Password Hashing with Python

What You Need

Any computer with Python 2.7 installed.

Purpose

Learn how passwords are stored with hashing, and how to use hashes in Python.

Task 1: Understanding Hashes

Understanding Hashes

Long ago, passwords were just stored in a file on a server, but in 1978, Robert Morris released a better system for Linux called crypt.

Unfortunately, Microsoft uses a system named "NTLM hashing" that is millions of times weaker, which has never been updated since it was released in 1993 with Windows NT.

An Example

Here's a simple test case. A password of 
password
has this hash on Windows machines: 
8846f7eaee8fb117ad06bdd830b7586c
Windows does not use any salt, so every user with the same password has the same password hash.

Task 2: Calculating Windows Password Hashes with Python

Using a text editor such as Notepad, create a file with this code, as shown below: 
import hashlib
passwd = raw_input('Enter password: ')
print hashlib.new('md4', passwd)

Save the file as hash1.py. Save it in a location where you can find it, such as your Documents folder.

Running the hash1.py Script

In a Command Prompt window, execute these commands to move into your Documents folder and run the hash1.py program.

(You will probably need to change "Administrator" to your login name.) 

cd C:\Users\Administrator\Documents
python hash1.py
You get an "md4 HASH object", instead of the expected hash value, as shown below.

This is a hash, but it's a binary object and all you see is its memory location. To see the normal result in hexadecimal, add the hexdigest() method like this:

Run the program again. This time you should get the exact hash shown below:

This looks more like a hexadecimal hash, but it's incorrect for Windows passwords. As shown above, the correct NT hash starts with 8846.

That's because the Windows algorithm uses Unicode, not ASCII, to encode the characters.

Modify your program to use Unicode, as shown below. (NOTE: the code for Unicode is "UTF-16LE" with the letters in lowercase, NOT "utf-161e".)

Run the program again. This time you should get the exact hash shown below:

Task 3: Making a Hash Dictionary

Create a program that calculates the NTLM hashes for all two-digit passwords from 00 to 99.

Here is an example that calculates five hashes.

Your last few hashes should match the imge below.

Challenge 1: Cracking Windows Hashes

The following Windows passwords are constructed according to this system:
CCSF-username-PIN
Where "username" is the username in lowercase and PIN is a two-digit number.

For example, a user named "Sam" might have a password like this:

CCSF-sam-01
Crack these passwords, which were collected from a Windows 7 machine with Cain.
Ming:"":"":AAD3B435B51404EEAAD3B435B51404EE:52C4859C0617E4A8FEC24BA890C5FC57
Mohammed:"":"":AAD3B435B51404EEAAD3B435B51404EE:39057EF3A9FE57D98E7A9BAB7CD2F4F9
sam:"":"":AAD3B435B51404EEAAD3B435B51404EE:19A641D2520B983ABB7C931CEFF933FA
Note that the NTLM hash is the rightmost part of each line, after the last colon.

You'll be able to get your name onto these pages:

Username:            Password:    

Challenge 2: MD5 Hashes with Several Rounds

The company using the Windows passwords in the previous challenge sets up an online system, with passwords formed the same way.

Somewhere in the Terms of Service, it strongly warns users not to re-use the same password as their Windows password.

In addition, it is now much more secure, because it uses MD5 instead of MD4, and not only that, it uses many rounds of MD5.

It doesn't use Unicode encoding.

Crack these hashes:

Ming: 7621eca98fe6a1885d4f5f56a0525915
Mohammed: b2173861e8787a326fb4476aa9585e1c
sam: 42e646b706acfab0cf8079351d176121

You'll be able to get your name onto these pages:

Username:            Password:    

Challenge 3: Many Rounds of MD5 and SHA-1

Somehow, evil hackers broke into the previous Web application.

So the new, super-enhanced system uses a much larger number of MD5 rounds, followed by an even larger number of SHA1 hash rounds. Of course, the total number of hashing rounds is less than 500, because management is sure that's enough.

And now each user has to click "I Agree" to a pop-up box requiring them not to re-use passwords, so only a complete idiot would do that.

Crack these hashes if you can!

Ming: ce788ed5f855e51e6fd78f923b43a6407467c5f2
Mohammed: 582d99006950cddeb2df9f40b3f65ebc283dc378
sam: da660655f4d4714fe605e9063d1ded4b749c50a9

You'll be able to get your name onto these pages:

Username:            Password:    

Updated to Arial and https 10-20-18