Hashcat

Password cracker.

Installation
Help
Hash
Performance & GPU
Sessions
Generate wordlists
Dictionary Attack
Mask Attack
Examples
Hashcat on AWS

Installation

Windows

Download binaries from Hashcat.

Kali Linux & Ubuntu

sudo apt update
sudo apt install hashcat

If you have NVIDIA GPU on your computer, you should install the corresponding package for better performance. See Install OpenCL Drivers On Ubuntu (Zivid).

sudo apt install hashcat-nvidia
sudo apt install nvidia-driver

RedHat Linux

# Prereq
sudo yum install gcc-c++
sudo yum install p7zip

cd
wget https://hashcat.net/files/hashcat-6.2.6.tar.gz
7za x hashcat-6.2.6.tar.gz
tar xvf hashcat-6.2.6.tar
cd hashcat-6.2.6
make
sudo make install

Help

hashcat --help

Hash

Hash types

hashcat --hash-info

Removing the result of a cracked hash

nano ~/.local/share/hashcat/hashcat.potfile

Performance & GPUs

❗ GPUs are quite slow and dumb compared to CPUs. We need to parallelize the workload so that each of these slow, dumb cores have enough work to do.

  • AMD GPUs on Linux require “RadeonOpenCompute (ROCm)” Software Platform (3.1 or later)
  • Intel CPUs require “OpenCL Runtime for Intel Core and Intel Xeon Processors” (16.1.1 or later)
  • NVIDIA GPUs require “NVIDIA Driver” (440.64 or later) and “CUDA Toolkit” (9.0 or later)

Benchmark

hashcat -b
hashcat -b -m <hash type>
hashcat -b -d <backend device id> -w 3
hashcat -b -D <OpenCL device type> -w 3

Workload profiles

# | Performance | Runtime | Power Consumption | Desktop Impact
1 | Low         |   2 ms  | Low               | Minimal
2 | Default     |  12 ms  | Economic          | Noticeable
3 | High        |  96 ms  | High              | Unresponsive
4 | Nightmare   | 480 ms  | Insane            | Headless
hashcat -w3 ...

OpenCL

OpenCL (Open Computing Language) is a framework for writing programs. OpenCL views a computing system as consisting of a number of compute devices, which might be central processing units (CPUs) or “accelerators” such as graphics processing units (GPUs), attached to a host processor (a CPU).

OpenCL device type: 1=CPU, 2=GPU, 3=FPGA, DSP, Co-Processor

hashcat -D <OpenCL device type> ...
hashcat -D 2 ...

List devices (GPU)

# On Windows, to fix "./OpenCL/: No such file or directory"
cd <hashcat directory>
# Capital "i" ;)
hashcat -I

💡 Fix for error: CUDA SDK Toolkit not installed or incorrectly installed.

  • Install the CUBA SDK Toolkit.
  • Start the command prompt with Run as administrator.
  • Do the benchmark with “-d 1” (CUDA) and “-d 2” (OpenCL). Depending on the hash type, the times are sometimes twice faster with OpenCL (“-d 2”).

Use device

❗ Use of GPUs does not work in a virtual machine.

-d, Backend devices to use, separated with commas, e.g. -d 1
-D, OpenCL device-types to use, separated with commas , e.g. -D 1
OpenCL Device Types:  1 (CPU), 2 (GPU), 3 (FPGA, DSP, Co-Processor)

If the graphic card is not listed, you might need to install the driver.

hashcat -d <device id> -b
hashcat -d 1 -b

List graphic cards

lspci | grep VGA
sudo lspci -s 01:00.0 -v  # Change version 01:00.0 by output from first command

Use graphic card + workload profile

hashcat -d <device id> -w 3 ...

Sessions

When running Hashcat

Press “c” for checkpoint. To restore, use:

hashcat --restore

When starting Hashcat

hashcat --session=session1 [...]
hashcat --restore --session=session1

Generate wordlists

Create a small list of words in a file. Apply rules on this list to generate a word list for password cracking.

💡 Do not forget to remove duplicates.

WL=./words.txt
RULE=/usr/share/hashcat/rules/best64.rule
hashcat $WL -r $RULE --stdout > hashcat_words.txt
cat hashcat_words.txt | sort | uniq > hashcat_words_uniq.txt

Dictionary attack

Attack mode “Straight” (-a 0).

❗ When getting error “Hashfile ‘/usr/share/wordlists/rockyou.txt’ on line […] Token length exception”, it means that the hash file was not specified (check value of custom variables like $HASH in command).

