Hashing is an algorithm that generates a fixed-length string from an input.
Cryptography is the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents. The term is derived from the Greek word kryptos, which means hidden.
There are many different hash algorithms with different properties, for example, SHA-256.
You can use openssl to generate a SHA-256 hash:
echo -n 'secret' | openssl dgst -sha256
The output is the hash:
2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b
Hashes have a special property: they are easy to compute but difficult to reverse: given the hash above, it difficult to find its origin, “secret”.
This makes hashes a good method to verify passwords: Rather than storing the password itself and risking it being stolen, you store the password’s hash and when a user provides a password, you compute its hash and compare it to the stored value, if they match it means that the user entered the correct password.
Cracking a cryptographic SHA-256 Hash
But hashes can be reversed using methods such as dictionary attacks which compares the given hash to the hashes of common words from a dictionary or brute-force which computes the hash of many different combinations of characters until it finds one that matches the given hash. This is, of course, not very efficient, but, with enough compute power and time, it often works.
Let’s see an example:
Suppose you were given the hash above and you want to find its origin. To do that, you can utilize a tool called hashcat.
First you need to install it. I used the following steps to install it on macOS Catalina (requires git and make which you can get with brew):
git clone https://github.com/hashcat/hashcat.git
mkdir -p hashcat/deps
git clone https://github.com/KhronosGroup/OpenCL-Headers.git hashcat/deps/OpenCL
cd hashcat/ && make install
Next you need to find the identifier (Hash mode or Hash-type) of your hash algorithm. For SHA-256 it’s 1400. You can see all codes on this page (or with hashcat –help).
Now run a brute-force attack:
hashcat -m 1400 -a 3 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b
And after a short while, you should get:
2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b:secretSession..........: hashcat
Status...........: Cracked
Hash.Name........: SHA2-256
Hash.Target......: 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25...27a25b
Time.Started.....: Tue Sep 22 15:11:41 2020 (10 secs)
Time.Estimated...: Tue Sep 22 15:11:51 2020 (0 secs)
Guess.Mask.......: ?1?2?2?2?2?2 [6]Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 6/15 (40.00%)
Speed.#1.........: 55535.2 kH/s (6.90ms) @ Accel:256 Loops:128 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 521502720/3748902912 (13.91%)
Rejected.........: 0/521502720 (0.00%)
Restore.Point....: 233472/1679616 (13.90%)
Restore.Sub.#1...: Salt:0 Amplifier:0-128 Iteration:0-128
Candidates.#1....: sacers -> co9ishStarted: Tue Sep 22 15:11:35 2020
Stopped: Tue Sep 22 15:11:51 2020
You can see that the status is “Cracked” and the original “secret” just above that.
Cracking an HMAC SHA-256 Hash
Let’s try a slightly more advanced example. This time we will use a different hash algorithm called HMAC-SHA-256 which requires not only the input string but also another secret key.
First, let’s generate the hash of ‘Lucy in the sky of diamonds’ with a secret key ‘secret’:
echo -n 'Lucy in the sky of diamonds' | openssl dgst -sha256 -hmac 'secret'
This will generate the hash:
116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443f9d8d3e5668b5
Now let’s try to reverse it. The Hash mode of HMAC-SHA-256 is 1450. We pass a string comprising the hash and the original text separated by a colon:
hashcat -m 1450 -a 3 "116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443f9d8d3e5668b5:Lucy in the sky of diamonds"
After a minute or so, you should get the result which is the secret key “secret”:
116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443f9d8d3e5668b5:Lucy in the sky of diamonds:secretSession..........: hashcat
Status...........: Cracked
Hash.Name........: HMAC-SHA256 (key = $pass)
Hash.Target......: 116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443...amonds
Time.Started.....: Tue Sep 22 15:48:15 2020 (41 secs)
Time.Estimated...: Tue Sep 22 15:48:56 2020 (0 secs)
Guess.Mask.......: ?1?2?2?2?2?2 [6]Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 6/15 (40.00%)
Speed.#1.........: 12328.6 kH/s (7.00ms) @ Accel:64 Loops:128 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 521207808/3748902912 (13.90%)
Rejected.........: 0/521207808 (0.00%)
Restore.Point....: 233472/1679616 (13.90%)
Restore.Sub.#1...: Salt:0 Amplifier:0-128 Iteration:0-128
Candidates.#1....: sacers -> co9ontStarted: Tue Sep 22 15:48:03 2020
Stopped: Tue Sep 22 15:48:56 2020
A few more advanced tricks with hashcat
- You can crack multiple hashes by putting them in a file and running:
hashcat -m 1450 -a 3 hash-list.txt
Each line in the file should be in the form of “hash” for SHA-256 or “hash:original text” for HMAC-SHA-256.
2. You can use custom character sets and patterns, for example this command searches for secrets with six lowercase letters only:
hashcat -m 1450 -a 3 -1 abcdefghijklmnopqrstuvwxyz "116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443f9d8d3e5668b5:Lucy in the sky of diamonds" "?1?1?1?1?1?1"
3. After successfully cracking a hash, hashcat stores it in ~/.hashcat/hashcat.potfile. If you want to run the same crack again, you need to remove the result from this file, otherwise hashcat will simply return the cached result.
Finally, let’s talk about Security
First of all, a mandatory word of caution: don’t use this maliciously!
Now how can you protect against malicious attackers:
- As a security architect, use an up-to-date and strong hash algorithm with a salt and a strong secret (see detailed explanation). But the best is to use multi-factor-authentication or biometrics so you don’t rely on a password only.
- As a user, use long passwords with digits and special characters, store them in a password manager, and don’t trust the application you are connecting to (don’t share passwords between different accounts).
Related Sites
- Wolfram Alpha provides a nice tool to check password strength
- Online password hash cracker: https://crackstation.net
Read More from us
DALL.E 2: To infinity and beyond sentence-to-image generations.
Since the dawn of the computers humans have theorized about a kind of human like intelligence developed form a computer who would dominate the human race, well that was the theory in practice artificial intelligence is a simulation of human intelligence by machines done with the help of vast amount of data which is used…
How to Know if Your Phone is Under A Malicious Control
Summary: In this article, we’ll learn, how to tell that your phone’s been hacked. If your phone is hacked, you’ll notice, that your battery draining a lot faster, your phone’s performance rate has gone down, too much of your data is being consumed, and you’re getting a bit too many calls and messages from unknown…
Chatbot Issues : Secure Your Chats
Chatbot are the thing that act as bridge between user to user or user to a organization for communication. When face to face interaction is not possible we use our technology to communicate with others. Auto technology of speech recognition like Alexa and Siri are used for response. Now we are using chatbots for communicating…