Zero Day Archives
  • What is Zero Day Archives?
  • Contributors
  • Wireless Security
    • Intro to WiFi Pentesting
      • WEP Networks
      • WPS
      • WPA-PSK Networks
      • WPA & WPA2 PSK
      • WPA2 & WPA3 Enterprise Networks
      • WPA2 & WPA3-APLess
  • Reverse Engineering
    • Reverse Engineering
      • Introduction to Software Reverse Engineering
        • Introduction to Capture the Flag (CTF) Competitions
        • What are PE & Elf Binaries
        • Assembly Language for Beginner Reverse Engineers
        • Memory Registers for x86-64 (64-bit) and x86 (32-bit)
        • Reversing Tools: Command-Line Utilities for Binary Analysis
        • Reversing ELF Binaries: Techniques and Tools
      • Disassembly & Debugging
        • GDB for Reverse Engineering
        • RADARE2 for Reverse Engineering
        • GHIDRA for Reverse Engineering
        • IDA Pro for Reverse Engineering
      • Binary Exploitation
        • Buffer Overflows
          • What are Buffer Overflows and Stack Protections?
          • Commonly Exploited C Functions and Their Secure Alternatives
          • Basic Buffer Overflow in x86-64 Using GDB
        • Cryptography
          • Understanding Ciphers and Identifying Common Patterns
          • Teaching XOR Operations in Binary Exploitation
        • Return Oriented Programming (ROP)
          • Practical Guide to Exploring and Identifying Return-Oriented Programming (ROP)
        • Cracking and Patching Binaries
          • Tactics, Tools, and Procedures for Cracking and Patching Binaries
        • Ret2Win Challenges
  • Malware Analysis
    • Malware Analysis
      • Static Analysis
  • Transporting Files to/from Victims
    • Transferring Files to/from High Value Targets
      • Linux
      • Windows
      • CrackMapExec (NetExec)
  • Penetration Testing against GIT Remote Repositories
    • Targeting GIT Repositories
      • Attacking GIT
  • Network Pivoting, Port Forwarding, and Tunneling
    • Pivoting
      • Ligolo-ng
        • Basic Pivoting
        • Setup Reverse Shells through Pivot
        • Transferring Files through Pivot
      • Pivoting: Using Remote Desktop
      • ProxyChains
      • Metasploit
    • SSH Tunneling
      • SSH Local Port Forwarding
      • SSH Dynamic Port Forwarding
      • Sshuttle over SSH
    • Port Fowarding
      • Chisel Port Forwarding
      • NetSH for Port Forwarding
      • Plink for Port Forwarding
      • SoCat
      • Metasploit: Port Forwarding
  • Anti-Virus Evasion
    • Anti-Virus Evasion
      • Evasion with Metasploit
      • Evasion wtih Shellter
      • Evasion with Virus Total
  • Public Exploit Research
    • Online Exploit Research & Methods
  • Password Attacks
    • Password Attacks
      • Identifying Hashes
        • Hash Identifier Tools
      • John The Ripper
        • Cracking Passwords with John
        • Convert to Hashes with John
        • NTLM vs NTLMv2 Hashes + CrackMapExec
      • Hashcat
        • Cracking Passwords with Hashcat
      • Hydra
        • Hydra for Network Services
        • Hydra for Web Services
      • Mutating Wordlists for John & Hashcat
        • Mutating Wordlists
  • Digital Forensics & Incident Response (DFIR)
    • Digital Forensics
  • Data Science
    • Data Science/AI
  • Software Defined Radio (SDR)
    • Software Defined Radio
  • Embedded Systems Programming
    • Field Programmable Gate Arrays (FPGAs)
  • Other Resources
    • Resources for Hackers
Powered by GitBook
On this page
  • Cracking Hashes with Hashcat
  • Introduction to Hashcat
  • Basic Usage of Hashcat
  • Common Hashcat Cracking Methods
  • Monitoring Hashcat's Progress
  • Additional Tips and Notes
  • Conclusion
  1. Password Attacks
  2. Password Attacks
  3. Hashcat

Cracking Passwords with Hashcat

Cracking Hashes with Hashcat

Hashcat is one of the most popular password cracking tools that supports a wide range of algorithms, including NTLM, NTLMv2, and many others. This guide will walk you through the process of using Hashcat to crack hashes and explain the most commonly used cracking methods.

Introduction to Hashcat

Hashcat is a powerful and efficient password cracking tool that supports a variety of hashing algorithms. It can be used for cracking hashes of various services such as SMB, RDP, SSH, FTP, and others. Hashcat uses different attack modes and optimizations, such as dictionary-based attacks, brute-force attacks, and rule-based attacks, to perform cracking efficiently.

Installing Hashcat

If you don't have Hashcat installed, you can install it by following the instructions for your operating system.

