Day 069 #FromZeroToHacker – Hashing – Crypto 101

Hashing is the process of transforming a given key or string of characters into another value. This is especially useful when we are dealing with passwords.

Let’s learn about this topic in our daily #FromZeroToHacker challenge.

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction to Hashing – Crypto 101

Before starting, we need to remember (or learn) a few key terms:

  • Plaintext: Data before encryption or hashing. Normally text, but it could be a photo or a file instead.
  • Encoding: A form of data representation, like base64 or hexadecimal, easily reversible. It is not a form of encryption.
  • Hash: A hash is the output of a hash function.
  • Brute force: Attacking cryptography by trying every different password.
  • Cryptanalysis: Attacking cryptography by finding a weakness in the underlying maths.

What have I learnt today?

What is a hash function?

Hash functions are different from encryption: there is no key, and it is meant to be impossible (and sometimes this is actually achieved!) to go from the output back to the input.

A hash function takes some input data and outputs a string of a fixed size. It is hard to predict what the output will be for any input, and vice versa. Good hashing algorithms are fast to compute and slow to reverse.

The output of a hash function is normally raw bytes, which are then encoded (for example as hexadecimal or base64) so they can be displayed and stored as text.

What’s a hash collision?

As the output has a fixed size but the input can be any size, there are more inputs than outputs (imagine 100 pigeons and 80 pigeonholes: some pigeons have to share). Therefore some inputs, with no relation between them, will give the same output. That is a hash collision.
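The pigeonhole argument above, worked through in code (an added example, not part of the original post): SHA-256 cut down to a handful of bits is a toy hash with only 2**bits possible outputs, so a birthday-style search quickly finds two unrelated inputs that share one, while their full 256-bit digests still differ. The names truncated_hash and find_collision are my own.

```python
import hashlib
from typing import Dict, Tuple

def full_hash_hex(data: bytes) -> str:
    """The real, full-size SHA-256 digest (256 bits) as hex."""
    return hashlib.sha256(data).hexdigest()

def truncated_hash(data: bytes, bits: int) -> int:
    """Toy hash: keep only the first `bits` bits of SHA-256, so only 2**bits outputs exist."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)

def find_collision(bits: int, limit: int = 1_000_000) -> Tuple[bytes, bytes]:
    """Hash distinct constructed inputs until two of them share a truncated output.

    With 2**bits pigeonholes a collision is expected after roughly 2**(bits/2)
    inputs (the birthday bound), long before the pigeonholes actually run out.
    """
    seen: Dict[int, bytes] = {}
    for i in range(limit):
        msg = f"input-{i}".encode("utf-8")   # constructed, unrelated inputs
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg
        seen[h] = msg
    raise RuntimeError(f"no collision among {limit} inputs")

if __name__ == "__main__":
    a, b = find_collision(bits=24)
    print(a, b, hex(truncated_hash(a, 24)))
    # The full digests do not collide: 256 bits leaves far more outputs than we will ever try.
    print(full_hash_hex(a) != full_hash_hex(b))
```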

Uses for hashing

What can we do with hashing?

Hashing in Cyber security has two main purposes: Verifying the integrity of data and verifying passwords.

Hashing for password verification

I don’t need to tell you that storing users’ passwords in plaintext is a bad option, and simply encrypting them is not much better. The only secure way (to a degree…) is hashing passwords.

If you encrypt the passwords, the key has to be stored somewhere and, if anyone gets it, they can decrypt the passwords.

Instead of storing the password, we store the hash. If the data is leaked, an attacker has to crack each password one by one to find out what it is.

But…what if two users have the same password? The hash function turns the same input into the same output, so the same password hash is stored for each of those users. A hacker who cracks that hash has cracked all of them at once, and could use what we call a “rainbow table” (just a list of hash-to-password pairs) to break the hashes.

Rainbow table

A rainbow table is a lookup table of hashes to plaintext, so you can quickly find out what password a user has.

Websites like Crackstation use huge rainbow tables to provide fast password cracking for hashes without salts (more about this below). Doing a lookup on a website like this is quite fast, way faster than cracking the hash yourself.

Protecting against rainbow tables

To protect against rainbow tables, we add a salt to the passwords, like we do to our food. The salt is randomly generated, unique for each user, and stored in the database. Five users with the same password won’t have the same hash.

The salt is added either at the start or the end of the password before it’s hashed. Hash functions like bcrypt and sha512crypt handle this automatically.
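Salting in practice, as an added example (my own code, not from the post or TryHackMe): PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt/sha512crypt, and the stored record borrows the $format$rounds$salt$hash layout so the salt and round count travel with the hash. It shows two users with the same password getting different records, and a constant-time check when they log in.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Parameters assumed for this example: PBKDF2-HMAC-SHA256 stands in for bcrypt/sha512crypt,
# and the stored record borrows the $format$rounds$salt$hash layout described in the post.
SCHEME = "pbkdf2-sha256"
DEFAULT_ROUNDS = 600_000
SALT_BYTES = 16

def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: two users with the same password get the same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_record(password: str, salt: Optional[bytes] = None, rounds: int = DEFAULT_ROUNDS) -> str:
    """Hash a password under a fresh random per-user salt and return the record to store."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # unique per user, stored next to the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"${SCHEME}${rounds}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Re-hash the candidate with the salt and rounds from the record; compare in constant time."""
    _, scheme, rounds, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme {scheme!r}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    # Constructed sample: two users happen to pick the same password.
    alice, bob = make_record("hunter2"), make_record("hunter2")
    print("unsalted hashes equal:", unsalted_hash("hunter2") == unsalted_hash("hunter2"))  # True
    print("salted records equal: ", alice == bob)                                          # False
    print("verify right/wrong:   ", verify("hunter2", alice), verify("Hunter2", alice))    # True False
```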

Recognising password hashes

We can recognise password hashes by just looking at them.

Unix-style password hashes are pretty easy to recognise, as they have a prefix that tells you the hashing algorithm used to generate the hash. The format is $format$rounds$salt$hash.

On Linux, password hashes are stored in /etc/shadow, a file only readable by root (well…).

Windows passwords are hashed using NTLM, a variant of md4.

On Windows, password hashes are stored in the SAM.
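A small recogniser for the $format$rounds$salt$hash layout, added here as an example (my own code, not from the post or TryHackMe). It assumes the standard modular-crypt prefixes ($1$ md5crypt, $5$ sha256crypt, $6$ sha512crypt, $2a$/$2b$/$2y$ bcrypt) and adds a shape-only guess for bare hex digests, which is exactly where NTLM and MD5 cannot be told apart: both are 32 hex characters.

```python
from typing import Dict, Optional

# Standard modular-crypt prefixes (fixed set assumed for this example).
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
             "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}
# Rounds used when no rounds= field is present (md5crypt is fixed at 1000).
DEFAULT_ROUNDS = {"md5crypt": "1000", "sha256crypt": "5000", "sha512crypt": "5000"}
# A bare hex digest can only be guessed by length: 32 hex chars is MD5 *or* NTLM.
HEX_GUESS = {32: "md5 or ntlm", 40: "sha1", 64: "sha256", 128: "sha512"}

def identify_unix_hash(value: str) -> Optional[Dict[str, str]]:
    """Split a $format$rounds$salt$hash string into its parts; None if it is not one."""
    if not value.startswith("$"):
        return None
    parts = value.split("$")[1:]              # drop the empty piece before the first '$'
    scheme = CRYPT_IDS.get(parts[0])
    if scheme is None:
        return None
    if scheme == "bcrypt":
        # bcrypt glues the 22-char salt and 31-char hash together after the cost field
        if len(parts) != 3 or len(parts[2]) != 53 or not parts[1].isdigit():
            return None
        return {"format": scheme, "rounds": f"2^{int(parts[1])}",
                "salt": parts[2][:22], "hash": parts[2][22:]}
    rounds = DEFAULT_ROUNDS[scheme]
    if scheme != "md5crypt" and len(parts) == 4 and parts[1].startswith("rounds="):
        rounds = parts[1][len("rounds="):]
        parts = [parts[0]] + parts[2:]
    if len(parts) != 3 or not rounds.isdigit():
        return None
    return {"format": scheme, "rounds": rounds, "salt": parts[1], "hash": parts[2]}

def guess_bare_hash(value: str) -> Optional[str]:
    """Shape-only guess for an unprefixed digest; None if it is not plain hex."""
    try:
        bytes.fromhex(value)
    except ValueError:
        return None
    return HEX_GUESS.get(len(value), f"unknown ({len(value)} hex chars)")

if __name__ == "__main__":
    # Constructed sample strings with realistic lengths, not real password hashes.
    print(identify_unix_hash("$6$rounds=10000$saltsalt$" + "A" * 86))
    print(identify_unix_hash("$2b$12$" + "S" * 22 + "H" * 31))
    print(guess_bare_hash("0123456789abcdef" * 2))   # md5 or ntlm
```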

Here is a list of generic hash types:

[Figure: Generic hashing types]

Password cracking

Yes, we can crack hashes without salt with rainbow tables, but what if they use salt?

We can crack the hashes by hashing a large number of different inputs (normally from the famous rockyou.txt wordlist), adding the salt if we know it, and comparing each result to the target hash. Once one matches, we know what the password was. We use tools like Hashcat or John the Ripper for this.

Hashing for integrity checking

Integrity checking

Also, hashing can be used to check that files haven’t been changed. Imagine we download a file from the internet, but a malicious hacker intercepts the download and adds some nasty code. How can we tell if our download is pristine?

Enter: Integrity checking.

Basically, the creators run a hash function over the file and publish the resulting hash, together with the method used, on their website.

Once downloaded, we run the same hash function and compare both hashes. If they are the same, the download is safe. If not, something bad happened…
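The integrity check described above, as an added example (my own code, not from the post or TryHackMe): the file is hashed in chunks, the published "HEX  filename" line is parsed in the format sha256sum writes, and the comparison is done in constant time. The demo builds a constructed file and a copy modified in transit; the names file_digest, parse_checksum_line and verify_download are my own.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Tuple

def file_digest(path: Path, algorithm: str = "sha256", chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so a large download is never read into memory at once."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def bytes_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Same digest for in-memory data (used to build the published checksum below)."""
    return hashlib.new(algorithm, data).hexdigest()

def parse_checksum_line(line: str) -> Tuple[str, str]:
    """Parse one 'HEX  filename' (or 'HEX *filename') line as written by sha256sum."""
    digest, _, name = line.strip().partition(" ")
    name = name.strip().lstrip("*")          # '*' marks binary mode in some tools
    if not digest or not name:
        raise ValueError(f"malformed checksum line: {line!r}")
    return digest.lower(), name

def verify_download(path: Path, published_hex: str, algorithm: str = "sha256") -> bool:
    """True only if the file's digest equals the one the creators published."""
    return hmac.compare_digest(file_digest(path, algorithm), published_hex.lower())

def demo() -> Dict[str, bool]:
    """Constructed scenario: a pristine download next to a copy modified in transit."""
    original = b"#!/bin/sh\necho 'installing tool'\n"
    tampered = original + b"echo 'nasty code added in transit'\n"
    published_line = f"{bytes_digest(original)}  tool.sh"   # what the website would show
    published_hex, _ = parse_checksum_line(published_line)
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp, "tool.sh"), Path(tmp, "tool-tampered.sh")
        good.write_bytes(original)
        bad.write_bytes(tampered)
        return {"pristine_ok": verify_download(good, published_hex),
                "tampered_ok": verify_download(bad, published_hex)}

if __name__ == "__main__":
    print(demo())   # {'pristine_ok': True, 'tampered_ok': False}
```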

[Figure: Checksum]

Summary

Again, we cracked the case! Sorry. Today we have learnt about:

  • What hash functions are and their different types.
  • Uses for hashing.
  • Recognising password hashes.
  • Password cracking.
  • Hashing for integrity checking.

Stats

From 66.072th to 64.440th.

Here is also the Skill Matrix:

[Figure: Skills Matrix]

Resources

Module: Cryptography

TryHackMe: Hashing – Crypto 101

Other resources

Crackstation
Windows SAM
Generic hash types