# Hashing & Cracking ## What is hashing Hashing is **simply passing some data through a formula that produces a result**, called a hash. That hash is usually a string of characters and the hashes generated by a formula are always the same length, regardless of how much data you feed into it. (SHA,MD5,MD4,GOST) ## Cracking hashes ### Using Hashcat You can use the [list here ](https://hashcat.net/wiki/doku.php?id=example_hashes)which is a complete list of Hashcat supported hash types. ``` hashcat -m -a 0 ``` ### Using John Sometimes you might have difficulties with Hashcat, try John ``` john --wordlist=/usr/share/wordlists/rockyou.txt ``` ### HTTP Basic Authorization Header Brute Force Basic authorization is..**basic**. A username and a password separated by a colon is then encoded in Base64. The screenshot below demonstrate the credentials admin:admin being sent through the Authorization header of an HTTP request. ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Mk3RnfEHBP3zuZMsnli%2F-MkV9dCxoroYOZmK8JfL%2F-MkXr148onxpziKddnkj%2Fimage.png?alt=media\&token=19dacfd0-fb6d-4ec4-8676-820b3956052b) ``` hydra -l admin -P passwordlist -s -f example.com http-get /api/v1/users -vV -t 64 ``` {% hint style="info" %} **ProTip:** You can/should always test first by using a set of valid credentials and check if it returns it valid. ``` hydra -l known_user -p known_password -s -f example.com http-get /api/v1/users -vV ``` {% endhint %} ### HTTP Post form Brute Force Most of the time, authentication is made via a form posted to the web server. You can try to brute force it but watch out for **CSRF**. Try sending the same request twice using **burp.** ``` hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 31111 -f example.com http-post-form '/user/login:user_name=^USER^&password=^PASS^:Credz are incorrect.' -vV -t 64 ```