How to crack passwords with Hashcat

sc015020
5 min read · Oct 30, 2019

In this post, the popular password cracker Hashcat is explained.

Besides the best-known password cracker John the Ripper (JtR), there is another very powerful tool called Hashcat. Hashcat comes pre-installed on Kali Linux (the pentester’s favorite OS) but can also be downloaded and run on any Linux or Windows machine. It supports both CPU- and GPU-based cracking, which generally makes it faster than JtR, and it supports many more hash types. The disadvantages of Hashcat are its less user-friendly command-line interface and its inability to autodetect the hash type.

Password hashes

Password login is the default authentication mechanism. Passwords are normally not stored in plain text; instead, they are stored in hashed form. Whenever a user tries to log in, the entered password is hashed and the result is compared with the stored hash value. For example, if the system uses the MD5 hash function, the password ‘secret’ is hashed and the resulting hash value is saved in passwd_file.txt as shown:

Save the hashed value of the password ‘secret’ in a text file

Password cracking

Password cracking is an iterative process in which a word is selected from a wordlist as a possible password, after which the computed hash value of this selected word is compared with the password hash. This iterative process is repeated until a match is found.

Before we can run Hashcat to crack the password, we need to find the number that identifies the hash type (MD5 in the example above). Searching on Google is the easiest way, but you could also use the following command to find this number.

The number ‘0’ belongs to the MD5 hash type

We run Hashcat with the following command: the hash type is specified with option -m [hash_type_num], the dictionary attack mode with -a [attack_mode_num], followed by the file containing the hashed password we created and finally the wordlist.

hashcat -a [attack_mode] -m [hash_type_num] [hash_in] [wordlist_in]

hashcat -a 0 -m 0 ~/passwd_file.txt /usr/share/john/password.lst --force

This results in the following output with the cracked password.

Hashcat output with the cracked password

Hashcat found that the hash value stored in the file belonged to the password ‘secret’. In the screenshot above, the red rectangle marks the hashed value and the recovered password: Hashcat successfully cracked the password in dictionary attack mode using John the Ripper’s default wordlist file password.lst.

Modes of cracking
Similar to JtR, Hashcat also has different attack modes, which are specified in the command with -a [attack_mode_num] when running Hashcat. In the previous example, we used the Straight attack mode for a dictionary attack with a wordlist. It is also possible to add mangling rules with -r [mangling_rule_file] to mangle the specified wordlist. This rule-based approach requires that the attacker has some idea of how the password is likely constructed.

- [ Attack Modes ] -

# | Mode
===+======
0 | Straight
1 | Combination
3 | Brute-force
6 | Hybrid Wordlist + Mask
7 | Hybrid Mask + Wordlist
Available attack modes in Hashcat

Straight attack mode [0] is also known as dictionary or wordlist attack. Hashcat tries each password in the wordlist.

Combination attack mode [1] in Hashcat creates a new password list from a wordlist by appending each word in the wordlist to every word in the wordlist. For example, from a wordlist consisting of only 3 words, Hashcat generates a password list of 9 new password combinations.

Bruteforce attack mode [3] tries all combinations of the specified character set and password length.

Hybrid attacks are a variant of the Combination attack mode, whereby a word from a wordlist is combined (appended or prepended) with a candidate from the Brute-Force keyspace.

- [ Built-in Charsets ] -

? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff

Mask to brute-force all possible passwords that start with an uppercase letter, followed by five lowercase letters, and end with a symbol:

?u?l?l?l?l?l?s 

Hybrid Wordlist + Mask attack mode [6]. A mask attack results in a smaller number of combinations than a brute-force attack: it is a subset of the keyspace, chosen using knowledge of the behavioral choices humans make, such as placing an uppercase character only in the first position.

The following example takes each word from the wordlist and appends 4 numeric characters, producing candidate passwords such as ‘secret1234’.

... -a 6 wordlist.txt ?d?d?d?d

For comparison, the rule-based attack mentioned under Modes of cracking, using the best64 rule file on the same wordlist:

hashcat -m 0 -r rules/best64.rule captured.txt /usr/share/john/password.lst --force

Hybrid Mask + Wordlist attack mode [7]

The following example takes each word from the wordlist and prepends 4 numeric characters, producing candidate passwords such as ‘1234secret’.

... -a 7 ?d?d?d?d wordlist.txt
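To make the attack modes and masks above concrete, here is a small added Python model (not Hashcat's own code) that enumerates candidates the way modes 0, 1, 3, 6 and 7 do, computes the size of a mask keyspace, and checks candidates against an MD5 hash; the three-word wordlist and the masks are constructed for the example, and only the ?x mask tokens from the table are handled.

```python
import hashlib
import itertools

# Built-in charsets from the table above (?s also holds a leading space).
CHARSETS = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]
WORDS = ["admin", "secret", "welcome"]  # constructed stand-in for password.lst

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def mask_positions(mask):
    """One charset per position for a mask of ?x tokens, e.g. '?u?l?s'."""
    return [CHARSETS[c] for c in mask.split("?")[1:]]

def mask_keyspace(mask):
    """Number of candidates the mask expands to (product of charset sizes)."""
    n = 1
    for cs in mask_positions(mask):
        n *= len(cs)
    return n

def candidates(mode, wordlist, mask=None):
    """Yield candidates the way attack modes 0, 1, 3, 6 and 7 do."""
    masked = lambda: ("".join(t) for t in itertools.product(*mask_positions(mask)))
    if mode == 0:    # Straight: each wordlist entry as-is
        yield from wordlist
    elif mode == 1:  # Combination: every word followed by every word (3 -> 9)
        yield from (a + b for a in wordlist for b in wordlist)
    elif mode == 3:  # Brute-force: the whole mask keyspace
        yield from masked()
    elif mode == 6:  # Hybrid Wordlist + Mask: word + mask candidate
        yield from (w + m for w in wordlist for m in masked())
    elif mode == 7:  # Hybrid Mask + Wordlist: mask candidate + word
        yield from (m + w for m in masked() for w in wordlist)

def crack_md5(target_hex, mode, wordlist, mask=None):
    """Return the first candidate whose MD5 equals target_hex, else None."""
    for c in candidates(mode, wordlist, mask):
        if md5_hex(c) == target_hex:
            return c
    return None
```

Comparing mask_keyspace("?u?l?l?l?l?l?s") with mask_keyspace("?a?a?a?a?a?a?a") shows how much the human-pattern mask shrinks the search relative to full 7-character brute force, which is the same calculation a defender uses to judge a password policy.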

Other useful Hashcat commands

Show the help text

hashcat -h

Get Hashcat version

hashcat -V

sc015020

Running IT security analyst. Passionate about (wireless) networks and security overall