Generate a MD5 hash for testing

echo -n "rockyou1" | md5sum | tr -d " -" > hash.txt

Recommendations

Best cracking sequence:

  • rockyou.txt
  • rockyou.txt + rule (best64)
  • Mask attack 8 characters (all)

Using Wordlists

Hash Types Examples: 0 (MD5), 100 (SHA1), 2500 (WPA), 13400 (KeePass)

HASH=hash.txt
#HASH="d104c9a2d916d5ea96f250f8a0143c47" #rockyou1
TYPE=0
WL=/usr/share/wordlists/rockyou.txt
hashcat -m $TYPE -a 0 $HASH $WL

Show results

hashcat -m $TYPE $HASH --show

Using Wordlists + Rules

See Rule-based Attack (Hashcat).

OneRuleToRuleThemAll – Combined rules

💡 OneRuleToRuleThemAll

sudo wget -O /usr/share/hashcat/rules/OneRuleToRuleThemAll.rule "https://raw.githubusercontent.com/NotSoSecure/password_cracking_rules/master/OneRuleToRuleThemAll.rule"

Crack using wordlist + rules

HASH=hash.txt
#HASH="d104c9a2d916d5ea96f250f8a0143c47" #rockyou1
TYPE=0
WL=/usr/share/wordlists/rockyou.txt
RULE=/usr/share/hashcat/rules/best64.rule
#RULE=/usr/share/hashcat/rules/OneRuleToRuleThemAll.rule
hashcat -m $TYPE $HASH $WL -r $RULE

Show results

hashcat -m $TYPE $HASH --show

Mask Attack

Attack mode “Brute-force” (-a 3).

Predefined characters

?Charset
?labcdefghijklmnopqrstuvwxyz
?uABCDEFGHIJKLMNOPQRSTUVWXYZ
?d0123456789
?h0123456789abcdef
?H0123456789ABCDEF
?s !”#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a?l?u?d?s
?b0x00 – 0xff
Built-in charsets
HASH=hash.txt
TYPE=0

Brute force 1 to 8-character passwords

hashcat -O -m $TYPE -a 3 --increment --increment-min=1 --increment-max=8 $HASH ?a?a?a?a?a?a?a?a

Brute force passwords with prefix

💡 “–increment-min” should be the prefix length.
💡 “–increment-max” should be the prefix length + mask length.

hashcat -O -m $TYPE -a 3 --increment --increment-min=4 --increment-max=13 $HASH Hello?a?a?a?a?a?a?a?a

Brute force exactly 8-character passwords

hashcat -O -m $TYPE -a 3 $HASH ?a?a?a?a?a?a?a?a

Brute force 8-character passwords, French charset

CHARSET=/usr/share/hashcat/charsets/standard/French/fr_cp1252.hcchr
hashcat -O -m $TYPE -a 3 $HASH -1 $CHARSET ?a?a?a?a?a?a?a?a

Brute force 8-character passwords, uppercase

You can specify up to 4 charset (-1 to -4).

hashcat -m $TYPE -a 3 $HASH -1 ?u?d?s ?1?1?1?1?1?1?1?1

8 chars: Upper + Lower*5 + Digit + Special, e.g. Abcdef1!

hashcat -m $TYPE -a 3 $HASH ?u?l?l?l?l?l?d?s
CHARSET=/usr/share/hashcat/charsets/standard/French/fr_cp1252.hcchr
hashcat -m $TYPE -a 3 $HASH -1 $CHARSET ?u?l?l?l?l?l?d?s

PDF with Mask on command line

hashcat -w3 -m 10410 hash -a 3 ?b?b?b?b?b

Show results

hashcat -m $TYPE $HASH --show

/usr/share/hashcat/masks/brute1_8_french.hcmask

# Syntax: [?1,][?2,][?3,][?4,]mask
# -1 charsets/special/French/fr_ISO-8859-16.hcchr
?a
?a?a
?a?a?a
?a?a?a?a
?a?a?a?a?a
?a?a?a?a?a?a
?a?a?a?a?a?a?a
?a?a?a?a?a?a?a?a

/usr/share/hashcat/masks/wpa.hcmask

# WPA requires minimum 8 chars
?l?d, ?1?1?1?1?1?1?1?1 \# lcase + digit
?l?u?d, ?1?1?1?1?1?1?1?1 \# lcase + ucase + digit
?a?a?a?a?a?a?a?a \# all chars

Examples

Crack RSA private key passphrase

HASH=/root/.ssh/id_rsa_userX
TYPE=1500
WL=/usr/share/wordlists/rockyou.txt

hashcat -m $TYPE -a 0 $HASH $WL --force

Shadow file

💡 When there are hashes in second column… If not, see John the Ripper and unshadow the file.

Extract hashes, put them in a file

cat shadow | cut -d ":" -f2
cat shadow | cut -d ":" -f2 | grep -v -E "^\*" | grep -v \! > hash.txt
HASH=hash.txt
TYPE=500 # DO NOT USE TYPE 1800! See below
WL=/usr/share/wordlists/rockyou.txt

hashcat -O -m $TYPE -a 0 $HASH $WL
hashcat -O -m $TYPE -a 0 $HASH $WL --debug-mode=1 --force

Type 1800 (starting with $6$) – Limitations

❗ For type 1800, limitation is 16 characters. See this FAQ (search for “1800”). This will not work with some passwords in rockyou.txt. USE JtR INSTEAD!!!

