MAC

What is a hash?

- Hashes



So what is a hash, and why do we need to know something about hashes? We need to know about hashes because passwords in databases are most likely hashed. Services use cryptographic hash functions to hash passwords before storing them.

Every password, and every string in general, has its own hash. There can't be two strings which have the same hash. That's why many virus-scanning websites also use hashes for files: people can compare them and check that the file they got is the same one that was scanned, since every hash exists only once. Hashes can NOT be decrypted, but since every string has an individual hash, they can be compared against wordlists. For example, let's say we hash the string 'Hello123' with MD5. The result is: D0AABE9A362CB2712EE90E04810902F3

Now if we check a database and find a user with the same hash, we know their password is Hello123.

- Different types of hashes 

There are several kinds of hashes. Here I'm going to give you info about the most important ones. When stealing databases, the most common hash is MD5. Besides MD5, MD2 and MD4 also exist.

Another very popular hash 'category' is SHA, aka Secure Hash Algorithm. There are many different kinds, from SHA-1 to SHA-512. Less common hash functions are RIPEMD-160, Tiger, HAVAL and Whirlpool.

There are also special hash functions which were created for password hashing. These make the hashing process well suited to preventing brute-force attacks. The functions designed for password hashing are: LM-Hash, PBKDF2, Bcrypt, Scrypt.

- Find type of a certain hash 

If you have a hash and want to find out which type of hash it is, use this website: here

This website will tell you which hash types it could be, making it easier for you to find out the hash type. Most of the time it's the most common hash type from the results you get there.


- Best way to 'decrypt' a single hash 

Since you can't decrypt hashes, you have to compare them with a wordlist / hash database. First of all you have to find out what type your hash is. Once you have found that out, use one of these pages to check whether the hash is available in a wordlist / hash database:

If you want to decrypt an MD5 hash: HERE

If you want to decrypt an MD4 hash: HERE

If you want to decrypt a SHA-1 hash: HERE

If you want to decrypt a SHA-256 hash: HERE

If you want to decrypt a SHA-384 hash: HERE

If you want to decrypt a SHA-512 hash: HERE


- How to 'unhash' whole combos 

Unhashing whole combos is a nice thing to know, since nowadays most likely all databases store passwords hashed. To unhash whole combo files we got from SQLi Dumper, we are going to use the tool hashcat. You can download it for free here. When you have finished downloading it, download a big wordlist, which we are going to use to brute force the hashes. The wordlist contains the most used passwords. Basically, hashcat uses the wordlist to generate hashes, compares them, and replaces each match with the 'unhashed' password. Wordlist sources: here

So once you have downloaded the wordlist, you put your combo in hits.txt (in the HashCat folder) and then you drag your wordlist onto the hashcat application. It will open a CMD window and you can see the hashes getting cracked. You can also launch hashcat with special settings by opening cmd, cd-ing to the folder and typing hashcat64 or hashcat32, followed by -help to see all available options. Other methods to crack combolists are online hash crackers, which use online hash 'decrypt' APIs to compare the hashes. You can use this method too.

Get your (own) combos

About the author

Madiet
