Hash Cracking

Objective

To demonstrate the process of cracking hashed passwords using various tools and techniques. This report highlights the importance of using strong password hashing algorithms for security.


Step 1: Understanding Hashing & Dataset

What is a Hash?

A cryptographic hash function converts data (e.g., a password) into a fixed-length output. Common hashing algorithms include:

  • MD5

  • SHA-1

  • SHA-256

  • bcrypt, scrypt, and Argon2 (secure options)

Dataset Overview

We obtained a sample dataset of hashed passwords (for educational purposes only):

5f4dcc3b5aa765d61d8327deb882cf99  # MD5
b58996c504c5638798eb6b511e6f49af  # MD5
$2b$12$KIX/g8WxFrvl0B3j7OeD9OwT5w4uPH6O9/9vegpTjeFNjVWk89l1C  # bcrypt

Step 2: Hash Identification

Before cracking, we need to identify the hash type.

Tool: hashid

hashid 5f4dcc3b5aa765d61d8327deb882cf99

Output:

MD5

Bcrypt hashes start with a $2b$ or $2a$ prefix, which makes them easy to recognize.


Step 3: Cracking MD5 & SHA Hashes

Tool: hashcat

hashcat -m 0 -a 0 hashes.txt rockyou.txt --force

Explanation:

  • -m 0 → MD5 mode

  • -a 0 → Dictionary attack

  • hashes.txt → File containing the hashes

  • rockyou.txt → Common password list

  • --force → Ignore hashcat's warnings and run anyway

Results:

| Hash | Cracked Password |
| --- | --- |
| 5f4dcc3b5aa765d61d8327deb882cf99 | password |
| b58996c504c5638798eb6b511e6f49af | 123456 |


Step 4: Cracking bcrypt Hashes

Bcrypt is computationally expensive, making it harder to crack.

Tool: John the Ripper

john --format=bcrypt --wordlist=rockyou.txt bcrypt_hashes.txt

Result:

No successful cracks (as expected, bcrypt is strong).

Step 5: Analysis & Security Recommendations

Key Findings:

  • MD5 is easily cracked in seconds using dictionary attacks.

  • SHA-1 is also weak and vulnerable to brute-force attacks.

  • Bcrypt remains uncracked, demonstrating its strength.

Best Practices for Secure Password Storage:

  1. Use modern hashing algorithms like bcrypt, Argon2, or PBKDF2.

  2. Implement salting to prevent precomputed attacks (e.g., rainbow tables).

  3. Use key stretching (higher iteration counts) to slow down brute-force attacks.

  4. Encourage strong, unique passwords to prevent easy dictionary attacks.


Conclusion

This exercise shows the ease of cracking weak hashes (MD5, SHA-1) and the effectiveness of strong hashing methods (bcrypt). Organizations should adopt secure password hashing techniques to protect user credentials.

