Hash Cracking Fundamentals: Breaking MD5, SHA-1, and SHA-256 Hashes
Challenge Info:
- Platform: picoCTF 2025 - Hashcrack
- Category: Cryptography
- Difficulty: Easy
- Key Concepts: Hash Identification, Rainbow Tables, Dictionary Attacks
Understanding the Challenge
Goal: The server presents a series of hashes (fixed-length digests produced by one-way hash functions). The objective is to identify the hashing algorithm used for each string and recover the original plaintext password that generated it.
Step-by-Step Solution
Establishing Connection
Open a terminal window and establish a connection to the challenge server using Netcat (nc).
nc verbal-sleep.picoctf.net 60498

Figure 1: Connecting to the challenge server.
Level 1: Cracking MD5
The server provides the first hash.
- Hash Given:
482c811da5d5b4bc6d497ffa98491e38
- Identification: The hash consists of 32 hexadecimal characters. A length of 32 characters (128 bits) typically indicates the MD5 algorithm.
- Method: Using a common wordlist or an online rainbow table reveals that this hash corresponds to a very common password.
- Password:
password123
Verification Command: You can verify this locally in your terminal:
echo -n "password123" | md5sum
Action: Enter password123 into the server prompt.

Figure 2: Solving the MD5 hash.
Level 2: Cracking SHA-1
The server provides a second, longer hash.
- Hash Given:
b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3
- Identification: The hash consists of 40 hexadecimal characters. A length of 40 characters (160 bits) typically indicates the SHA-1 algorithm.
- Method: Checking against standard wordlists confirms this is another common password.
- Password:
letmein
Verification Command:
echo -n "letmein" | sha1sum
Action: Enter letmein into the server prompt.
Figure 3: Using John the Ripper to crack the SHA-1 hash.
Level 3: Cracking SHA-256
The server provides the final, longest hash.
- Hash Given:
916e8c4f79b25028c9e467f1eb8eee6d6bbdff965f9928310ad30a8d88697745
- Identification: The hash consists of 64 hexadecimal characters. A length of 64 characters (256 bits) identifies this as the SHA-256 algorithm.
- Method: This password is also found in standard "rockyou" wordlists.
- Password:
qwerty098
Verification Command:
echo -n "qwerty098" | sha256sum
Action: Enter qwerty098 into the server prompt.

Figure 4: Using John the Ripper to crack the SHA-256 hash.
Capturing the Flag
Upon successfully entering the third password, the server validates the session and prints the flag.
Result: picoCTF{...} (The full flag will be displayed in your terminal output).
Action: Copy the flag string and submit it on the picoCTF challenge page.

Figure 5: The final flag revealed.
Professional Hash Cracking Techniques
In professional penetration testing and CTF competitions, you are rarely told the hashing algorithm or the password. You must determine these yourself using the following hierarchy of techniques.
Hash Identification Methods
Before attempting to crack a hash, you must identify the algorithm (e.g., MD5, SHA-1, Bcrypt).
Primary Indicator: Hash Length
- 32 Hex Characters: MD5
- 40 Hex Characters: SHA-1
- 64 Hex Characters: SHA-256
Identification Tools
- hash-identifier: A command-line tool included in Kali Linux (and installable on Ubuntu). It analyzes the string format and lists the likely algorithms.
- hashid: A Python-based tool similar to hash-identifier but often more accurate with modern formats.
Rainbow Table Attacks
This is the most efficient method for cracking standard, unsalted hashes. "Rainbow tables" are massive databases of pre-computed hashes for billions of known passwords.
How Rainbow Tables Work
- Technique: The hash is looked up in the database. If a match is found, the plaintext password is returned instantly.
- Tools:
- CrackStation: Excellent for MD5 and SHA variations.
- Hashes.com: A large database for various hash types.
- CyberChef: Useful for testing hash generation and simple reversals.
Dictionary Attack Strategy
If the hash is not found in online databases, you must perform a local attack using a "Wordlist" (a text file containing millions of potential passwords).
Dictionary Attack Process
- Technique: The software reads a word from the list, hashes it, and compares it to your target hash.
- Common Wordlist:
rockyou.txt (contains roughly 14 million real-world passwords from a data breach).
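The length-based identification and the hash-and-compare loop described above, as an added Python example that is not part of the original writeup; the three target hashes are the ones the challenge gave out, and the short wordlist is a constructed stand-in for rockyou.txt:

```python
import hashlib

# Length of the hex digest -> algorithm, the "primary indicator" heuristic from the writeup.
HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}

# The three hashes handed out by the challenge server.
CHALLENGE_HASHES = [
    "482c811da5d5b4bc6d497ffa98491e38",
    "b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3",
    "916e8c4f79b25028c9e467f1eb8eee6d6bbdff965f9928310ad30a8d88697745",
]

# Constructed mini wordlist standing in for rockyou.txt (read the real file with
# open("rockyou.txt", errors="ignore") and strip newlines to get the same shape).
WORDLIST = ["123456", "password", "iloveyou", "letmein", "password123",
            "qwerty", "qwerty098", "admin"]


def identify_hash(digest):
    """Guess the algorithm from digest length; None for non-hex or unknown lengths."""
    digest = digest.strip().lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        return None
    return HASH_BY_LENGTH.get(len(digest))


def dictionary_attack(digest, wordlist):
    """Hash each candidate with the identified algorithm and compare to the target.

    This works only because the hashes are unsalted: the same plaintext always
    produces the same digest, so one hash computation per candidate suffices.
    """
    algo = identify_hash(digest)
    if algo is None:
        return None
    target = digest.strip().lower()
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == target:
            return word
    return None  # not in the wordlist: the page's next steps are rules or brute force


def crack_all(digests, wordlist):
    """Return {digest: (algorithm, recovered_password_or_None)}."""
    return {d: (identify_hash(d), dictionary_attack(d, wordlist)) for d in digests}


if __name__ == "__main__":
    for d, (algo, pw) in crack_all(CHALLENGE_HASHES, WORDLIST).items():
        print(f"{algo or 'unknown':8} {d[:16]}...  ->  {pw or 'not in wordlist'}")
```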
Popular Cracking Tools
John the Ripper: A versatile CPU-based cracker. It is excellent for auto-detecting formats.
- MD5 Command:
john --format=Raw-MD5 --wordlist=rockyou.txt hash.txt
- SHA-1 Command:
john --format=Raw-SHA1 --wordlist=rockyou.txt hash.txt
- SHA-256 Command:
john --format=Raw-SHA256 --wordlist=rockyou.txt hash.txt
Hashcat: The industry standard. It utilizes the GPU (Graphics Card) for extreme speed.
- Command:
hashcat -m 0 -a 0 hash.txt rockyou.txt (mode 0 is for MD5).
Brute Force Techniques
This is the last resort. If the password is not a dictionary word (e.g., "x9!pQ2"), wordlists will fail.
- Technique: The software generates every possible combination of characters (aaaa, aaab, aaac...) until a match is found.
- Tools: Hashcat is the preferred tool for brute force due to its ability to leverage GPU processing power to test billions of combinations per second.
Key Takeaways
Attack Hierarchy
- Identify the hash type using length and format
- Rainbow tables for instant lookups (fastest)
- Dictionary attacks using wordlists like rockyou.txt
- Brute force as the last resort (slowest)
Security Lessons
- Common passwords are trivially crackable
- Unsalted hashes are vulnerable to rainbow tables
- Modern password security requires salting and key stretching
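The last two lessons in code, as an added example that is not part of the original writeup: the unsalted SHA-256 storage cracked in Level 3 maps the same password to the same digest every time, while salted, iterated PBKDF2-HMAC-SHA256 from Python's standard library gives every user a different digest and makes each guess cost ITERATIONS rounds (the iteration count is an assumption chosen for illustration, in line with commonly published guidance).

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # key stretching: every guess costs this many HMAC-SHA256 rounds


def unsalted_digest(password):
    """Level-3 style storage: plain SHA-256, same input -> same output, table-lookable."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted + stretched storage. Returns (salt, digest); both are stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo(password="qwerty098"):
    """Two users who pick the same password: unsalted digests collide, salted ones do not."""
    u1, u2 = unsalted_digest(password), unsalted_digest(password)
    (s1, d1), (s2, d2) = hash_password(password), hash_password(password)
    return {
        "unsalted_identical": u1 == u2,  # one rainbow-table hit exposes both users
        "salted_identical": d1 == d2,    # a table precomputed for s1 says nothing about s2
        "verify_ok": verify_password(password, s1, d1),
        "verify_wrong": verify_password("qwerty", s2, d2),
    }


if __name__ == "__main__":
    print(demo())
```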
- GPU-accelerated cracking makes weak passwords obsolete