THM: Hashing Basics

Solution of the Hashing Basics room

Hash Functions

A hash function deterministically maps data of arbitrary size to a fixed-length fingerprint (hash). Changing a single bit in the input produces a completely different hash (the avalanche effect). Hashes are used for integrity checks, password verification, and many security protocols.

Common hash algorithms & output sizes

  • MD5 — 128 bits (16 bytes). Fast but broken for collision resistance; do not use for security.
  • SHA-1 — 160 bits. Deprecated for many uses because of collision attacks.
  • SHA-256 — 256 bits. Widely used for integrity checks.
  • SHA-512 — 512 bits. For higher security/integrity needs.
  • Bcrypt, Scrypt, Argon2 — password-hashing algorithms: intentionally slow and/or memory-hard to resist brute-force and GPU attacks. Use these for storing passwords.
```bash
hexdump -C file1.txt
00000000  54                                                |T|
00000001

md5sum file1.txt
b9ece18c950afbfa6b0fdbfa4ff731d3  file1.txt

sha1sum file1.txt
c2c53d66948214258a26ca9ca845d7ac0c17f8e7  file1.txt

sha256sum file1.txt
e632b7095b0bf32c260fa4c539e9fd7b852d0de454e9be26f24d0d6f91d069d3  file1.txt
```
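As an added example (not part of the room or of this writeup's original commands), the following Python reproduces what the `md5sum`/`sha1sum`/`sha256sum` calls above do with the standard `hashlib` module, reports each algorithm's output size in bytes, counts the hash-space size for an n-bit output, and measures the avalanche effect by comparing the digests of two inputs that differ in a single bit. The sample input is constructed to match `file1.txt`, which the hexdump shows holds the single byte `T`.

```python
import hashlib

# Constructed sample input: file1.txt in the room contains just the byte "T".
SAMPLE = b"T"

# Output sizes in bits for the algorithms discussed above.
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha256": 256, "sha512": 512}


def fingerprints(data: bytes) -> dict:
    """Return {algorithm: hex digest} for every algorithm in DIGEST_BITS."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGEST_BITS}


def digest_size_bytes(name: str) -> int:
    """Output size in bytes as reported by hashlib (md5 -> 16, sha256 -> 32)."""
    return hashlib.new(name).digest_size


def possible_values(bits: int) -> int:
    """Number of distinct outputs an n-bit hash can produce: 2**n."""
    return 2 ** bits


def avalanche_bits(name: str, a: bytes, b: bytes) -> int:
    """Number of output bits that differ between hash(a) and hash(b).

    For a well-designed hash, flipping one input bit changes roughly half
    of the output bits, so the result should sit near DIGEST_BITS[name] / 2.
    """
    x = int.from_bytes(hashlib.new(name, a).digest(), "big")
    y = int.from_bytes(hashlib.new(name, b).digest(), "big")
    return bin(x ^ y).count("1")


if __name__ == "__main__":
    for name, hexdigest in fingerprints(SAMPLE).items():
        print(f"{name:7} {digest_size_bytes(name):3} bytes  {hexdigest}")
    # "T" (0x54) and "U" (0x55) differ in exactly one bit.
    print("sha256 output bits changed by a one-bit input change:",
          avalanche_bits("sha256", b"T", b"U"))
    print("possible values of an 8-bit hash:", possible_values(8))
```

Running it prints the same MD5/SHA-1/SHA-256 digests as the command-line tools, and the avalanche count for SHA-256 lands around 128 of 256 bits even though only one input bit changed.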

Answer the questions

What is the SHA256 hash of the passport.jpg file in ~/Hashing-Basics/Task-2?
```bash
sha256sum ~/Hashing-Basics/Task-2/passport.jpg
```

Answer: 77148c6f605a8df855f2b764bcc3be749d7db814f5f79134d2aa539a64b61f02

What is the output size in bytes of the MD5 hash function?

Answer: 16

If you have an 8-bit hash output, how many possible hash values are there?
```bash
echo $((2 ** 8))
256
```

Answer: 256


Insecure Password Storage for Authentication

Three insecure practices when it comes to passwords:

  • Storing passwords in plaintext
  • Storing passwords using a deprecated encryption
  • Storing passwords using an insecure hashing algorithm

Answer the questions

What is the 20th password in `rockyou.txt`?

Answer: qwerty


Using Hashing for Secure Password Storage

A rainbow table is a lookup table from hashes to plaintexts, so you can quickly find out what password a user had just from the hash. It trades the time needed to crack a hash for hard disk space, but it takes time to create.

Websites like CrackStation and Hashes.com internally use massive rainbow tables to provide fast password cracking for hashes without salts. Doing a lookup in a sorted list of hashes is quicker than trying to crack the hash.
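The difference between the lookup attack described above and proper password storage, as an added Python example (not the room's material, and not how CrackStation or Hashes.com are implemented): a small hash-to-plaintext table is precomputed from a constructed word list standing in for `rockyou.txt`, and reverses an unsalted MD5 in a single dictionary read. The same password stored with a random salt and a memory-hard function (`hashlib.scrypt`, one of the algorithms recommended in the first task) produces a different value every time, so no precomputed table applies; the scrypt parameters are illustrative.

```python
import hashlib
import hmac
import os

# Constructed mini word list standing in for rockyou.txt.
WORDLIST = ["123456", "password", "qwerty", "tryhackme", "halloween", "spaceman"]

# Illustrative scrypt cost parameters (tune to your hardware and latency budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def build_lookup_table(words, algorithm="md5"):
    """Precompute hash -> plaintext for an unsalted hash, the way a lookup
    service does (a real table holds billions of entries, not six)."""
    return {hashlib.new(algorithm, w.encode()).hexdigest(): w for w in words}


def lookup(table, hex_digest):
    """Reverse a hash by table lookup: no cracking, just a dictionary read."""
    return table.get(hex_digest.lower())


def insecure_store(password: str) -> str:
    """The insecure pattern: fast, unsalted hash. Every user with the same
    password gets the same stored value, and the table above reverses it."""
    return hashlib.md5(password.encode()).hexdigest()


def secure_store(password: str, salt=None):
    """Salted, memory-hard scrypt. Returns (salt, digest); both are stored."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    stored = insecure_store("tryhackme")
    print("unsalted md5:", stored, "->", lookup(table, stored))
    salt, digest = secure_store("tryhackme")
    print("salted scrypt:", digest.hex(), "->", lookup(table, digest.hex()))
    print("verify correct password:", verify("tryhackme", salt, digest))
    print("verify wrong password:  ", verify("halloween", salt, digest))
```

Two things worth noticing when you run it: the unsalted MD5 of a word in the list is reversed instantly, while two calls to `secure_store` with the same password return two different digests, so an attacker would have to redo the slow scrypt computation per user rather than once per word list.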

Answer the questions

Manually check the hash “4c5923b6a6fac7b7355f53bfe2b8f8c1” using the rainbow table above.

Answer: inS3CyourP4$$

Crack the hash “5b31f93c09ad1d065c0491b764d04933” using an online tool.

Answer: tryhackme

Should you encrypt passwords in password-verification systems? Yea/Nay

Answer: Nay


Recognising Password Hashes

The shadow file contains the password information. Each line contains nine fields, separated by colons (`:`). The first two fields are the login name and the encrypted password. More information about the other fields can be found by executing `man 5 shadow` on a Linux system.

The encrypted password field contains the hashed passphrase with four components: prefix (algorithm id), options (parameters), salt, and hash. It is saved in the format $prefix$options$salt$hash. The prefix makes it easy to recognise Unix and Linux-style passwords; it specifies the hashing algorithm used to generate the hash.

Consider the following line from a modern Linux system’s shadow password file.

```bash
sudo grep strategos /etc/shadow
strategos:$y$j9T$76UzfgEM5PnymhQ7TlJey1$/OOSg64dhfF.TigVPdzqiFang6uZA4QA1pzzegKdVm4:19965:0:99999:7:::
```

The fields are separated by colons. The important ones are the username and the hash algorithm, salt, and hash value. The second field has the format $prefix$options$salt$hash.

In the example above, we have four parts separated by $:

  • y indicates the hash algorithm used, yescrypt
  • j9T is a parameter passed to the algorithm
  • 76UzfgEM5PnymhQ7TlJey1 is the salt used
  • /OOSg64dhfF.TigVPdzqiFang6uZA4QA1pzzegKdVm4 is the hash value
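To make the `$prefix$options$salt$hash` layout concrete, here is an added Python parser (my own code, not from the room) that splits a shadow line into its nine fields and breaks the password field into prefix, options, salt and hash. It handles the yescrypt line shown above and also the bcrypt string from the Password Cracking task, where the 22-character salt and 31-character hash are concatenated after the cost rather than `$`-separated. The prefix table maps each algorithm id to its name and, where hashcat supports it, the hashcat mode; yescrypt has no hashcat mode, which is why the room cracks sha512crypt and bcrypt hashes instead.

```python
# Modular Crypt Format prefixes: id -> (algorithm, hashcat mode or None).
PREFIXES = {
    "1":  ("md5crypt", 500),
    "2a": ("bcrypt", 3200),
    "2b": ("bcrypt", 3200),
    "2y": ("bcrypt", 3200),
    "5":  ("sha256crypt", 7400),
    "6":  ("sha512crypt", 1800),
    "y":  ("yescrypt", None),
}

# The line from the room's /etc/shadow example (copied from the walkthrough).
SAMPLE_SHADOW_LINE = ("strategos:$y$j9T$76UzfgEM5PnymhQ7TlJey1$"
                      "/OOSg64dhfF.TigVPdzqiFang6uZA4QA1pzzegKdVm4:19965:0:99999:7:::")


def parse_crypt_hash(value: str) -> dict:
    """Split a $prefix$options$salt$hash string into its components."""
    if value in ("", "!", "*", "!!") or value.startswith("!"):
        # Locked or passwordless account: nothing to parse.
        return {"algorithm": "locked/none", "prefix": "", "options": "",
                "salt": "", "hash": "", "hashcat_mode": None}
    if not value.startswith("$"):
        raise ValueError("not a $prefix$... string (legacy DES crypt?)")
    parts = value.split("$")[1:]
    prefix = parts[0]
    algorithm, mode = PREFIXES.get(prefix, ("unknown", None))
    if algorithm == "bcrypt":
        # $2a$cost$<22-char salt><31-char hash>: salt and hash are joined.
        cost, blob = parts[1], parts[2]
        return {"algorithm": algorithm, "prefix": prefix, "options": cost,
                "salt": blob[:22], "hash": blob[22:], "hashcat_mode": mode}
    if len(parts) == 4:          # $prefix$options$salt$hash (e.g. yescrypt)
        options, salt, digest = parts[1:]
    elif len(parts) == 3:        # $prefix$salt$hash (e.g. $6$ with default rounds)
        options, (salt, digest) = "", parts[1:]
    else:
        raise ValueError(f"unexpected number of $-separated parts: {len(parts)}")
    return {"algorithm": algorithm, "prefix": prefix, "options": options,
            "salt": salt, "hash": digest, "hashcat_mode": mode}


def parse_shadow_line(line: str) -> dict:
    """Split one /etc/shadow line (nine colon-separated fields)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    result = {"user": fields[0], "last_change_days": fields[2]}
    result.update(parse_crypt_hash(fields[1]))
    return result


if __name__ == "__main__":
    for key, val in parse_shadow_line(SAMPLE_SHADOW_LINE).items():
        print(f"{key:17} {val}")
```

Running it on the sample line prints `y` / `j9T` / the salt / the hash, matching the breakdown in the bullets above; feeding it the bcrypt hash from Task 6 reports algorithm `bcrypt`, cost `06` and hashcat mode 3200.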

Answer the questions

What is the hash size in yescrypt?

Answer: 256

What’s the Hash-Mode listed for Cisco-ASA MD5?

Answer: 2410

What hashing algorithm is used in Cisco-IOS if it starts with `$9$`?

Answer: scrypt


Password Cracking

Hashcat uses the following basic syntax: `hashcat -m <hash-type> -a <attack-mode> hashfile wordlist`, where:

  • `-m <hash-type>` specifies the hash type in numeric format. For example, `-m 1000` is for NTLM. Check the official documentation (`man hashcat`) and the example hashes page to find the hash type code to use.
  • `-a <attack-mode>` specifies the attack mode. For example, `-a 0` is for straight, i.e., trying one password from the wordlist after the other.
  • `hashfile` is the file containing the hash you want to crack.
  • `wordlist` is the security word list you want to use in your attack.

Answer the questions

Use `hashcat` to crack the hash, `$2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG`, saved in `~/Hashing-Basics/Task-6/hash1.txt`.
```bash
hashcat -m 3200 -a 0 ~/Hashing-Basics/Task-6/hash1.txt rockyou.txt
```

Answer: 85208520

Use `hashcat` to crack the SHA2-256 hash, `9eb7ee7f551d2f0ac684981bd1f1e2fa4a37590199636753efe614d4db30e8e1`, saved in `~/Hashing-Basics/Task-6/hash2.txt`.
```bash
hashcat -m 1400 -a 0 ~/Hashing-Basics/Task-6/hash2.txt rockyou.txt
```

Answer: halloween

Use `hashcat` to crack the sha512crypt hash saved in `~/Hashing-Basics/Task-6/hash3.txt`.
```bash
hashcat -m 1800 -a 0 ~/Hashing-Basics/Task-6/hash3.txt rockyou.txt
```

Answer: spaceman

Crack the hash, `b6b0d451bbf6fed658659a9e7e5598fe`, saved in `~/Hashing-Basics/Task-6/hash4.txt`.

Answer: funforyou

  • Online lookup tool used: https://crackstation.net/


Hashing for Integrity Checking

HMAC (Keyed-Hash Message Authentication Code) is a type of message authentication code (MAC) that uses a cryptographic hash function in combination with a secret key to verify the authenticity and integrity of data.

The following steps give you a fair idea of how HMAC works.

  1. The secret key is padded to the block size of the hash function.
  2. The padded key is XORed with a constant (usually a block of zeros or ones).
  3. The message is hashed using the hash function with the XORed key.
  4. The result from Step 3 is then hashed again with the same hash function but using the padded key XORed with another constant.
  5. The final output is the HMAC value, typically a fixed-size string.
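The five steps above, carried out in Python as an added example (my own code, not the room's): the key is padded to the hash block size, XORed with the inner constant, prepended to the message and hashed, then the result is hashed again under the key XORed with the outer constant. The two constants are the ones RFC 2104 fixes, `0x36` (ipad) and `0x5c` (opad), and the result is checked against the standard library's `hmac` module. A plain unkeyed checksum function is included for contrast, since the task's `sha256sum` check proves only that the tarball matches a published digest, while HMAC additionally ties the tag to whoever holds the key.

```python
import hashlib
import hmac

IPAD = 0x36   # inner constant from RFC 2104
OPAD = 0x5C   # outer constant from RFC 2104


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC built step by step; hash_name is any hashlib algorithm."""
    block_size = hashlib.new(hash_name).block_size      # 64 bytes for SHA-256
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()      # long keys are hashed first
    key = key.ljust(block_size, b"\x00")                # step 1: pad key to block size
    inner_key = bytes(b ^ IPAD for b in key)            # step 2: XOR with inner constant
    inner = hashlib.new(hash_name, inner_key + message).digest()   # step 3
    outer_key = bytes(b ^ OPAD for b in key)            # step 4: XOR with outer constant
    return hashlib.new(hash_name, outer_key + inner).digest()      # step 4/5: final tag


def verify_hmac(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_from_scratch(key, message, hash_name), tag)


def verify_checksum(data: bytes, expected_hex: str, hash_name: str = "sha256") -> bool:
    """Unkeyed integrity check, like comparing sha256sum output with a published digest."""
    actual = hashlib.new(hash_name, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


if __name__ == "__main__":
    # Constructed sample key and message.
    key, message = b"shared-secret", b"TryHackMe"
    tag = hmac_from_scratch(key, message)
    print("our tag:    ", tag.hex())
    print("hmac module:", hmac.new(key, message, hashlib.sha256).hexdigest())
    print("verify original:", verify_hmac(key, message, tag))
    print("verify tampered:", verify_hmac(key, b"TryHackMf", tag))
```

The from-scratch tag equals `hmac.new(...)` for short and long keys alike, and flipping one byte of the message makes verification fail.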

Answer the questions

What is SHA256 hash of `libgcrypt-1.11.0.tar.bz2` found in `~/Hashing-Basics/Task-7`?
```bash
sha256sum ~/Hashing-Basics/Task-7/libgcrypt-1.11.0.tar.bz2
```

Answer: 09120c9867ce7f2081d6aaa1775386b98c2f2f246135761aae47d81f58685b9c

What’s the hashcat mode number for `HMAC-SHA512 (key = $pass)`?
```bash
hashcat --help | grep -i 'HMAC-SHA512'
```

Answer: 1750


Conclusion

Encoding converts data from one form to another to make it compatible with a specific system. ASCII, UTF-8, UTF-16, UTF-32, ISO-8859-1, and Windows-1252 are valid encoding methods for the English language. Note that UTF-8, UTF-16, and UTF-32 are Unicode encodings, and they can represent characters from other languages, such as Arabic and Japanese.

```bash
echo TryHackMe | base64
VHJ5SGFja01lCg==

echo VHJ5SGFja01lCg== | base64 -d
TryHackMe
```
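Encoding is reversible without any secret, which is what separates it from hashing. The following added Python (my own, not from the room) implements Base64 by hand: every three input bytes become a 24-bit group, which is cut into four 6-bit indexes into the 64-character alphabet, with `=` padding when the last group is short. It reproduces the `base64` output above, including the trailing `Cg==` that comes from the newline `echo` appends, and decodes the Task 8 string; both are checked against the standard `base64` module.

```python
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64encode_manual(data: bytes) -> str:
    """Base64-encode by splitting 3-byte groups into four 6-bit indexes."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                          # 0, 1 or 2 missing bytes
        n = int.from_bytes(chunk + b"\x00" * pad, "big")   # 24-bit group
        sextets = [(n >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        chars = "".join(ALPHABET[s] for s in sextets)
        out.append(chars[:4 - pad] + "=" * pad)       # drop chars, add padding
    return "".join(out)


def b64decode_manual(text: str) -> bytes:
    """Inverse of the above; raises ValueError on characters outside the alphabet."""
    text = text.strip()
    if len(text) % 4:
        raise ValueError("Base64 input length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        n = 0
        for ch in quad:
            n = (n << 6) | (0 if ch == "=" else ALPHABET.index(ch))
        out += n.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: what `echo TryHackMe` feeds to base64 (note the newline).
    sample = b"TryHackMe\n"
    encoded = b64encode_manual(sample)
    print(encoded, "==", base64.b64encode(sample).decode())
    # The Task 8 string from decode-this.txt.
    print(b64decode_manual("RU5jb2RlREVjb2RlCg=="))
```

Because no key is involved anywhere in this code, Base64 offers no confidentiality or integrity: anyone who sees the encoded text can recover the original, which is the point the conclusion makes about encoding versus hashing.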

Answer the questions

Use `base64` to decode `RU5jb2RlREVjb2RlCg==`, saved as `decode-this.txt` in `~/Hashing-Basics/Task-8`. What is the original word?
```bash
base64 -d ~/Hashing-Basics/Task-8/decode-this.txt
```

Answer: ENcodeDEcode