Generate hash for 15-char password and 16-char password. Hashcat will successfully crack the 15-char, but NOT the 16 chars!

python2 -c "import crypt; print crypt.crypt ('MyPassword12345', '\$6\$vkAzDkveIBc6PmO1')" > hash.txt
python2 -c "import crypt; print crypt.crypt ('MyPassword123456', '\$6\$vkAzDkveIBc6PmO1')" >> hash.txt
echo MyPassword12345 > passwords.txt
echo MyPassword123456 >> passwords.txt
HASH=hash.txt
TYPE=1800
WL=passwords.txt

hashcat -O -m $TYPE -a 0 $HASH $WL
hashcat -O -m $TYPE -a 0 $HASH $WL --show

Oracle Database

Oracle hash types explained

alter user user1 identified by VALUES 'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C';
hashcat --help | grep Oracle
# 3100 | Oracle H: Type (Oracle 7+)                       | Database Server
#  112 | Oracle S: Type (Oracle 11+)                      | Database Server
#12300 | Oracle T: Type (Oracle 12+)                      | Database Server

HASH=/root/hash.txt
WL=/usr/share/wordlists/rockyou.txt

# T: Type, hash.txt contains value of T
TYPE=12300
hashcat -m $TYPE -a 0 $HASH $WL --force

WPA Cracking

# CONVERT .CAP FILES FOR HASHCAT
# Convert .CAP file before cracking with Hashcat
# Clean the .CAP to get only the 4-way handshake and one beacon

CAP=/root/hs/XX-XX-XX-XX-XX-XX.cap
CAP2="$CAP".clean
wpaclean $CAP2 $CAP

/usr/share/hashcat-utils/cap2hccapx.bin $CAP2 $CAP.hccapx

HASH=$CAP2.hccapx
TYPE=2500
hashcat -m $TYPE -a 0 $HASH $WL $OPT
hashcat -m $TYPE $HASH $WL -r $RULE1 $OPT
hashcat -m $TYPE -a 3 $HASH $MASK $OPT

# Show results
hashcat -m $TYPE $HASH --show

Microsoft Excel Protected Workbook

  • First, look in VBA code (F11). Search for “protect” to see if the password is hardcoded…
  • Download office2hashcat.py to extract hash from the Excel
  • Find the Excel version: compare the hashes
python office2hashcat.py crackme.xls > hash.lst
# CHANGE HASH TYPE IF NEEDED (9800 is used here)
hashcat -a 3 -w 3 -m 9800 hash.lst -i --increment-min=4 --increment-max=8 -1 ?l ?1?1?1?1?1?1?1?1

Hashcat on AWS

AWS instance

  • “g”: designed to accelerate graphics-intensive applications and machine learning inference, has been longer around than the P instances.
  • “p”: GPU-based instances, more expensive than “g”. ($$$)

💡 Use g5.12xlarge, which costs around $5.672 USD per hour. Has 4 x NVIDIA A10G. MD5 benchmark speed at 242 GH/s. See g5 specs & pricing (AWS).

❗ Pricing is per instance-hour consumed for each instance, from the time an instance is launched until it is terminated or stopped. Stop your AWS instance when it is not needed or you will be charged. YOU WILL STILL BE CHARGED FOR EBS STORAGE. See Amazon EBS pricing (Amazon).

  • Create an AWS account and set a budget limit. See Amazon Web Services (AWS).
  • IMPORTANT: Increase vCPU quota here. Select region and instance type “All G instances”. Set limit to 48 vCPU (from g5.12xlarge description). This will open a case with support. You need to wait until this case is closed.
  • Create an EC2 instance:
    • Enter instance name “Hashcat g5.12xlarge”.
    • Click on Ubuntu and select Amazon Machine Image (AMI) AWS Deep Learning Base OSS Nvidia Driver GPU AMI (Ubuntu 20.04).
    • Select instance type “g5.12xlarge”.
    • Click Create new key pair, choose RSA with .ppk and give it a name like “EC2-Hashcat-Putty”. Click on Create key pair. KEEP THESE KEYS SECURE. DO NOT LOOSE THEM. They cannot be downloaded from the AWS console later.
    • Leave default network settings.
    • Use minimum storage of 1x75GB with gp3 (General Purpose SSD). See Amazon EBS pricing (Amazon).
    • Leave default advanced details.
    • Click on Launch instance.

Install Hashcat

sudo apt update
sudo apt install hashcat
sudo apt install hashcat-nvidia
sudo apt install nvidia-driver

Test

echo -n "Hi!" | md5sum | tr -d " -" > hash.txt
hashcat -O -m 0 -a 3 hash.txt ?a?a?a

Depending on your attack mode, you may need to download wordlists like rockyou. See Password Attacks.