 bits
Whirlpool 512 bits
Hmmm, so the bit-length of our target hash is 128 bits and according the table above, it can be any of these four hashes:
MD2 (Designed in 1989)
MD4 (Designed in 1990)
MD5 (Designed in 1991)
RIPEMD-128 (Designed in 2004)
As you can see, MD5 is the newest 128 bit-length hash in MD Category so no one uses MD2 and MD4 now-a-days. So we can guess that its an MD5 or a RIPEMD-128.
Now ask yourself, which program generated this hash? Well in my case, I got this hash from an MySQL database while performing SQL Injection.
Now your experience and knowledge comes into play, I know that MySQL database management system usually store passwords as MD5 hashes so I know its an MD5 and not a RIPEMD-128. Windows use NTLM hashing algorithm, Linux use MD5, SHA-256 or SHA-512, Blowfish etc., Maria DBMS uses MD5 or SHA-1.
So here's the conclusion:
Find the bit-length of the hash and write down possible hash types
Use your common sense to make an educated guess
But if you are lazy then you can just use this website to make guesses for you. Or if you want something better then you can use a program named "Hash-identifier".
Linux users can install it via the following command in the terminal
apt-get install hash-identifier
Using hash-identifier is a piece of cake. Run it and enter your hash and it makes really good guesses for you.
If you are a windows user (unfortunately), then you can download it from its github mirror.
One of my favorite tools that I use to crack hashes is named Findmyhash.
Hash cracking tools generally use brute forcing or hash tables and rainbow tables. But these methods are resource hungry. There are some websites like https://www.crackstation.net and https://www.hashkiller.co.uk which have huge database of hashes and you can check if your target hashes exists in their database or not. Well you should really try to crack your hashes there because doing so is easy and fast.
FindMyHash is a python script which takes your target hashes and checks 40 different hash cracking website for results. So all you have to do is to submit your hash and sit back instead of checking these sites one by one.
If you are using Linux, run the following command in terminal
apt-get install findmyhash
You can also download findmyhash.py from github
I hope now you are all set to run it.
"Cracking" Hashes With FindMyHash
findmyhash <algorithm> -h <hash>
Where algorithm represents the hash algorithm like MD5, SHA-2, Tiger etc. and hash represents the hash you want to crack.
So like I want to crack this MD5 hash —> 827ccb0eea8a706c4c34a16891f84e7b
I will simply enter
findmyhash MD5 -h 827ccb0eea8a706c4c34a16891f84e7b
and it will start looking into databases of different website.
And here we go, here is the cracked hash
Pretty simple right?
You can also use the following command
findmyhash MD5 -h 827ccb0eea8a706c4c34a16891f84e7b -g
You see that -g option at the end? It represents Google. So if these 40 website fail to crack the hash, FindMyHash does the last attempt by searching the hash on Google and tells you if it finds any useful result.
FindMyHash supports the following hash algorithms:
MD4 – RFC 1320
MD5 – RFC 1321
SHA1 – RFC 3174 (FIPS 180-3)
SHA224 – RFC 3874 (FIPS 180-3)
SHA256 – FIPS 180-3
SHA384 – FIPS 180-3
SHA512 – FIPS 180-3
RMD160 – RFC 2857
GOST – RFC 5831
WHIRLPOOL – ISO/IEC 10118-3:2004
LM – Microsoft Windows hash
NTLM – Microsoft Windows hash
MYSQL – MySQL 3, 4, 5 hash
CISCO7 – Cisco IOS type 7 encrypted passwords
JUNIPER – Juniper Networks $9$ encrypted passwords
LDAP_MD5 – MD5 Base64 encoded
LDAP_SHA1 – SHA1 Base64 encoded
For more usages examples you can enter findmyhash -h in terminal.
So can you trust FindMyHash for all your hash cracking needs? No.
Is it worth trying before trying to crack it with a program like HashCat? Yes.
Note: FindMyhash only uses the websites which permit to do so. So you should give sites like hashkiller or crackstation a try too as they are not included in FindMyHash.
That's all for now. Happy Cracking!