Full Report
Intro

I wrote a tool to help with cracking of hashes, today I finally decided to blog about it. The idea was to take what I’d learned about common patterns in passwords, and put my experience into practice to make password cracking more efficient on future engagements. Below is a short history of how we got to where we are, as well as some examples of how to use it.
Analysis Summary
# Tool/Technique: hash-cracker
## Overview
`hash-cracker` is a custom-written tool, implemented as a Bash script, designed to make password cracking more efficient during penetration testing engagements by incorporating learned patterns about common password constructions. Its goal is to optimize cracking jobs for standard hardware, such as laptop GPUs.
## Technical Details
- Type: Tool
- Platform: Primarily targets systems capable of running Bash scripts, leveraging Hashcat for the actual cracking process on GPUs (both NVIDIA and Apple Silicon GPUs are mentioned).
- Capabilities: Automates and combines various Hashcat attack modes (Dictionary, Hybrid, Combinator, Rule-based, Toggle-case, Common substring) based on known password patterns discovered during assessments.
- First Seen: Implicitly developed prior to the blog post dated April 05, 2023.
## MITRE ATT&CK Mapping
The tool directly supports credential access primarily through offline password cracking on harvested hashes.
- [T1003 - OS Credential Dumping]
- [T1003.001 - Hashes] (Implied context: cracking harvested hashes)
- [T1558 - Steal or Forge Authentication Credentials]
- [T1558.002 - Steal Application Access Token] (If credentials derived from cracked hashes are used)
- [T1558.003 - Credentials from Password Stores] (If stolen hashes are from systems utilizing these stores)
## Functionality
### Core Capabilities
The tool encapsulates frequently used Hashcat commands into organized modules runnable via a menu interface. These modules include:
* Default light rules
* Default heavy rules
* Brute force
* Iterate results
* Plain attack
* Hybrid attack
* Toggle-case attack
* Combinator attack
* Common substring attack
* Prefix suffix attack
### Advanced Features
* **Password Pattern Incorporation:** Specifically targets common patterns observed in real-world passwords (e.g., Word + Numbers + Special Character like `Summer2023!`, `John1970?`, or utilizing leet speak substitutions).
* **Hybrid Attack Implementation:** Utilizes Hashcat attack mode 6 (`-a6`) with custom brute-force patterns (e.g., `?d?d?d?d?s`) appended or prepended to wordlist entries.
* **Hardware Optimization:** Developed and benchmarked with efficiency in mind for standard consumer/laptop GPUs (e.g., NVIDIA M1200 Mobile, Apple Silicon M1 Pro/M2 Pro).
* **Integration with Known Datasets:** Supports the use of large, publicly available credential lists such as those from "Have I Been Pwned?" (HIBP) via the `haveibeenpwned-downloader`.
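The patterns listed above (dictionary word plus a digit/symbol mask such as `?d?d?d?d?s`, and leet-speak substitutions) are exactly what a defender can screen for at password-set time. The following is an added example, not code from `hash-cracker` or the blog post: it translates a hashcat-style mask into a regex, splits a candidate password into word and mask parts, undoes common leet substitutions, and reports which base word and mask shape it matched. The base wordlist and the leet table are constructed assumptions for the demo; a real filter would load a large list (for instance the HIBP corpus the page mentions). It goes slightly beyond the page's suffix-only example by also checking prefixed masks and plain leet-spelled words.

```python
import re
import string

# Constructed: tiny base wordlist standing in for a real dictionary.
BASE_WORDS = {"summer", "winter", "john", "password", "welcome", "company"}

# hashcat built-in charsets used in masks; ?s is the full printable-symbol set.
MASK_CLASSES = {
    "?l": "[a-z]",
    "?u": "[A-Z]",
    "?d": "[0-9]",
    "?s": "[" + re.escape(string.punctuation + " ") + "]",
}

# Constructed leet table: substitutions to reverse before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def mask_to_regex(mask: str) -> str:
    """Translate a hashcat mask like '?d?d?d?d?s' into a regex fragment."""
    out, i = [], 0
    while i < len(mask):
        pair = mask[i:i + 2]
        if pair in MASK_CLASSES:
            out.append(MASK_CLASSES[pair])
            i += 2
        else:                      # literal character inside the mask
            out.append(re.escape(mask[i]))
            i += 1
    return "".join(out)


def normalize(word: str) -> str:
    """Lower-case and reverse leet substitutions so 'J0hn' -> 'john'."""
    return word.lower().translate(LEET)


def weak_pattern(password, words=BASE_WORDS,
                 masks=("?d?d?d?d?s", "?d?d?s", "?d?d?d?d")):
    """Return (base_word, mask, position) when the password is a dictionary
    word in plain or leet form, or such a word with one of the masks appended
    (suffix) or prepended (prefix). Return None when no pattern matches."""
    if normalize(password) in words:
        return (normalize(password), "", "plain")
    for mask in masks:
        mask_re = re.compile(mask_to_regex(mask))
        for k in range(1, len(password)):
            head, tail = password[:k], password[k:]
            if mask_re.fullmatch(tail) and normalize(head) in words:
                return (normalize(head), mask, "suffix")
            if mask_re.fullmatch(head) and normalize(tail) in words:
                return (normalize(tail), mask, "prefix")
    return None


if __name__ == "__main__":
    for candidate in ("Summer2023!", "J0hn1970?", "2023!Winter", "P@ssw0rd",
                      "correct horse battery staple"):
        print(f"{candidate!r:32} -> {weak_pattern(candidate)}")
```

The function is meant to sit behind a password-change hook: a non-`None` result means the candidate falls into one of the shapes a hybrid or rule-based run would reach early, so the change should be rejected with a message explaining why.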
## Indicators of Compromise
As this is a local cracking tool, direct network IOCs related to its operation are minimal unless it interacts with external resources (like downloading wordlists).
- File Hashes: N/A (Tool functions by executing Hashcat against local hash files).
- File Names: `hash-cracker`, `processor.sh` (for the initial script). The knowledge base that informed the tool is published at `kb.offsec.nl` and in its GitHub repository.
- Registry Keys: Not applicable (Client-side offensive tool).
- Network Indicators: None directly attributable to the tool's cracking functionality. May involve downloads from GitHub or HIBP downloader sources (Defanged example: `github[.]com`).
- Behavioral Indicators: High CPU/GPU utilization during execution, file I/O reading large wordlists and hash files, spawning the `hashcat` process.
## Associated Threat Actors
The tool is presented as a custom utility developed by Bart van Bodegom/SensePost for professional assessment use. It is not associated with known malicious threat actor groups mentioned in the context, but rather with offensive security practitioners.
## Detection Methods
Detection focuses on recognizing the execution of the wrapper script and the underlying cracking engine.
- Signature-based detection: Signatures for known Hashcat command line arguments, especially those involving specific attack modes (`-a6`) combined with custom pattern strings (`?d?d?d?d?s`).
- Behavioral detection: Monitoring for the execution of Bash scripts that launch resource-intensive processes like Hashcat, particularly utilizing vendor-supplied wordlists or large dictionary files.
- YARA rules: Not provided in the context.
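To make the signature and behavioural points above concrete, here is an added example (not part of the blog post or the tool) that runs over a handful of constructed process-creation events and raises an alert whenever the command line launches the `hashcat` binary or the `hash-cracker` wrapper. It tokenises the command line, pulls out the attack mode (`-a`), the hash type (`-m`), any rule files and any mask tokens such as `?d?d?d?d?s`, and rates a mask-based attack (modes 3, 6 and 7) higher than a plain dictionary run. The log format (`timestamp host user cmdline`) and the sample lines are constructed for the demo. Because hashcat is also run legitimately by internal auditors, the alert carries host and user so that an allowlist can be applied downstream.

```python
import shlex
from posixpath import basename

# Constructed sample events in a simplified "timestamp host user cmdline" format.
SAMPLE_EVENTS = [
    "2023-04-05T10:01:12Z ws01 alice hashcat -m 1000 -a 6 ntlm.txt rockyou.txt ?d?d?d?d?s",
    "2023-04-05T10:02:40Z ws02 bob bash ./hash-cracker",
    "2023-04-05T10:03:05Z ws02 bob hashcat -m 1000 -a 0 -r best64.rule ntlm.txt words.txt",
    "2023-04-05T10:04:00Z ws03 carol python3 report.py --mode 6",
    "2023-04-05T10:05:30Z ws01 alice hashcat -a6 -m 0 md5.txt list.txt ?d?d?s",
]

CRACKER_BINARIES = {"hashcat", "hashcat.bin", "hashcat64.exe", "hashcat.exe"}
WRAPPER_NAMES = {"hash-cracker"}
MASK_CLASSES = set("ludsabhH")     # hashcat built-in charset letters


def is_mask(token: str) -> bool:
    """True for a token made only of ?x charset placeholders, e.g. '?d?d?d?d?s'."""
    if not token or len(token) % 2:
        return False
    return all(token[i] == "?" and token[i + 1] in MASK_CLASSES
               for i in range(0, len(token), 2))


def analyse(argv):
    """Return an alert dict for a cracker launch, or None for anything else."""
    names = {basename(tok) for tok in argv}
    if names & WRAPPER_NAMES:
        return {"reason": "hash-cracker wrapper launched", "severity": "medium"}
    if not names & CRACKER_BINARIES:
        return None
    mode = hash_type = None
    masks, rules = [], []
    i = 0
    while i < len(argv):
        tok = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if tok in ("-a", "--attack-mode"):
            mode = nxt
            i += 1
        elif tok.startswith("--attack-mode="):
            mode = tok.split("=", 1)[1]
        elif tok.startswith("-a") and tok[2:].isdigit():   # "-a6" form
            mode = tok[2:]
        elif tok in ("-m", "--hash-type"):
            hash_type = nxt
            i += 1
        elif tok.startswith("-m") and tok[2:].isdigit():
            hash_type = tok[2:]
        elif tok in ("-r", "--rules-file"):
            rules.append(nxt)
            i += 1
        elif is_mask(tok):
            masks.append(tok)
        i += 1
    # Mask-driven modes (brute force 3, hybrid 6/7) with an explicit mask are the
    # page's signature case; everything else is a plain dictionary/rule run.
    severity = "high" if mode in ("3", "6", "7") and masks else "medium"
    return {"reason": "hashcat invocation", "severity": severity,
            "attack_mode": mode, "hash_type": hash_type,
            "masks": masks, "rules": rules}


def scan(lines):
    """Parse each event line and collect alerts with host/user context attached."""
    alerts = []
    for line in lines:
        ts, host, user, cmdline = line.split(" ", 3)
        alert = analyse(shlex.split(cmdline))
        if alert:
            alerts.append({"ts": ts, "host": host, "user": user, **alert})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a)
```

The same `analyse` function can be wired to Sysmon Event ID 1 or auditd `execve` records once the command line is extracted; only `scan` depends on the constructed line format.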
## Mitigation Strategies
Mitigation focuses on preventing successful offline credential cracking.
- Prevention measures: Strong, complex, and unique passwords that resist dictionary, hybrid, and rule-based attacks. Implementing multi-factor authentication (MFA).
- Hardening recommendations: Ensure password hashes are stored using modern, slow hashing algorithms (e.g., bcrypt, Argon2) instead of fast hashes like NTLM or MD5, increasing the computational cost of cracking attempts.
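The hardening recommendation above is about making each guess expensive. The following added example (not from the page or the tool) shows the storage format such a scheme needs: a per-user random salt and the cost parameters kept inside the stored string, a constant-time verify, and a `needs_rehash` check so that cost can be raised later without invalidating existing records. It uses `hashlib.scrypt` from the Python standard library as a stand-in for the bcrypt/Argon2 the page names, since those need third-party packages; the `$scrypt$n=...$r=...$p=...$salt$digest` layout is an assumption for this demo, not a standard. `cracking_cost_ratio` measures on the local machine how many MD5 computations fit into the time of one scrypt computation, which is the factor the recommendation is buying.

```python
import base64
import hashlib
import hmac
import os
import time

# Current cost parameters; raise these over time and let needs_rehash() migrate users.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_password(password: str, salt=None, params=SCRYPT_PARAMS) -> str:
    """Return a self-describing hash string: salt and cost travel with the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=params["n"], r=params["r"], p=params["p"], dklen=32)
    return "$scrypt$n={n}$r={r}$p={p}${s}${d}".format(
        n=params["n"], r=params["r"], p=params["p"], s=_b64(salt), d=_b64(digest))


def _parse(stored: str):
    _, scheme, n, r, p, salt, digest = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported scheme")
    params = {k: int(v.split("=", 1)[1]) for k, v in zip("nrp", (n, r, p))}
    return params, base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/cost and compare in constant time."""
    params, salt, digest = _parse(stored)
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=params["n"], r=params["r"], p=params["p"],
                               dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str, params=SCRYPT_PARAMS) -> bool:
    """True when the record was hashed with weaker cost than the current policy."""
    old, _, _ = _parse(stored)
    return old["n"] < params["n"] or old["r"] < params["r"] or old["p"] < params["p"]


def cracking_cost_ratio(md5_samples: int = 20000, scrypt_samples: int = 3) -> float:
    """How many MD5 guesses fit into the time of one scrypt guess on this machine."""
    salt = b"constructed-salt"
    t0 = time.perf_counter()
    for i in range(md5_samples):
        hashlib.md5(b"guess%d" % i).digest()
    per_md5 = (time.perf_counter() - t0) / md5_samples
    t0 = time.perf_counter()
    for i in range(scrypt_samples):
        hashlib.scrypt(b"guess%d" % i, salt=salt, n=SCRYPT_PARAMS["n"],
                       r=SCRYPT_PARAMS["r"], p=SCRYPT_PARAMS["p"], dklen=32)
    per_scrypt = (time.perf_counter() - t0) / scrypt_samples
    return per_scrypt / per_md5


if __name__ == "__main__":
    record = hash_password("Summer2023!")
    print(record)
    print("verify correct :", verify_password("Summer2023!", record))
    print("verify wrong   :", verify_password("Summer2024!", record))
    print("needs rehash   :", needs_rehash(record))
    print("md5 guesses per scrypt guess: %.0f" % cracking_cost_ratio())
```

On a login success, call `needs_rehash` and, if it returns true, store `hash_password(password)` with the current parameters; that is the migration path that lets the cost grow with hardware.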
## Related Tools/Techniques
* **Hashcat:** The underlying password cracking engine utilized by `hash-cracker`.
* **Dictionary Attack, Combinator Attack, Rule Based Attack, Toggle Case Attack:** Specific Hashcat techniques automated by the tool.
* **kb.offsec.nl / crypt0rr/kb:** The knowledge repository that informed the tool's development.
* **PwnedPasswordsDownloader:** Tool used to acquire potentially compromised password hash data.