> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-11/offline-cracking/archive/password-attack-offline-cracking-hash.md).

# Hash

## Crack WordPress MD5 Hash with Hashcat

To crack a WordPress MD5 hash extracted from the database (`wp_users` table), use Hashcat with mode `400`. This mode is specifically designated for cracking WordPress MD5 hashes.

The basic command structure is:

```bash
hashcat -m 400 -o cracked.txt dhash /usr/share/wordlists/rockyou.txt
```

In this command:

* `-m 400` selects the WordPress MD5 hash type.
* Provide the hash(es) you want to crack in a file, such as `dhash`.
* Specify a wordlist file to use for the attack, for example, `/usr/share/wordlists/rockyou.txt`.
* `-o cracked.txt` directs Hashcat to save the cracked passwords to a file named `cracked.txt`.

An example of the expected WordPress MD5 hash format is `a1a436a0c092c2b214a0284f50e84632`. These hashes are typically stored in the `user_pass` column of the `wp_users` table in the WordPress database.

While WordPress historically used the MD5 algorithm for password hashing, it is important to note that MD5 is considered cryptographically broken and insecure for password storage. This is because it is a fast hashing algorithm and is vulnerable to collision attacks, making brute-force and dictionary attacks more feasible. Newer versions of WordPress use stronger, salted, and stretched hashing algorithms, such as portable PHP hashing (like bcrypt), which are significantly more resistant to cracking attempts. Cracking MD5 hashes is comparatively faster due to the lack of stretching and salting.

***

## Crack WordPress PHPass Hashes John

Extract WordPress PHPass hashes, typically found in the `wp_users` table of a database dump, and save them into a file (one hash per line). Then, use John The Ripper with a wordlist to attempt to crack them. John the Ripper automatically identifies the hash type, including WordPress PHPass hashes.

The basic command structure for John the Ripper is:

```bash
john [options] [path_to_hash_file]
```

Using a wordlist, the command would look like this:

```bash
john --wordlist=/path/to/rockyou.txt /path/to/hashfile
```

Once John has had time to process and potentially crack hashes, you can use the `--show` option to display the cracked passwords.

```bash
john --show /path/to/hashfile
```

***

## Offline Cracking of WordPress Hash

First, extract the hash from the compromised WordPress database, typically from the `wp_users` table. The user password hash is stored in the `user_pass` column.

```sql
SELECT user_login, user_pass FROM wp_users WHERE user_login = 'diego';
```

WordPress uses the Portable PHP password hashing framework (phpass) for password security. Hashes generated by phpass can be identified by their format, often starting with `$P$` or `$H$`. The `$P$` format is the most common. These hashes incorporate a salt directly within the hash string, which is generated randomly for each password. It's important to note that while phpass has been the standard, WordPress is transitioning to using bcrypt for password hashing in newer versions (e.g., WordPress 6.8 and later) to improve security with a stronger, more modern hashing algorithm.

Save the desired hash (e.g., for user `diego`) to a file. Then use a tool like John The Ripper with a wordlist. John includes specific modules for recognizing and cracking phpass hashes. John The Ripper supports the phpass format directly, making it suitable for cracking WordPress passwords.

```bash
john --wordlist=<wordlist> <hash_file>
```

John will automatically recognize the WordPress hash format and attempt to crack it against the provided wordlist.

Alternatively, if you have a known plaintext password and the hash, you can use PHP code to verify it, which demonstrates how WordPress itself checks passwords. The core function used by WordPress is `wp_check_password()`.

```php
<?php
// Assume the WordPress environment is loaded or necessary functions are included
// This is a simplified example and requires WordPress core functions

$plaintext_password = 'mysecretpassword'; // The password you want to check
$hashed_password = '$P$B9Iu72x7.C2m83a.qC8v0D9E0F1G2H/'; // The hash from wp_users

if ( wp_check_password( $plaintext_password, $hashed_password ) ) {
    echo 'Password is valid.';
} else {
    echo 'Password is invalid.';
}
?>
```

This PHP snippet illustrates the verification process, which is the reverse operation of hashing and what tools like John The Ripper are trying to emulate to find the original plaintext password that matches the hash.