On Linux:

sudo apt update
sudo apt install hashcat

On Windows:

  1. Download the latest Hashcat release from the official website: https://hashcat.net/hashcat/

  2. Extract the ZIP file to a folder and navigate to the folder to start using Hashcat.

Basic Usage of Hashcat

Step 1: Prepare Your Hashes

Before using Hashcat, you need to have a file with the hashes you want to crack. Hashcat supports many types of hashes, and they need to be placed in a plain text file. Here's an example of what your file should look like for NTLM hashes:

administrator:3c2a48f4ab5db6e2f3a02c10be38c7ab
user:5f4dcc3b5aa765d61d8327deb882cf99

Step 2: Choose the Hash Type

You need to specify the hash type when running Hashcat. For example, NTLM hashes are identified by the code 1000 in Hashcat. Here are some common hash types and their corresponding codes:

  • NTLM: 1000

  • NTLMv2: 5500

  • SHA1: 100

  • MD5: 0

  • bcrypt: 3200

For example, to crack NTLM hashes, you would specify 1000 as the hash type.

Step 3: Use Hashcat to Crack the Hash

Here's the basic syntax for using Hashcat to crack hashes:

hashcat -m <hash-type> -a <attack-mode> <hash-file> <wordlist>

  • -m <hash-type>: Specifies the hash type (e.g., 1000 for NTLM, 5500 for NTLMv2).

  • -a <attack-mode>: Specifies the attack mode. For example, 0 for a dictionary attack, 3 for a brute-force attack.

  • <hash-file>: The file containing the hashes you want to crack.

  • <wordlist>: The wordlist file you want to use for cracking.

Common Hashcat Cracking Methods

1. Cracking NTLM Hashes

NTLM hashes are often found in Windows authentication. To crack NTLM hashes with Hashcat:

hashcat -m 1000 -a 0 hashes.txt /path/to/wordlist.txt

  • Explanation:

    • -m 1000: Specifies NTLM hash type.

    • -a 0: Dictionary attack mode.

    • hashes.txt: The file containing NTLM hashes.

    • /path/to/wordlist.txt: The wordlist file containing potential passwords.

Hashcat will attempt to match the hashes against the words in the wordlist.

2. Cracking NTLMv2 Hashes

NTLMv2 hashes are used in more modern systems and are more resistant to brute-force attacks. To crack NTLMv2 hashes, use the following command:

hashcat -m 5500 -a 0 hashes.txt /path/to/wordlist.txt

  • Explanation:

    • -m 5500: Specifies NTLMv2 hash type.

    • -a 0: Dictionary attack mode.

    • hashes.txt: The file containing NTLMv2 hashes.

    • /path/to/wordlist.txt: The wordlist file.

3. Cracking MD5 Hashes

MD5 hashes are widely used for password storage. If you're cracking MD5 hashes, you can use:

hashcat -m 0 -a 0 hashes.txt /path/to/wordlist.txt

  • Explanation:

    • -m 0: Specifies MD5 hash type.

    • -a 0: Dictionary attack mode.

    • hashes.txt: The file containing MD5 hashes.

    • /path/to/wordlist.txt: The wordlist file.

4. Brute Force Attack (Mask Attack)

A brute-force or mask attack is used when you don't have a wordlist or want to try every possible combination of characters. For example, to try all 4-character passwords consisting of lowercase letters, you can use:

hashcat -m 1000 -a 3 hashes.txt ?l?l?l?l

  • -a 3: Specifies brute-force attack mode.

  • ?l?l?l?l: Specifies a mask pattern for four lowercase letters (e.g., abcd).

You can adjust the mask to target different patterns (e.g., ?d for digits, ?u for uppercase letters, etc.).

5. Rule-Based Attack

Hashcat supports rule-based attacks, where you apply rules to a wordlist to generate additional password candidates. To use a rule-based attack:

hashcat -m 1000 -a 0 -r /path/to/rules.txt hashes.txt /path/to/wordlist.txt

  • -r /path/to/rules.txt: Specifies a rule file to apply to the wordlist.

  • hashes.txt: The file containing hashes.

  • /path/to/wordlist.txt: The wordlist file.

Rules can be used to generate variations of common passwords (e.g., adding numbers at the end, capitalizing the first letter, etc.).

Monitoring Hashcat's Progress

Hashcat shows its cracking progress in real-time. You can view its status at any point using the following command:

hashcat --status

This will show the current progress, including the number of hashes cracked and the speed of the cracking process.

To stop the cracking process and resume later, use:

hashcat --pause
hashcat --restore

Additional Tips and Notes

  • Use the Right Wordlist: A good wordlist is essential for successful cracking. Common wordlists include rockyou.txt and SecLists.

  • Rule-Based Attacks: You can combine a dictionary attack with rules to greatly increase your chances of cracking passwords.

  • Hardware Acceleration: Hashcat is designed to leverage GPUs for faster cracking. Make sure you have a compatible GPU and use the -d option to specify your device.

  • Speed: Hashcat is very fast and efficient, especially when using GPUs. The cracking speed depends on your hardware and the attack method.

Conclusion

Hashcat is a versatile and powerful password cracking tool that can be used to crack NTLM, NTLMv2, MD5, and many other types of hashes. With a wide range of attack modes (dictionary, brute-force, rule-based), and support for various hardware accelerations, Hashcat provides a robust solution for cracking hashes.

By understanding the hash types, using appropriate wordlists, and choosing the right attack mode, you can effectively use Hashcat to crack passwords for penetration testing, security auditing, and research purposes.

PreviousHashcatNextHydra

Last updated 15 days ago