What is Dehashing?


What Is Dehashing?

First of all, what is dehashing? It is the process of getting the plain string back from a hash, which looks like a string of random letters and numbers. Hashing is also a security measure so that plain passwords are not stored in the database. There are many types of hashes. There is also the term ‘salt’, but what is that? Salt is an additional part of the hash.

It is a randomly generated string added to the hash. If it is added, the hash is harder to dehash. I will not explain every hash type here. To recognize a hash type you can use this site (in hashcat every hash type has its own code; for example, MD5 has 0). However, how can you recognize a hash? It is just a combination of letters and numbers. For example:

MD5 hash: 8743b52063cd84097a65d1633f5c74f5

SHA-256 hash: 127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935
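What the salt changes for anyone auditing a hash file, as an added example that is not part of the original tutorial: unsalted MD5 gives identical hashes for identical passwords, so one lookup table covers every account, while a per-user salt with a slow function forces a separate computation per account and per word. The user names, passwords, wordlist and function names are constructed for illustration, and PBKDF2 is an assumed stand-in for whatever salted scheme an application uses.

```python
import hashlib
import hmac
import os

# Constructed sample data: alice and bob happen to share one weak password.
USERS = {"alice": "Summer2024", "bob": "Summer2024", "carol": "x9!Tq#rLw2"}
WORDLIST = ["123456", "password", "Summer2024", "qwerty"]

def md5_unsalted(password):
    """Password alone through MD5: 32 hex characters, hashcat code 0."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_salted(password, salt=None, rounds=100_000):
    """Random per-user salt plus a deliberately slow derivation function."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest

def audit_unsalted(stored, wordlist):
    """Hash each word once; the same table is valid for every account."""
    table = {md5_unsalted(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}

def audit_salted(stored, wordlist, rounds=100_000):
    """Each (account, word) pair needs its own slow computation."""
    found, work = {}, 0
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            work += 1
            _, guess = pbkdf2_salted(word, salt, rounds)
            if hmac.compare_digest(guess, digest):
                found[user] = word
                break
    return found, work

if __name__ == "__main__":
    unsalted = {u: md5_unsalted(p) for u, p in USERS.items()}
    salted = {u: pbkdf2_salted(p) for u, p in USERS.items()}
    print("same MD5 for alice and bob:", unsalted["alice"] == unsalted["bob"])
    print("same salted digest:", salted["alice"][1] == salted["bob"][1])
    print("unsalted audit:", audit_unsalted(unsalted, WORDLIST))
    print("salted audit (found, hash computations):", audit_salted(salted, WORDLIST))
```

The weak shared password is found in both cases; the salt removes the shared lookup table and the slow function raises the cost of every guess, while a password that is in no wordlist, like carol's here, is not recovered either way.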

Dehashing

You cannot even recognize which letters are used in the real password, so how can you check it? There are some programs to do it, but the most advanced and the best is hashcat, a console program that allows you to dehash almost every type of hash and get a plain string (password). Do not buy any paid dehashing programs; hashcat is free and the best. It is the world’s fastest password recovery tool and comes in CPU-based or GPU-based variants. This software can dehash large databases with millions of rows for you.

The speed of the dehashing process depends on your PC components. You will also need a large disk for dictionaries. Why do you need them? Hashcat without dictionaries/wordlists is useless (you can use a bruteforce mode to dehash without dictionaries, but it will take years to crack a simple password like Madonna5432Sarah, which is why we will use wordlists). A wordlist contains billions of password combinations. Where can you find the wordlists? How many wordlists is a good amount? As many as possible.

There is a list of useful links to download the dictionaries. Let’s move to the practical part. Download hashcat and unzip it into a folder. Open this folder, right-click on a blank space and select the Open command window here option from the context menu. You will see a console window with the hashcat path. As you have probably already guessed, it will not work without commands, so you have to learn some, but you have to do something else first.

You have to create one folder and one .txt file in the hashcat folder. Name the .txt file hashes.txt and the folder dict. Put all your wordlists in the folder (they do not have to have the .txt extension; some wordlists have the .wordlist extension, and hashcat still loads them). In the hashes.txt file, you have to put your hashed database/combo in the format user:hash or e-mail:hash. Move back to the console window and type the command:

hashcat64.exe -m 0 --username hashes.txt dict

  • -m – after this argument type the hash ID (you can find all IDs there),
  • 0 – the hash ID/code,
  • hashes.txt – file with hashes,
  • dict – folder with dictionaries/wordlists.

After you run this command, hashcat will check the compatibility and format of the loaded hashes, then the dehashing process will start. You can check the current status by pressing S on the keyboard (you will see info like wordlist position, current status, how many hashes have been cracked already and much more) and bypass the current wordlist by pressing B. You can also exit by pressing E. When hashcat finishes dehashing, you have to save your dehashed combo in the format user/e-mail:pass. To do it, execute this command:

hashcat64.exe -m 0 --username --show hashes.txt --outfile-format=2 -o cracked.txt

  • 0 – hash code that you set in the previous command,
  • hashes.txt – file with hashes,
  • cracked.txt – will be a file with your plain user/e-mail:pass output. You can name it as you want.

That is all. Simple and noob-friendly. Now you can open your output file, load it to Sentry MBA or SNIPR and start cracking.

