hashcat
hashcat (18.9k ⭐) is a well-known and popular tool to crack passwords. For convenience's sake, we store the hash in a file (myhash in the commands below).
# use quotes, so that $/... aren't interpreted
$ echo 'some hash here' > myhash
Crack a password/hash:
$ hashcat -m hcode myhash wordlist
$ hashcat -m hcode myhash /usr/share/wordlists/rockyou.txt
# you can provide a list of hashes too
$ hashcat -m hcode myhashes wordlist -o hashes_cracked
Once a hash has been cracked, hashcat stores it in the potfile in its data folder, which may be one of ~/.hashcat/hashcat.potfile or ~/.local/share/hashcat/hashcat.potfile. You can also use --show:
$ hashcat -m hcode --show myhash # unique hashes
$ hashcat -m hcode --show --username myhash # all
Common options:
- -m hcode: the hashing algorithm code, provided by nth/haiti/...
  - MD5 (0) / MD4 (900) / SHA1 (100) / NTLM (1000)
  - SHA256 (1400) / bcrypt (3200) / sha512crypt (1800)
  - See the hashcat help or hashcat reference
- -a acode: the kind of attack (Default is 0=Straight)
- -o output: file to store cracked passwords
- --show: show cracked passwords
- --remove: remove cracked hashes
- --username: can be used to ignore username in hashuser:password
- -r /path/to/xxx.rule: load a rule file
You can run a benchmark test and add optimization parameters:
$ hashcat -m hcode -b
$ hashcat -m hcode [...] -O # kernel optimization
$ hashcat -m hcode [...] -w 3 # 1="half power", 3="full power"
⚠️ Test with and then without kernel optimization.
⚠️ Never use --force; try to troubleshoot the root cause.
Hashcat Attack Modes
Combination Attack Mode
The combination attack mode takes a variable number of wordlists and generates a wordlist that is a combination of them. The final wordlist is used to crack the hashes.
$ hashcat -a 1 -m hcode myhash <list of wordlists>
Brute force Attack Mode
Generate or use a mask and try every combination until either the password is found or the character set is exhausted.
$ hashcat -a 3 <mask>
Hybrid Attack Modes
You can append (6) a mask to a wordlist:
$ hashcat -a 6 wordlist <mask>
You can prepend (7) a mask to a wordlist:
$ hashcat -a 7 <mask> wordlist
Hashcat Masks
A mask is similar to a pattern/regex but with hashcat-specific rules. Everything is explained in the documentation.
- ?l: lower characters (a-z)
- ?u: upper characters (A-Z)
- ?d: number (0-9)
- ?h: same as ?l+?d
- ?H: same as ?u+?d
- ...
We can use placeholders ?1, ?2, ?3, and ?4 to specify a custom charset. Other characters are not replaced.
Examples with/without a custom charset:
$ hashcat [...] "?u?l?l?l" # Matches: Toto
$ hashcat [...] -1 ?u?l "?1?l?l?l" # Matches: Toto or toto
See also: --increment, --increment-max.
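When reviewing a password policy, it helps to know how many candidates a mask such as the ones above covers. The Python sketch below is an added example, not part of the original notes or of hashcat itself. It assumes only ?l, ?u, ?d, literal characters and the custom charsets ?1 to ?4, and its function names (parse_mask, keyspace) are hypothetical.

```python
"""Count the candidates a hashcat-style mask covers (added, constructed example)."""
import string

# Only ?l, ?u and ?d are modelled; any other built-in placeholder raises ValueError.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
}


def parse_mask(mask, custom=None):
    """Return one set of allowed characters per position of the mask."""
    custom = custom or {}
    positions, i = [], 0
    while i < len(mask):
        key = mask[i + 1] if mask[i] == "?" and i + 1 < len(mask) else None
        if key is None:                 # any other character is kept as a literal
            positions.append({mask[i]})
            i += 1
            continue
        if key == "?":                  # '??' stands for a literal question mark
            positions.append({"?"})
        elif key in BUILTIN:
            positions.append(set(BUILTIN[key]))
        elif key in custom:             # ?1..?4, defined on the CLI with -1..-4
            # A custom charset is the union of everything its definition names.
            positions.append(set().union(*parse_mask(custom[key])))
        else:
            raise ValueError(f"unsupported placeholder ?{key}")
        i += 2
    return positions


def keyspace(mask, custom=None, increment=False):
    """Candidates for the full mask, or summed over every prefix length
    when increment=True (what --increment iterates over)."""
    totals, running = [], 1
    for allowed in parse_mask(mask, custom):
        running *= len(allowed)
        totals.append(running)
    if not totals:
        return 0
    return sum(totals) if increment else totals[-1]


if __name__ == "__main__":
    print(keyspace("?u?l?l?l"))                       # mask from the notes above
    print(keyspace("?1?l?l?l", custom={"1": "?u?l"}))  # with -1 ?u?l
```

Dividing the result by the hash rate reported by the benchmark (-b) gives a rough upper bound on how long a pattern withstands exhaustive search.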
Hashcat Rules
Hashcat rules allow us to define complex password rules/patterns. The complete list is available here but in short, we can:
- Append/Prepend letters
- Delete letters/Truncate words
- Duplicate letters
- Reverse words
- ...
Existing rules are stored in /usr/share/hashcat/rules/. You can use -g n to generate and use n random rules.
For instance, example.rule contains 3 rules:
# replace "o" with "0"
so0
# replace "a" with "@" and append "00"
sa@ $0 $0
# capitalize and append 1
c $1
Debugging Example.rule
$ cat ./wordlist
toto
tata
titi
$ hashcat -a 0 --stdout -r ./example.rule ./wordlist
t0t0
toto00
Toto1
tata
t@t@00
Tata1
titi
titi00
Titi1
Wordlist generation
You can use hashcat to generate a wordlist using --stdout. The kind of generated wordlist is determined by the attack mode selected.
$ hashcat -a 1 --stdout wordlist1 wordlist2
<combination wordlist>
You can do the same with masks:
$ hashcat -a 3 <mask> --stdout
<brute force wordlist from the mask>
If you are using a rule:
$ hashcat -a 0 --stdout -r /path/to/xxx.rule wordlist
<wordlist from the rule>
👻 To-do 👻
Stuff that I found, but never read/used yet.