Crack WordPress Password Hashes with hashcat How-To

By | 2013/04/23


By default, WordPress password hashes are simply salted MD5 hashes. This is a piece of cake to crack by today’s security standards. hashcat is a great multi-threaded password hash cracker which can eat these hashes for dinner. I’ll show you how to crack WordPress password hashes!


1. First, install hashcat. In this example I am using Gentoo Linux, which has hashcat available in Portage; otherwise you can download it from the hashcat.net website.
Gentoo:

$ sudo emerge -av hashcat-bin


2. Next you will need to find a good dictionary or wordlist. An excellent wordlist is available from http://360percents.com/wordlist

The English > Big Wordlist is good for starters. Download and unzip that wordlist. Note that most ‘serious’ hackers have their own wordlists which can be 10G or more in size.


3. Next, make a text file of the WordPress password hashes from the wp_users table of a WordPress database, one hash per line.

For example, a file hash.txt holds one hash per line, each starting with $P$B.
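
Each $P$ string is in the phpass "portable" format and carries its own parameters: a cost character (B means 2^13 = 8192 rounds), an 8-character salt, then the iterated MD5 digest, so no separate salt file is involved. The Python below is an added example, not code from the original post or from WordPress; its function names and the constructed sample password are assumptions. It labels user_pass values so an administrator can see which accounts still rely on MD5-based formats.

```python
import hashlib
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data: bytes) -> str:
    """phpass's own base64 variant: 3 bytes little-endian -> 4 chars, low bits first."""
    out = []
    for k in range(0, len(data), 3):
        chunk = data[k:k + 3]
        value = int.from_bytes(chunk, "little")
        out += [ITOA64[(value >> s) & 0x3F] for s in range(0, 6 * len(chunk) + 6, 6)]
    return "".join(out)

def parse_phpass(stored: str):
    """Split '$P$' + cost char + 8-char salt + 22-char digest; None if malformed."""
    if not re.fullmatch(r"\$P\$[./0-9A-Za-z]{31}", stored):
        return None
    log2 = ITOA64.index(stored[3])  # cost char encodes log2(iterations)
    if not 7 <= log2 <= 30:  # range that phpass itself accepts
        return None
    return {"iterations": 1 << log2, "salt": stored[4:12], "digest": stored[12:]}

def phpass_hash(password: str, setting: str) -> str:
    """Recompute the full stored string from a password and a hash's first 12 chars."""
    p = parse_phpass(setting[:12] + "." * 22)
    if p is None:
        raise ValueError("not a phpass setting")
    pw = password.encode()
    h = hashlib.md5(p["salt"].encode() + pw).digest()
    for _ in range(p["iterations"]):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + encode64(h)

def classify(stored: str) -> str:
    """Label a user_pass value so weak legacy formats stand out in an audit."""
    p = parse_phpass(stored)
    if p:
        return f"phpass-md5 x{p['iterations']} salt={p['salt']}"
    if re.fullmatch(r"[0-9a-fA-F]{32}", stored):
        return "raw-md5 (unsalted)"
    return "bcrypt" if stored.startswith(("$2y$", "$wp$2y$")) else "unknown"

if __name__ == "__main__":
    # Constructed rows: one phpass value generated here, plus the raw MD5 from the page.
    rows = [phpass_hash("constructed-pass", "$P$BabcdEFGH"), "85267b760313713f2e5d5fe11a83af03"]
    for row in rows:
        print(row, "->", classify(row))
```

Rows reported as raw-md5 or phpass-md5 are the ones to migrate to a slower scheme; the salt and round count shown are read straight from the stored string.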


4. Run hashcat-cli* --help

Running hashcat-cli32.bin --help will show options. Pay particular attention to the Hash types as well as Attack modes.


Crack away!

5. Now run hashcat as follows:

$ hashcat-cli32.bin -m[hash type] -a[attack mode] hashfile.txt wordlist.list

One example:

$ hashcat-cli32.bin -m400 -a4 /home/stmiller/hash.txt /home/stmiller/eng_alnum_big.lst

Warning: hashcat-cli32.bin is running from /opt/hashcat-bin so be careful of relative paths.
Initializing hashcat v0.44 by atom with 8 threads and 32mb segment-size...

Added hashes from file /home/stmiller/hash.txt: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

NOTE: press enter for status-screen


Input.Mode: Dict (/home/stmiller/eng_alnum_big.lst)
Index.....: 1/1 (segment), 520644 (words), 8035785 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 4.28k plains, - words
Progress..: 17/520644 (0.00%)
Running...: 00:00:01:27
Estimated.: --:--:--:--


Input.Mode: Dict (/home/stmiller/eng_alnum_big.lst)
Index.....: 1/1 (segment), 520644 (words), 8035785 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 4.28k plains, - words
Progress..: 17/520644 (0.00%)
Running...: 00:00:01:29
Estimated.: --:--:--:--

Now go get some coffee!


For an easy hash to crack, try this:

hash.txt = 85267b760313713f2e5d5fe11a83af03

$ hashcat-cli32.bin -m0 -a2 /home/stmiller/nobackup/wordlist/hash.txt /home/stmiller/nobackup/wordlist/Super-WPA 
Warning: hashcat-cli32.bin is running from /opt/hashcat-bin so be careful of relative paths.
Initializing hashcat v0.44 by atom with 8 threads and 32mb segment-size...

Added hashes from file /home/stmiller/nobackup/wordlist/hash.txt: 1 (1 salts)
Activating quick-digest mode for single-hash

NOTE: press enter for status-screen


Input.Mode: Dict (/home/stmiller/nobackup/wordlist/Super-WPA)
Index.....: 1/344 (segment), 3377508 (words), 33550344 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 1.74M plains, 427.26k words
Progress..: 470572/3377508 (13.93%)
Running...: 00:00:00:01
Estimated.: 00:00:00:06


Input.Mode: Dict (/home/stmiller/nobackup/wordlist/Super-WPA)
Index.....: 1/344 (segment), 3377508 (words), 33550344 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 1.25M plains, 9.42k words
Progress..: 3002901/3377508 (88.91%)
Running...: 00:00:05:19
Estimated.: 00:00:00:39


85267b760313713f2e5d5fe11a83af03:ladiesman
All hashes have been recovered

hashcat is multi-threaded, so it works faster than John the Ripper. Using oclHashcat-plus is even faster if you have a high-end video card available. For a better wordlist, a few good ones are floating around on piratebay.

8 thoughts on “Crack WordPress Password Hashes with hashcat How-To”

  1. Marguerite Maynard

    The above line was my attempt to run Hashcat against my MD5.txt collection of hashes using attack mode 3 (“brute force”) and hashing method 0 (MD5) while applying the “perfect.rule” variations. This turned out to be badly misguided. For one thing, as I later learned, I had managed to parse the syntax of the command line incorrectly and had the “MD5.txt” entry in the wrong spot. And brute force attacks don’t accept rules, which only operate on wordlists—though they do require a host of other options involving masks and minimum/maximum password lengths.

  2. Peter T

    I’m sorry but I don’t see where you get the hash salt... I mean we obviously need the salt and it is not stored in the MySQL table but in the wp_config.php along with the other encryption keys. Or did I miss something?

  3. SoulN

    Thank you for your posts, they’ve helped me a lot! I have to find an access for a certain username from a website using wp-login.php, I’ve tried the following:
    1) Burp Suite recommends localhost with proxy 8080 but unfortunately Burp Suite doesn’t intercept anymore
    2) Havij, I’ve tried but it can’t find the password

    I’m a newbie, maybe I’m doing it wrong, help me please, thank you!

  4. John Blackbourn

    By default, WordPress password hashes are simply salted MD5 hashes.

    This hasn’t been the case for about seven years.
