Hashcat is a robust password cracking tool that can help you recover lost passwords, audit password security, benchmark, or just figure out what data is stored in a hash.
There are a number of great password cracking utilities out there, but Hashcat is known for being efficient, powerful, and full featured. Hashcat makes use of GPUs to accelerate hash cracking. GPUs are much better and handling cryptographic work than CPUs are, and they can be utilized in much greater numbers than CPUs. Hashcat also supports a very wide range of popular hashes, to ensure that it can handle deciphering nearly any password.
Please note that misuse of this program can be illegal. Only test on systems that you own or have written permission to test on. Don’t share or post hashes or results publicly. Hashcat should be used for password recovery and professional security audits.
Getting Some Hashes
If you’re going to test out Hashcat’s hash cracking capabilities, you’re going to need some hashes to test with. Don’t do something crazy and start digging up encrypted user passwords on your computer or server. You can create some dummy ones for just this purpose.
You can use OpenSSL to create a series of password hashes that you would like to test. You don’t have to go totally nuts, but you should have a few to really see what Hashcat can do.
cd into a folder where you would like to do your testing. Then, use the command below to echo possible passwords into OpenSSL and output them into a file. The
sed portion is just to strip away some garbage output and just get the hashes.
$ echo -n "Mybadpassword123" | openssl dgst -sha512 | sed 's/^.*= //' >> hashes.txt
Just run it a few times with different passwords, so you have a few in the file.
Getting A Wordlist
For this test, you’re going to need a wordlist of passwords to test against. There are tons of these online, and you can find them all over. You can also use a utility like Crunch, or just make one by typing a bunch of words into a text document.
To save time, just
wget the list below.
$ wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/500-worst-passwords.txt
You can now test out Hashcat. Take a look at the following linux command. If you run it, Hashcat will attempt to decipher the hashes that you created.
$ hashcat -m 1700 -a 1 -r /usr/share/hashcat/rules/combinator.rule hashes/hashes.txt passlists/500-worst-passwords.txt
Hashcat will take some time. If you have a slow system, it will take a lot of time. Just be mindful of that. If it’s taking too long, reduce the number of hashes in your list.
In the end, Hashcat should display each of your hashes along with its value. It might not get all of them, depending on which words you used.
As you have seen, Hashcat relies heavily on different flags and options to work properly. Taking it all in at once can be daunting, so this next section will break it all down.
The first flag that you see there is the
-m flag. In the case of the example, it’s set to 1700. This is a value in Hashcat that corresponds to SHA-512. To see the full list, run Hashcat’s help command,
$ hashcat --help. There are a lot there, so you can see why Hashcat has such a wide range of uses.
Hashcat is capable of several different attack modes. Each of these modes tests the hashes against your wordlist differently. Attack modes are specified with the
-a flag, and take values corresponding to a list available through the help command. The example used a very common option, the combination attack. Combination attacks attempt to re-arrange words and add common numbers in places users typically would. For basic usage, this is generally the best option.
There is also a rules file specified with the
-r command. The rules files are located at
/usr/share/hashcat/rules, and they provide context for how Hashcat could conduct its attacks. You must specify a rules file for many of the attack modes, including the one used in the example.
Though it wasn’t used in the example, you can specify an output file for Hashcat. Just add the
-o flag followed by the desired location of your output file. Hashcat will save the results of its cracking session as they appear in the terminal in the file.
Hashcat is an insanely powerful tool, and it scales with the tasks that it is assigned and the hardware that it is running on. Hashcat is designed to handle large scale tasks and work through them in the most efficient way possible. This isn’t some hobby tool. It is absolutely professional grade.
If you’re really interested in utilizing Hashcat’s full power, it’s definitely worth exploring the GPU options available to people with powerful graphics cards.
Of course, remember to use Hashcat responsibly, and keep your password cracking legal.