I wrote a password cracking manual
Password cracking has always been this niche activity during a routine pentest. You collect some hashes, fire up John The Ripper or Hashcat, and use default settings with rules and some lame dictionary you pulled off the internet and hit <enter>. You recover a fair amount of the passwords but fail to make any real breakthroughs. After digging through forums and blog posts looking for tool usage, password analysis, and examples, you apply some new trick only to forget it by the next pentest. After falling victim to this vicious cycle, I decided to write a password cracking manual, HASH CRACK. I've also created a dedicated site to announce its availability and release future versions at hashcrack.io.
Inspired by the Red Team Field Manual (RTFM) and its concise format, I set about researching and compiling the most common tools and their usage. The manual is broken into sections to help both beginner and advanced security professionals use the tools and understand the hash cracking process. It is stripped of all the fluff and cuts right to the point, with a simple sentence or two about each command and a corresponding usage example.
Also included is a chapter called "Common Hash Examples", which lists the 25 most frequent hash types encountered during a pentest, with examples in Hashcat and JTR. It is no-nonsense and straight to the point, to aid a security professional on the spot.
Chapter Topics Covered
Core Hash Cracking Knowledge
Basic Cracking Playbook
-John The Ripper
-Terminal Command Cheat Sheet
-File Manipulation Cheat Sheet
-System Hash Extraction (Windows, *Nix, and Mac)
-PCAP Hash Extraction
-Database Hash Extraction
-Misc Hash Extraction (Documents, browser, etc...)
-Examples Hashes & Passwords
Dictionary / Wordlist
Rules & Masks
-Rule Attack Creation
-Mask Cheat Sheet
-Mask Attack Creation
Foreign Character Sets
-(UTF8) Arabic, Bengali, Chinese, Japanese, Russian
-Hashcat and JTR built-in charsets
Common Hash Examples
-MD5, NTLM, NTLMv2, LM, MD5crypt, SHA1, SHA256, bcrypt, PDF 1.4 - 1.6 (Acrobat 5-8), Microsoft OFFICE 2013, RAR3-HP, Winzip, 7zip, Bitcoin/Litecoin, MAC OSX v10.5-v10.6, MySQL 4.1-5+, Postgres, MSSQL(2012)-MSSQL(2014), Oracle 11g, Cisco TYPE 4 5 8 9, WPA PSK / WPA2 PSK
-John The Ripper Menu
-Hash Cracking Benchmarks (table)
-Hash Cracking Speed (table)
A few of the tools/resources covered in the HASH CRACK manual are Hashcat, John The Ripper, PACK (Password Analysis and Cracking Kit), PIPAL, PassPat, Creddump, Mimikatz, Pcredz, Aircrack-ng, Weakpass, Crackstation, and more. Updates and additions to the manual are planned for future chapters and sections, based on customer feedback and geared towards assisting the network security professional. Also, for some password cracking swag, head on over to hashcrack.io to check out the latest Limited Edition T-Shirt.
Give Back To The Cracking Community
I highly encourage you to DONATE to the dedicated contributing members of the cracking community, and in that same vein a portion of the proceeds from the sale of this manual will be given to the various projects and researchers. So in the future when you see a donate button, click and give what you can.
Lastly, if you are a developer of one of the tools or online resources covered in the manual, reach out to me on Twitter @netmux and I'll mail you a free copy. Because without you and your contributions to the community we would be stuck hacking together some pathetic piece of code, praying to eke out 100 c/s against MD4. And don't forget to check out the companion site hashcrack.io for future updates and versions.