1
00:00:06,330 --> 00:00:08,430
- So now that we've used password cracking

2
00:00:08,430 --> 00:00:09,263
with John the Ripper,

3
00:00:09,263 --> 00:00:12,180
let's check out password cracking with Hashcat.

4
00:00:12,180 --> 00:00:14,440
With Hashcat we're gonna use our GPU.

5
00:00:14,440 --> 00:00:17,673
So you'll see how password cracking is much faster.

6
00:00:17,673 --> 00:00:21,280
Hashcat is nice because it has GPU support.

7
00:00:21,280 --> 00:00:23,380
It also recently became open source,

8
00:00:23,380 --> 00:00:25,160
so you can look at the code.

9
00:00:25,160 --> 00:00:29,430
And it supports more than 2000 hashing algorithms.

10
00:00:29,430 --> 00:00:31,270
We'll take a quick look at

11
00:00:31,270 --> 00:00:33,913
some of the hashing algorithms that it supports.

12
00:00:35,820 --> 00:00:40,523
So if you just type Hashcat, executable, and help,

13
00:00:41,900 --> 00:00:43,463
it'll show the help menu.

14
00:00:45,010 --> 00:00:49,080
You can see we can crack using word lists or brute force.

15
00:00:49,080 --> 00:00:51,713
We're gonna show both in this example.

16
00:00:53,429 --> 00:00:55,630
You can see you can choose the attack mode.

17
00:00:55,630 --> 00:00:57,010
That's where we're gonna choose

18
00:00:57,010 --> 00:01:00,033
whether it's a brute force or a word list.

19
00:01:02,666 --> 00:01:04,680
There's a variety of formats

20
00:01:04,680 --> 00:01:06,650
that Hashcat can crack.

21
00:01:06,650 --> 00:01:09,140
Really over 200 different types of hashes.

22
00:01:09,140 --> 00:01:12,530
So you can see there's Citrix, there's Cisco.

23
00:01:12,530 --> 00:01:15,576
The LM and NT, right there,

24
00:01:15,576 --> 00:01:17,530
are the ones we're gonna concentrate on.

25
00:01:17,530 --> 00:01:21,730
So we're gonna have to use the 3000 flag for LM

26
00:01:23,170 --> 00:01:26,253
and the 1000 option for NTLM.

27
00:01:28,503 --> 00:01:30,950
But you can see there are a large number

28
00:01:30,950 --> 00:01:34,423
of hash types that Hashcat can actually crack.

29
00:01:37,940 --> 00:01:41,150
There are, in addition to the different hashes,

30
00:01:41,150 --> 00:01:44,700
there are a lot of different flags that you can use

31
00:01:45,580 --> 00:01:47,050
for different activities on here.

32
00:01:47,050 --> 00:01:50,390
So the -m is where we're gonna actually pick the hash type.

33
00:01:50,390 --> 00:01:54,500
So we're gonna use the -m 1000

34
00:01:54,500 --> 00:01:57,453
or -m 3000 for LM or NT.

35
00:01:59,130 --> 00:02:02,090
Attack mode, we're gonna show if it's,

36
00:02:02,090 --> 00:02:05,633
we're gonna use a 3 for the brute force attack.

37
00:02:06,890 --> 00:02:10,683
You can restore a session that has been stopped.

38
00:02:11,690 --> 00:02:14,100
You can also use a --show

39
00:02:14,100 --> 00:02:16,050
similar to John the Ripper.

40
00:02:16,050 --> 00:02:18,710
So you can actually show passwords that have been cracked.

41
00:02:18,710 --> 00:02:21,660
You can pick the POT file path

42
00:02:21,660 --> 00:02:25,583
where it shows where all your cracked passwords are.

43
00:02:26,710 --> 00:02:30,580
You can use the --username to actually show the user names

44
00:02:30,580 --> 00:02:32,570
when you're cracking.

45
00:02:32,570 --> 00:02:33,770
Or you can just leave them out,

46
00:02:33,770 --> 00:02:35,943
so it'll just focus on the hashes.

47
00:02:38,790 --> 00:02:40,883
So let's see how this works.

48
00:02:42,330 --> 00:02:45,180
We're gonna look at the password list.

49
00:02:45,180 --> 00:02:47,530
It's the same list we used for John the Ripper.

50
00:02:49,520 --> 00:02:53,270
It has both the LM and the NT hash there.

51
00:02:53,270 --> 00:02:55,380
First, the LM, then the NT hash.

52
00:02:55,380 --> 00:02:56,403
Shows both of them,

53
00:02:57,520 --> 00:02:59,293
which is standard within Windows.

54
00:03:00,960 --> 00:03:02,190
You run the executable.

55
00:03:02,190 --> 00:03:04,670
We're gonna choose our POT file,

56
00:03:04,670 --> 00:03:06,770
where we're gonna store all the passwords.

57
00:03:07,750 --> 00:03:09,430
We're just gonna put it in the file called

58
00:03:09,430 --> 00:03:11,423
cracked_passwords.pot.

