Cracking a SHA512 Debian password hash with oclHashcat on Debian 8.0. I am using a Radeon HD6670 card and I created a user with the crappy password of “password”. Then I downloaded oclHashcat 1.37 and used this to crack the password using the GPU.
This is the password hash in the /etc/shadow file.
fred:$6$5l70Gupv$xBTxhCSexudn5jJ9hampIfTK0KIR3nqK1K1Rxye.OA5obtKArO7jgftjJtVSdp31MPxItEPmOuWhbgBvp0wqn.:16737:0:99999:7:::
The salt of the password hash is the first section after the $6$ prefix:
5l70Gupv
And the hash is the next part of the line:
xBTxhCSexudn5jJ9hampIfTK0KIR3nqK1K1Rxye.OA5obtKArO7jgftjJtVSdp31MPxItEPmOuWhbgBvp0wqn.
The $ sign is the delimiter between the salt and the hash in a shadow password file entry. $6 defines this as a SHA512 password hash.
I needed to edit this file to remove the extraneous data and leave just the hash.
$6$5l70Gupv$xBTxhCSexudn5jJ9hampIfTK0KIR3nqK1K1Rxye.OA5obtKArO7jgftjJtVSdp31MPxItEPmOuWhbgBvp0wqn.
Then I could use hashcat and rockyou.txt from Kali Linux to attack this hash and get the user's password.
john@hackerbox:~/Documents/oclHashcat-1.37$ ./oclHashcat64.bin -m 1800 -o output.txt ../passhash ../wordlists/rockyou.txt --force
oclHashcat v1.37 starting...
Device #1: Turks, 512MB, 800Mhz, 6MCU
Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable Optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel ./kernels/4098/m01800.Turks_1526.3_1526.3_1439892092.kernel (1165084 bytes)
Device #1: Kernel ./kernels/4098/amp_a0_v1.Turks_1526.3_1526.3_1439892092.kernel (304324 bytes)
INFO: removed 1 hash found in pot file
Session.Name...: oclHashcat
Status.........: Cracked
Input.Mode.....: File (../wordlists/rockyou.txt)
Hash.Target....: $6$5l70Gupv$xBTxhCSexudn5jJ9hampIfTK0KIR3...
Hash.Type......: sha512crypt, SHA512(Unix)
Time.Started...: 0 secs
Speed.GPU.#1...: 0 H/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 0/0 (100.00%)
Rejected.......: 0/0 (100.00%)
Restore point..: 0/0 (100.00%)
HWMon.GPU.#1...: 0% Util, 31c Temp, 40% Fan
Started: Thu Oct 29 21:15:32 2015
Stopped: Thu Oct 29 21:15:33 2015
This is the output I received after cracking the password with oclHashcat.
john@hackerbox:~/Documents/oclHashcat-1.37$ cat output.txt
$6$5l70Gupv$xBTxhCSexudn5jJ9hampIfTK0KIR3nqK1K1Rxye.OA5obtKArO7jgftjJtVSdp31MPxItEPmOuWhbgBvp0wqn.:password
And now I have the user's password. That is how simple this is, but you need a wordlist with the password in it and this consumes a very large amount of disk space. I have cracked a PIN hash with a wordlist generated with crunch, but it was 60 gigabytes. A wordlist that contained all possible 4 digit numbers would have been 150 Petabytes. Luckily, this PIN code only used certain numbers and therefore the wordlist of all possible PIN numbers was less than that.
The rockyou.txt file may be downloaded here: http://scrapmaker.com/download/data/wordlists/dictionaries/rockyou.txt This is quite a comprehensive wordlist and I have used this to crack a couple of things. More wordlists are available here: https://github.com/danielmiessler/SecLists/tree/master/Passwords.
The mkpasswd command allows the creation of a password hash on Linux.
Here is an example. The salt is randomly generated. This is generating a password hash with the password “password” three times and we get a different result each time. But when I put one of these password hashes on an actual Linux system, I was able to log in. So this does work.
ubuntu ~ $ mkpasswd -m SHA-512
Password:
$6$WXYsgsCwknMup$HPiIFSkNfApJ/U1jmrGhNdrmeUvS/xgttmojICueacwcXZJukeMkJ7hBoSknGKInkHG/RIID1Q0EJV4UjFP321
ubuntu ~ $ mkpasswd -m SHA-512
Password:
$6$4WSJMQBe3h$fVIZsVcvR2ZCv9BJdvxT.GpEHNlSJYH0GTv6Lh20sCMrowL1d.wpJzbZ/fz.xIMjGckQhWG7aPnhswksGxs5l1
ubuntu ~ $ mkpasswd -m SHA-512
Password:
$6$8.ku/bT..k/Y$ZwUX.tMGAfpog/GxdRz5NHXNe73TXayNz5bmGTiQWFB04WtlOZIK0ecsBPOFf9vEWte4pe5iemqJk4geOsX/M.
But if you have access to the shadow file, you would have root access and would be able to change the password with passwd anyway. But this goes to show that you can crack a SHA512 password hash on Linux in no time with a GPU.
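The shadow entry layout described above, as an added example that is not part of the original post: a small parser that splits an /etc/shadow line into its fields, for auditing which hash scheme, salt and password age each account has. The function names are hypothetical, and the 5000-round default is the sha512crypt default that applies when no `rounds=` field is present.

```python
"""Parse /etc/shadow entries into their fields (added example, hypothetical helper names)."""
from datetime import date, timedelta

# crypt(3) scheme identifiers; "6" is the sha512crypt scheme discussed in the post.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
DEFAULT_ROUNDS = 5000  # sha256crypt/sha512crypt default when no rounds= field is given


def parse_crypt(field):
    """Split '$id$[rounds=N$]salt$hash' into a dict; None for locked or empty fields."""
    if not field.startswith("$"):
        return None  # e.g. '*', '!' or empty: no usable password hash
    parts = field.split("$")[1:]  # drop the empty string before the first '$'
    scheme_id, rest = parts[0], parts[1:]
    rounds = None
    if rest and rest[0].startswith("rounds="):
        rounds = int(rest[0][len("rounds="):])
        rest = rest[1:]
    if len(rest) != 2:
        raise ValueError("unexpected crypt string layout")
    if rounds is None and scheme_id in ("5", "6"):
        rounds = DEFAULT_ROUNDS
    return {"scheme": SCHEMES.get(scheme_id, "unknown"), "rounds": rounds,
            "salt": rest[0], "hash": rest[1]}


def parse_shadow_line(line):
    """Return user, parsed crypt string, the bare hash field and last-change date."""
    fields = line.strip().split(":")
    if len(fields) != 9:
        raise ValueError("a shadow entry has 9 colon-separated fields")
    user, crypt_field, last_change = fields[0], fields[1], fields[2]
    # Field 3 counts days since 1970-01-01.
    changed = date(1970, 1, 1) + timedelta(days=int(last_change)) if last_change else None
    return {"user": user, "crypt": parse_crypt(crypt_field),
            "hash_only": crypt_field, "changed": changed}


# The entry shown in the post.
ENTRY = ("fred:$6$5l70Gupv$xBTxhCSexudn5jJ9hampIfTK0KIR3nqK1K1Rxye."
         "OA5obtKArO7jgftjJtVSdp31MPxItEPmOuWhbgBvp0wqn.:16737:0:99999:7:::")

if __name__ == "__main__":
    info = parse_shadow_line(ENTRY)
    print(info["user"], info["crypt"]["scheme"], info["crypt"]["salt"], info["changed"])
    print(info["hash_only"])
```

The `hash_only` value is the same stripped line the post saves for hashcat, and the decoded last-change date for fred falls on the day of the hashcat run shown above.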