Cracking Hashes/How-To's And What-Nots

1. Intro

I've seen a few requests for people to crack hashes, and some people aren't doing it right: just leaving a hash is not enough to help us help you.
This tutorial will walk through the basics and try to help you out in your future of hashing.

2. Hashes

It is common practice for most web programmers to secure passwords by storing the encrypted value of the password in a database, because if they don't they risk a major security flaw which can harm their customers and themselves.

Hashes are also known as Cryptography, in a way.
Some hashes can be decoded by design, while others you need to brute force.
An example of encryption that allows decoding is Base64.

2.1 Need-To-Know's about Hashes

Widely used Hash Types include:

MD5 | SHA-1 | SHA-2

This means these 3 are the ones you need to be looking into when you grab a hash.

Type  | Word Size | Collision
MD5   | 32        | Yes
SHA-1 | 32        | Yes
SHA-2 | 64        | No

2.1.1 Hash Collisions

From the graph I made above you can see MD5 and SHA-1 have hash collisions. This means that more than 1 value can produce the same hash value.

This is common sense, seeing as MD5 and SHA-1 are both 32 characters long and there is a limit to how many 32-character strings you can make; it isn't infinite. So there ought to be a collision at some point.


H(a) = H(b), where a and b are different inputs and H represents the hash function.

3. Hash Decrypt Sites

Many sites host services where you can MD5-encode whatever you want, but at the same time the service saves both values for later.
So be aware that when you use these services, your MD5 input and output will be saved in their database for their "md5 decode" service.

A list of Hash Decrypt Sites you can use.

- (457,354,352,282)
- (MD5 Search engine by searches a total of 14 on-line crackers.)
- (5,889,729)
- (The database is approximately 70gb)
- (56,502,235)
- (3,251,106)
- (306.000.000.000)
- (Milw0rm Cracker db)
- (2,456,288)
- ( The data base currently contains 169582 passwords )
- (Need Account)
- (Register to increase your priority)

4. Brute Forcing

Most secure CMSs (Content Management Systems) use salts and different algorithms.
Some examples:

Common: md5($password);
PHP-Fusion: md5(md5($password));
vBulletin: md5(md5($password).$salt);
MyBB: md5(md5($salt).$password);

Knowing the hash + hash algorithm is needed when requesting help on cracking a hash.
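
The four constructions above, transcribed into Python as an added example (not code from the original post): it shows which of them store the same digest for two users who pick the same password, which is why the lookup sites in section 3 work against unsalted hashes, and puts a salted, slow PBKDF2 record beside them as the form a site should store instead. The sample password, the salts and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os


def md5_hex(data):
    """PHP's md5() returns lowercase hex; nested calls hash that hex string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


# The four constructions as the page lists them; salt is ignored where unused.
SCHEMES = {
    "Common":     lambda pw, salt: md5_hex(pw),
    "PHP-Fusion": lambda pw, salt: md5_hex(md5_hex(pw)),
    "vBulletin":  lambda pw, salt: md5_hex(md5_hex(pw) + salt),
    "MyBB":       lambda pw, salt: md5_hex(md5_hex(salt) + pw),
}


def shared_digest_schemes(password, salt_a, salt_b):
    """Schemes where two users with the same password store the same digest."""
    return [name for name, fn in SCHEMES.items()
            if fn(password, salt_a) == fn(password, salt_b)]


def pbkdf2_store(password, iterations=600_000):
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, dk


def pbkdf2_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    pw = "example-password"  # constructed sample value, as are the salts below
    for name, fn in SCHEMES.items():
        print(f"{name:10} {fn(pw, 'a1B')}")
    print("same digest for two users:", shared_digest_schemes(pw, "a1B", "z9Y"))
    rec = pbkdf2_store(pw)
    print("pbkdf2 verify:", pbkdf2_verify(pw, rec), pbkdf2_verify("wrong", rec))
```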

Recommended Brute Forcing Programs

HashCat = Linux
HashCat GUI = Windows.

4.1 WordLists

To brute force passwords, it's common sense that you need a list of words.
How large a list you use depends on the size of your CPU and on how much space you want to use.
You can look at all the different word lists here

OR Download the wordlists I used in the HashCat video above.
NamesNumbers - 4MB - 4000800 Wo

Really useful list: it provides the top 200 popular male and female names followed by numbers.

28GB Wordlist - 28GB - 4103549326 Words

I opened this up and it looked pretty useless, as well as a waste of time to look through. Around 28GB of just 6-7 character strings with special characters, letters, and numbers, like ()D@WFOWI.

wordlist1 - 107MB - 9657365 Words

This file contains a lot of number combinations as well as common passwords. This has gotten me a few cracks in the past.

UrbanDictionarySlangA-Z - 26KB - 3087 Words

I took the time to copy and paste the top popular A-Z Urban Dictionary words, because some people use slang terms like friend and cumdumpster as a password.

Other 126GB word-list

Thank you (zer0wr0m)

Published By : Zer0w0rm ~ Zer0w0rm


