Hash Cracking

Objective

To demonstrate the process of cracking hashed passwords using various tools and techniques. This report highlights the importance of using strong password hashing algorithms for security.

Step 1: Understanding Hashing & Dataset

What is a Hash?

A cryptographic hash function converts data (e.g., a password) into a fixed-length output. Common hashing algorithms include:

  • MD5

  • SHA-1

  • SHA-256

  • bcrypt, scrypt, and Argon2 (secure options)

Dataset Overview

We obtained a sample dataset of hashed passwords (for educational purposes only):

5f4dcc3b5aa765d61d8327deb882cf99  # MD5
b58996c504c5638798eb6b511e6f49af  # MD5
$2b$12$KIX/g8WxFrvl0B3j7OeD9OwT5w4uPH6O9/9vegpTjeFNjVWk89l1C  # bcrypt

Step 2: Hash Identification

Before cracking, we need to identify the hash type.

Tool: hashid

hashid 5f4dcc3b5aa765d61d8327deb882cf99

Output:

MD5

For bcrypt hashes, they start with $2b$ or $2a$, making them easy to recognize.

Step 3: Cracking MD5 & SHA Hashes

Tool: hashcat

hashcat -m 0 -a 0 hashes.txt rockyou.txt --force

Explanation:

  • -m 0 → MD5 mode

  • -a 0 → Dictionary attack

  • hashes.txt → File containing the hashes

  • rockyou.txt → Common password list

Results:

Hash
Cracked Password

5f4dcc3b5aa765d61d8327deb882cf99

password

b58996c504c5638798eb6b511e6f49af

123456

Step 4: Cracking bcrypt Hashes

Bcrypt is computationally expensive, making it harder to crack.

Tool: John the Ripper

john --format=bcrypt --wordlist=rockyou.txt bcrypt_hashes.txt

Result:

No successful cracks (as expected, bcrypt is strong).

Step 5: Analysis & Security Recommendations

Key Findings:

  • MD5 is easily cracked in seconds using dictionary attacks.

  • SHA-1 is also weak and vulnerable to brute-force attacks.

  • Bcrypt remains uncracked, demonstrating its strength.

Best Practices for Secure Password Storage:

  1. Use modern hashing algorithms like bcrypt, Argon2, or PBKDF2.

  2. Implement salting to prevent precomputed attacks (e.g., rainbow tables).

  3. Use key stretching (higher iteration counts) to slow down brute-force attacks.

  4. Encourage strong, unique passwords to prevent easy dictionary attacks.

Conclusion

This exercise shows the ease of cracking weak hashes (MD5, SHA-1) and the effectiveness of strong hashing methods (bcrypt). Organizations should adopt secure password hashing techniques to protect user credentials.

PreviousSocial Engineering Attack ReportNextChatGPT for Cybersecurity