To understand how these hashes are created in the first place, WordPress uses the `wp_hash_password()` function. If you needed to programmatically generate a WordPress-compatible hash for a given plaintext password (e.g., when creating a user via script), you would use this function:

```php
<?php
// Assume the WordPress environment is loaded or necessary functions are included
// This is a simplified example and requires WordPress core functions

$plaintext_password = 'newsecurepassword';
$hashed_password = wp_hash_password( $plaintext_password );

echo "Plaintext: " . $plaintext_password . "\n";
echo "Hashed: " . $hashed_password . "\n";
?>
```

This demonstrates the function WordPress uses internally to convert a plaintext password into its secure hashed representation before storing it in the database.

***

## Offline MD5 Hash Cracking

Obtain the MD5 hash from the target system, for example, found in a file like `/home/robot/password.raw-md5` with the hash `c3fcd3d76192e4007dfb496cca67e13b`.

To crack the hash, you can use online services like **CrackStation** or powerful offline tools such as **John the Ripper** or **Hashcat**. The core technique involves using a **wordlist** (a dictionary of potential passwords) to generate hashes and compare them against the target hash until a match is found. This is often referred to as a dictionary attack.

For offline tools, specify the hash type (MD5) and the path to your wordlist. Common wordlists are widely available, but a custom wordlist like `fsocity.dic` might be relevant if it's provided within the CTF challenge environment.

Using John the Ripper, the command to attempt cracking the hash `c3fcd3d76192e4007dfb496cca67e13b` stored in `/home/robot/password.raw-md5` with the `fsocity.dic` wordlist is:

```bash
john --format=Raw-MD5 --wordlist=fsocity.dic password.raw-md5
```

Here, `--format=Raw-MD5` specifies the hash type, and `--wordlist=fsocity.dic` points to the dictionary file.

Once the cracking process is complete, the cracked password can be displayed using the `--show` option:

```bash
john --show password.raw-md5
```

This command will reveal the successfully cracked password.

Alternatively, the powerful Hashcat tool can be used for dictionary attacks. To crack MD5 hashes using a dictionary attack with Hashcat, you would use the following command structure:

```bash
hashcat -a 0 -m <hash_type> <hash_file> <wordlist_file>
```

For MD5 hashes specifically, the hash type is represented by the number `0`. A specific example for cracking MD5 hashes contained in a file named `hashes.txt` using a wordlist named `wordlist.txt` is:

```bash
hashcat -a 0 -m 0 hashes.txt wordlist.txt
```

Let's break down the command:

* `-a 0`: This specifies the attack mode as a 'straight' attack, which is used for dictionary attacks.
* `-m 0`: This specifies the hash type. MD5 is represented by 0 in Hashcat.
* `hashes.txt`: This is the file containing the hashes you want to crack, one hash per line.
* `wordlist.txt`: This is the dictionary file containing potential passwords.

Once Hashcat has finished cracking, you can view the cracked hashes using the `--show` flag:

```bash
hashcat --show hashes.txt
```

This command will display any passwords successfully cracked from the `hashes.txt` file.

***

## Offline Password Hash Cracking

To crack an MD5 hash offline, first save the hash string into a file, for example, `hash.txt`.

```bash
echo "53f22d0dfa10dce7e29cd31f4f953fd8" > hash.txt
```

Then, use Hashcat, a fast and advanced password recovery tool, with the appropriate mode for MD5 (`-m 0`), specifying the hash file and your chosen wordlist.

```bash
hashcat -m 0 hash.txt /path/to/wordlist.txt
```

The `-m 0` parameter specifies the hash type, which is MD5. The first argument after `-m 0` is the file containing the hash(es) to crack, and the second argument is the wordlist file.

By default, hashcat outputs cracked hashes to a file named `hashcat.potfile`. To show the cracked hashes that have been found, you can use the `--show` option:

```bash
hashcat -m 0 hash.txt wordlist.txt --show
```

Beyond wordlist attacks, Hashcat supports other methods like bruteforce. To perform a bruteforce attack on an MD5 hash, use the `-a 3` parameter. You also need to specify the character set and mask to use. For example, to bruteforce an 8-character password using the standard lowercase alpha-numeric character set (`?a`):

```bash
hashcat -m 0 hashes.txt -a 3 ?a?a?a?a?a?a?a?a
```

You can also combine attack types, such as a wordlist attack, with rulesets using the `-r` parameter. This applies transformations to the words in the dictionary before hashing them. For example, to apply the `rockyou-30000.rule` ruleset to a wordlist attack:

```bash
hashcat -m 0 hashes.txt wordlist.txt -r rockyou-30000.rule
```
