Cracking hashes with hashcat
#1
Hashcat 101

Everyone knows what hashcat is, but not everyone seems to understand how to use it correctly. Correctly meaning mask attacks, dictionary attacks, etc. Today, because I'm currently waiting for my hashes to get cracked, I'm going to teach you the best way to crack hashes using hashcat, with not only a wordlist attack but a mask attack as well. Let's get started:


Mask attacks


What is a mask? Well, technically speaking, a mask is something that covers the length of one's face. Apply this same concept to a password: a mask would be something that covers the length of your password, correct? (Rhetorical question, I know it's correct.) Hashcat has this awesome feature called "mask attacks" where you give your mask and it starts a bruteforce attack with the given mask. "What's the difference between mask and bruteforce?" is probably what you're asking right now. Well, according to the awesome hashcat team, this is the difference:

Code:
To make it short, with Mask attack we can reduce the keyspace to 52*26*26*26*26*10*10*10*10 (237.627.520.000) combinations

This basically means that it's faster. Hashcat comes complete with built-in masks (you can create your own, but it's kinda pointless so we'll skip that tutorial for today). The built-in masks are as follows:

  • ?l = abcdefghijklmnopqrstuvwxyz
  • ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • ?d = 0123456789
  • ?h = 0123456789abcdef
  • ?H = 0123456789ABCDEF
  • ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  • ?a = ?l?u?d?s
  • ?b = 0x00 - 0xff

Super convenient, right? Let's go ahead and crack a simple MD5 password with hashcat:

Making the password:
Code:
python
Python 2.7.12 (default, Dec  4 2017, 14:50:18)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> obj = hashlib.md5()
>>> obj.update("password")
>>> obj.hexdigest()
'5f4dcc3b5aa765d61d8327deb882cf99'
>>>

This leaves us with the hash 5f4dcc3b5aa765d61d8327deb882cf99. Now, to crack it, we add it to a file for easy access:

Code:
TBG-a0216:ldap-utils admin$ echo "5f4dcc3b5aa765d61d8327deb882cf99" >> simple_hash.txt
TBG-a0216:ldap-utils admin$ ls | grep simple_
simple_hash.txt
TBG-a0216:ldap-utils admin$

Now we have a file that contains a single MD5 hash. Let's get crackin':

Code:
TBG-a0216:ldap-utils admin$ hashcat -m0 -a3 -O -o simple_cracked_hash.txt --potfile-disable simple_hash.txt ?l?l?l?l?l?l?l?l
hashcat (v4.1.0) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 450 Compute Engine, 512/2048 MB allocatable, 10MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 55

Watchdog: Temperature abort trigger disabled.

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Type........: MD5
Hash.Target......: 5f4dcc3b5aa765d61d8327deb882cf99
Time.Started.....: Fri Sep  7 15:42:21 2018 (2 secs)
Time.Estimated...: Fri Sep  7 15:44:05 2018 (1 min, 42 secs)
Guess.Mask.......: ?l?l?l?l?l?l?l?l [8]
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....:   109.8 MH/s (6.87ms) @ Accel:32 Loops:16 Thr:256 Vec:1
Speed.Dev.#3.....:  1896.0 MH/s (10.03ms) @ Accel:128 Loops:64 Thr:256 Vec:1
Speed.Dev.#*.....:  2005.9 MH/s
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 3727687680/208827064576 (1.79%)
Rejected.........: 0/3727687680 (0.00%)
Restore.Point....: 0/11881376 (0.00%)
Candidates.#2....: syaerane -> ndazphss
Candidates.#3....: sazwuain -> kepjnfia

                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: 5f4dcc3b5aa765d61d8327deb882cf99
Time.Started.....: Fri Sep  7 15:42:21 2018 (5 secs)
Time.Estimated...: Fri Sep  7 15:42:26 2018 (0 secs)
Guess.Mask.......: ?l?l?l?l?l?l?l?l [8]
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....:   110.4 MH/s (6.87ms) @ Accel:32 Loops:16 Thr:256 Vec:1
Speed.Dev.#3.....:  1908.3 MH/s (10.02ms) @ Accel:128 Loops:64 Thr:256 Vec:1
Speed.Dev.#*.....:  2018.7 MH/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 9796321280/208827064576 (4.69%)
Rejected.........: 0/9796321280 (0.00%)
Restore.Point....: 0/11881376 (0.00%)
Candidates.#2....: saserane -> naszphss
Candidates.#3....: cvfxbpes -> gzcqebpe

Started: Fri Sep  7 15:42:19 2018
Stopped: Fri Sep  7 15:42:27 2018
TBG-a0216:ldap-utils admin$ ls | grep simple_cracked_hash.txt
simple_cracked_hash.txt
TBG-a0216:ldap-utils admin$ cat simple_cracked_hash.txt
5f4dcc3b5aa765d61d8327deb882cf99:password
TBG-a0216:ldap-utils admin$

So what did we just do? Let's go through the options that I used in hashcat:

Code:
-m0                        => Specifies the hash type to be used
-a3                        => Specifies the attack mode to be used
-O                         => Enables optimized kernels (limits password length for a speed boost)
-o simple_cracked_hash.txt => Specifies the file that stores the cracked hashes
--potfile-disable          => Disables the cached (potfile) hashes that have already been cracked
simple_hash.txt            => Specifies what file we're reading from
?l?l?l?l?l?l?l?l           => Specifies the mask

For a mask attack you use a single mask for each character in the password, so you can make an educated guess on the characters by looking at the most common passwords used. A decent mask to use is ?u?l?l?l?l?s?d?d, which is 1 uppercase, 4 lowercase, 1 special character, and 2 integers. This gets almost every simple password requirement from almost every system at the lowest level: 8 characters, containing at least 1 uppercase, 1 lowercase and at least 1 special character. Now, mask attacks use a lot of power and a lot of memory, so it's best to have a dedicated rig to do this for you; that way it won't be disturbed by you while it's working. This is all there really is to mask attacks. I'll give you a list of the masks I use to crack people's hashes when I score a database:
  • ?u?l?l?l?l?s?d?d
  • ?u?l?l?l?l?l?s?d?d?d
  • ?l?l?l?l?l?l?d?d?d
  • ?u?l?l?l?l?l?d?d
  • ?u?l?l?l?l?l?l?l?d?d
  • ?u?l?l?l?d?d?d?d
  • ?u?l?l?l?l?l?d?d?d
(Pro-tip: you can put all these in a .hcmask file and pass it as a single argument to do multiple masks)


Dictionary attacks

Everyone knows what a dictionary attack is, and most will argue that dictionary-based attacks are better than bruteforce attacks. Well, most of you would be correct. A dictionary attack consists of a given hash and a list of words or previously cracked passwords; this not only saves CPU and power, but is faster than a bruteforce attack and is extremely, extremely reliable. If you need some dictionaries, or wordlists, you can use rockyou.txt with this command:

Code:
wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

This will download the wordlist into your current directory as rockyou.txt, so choose wisely. To implement a wordlist attack in hashcat, you change one simple thing:

Code:
TBG-a0216:ldap-utils admin$ hashcat -m0 -a0 -O -o simple_cracked_hash.txt --potfile-disable simple_hash.txt rockyou.txt
hashcat (v4.1.0) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 450 Compute Engine, 512/2048 MB allocatable, 10MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 31

Watchdog: Temperature abort trigger disabled.

Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec

                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: 5f4dcc3b5aa765d61d8327deb882cf99
Time.Started.....: Fri Sep  7 16:00:43 2018 (0 secs)
Time.Estimated...: Fri Sep  7 16:00:43 2018 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....: 10584.5 kH/s (7.99ms) @ Accel:128 Loops:1 Thr:256 Vec:1
Speed.Dev.#3.....: 27548.3 kH/s (3.15ms) @ Accel:512 Loops:1 Thr:256 Vec:1
Speed.Dev.#*.....: 38132.8 kH/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 2097218/14344384 (14.62%)
Rejected.........: 66/2097218 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Candidates.#2....: 123456 -> SAKURA08
Candidates.#3....: sonile -> SAGEM

Started: Fri Sep  7 16:00:40 2018
Stopped: Fri Sep  7 16:00:45 2018
TBG-a0216:ldap-utils admin$ cat simple_cracked_hash.txt
5f4dcc3b5aa765d61d8327deb882cf99:password
TBG-a0216:ldap-utils admin$

All you'll have to do to go from a mask attack to a wordlist attack is change the -a3 to -a0 to signify that you are using a wordlist instead. If you look at the time, it took 5 seconds compared to our mask attack's almost 10 seconds.



Rule based


From here we will continue on to using a rule set with our wordlist. Rules are cool little things (much like a programming language) that will set the stage for password generation. Creating your own rule list is a pain in the ass and I will not cover it in this post; if you want to look into how, you can see here.

Using a rule-based attack is a lot like using a dictionary, but you pass a rule file with the -r option instead of just passing the dictionary. If you need a good rule file, you can get dive.rule with this command:

Code:
curl -o dive.rule https://raw.githubusercontent.com/hashcat/hashcat/master/rules/dive.rule

Rules allow us not only to hack stronger and more sophisticated passwords, but help us add more options to our wordlist. Let's create a stronger hash for this attack:

Code:
Python 2.7.12 (default, Dec  4 2017, 14:50:18)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> obj = hashlib.md5()
>>> obj.update("Passw0rd!@09")
>>> obj.hexdigest()
'23ff9c95ff8fa7b0b7a176cb1cdb8a78'
>>>

Same concept applies, but we're creating a much stronger password this time:

Code:
TBG-a0216:ldap-utils admin$ echo "23ff9c95ff8fa7b0b7a176cb1cdb8a78" >> stronger_hash.txt
TBG-a0216:ldap-utils admin$ cat stronger_hash.txt
23ff9c95ff8fa7b0b7a176cb1cdb8a78
TBG-a0216:ldap-utils admin$

Let's get cracking again:


Code:
TBG-a0216:ldap-utils admin$ hashcat -m0 -a0 -O -r ~/Desktop/etc/fuzz/rules/dive.rule --potfile-disable -o stronger_cracked_hash.txt stronger_hash.txt ~/Desktop/etc/fuzz/wordlists/rockyou.txt
hashcat (v4.1.0) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 450 Compute Engine, 512/2048 MB allocatable, 10MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 99086

Applicable optimizers:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 31

Watchdog: Temperature abort trigger disabled.

Dictionary cache hit:
* Filename..: /Users/admin/Desktop/etc/fuzz/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921510
* Keyspace..: 1421327732110

                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: 23ff9c95ff8fa7b0b7a176cb1cdb8a78
Time.Started.....: Fri Sep  7 16:13:05 2018 (0 secs)
Time.Estimated...: Fri Sep  7 16:13:05 2018 (0 secs)
Guess.Base.......: File (/Users/admin/Desktop/etc/fuzz/wordlists/rockyou.txt)
Guess.Mod........: Rules (/Users/admin/Desktop/etc/fuzz/rules/dive.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....: 27088.5 kH/s (5.80ms) @ Accel:16 Loops:4 Thr:256 Vec:1
Speed.Dev.#3.....:        0 H/s (0.00ms) @ Accel:128 Loops:32 Thr:256 Vec:1
Speed.Dev.#*.....: 27088.5 kH/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 32469389126/1421327732110 (2.28%)
Rejected.........: 495430/32469389126 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Candidates.#2....: 123456 -> Colts29
Candidates.#3....: Dominic1.g -> co8ltonjamesco8ltonjames

Started: Fri Sep  7 16:13:04 2018
Stopped: Fri Sep  7 16:13:06 2018
TBG-a0216:ldap-utils admin$ cat stronger_cracked_hash.txt
23ff9c95ff8fa7b0b7a176cb1cdb8a78:Passw0rd!@09
TBG-a0216:ldap-utils admin$

As you can see, it took us only about 2 seconds to crack that stronger hash. That's all for now; hope this helped and you learned something cool. If you have any questions, feel free to ask them!


Notes to keep in mind:
  • It is very rare that you come across MD5 hashes in the wild
  • Hashcat should be run on a dedicated host designed to run hashcat with a good GPU
  • It's never a good idea to steal databases or hashes
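To size a mask before committing a rig to it (and to check how long a password policy's typical pattern survives), here is a keyspace estimator for hashcat masks and .hcmask files, added as an example and not part of the original post or of hashcat itself. It uses the charset table from the post, supports the ?1..?4 custom charsets an .hcmask line can define, assumes no escaped commas in the masks, and the 2005.9 MH/s rate in the demo is the combined rate from the post's output.

```python
import math

# hashcat's built-in charsets as listed in the post; ?b is the 256 raw byte values
BUILTIN = {"l": set("abcdefghijklmnopqrstuvwxyz"), "u": set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
           "d": set("0123456789"), "h": set("0123456789abcdef"), "H": set("0123456789ABCDEF"),
           "s": set(" !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"), "b": set(range(256))}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]

def parse_mask(mask, custom=None):
    """One character set per password position; '??' is a literal '?'."""
    custom, positions, i = custom or {}, [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            tok = mask[i + 1]
            cs = {"?"} if tok == "?" else custom.get(tok) or BUILTIN.get(tok)
            if cs is None:
                raise ValueError(f"unknown charset ?{tok} in {mask!r}")
            positions.append(cs)
            i += 2
        else:
            positions.append({mask[i]})  # any other character is a fixed literal
            i += 1
    return positions

def keyspace(mask, custom=None):
    """Candidates hashcat enumerates for the mask: the product of the set sizes."""
    return math.prod(len(p) for p in parse_mask(mask, custom))

def parse_hcmask(text):
    """Parse .hcmask lines '[charset1,[charset2,...]]mask'; '#' starts a comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        *specs, mask = line.split(",")  # assumption: no escaped commas in the mask
        custom = {}
        for n, spec in enumerate(specs, start=1):  # definitions become ?1..?4
            custom[str(n)] = set().union(*parse_mask(spec, custom))
        entries.append((mask, custom))
    return entries

# Constructed .hcmask content: two masks from the post plus one with a custom charset
HCMASK = "# masks to try\n?l?l?l?l?l?l?l?l\n?u?l?l?l?l?s?d?d\n?l?d,?u?1?1?1?1?1?1\n"
if __name__ == "__main__":
    for mask, custom in parse_hcmask(HCMASK):  # 2005.9 MH/s is the post's combined rate
        space = keyspace(mask, custom)
        print(f"{mask:22} {space:>16,d} candidates  ~{space / 2005.9e6:,.0f} s at 2005.9 MH/s")
```

The all-lowercase 8-character mask comes out at 208827064576 candidates, the denominator in the post's Progress line, and at the post's rate that is about 104 seconds, matching its estimate.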

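To see what a rule actually does to a wordlist entry, here is a small interpreter for a handful of hashcat rule functions, an added example that is neither the post's code nor hashcat's own rule engine. The wordlist and rules are constructed; rule functions are written space-separated (hashcat also accepts them run together); the two digests in the demo are the ones from the post. Used as an audit, it tells you whether a password is only one simple rule away from a dictionary word.

```python
import hashlib

def apply_rule(word, rule):
    """Apply one rule (space-separated functions) to a word.
    Supported subset: ':' no-op, 'l' lower, 'u' upper, 'c' capitalize,
    'r' reverse, 'd' duplicate, '$X' append X, '^X' prepend X,
    'sXY' replace every X with Y."""
    w = word
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":":
            continue
        if op == "l":   w = w.lower()
        elif op == "u": w = w.upper()
        elif op == "c": w = w[:1].upper() + w[1:].lower()
        elif op == "r": w = w[::-1]
        elif op == "d": w = w * 2
        elif op == "$": w = w + arg
        elif op == "^": w = arg + w
        elif op == "s": w = w.replace(arg[0], arg[1])
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
    return w

def reachable_from(target_md5, words, rules):
    """Return (plain, word, rule) if some word+rule pair produces target_md5,
    i.e. the password is one rule away from a wordlist entry; else None."""
    for word in words:
        for rule in rules:
            cand = apply_rule(word, rule)
            if hashlib.md5(cand.encode()).hexdigest() == target_md5:
                return cand, word, rule
    return None

# Constructed inputs: a three-word "wordlist" and a few rules in dive.rule's style
WORDS = ["password", "letmein", "dragon"]
RULES = [":", "c", "c $1", "c so0 $! $@ $0 $9", "u r"]

if __name__ == "__main__":
    # the post's two hashes: 'password' and 'Passw0rd!@09'
    for digest in ("5f4dcc3b5aa765d61d8327deb882cf99", "23ff9c95ff8fa7b0b7a176cb1cdb8a78"):
        print(digest, "->", reachable_from(digest, WORDS, RULES))
```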
#2
Definitely a great post for those who are new to this kind of stuff. Great post man!
I think you did a great job by not explaining every argument in detail, so the ones who really are not used to reading the --help/-h are now forced to do it, and they will definitely discover new capabilities of the tool this way. Start reading the help and man pages!
#3
Thanks bro! Great post! Your way of explanation is very easy to grab all the details!
#4
Thank you for this! I'm looking for clever masks and rules, trying all this out on my production rig.
