Hashing - Crypto 101

-

 Hashing - Crypto 101

- Plaintext - Data before encryption or hashing, often text but not always as it could be a photograph or other file instead.

- Encoding - This is NOT a form of encryption, just a form of data representation like base64 or hexadecimal. Immediately reversible.

- Hash - A hash is the output of a hash function. Hashing can also be used as a verb, "to hash", meaning to produce the hash value of some data.

- Brute force - Attacking cryptography by trying every different password or every different key

- Cryptanalysis - Attacking cryptography by finding a weakness in the underlying maths

------------------------------------------------------------------------

What is a hash function?

------------------------------------------------------------------------

Hash functions are different from encryption. There is no key, and it's meant to be impossible or very difficult to go from the output back to the input.

A hash function takes some input data of any size, and creates a summary or "digest" of that data. 

The output is a fixed size. It's hard to predict what the output will be for any input and vice versa. 

Good hashing algorithms will be relatively fast to compute and slow to reverse(Going from the output and determine the input)

Any small change in the input data, even a single bit, should cause a large change in the output.

Hashing is used very often in cybersecurity. we interact indirectly with hashing more than we would think. any log on into a website, a hash used to verify your password. Same when logging in into your personal computer.

------------------------------------------------------------------------

What is a hash collision?

------------------------------------------------------------------------

A hash collision is when two different inputs give the same output.

Hash functions are designed to avoid this as best as they can, especially being able to engineer a collision, by intentionally creating. 

Due to the pigeonhole effect, collisions are not avoidable.

The pigeonhole effect is basically, there are ta set number of different output values for the hash function, but you can give it any size input. as There are more input than outputs, some of the inputs must give the same output. if you have 128 pigeons and 96 pigeonholes, some of the pigeons are going to have to share.

MD5 and SHA1 have been attacked, and made technically insecure due to engineering hash collisions. 

However, no attack has yet given a collision in both algorithms at the same time so if you use the MD5 hash AND the SHA1 hash to compare, you will see they’re different. The MD5 collision example is available from https://www.mscs.dal.ca/~selinger/md5collision/ and details of the SHA1 Collision are available from https://shattered.io/. Due to these, you shouldn't trust either algorithm for hashing passwords or data.

------------------------------------------------------------------------

Hashing is used for 2 main purposes in Cyber Security. To verify integrity of data (More on that later), or for verifying passwords.

You can't encrypt the passwords, as the key has to be stored somewhere. If someone gets the key, they can just decrypt the passwords.

A rainbow table is a lookup table of hashes to plaintexts, so you can quickly find out what password a user had just from the hash. A rainbow table trades time taken to crack a hash for hard disk space, but they do take time to create.

example of rainbow table: 

-------------------------------------------------------

| Hash | Password      |

------------------------------------------------------|

| 02c75fb22c75b23dc963c7eb91a062cc | zxcvbnm       |

| b0baee9d279d34fa1dfd71aadb908c3f | 11111         |

| c44a471bd78cc6c2fea32b9fe028d30a | asdfghjkl     |

| d0199f51d2728db6011945145a1b607a | basketball    |

| dcddb75469b4b4875094e14561e573d8 | 000000        |

| e10adc3949ba59abbe56e057f20f883e  |   123456   |

| e19d5cd5af0378da05f63f891c7467af | abcd1234      |

| e99a18c428cb38d5f260853678922e03 | abc123        |

| fcea920f7412b5da7be0cf42b8c93759 | 1234567       |

-------------------------------------------------------

Websites like Crackstation internally use HUGE rainbow tables to provide fast password cracking for hashes without salts. Doing a lookup in a sorted list of hashes is really quite fast, much much faster than trying to crack the hash.

-------------------------------------

Protecting against rainbow tables

--------------------------------------

To protect against rainbow tables, we add a salt to the passwords. The salt is randomly generated and stored in the database, unique to each user. In theory, you could use the same salt for all users but that means that duplicate passwords would still have the same hash, and a rainbow table could still be created specific passwords with that salt.

The salt is added to either the start or the end of the password before it’s hashed, and this means that every user will have a different password hash even if they have the same password. Hash functions like bcrypt and sha512crypt handle this automatically. Salts don’t need to be kept private

-------------------------------------

Recognising password hashes

-------------------------------------

- Automated hash recognition tools such as https://pypi.org/project/hashID/ exist, but they are unreliable for many formats.

- For hashes that have a prefix, the tools are reliable. Use a healthy combination of context and tools.  

- If you found the hash in a web application database, it's more likely to be md5 than NTLM. 

- Automated hash recognition tools often get these hash types mixed up, which highlights the importance of learning yourself.

-----------------------------------------------------------------------------------------

- Unix style password hashes are very easy to recognise, as they have a prefix. 

- The prefix tells you the hashing algorithm used to generate the hash. The standard format is '$format$rounds$salt$hash'

- Windows passwords are hashed using NTLM, which is a variant of md4. They're visually identical to md4 and md5 hashes, so it's very important to use context to work out the hash type.

- On Linux, password hashes are stored in /etc/shadow. This file is normally only readable by root. They used to be stored in /etc/passwd, and were readable by everyone.

- On Windows, password hashes are stored in the SAM. Windows tries to prevent normal users from dumping them, but tools like mimikatz exist for this. Importantly, the hashes found there are split into NT hashes and LM hashes.


quick table of the most Unix style password prefixes:

--------------------------------------------------------------------------------------------------------------

| Prefix   algorithms      |

--------------------------------------------------------------------------------------------------------------

| $1$            md5crypt, used in Cisco stuff and older Linux/Unix systems|

--------------------------------------------------------------------------------------------------------------

| $2$, $2a$, $2b$, $2x$, $2y$ Bcrypt (Popular for web applications)              |

--------------------------------------------------------------------------------------------------------------

| $6$                sha512crypt (Default for most Linux/Unix systems)  |

--------------------------------------------------------------------------------------------------------------


A great place to find more hash formats and password prefixes is the hashcat example page, available here: https://hashcat.net/wiki/doku.php?id=example_hashes.


