What's That Hash - A Hashcat Script
07 Oct 2023TLDR Link
Overview
Hashcat is a very powerful tool that the InfoSec community relies on, especially Offensive Security teams. One difficulty in using Hashcat is figuring out which hash type/mode to use, as there are currently 473 different types supported, and many look very similar to the naked eye.
The tool hashid from psypanda is the default tool used to identify hashes, and is great. You can give it a hash and add the -m flag, and it’ll give you the suspected hash type and the Hashcat mode to use. The downside is it often gives many results, again due to the similarity of hashes.
Here’s an example of Hashed reading a SHA-1 hash:
──(root㉿kali)-[~]
└─# cat testhash | hashid -m
Analyzing 'b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1'
[+] SHA-1 [Hashcat Mode: 100]
[+] Double SHA-1 [Hashcat Mode: 4500]
[+] RIPEMD-160 [Hashcat Mode: 6000]
[+] Haval-160
[+] Tiger-160
[+] HAS-160
[+] LinkedIn [Hashcat Mode: 190]
[+] Skein-256(160)
[+] Skein-512(160)
I know the hash is SHA-1, Mode 100 because I created it, but if I was trying to crack this hash then I have to run multiple possibilities, and what if it’s something new not added to hashid yet? This takes time, adds complexity, and possibly is prone to missing hash cracking if you don’t get the right hash mode from the tool.
If you only have hashes, it’s the best you have to work with, unfortunately, with the only other option being to look at the Hashcat wiki of example hashes. But what if you have a known hash and password? This is very common, from accessing web apps where you have an account and dumping databases, to getting access to leaks online where the attackers provide a sample of cracked passwords to show as evidence.
If you have a plain text password along with a hash, my solution is to run the hash/password against every supported mode in Hashcat and see which modes, if any, crack the password. I’ve created a simple tool to do this called “whatsthathash.sh”. You put your single hash in a file, your single password in a file, and feed it to the script. The script then pulls all supported modes from Hashcat and runs your combination against each mode, telling you if it successfully cracked it or not. This means the script should never go out of date as it’s pulling modes automatically.
Using our same hash from above, which hashid gave multiple supported and non-supported modes for, we can see that whatsthathash.sh identifies the correct hash mode as 100. Running the script takes approximately 4 minutes currently in a virtual machine on an M1 MBP.
└─# ./whatsthathash.sh -t testhash -p testpass
Whats That Hash
Created by Tim Jensen @eapolsniper
-----------------------
473 hash ID's have been found and will be tested
hash is: b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1
Pass is: Password123
Hash cracked with hashtype 100!
A total of 1 hash ID's worked!
Setup
The script has some minor setup. It’s pre-configured to run on Kali Linux, which keeps very up to date versions of Hashcat in the apt repository. As such you can just run hashcat on the command line and it works. The backend hashcat app files are stored in /usr/share/hashcat, and this updates as well when the hashcat version is updated. If you’re using Kali, or some other package-managed version, you can likely download the script and run it without issue.
Lines 15-19 are the configuration options if using repositories, if for some reason you need to change a location this is where to do it:
#If using Hashcat from a package manager: otherwise comment all of these out and uncomment the lines above.
packman=1
hashcatmodloc="/usr/share/hashcat"
hashcatbin="hashcat"
Many professional grade cracking rigs will not use Kali Linux, and will have multiple versions of Hashcat installed, including the possibility of switching between hashcat and oclhashcat. Those using this script in this configuration, you’ll want to comment out lines 17-19 and uncomment lines 11 and 13. Place the hashcat directory in the hashcatloc variable, and the hashcat binfile name in the hashcatbin variable. The bin file is unlikely to change unless you use oclhashcat.
#Hashcat installation location.
hashcatloc="/opt/hashcat-6.2.6"
#BIN name is configurable incase your using OCLHashCat or some other future naming convention
hashcatbin="hashcat.bin"
Making these changes is all you should need to run.
Execution Steps
Download whatsthathash.sh and provide it 2 command line options:”
./whatsthathash.sh -t testhash -p testpass
The test file explains the flags and can be accessed using -h:
┌──(root㉿kali)-[~]
└─# ./whatsthathash.sh -h
Whats That Hash
Created by Tim Jensen @eapolsniper
-----------------------
Whats That Hash
Created by Tim Jensen @eapolsniper
This script tests a known hash/password combo against every hash type, and tells you if Hashcat can crack the hash.
You can then automatically start a hashcat job to crack your hashes
---------------------
-t -- Your test hash (single hash in a file)
-p -- Your known password in a file
Summary
Hopefully, this helps with hash identification!
Happy Hacking,
EapolSniper