[Try Hack Me]Crack the hash
The following tools appear to be available for analyzing hash values. This time I'll try CrackStation.
CrackStation
Hash Analyzer
Hash Toolkit
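I loaded the Level 1 hashes into CrackStation and got the results below. I won't publish the Result values.
It seems that well-known hashes are detected even for sha256.
The fourth one could not be cracked, so I'll think about the cause.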
Hash | Type | Result |
---|---|---|
48bb6e862e54f2a795ffc4e541caed4d | md5 | ■■■■■ |
CBFDAC6008F9CAB4083784CBD1874F76618D2A97 | sha1 | ■■■■■ |
1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032 | sha256 | ■■■■■ |
$2y | Unknown | Unrecognized hash format. |
279412f945939ba78ce0758d3fd83daa | md4 | ■■■■■ |
I ran hashcat without specifying a hash mode to get a rough idea of the hash function.
bcrypt was output.
Based on the Wikipedia description, I conclude that the fourth hash is bcrypt.
┌──(kali㉿kali)-[~]
└─$ hashcat hash.txt rockyou.txt
hashcat (v6.2.6) starting in autodetect mode
OpenCL API (OpenCL 3.0 PoCL 4.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-penryn-Intel(R) Core(TM) i7-10875H CPU @ 2.30GHz, 6939/13943 MB (2048 MB allocatable), 2MCU
The following 4 hash-modes match the structure of your input hash:
# | Name | Category
======+============================================================+======================================
3200 | bcrypt $2*$, Blowfish (Unix) | Operating System
25600 | bcrypt(md5($pass)) / bcryptmd5 | Forums, CMS, E-Commerce
25800 | bcrypt(sha1($pass)) / bcryptsha1 | Forums, CMS, E-Commerce
28400 | bcrypt(sha512($pass)) / bcryptsha512 | Forums, CMS, E-Commerce
Please specify the hash-mode with -m [hash-mode].
Started: Thu Nov 16 00:03:38 2023
Stopped: Thu Nov 16 00:03:41 2023
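I ran hashcat with hash mode 3200 and rockyou.txt, but it complained about insufficient resources and could not crack the hash. Raising the virtual machine's allocated memory to about 16 GB did not help either.
Having no other choice, I installed hashcat on the Windows host machine and ran the same thing. However, the command exited without printing any result, which was worse than on Kali.
My host machine has an i7 CPU, 32 GB of memory, and a 2 GB GPU.
There were multiple causes.
The first was that an OpenCL runtime already installed on the host machine was causing trouble. Uninstalling it from Windows solved this.
The second was resource usage.
After a little investigation, I noticed that GPU usage was at 100% during execution while the CPU showed no significant change.
Checking with the -I option printed only GPU information, which showed that the CPU was not set up to be used.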
C:\hashcat-6.2.6>hashcat.exe -I
hashcat (v6.2.6) starting in backend information mode
OpenCL Info:
============
OpenCL Platform ID #1
Vendor..: Intel(R) Corporation
Name....: Intel(R) OpenCL HD Graphics
Version.: OpenCL 3.0
Backend Device ID #1
Type...........: GPU
Vendor.ID......: 8
Vendor.........: Intel(R) Corporation
Name...........: Intel(R) UHD Graphics
Version........: OpenCL 3.0 NEO
Processor(s)...: 24
Clock..........: 1200
Memory.Total...: 13057 MB (limited to 2047 MB allocatable in one block)
Memory.Free....: 6496 MB
Local.Memory...: 64 KB
OpenCL.Version.: OpenCL C 1.2
Driver.Version.: 31.0.101.2111
The site above said that installing OpenCL Runtimes for Intel would fix this, so I installed it from the following.
After that, checking with the -I option showed the CPU as well. The configuration is now OK.
C:\hashcat-6.2.6>hashcat.exe -I
hashcat (v6.2.6) starting in backend information mode
OpenCL Info:
============
OpenCL Platform ID #1
Vendor..: Intel(R) Corporation
Name....: Intel(R) OpenCL HD Graphics
Version.: OpenCL 3.0
Backend Device ID #1
Type...........: GPU
Vendor.ID......: 8
Vendor.........: Intel(R) Corporation
Name...........: Intel(R) UHD Graphics
Version........: OpenCL 3.0 NEO
Processor(s)...: 24
Clock..........: 1200
Memory.Total...: 13057 MB (limited to 2047 MB allocatable in one block)
Memory.Free....: 6496 MB
Local.Memory...: 64 KB
OpenCL.Version.: OpenCL C 1.2
Driver.Version.: 31.0.101.2111
OpenCL Platform ID #2
Vendor..: Intel(R) Corporation
Name....: Intel(R) OpenCL
Version.: OpenCL 3.0 WINDOWS
Backend Device ID #2
Type...........: CPU
Vendor.ID......: 8
Vendor.........: Intel(R) Corporation
Name...........: Intel(R) Core(TM) i7-10875H CPU @ 2.30GHz
Version........: OpenCL 3.0 (Build 0)
Processor(s)...: 16
Clock..........: 2300
Memory.Total...: 32644 MB (limited to 8161 MB allocatable in one block)
Memory.Free....: 16290 MB
Local.Memory...: 32 KB
OpenCL.Version.: OpenCL C 3.0
Driver.Version.: 2023.16.6.0.28_042959
I assumed that would be enough and ran it again, but was told that cracking would take 2 days, 11 hours, so I gave up on doing it on the host machine.
Session..........: hashcat
Status...........: Quit
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX...8wsRom
Time.Started.....: Thu Nov 16 23:55:35 2023 (1 min, 30 secs)
Time.Estimated...: Sun Nov 19 11:05:17 2023 (2 days, 11 hours)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 67 H/s (7.54ms) @ Accel:16 Loops:8 Thr:1 Vec:1
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 5888/14344384 (0.04%)
Rejected.........: 0/5888 (0.00%)
Restore.Point....: 5888/14344384 (0.04%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:2352-2360
Candidate.Engine.: Device Generator
Candidates.#2....: charlie2 -> horoscope
Started: Thu Nov 16 23:55:21 2023
Stopped: Thu Nov 16 23:57:06 2023
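Why a lookup service rejects these strings and why the estimate is so long, as an added example (not code from the original post): it parses the modular-crypt strings shown on this page to extract salt and work factor, then reproduces hashcat's time estimate from the reported H/s. The function names are hypothetical, and the 5000-round default for sha512crypt is taken from the crypt specification rather than from the page.

```python
import re

ROCKYOU_WORDS = 14344384  # "Progress" denominator in the hashcat status output on this page

BCRYPT = re.compile(r"\$(2[abxy])\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")
SHA512CRYPT = re.compile(r"\$6\$(?:rounds=(\d+)\$)?([^$:]{1,16})\$([./A-Za-z0-9]{86})")
# Bare hex digests carry no scheme marker; length only narrows the candidates.
HEX_CANDIDATES = {32: ["md5", "md4", "ntlm"], 40: ["sha1"], 64: ["sha256"]}


def classify(line):
    """Describe one hash string: scheme, salt, work factor, hashcat mode where known."""
    m = BCRYPT.fullmatch(line)
    if m:
        cost = int(m.group(2))  # bcrypt performs 2**cost key-expansion rounds
        return {"scheme": "bcrypt", "mode": 3200, "salt": m.group(3),
                "iterations": 2 ** cost}
    m = SHA512CRYPT.fullmatch(line)
    if m:  # assumption: 5000 rounds when no "rounds=" field is present
        return {"scheme": "sha512crypt", "mode": 1800, "salt": m.group(2),
                "iterations": int(m.group(1) or 5000)}
    digest, _, salt = line.partition(":")
    if re.fullmatch(r"[0-9a-fA-F]+", digest) and len(digest) in HEX_CANDIDATES:
        return {"scheme": None, "candidates": HEX_CANDIDATES[len(digest)],
                "salt": salt or None, "iterations": 1}
    return {"scheme": "unknown"}


def exhaust_time(rate_hps, words=ROCKYOU_WORDS):
    """Worst-case time to try every word at rate_hps, in hashcat's two-unit style."""
    secs = int(words / rate_hps)
    days, rem = divmod(secs, 86400)
    hours, rem = divmod(rem, 3600)
    mins, secs = divmod(rem, 60)
    parts = [(days, "days"), (hours, "hours"), (mins, "mins"), (secs, "secs")]
    shown = [f"{n} {unit}" for n, unit in parts if n][:2]
    return ", ".join(shown) or "0 secs"


if __name__ == "__main__":
    for h in ("$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom",
              "$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be"
              ".cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.",
              "e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme"):
        print(classify(h))
    # Rates taken from the Speed lines on this page: bcrypt, sha512crypt, HMAC-SHA1
    print(exhaust_time(67), "|", exhaust_time(5926), "|", exhaust_time(5934800))
```

The per-hash salt is what defeats precomputed lookup tables, and the iteration count is what turns the same wordlist from seconds into days.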
As for the hash above, the plan is to crack it with something like AWS EC2; for now I'll move on to Level 2.
As usual, I use CrackStation.
Hash | Type | Result |
---|---|---|
F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85 | sha256 | ■■■■■ |
1DFECA0C002AE40B8619ECF94819CC1B | NTLM | ■■■■■ |
$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02. | Unknown | Unrecognized hash format. |
e5d8870e5bdd26602cab8dbe07a942c8669e56d6 | Unknown | Not found. |
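For the EC2 instance type used for cracking, I'll try the one described below.
I built the EC2 instance above and tried hashcat, but was told the estimated time was about 6 hours, so in the end I tried it on the host machine.
The estimated time showed about two and a half days, but in the end it was cracked in 43 minutes.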
Session..........: hashcat
Status...........: Running
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX...8wsRom
Time.Started.....: Tue Nov 21 01:15:20 2023 (19 mins, 15 secs)
Time.Estimated...: Thu Nov 23 14:08:21 2023 (2 days, 12 hours)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 5 H/s (74.80ms) @ Accel:1 Loops:4 Thr:16 Vec:1
Speed.#2.........: 61 H/s (33.15ms) @ Accel:16 Loops:32 Thr:1 Vec:1
Speed.#*.........: 65 H/s
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 75136/14344384 (0.52%)
Rejected.........: 0/75136 (0.00%)
Restore.Point....: 75520/14344384 (0.53%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:3320-3324
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:3264-3296
Candidate.Engine.: Host Generator + PCIe
Candidates.#1....: blah11 -> 27121986
Candidates.#2....: minkie -> klk123
$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom:■■■■■
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX...8wsRom
Time.Started.....: Tue Nov 21 01:15:20 2023 (43 mins, 54 secs)
Time.Estimated...: Tue Nov 21 01:59:14 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 5 H/s (74.66ms) @ Accel:1 Loops:4 Thr:16 Vec:1
Speed.#2.........: 61 H/s (32.14ms) @ Accel:16 Loops:32 Thr:1 Vec:1
Speed.#*.........: 66 H/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 173696/14344384 (1.21%)
Rejected.........: 0/173696 (0.00%)
Restore.Point....: 173824/14344384 (1.21%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:3308-3312
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:4064-4096
Candidate.Engine.: Host Generator + PCIe
Candidates.#1....: loveneverfails -> lara1
Candidates.#2....: boricua8 -> berhasil
Started: Tue Nov 21 01:14:50 2023
Stopped: Tue Nov 21 01:59:15 2023
According to the reference, the third one seems to be $6$: SHA-512-based crypt ('sha512crypt').
hashcat recovered the value relatively quickly.
Session..........: hashcat
Status...........: Running
Hash.Mode........: 1800 (sha512crypt $6$, SHA512 (Unix))
Hash.Target......: $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPM...ZAs02.
Time.Started.....: Tue Nov 21 21:39:55 2023 (48 secs)
Time.Estimated...: Tue Nov 21 22:20:14 2023 (39 mins, 31 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1569 H/s (117.42ms) @ Accel:32 Loops:512 Thr:64 Vec:1
Speed.#2.........: 4358 H/s (49.95ms) @ Accel:1024 Loops:1024 Thr:1 Vec:4
Speed.#*.........: 5926 H/s
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 285928/14344384 (1.99%)
Rejected.........: 232/285928 (0.08%)
Restore.Point....: 281826/14344384 (1.96%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:512-1024
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:4096-5000
Candidate.Engine.: Device Generator
Candidates.#1....: 080963 -> weezy07
Candidates.#2....: weezy06 -> tray1
$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.:■■■■■
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1800 (sha512crypt $6$, SHA512 (Unix))
Hash.Target......: $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPM...ZAs02.
Time.Started.....: Tue Nov 21 21:39:55 2023 (8 mins, 17 secs)
Time.Estimated...: Tue Nov 21 21:48:12 2023 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1580 H/s (121.28ms) @ Accel:32 Loops:512 Thr:64 Vec:1
Speed.#2.........: 4073 H/s (50.25ms) @ Accel:1024 Loops:1024 Thr:1 Vec:4
Speed.#*.........: 5654 H/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2830769/14344384 (19.73%)
Rejected.........: 20913/2830769 (0.74%)
Restore.Point....: 2822383/14344384 (19.68%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2560-3072
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:4096-5000
Candidate.Engine.: Device Generator
Candidates.#1....: wallly1945 -> wales069
Candidates.#2....: wakapogi -> waimo1
Started: Tue Nov 21 21:39:18 2023
Stopped: Tue Nov 21 21:48:13 2023
The hint is HMAC-SHA1.
I'll try cracking it as e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme.
C:\hashcat-6.2.6>hashcat -m 160 hash.txt rockyou.txt -O -D 1,2 -w 3
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) UHD Graphics, 6496/13057 MB (2047 MB allocatable), 24MCU
OpenCL API (OpenCL 3.0 WINDOWS) - Platform #2 [Intel(R) Corporation]
====================================================================
* Device #2: Intel(R) Core(TM) i7-10875H CPU @ 2.30GHz, 16290/32644 MB (8161 MB allocatable), 16MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 31
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 1479 MB
Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme:■■■■■
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 160 (HMAC-SHA1 (key = $salt))
Hash.Target......: e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme
Time.Started.....: Tue Nov 21 22:16:04 2023 (2 secs)
Time.Estimated...: Tue Nov 21 22:16:06 2023 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1675.9 kH/s (40.18ms) @ Accel:512 Loops:1 Thr:32 Vec:4
Speed.#2.........: 4258.9 kH/s (1.89ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Speed.#*.........: 5934.8 kH/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 13257559/14344384 (92.42%)
Rejected.........: 2903/13257559 (0.02%)
Restore.Point....: 11339902/14344384 (79.05%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 5225535 -> 22751827
Candidates.#2....: 14081964 -> 136399
Started: Tue Nov 21 22:15:04 2023
Stopped: Tue Nov 21 22:16:08 2023
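What "HMAC-SHA1 (key = $salt)" means for a `digest:salt` line, as an added example (not code from the original post): HMAC is written out per RFC 2104 and a candidate is checked under both key orderings, which is why a plain SHA-1 lookup reported "Not found". The sample password is constructed and is not the room's answer; `verify` and `hmac_sha1` are hypothetical names.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-1 block size in bytes


def hmac_sha1(key, msg):
    """HMAC-SHA1 per RFC 2104: H((K ^ opad) || H((K ^ ipad) || msg))."""
    if len(key) > BLOCK:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    inner = hashlib.sha1(bytes(b ^ 0x36 for b in key) + msg).digest()
    return hashlib.sha1(bytes(b ^ 0x5C for b in key) + inner).hexdigest()


def verify(line, candidate, key_is="salt"):
    """Check a candidate against a 'digest:salt' line.

    key_is="salt" corresponds to hashcat mode 160 (HMAC-SHA1 (key = $salt));
    key_is="pass" corresponds to mode 150 (HMAC-SHA1 (key = $pass)).
    """
    digest, _, salt = line.strip().partition(":")
    pw, salt = candidate.encode(), salt.encode()
    computed = hmac_sha1(salt, pw) if key_is == "salt" else hmac_sha1(pw, salt)
    return hmac.compare_digest(computed, digest.lower())


# Constructed sample: the page's salt with a made-up password.
SAMPLE_PW = "constructed-example-pw"
SAMPLE_LINE = hmac.new(b"tryhackme", SAMPLE_PW.encode(),
                       hashlib.sha1).hexdigest() + ":tryhackme"

if __name__ == "__main__":
    print(verify(SAMPLE_LINE, SAMPLE_PW))                 # key = salt
    print(verify(SAMPLE_LINE, SAMPLE_PW, key_is="pass"))  # key = password
    # An unkeyed SHA-1 of the same password never equals the HMAC digest.
    print(hashlib.sha1(SAMPLE_PW.encode()).hexdigest() == SAMPLE_LINE[:40])
```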