Backtrack 5R1 - note if using R1 you can install hashcat-gui (Installed in R2 onwards by default)
apt-get install hashcat-gui
location after /pentest/passwords/hashcat-gui
--------------------------------------------
To test create some local accounts on a WIN 7 VM.
net user (username) (password) /ADD
Below are the ones used to test. Passwords used were from /opt/framework/msf3/data/wordlists/unix_passwords.txt
net user test1 password1 /ADD
net user test2 soccer /ADD
net user test3 anthony /ADD
net user test4 friends /ADD
net user test5 butterfly /ADD
net user test6 purple /ADD
net user test7 angel /ADD
net user test8 jordan /ADD
net user test9 liverpool /ADD
net user test10 justin /ADD
net user test11 loveme /ADD
net user test12 123123 /ADD
net user test13 football /ADD
net user test14 secret /ADD
net user test15 andrea /ADD
net user test16 carlos /ADD
net user test17 jennifer /ADD
--------------------------------------------
Exploited WIN 7 VM
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
test1:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
test10:1012:aad3b435b51404eeaad3b435b51404ee:eac8ec95b0ab5750ba3e562997d3665c:::
test11:1013:aad3b435b51404eeaad3b435b51404ee:70f4336a5fa36ed605e0fba55009cba8:::
test12:1014:aad3b435b51404eeaad3b435b51404ee:579110c49145015c47ecd267657d3174:::
test13:1015:aad3b435b51404eeaad3b435b51404ee:31fc0dc8f7dfad0e8bd7ccc3842f2ce9:::
test14:1016:aad3b435b51404eeaad3b435b51404ee:878d8014606cda29677a44efa1353fc7:::
test15:1017:aad3b435b51404eeaad3b435b51404ee:5bed09cd516a9c87226f086d230daf2b:::
test16:1018:aad3b435b51404eeaad3b435b51404ee:092037a5d6e35b381a2fdfa8d179bddc:::
test17:1019:aad3b435b51404eeaad3b435b51404ee:bf1e7d0739f270a842463d7a211bd5b8:::
test2:1004:aad3b435b51404eeaad3b435b51404ee:bf4c3092a586df1a9137a4f5737bdc94:::
test3:1005:aad3b435b51404eeaad3b435b51404ee:9a887a333e06e267746cc40ecd0ee3b8:::
test4:1006:aad3b435b51404eeaad3b435b51404ee:e3579aac72e00bb5907c37438439bacf:::
test5:1007:aad3b435b51404eeaad3b435b51404ee:f3fe9e6330783d307510cc18645b1d0f:::
test6:1008:aad3b435b51404eeaad3b435b51404ee:84440338f26bf725be78c015f7d62c88:::
test7:1009:aad3b435b51404eeaad3b435b51404ee:fdb9e98ac7c2d034176bf3f89685206a:::
test8:1010:aad3b435b51404eeaad3b435b51404ee:dd555241a4321657e8b827a40b67dd4a:::
test9:1011:aad3b435b51404eeaad3b435b51404ee:56209099eb67cfbd62ff46809c77b5f4:::
--------------------------------------------
1. Open Gedit and copy hash into it then save. Note - Strip the 1st part of the hash off as You only require the second hash (NTLM hash)
example test9:1011:aad3b435b51404eeaad3b435b51404ee:56209099eb67cfbd62ff46809c77b5f4::: strip all off apart from 56209099eb67cfbd62ff46809c77b5f4
Hash files used for test below,
31d6cfe0d16ae931b73c59d7e0c089c0
31d6cfe0d16ae931b73c59d7e0c089c0
28ade0fabbcde5ec4f8142b51507a65e
8846f7eaee8fb117ad06bdd830b7586c
8846f7eaee8fb117ad06bdd830b7586c
eac8ec95b0ab5750ba3e562997d3665c
70f4336a5fa36ed605e0fba55009cba8
579110c49145015c47ecd267657d3174
31fc0dc8f7dfad0e8bd7ccc3842f2ce9
878d8014606cda29677a44efa1353fc7
5bed09cd516a9c87226f086d230daf2b
092037a5d6e35b381a2fdfa8d179bddc
bf1e7d0739f270a842463d7a211bd5b8
bf4c3092a586df1a9137a4f5737bdc94
9a887a333e06e267746cc40ecd0ee3b8
e3579aac72e00bb5907c37438439bacf
f3fe9e6330783d307510cc18645b1d0f
84440338f26bf725be78c015f7d62c88
fdb9e98ac7c2d034176bf3f89685206a
dd555241a4321657e8b827a40b67dd4a
56209099eb67cfbd62ff46809c77b5f4
----------------------------------------
hashcat options
root@bt:/pentest/passwords/hashcat# ./hashcat-cli32.bin -h
hashcat, advanced password recovery
Usage: ./hashcat-cli32.bin [options] hashfile [wordfiles|directories]
Startup:
-V, --version print version
-h, --help print help
--eula print eula
Logging and Files:
--remove enable remove of hash from hashlist once it is cracked
--quiet suppress output
--stdout stdout mode
