Interested in password cracking or cryptography? Check this out. HashTag.py is a tool written in python which parses and identifies various password hashes based on their type. HashTag was inspired by attending PasswordsCon 13 in Las Vegas, KoreLogic's 'Crack Me If You Can' competition at Defcon, and the research of iphelix and his toolkit PACK (password analysis and cracking kit). HashTag supports the identification of over 250 hash types along with matching them to over 110 hashcat modes. HashTag is able to identify a single hash, parse a single file and identify the hashes within it, or traverse a root directory and all subdirectories for potential hash files and identify any hashes found.
Click here to download source code or access it online at OnlineHashCrack
One of the biggest aspects of this tool is the identification of password hashes. The main attributes I used to distinguish between hash types are character set (hexadecimal, alphanumeric, etc.), hash length, hash format (e.g. 32 character hash followed by a colon and a salt), and any specific substrings (e.g. '$1$'). A lot of password hash strings can't be identified as one specific hash type based on these attributes. For example, MD5 and NTLM hashes are both 32 character hexadecimal strings. In these cases I make an exhaustive list of possible types and have the tool output reflect that. During development I created an excel spreadsheet which contains much of the hash information which can be found here or here.
Usage:
HashTag.py {-sh hash |-f file |-d directory} [-o output_filename] [-hc] [-n]
Note: When identifying a single hash on *nix operating systems, remember to use single quotes to prevent interpolation. (e.g. python HashTag.py -sh '$1$abc$12345')
-h, --help | show this help message and exit |
-sh SINGLEHASH, --singleHash SINGLEHASH | Identify a single hash |
-f FILE, --file FILE | Parse a single file for hashes and identify them |
-d DIRECTORY, --directory DIRECTORY | Parse, identify, and categorize hashes within a directory and all subdirectories |
-o OUTPUT, --output OUTPUT | Filename to output full list of all identified hashes --file default filename: HashTag/HashTag_Output_File.txt --directory default filename: HashTag/HashTag_Hash_File.txt |
-hc, --hashcatOutput | --file: Output a file per different hash type found, if corresponding hashcat mode exists --directory: Appends hashcat mode to end of separate files |
-n, --notFound | --file: Include unidentifiable hashes in the output file. Good for tool debugging (Is it Identifying properly?) |
Identify a single hash (-sh):
HashTag.py -sh $1$MtCReiOj$zvOdxVzPtrQ.PXNW3hTHI0
HashTag.py -sh 7026360f1826f8bc
HashTag.py -sh 3b1015ccf38fc2a32c18674c166fa447
Parsing and identifying hashes from a file (-f):
HashTag.py -f testdir\street-hashes.10.txt -hc
Here is the output file. Each identified hash outputs the hash, char length, hashcat modes (if found) , and possible hash types:
Using the -hc/--hashcat argument we get a file for each hash type if a corresponding hashcat mode is found. This makes the process of cracking hashes with hashcat much easier as you immediately have the mode and input file of hashes:
Output from a file with many different hash types (the filenames are hashcat modes and inside are all hashes of that type):
Traversing Directories and Identifying Hashes (-d):
HashTag.py -d ./testdir -hc
The output consists of three main things:
- Folders containing copies of potentially password protected files. This makes it easy to group files based on extension and attempt to crack them.
- HashTag default files - A listing of all hashes, password protected files the tool doesn't recognize, and hashes the tool can't identify (good for tool debugging).
- Files for each identified hash type - each file contains a list of hashes. The -hc/--hashcat argument will append the hashcat mode (if found) to the filename.
Resources: Quite a bit of research went into the difference between password hash types. During this research I found a script called Hash Identifier which was actually included in one of the Backtrack versions. After looking it over I feel my tool has a lot more functionality, efficiency, and accuracy. My other research ranged from finding different hash examples to generating my own hashes via the passlib module. I would like to give credit to the following resources which all had some impact in the creation of this tool.
http://wiki.insidepro.com/index.php/Main_Pagehttps://hashcat.net/wiki/
http://openwall.info/wiki/john/
http://pythonhosted.org/passlib/index.html
As always, if you see any coding errors, false assumptions (hash identification), or have constructive criticism please contact me. Hope you like it!
#!/usr/bin/python is very much wrong: python almost never exists in /usr/bin and usually exists in /usr/local/bin.
ReplyDelete#!/usr/bin/env python is better. This assumes it functions with python 2 both 2 and 3. For just python 3 use #!/usr/bin/env python3
this comment is very much wrong. modern linux distributions started aggregating binaries in /usr/bin.
Delete$> which python
/usr/bin/python
however the env method should be considered.
Just to nitpick - see the first image; he's running this on WinX in cmd.exe which means the shebang path is ignored, though python will read any shebang line flags/parameters that are set.
Deletethis guy goes out of his way to write this and you bitch about his first line of code...fuck you bob.
ReplyDeleteAwesome job btw I hate having to remember hash cats syntax
In the your first case study, there is an error as following...
ReplyDeleteMacBook-Air:hashtag v0n$ python HashTag.py -sh $1$MtCReiOj$zvOdxVzPtrQ.PXNW3hTHI0
Hash not found: .PXNW3hTHI0
MacBook-Air:hashtag v0n$
I was unable to reproduce any errors using that hash:
Deletehttp://drive.google.com/uc?export=view&id=0B0TzWBRmg5pWWFQyemZGUldYVFk
thk for the script !
Deletebut i have the same error with cygwin :
xx@yy ~$ python
Python 2.7.5 (default, Oct 2 2013, 22:34:09)
[GCC 4.8.1] on cygwin
Type "help", "copyright", "credits" or "license" for more information.
>>>
[1]+ Stopped python
xx@yy ~$ python HashTag.py -sh $1$MtCReiOj$zvOdxVzPtrQ.PXNW3hTHI0
Hash not found: .PXNW3hTHI0
Thanks for the feedback. This only occurs on linux systems depending on the input. Just use single uninterpolated single quotes around the hash.
DeleteExample:
python HashTag.py -sh '$1$MtCReiOj$zvOdxVzPtrQ.PXNW3hTHI0'
https://drive.google.com/uc?export=view&id=0B0TzWBRmg5pWOWo3c3daRFBjY3c
thank you ! it's perfect with single quotes
Delete:)
Thanks for creating this and sharing! Very useful :)
ReplyDeleteThis is awesome. Thanks for taking the time.
ReplyDeleteThanks For Sharing :)
ReplyDeleteIt seems the sooner some jerkoff with aspergers makes a comment on semantics, the better the tools is, so I have high hopes! Thanks for taking the time to make this and put it out there.
ReplyDelete