59
00:03:13,150 --> 00:03:16,020
We're gonna use the -m 3000

60
00:03:18,240 --> 00:03:20,420
and then -a 3 for brute force.

61
00:03:20,420 --> 00:03:23,713
So we're gonna brute force the LM hashes.

62
00:03:24,600 --> 00:03:27,885
If you use ?a?a

63
00:03:27,885 --> 00:03:31,820
that means we wanna brute force all two-character passwords.

64
00:03:31,820 --> 00:03:34,250
If we don't use the ?a's at all,

65
00:03:34,250 --> 00:03:36,420
then it's just brute forcing every combination

66
00:03:36,420 --> 00:03:40,220
from one character all the way up to

67
00:03:40,220 --> 00:03:42,480
as many characters as you can.

68
00:03:42,480 --> 00:03:44,730
So three a's with question marks,

69
00:03:44,730 --> 00:03:47,930
those are three-character passwords that you're gonna crack.

70
00:03:47,930 --> 00:03:50,270
We're gonna leave those off for right now, though.

71
00:03:50,270 --> 00:03:52,023
And just crack every possibility.

72
00:03:54,610 --> 00:03:56,050
As you can see it's cracking

73
00:03:56,050 --> 00:03:58,920
and really quickly it cracked all one-character,

74
00:03:58,920 --> 00:04:01,340
two-character, three-character passwords.

75
00:04:01,340 --> 00:04:04,253
Now, we see we're on four-character passwords.

76
00:04:05,360 --> 00:04:06,393
It's cracking.

77
00:04:07,290 --> 00:04:09,563
So Hashcat is incredibly fast.

78
00:04:10,810 --> 00:04:13,450
You see, now it's on five-character passwords.

79
00:04:13,450 --> 00:04:15,360
It's already cracked all

80
00:04:15,360 --> 00:04:19,093
one-character through four-character passwords.

81
00:04:20,920 --> 00:04:23,370
And it has gone through every single combination.

82
00:04:23,370 --> 00:04:24,550
You could see that it's

83
00:04:24,550 --> 00:04:26,853
cracking six-character passwords now.

84
00:04:28,380 --> 00:04:31,270
And expects to be done with six-character passwords

85
00:04:31,270 --> 00:04:32,763
in 16 seconds.

86
00:04:37,310 --> 00:04:39,510
And you can see all the passwords it's cracking.

87
00:04:39,510 --> 00:04:42,580
It appears on the screen once it finishes cracking those.

88
00:04:42,580 --> 00:04:46,160
Remember LM hashes are only seven characters

89
00:04:46,160 --> 00:04:47,300
for each side of it.

90
00:04:47,300 --> 00:04:51,080
So it estimates it'll crack all these passwords

91
00:04:51,080 --> 00:04:52,933
within 11 minutes.

92
00:04:55,360 --> 00:04:58,170
It's quickly going through the seven-character passwords.

93
00:04:58,170 --> 00:05:02,140
You can hit a button at any time to check the status.

94
00:05:02,140 --> 00:05:03,403
You can hit the S button.

95
00:05:04,600 --> 00:05:07,010
Or you can pause it if you'd like, also.

96
00:05:07,010 --> 00:05:09,017
So we're just gonna quit for now.

97
00:05:09,017 --> 00:05:10,330
So, we get the idea.

98
00:05:10,330 --> 00:05:15,330
It would've cracked all the LM passwords within 10 minutes.

99
00:05:15,570 --> 00:05:16,930
So let's show the passwords.

100
00:05:16,930 --> 00:05:20,190
If you use the --show flag,

101
00:05:20,190 --> 00:05:22,050
you can actually show all the passwords

102
00:05:22,050 --> 00:05:24,520
that it's cracked so far.

103
00:05:24,520 --> 00:05:27,550
And you can see, it actually shows all the hashes

104
00:05:27,550 --> 00:05:30,620
with the associated passwords.

105
00:05:30,620 --> 00:05:32,940
You can see that since it's an LM hash

106
00:05:32,940 --> 00:05:35,400
it splits the password into two.

107
00:05:35,400 --> 00:05:39,130
So you'll see some with the brackets not found

108
00:05:39,130 --> 00:05:42,140
'cause it hasn't cracked that part of the password yet.

109
00:05:42,140 --> 00:05:43,990
So at the very bottom

110
00:05:43,990 --> 00:05:47,423
you can see the first half not found then ME2016.

111
00:05:51,850 --> 00:05:55,050
So if we do the --username,

112
00:05:55,050 --> 00:05:59,133
it'll put the usernames with the associated passwords.

113
00:06:01,730 --> 00:06:04,520
So it is the same idea if we are going to crack

114
00:06:04,520 --> 00:06:06,560
the NT passwords.

115
00:06:06,560 --> 00:06:08,940
We're changing 3000 to 1000,

116
00:06:08,940 --> 00:06:12,713
and now it's cracking NT passwords using brute force.

117
00:06:13,550 --> 00:06:17,020
So the NT passwords are not all uppercase,

118
00:06:17,020 --> 00:06:19,010
they're upper and lowercase.

