Hashcat is a well-known password cracking tool for Linux, Windows, and macOS. From 2009 until 2015 it was proprietary software, but has since been released as open-source. Featuring fantastic GPU support, it can be used to crack a large variety of hashes. Similar to JtR, hashcat supports multiple attack (cracking) modes which can be used to efficiently attack password hashes.
hashcat -a 0 -m 0 <hashes> [wordlist, rule, mask, ...]In the command above:
-ais used to specify theattack mode-mis used to specify thehash type<hashes>is a either a hash string, or a file containing one or more password hashes of the same type[wordlist, rule, mask, ...]is a placeholder for additional arguments that depend on the attack mode
Hash types
hashcat --helpAlternatively, hashID can be used to quickly identify the hashcat hash type by specifying the -m argument.
Attack modes
Hashcat has many different attack mode, including dictionary, mask, combinator, and association. In this section we will go over the first two, as they are likely the most common ones that you will need to use.
Dictionary attack
Dictionary attack (-a 0) is, as the name suggests, a dictionary attack. The user provides password hashes and a wordlist as input, and Hashcat tests each word in the list as a potential password until the correct one is found or the list is exhausted.
hashcat -a 0 -m 0 e3e3ec5831ad5e7288241960e5d4fdb8 /usr/share/wordlists/rockyou.txtA wordlist alone is often not enough to crack a password hash. As was the case with JtR, rules can be used to perform specific modifications to passwords to generate even more guesses. The rule files that come with hashcat are typically found under /usr/share/hashcat/rules:
ls -l /usr/share/hashcat/rulesAs another example, imagine an additional md5 hash was leaked from the SQL database: 1b0556a75770563578569ae21392630c. We weren’t able to crack it using rockyou.txt alone, so in a subsequent attempt, we might apply some common rule-based transformations. One ruleset we could try is best64.rule, which contains 64 standard password modifications—such as appending numbers or substituting characters with their “leet” equivalents. To perform this kind of attack, we would append the -r <ruleset> option to the command, as shown below:
hashcat -a 0 -m 0 1b0556a75770563578569ae21392630c /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.ruleMask attack
Mask attack (-a 3) is a type of brute-force attack in which the keyspace is explicitly defined by the user. For example, if we know that a password is eight characters long, rather than attempting every possible combination, we might define a mask that tests combinations of six letters followed by two numbers.
A mask is defined by combining a sequence of symbols, each representing a built-in or custom character set. Hashcat includes several built-in character sets:
| Symbol | Charset |
|---|---|
| ?l | abcdefghijklmnopqrstuvwxyz |
| ?u | ABCDEFGHIJKLMNOPQRSTUVWXYZ |
| ?d | 0123456789 |
| ?h | 0123456789abcdef |
| ?H | 0123456789ABCDEF |
| ?s | «space»!”#$%&’()*+,-./:;⇐>?@[]^_`{ |
| ?a | ?l?u?d?s |
| ?b | 0x00 - 0xff |
Custom charsets can be defined with the -1, -2, -3, and -4 arguments, then referred to with ?1, ?2, ?3, and ?4. |
hashcat -a 3 -m 0 1e293d6912d074c0fd15844d803400dd '?u?l?l?l?l?d?s'