*For other hash types, you'll normally need to go by length, encoding or some research into the application that generated them. Never underestimate the power of research.


How many rounds does sha512crypt ($6$) use by default: 5000

How long is a Windows NTLM hash, in characters: 32

-------------------------------------------------------

Password Cracking

-------------------------------------------------------

You can't "decrypt" password hashes. They're not encrypted. You have to crack the hashes by hashing a large number of different inputs (often rockyou, these are the possible passwords), potentially adding the salt if there is one and comparing it to the target hash. Once it matches, you know what the password was. Tools like Hashcat and John the Ripper are normally used for this.

-------------------------------------------------------

Why crack on GPUs?

--------------------------------------------------------

Graphics cards have thousands of cores. Although they can’t do the same sort of work that a CPU can, they are very good at some of the maths involved in hash functions.

- This means you can use a graphics card to crack most hash types much more quickly.

- Some hashing algorithms, notably bcrypt, are designed so that hashing on a GPU is about the same speed as hashing on a CPU which helps them resist cracking.

-------------------------------------------------------

Cracking on VMs?

-------------------------------------------------------

- It’s worth mentioning that virtual machines normally don’t have access to the host's graphics card. IT can be setted up but it requires a lot of work.

- if we wan to run hashcat, it s best to run it on windows with a graphic card

- John the ripper uses CPU by default and as such, works in a VM out of the box although you may get better speeds running it on the host OS as it will have more threads and no overhead from running in a VM.

N.B.: never used --force for hashcat: It can lead to false positives (wrong passwords being given to you) and false negatives. As of Kali 2020.2, hashcat 6.0 will run on the CPU without --force. But still ctacking on windows with hashcat is much faster

------------------------------------------------------------------------------------------------------------

Hashing for integrity checking

------------------------------------------------------------------------------------------------------------

Integrity Checking

-------------------------------------------------------

Hashing can be used to check that files haven't been changed. If you put the same data in, you always get the same data out. 

If even a single bit changes, the hash will change a lot. This means you can use it to check that files haven't been modified or to make sure that they have downloaded correctly. 

You can also use hashing to find duplicate files, if two pictures have the same hash then they are the same picture.

------------------------------------------------------------------------------------------------------

HMACs

-------------

HMAC is a method of using a cryptographic hashing function to verify the authenticity and integrity of data. 

The TryHackMe VPN uses HMAC-SHA512 for message authentication, which you can see in the terminal output. 

A HMAC can be used to ensure that the person who created the HMAC is who they say they are (authenticity), and that the message hasn’t been modified or corrupted (integrity). They use a secret key, and a hashing algorithm in order to produce a hash

-----------------------------------------------------------------------------------------------------------------------------

Thanks for reading. 

Roger - Ozz961

Comments

Post a Comment

Popular posts from this blog

Common Network Commands: Ping

-
Ping Command Overview The `ping` command is a fundamental utility used in network diagnostics. It checks the reachability of a host on an Internet Protocol (IP) network and measures the round-trip time for messages sent from the originating host to a destination computer. The command uses the Internet Control Message Protocol (ICMP) to send echo request packets and listens for echo replies. Origin and Development The `ping` command was developed in 1983 by Mike Muuss as a diagnostic tool for the ARPANET. Since then, it has become a standard utility available on most operating systems, including Linux, Windows, and macOS, making it an essential tool for network administrators and users. Basic Functionality The `ping` command serves several functions: - Tests connectivity to a specified host. - Measures the time taken for packets to travel to the destination and back. - Provides statistics about packet loss and round-trip time. Key Command Syntax 1. Basic Syntax:    ```    ping [options]
Read more

Common Network Commands: Route

-
Route Command Overview The route command is a part of the older net-tools package used in Linux systems for viewing and manipulating the IP routing table. It provides information about how packets are routed through the network and allows for the addition, deletion, and modification of routes. Origin and Development Historically, the route command has been a primary tool for managing network routing in Linux. However, it has largely been replaced by the ip command from the iproute2 package, which offers more advanced features and capabilities. Despite this, route is still commonly used in many Linux distributions for its simplicity and familiarity. Basic Functionality The route command serves several functions: - Displays the current routing table entries. - Shows destination networks, gateways, and associated interfaces. - Allows for the addition, deletion, and modification of routes. Key Command Syntax 1. Display Routing Table:    ```    route -n    ```    The -n option prevents DNS
Read more

John The Ripper

-
John the Ripper  Is one of the most well known, well-loved and versatile hash cracking tools out there. It combines a fast cracking speed, with an extraordinary range of compatible hash types. This room will assume no previous knowledge, so we must first cover some basic terms and concepts before we move into practical hash cracking. A hash is a way of taking a piece of data of any length and  representing it in another form that is a fixed length. This masks the original value of the data. This is done by running the original data through a hashing algorithm. There are many popular hashing algorithms, such as MD4,MD5, SHA1 and NTLM. Lets try and show this with an example: If we take "polo", a string of 4 characters- and run it through an MD5 hashing algorithm, we end up with an output of: b53759f3ce692de7aff1b5779d3964da a standard 32 character MD5 hash. Likewise, if we take "polomints", a string of 9 characters- and run it through the same MD5 hashing algorithm, w
Read more