Hashcat Guide: From Beginner to Expert
Introduction to Hashcat
Hashcat is one of the most powerful and versatile password recovery tools available. It supports various hash algorithms and attack modes, making it a go-to solution for penetration testers and security professionals. This guide covers the basic usage of Hashcat, common attack modes, advanced techniques, and optimizations for effective password cracking.
What is Hashcat?
Hashcat is an open-source password cracking tool that uses a variety of methods to recover plaintext passwords from hashed values. Hashcat can utilize both CPU and GPU power to perform high-speed attacks, making it an essential tool for security testing and password recovery.
Hashing Algorithms Supported by Hashcat
Hashcat supports a wide range of hashing algorithms, including:
- MD5 (Message Digest Algorithm 5)
- SHA-1 (Secure Hash Algorithm 1)
- SHA-256, SHA-512
- Bcrypt, Argon2
- NTLM (Windows New Technology LAN Manager)
- Kerberos
- WPA/WPA2 (Wi-Fi Protected Access)
- and many others...
Installing Hashcat
To install Hashcat, follow these steps:
Basic Usage
The basic syntax for running Hashcat is:
hashcat -m [hash type] -a [attack mode] -o [output file] [hash file] [wordlist]
For example, to run a dictionary attack on an MD5 hash using a wordlist:
hashcat -m 0 -a 0 -o cracked.txt hashes.txt wordlist.txt
Hashcat Attack Modes
Hashcat offers several attack modes, each suited for different scenarios:
- -a 0 (Straight): Dictionary attack using a wordlist.
- -a 1 (Combination): Combines words from two wordlists.
- -a 3 (Brute-force): Tries every possible combination of characters.
- -a 6 (Hybrid Wordlist + Mask): Adds custom rules to a wordlist.
- -a 7 (Hybrid Mask + Wordlist): Adds a wordlist to a custom mask.
Example: Cracking a WPA2 Hash
To crack a WPA2 handshake captured in a file named handshake.hccapx, use the following command:
hashcat -m 2500 -a 0 -o cracked.txt handshake.hccapx wordlist.txt
Explanation:
- -m 2500: Specifies WPA/WPA2 hash type.
- -a 0: Uses a dictionary attack.
- -o cracked.txt: Output file for recovered passwords.
- handshake.hccapx: Input file containing the captured handshake.
- wordlist.txt: The wordlist used for the attack.
Optimizing Performance
To maximize Hashcat's performance, consider the following tips:
- Use GPU Acceleration: Hashcat can leverage GPU acceleration for high-speed cracking. Ensure you have the necessary GPU drivers installed (NVIDIA or AMD).
- Adjust Workload Profiles: Use the `-w` parameter to set the workload profile (1 to 4), where `-w 3` is ideal for most setups.
hashcat -w 3 -m 0 hashes.txt wordlist.txt
- Use Masks for Targeted Attacks: Masks allow you to specify character sets and patterns for brute-force attacks. For example, a mask for all lowercase letters with a length of 6:
hashcat -m 0 -a 3 hashes.txt ?l?l?l?l?l?l
- Enable Rules: Hashcat supports rule-based attacks to modify words in a wordlist (e.g., `leetspeak` transformations, appending numbers). Use the `-r` option to apply a ruleset:
hashcat -m 0 -a 0 -r rules/best64.rule hashes.txt wordlist.txt
Advanced Techniques
For more experienced users, consider using these advanced Hashcat techniques:
- Hybrid Attacks: Combine wordlist and mask attacks to increase the chance of finding complex passwords.
- Custom Masks: Use masks like
?u?l?d for upper case, lower case, and digits to limit the search space.
- Rule-Based Modifications: Create custom rules for specific patterns or password conventions used by the target organization.Rule-Based Modifications: Create custom rules for specific patterns or password conventions used by the target organization.Rule-Based Modifications: Create custom rules for specific patterns or password conventions used by the target organization. For example, to create a rule that appends numbers 0-9 to each word in the wordlist, add the following line to a custom rule file:
$[0-9]
Then run Hashcat with the custom rule:
hashcat -m 0 -a 0 -r custom.rule hashes.txt wordlist.txt
Cracking Password Hashes with Salts: Some hashes include additional data known as a salt to prevent precomputation attacks. For these hashes, use the salt information when performing attacks (e.g., Unix shadow files).
Utilizing Multiple Hash Types: When unsure of the hash type, use the `--username` option and specify multiple hash types (e.g., `-m 1000` for NTLM and `-m 1800` for SHA512crypt).
Distributed Cracking: Use distributed systems like Hashtopolis or DistributedCracking.net to split large tasks among multiple machines.
Hashcat Output and Analysis
Hashcat outputs recovered passwords in a standard format: hash:password. You can analyze the cracked passwords to identify patterns and strengthen security policies. Use the `-o` option to specify the output file:
hashcat -m 0 -a 0 hashes.txt wordlist.txt -o cracked.txt
You can also enable show mode to display cracked passwords without running an attack:
hashcat -m 0 --show hashes.txt
Common Hashcat Errors and Troubleshooting
If you encounter errors while using Hashcat, consider the following troubleshooting tips:
- Check GPU/CPU Drivers: Ensure your hardware drivers (NVIDIA/AMD) are up-to-date. Outdated drivers can lead to errors or reduced performance.
- Insufficient Memory: Some hash types, such as bcrypt or Argon2, are memory-intensive. Use a system with sufficient RAM or reduce the workload profile with `-w 1` to limit memory usage.
- Verify Hash Type: Incorrect hash types can lead to "Line-length exception" errors. Use the `--example-hashes` option to view sample hashes and verify the format.
- Permission Errors: If using GPU acceleration, run Hashcat with administrative privileges or root to ensure it can access GPU resources.
Additional Learning Resources
To further explore and master Hashcat, consider the following resources: