Summary of Results

Type of HashCracking Performance
for 4 Hashes
Windows 71.3 sec. with dictionary of 500,000 words Instructions
Linux20 sec. with dictionary of 500 words Instructions
Wordpress4 min. with dictionary of 500,000 words Instructions
Joomla1.1 sec. with dictionary of 500,000 words Instructions

Hash Types

Windows hashes are one round of MD4 with no salt.

Wordpress hashes are now $P$B type phpass: 8193 iterations of MD5, with salt

Drupal 7 hashes are $S$C type phpass: 16385 interations of SHA-512, with salt. They are even more secure than Linux hashes, as shown below.

Linux passwords are 5000 rounds of SHA-512, with salt.

Comparing Drupal 7 and Linux Hashes

I was able to test Drupal 7 and Linux hashes with John the Ripper and the list of 500 passwords.

As shown below, john took 3.6 seconds to crack Linux hashes, but 39 seconds to crack Drupal 7 passwords. This verifies that Drupal 7 passwords are even more secure than Linux passwords.

John Cracking Linux Hashes

John Cracking Drupal 7 Hashes


Joomla Security Extensions

Cracking Linux and Windows Password Hashes with Hashcat

I decided to write up some Hashcat projects for my students:

Cracking Linux Password Hashes with Hashcat

Cracking Windows Password Hashes with Hashcat

The results were impressive and easy to understand.

By default, Kali Linux uses Type 6 Crypt password hashes--salted, with 5000 rounds of SHA512.

It takes 20 seconds to crack four hashes like that, using a dictionary of only 500 words (a very small dictionary).

Windows 7, however, uses NT hashes--no salt, one round of MD4.

It takes 1.3 seconds to crack four NT hashes, using a dictionary of 500,000 words.

So Windows hashes are more than 10,000 times weaker than Linux hashes.

Posted 1:56 PM 6-16-13 by Sam Bowne
Added Wordpress and Joomla Hashes 11:40 am 6-19-13
Added Joomla Security Extensions 3:53 PM 6-19-13
Linux instructions link fixed 4:30 PM 6-19-13

Drupal information added 4:28 PM 6-20-13