... through a simple example of how this process works
Given a hashed password $2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom
, we have only one hint: the password has four letters, all lowercase.
Let's start: finding the hash type
There are a lot of hashes out there. A good way to start guessing is to look at the hashed pass and try to find some kind of pattern. Here, the key is the first 4 characters of the hash.
There is a page where you can look at example hashes: https://hashcat.net/wiki/doku.php?id=example_hashes
Noticed something? We are looking for the bcrypt $2*$, Blowfish (Unix). Our $2y$
matches this pattern. So we are looking for a bcrypt hash. We also can grasp that the hash was generated using a factor of 12 (it is the number that comes after the first four characters).
Let's crack!
First, it is important to know how the process works. Hashing is a process essentially different from encryption - you can only do it once. It means that we cannot really recover the plaintext of a hashed password; instead, we can only compare its hash with our guesses. So, it's like hashing several words and seeing which of them matches exaclty our hash. Then, it must be the password.
We can automatize this process with two tools: hashcat
and a dictionary of potential passwords. This kind of dictionary is easy to find on internet, so we are going to use rock you.
Ok, so our dictionary is very large and checking for each password, one by one, would be an expensive operation. But we already know how our password looks like, right? (four letters, all lowercase).
So, let's filter our dictionary a little bit by creating a file containing all the passwords that match our condition:
grep -x -E '[a-z][^0-9]{4}' rockyou.txt > candidates.txt
Here we are using grep
along with a regex expression to filter our potential passwords to only four-letters words without digits. The -x flag applies this expression to the whole line (our file contains one password per line), whereas the -E flag is needed because we are using an extended expression (due to the {4}
part).
Now, we are ready to crack it with hashcat:
hashcat -a 0 -m 3200 pass.txt candidates.txt --force
Here, the code 3200 stands for the bcrypt
hash, and our hashed pass is stored in pass.txt whereas the potential passwords are stored in candidates.txt.
After a few seconds (depending on your computer), we have the result:
$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom:bleh
Where the "bleh" is the password we were looking for.
In sum: use a password manager :)
Top comments (1)
why you known the password has 4 letters