Showing posts with label hakcing. Show all posts
  • TryHackMe RP : Crack The Hash







    The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. It's a comfortable experience to learn using pre-designed courses which include virtual machines (VMs) hosted in the cloud.



    While using a question-answer model does make learning easier, TryHackMe also allows users to create their own virtual classrooms to teach particular topics, enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.








    TryHackMe has recently had their 500th user sign up to access varied content, from fundamentals of web security to basic reverse engineering. Their self-contained virtual classrooms make it easy for users to focus on a particular area by aggregating the necessary information. They want users to focus on the learning instead of spending time scouring the internet for resources! They are a relatively new company, so they are still in the process of creating custom VMs for learning purposes, but more content is being released weekly, and their newsletter gives users an insight into what's being released on a weekly basis ahead of time.



    In the TryHackMe Crack the Hash challenge, identifying the hashes is made easy by the Hint buttons used on the platform. These either tell you exactly what the hash is or point you in the right direction on what to look for.

    In real life there is no hint system to get this information. You might be an absolute ninja who can look at a hash and say "that's SHA256", but for the rest of us there are a few tools at our disposal.





    Hash Analyzer: the Tunnelsup.com Hash Analyser lets you paste a hash into their site and gives you their best guess at what the hash is. This was all I used for the Crack the Hash challenge, and it was pretty much spot on until some of the later tasks.


    Hash-Identifier can be found pre-installed in Kali Linux and will tell you the possible hashing algorithms for the hash you enter. The nice thing about it, other than already being installed in Kali, is that it gives you a few alternatives, which can help in finding the right mode in hashcat.

    HashID is a Python-based hash identifying tool which needs to be downloaded from their GitHub repo. The cool thing about this tool is that it not only identifies the hashes but can also give you the corresponding hashcat mode as part of the output.
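
How format-based identification of this kind works, as an added example that is not part of the original post or of any of the tools named above: a small identifier that classifies the hash strings quoted in this write-up by length and prefix and returns the hashcat modes listed on this page. The function and table names are illustrative assumptions, and the tables cover only the formats that appear in these tasks.

```python
import re

# (algorithm, hashcat mode) candidates by hex length. Length alone is ambiguous:
# MD5, MD4 and NTLM digests are all 32 hex characters.
HEX_CANDIDATES = {
    32: [("MD5", 0), ("MD4", 900), ("NTLM", 1000)],
    40: [("SHA1", 100)],
    64: [("SHA2-256", 1400)],
}
# Extra candidate that only makes sense when a salt/key accompanies the hash.
SALTED_HEX_CANDIDATES = {40: [("HMAC-SHA1 (key = $salt)", 160)]}

# Modular crypt formats carry their own label, parameters and salt.
BCRYPT = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
SHA512CRYPT = re.compile(
    r"^\$6\$(?:rounds=(\d+)\$)?([^$]{1,16})\$[./A-Za-z0-9]{86}$")


def identify(hash_string, salt=None):
    """Return candidate descriptions (name, hashcat mode, parameters)."""
    h = hash_string.strip()
    m = BCRYPT.match(h)
    if m:
        cost = int(m.group(1))
        # bcrypt repeats its key setup 2**cost times per password guess.
        return [{"name": "bcrypt", "mode": 3200, "cost": cost,
                 "iterations": 2 ** cost}]
    m = SHA512CRYPT.match(h)
    if m:
        rounds = int(m.group(1)) if m.group(1) else 5000  # crypt default
        return [{"name": "sha512crypt", "mode": 1800, "salt": m.group(2),
                 "rounds": rounds}]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        found = list(HEX_CANDIDATES.get(len(h), []))
        if salt is not None:
            found = SALTED_HEX_CANDIDATES.get(len(h), []) + found
        return [{"name": name, "mode": mode} for name, mode in found]
    return []


# Hashes quoted in the tasks on this page, with the salt where one is given.
PAGE_HASHES = [
    ("48bb6e862e54f2a795ffc4e541caed4d", None),
    ("$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom", None),
    ("e5d8870e5bdd26602cab8dbe07a942c8669e56d6", "tryhackme"),
]

if __name__ == "__main__":
    for value, salt in PAGE_HASHES:
        print(value[:16] + "...", identify(value, salt))
```

A 32-character hex string returns three candidates, which is why the MD4 and NTLM tasks cannot be told apart from MD5 by format alone.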




    Find the Hashcat Mode







    hashcat -h | grep sha256
    hashcat -h | grep md5
    hashcat -h | grep salt
    hashcat -h | grep sha

    hashcat --help






    This can also be done in Windows by replacing grep with the findstr command.








    Let's Get Cracking!


    For each of these tasks in this challenge I echo the hash into a text file called tryhackme.txt, remembering not to stick a space after the hash and before the >, as shown below, as the extra space causes an issue cracking the password.

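    echo 48bb6e862e54f2a795ffc4e541caed4d> hashes1.txt


    echo CBFDAC6008F9CAB4083784CBD1874F76618D2A97> hashes2.txt

    echo 1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032> hashes3.txt

    # The Task 1.4 bcrypt hash contains $ characters, so it is single-quoted to stop the shell expanding them
    echo '$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom'> hashes4.txt
    etc.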



    Task 1.1



    Hash: 48bb6e862e54f2a795ffc4e541caed4d
    Identified: MD5
    Hashcat mode: 0

    Command: hashcat -m 0 -a 0  hashes1.txt /usr/share/wordlists/rockyou.txt


      Password: easy  



    Task 1.2



    Hash: CBFDAC6008F9CAB4083784CBD1874F76618D2A97
    Identified: SHA1
    Hashcat Mode: 100


    Command: hashcat -m 100 hashes2.txt /usr/share/wordlists/rockyou.txt
    or
    Command: hashcat -m 100 hashes2.txt /usr/share/wordlists/rockyou.txt --force


       Password: password123 





     

     

    Task 1.3



    Hash: 1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032

    Identified: SHA2-256
    Hashcat Mode: 1400


    Command: hashcat -m 1400 hashes3.txt /usr/share/wordlists/rockyou.txt
    or
    Command: hashcat -m 1400 hashes3.txt /usr/share/wordlists/rockyou.txt --force


       Password: letmein  




    Task 1.4



    Hash:
    $2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom
    Identified: Bcrypt
    Hashcat Mode: 3200


    Command: hashcat -m 3200 hashes4.txt /usr/share/wordlists/rockyou.txt --force


    Note: This bcrypt hash took me over an hour to crack, which is by design because it's based on the Blowfish cipher, so you might want to go make some coffee or alternatively just try sticking this hash into Google.


       Password: bleh   



    Task 1.5



    Hash: 279412f945939ba78ce0758d3fd83daa

    Identified: MD4
    Hashcat Mode: 900
    Rule: Best64.rule


    Command: hashcat -m 900 -r /rules/Best64.rule hashes5.txt /usr/share/wordlists/rockyou.txt


    Note: Because this password has a capital letter at the start and some numbers on the end, it can't be found with just the default rockyou.txt file. You have to add some rules to the hashcat command to crack the hash. Check out the rules folder in your default hashcat directory.


      Password: Eternity22 
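
What the rule note above means for password strength, as an added example that is not part of the original post: a few hashcat rule functions (`:`, `l`, `u`, `c`, `r`, `d`, `$X`, `^X`) applied to a base word, next to the defender-side check that flags a password which is only a dictionary word with case changes and digits attached. The base word, word list and rule line are constructed for illustration and are not the contents of rockyou.txt or Best64.rule.

```python
import re


def apply_rule(rule, word):
    """Apply one hashcat-style rule line, supporting a small subset of functions."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in "$^":                      # $X appends X, ^X prepends X
            ch = rule[i + 1]
            word = word + ch if op == "$" else ch + word
            i += 2
            continue
        if op == "l":                       # lowercase everything
            word = word.lower()
        elif op == "u":                     # uppercase everything
            word = word.upper()
        elif op == "c":                     # capitalize first, lowercase rest
            word = word[:1].upper() + word[1:].lower()
        elif op == "r":                     # reverse
            word = word[::-1]
        elif op == "d":                     # duplicate
            word = word + word
        elif op not in ": ":                # ':' is the no-op, spaces separate
            raise ValueError(f"unsupported rule function {op!r}")
        i += 1
    return word


def reduces_to_dictionary_word(password, wordlist):
    """True if the password is a listed word plus only case changes and
    leading/trailing digits or symbols, i.e. within reach of simple rules."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()
    return bool(core) and core in wordlist


# Constructed sample word list for the check (assumption, not rockyou.txt).
SAMPLE_WORDS = {"eternity", "password", "letmein"}

if __name__ == "__main__":
    print(apply_rule("c $2 $2", "eternity"))
    for candidate in ("Eternity22", "n63umy8lkf4i"):
        print(candidate, reduces_to_dictionary_word(candidate, SAMPLE_WORDS))
```

A password-change check of this shape rejects the "capital letter plus trailing digits" pattern before it is ever stored, regardless of which hash algorithm protects it.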




    ----------------




    Task 2.1



    Hash: F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85
    Identified: SHA2-256
    Hashcat Mode: 1400

    Command: hashcat -m 1400 hashes6.txt /usr/share/wordlists/rockyou.txt


       Password: paule   





    Task 2.2



    Hash: 1DFECA0C002AE40B8619ECF94819CC1B
    Identified: NTLM
    Hashcat Mode: 1000

    Command: hashcat -m 1000 hashes7.txt /usr/share/wordlists/rockyou.txt


      Password: n63umy8lkf4i 



    Task 2.3



    Hash: $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.
    Salt: aReallyHardSalt
    Identified: SHA512crypt
    Hashcat Mode: 1800

    Note: This one actually took me a while to work out what this hash was, as there was no hint on tryhackme.com and neither the hash analyser website nor the Hash-identifier program recognised it. After some investigating, it turns out that the hash comes from a Linux shadow file.


    Command: hashcat -m 1800  hashes8.txt /usr/share/wordlists/rockyou.txt
    or
    Command: hashcat -m 1800  hashes8.txt /usr/share/wordlists/rockyou.txt --force




      Password: waka99  




     

    Task 2.4



    Hash: e5d8870e5bdd26602cab8dbe07a942c8669e56d6
    Salt: tryhackme
    Identified: HMAC-SHA1
    Hashcat Mode: 160


    Command: hashcat -m 160 hashes9.txt /usr/share/wordlists/rockyou.txt


    Note: This took me a while to figure out that the trick here is that you need to add the salt to the password file, separated by a colon (as below) to get the hash to crack.


    echo e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme> hashes9.txt



      Password: 481616481616 



    Conclusion




    I was actually quite surprised how quickly even my modest 1050 Ti graphics card can power through most of these hashes in a few minutes; the only one that took any substantial amount of time was Task 1.4, the bcrypt hash.


    Some of the takeaways from this challenge are that even strong hashing techniques can be circumvented with weak passwords, that the length of the password is more important than its complexity, and that some hashing techniques are better than others at resisting cracking attempts.


    I would also like to quickly thank TryHackMe.com for their fantastic platform; hopefully I will cover more of their rooms in the future.



     ----------------





    Disclaimer

    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All videos and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in are only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal





  • Find Leaked Email and Password via onion service




    Today we look at a penetration testing technique built around a tool named PWNDB. This article covers searching for leaked emails and passwords using the onion service; the tool can be used on Kali Linux and other Linux distributions as well. So, let's get started!


    Leaked Email and Password


    Billions of email addresses and plain text passwords have been leaked online by an unknown party, leaving countless Internet users at risk from credential stuffing and other attacks.

    Security researcher Bob Diachenko discovered the unsecured Elasticsearch database on 4 December, although it was first indexed by the BinaryEdge search engine and has therefore been publicly available since the beginning of the month.

    Access to the database was disabled on 9 December after it was reported to the US-based ISP hosting the IP address, giving potential hackers more than enough time to scrape the log-in data.

    In total, the database contained 2.7 billion email addresses, with plain text passwords for more than a billion of them, providing a ready starting point for a credential stuffing campaign.



    How To Find Leaked Email and Passwords

    We will use the pwndb tool to find leaked emails and passwords here. pwndb.py is a Python command-line tool for searching leaked credentials using the onion service with the same name.

    Installation


    git clone https://github.com/davidtavarez/pwndb

    cd pwndb

    ls

    pip3 install -r requirements.txt  OR  pip install -r requirements.txt

    Then, type "virtualenv venv" without quotes and hit enter...

    source venv/bin/activate




  • Security of 50 million user accounts breached; Facebook removes 'View As' feature



    Facebook announced on Friday that 50 million accounts were affected by a security breach carried out by hackers. The major social network said that it learned this week that hackers had stolen "access tokens", which is how these accounts were affected. "Access tokens" are a kind of digital key that allowed the hackers to gain access to those accounts.


    Guy Rosen, Facebook's vice president of product management, wrote in a blog post, "It is clear that the attackers succeeded in breaching Facebook's code." Facebook chief executive Mark Zuckerberg said that engineers discovered the flaw on Tuesday and that it was fixed by Thursday night. He said, "We have fixed this flaw and informed law enforcement."

    Zuckerberg said, "We do not know whether any account was actually misused. This is a serious issue. Facebook has, as a precaution, temporarily removed the 'View As' feature. This feature is a privacy tool that lets users see how their own profile will look to another person."


    How did it happen?
    Facebook has a feature called 'View As' that lets us see how our profile will look when another person views it. It was by turning on this feature that the password leak reached the hackers' hands. Because of this bug in Facebook's View As feature, the accounts of 50 million people were breached. After this, as a security measure, the company removed one of its major features from the Facebook platform.

    According to reports, users who used the 'View As' tool on their profile in the past year will have to log in to Facebook again, and also to the apps that they logged in to through Facebook. After that, they will be able to see a statement provided by Facebook about what happened. According to the company's estimate, about 90 million people will have to log in again.