Hashcat
About
Hashcat is a free powerful open-source hash cracking tool. From their github "hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 300 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking."
hashcat has a lot of additional and helpful tools as well as ZerBea has made some helpful tools as well.
HCXTools
From their github "Small set of tools convert packets from captures (h = hash, c = capture, convert and calculate candidates, x = different hashtypes) for the use with latest hashcat or John the Ripper. The tools are 100% compatible to hashcat and John the Ripper and recommended by hashcat. This branch is pretty closely synced to hashcat git and John the Ripper git."
Install
You can download their binaries or sources from their homepage or compile from source on linux.
Hashcat
cd /opt/
sudo git clone https://github.com/hashcat/hashcat && cd hashcat
sudo make
sudo make install
Hashcat-Utils
cd /opt/
sudo git clone https://github.com/hashcat/hashcat-utils.git && cd hashcat-utils/src
sudo make
sudo cp *bin ../bin
HCXTools
sudo apt install libcurl4-openssl-dev libssl-dev zlib1g-dev
cd /opt/
sudo git clone https://github.com/ZerBea/hcxtools.git && cd hcxtools
sudo make
sudo make install
Usage
General
hashcat can be used in many forms but the usual format I follow is:
hashcat (attackmode) (hashtype) (workload profile) (hashfile)
Example: hashcat -a # -m # -w # CrackMe.txt
The types of attackmodes are:
Straight - Tries the exact words that are in your chosen wordlist(s), with no modifications other than rules.
Combination(Combinator) - Combines the current word with the rest of the words in the wordlist.
If your wordlist was:
aa
bb
cc
dd
It woud generate hashes for the keys: aabb, aacc, aadd, bbcc, bbdd, ccdd, with no modifications other than rules.
Brute-Force - Tries all combinations from a given Keyspace. It is the easiest of all the attacks.
Hybrid Wordlist+Mask - "The hybrid attack is just a Combinator attack. One side is simply a dictionary, the other is the result of a Brute-Force attack. In other words, the full Brute-Force keyspace is either appended or prepended to each of the words from the dictionary. Hence the name, βhybridβ."
Hybrid Mask+Wordlist - Same as "Hybrid Mask+Wordlist" above but swapped.
Association - This attack is not yet ready. More info can be found here.
There are a lot of hashtypes so I won't try to list them here but these can be found with hashcat --help | less
and running down till we find the list. We can also grep for specific hash types as well. hashcat --help | grep NTLM
.
The workload profile is something we use to speed up the process but can make it so the rest of the computer is slow as it uses much more processing power. Workload Profile types are:
Dictionary
If we want to use a dictionary attack, like using rockyou.txt
for example
hashcat -a 0 -w 3 -m 22000 -w 3(hash file) (wordlist)
Depending on your hardware, the dictionary you chose, and the password, this may take some time. You can press S for a status to see the time time estimated on finishing, as well as the updated "Recovered.Total" to see the recovered keys"
We can run the same command again with --show appended to the end to see our cracked passwords.
Brute Force
If we wanted to run a brute force attack rather than a dictionary attack, it's a similar command
hashcat -a 3 -w 3 -m 22000 -w 3 (hash file) '?l?l?l?l?l?l?l'
Replace the ?l
with whatever we deem fit.
?l = a-z
?u = A-Z
?d = 0-9
?h = 0-9a-f
?H = 0-9A-F
?s = !"#$%&'()*+,-./:;<=>?@[]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff
This will cover the basics of the hash cracking with hashcat but it can get SO much more advanced with hashcat.
Last updated