Hashcat Guide for Password Cracking

Introduction to Hash Cracking with Hashcat
How Hashcat Works: GPU vs CPU
Setting Up Hashcat
Basic Hashcat Syntax
Hash Modes
Common Attack Modes
- Dictionary Attack
- Brute-Force Attack
- Mask Attack
- Rule-Based Attack
Cracking Windows Hashes with Hashcat
Advanced Techniques
- Combinator Attack
- Hybrid Attacks
- Using Rules for Custom Transformations
Real-World Examples
Performance Tuning
Hashcat Tips and Tricks

Introduction to Hash Cracking with Hashcat

Hashcat is a widely used, high-performance password-cracking tool that specializes in GPU-based cracking. Its support for GPU acceleration allows it to crack passwords significantly faster than many CPU-based tools. Alongside John the Ripper, Hashcat is favored for its flexibility and performance in both simple and complex password recovery tasks.

How Hashcat Works: GPU vs CPU

Hashcat is primarily optimized for GPU-based cracking, leveraging the thousands of cores in modern GPUs to perform password cracking operations efficiently. While Hashcat also supports CPU-based cracking, a GPU is generally much faster for most algorithms. However, certain slower algorithms (like bcrypt) are often better suited to CPU-based cracking due to the design of the algorithm itself.

GPU Requirements

Hashcat requires OpenCL or CUDA drivers to harness GPU power. Ensure that your system’s GPU drivers are up to date for optimal performance.

Setting Up Hashcat

To install Hashcat on a Linux system, use:

sudo apt update
sudo apt install hashcat

To verify the installation, run:

hashcat -I

This command checks for OpenCL and CUDA drivers and lists supported devices.

Basic Hashcat Syntax

Hashcat’s basic syntax is as follows:

hashcat -m [hash mode] -a [attack mode] -o [output file] [hash file] [wordlist/mask/rules]

-m: Specifies the hash type (e.g., NTLM, MD5, SHA-1).
-a: Sets the attack mode (e.g., dictionary, brute-force, mask).
-o: Defines the output file for cracked passwords.
[hash file]: Path to the file containing hashes.
[wordlist/mask/rules]: Specifies the wordlist, mask, or rules for the attack.

Hash Modes

Hashcat supports a wide array of hash types. The hash mode (-m) parameter tells Hashcat what type of hash to crack. Common examples include:

0: MD5
1000: NTLM (Windows)
1800: SHA-512 (Unix)
22000: WPA/WPA2 (Handshakes)

To list all supported hash modes, use:

hashcat --help | grep Hashmodes

Common Attack Modes

Hashcat offers several attack modes for password cracking. The most common ones include:

1. Dictionary Attack

A dictionary attack (mode -a 0) uses a predefined wordlist as input. This is ideal for passwords derived from common words or phrases.

hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

2. Brute-Force Attack

A brute-force attack (mode -a 3) attempts every possible combination within specified character sets. This can be time-consuming but is effective for short passwords.

hashcat -m 1000 -a 3 hashes.txt ?a?a?a?a?a?a

3. Mask Attack

The mask attack (also mode -a 3) allows for targeted brute-force based on known patterns, such as “passwords that end with a number.”

hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?l?d?d

4. Rule-Based Attack

A rule-based attack (mode -a 0 with -r) applies transformation rules to each word in the dictionary, increasing the likelihood of cracking complex passwords based on common patterns.

hashcat -m 1000 -a 0 -r rules/best64.rule hashes.txt /usr/share/wordlists/rockyou.txt

Cracking Windows Hashes with Hashcat

Hashcat can crack Windows NTLM hashes (mode -m 1000) dumped from the Security Account Manager (SAM) file on a Windows system.

Obtain NTLM Hashes: Extract NTLM hashes from the SAM file using tools like Mimikatz or SAMdump2.

Crack NTLM Hashes:

hashcat -m 1000 -a 0 -o cracked.txt ntlm_hashes.txt /usr/share/wordlists/rockyou.txt

Advanced Techniques

1. Combinator Attack

A combinator attack (mode -a 1) merges two wordlists to try combinations of words.

hashcat -m 1000 -a 1 hashes.txt wordlist1.txt wordlist2.txt

2. Hybrid Attacks

Hybrid attacks combine dictionary attacks with mask attacks. For example, a common dictionary word followed by two digits.

hashcat -m 1000 -a 6 hashes.txt /usr/share/wordlists/rockyou.txt ?d?d

3. Using Rules for Custom Transformations

Rules allow custom modifications to dictionary words, such as adding a digit or changing capitalization.

hashcat -m 1000 -a 0 -r rules/custom.rule hashes.txt /usr/share/wordlists/rockyou.txt

Real-World Examples

Cracking an MD5 Hash

Suppose you have an MD5 hash and want to crack it using a dictionary attack:

hashcat -m 0 -a 0 -o cracked_md5.txt md5_hashes.txt /usr/share/wordlists/rockyou.txt

Cracking WPA2 Wi-Fi Passwords

Hashcat can crack WPA2 handshakes using a captured .hccapx file.

Capture Handshake: Use a tool like Aircrack-ng to capture the WPA handshake and convert it to .hccapx format.

Run Hashcat:

hashcat -m 22000 -a 0 -o cracked_wifi.txt wifi_handshake.hccapx /usr/share/wordlists/rockyou.txt

Performance Tuning

Optimizing Hashcat’s performance can significantly speed up cracking. Here are some key settings:

Optimize Kernel: Use -O to enable optimized kernels, which can increase speed but may reduce supported password length.
Workload Profiles: Use -w to adjust workload, with values from 1 (low) to 4 (high).
Limit GPU Temperature: To avoid overheating, use --gpu-temp-abort to set a max temperature.

hashcat -m 1000 -a 0 -w 3 --gpu-temp-abort=85 hashes.txt /usr/share/wordlists/rockyou.txt

Hashcat Tips and Tricks

Identifying Hashes: Use hashid to identify hash formats.

Session Management: Use --session to name and save your sessions, enabling you to resume later.

hashcat -m 1000 -a 0 --session=ntlm_session hashes.txt /usr/share/wordlists/rockyou.txt

Masking Patterns:
- ?l for lowercase, ?u for uppercase, ?d for digits, ?s for special characters, and ?a for all.
Pause and Resume:
- Use q to pause and r to resume a cracking session in Hashcat’s interactive mode.
Excessive Padding in Mask Attacks:
- In mask attacks, padding with additional characters (like ?a?a?a?a?a?a?a?a?a) can reach deeper search spaces quickly.