Cracking Cryptographic Hashes

Tufin
Sep 22, 2020

By Reuven Harrison

A hash function is an algorithm that generates a fixed-length string from an input.

There are many different hash algorithms with different properties, for example, SHA-256.

You can use openssl to generate a SHA-256 hash:

echo -n 'secret' | openssl dgst -sha256

The output is the hash:

2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b

Hashes have a special property: they are easy to compute but difficult to reverse. Given the hash above, it is difficult to find its origin, “secret”.

This makes hashes a good method to verify passwords. Rather than storing the password itself and risking it being stolen, you store the password’s hash. When a user provides a password, you compute its hash and compare it to the stored value; if they match, the user entered the correct password.

Cracking a SHA-256 Hash

But hashes can be reversed using methods such as a dictionary attack, which compares the given hash to the hashes of common words from a dictionary, or brute force, which computes the hash of many different combinations of characters until it finds one that matches the given hash. This is, of course, not very efficient, but with enough compute power and time, it often works.

Let’s see an example:

Suppose you were given the hash above and you want to find its origin. To do that, you can utilize a tool called hashcat.

First you need to install it. I used the following steps to install it on macOS Catalina (requires git and make which you can get with brew):

git clone https://github.com/hashcat/hashcat.git
mkdir -p hashcat/deps
git clone https://github.com/KhronosGroup/OpenCL-Headers.git hashcat/deps/OpenCL
cd hashcat/ && make install

Next you need to find the identifier (Hash mode or Hash-type) of your hash algorithm. For SHA-256 it’s 1400. You can see all codes on this page (or with hashcat --help).

Now run a brute-force attack:

hashcat -m 1400 -a 3 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b

And after a short while, you should get:

2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b:secret

Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA2-256
Hash.Target......: 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25...27a25b
Time.Started.....: Tue Sep 22 15:11:41 2020 (10 secs)
Time.Estimated...: Tue Sep 22 15:11:51 2020 (0 secs)
Guess.Mask.......: ?1?2?2?2?2?2 [6]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 6/15 (40.00%)
Speed.#1.........: 55535.2 kH/s (6.90ms) @ Accel:256 Loops:128 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 521502720/3748902912 (13.91%)
Rejected.........: 0/521502720 (0.00%)
Restore.Point....: 233472/1679616 (13.90%)
Restore.Sub.#1...: Salt:0 Amplifier:0-128 Iteration:0-128
Candidates.#1....: sacers -> co9ish
Started: Tue Sep 22 15:11:35 2020
Stopped: Tue Sep 22 15:11:51 2020

You can see that the status is “Cracked” and the original “secret” just above that.
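The Guess.Mask and Guess.Charset lines in that output determine how many candidates the run has to try. The following Python code is an added example, not part of the original post or of hashcat: it computes the candidate count for a mask and the worst-case time at a given hash rate. It handles only the ?l, ?u, ?d, ?s and ?a classes plus custom sets 1 to 4, and the function names are made up for this example; the rate is the Speed.#1 figure from the output above.

```python
import string

# Built-in mask classes handled by this example.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,          # space plus 32 symbols
}
BUILTIN["a"] = "".join(BUILTIN[k] for k in "luds")   # 95 printable ASCII

def expand(spec, custom=None):
    """Return one set of candidate characters per position in `spec`."""
    custom = custom or {}
    positions, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars = {"?"}                # "??" is a literal question mark
            elif key in BUILTIN:
                chars = set(BUILTIN[key])
            elif key in custom:
                chars = custom[key]
            else:
                raise ValueError(f"unknown mask token ?{key}")
            i += 2
        else:
            chars = {spec[i]}                # literal character
            i += 1
        positions.append(chars)
    return positions

def charset(definition):
    """Flatten a custom charset definition such as '?l?d*!$@_' into a set."""
    return set().union(*expand(definition))

def keyspace(mask, custom_defs=None):
    """Number of candidates a mask generates, given the -1..-4 definitions."""
    custom = {k: charset(v) for k, v in (custom_defs or {}).items()}
    total = 1
    for chars in expand(mask, custom):
        total *= len(chars)
    return total

def seconds_to_exhaust(mask, custom_defs, hashes_per_second):
    """Worst-case time to try every candidate at a constant hash rate."""
    return keyspace(mask, custom_defs) / hashes_per_second

if __name__ == "__main__":
    defs = {"1": "?l?d?u", "2": "?l?d"}      # from Guess.Charset above
    print(keyspace("?1?2?2?2?2?2", defs))    # compare with the Progress total
    print(seconds_to_exhaust("?1?2?2?2?2?2", defs, 55_535_200), "seconds")
    print(seconds_to_exhaust("?a" * 12, None, 55_535_200) / 31_557_600, "years")
```

For the six-character mask the result equals the total shown in the Progress line, and the last line shows how the same rate fares against twelve characters drawn from all printable ASCII.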

Cracking an HMAC SHA-256 Hash

Let’s try a slightly more advanced example. This time we will use a different hash algorithm called HMAC-SHA-256, which requires not only the input string but also a secret key.

First, let’s generate the hash of ‘Lucy in the sky of diamonds’ with a secret key ‘secret’:

echo -n 'Lucy in the sky of diamonds' | openssl dgst -sha256 -hmac 'secret'

This will generate the hash:

116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443f9d8d3e5668b5

Now let’s try to reverse it. The Hash mode of HMAC-SHA-256 is 1450. We pass a string comprising the hash and the original text separated by a colon:

hashcat -m 1450 -a 3 "116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443f9d8d3e5668b5:Lucy in the sky of diamonds"

After a minute or so, you should get the result, which is the secret key “secret”:

116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443f9d8d3e5668b5:Lucy in the sky of diamonds:secret

Session..........: hashcat
Status...........: Cracked
Hash.Name........: HMAC-SHA256 (key = $pass)
Hash.Target......: 116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443...amonds
Time.Started.....: Tue Sep 22 15:48:15 2020 (41 secs)
Time.Estimated...: Tue Sep 22 15:48:56 2020 (0 secs)
Guess.Mask.......: ?1?2?2?2?2?2 [6]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 6/15 (40.00%)
Speed.#1.........: 12328.6 kH/s (7.00ms) @ Accel:64 Loops:128 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 521207808/3748902912 (13.90%)
Rejected.........: 0/521207808 (0.00%)
Restore.Point....: 233472/1679616 (13.90%)
Restore.Sub.#1...: Salt:0 Amplifier:0-128 Iteration:0-128
Candidates.#1....: sacers -> co9ont
Started: Tue Sep 22 15:48:03 2020
Stopped: Tue Sep 22 15:48:56 2020

A few more advanced tricks with hashcat

1. You can crack multiple hashes by putting them in a file and running:

hashcat -m 1450 -a 3 hash-list.txt

Each line in the file should be in the form of “hash” for SHA-256 or “hash:original text” for HMAC-SHA-256.

2. You can use custom character sets and patterns, for example this command searches for secrets with six lowercase letters only:

hashcat -m 1450 -a 3 -1 abcdefghijklmnopqrstuvwxyz "116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443f9d8d3e5668b5:Lucy in the sky of diamonds" "?1?1?1?1?1?1"

3. After successfully cracking a hash, hashcat stores it in ~/.hashcat/hashcat.potfile. If you want to run the same crack again, you need to remove the result from this file, otherwise hashcat will simply return the cached result.

Finally, let’s talk about Security

First of all, a mandatory word of caution: don’t use this maliciously!

Now, how can you protect against malicious attackers?

  1. As a security architect, use an up-to-date and strong hash algorithm with a salt and a strong secret (see detailed explanation). Better still, use multi-factor authentication or biometrics so that you don’t rely on a password alone.
  2. As a user, use long passwords with digits and special characters, store them in a password manager, and don’t trust the application you are connecting to (don’t share passwords between different accounts).


Enjoy!

Reuven