--disable-potfile do not write potfile
-r, --rules-file=FILE rules-file for hybrid-attack
-o, --output-file=FILE output-file for recovered hashes
--output-format=NUM 0 = hash:pass
1 = hash:hex_pass
2 = hash:pass:hex_pass
-e, --salt-file=FILE salts-file for unsalted hashlists
--debug-file=FILE debug-file
--debug-mode=NUM 1 = save finding rule (hybrid only)
2 = save original word (hybrid only)
-p, --seperator-char=CHAR seperator-char for hashlists
Resources:
-n, --threads=NUM number of threads
-c, --segment-size=NUM number of mb to cache from wordfile
-s, --words-skip=NUM skip number of words (for resume)
-l, --words-limit=NUM limit number of words (for distributed)
Attacks:
-g, --generate-rules=NUM number of self-generating rules
--generate-rules-func-min=NUM force number of functions per rule min
--generate-rules-func-max=NUM force number of functions per rule max
-a, --attack-mode=NUM number of attack-mode
0 = Straight *
1 = Combination *
2 = Toggle-Case
3 = Brute-Force
4 = Permutation
5 = Table-Lookup
* = for Hybrid-Attack use -r or -g
-m, --hash-mode=NUM number of hash-mode
0 = MD5 200 = MySQL
1 = md5($pass.$salt) 300 = MySQL4.1/MySQL5
2 = md5($salt.$pass) 400 = MD5(WordPress)
3 = md5(md5($pass)) 400 = MD5(phpBB3)
4 = md5(md5(md5($pass))) 500 = MD5(Unix)
5 = vBulletin v3.8.5
30 = md5($username.0.$pass)
31 = md5(strtoupper(md5($pass)))
100 = SHA1 1400 = SHA256
101 = sha1($pass.$salt) 1600 = MD5(APR)
102 = sha1($salt.$pass) 1700 = SHA512
103 = sha1(sha1($pass)) 1800 = SHA-512(Unix)
104 = sha1(sha1(sha1($pass)))
105 = sha1(strtolower($username).$pass)
Toggle-Case specific:
--toggle-min=NUM number of alphas in dictionary minimum
--toggle-max=NUM number of alphas in dictionary maximum
Brute-Force specific:
--bf-pw-min=NUM password length minimum
--bf-pw-max=NUM password length maximum
--bf-cs-buf=CHARS charset for attack
Permutation specific:
--perm-min=NUM number of chars in dictionary minimum
--perm-max=NUM number of chars in dictionary maximum
Table-Lookup specific:
-t, --table-file=FILE table file
--table-min=NUM number of chars in dictionary minimum
--table-max=NUM number of chars in dictionary maximum
----------------------------------------
Testing the created accounts hash dumps
root@bt:/pentest/passwords/hashcat#
./hashcat-cli32.bin --hash-mode 1000 /root/hash /opt/framework/msf3/data/wordlists/unix_passwords.txt
Initializing hashcat v0.38 by atom with 8 threads and 32mb segment-size...
NOTE: press enter for status-screen
Added hashes from file /root/Hash/hash: 21 (1 salts)
31d6cfe0d16ae931b73c59d7e0c089c0:
8846f7eaee8fb117ad06bdd830b7586c:password
bf4c3092a586df1a9137a4f5737bdc94:soccer
9a887a333e06e267746cc40ecd0ee3b8:anthony
e3579aac72e00bb5907c37438439bacf:friends
f3fe9e6330783d307510cc18645b1d0f:butterfly
84440338f26bf725be78c015f7d62c88:purple
fdb9e98ac7c2d034176bf3f89685206a:angel
dd555241a4321657e8b827a40b67dd4a:jordan
56209099eb67cfbd62ff46809c77b5f4:liverpool
eac8ec95b0ab5750ba3e562997d3665c:justin
70f4336a5fa36ed605e0fba55009cba8:loveme
579110c49145015c47ecd267657d3174:123123
31fc0dc8f7dfad0e8bd7ccc3842f2ce9:football
878d8014606cda29677a44efa1353fc7:secret
5bed09cd516a9c87226f086d230daf2b:andrea
092037a5d6e35b381a2fdfa8d179bddc:carlos
bf1e7d0739f270a842463d7a211bd5b8:jennifer
Wordlist..: /opt/framework/msf3/data/wordlists/unix_passwords.txt
Index.....: 1/1 (segment), 1000 (words), 7786 (bytes)
Recovered.: 18/21 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1000/1000 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--
Started: Fri Sep 14 13:54:54 2012
Stopped: Fri Sep 14 13:54:55 2012
----------------------------------------
next to each hash you can now see the password
878d8014606cda29677a44efa1353fc7:secret
----------------------------------------
To use gui
root@bt:/pentest/passwords/hashcat-gui# ./hashcat-gui32.bin
myexploit 