TryHackMe: Complete Beginner

author: Nathan Acks
date: 2021-10-11

Hashing

What is a Hash Function?

Apparently hashes are sometimes represented in base64. I’ve never seen this myself.

The MD5 algorithm outputs a 128-bit (16-byte) hash.

Uses for Hashing

REMINDER: For salting to be effective, the salt needs to be different for each user!

Recognizing Password Hashes

Recognizing hash types from first principles is generally unreliable (which makes sense - for a hash to maximally cover the space allocated by its size, it can’t have any “patterns” to it). Some general notes:

UNIX-style passwords are of the form $format$rounds$salt$hash. Common format parameters:

Both $rounds and $salt are optional (salts are never purely numeric, so it’s easy to tell these apart).

NTLM hashes are an MD4 variant. You can’t tell NTLM from MD4 from MD5 hashes just by looking at them (they’re all the same length). Windows stores passwords in the SAM, split between NT hashes (a.k.a. NTLM, though technically NTLM is the protocol) and LM hashes (an older, much weaker, hash type).

LM hashes are constructed in an absolutely batshit crazy fashion, but NT hashes are just the MD4 hash of the UTF-16-LE encoding of the user password (UTF-16-LE is the little-endian version of UTF-16).

NOTE: 1 hex digit = 4 bits
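
The recognition rules above as an added example (not part of the original notes): it splits a $format$rounds$salt$hash string into its fields and, for bare hex digests, uses 1 hex digit = 4 bits to list the same-length candidates. The prefix table and function names are assumptions of this example, drawn from general knowledge rather than from these notes, and the sample strings are constructed, not real hashes.

```python
import re

# Well-known modular-crypt prefixes (general knowledge, not a list from these notes).
CRYPT_FORMATS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
                 "5": "sha256crypt", "6": "sha512crypt"}

# Unsalted hex digests of the same size cannot be told apart by sight.
HEX_CANDIDATES = {128: ["MD5", "MD4", "NT"], 160: ["SHA-1"],
                  256: ["SHA-256"], 512: ["SHA-512"]}


def parse_crypt(value):
    """Split a $format$rounds$salt$hash string into its fields."""
    fields = value.split("$")[1:]          # text before the first '$' is empty
    if len(fields) < 2:
        raise ValueError("not a $format$...$hash string")
    out = {"format": CRYPT_FORMATS.get(fields[0], "unknown"),
           "rounds": None, "salt": None}
    rest = fields[1:]
    # A purely numeric field (bcrypt cost) or "rounds=N" (sha-crypt) is the
    # rounds field; this relies on salts never being purely numeric.
    if len(rest) > 1 and re.fullmatch(r"(rounds=)?\d+", rest[0]):
        out["rounds"] = int(rest.pop(0).split("=")[-1])
    if out["format"] == "bcrypt" and len(rest) == 1 and len(rest[0]) == 53:
        # bcrypt packs a 22-character salt and 31-character hash into one field.
        rest = [rest[0][:22], rest[0][22:]]
    if len(rest) >= 2:
        out["salt"] = rest[-2]
    out["hash"] = rest[-1]
    return out


def identify(value):
    """Return (kind, details) for a crypt-style string or a bare hex digest."""
    value = value.strip()
    if value.startswith("$"):
        return "crypt", parse_crypt(value)
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        bits = len(value) * 4              # 1 hex digit = 4 bits
        return "hex", {"bits": bits, "candidates": HEX_CANDIDATES.get(bits, [])}
    return "unknown", {}


if __name__ == "__main__":
    # Constructed sample strings, not real password hashes.
    for sample in ("$6$rounds=5000$examplesalt$EXAMPLEHASH", "0" * 32):
        print(sample, "->", identify(sample))
```

A 128-bit hex digest comes back with three candidates, which is the ambiguity described above: length alone cannot separate MD5, MD4 and NT.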

Password Cracking

Bcrypt is designed to take approximately the same amount of time when hashed on a CPU vs. a GPU, which is one reason it’s considered more resistant to cracking.

Hashcat command line:

hashcat -m $TYPE -O $HASHFILE $WORDLIST

Here $TYPE is the hash type (check man hashcat), and -O requests that hashcat use an optimized kernel (faster, but limited in the password length that can be cracked).

Some values of -m:

Passwords are output as HASH:PLAINTEXT tuples.

A “token length exception” means that the provided hash format is of the wrong length (probably because an additional character got accidentally added).