IntroductionHashcat is a robust password cracking tool that can help you recover lost passwords, audit password security, benchmark, or just figure out what data is stored in a hash.
There are a number of great password cracking utilities out there, but Hashcat is known for being efficient, powerful, and full featured. Hashcat makes use of GPUs to accelerate hash cracking. GPUs are much better and handling cryptographic work than CPUs are, and they can be utilized in much greater numbers than CPUs. Hashcat also supports a very wide range of popular hashes, to ensure that it can handle deciphering nearly any password.
Please note that misuse of this program can be illegal. Only test on systems that you own or have written permission to test on. Don't share or post hashes or results publicly. Hashcat should be used for password recovery and professional security audits.
Getting Some HashesIf you're going to test out Hashcat's hash cracking capabilities, you're going to need some hashes to test with. Don't do something crazy and start digging up encrypted user passwords on your computer or server. You can create some dummy ones for just this purpose.
You can use OpenSSL to create a series of password hashes that you would like to test. You don't have to go totally nuts, but you should have a few to really see what Hashcat can do.
cdinto a folder where you would like to do your testing. Then, use the command below to echo possible passwords into OpenSSL and output them into a file. The
sedportion is just to strip away some garbage output and just get the hashes.
$ echo -n "Mybadpassword123" | openssl dgst -sha512 | sed 's/^.*= //' >> hashes.txtJust run it a few times with different passwords, so you have a few in the file.
Getting A WordlistFor this test, you're going to need a wordlist of passwords to test against. There are tons of these online, and you can find them all over. You can also use a utility like Crunch, or just make one by typing a bunch of words into a text document.
To save time, just
wgetthe list below.
$ wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/500-worst-passwords.txt
Basic CrackingYou can now test out Hashcat. Take a look at the following command. If you run it, Hashcat will attempt to decipher the hashes that you created.
$ hashcat -m 1700 -a 1 -r /usr/share/hashcat/rules/combinator.rule hashes/hashes.txt passlists/500-worst-passwords.txtHashcat will take some time. If you have a slow system, it will take a lot of time. Just be mindful of that. If it's taking too long, reduce the number of hashes in your list.
In the end, Hashcat should display each of your hashes along with its value. It might not get all of them, depending on which words you used.
OptionsAs you have seen, Hashcat relies heavily on different flags and options to work properly. Taking it all in at once can be daunting, so this next section will break it all down.
Hash TypesThe first flag that you see there is the
-mflag. In the case of the example, it's set to 1700. This is a value in Hashcat that corresponds to SHA-512. To see the full list, run Hashcat's help command,
$ hashcat --help. There are a lot there, so you can see why Hashcat has such a wide range of uses.
Attack ModesHashcat is capable of several different attack modes. Each of these modes tests the hashes against your wordlist differently. Attack modes are specified with the
-aflag, and take values corresponding to a list available through the help command. The example used a very common option, the combination attack. Combination attacks attempt to re-arrange words and add common numbers in places users typically would. For basic usage, this is generally the best option.
RulesThere is also a rules file specified with the
-rcommand. The rules files are located at
/usr/share/hashcat/rules, and they provide context for how Hashcat could conduct its attacks. You must specify a rules file for many of the attack modes, including the one used in the example.
OutputThough it wasn't used in the example, you can specify an output file for Hashcat. Just add the
-oflag followed by the desired location of your output file. Hashcat will save the results of its cracking session as they appear in the terminal in the file.
Closing ThoughtsHashcat is an insanely powerful tool, and it scales with the tasks that it is assigned and the hardware that it is running on. Hashcat is designed to handle large scale tasks and work through them in the most efficient way possible. This isn't some hobby tool. It is absolutely professional grade.
If you're really interested in utilizing Hashcat's full power, it's definitely worth exploring the GPU options available to people with powerful graphics cards.
Of course, remember to use Hashcat responsibly, and keep your password cracking legal.