# Cryptography ### Key Terms #### Plaintext Data before encryption or hashing, often text but not always as it could be a photograph or other file instead. #### Encoding This is NOT a form of encryption, just a form of data representation like base64 or hexadecimal. Immediately reversible. #### Hash A hash is the output of a hash function. Hashing can also be used as a verb, "to hash", meaning to produce the hash value of some data. #### Brute force Attacking cryptography by trying every different password or every different key #### Cryptanalysis Attacking cryptography by finding a weakness in the underlying maths *** ### Rainbow Tables A rainbow table is a lookup table of hashes to plaintexts, so you can quickly find out what password a user had just from the hash. A rainbow table trades time taken to crack a hash for hard disk space, but they do take time to create. #### Example `Hash : Password` `02c75fb22c75b23dc963c7eb91a062cc : zxcvbnm` `b0baee9d279d34fa1dfd71aadb908c3f : 11111` *** ### Protection against Rainbow Tables To protect against rainbow tables, we add a salt to the passwords. The salt is randomly generated and stored in the database, unique to each user. The salt is added to either the start or the end of the password before it’s hashed, and this means that every user will have a different password hash even if they have the same password. *** ### Recognizing Password Hashes Automated hash recognition tools exist, but they are unreliable for many formats. For hashes that have a prefix, the tools are reliable. If you found the hash in a web application database, it's more likely to be md5 than NTLM. Automated hash recognition tools often get these hash types mixed up, #### Unix Password Hashes Unix style password hashes are very easy to recognise, as they have a prefix. The prefix tells you the hashing algorithm used to generate the hash. The standard format is `$id$salt$hashed` On Linux, password hashes are stored in /etc/shadow. This file is normally only readable by root. They used to be stored in /etc/passwd, and were readable by everyone. #### Windows Password Hashes Windows passwords are hashed using NTHash/NTLM, which is a variant of md4. They're visually identical to md4 and md5 hashes, so it's very important to use context to work out the hash type. On Windows, password hashes are stored in the SAM. Windows tries to prevent normal users from dumping them, but tools like `mimikatz` or from the Active Directory database: `NTDS.dit` exist for this. Importantly, the hashes found there are split into NT hashes and LM hashes. You may not have to crack the hash to continue privilege escalation- as you can often conduct a "pass the hash" attack instead, but sometimes hash cracking is a viable option if there is a weak password policy. Windows NLTM hash format is `Username:Relative Identifier:LM Hash:NT Hash` A great place to find more hash formats and password prefixes is the [hashcat example page](https://hashcat.net/wiki/doku.php?id=example_hashes) *** ### HMACs HMAC is a method of using a cryptographic hashing function to verify the authenticity and integrity of data. A HMAC can be used to ensure that the person who created the HMAC is who they say they are (authenticity), and that the message hasn’t been modified or corrupted (integrity). They use a secret key, and a hashing algorithm in order to produce a hash. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.nomanaziz.me/cybersecurity/penetration-testing/tryhackme/main-methodology/3.-gaining-access-exploitation/cryptography.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.