Eapolsniper's Blog
01000010 01100101 00100000 01000101 01111000 01100011 01100101 01101100 01101100 01100101 01101110 01110100 00100000 01010100 01101111 00100000 01000101 01100001 01100011 01101000 00100000 01001111 01110100 01101000 01100101 01110010 00000000 00000000 00000000 00000000

What's That Hash - A Hashcat Script

07 Oct 2023

whatsthathash.sh

Overview

Hashcat is a very powerful tool that the InfoSec community relies on, especially Offensive Security teams. One difficulty in using Hashcat is figuring out which hash type/mode to use, as there are currently 473 different types supported, and many look very similar to the naked eye.

The tool hashid from psypanda is the default tool used to identify hashes, and is great. You can give it a hash and add the -m flag, and it’ll give you the suspected hash type and the Hashcat mode to use. The downside is it often gives many results, again due to the similarity of hashes.

Here’s an example of Hashed reading a SHA-1 hash:


──(root㉿kali)-[~]
└─# cat testhash | hashid -m
Analyzing 'b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1'
[+] SHA-1 [Hashcat Mode: 100]
[+] Double SHA-1 [Hashcat Mode: 4500]
[+] RIPEMD-160 [Hashcat Mode: 6000]
[+] Haval-160 
[+] Tiger-160 
[+] HAS-160 
[+] LinkedIn [Hashcat Mode: 190]
[+] Skein-256(160) 
[+] Skein-512(160)

I know the hash is SHA-1, Mode 100 because I created it, but if I was trying to crack this hash then I have to run multiple possibilities, and what if it’s something new not added to hashid yet? This takes time, adds complexity, and possibly is prone to missing hash cracking if you don’t get the right hash mode from the tool.

If you only have hashes, it’s the best you have to work with, unfortunately, with the only other option being to look at the Hashcat wiki of example hashes. But what if you have a known hash and password? This is very common, from accessing web apps where you have an account and dumping databases, to getting access to leaks online where the attackers provide a sample of cracked passwords to show as evidence.

If you have a plain text password along with a hash, my solution is to run the hash/password against every supported mode in Hashcat and see which modes, if any, crack the password. I’ve created a simple tool to do this called “whatsthathash.sh”. You put your single hash in a file, your single password in a file, and feed it to the script. The script then pulls all supported modes from Hashcat and runs your combination against each mode, telling you if it successfully cracked it or not. This means the script should never go out of date as it’s pulling modes automatically.

Using our same hash from above, which hashid gave multiple supported and non-supported modes for, we can see that whatsthathash.sh identifies the correct hash mode as 100. Running the script takes approximately 4 minutes currently in a virtual machine on an M1 MBP.


└─# ./whatsthathash.sh -t testhash -p testpass



Whats That Hash
Created by Tim Jensen @eapolsniper

-----------------------
473 hash ID's have been found and will be tested
hash is: b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1
Pass is: Password123

Hash cracked with hashtype 100!
A total of 1 hash ID's worked!

Setup

The script has some minor setup. It’s pre-configured to run on Kali Linux, which keeps very up to date versions of Hashcat in the apt repository. As such you can just run hashcat on the command line and it works. The backend hashcat app files are stored in /usr/share/hashcat, and this updates as well when the hashcat version is updated. If you’re using Kali, or some other package-managed version, you can likely download the script and run it without issue.

Lines 15-19 are the configuration options if using repositories, if for some reason you need to change a location this is where to do it:


#If using Hashcat from a package manager: otherwise comment all of these out and uncomment the lines above.

packman=1
hashcatmodloc="/usr/share/hashcat"
hashcatbin="hashcat"

Many professional grade cracking rigs will not use Kali Linux, and will have multiple versions of Hashcat installed, including the possibility of switching between hashcat and oclhashcat. Those using this script in this configuration, you’ll want to comment out lines 17-19 and uncomment lines 11 and 13. Place the hashcat directory in the hashcatloc variable, and the hashcat binfile name in the hashcatbin variable. The bin file is unlikely to change unless you use oclhashcat.


#Hashcat installation location.
hashcatloc="/opt/hashcat-6.2.6"
#BIN name is configurable incase your using OCLHashCat or some other future naming convention
hashcatbin="hashcat.bin"

Making these changes is all you should need to run.

Execution Steps

Download whatsthathash.sh and provide it 2 command line options:”

./whatsthathash.sh -t testhash -p testpass

The test file explains the flags and can be accessed using -h:




┌──(root㉿kali)-[~]
└─# ./whatsthathash.sh -h                     



Whats That Hash
Created by Tim Jensen @eapolsniper

-----------------------

Whats That Hash
Created by Tim Jensen @eapolsniper

This script tests a known hash/password combo  against every hash type, and tells you if Hashcat can crack the hash.
You can then automatically start a hashcat job to crack your hashes
---------------------

-t   --  Your test hash (single hash in a file)
-p   --  Your known password in a file

Summary

Hopefully, this helps with hash identification!

Happy Hacking,

EapolSniper

Related posts