hashcat
hashcat (18.9k โญ) is a well-known, and popular tool to crack passwords. For convenienceโs sake, we store the hash in a file hash.
# use quotes, so that $/... aren't interpreted
$ echo 'some hash here' > myhash
Crack a password/hash:
$ hashcat -m hcode myhash wordlist
$ hashcat -m hcode myhash /usr/share/wordlists/rockyou.txt
# you can provide a list of hashes too
$ hashcat -m hcode myhashes wordlist -o hashes_cracked
Once a hash was cracked, hashcat will store it in its data folder, which may be one of ~/.hashcat/hashcat.potfile or ~/.local/share/hashcat/hashcat.potfile. You can also use --show:
$ hashcat -m hcode --show myhash # unique hashes
$ hashcat -m hcode --show --username myhash # all
Common options:
-
-m hcode: the hashing algorithm code | provided by nth/haiti/...- MD5 (0) / MD4 (900) / SHA1 (100) / NTLM (1000)
- SHA256 (1400) / bcrypt (3200) / sha512crypt (1800)
- See the hashcat help or hashcat reference
-
-a acode: the kind of attack (Default is 0=Straight) -
-o output: file to store cracked passwords -
--show: show cracked passwords -
--remove: remove cracked hashes -
--username: can be used to ignore username in hashuser:password -
-r /path/to/xxx.rule: load a rule file
You can run a benchmark test and add optimization parameters:
$ hashcat -m hcode -b
$ hashcat -m hcode [...] -O # kernel optimization
$ hashcat -m hcode [...] -w 3 # 1="half power", 3="full power"
โ ๏ธ Test with and then without kernel optimization.
โ ๏ธ Never use --force, try to troubleshoot the root cause.
Hashcat Attack Modes
Combination Attack Mode
The combination attack mode takes a variable number of wordlists and generate a wordlist that is a combination of them. The final wordlist is used to crack the hashes.
$ hashcat -a 1 -m hcode myhash <list of wordlists>
Brute force Attack Mode
Generate or use a mask and try every combination until either the password is found or the character set is exhausted.
$ hashcat -a 3 <mask>
Hybrid Attack Modes
You can append (6) a mask to a wordlist:
$ hashcat -a 6 wordlist <mask>
You can prepend (7) a mask to a wordlist:
$ hashcat -a 7 <mask> wordlist
Hashcat Masks
A mask is similar to a pattern/regex but with hashcat specific rules. Everything is explained in the documentation.
-
?l: lower characters (a-z) -
?u: upper characters (A-Z) -
?d: number (0-9) -
?h: same as?l+?d -
?H: same as?u+?d - ...
We can use placeholders: ?1, ?2, ?3, and ?4 to specify a custom charset. Other characters are not replaced.
Examples with/without a custom charset:
$ hashcat [...] "?u?l?l?l" # Matches: Toto
$ hashcat [...] -1 ?u?l "?1?l?l?l" # Matches: Toto or toto
See also: --increment, --increment-max.
Hashcat Rules
Hashcat rules allow us to define complex password rules/patterns. The complete list is available here but in short, we can:
- Append/Prepend letters
- Delete letters/Truncate words
- Duplicate letters
- Reverse words
- ...
Existing rules are stored in: /usr/share/hashcat/rules/. You can use -g n to generate and use n random rules.
For instance, example.rule contains 3 rules:
# replace "o" with "0"
so0
# replace "a" with "@" and append "00"
sa@ $0 $0
# capitalize and append 1
c $1
Debugging Example.rule
$ cat ./wordlist
toto
tata
titi
$ hashcat -a 0 --stdout -r ./example.rule ./wordlist
t0t0
toto00
Toto1
tata
t@t@00
Tata1
titi
titi00
Titi1
Wordlist generation
You can use hashcat to generate a wordlist using --stdout. The kind of generated wordlist is determined by the attack mode selected.
$ hashcat -a 1 --stdout wordlist1 wordlist2
<combination wordlist>
You can do the same with masks:
$ hashcat -a 3 <mask> --stdout
<brute force wordlist from the mask>
If you are using a rule:
$ hashcat -a 0 --stdout -r /path/to/xxx.rule wordlist
<wordlist from the rule>
๐ป To-do ๐ป
Stuff that I found, but never read/used yet.