Hashcat

Usage

Usage

hashcat -a 0 -m 18200 user_hash /usr/share/wordlists/rockyou

Format

hashcat -hh | grep <FORMAT>

Username

hashcat hashes.txt /usr/share/wordlists/rockyou.txt --username

Show

hashcat --show hashes.txt

For the Domain Cached Credentials 2 (DCC2), the domain and username must be removed; only the value starting with $DCC2$ is required.

$ cat /home/plaintext/.cme/logs/MS01_10.129.204.133_2022-11-08_093944.cached| cut -d ":" -f 2
$DCC2$10240#julio#c2139497f24725b345aa1e23352481f3
$DCC2$10240#david#a8338587a1c6ee53624372572e39b93f
$DCC2$10240#john#fbdeac2c1d121818f75796cedd0caf0a

Rules

hashcat includes a variety of effective rules in /usr/share/hashcat/rules. Custom file rules can also be created.

• If rule functions are on the same line, they are applied consecutively to each word.

• If rule functions are on separate lines, each line is treated as a separate rule.

# initial password file
$ cat mutating_example.txt
password

# capitalize the first letter & add '1' at the end simultaneously
$ echo 'c $1' > rule1.txt && cat rule1.txt
c $1

$ hashcat -r rule1.txt --stdout mutating_example.txt
Password1

# capitalize the first letter, add '1' at the end
$ echo -e 'c\n$1' > rule2.txt && cat rule2.txt
c
$1

$ hashcat -r rule2.txt --stdout mutating_example.txt
Password
password1

Optimization

Enable a specific workload profile -> default is 2; use 3 if the PC focuses just on Hashcat.

Workload

hashcat -a 0 -m 18200 user_hash /usr/share/wordlists/rockyou -w 3

Hash Types

Just passing the hash file ($ hashcat example_hash) will have the hash type autodetected.

Type	Mode
$krb5asrep$23$	18200
$krb5tgs$23$	13100
NTLMv2	5600
NTLM	1000
$krb5asrep$17$	32100
$krb5asrep$18$	32200
$krb5tgs$17$	19600
$krb5tgs$18$	19700
NTLMv2 (NT)	27100
$DCC2$10240	2100
MD5	500
KeePass (keepass2john)	13400
$sshng$6$ (ssh2john)	22921

Cracking Time

Cracking time is determined by dividing the keyspace by the hash rate:

• Keyspace is calculated as the character set raised to the power of the password length. For example, with lowercase (26), uppercase (26), and digits (10), the character set totals 62. A five-character password would have 62^5 possible combinations.

• The hash rate is a measure of how many hash calculations can be performed in a second (1 MH/s equals 1,000,000 hashes per second).

Keyspace

# keyspace calculation
$ echo -n "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" | wc -c
62

$ python3 -c "print(62**5)"
916132832

Hash Rate

# hash rate calculation (benchmark mode) for a CPU-based system
$ hashcat -b
hashcat (v6.2.5) starting in benchmark mode
...
* Device #1: pthread-Intel(R) Core(TM) i9-10885H CPU @ 2.40GHz, 1545/3154 MB (512 MB allocatable), 4MCU

Benchmark relevant options:
===========================
* --optimized-kernel-enable
-------------------
* Hash-Mode 0 (MD5)
-------------------
Speed.#1.........:   450.8 MH/s (2.19ms) @ Accel:256 Loops:1024 Thr:1 Vec:8
----------------------
* Hash-Mode 100 (SHA1)
----------------------
Speed.#1.........:   298.3 MH/s (3.22ms) @ Accel:256 Loops:1024 Thr:1 Vec:8
---------------------------
* Hash-Mode 1400 (SHA2-256)
---------------------------
Speed.#1.........:   134.2 MH/s (7.63ms) @ Accel:256 Loops:1024 Thr:1 Vec:8

# hash rate calculation (benchmark mode) for a GPU-based system
* Device #1: NVIDIA GeForce RTX 3090, 23336/24575 MB, 82MCU

Benchmark relevant options:
===========================
* --optimized-kernel-enable
-------------------
* Hash-Mode 0 (MD5)
-------------------
Speed.#1.........: 68185.1 MH/s (39.99ms) @ Accel:256 Loops:1024 Thr:128 Vec:8
----------------------
* Hash-Mode 100 (SHA1)
----------------------
Speed.#1.........: 21528.2 MH/s (63.45ms) @ Accel:64 Loops:512 Thr:512 Vec:1
---------------------------
* Hash-Mode 1400 (SHA2-256)
---------------------------
Speed.#1.........:  9276.3 MH/s (73.85ms) @ Accel:16 Loops:1024 Thr:512 Vec:1

Cracking Time

# cracking time calculation (in seconds) for SHA256

# CPU
$ python3 -c "print(916132832 / 134200000)"
6.826623189269746
# GPU
$ python3 -c "print(916132832 / 9276300000)"
0.09876058687192092

Increasing password length increases cracking duration by exponential time, while increasing password complexity (charset) only increases cracking duration by polynomial time.

Exponential time grows much faster than polynomial time.

• Polynomial time (e.g., n2n^2n2, n3n^3n3): As input nnn increases, the number of steps grows at a manageable rate.

• Exponential time (e.g., 2n2^n2n, 3n3^n3n): The number of steps doubles, triples, or grows even faster with each increase in nnn, making it impractical for large inputs.

Increasing Password Length

# keyspace for an 8-length password
$ python3 -c "print(62**8)"
218340105584896
# cracking time
$ python3 -c "print(218340105584896 / 9276300000)"
23537.41314801117 # ~6.5 hours

# keyspace for a 10-length password
$ python3 -c "print(62**10)"
839299365868340224
# cracking time
$ python3 -c "print(839299365868340224 / 9276300000)"
90477816.14095493 # ~2.8 years

Increasing Password Complexity

# simple charset
$ echo -n "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" | wc -c
62
# keyspace
$ python3 -c "print(62**5)"
916132832
# cracking time
$ python3 -c "print(916132832/9276300000)"
0.09876058687192092 # ~2.7 hours


# complex charset
$ echo -n "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$!@#$%^&*()_+=-[]{}|;:/?.><,." | wc -c
89
# new keyspace (polynomial increase)
$ python3 -c "print(89**5)"
5584059449
# cracking time
$ python3 -c "print(5584059449/9276300000)"
0.6019705538846307 # ~16.7 hours 

Resources

GitHub

GitHub - hashcat/hashcat: World's fastest and most advanced password recovery utilityGitHub

Wiki

start [hashcat wiki]

GUI

Releases · s77rt/hashcat.launcherGitHub