Is It Possible to Use Hashcat in a Virtual Machine on Azure?

Is it possible to use Hashcat in a virtual machine on Azure?

Let see if this answers your question, if not, ring the bell again and we’ll see what I can do. This post steps through the process of using the popular hashcat password recovery utility to recover PDF file passwords on an Azure virtual machine. I am curious to see how secure my own emailed PDF statements really are. The examples uses (fictitious) South African ID numbers as passwords, since this protection is common for emailed PDF account statements in South Africa. Hashcat proclaims itself as the world’s fastest and most advanced password recovery tool. It can be used to recover passwords for Microsoft Office, Wi-Fi, TrueCrypt/VeraCrypt, Windows login, Bitcoin wallet, iTunes & Android backups, Lastpass & 1Password, RAR, WinZip, 7Zip, and many more. Below are the steps I took to recover PDF passwords. Step 1 — Identify the PDF encryption Not all PDF encryption are alike. Old versions of the PDF format had weak encryption while recent versions of support up to 256-bit keys. It common to see 128-bit keys used for compatibility with Add Page Numbers To Pdf.online Reader 5, 6, 7, and 8. Password-protected PDF files created by Microsoft Word use 128-bit keys. Below table shows the different PDF encryption types along with hashcat’s “hash mode” codes. PDF encryption types (source. hashcat wiki) The best tool to identify the PDF encryption type for your PDF file is called ‘John the Ripper’, available on GitHub. There is also a website which runs the tool for you so you do not have to. Output from John the Ripper’s pdf2john command The result from the tool will look like below. The 128 near the start shows that the PDF uses 128-bit encryption. From the table above, we see that hashcat should use hash mode 10500 to recover the password (remember this for step 5). $pdf$4*4*128*-1060*1*16*37a47e9c9c7fd444af130fd55eb4a6c6*32*2975e1119cfae57c187faae26ef8be2400000000000000000000000000000000*32*f3ab923457da9df62ba5a06c43dfbd5e5f2dbf5f1e36b3d18274100c04dc3a4d The output from these tools is called the encryption hash for the file and is the input for hashcat. Save the hashes to a text file called hashes.txt, one hash per line, starting with $pdf$. You will need this file in Step 5. Note that John the Ripper adds the filename and a colon to the beginning of the hash. This should be removed for hashcat. Step 2 — Limit the search space I am interested in recovering a PDF document protected by a South African national ID number as the password, since this is often used by banks, insurance companies, telecoms, etc. to email PDF statements. SA ID numbers are 13 digits long. The simplest approach is to just tell hashcat to try all possible 10¹³ number combinations. Fortunately we can do better than this... South African national identification numbers contain no whitespace, no punctuation, and no alpha characters. It is defined as YYMMDDSSSSCAZ, where. YYMMDD represents the date of birth. MM can only be 01 to 12, and DD can only be 01 to 31. SSSS is a sequence number registered with the birth date (females are assigned sequential numbers starting with 0 to 4 and males from 5 to 9). The first digit is most likely 0, 4 or 5. We can start with these in the hashcat rule and expand if nothing is found. C is the citizenship with 0 if the person is a SA citizen, 1 if the person is a permanent resident. We can start with 0 in the hashcat rule and include 1 if nothing is found. A is 8 or 9. Z is a checksum digit. It can be any digit, 0 to 9. Above information shrinks the password space to roughly 10⁹ possible combinations. This is 10,000 times fewer combinations than before! It means hashcat can recover the password about 10,000 times faster than just trying 0 to 9 for each digit in a 13-digit South African ID number. The next step explains how to translate this into something that hashcat can understand. Step 3 — Create a hashcat mask Hashcat has a high-performance template system which generates password guesses for it to test. Documentation can be found here. When guessing a 13-digit password, the mask is ?d?d?d?d?d?d?d?d?d?d?d?d?d. Our knowledge about SA ID number formats means we can create smarter masks. For example, if the third last digit is 0, we replace the ?d with an 0. Four possible masks are shown below. My final list of masks can be downloaded here. All of these masks should be saved into a text file, one mask per line. ?d?d0?d0?d0?d?d?d08?d — months 1 to 9, day 0 to 9, female, A=8 ?d?d0?d0?d5?d?d?d08?d — months 1 to 9, day 0 to 9, male, A=8 ?d?d0?d1?d0?d?d?d08?d — months 1 to 9, day 10 to 19, female, A=8 … ?d?d12315?d?d?d09?d — month 12, day 31, male, A=9 Step 4— Create an Azure instance Hashcat’s algorithms can be accelerated with Azure’s graphics-intensive virtual machines, namely the N-series and NV-series. Setting it up is a long process, so I created an easy-to-deploy template to launch your own hashcat password recovery server on Azure. It is available here. https.//github.com/carlmon/Hashcat-Azure. Click the “Deploy to Azure” button on the GitHub page and follow the steps. You will need an Azure subscription. NV-series virtual machines are expensive resources and should not be left running while not used. Wait for the deployment to complete and connect to the instance over SSH with certificate authentication. Step 5— Execute To recover the passwords, we need to provide hashcat three things. A list of hashes as extracted from the PDF files during Step 1, hashes.txt. The list of masks created during Step 3, masks.txt. The hash mode, which is 10500 in this case for 128-bit PDF encryption. This was identified in Step 1. The full command to run hashcat is shown below. The -a 3 flag indicates that this is a hashcat mask attack, and the -o results.txt says that recovered passwords should be saved in a file called results.txt. hashcat -m 10500 -a 3 hashes.txt masks.txt -o results.txt Execution on an Azure NV12 virtual machine takes 1–2 minutes to recover both passwords, shown below. The results file contains the full hash with the passwords at the end of each line. Note that these are fictitious ID numbers from PDF files created as an example. Real-world recovery PDF passwords protected with a South African ID number can be achieved in the same time. Recovered passwords Summary This post shows how to create a hashcat server for GPU-based password recovery on Microsoft Azure and use it for recovering passwords from encrypted PDF files. It includes an example of creating a hashcat mask for South African ID numbers. Finally, my curiosity was satisfied by learning that SA ID numbers are not very secure passwords for PDF documents.