119
00:06:19,010 --> 00:06:24,010
So we can quickly see how it's cracking those passwords.

120
00:06:24,470 --> 00:06:26,930
It cracked one through five-character passwords

121
00:06:26,930 --> 00:06:27,810
really quickly.

122
00:06:27,810 --> 00:06:30,680
Now it's on seven-character passwords.

123
00:06:30,680 --> 00:06:32,680
And with NT hashes

124
00:06:32,680 --> 00:06:35,910
they can be many more characters than this.

125
00:06:35,910 --> 00:06:37,880
So, you see that right here,

126
00:06:37,880 --> 00:06:40,810
it says it'll finish cracking all seven-character passwords

127
00:06:40,810 --> 00:06:42,520
within four minutes.

128
00:06:42,520 --> 00:06:46,053
And now let's see all the passwords using the show.

129
00:06:47,370 --> 00:06:50,600
And you can see the individuals with the NT hash

130
00:06:50,600 --> 00:06:54,143
and their NT password.

131
00:06:54,143 --> 00:06:56,159
Let's try a dictionary attack.

132
00:06:56,159 --> 00:07:00,263
We're gonna use the RockYou password file.

133
00:07:01,330 --> 00:07:05,500
Pretty popular password file for cracking passwords

134
00:07:05,500 --> 00:07:06,673
using a dictionary.

135
00:07:07,520 --> 00:07:10,000
And you could see really quickly,

136
00:07:10,000 --> 00:07:12,190
we're able to pick up a lot of the passwords that are

137
00:07:12,190 --> 00:07:13,023
in the file.

138
00:07:14,159 --> 00:07:16,970
It's a really large text file that we're using.

139
00:07:16,970 --> 00:07:19,890
So it says it's gonna take 24 minutes

140
00:07:19,890 --> 00:07:21,920
to crack all the passwords.

141
00:07:21,920 --> 00:07:24,150
It's not only going through each of the passwords

142
00:07:24,150 --> 00:07:27,590
that are in the file, but it's also, you could see,

143
00:07:27,590 --> 00:07:30,700
using different types of mangling rules.

144
00:07:30,700 --> 00:07:33,550
We're using the InsidePro-PasswordsPro rule,

145
00:07:33,550 --> 00:07:36,730
which comes with Hashcat, for cracking the password.

146
00:07:36,730 --> 00:07:39,003
These are LM hashes that we're cracking.

147
00:07:40,090 --> 00:07:43,670
Really the same idea for NT password cracking

148
00:07:43,670 --> 00:07:45,023
using this word list.

149
00:07:47,890 --> 00:07:52,760
And within seconds it has cracked a lot of the NT hashes

150
00:07:52,760 --> 00:07:53,593
as well.

151
00:07:56,210 --> 00:07:57,623
So we can quit out of that.

152
00:08:00,560 --> 00:08:02,990
Just so you can see the actual speed of this.

153
00:08:02,990 --> 00:08:04,590
I mean, you know that it's going really fast.

154
00:08:04,590 --> 00:08:06,510
But let's look at an English dictionary

155
00:08:06,510 --> 00:08:08,910
and see how quickly it can go through this list.

156
00:08:15,041 --> 00:08:17,356
So you can see within a few seconds

157
00:08:17,356 --> 00:08:19,820
it went through the entire English dictionary

158
00:08:19,820 --> 00:08:22,223
to see if any of the passwords were in there.

159
00:08:28,497 --> 00:08:31,020
And these are NT hashes

160
00:08:31,020 --> 00:08:34,300
that it quickly cracked using the English dictionary

161
00:08:34,300 --> 00:08:37,093
and the pro mangling rules.

162
00:08:38,060 --> 00:08:40,960
We can show the passwords that it has cracked.

163
00:08:40,960 --> 00:08:43,430
You can see them all right there.

164
00:08:43,430 --> 00:08:47,423
So, amazingly fast password cracker using the GPU.

165
00:08:48,300 --> 00:08:50,490
And what would most likely happen in this scenario

166
00:08:50,490 --> 00:08:52,550
is you could use John the Ripper

167
00:08:52,550 --> 00:08:55,020
when you're on site doing the password cracking.

168
00:08:55,020 --> 00:08:56,720
But once you have a significant number

169
00:08:56,720 --> 00:08:58,830
of passwords that you need to crack,

170
00:08:58,830 --> 00:09:00,383
or you have some more difficult passwords

171
00:09:00,383 --> 00:09:01,380
that you need to crack,

172
00:09:01,380 --> 00:09:04,610
you'd probably bring them to your password cracking station.

173
00:09:04,610 --> 00:09:06,610
That's using your graphics card

174
00:09:06,610 --> 00:09:09,053
instead of the CPU on the machine,

175
00:09:09,915 --> 00:09:11,600
or multiple graphics cards.

176
00:09:11,600 --> 00:09:13,330
And you'd run the password cracking

177
00:09:13,330 --> 00:09:15,853
on that password cracking machine.

178
00:09:16,920 --> 00:09:17,973
That is Hashcat.