If you want to know how to crack password hashes, then your basics need to be clear regarding how passwords are stored and what exactly are hashes, and their types. Without having an understanding of this, you will not be able to use this hash suite tool for cracking passwords.
Table of contents
- So what is password hashing?
- Download hash suite
- Step 1: Obtain the password hashes
- Step 2: Cracking LM hashes
- Step 3: Crack passwords with word lists
- Step 4: Crack passwords by using common English phrases
- Step 5: Try all other methods for hacking passwords
- Review all the cracked passwords.
- Commonly asked questions about hash suite
So what is password hashing?
Storing usernames and passwords in plain text on devices and servers results in an instant compromise of all passwords. These passwords can be easily cracked and exploited if the password file is compromised.
Operating systems like Windows and Linux apply numerous cryptographic hash functions, which transform the stored password into a complicated hash that cannot be deciphered with naked eyes. These hash functions are one-way. To put it simply, it is not possible to guess a password from its hash. Instead, you have to use the trial and error approach used by the hash suite.
Hash Suite does not “invert” the hashes to obtain the password; instead, it generates different candidate passwords and hashes them. Then these generated hashes are compared with the stored hashes. You can read more about password cracking can be found here.
You might like: Hacking facebook passwords with facebook password extractor.
Download hash suite
The hash suite can be downloaded from here.
Extract the zip file and open the one corresponding to your device version. Mine is 64bit.
The welcome dialogue box will be shown. Click on ok or enter to dismiss it.
Now you have to download the necessary world lists. You can do this, as shown below.
The downloader option has wordlists for downloading.
Step 1: Obtain the password hashes
To crack password hashes, we first need to get them. Normally you obtain these password hashes after exploiting a machine with a remote exploit. More articles regarding the same will be added soon; however, we will be using hashes from the public demo (available from here). These are publicly available hashes of common passwords. You can use them for testing.
Import those hashes, as shown below:
Step 2: Cracking LM hashes
LM hashes are very weak: we can crack ANY valid LM hash password by brute-force (Learn more about LM hashes here).
We start with nothing cracked yet:
|00h:00min||LM: Found 0/3380 0%||NTLM: Found 0/30640 0%|
We will use the Charset key-provider, which is the default option in the hash suite, and a range of password lengths from 0 to 6, which is selected by default.
Now we will start the attack by clicking the start button.
|00h:02min||LM: Found 1663/3380 49%||NTLM: Found 0/30640 0%|
After an hour, all the passwords were cracked, as shown below.
|00h:29min||LM: Found 3380/3380 100%||NTLM: Found 0/30640 0%|
Step 3: Crack passwords with word lists
Use Wordlist with the file Wikipedia-wordlist-sraveau-20090325.txt.bz2.
I recommended downloading these lists at the beginning of the article. We are going to use this list to crack some passwords.
|00h:31min||LM: Found 3380/3380 100%||NTLM: Found 6900/30640 22%|
We will use the Charset key-provider with default options, which are: password length from 0 to 6 with all printable characters.
|00h:33min||LM: Found 3380/3380 100%||NTLM: Found 7707/30640 25%|
Step 4: Crack passwords by using common English phrases
The popularity of passwords based on English phrases has risen quite a lot lately. Hash Suite provides a phrase generator with English words that can also be used to crack passwords.
This obviously takes a long time to process and the entire hack to finish. Have patience. The cracking process will depend on your device’s speed. Do make sure your device is properly cooled, especially if you are using a laptop.
Step 5: Try all other methods for hacking passwords
There are many options that you can use for cracking passwords. We have charset, phrases, wordlist, DB info, keyboard, LM2NT, etc. More will be added with every update. Each method works, as mentioned below.
You can also crack NTLM, MD5, SHA1, SHA256, SHA512, DCC, SSHA, MD5CRYPT, DCC2 WPA-PSK crypt hashes as well. So do take some time to try out the various options on this tool. This password cracking tool has many features, so I cannot review every one of them. So My recommendation is to install and test to know more.
Hash Suite Key-Features for cracking passwords
Hash Suite offers many different ways (named key-providers) to generate passwords:
- Charset: Generates passwords by trying all combinations. Also known as the brute-force attack.
- Wordlist: Generates passwords from a wordlist
- Keyboard: Generates passwords by trying combinations of adjacent keys on a keyboard.
- Phrases: Generates passwords phrases by combining words from a wordlist.
- DB Info: Generates keys taking all usernames/found passwords. Useful with rules enabled.
- LM2NT: Alters the case of characters in cracked LM hash passwords to crack the corresponding NTLM hash passwords instantly.
Review all the cracked passwords.
We can easily review all the broken passwords within the hash suite. We can easily crack many passwords with the hash suite as long as you have a good device and patience to wait for the cracking process to complete. Do note very strong passwords cannot be hacked with this tool, which is the real reason why you should always have a strong password that cannot be easily cracked.
Commonly asked questions about hash suite
Q1. Can you crack any password with this tool?
Technically, yes you can provide the password you want to crack available in a password list, and you have the hashes locally available on your system for hacking. Your device performance will also come into the picture.
Q2. What is the purpose of the HASH suite?
This tool is meant to check your passwords and ensure that they meet the minimum security standards. Companies can use this to audit employee and network passwords to see that they meet the minimum requirements.
Q.3 Can I use this to hack WhatsApp and facebook?
No, you cannot hack WhatsApp and WhatsApp.
Q.4 Is this tool legal to use on anyone?
No, it is not meant for hacking anyone. It is a pentesting tool made by developers with good intentions. These are the same guys who made john the ripper — the famous password cracking tool.