
Cracking hashes with Kali: hashidentifier, hashid, findmyhash

Hello aspiring hackers. In many hacking scenarios, we encounter hashes. For newbies who have no idea what hashes are, they are encrypted text (literally, we can’t call it text). Normally they are used to encrypt passwords for website users, operating system users, etc. Today our tutorial is about cracking hashes.

For this howto, we will use NewsP Free News Script 1.4.7, which had a credential disclosure vulnerability as shown below. Imagine we got the username and password hash as shown below. The only thing that stops me from accessing the website is that the password is in encrypted format.

The first step in cracking hashes is to identify the type of hash we are cracking. Kali Linux has an inbuilt tool for this, called hash-identifier. Open a terminal and type the command hash-identifier.

Enter the hash we need to crack as shown above and hit ENTER. It will show the possible hash type as shown below. In our case, it is MD5 or a variant of it.

We can also use another tool, hashid, for a similar purpose. Its syntax is as shown below.

We now know what the type of hash is, so it’s time to crack it. We will use a tool called ‘findmyhash’. To use this tool, we need to specify the hash type (which we already know) and the hash after it as shown below. This tool tries to crack the hash by using various online hash crackers.

After successfully cracking the hash, it displays the corresponding password as shown below. In our case, the password is admin.
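The following is an added example, not part of the original post or of any of the tools named above. It shows why a bare 32-character hex digest can only be narrowed to "MD5 or a variant", why an unsalted MD5 of a common password falls to a precomputed lookup, and what a salted, iterated storage format looks like by comparison. The function names, the three-word list and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

# Hex digest length -> algorithms producing that length (illustrative, not exhaustive).
CANDIDATES = {
    32: ["MD5", "MD4", "NTLM"],
    40: ["SHA-1", "RIPEMD-160"],
    64: ["SHA-256", "SHA3-256"],
    128: ["SHA-512", "SHA3-512"],
}

def identify(hash_text):
    """Return candidate algorithms for a bare hex digest, judged by length alone."""
    h = hash_text.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h):
        return []  # not plain hex: salted/encoded formats need other rules
    return CANDIDATES.get(len(h), [])

def build_lookup(words):
    """Precompute unsalted MD5 digests for a word list (the lookup-site model)."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}

def store_password(password, iterations=600_000):
    """Hardened storage: random per-user salt plus iterated PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    # Constructed sample: unsalted MD5 of the password the tutorial recovers.
    weak = hashlib.md5(b"admin").hexdigest()
    table = build_lookup(["password", "admin", "letmein"])
    print(identify(weak))            # length alone cannot separate MD5 from MD4/NTLM
    print(table.get(weak))           # unsalted digest is found by a dictionary lookup
    record = store_password("admin")
    print(record[2].hex() in table)  # salted, iterated digest matches no table entry
    print(verify_password("admin", record))
```
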

6 thoughts on “Cracking hashes with Kali: hashidentifier, hashid, findmyhash”

  1. Nice article. Does “findmyhash” use rainbow tables or a brute force attack in the background?

    1. Thanks Waqar afridi and sorry for the delay in the reply. Findmyhash connects to the online hash cracking websites to crack a hash. Most of these online hash crackers use rainbow tables to crack a hash.

      1. I am unable to crack a SHA-256 hash using findmyhash. Is there any other way to crack it?

        1. Technically speaking, SHA-256 is unbreakable, at least till now. SHA-256 is one of the strongest hash functions available. It has not yet been compromised in any way until now. This produces a 256 bit key as output which is irreversible.

          1. Probably hashcat does some magic there… not entirely sure, but their git profile seems very promising and they also possess a very good track record till now.

  2. […] Once we know the target is vulnerable, executing the exploit using the command “run” downloads the current usernames and password hashes from the database to a JSON file. We can crack these password hashes and log in to the Zabbix instance. See how to crack hashes with Kali Linux. […]
