Hashcat

About

Hashcat is a free powerful open-source hash cracking tool. From their github "hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 300 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking."

hashcat has a lot of additional and helpful tools as well as ZerBea has made some helpful tools as well.

Hashcat Homepage

Hashcat Github

HCXTools

From their github "Small set of tools convert packets from captures (h = hash, c = capture, convert and calculate candidates, x = different hashtypes) for the use with latest hashcat or John the Ripper. The tools are 100% compatible to hashcat and John the Ripper and recommended by hashcat. This branch is pretty closely synced to hashcat git and John the Ripper git."

HCXTools Github

Install

You can download their binaries or sources from their homepage or compile from source on linux.

Hashcat

cd /opt/

sudo git clone https://github.com/hashcat/hashcat && cd hashcat

sudo make

sudo make install

Hashcat-Utils

cd /opt/

sudo git clone https://github.com/hashcat/hashcat-utils.git && cd hashcat-utils/src

sudo make

sudo cp *bin ../bin

HCXTools

sudo apt install libcurl4-openssl-dev libssl-dev zlib1g-dev

cd /opt/

sudo git clone https://github.com/ZerBea/hcxtools.git && cd hcxtools

sudo make

sudo make install

Usage

General

hashcat can be used in many forms but the usual format I follow is:

hashcat (attackmode) (hashtype) (workload profile) (hashfile)

Example: hashcat -a # -m # -w # CrackMe.txt

The types of attackmodes are:

• Straight - Tries the exact words that are in your chosen wordlist(s), with no modifications other than rules.

• Combination(Combinator) - Combines the current word with the rest of the words in the wordlist.

If your wordlist was:

aa

bb

cc

dd

It woud generate hashes for the keys: aabb, aacc, aadd, bbcc, bbdd, ccdd, with no modifications other than rules.

• Brute-Force - Tries all combinations from a given Keyspace. It is the easiest of all the attacks.

• Hybrid Wordlist+Mask - "The hybrid attack is just a Combinator attack. One side is simply a dictionary, the other is the result of a Brute-Force attack. In other words, the full Brute-Force keyspace is either appended or prepended to each of the words from the dictionary. Hence the name, “hybrid”."

• Hybrid Mask+Wordlist - Same as "Hybrid Mask+Wordlist" above but swapped.

• Association - This attack is not yet ready. More info can be found here.

There are a lot of hashtypes so I won't try to list them here but these can be found with hashcat --help | less and running down till we find the list. We can also grep for specific hash types as well. hashcat --help | grep NTLM.

The workload profile is something we use to speed up the process but can make it so the rest of the computer is slow as it uses much more processing power. Workload Profile types are:

Dictionary

If we want to use a dictionary attack, like using rockyou.txt for example

hashcat -a 0 -w 3 -m 22000 -w 3(hash file) (wordlist)

Depending on your hardware, the dictionary you chose, and the password, this may take some time. You can press S for a status to see the time time estimated on finishing, as well as the updated "Recovered.Total" to see the recovered keys"

We can run the same command again with --show appended to the end to see our cracked passwords.

Brute Force

If we wanted to run a brute force attack rather than a dictionary attack, it's a similar command

hashcat -a 3 -w 3 -m 22000 -w 3 (hash file) '?l?l?l?l?l?l?l'

Replace the ?l with whatever we deem fit.

• ?l = a-z

• ?u = A-Z

• ?d = 0-9

• ?h = 0-9a-f

• ?H = 0-9A-F

• ?s = !"#$%&'()*+,-./:;<=>?@[]^_`{|}~

• ?a = ?l?u?d?s

• ?b = 0x00 - 0xff

This will cover the basics of the hash cracking with hashcat but it can get SO much more advanced with hashcat.