Introduction to Hasher

On nearly every pen test I’ve been on, we’ve been able to obtain hashes of some sort.  These hashes could be generated by a web application, database, operating system, or more.  Typically, there will come a point where I either need to generate a hash myself, or compare the hashes I’ve obtained with their potential plaintext value.  The problem that we face is that it’s not operationally safe to blindly submit cleartext passwords or hashes to online websites.  I/we don’t know with 100% certainty what is happening to the hash or cleartext password and if they are being copied to another location.  In the end, I don’t trust anything online for anything sensitive in nature.

As a result, I needed a way to quickly generate password hashes and/or compare a hash that I have with a cleartext string and determine if they match, but I need to do this locally to my computer.  As a thought exercise, I wanted to make my own application that can meet these needs, so I’m happy to introduce Hasher.

Hasher

Hasher allows you to generate a hash with a hashing algorithm that you choose, from a cleartext string of your choice, all locally on your machine.  Additionally, Hasher lets you compare a cleartext string with a hashed value to determine if they match, again, all locally on your machine.  One item to note: Hasher is NOT designed to be a password/hash cracking program.  It’s designed for creating hashes, or comparing passwords and hashes, locally, not for cracking passwords.

Current supported hashing algorithms:

  • md5
  • sha1
  • sha256
  • sha512
  • ntlm
  • msdcc
  • msdcc2
  • md5_crypt
  • sha1_crypt
  • sha256_crypt
  • sha512_crypt
  • MSSQL2000
  • MSSQL2005
  • MySQL v3.2.3
  • MySQL v4.1
  • Oracle 10G
  • Oracle 11G
  • Postgres_md5

Hasher is easily used with a menu-driven interface.  Just select the option you want to use, provide the cleartext string or hash, and you’ll get your result.  I’ve also made Hasher easily scriptable via the command line.  Not all CLI options are required; which ones you need depends on the hash type you are using, and even then, if you don’t provide a required option, one is typically generated.  The CLI options look like the following:

[Image: Hasher CLI options]

If you have any questions, or encounter any bugs, please be sure to submit an issue or pull request via GitHub and I will be sure to address it shortly.  Also, if you have any specific hash type requests, please be sure to submit a request or GitHub issue to me and I can look into adding that hash type.

To get a copy of Hasher, simply:

git clone https://github.com/ChrisTruncer/Hasher.git

Some sample uses are below:

Creating an NTLM hash with the password of “Password”:

[Image: Createpass]

Comparing the password “Password” with an NTLM hash for the correct value:

[Image: Comparingtrue]

Comparing the password “password” with an NTLM hash for an incorrect value:

[Image: Comparefalse]
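
The generate-and-compare workflow described above, sketched for three of the listed database formats as an added example (not Hasher's own code). The function names are hypothetical and the hash layouts are the publicly documented ones, assumed rather than taken from Hasher's source.

```python
import hashlib
import hmac
import os

# Formats below are the publicly documented ones (assumption: not taken from Hasher's source).

def mysql41(password):
    """MySQL v4.1: '*' + uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def postgres_md5(password, username):
    """Postgres_md5: 'md5' + hex of MD5(password + username); the username is the salt."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()

def mssql2005(password, salt=None):
    """MSSQL2005: '0x0100' + 4-byte salt + SHA1(UTF-16LE(password) + salt), all hex."""
    salt = os.urandom(4) if salt is None else salt
    if len(salt) != 4:
        raise ValueError("salt must be exactly 4 bytes")
    digest = hashlib.sha1(password.encode("utf-16-le") + salt).hexdigest()
    return "0x0100" + salt.hex() + digest

def matches(hashtype, password, stored, username=""):
    """Recompute the hash using parameters carried by `stored`, then compare."""
    stored = stored.strip().lower()
    if hashtype == "mysql41":
        candidate = mysql41(password)
    elif hashtype == "postgres_md5":
        candidate = postgres_md5(password, username)
    elif hashtype == "mssql2005":
        # A salted hash cannot be regenerated blindly: reuse the stored salt.
        if len(stored) != 54 or not stored.startswith("0x0100"):
            return False
        try:
            candidate = mssql2005(password, bytes.fromhex(stored[6:14]))
        except ValueError:  # non-hex or short salt field in a malformed hash
            return False
    else:
        raise ValueError("unsupported hash type: " + hashtype)
    # Hex case differs between tools, so normalise; compare in constant time.
    return hmac.compare_digest(candidate.lower().encode(), stored.encode())

if __name__ == "__main__":
    h = mssql2005("Password")  # sample cleartext from the post's NTLM examples
    print(h, matches("mssql2005", "Password", h), matches("mssql2005", "password", h))
```

For the salted MSSQL2005 format, two runs over the same cleartext give different strings, which is why the comparison has to parse the salt out of the stored hash instead of regenerating and string-matching.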

4 thoughts on “Introduction to Hasher”

  1. This bash script creates a file called hashes-final.txt with computed ntlm hashes. The plain text passwords are inputted from a file called passwords.txt.

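    #!/bin/bash

    # Hash every line of passwords.txt as NTLM and collect Hasher's output in hashes-final.txt.
    while IFS= read -r line
    do
        # Show the current cleartext on the terminal without interpreting backslashes.
        printf '%s\n' "$line"
        ./Hasher.py -G "$line" -type ntlm >> hashes-final.txt
    done < passwords.txt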

    Enjoy

    • Thanks for showing everyone a sample of how to do that. I wanted to make Hasher as scriptable as possible. Also, tried to make its comparison responses unique so when doing a comparison, you can script it up and grep for the results.
