Hashcat Tutorial for Beginners

hashcat

Hashcat is a well-known password cracker. It is designed to break even the most complex passwords. To do this, it enables the cracking of a specific password in multiple ways, combined with versatility and speed.

Password representations are primarily associated with hash keys, such as MD5, SHA, WHIRLPOOL, RipeMD, etc. They are also defined as a one-way function — this is a mathematical operation that is easy to perform, but very difficult to reverse engineer.

Hashcat turns readable data into a garbled state (this is a random string of fixed length size). Hashes do not allow someone to decrypt data with a specific key, as standard encryption protocols allow.

Hashcat uses precomputed dictionaries, rainbow tables, and even a brute-force approach to find an effective and efficient way crack passwords. This article provides an introductory tutorial for cracking passwords using the Hashcat software package.

Other approaches that are used to crack passwords are as follows:

  • Lookup Tables: Hashes are pre-computed from a dictionary and then stored with their corresponding password into a lookup table structure.
  • Reverse Lookup Tables: This attack allows for a cyber attacker to apply a dictionary or brute-force attack to many hashes at the same time, without having to pre-compute a lookup table.
  • Rainbow Tables: Rainbow tables are a time-memory technique. They are similar to lookup tables, except that they sacrifice hash cracking speed to make the lookup tables smaller.
  • Hashing with Salt: With this technique, the hashes are randomized by appending or prepending a random string, called a “salt.” This is applied to the password before hashing.

Installation

  • You can download Hashcat from here.
  • Extract the folder from the archive using 7-zip, and open a terminal in the extracted folder.
  • The folder includes 32 and 64 bit binaries for both Windows and Linux, along with other files and documentation.
  • Choosing the appropriate binary according to your system.

Hashcat Attack Modes

Hashcat can perform multiple types of attacks:

  • Dictionary (-a 0) – Reads from a text file and uses each line as a password candidate.
  • Combination (-a 1) – Like the Dictionary attack except it uses two dictionaries. Each word of a dictionary is appended to each word in a dictionary.
  • Mask (-a 3) – Try all combinations in a given keyspace. It is effectively a brute-force on user specified character sets.
  • Hybrid (-a 6 and -a 7) – A combination of a dictionary attack and a mask attack.

Attack Examples

Dictionary attack

I’ll first start with a dictionary attack against the list of MD5 hashes.

hashcat64.exe -a 0 -m 0 example_md5_hashes.txt combined_seclists_password_list.txt -O

The -O will greatly increase the cracking speed, but will limit the password length that you’ll be able to crack. This is usually fine, unless you are cracking passwords greater than 27 characters.

Dictionary attack with rules

Hashcat ships with several rules located in the rules directory. You use the -r <rulefile.rule> option to apply a rule. For example, I’ll use the d3ad0ne.rule:

hashcat64.exe -a 0 -m 0 example_md5_hashes.txt combined_seclists_password_list.txt -r rules\d3ad0ne.rule -O

Combinator attack

A combinator attack is an attack that combines two dictionaries.

hashcat64.exe -a 1 -m 0 example_md5_hashes.txt combined_seclists_password_list_caps.txt combined_seclists_password_list_caps.txt -k "$!" -O

This attack uses my two dictionaries (I used the same one twice) and also adds a single ! character (-k “$!”) to the right of the second dictionary. So if I have the combined word candidate of ThePassword, the -k “$!” transforms it to ThePassword!. Similarly, you can use the -j option to add characters to the left of the second dictionary. For example, if I had also added -j “$&”, my word candidate would be The&Password!.

Mask attack

Next, let’s try a mask attack (-a 3).

hashcat64.exe -a 3 -m 0 example_md5_hashes.txt ?u?l?l?l?d?d?d?d

The -a 3 specifies a mask attack, -m 0 specifies MD5 as the hash type, and example_md5_hashes.txt is my file containing the hashes. After that, you have the mask. This particular mask will attempt to bruteforce an 8 character password, where the first character (?u) is an uppercase letter, the next three characters (?l?l?l) are lowercase letters, and the last four characters (?d?d?d?d) are digits. Hashcat has the following charsets built-in:

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>[email protected][\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 – 0xff

You can also specify your own charsets. I’m going to do that against my hashfile:

hashcat64.exe -a 3 -m 0 example_md5_hashes.txt -1 ?s?d ?u?l?l?l?1?1?1?1

This may be slightly difficult to read, but what I’ve done is specified a custom charset using the -1 ?s?d. This has created a character set that includes special characters and digits. When I want to use this character set, I’ll use ?1. Hashcat allows you to specify four custom charsets per mask. So, this particular command is looking for an 8 character password that starts with an uppercase letter, followed by three lowercase letters, where the last four characters will be a number or a special character. Running through all of these characters will take some time, but it will recover another password.

Hashcat also allows you to record your masks in a file, and then point hashcat to the file instead. This is great, because it allows you to try many masks automatically one right after the other. Hashcat comes with some pregenerated masks, which can be found in the masks directory. To run masks from a file, instead of specifying the mask (?l?u?d) on the command line you’ll instead just specify the filename:

hashcat64.exe -a 3 -m 0 example_md5_hashes.txt masks\8char-1l-1u-1d-1s-compliant.hcmask

Hashcat will go through each of these masks one after the other. In this example, it will look first for one character passwords, cycling through all characters, and it will continue to do this for up to 7 characters. After that, I use a mask with a custom charset. Instead of using -1 to specify the charset, I instead separate the charset with a comma (?s?d,?u?l?l?l?1?1?1?1). I then write the mask I want, using 1 for the charset I specified (?s?d,?u?l?l?l?1?1?1?1)If I wanted another charset, I could specify another and use another comma. After that completes, hashcat will run the next mask, and so on…

Hybrid attack

A hybrid attack combines a dictionary attack and a mask attack. Mask attacks by themselves are great, but typically when you work with a mask greater than 8 characters, the time it takes to complete the attack becomes an issue. A hybrid solves that problem because you can use a longer base word, such as September, and then add a mask of ?d?d?d?d, to cover all iteration of September0000 to September9999, which of course includes popular passwords like September2018 among others.

Hybrid attacks can use a mask after the word (-a 6), or prior to the word (-a 7), but can not do both at the same time.

hashcat64.exe -a 6 -m 0 example_md5_hashes.txt combined_seclists_password_list.txt ?d?d?d?d

Related Post

Leave a Reply

Your email address will not be published. Required fields are marked *