Cracking Passwords with Hashcat
Cracking Hashes with Hashcat
Hashcat is one of the most popular password cracking tools that supports a wide range of algorithms, including NTLM, NTLMv2, and many others. This guide will walk you through the process of using Hashcat to crack hashes and explain the most commonly used cracking methods.
Introduction to Hashcat
Hashcat is a powerful and efficient password cracking tool that supports a variety of hashing algorithms. It can be used for cracking hashes of various services such as SMB, RDP, SSH, FTP, and others. Hashcat uses different attack modes and optimizations, such as dictionary-based attacks, brute-force attacks, and rule-based attacks, to perform cracking efficiently.
Installing Hashcat
If you don't have Hashcat installed, you can install it by following the instructions for your operating system.
On Linux:
sudo apt update
sudo apt install hashcatOn Windows:
Download the latest Hashcat release from the official website: https://hashcat.net/hashcat/
Extract the ZIP file to a folder and navigate to the folder to start using Hashcat.
Basic Usage of Hashcat
Step 1: Prepare Your Hashes
Before using Hashcat, you need to have a file with the hashes you want to crack. Hashcat supports many types of hashes, and they need to be placed in a plain text file. Here's an example of what your file should look like for NTLM hashes:
administrator:3c2a48f4ab5db6e2f3a02c10be38c7ab
user:5f4dcc3b5aa765d61d8327deb882cf99Step 2: Choose the Hash Type
You need to specify the hash type when running Hashcat. For example, NTLM hashes are identified by the code 1000 in Hashcat. Here are some common hash types and their corresponding codes:
NTLM:
1000NTLMv2:
5500SHA1:
100MD5:
0bcrypt:
3200
For example, to crack NTLM hashes, you would specify 1000 as the hash type.
Step 3: Use Hashcat to Crack the Hash
Here's the basic syntax for using Hashcat to crack hashes:
hashcat -m <hash-type> -a <attack-mode> <hash-file> <wordlist>-m <hash-type>: Specifies the hash type (e.g.,1000for NTLM,5500for NTLMv2).-a <attack-mode>: Specifies the attack mode. For example,0for a dictionary attack,3for a brute-force attack.<hash-file>: The file containing the hashes you want to crack.<wordlist>: The wordlist file you want to use for cracking.
Common Hashcat Cracking Methods
1. Cracking NTLM Hashes
NTLM hashes are often found in Windows authentication. To crack NTLM hashes with Hashcat:
hashcat -m 1000 -a 0 hashes.txt /path/to/wordlist.txtExplanation:
-m 1000: Specifies NTLM hash type.-a 0: Dictionary attack mode.hashes.txt: The file containing NTLM hashes./path/to/wordlist.txt: The wordlist file containing potential passwords.
Hashcat will attempt to match the hashes against the words in the wordlist.
2. Cracking NTLMv2 Hashes
NTLMv2 hashes are used in more modern systems and are more resistant to brute-force attacks. To crack NTLMv2 hashes, use the following command:
hashcat -m 5500 -a 0 hashes.txt /path/to/wordlist.txtExplanation:
-m 5500: Specifies NTLMv2 hash type.-a 0: Dictionary attack mode.hashes.txt: The file containing NTLMv2 hashes./path/to/wordlist.txt: The wordlist file.
3. Cracking MD5 Hashes
MD5 hashes are widely used for password storage. If you're cracking MD5 hashes, you can use:
hashcat -m 0 -a 0 hashes.txt /path/to/wordlist.txtExplanation:
-m 0: Specifies MD5 hash type.-a 0: Dictionary attack mode.hashes.txt: The file containing MD5 hashes./path/to/wordlist.txt: The wordlist file.
4. Brute Force Attack (Mask Attack)
A brute-force or mask attack is used when you don't have a wordlist or want to try every possible combination of characters. For example, to try all 4-character passwords consisting of lowercase letters, you can use:
hashcat -m 1000 -a 3 hashes.txt ?l?l?l?l-a 3: Specifies brute-force attack mode.?l?l?l?l: Specifies a mask pattern for four lowercase letters (e.g.,abcd).
You can adjust the mask to target different patterns (e.g., ?d for digits, ?u for uppercase letters, etc.).
5. Rule-Based Attack
Hashcat supports rule-based attacks, where you apply rules to a wordlist to generate additional password candidates. To use a rule-based attack:
hashcat -m 1000 -a 0 -r /path/to/rules.txt hashes.txt /path/to/wordlist.txt-r /path/to/rules.txt: Specifies a rule file to apply to the wordlist.hashes.txt: The file containing hashes./path/to/wordlist.txt: The wordlist file.
Rules can be used to generate variations of common passwords (e.g., adding numbers at the end, capitalizing the first letter, etc.).
Monitoring Hashcat's Progress
Hashcat shows its cracking progress in real-time. You can view its status at any point using the following command:
hashcat --statusThis will show the current progress, including the number of hashes cracked and the speed of the cracking process.
To stop the cracking process and resume later, use:
hashcat --pause
hashcat --restoreAdditional Tips and Notes
Use the Right Wordlist: A good wordlist is essential for successful cracking. Common wordlists include rockyou.txt and SecLists.
Rule-Based Attacks: You can combine a dictionary attack with rules to greatly increase your chances of cracking passwords.
Hardware Acceleration: Hashcat is designed to leverage GPUs for faster cracking. Make sure you have a compatible GPU and use the
-doption to specify your device.Speed: Hashcat is very fast and efficient, especially when using GPUs. The cracking speed depends on your hardware and the attack method.
Conclusion
Hashcat is a versatile and powerful password cracking tool that can be used to crack NTLM, NTLMv2, MD5, and many other types of hashes. With a wide range of attack modes (dictionary, brute-force, rule-based), and support for various hardware accelerations, Hashcat provides a robust solution for cracking hashes.
By understanding the hash types, using appropriate wordlists, and choosing the right attack mode, you can effectively use Hashcat to crack passwords for penetration testing, security auditing, and research purposes.
Last updated