Hashcat
Hashcat's main purpose is to crack password hashes and recover the original plaintext passwords.
Hashcat supports several attack methods, including:
- Wordlist Attacks: Using lists of potential passwords.
- Brute-Force and Mask Attacks: Systematically trying all possible character combinations.
- Hybrid Attacks: Combining wordlists with brute-force masks.
- Rule-Based Attacks: Applying transformations to words from a wordlist.
Basic Usage
Identify the type of a hash.
hashid '$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f' -m
Analyzing '$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f'
[+] Domain Cached Credentials 2 [Hashcat Mode: 2100]
Uses Hashcat to crack NTLM hashes using a specified wordlist.
hashcat -m 1000 dumpedhashes.txt /usr/share/wordlists/rockyou.txt
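Uses Hashcat against a single NTLM hash and displays the result in the terminal output. The --show option prints entries already stored in the potfile, so the same command has to be run once without --show to perform the attack.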
hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt --show
Uses unshadow to combine data from passwd.bak and shadow.bak into a single file to prepare for cracking.
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
Uses Hashcat in conjunction with a wordlist to crack the unshadowed hashes and outputs the cracked hashes to a file called unshadowed.cracked.
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked
Uses Hashcat in conjunction with a wordlist to crack the md5crypt ($1$) hashes in the md5-hashes.list file. Mode 500 is md5crypt; raw MD5 is mode 0.
hashcat -m 500 -a 0 md5-hashes.list rockyou.txt
Uses Hashcat to crack the extracted BitLocker hashes using a wordlist and outputs the cracked hashes into a file called backup.cracked.
hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked
Hashcat Rules
Rules modify words from a wordlist to generate new password candidates. They are applied using the -r flag.
Appends numbers or symbols to the end of a word.
Example: password -> password123, password!
hashcat -m <hash_type> -a 0 <hash_file> <wordlist> -r /usr/share/hashcat/rules/best64.rule
Combines a word with another word from the same list.
Example: password + 123 -> password123
hashcat -m <hash_type> -a 0 <hash_file> <wordlist> -r /usr/share/hashcat/rules/combinator.rule
Applies a series of complex and comprehensive modifications.
Example: password -> Pa$$w0rd, password!@#
hashcat -m <hash_type> -a 0 <hash_file> <wordlist> -r /usr/share/hashcat/rules/d3ad0ne.rule
Replaces letters with similar-looking numbers or symbols.
Example: password -> p@ssw0rd, pa$$w0rd
hashcat -m <hash_type> -a 0 <hash_file> <wordlist> -r /usr/share/hashcat/rules/leetspeak.rule
Based on common variations found in data breaches.
Example: password -> password1, password2019
hashcat -m <hash_type> -a 0 <hash_file> <wordlist> -r /usr/share/hashcat/rules/rockyou-30000.rule
Creates variations by toggling character case.
Example: password -> Password, pASSWORD, PassWord
hashcat -m <hash_type> -a 0 <hash_file> <wordlist> -r /usr/share/hashcat/rules/toggles1.rule
A variation of the leetspeak rule with specific adjustments.
Example: password -> p@55w0rd, PaSsWoRd
hashcat -m <hash_type> -a 0 <hash_file> <wordlist> -r /usr/share/hashcat/rules/unix-ninja-leetspeak.rule
Attack Modes
Attack modes define how Hashcat generates password candidates. They are set with the -a flag.
Wordlist Attack (-a 0)
Uses a wordlist without modifications.
hashcat -m <hash_type> -a 0 <hash_file> <wordlist>
Combination Attack (-a 1)
Combines words from two different wordlists.
hashcat -m <hash_type> -a 1 <hash_file> <wordlist1> <wordlist2>
Brute-Force / Mask Attack (-a 3)
Generates all possible combinations of characters based on a mask.
hashcat -m <hash_type> -a 3 <hash_file> ?d?d?d?d?d?d?d?d
Hybrid Wordlist + Mask Attack (-a 6)
Combines a wordlist with a mask pattern, appending the mask-generated characters to each word.
hashcat -m <hash_type> -a 6 <hash_file> <wordlist> ?d?d
Hybrid Mask + Wordlist Attack (-a 7)
Combines a mask pattern with a wordlist, prepending the mask-generated characters to each word.
hashcat -m <hash_type> -a 7 <hash_file> ?d?d <wordlist>
Mask Character Sets
Masks use built-in or custom character sets to define the search space in a brute-force attack.
- ?l: abcdefghijklmnopqrstuvwxyz
- ?u: ABCDEFGHIJKLMNOPQRSTUVWXYZ
- ?d: 0123456789
- ?h: 0123456789abcdef
- ?H: 0123456789ABCDEF
- ?s: space followed by !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
- ?a: Combination of ?l, ?u, ?d, and ?s.
- ?b: All possible bytes from 0x00 to 0xff.
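As an added example (not part of the original page and not Hashcat's own code), the Python below counts how many candidates a mask built from the character sets above produces, which is the figure needed when judging how long a given password shape withstands a mask attack. The guess rate in the sample run is an assumed value, and the function names are chosen here for illustration.

```python
import string

# Sizes of Hashcat's built-in charsets (custom ?1-?4 are not handled here).
SIZES = {
    "l": len(string.ascii_lowercase),
    "u": len(string.ascii_uppercase),
    "d": len(string.digits),
    "h": 16,
    "H": 16,
    "s": len(" " + string.punctuation),  # space plus 32 ASCII specials = 33
    "b": 256,                            # every byte 0x00-0xff
}
SIZES["a"] = SIZES["l"] + SIZES["u"] + SIZES["d"] + SIZES["s"]  # 95


def mask_positions(mask):
    """Return the number of choices at each position of a mask."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)              # literal character: one choice
            i += 1
            continue
        token = mask[i + 1:i + 2]        # empty string if the mask ends in "?"
        if token == "?":
            sizes.append(1)              # "??" is a literal question mark
        elif token in SIZES:
            sizes.append(SIZES[token])
        else:
            raise ValueError(f"unsupported or dangling placeholder at {i}")
        i += 2
    return sizes


def keyspace(mask):
    """Total number of candidates the mask generates."""
    total = 1
    for n in mask_positions(mask):
        total *= n
    return total


if __name__ == "__main__":
    RATE = 1e9  # assumed guesses per second, constructed for illustration
    for m in ("?d?d?d?d?d?d?d?d", "?u?l?l?l?l?l?d?d", "?a?a?a?a?a?a?a?a"):
        print(f"{m:18} {keyspace(m):>22,} {keyspace(m) / RATE:>14,.1f} s")
```

The eight-digit mask from the Brute-Force / Mask Attack entry yields 10^8 candidates, while eight positions of ?a yield 95^8, which shows how much each extra character class in a password policy enlarges the search space.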