Hashcat
Usage
If using hashcat.exe on Windows, open the hash file with Notepad++ and go to: Encoding → Convert to UTF-8 (without BOM).
hashcat -a 0 -m 18200 user_hash /usr/share/wordlists/rockyou
# Mode code enumeration
hashcat -hh | grep <FORMAT>
# Example formats
hashcat -m 2100 --example-hashes
hashcat hashes.txt /usr/share/wordlists/rockyou.txt --username
hashcat --show hashes.txt
For the Domain Cached Credentials 2 (DCC2), the domain and username must be removed; only the value starting with $DCC2$ is required.
$ cat /home/plaintext/.cme/logs/MS01_10.129.204.133_2022-11-08_093944.cached | cut -d ":" -f 2
$DCC2$10240#julio#c2139497f24725b345aa1e23352481f3
$DCC2$10240#david#a8338587a1c6ee53624372572e39b93f
$DCC2$10240#john#fbdeac2c1d121818f75796cedd0caf0a
Rules
hashcat includes a variety of effective rules in /usr/share/hashcat/rules. Custom rule files can also be created.
If rule functions are on the same line, they are applied consecutively to each word.
If rule functions are on separate lines, each line is treated as a separate rule.
# initial password file
$ cat mutating_example.txt
password
# capitalize the first letter & add '1' at the end simultaneously
$ echo 'c $1' > rule1.txt && cat rule1.txt
c $1
$ hashcat -r rule1.txt --stdout mutating_example.txt
Password1
# capitalize the first letter, add '1' at the end
$ echo -e 'c\n$1' > rule2.txt && cat rule2.txt
c
$1
$ hashcat -r rule2.txt --stdout mutating_example.txt
Password
password1
Optimization
Select a workload profile with -w: the default is 2; use 3 if the PC focuses just on Hashcat.
hashcat -a 0 -m 18200 user_hash /usr/share/wordlists/rockyou -w 3
Hash Types
Just passing the hash file ($ hashcat example_hash) will have the hash type autodetected.
Hash format                 Mode
$krb5asrep$23$              18200
$krb5tgs$23$                13100
NTLMv2                      5600
NTLM                        1000
$krb5asrep$17$              32100
$krb5asrep$18$              32200
$krb5tgs$17$                19600
$krb5tgs$18$                19700
NTLMv2 (NT)                 27100
$DCC2$10240                 2100
MD5                         500
KeePass (keepass2john)      13400
$sshng$6$ (ssh2john)        22921
Cracking Time
Cracking time is determined by dividing the keyspace by the hash rate:
Keyspace is calculated as the character set raised to the power of the password length. For example, with lowercase (26), uppercase (26), and digits (10), the character set totals 62. A five-character password would have 62^5 possible combinations.
The hash rate is a measure of how many hash calculations can be performed in a second (1 MH/s equals 1,000,000 hashes per second).
# keyspace calculation
$ echo -n "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" | wc -c
62
$ python3 -c "print(62**5)"
916132832
# hash rate calculation (benchmark mode) for a CPU-based system
$ hashcat -b
hashcat (v6.2.5) starting in benchmark mode
...
* Device #1: pthread-Intel(R) Core(TM) i9-10885H CPU @ 2.40GHz, 1545/3154 MB (512 MB allocatable), 4MCU
Benchmark relevant options:
===========================
* --optimized-kernel-enable
-------------------
* Hash-Mode 0 (MD5)
-------------------
Speed.#1.........: 450.8 MH/s (2.19ms) @ Accel:256 Loops:1024 Thr:1 Vec:8
----------------------
* Hash-Mode 100 (SHA1)
----------------------
Speed.#1.........: 298.3 MH/s (3.22ms) @ Accel:256 Loops:1024 Thr:1 Vec:8
---------------------------
* Hash-Mode 1400 (SHA2-256)
---------------------------
Speed.#1.........: 134.2 MH/s (7.63ms) @ Accel:256 Loops:1024 Thr:1 Vec:8
# hash rate calculation (benchmark mode) for a GPU-based system
* Device #1: NVIDIA GeForce RTX 3090, 23336/24575 MB, 82MCU
Benchmark relevant options:
===========================
* --optimized-kernel-enable
-------------------
* Hash-Mode 0 (MD5)
-------------------
Speed.#1.........: 68185.1 MH/s (39.99ms) @ Accel:256 Loops:1024 Thr:128 Vec:8
----------------------
* Hash-Mode 100 (SHA1)
----------------------
Speed.#1.........: 21528.2 MH/s (63.45ms) @ Accel:64 Loops:512 Thr:512 Vec:1
---------------------------
* Hash-Mode 1400 (SHA2-256)
---------------------------
Speed.#1.........: 9276.3 MH/s (73.85ms) @ Accel:16 Loops:1024 Thr:512 Vec:1
# cracking time calculation (in seconds) for SHA256
# CPU
$ python3 -c "print(916132832 / 134200000)"
6.826623189269746
# GPU
$ python3 -c "print(916132832 / 9276300000)"
0.09876058687192092
Increasing password length increases cracking duration exponentially, while increasing password complexity (charset) only increases cracking duration polynomially.
Exponential time grows much faster than polynomial time.
Polynomial time (e.g., n^2, n^3): As input n increases, the number of steps grows at a manageable rate.
Exponential time (e.g., 2^n, 3^n): The number of steps doubles, triples, or grows even faster with each increase in n, making it impractical for large inputs.
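The length-versus-charset comparison above, as an added example that is not part of the original page: it parses benchmark output in the format shown on this page and applies keyspace / hash rate to find the shortest password length that resists exhaustive search for a target time. The function names and the 10-year target are assumptions for illustration, and the benchmark text is a constructed sample built from the GPU figures above.

```python
import re

# Constructed sample: trimmed `hashcat -b` output in the format shown on this page.
BENCHMARK = """\
-------------------
* Hash-Mode 0 (MD5)
-------------------
Speed.#1.........: 68185.1 MH/s (39.99ms) @ Accel:256 Loops:1024 Thr:128 Vec:8
---------------------------
* Hash-Mode 1400 (SHA2-256)
---------------------------
Speed.#1.........: 9276.3 MH/s (73.85ms) @ Accel:16 Loops:1024 Thr:512 Vec:1
"""

UNITS = {"H/s": 1, "kH/s": 1e3, "MH/s": 1e6, "GH/s": 1e9}
YEAR = 365 * 24 * 3600  # seconds

def parse_benchmark(text):
    """Return {hash_mode: hashes_per_second}, summing the per-device Speed lines."""
    rates, mode = {}, None
    for line in text.splitlines():
        m = re.match(r"\* Hash-Mode (\d+) ", line)
        if m:
            mode = int(m.group(1))
            continue
        s = re.match(r"Speed\.#\d+\.*:\s*([\d.]+) ([kMG]?H/s)", line)
        if s and mode is not None:
            rates[mode] = rates.get(mode, 0) + float(s.group(1)) * UNITS[s.group(2)]
    return rates

def seconds_to_exhaust(charset_size, length, rate):
    """Worst case: every candidate of exactly `length` characters is tried."""
    return charset_size ** length / rate

def min_length(charset_size, rate, target_seconds):
    """Shortest length whose full keyspace takes at least target_seconds."""
    length = 1
    while seconds_to_exhaust(charset_size, length, rate) < target_seconds:
        length += 1
    return length

if __name__ == "__main__":
    rate = parse_benchmark(BENCHMARK)[1400]  # SHA2-256 on the GPU
    for charset in (62, 89):
        for length in (5, 8, 10):
            print(charset, length, f"{seconds_to_exhaust(charset, length, rate):.3g} s")
        print("min length for 10 years:", min_length(charset, rate, 10 * YEAR))
```

Widening the charset from 62 to 89 symbols lowers the required length by only one character at this rate, which is the polynomial-versus-exponential effect in policy terms.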
# keyspace for an 8-length password
$ python3 -c "print(62**8)"
218340105584896
# cracking time
$ python3 -c "print(218340105584896 / 9276300000)"
23537.41314801117 # ~6.5 hours
# keyspace for a 10-length password
$ python3 -c "print(62**10)"
839299365868340224
# cracking time
$ python3 -c "print(839299365868340224 / 9276300000)"
90477816.14095493 # ~2.8 years
# simple charset
$ echo -n "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" | wc -c
62
# keyspace
$ python3 -c "print(62**5)"
916132832
# cracking time
$ python3 -c "print(916132832/9276300000)"
0.09876058687192092 # ~0.1 seconds
# complex charset
$ echo -n "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$!@#$%^&*()_+=-[]{}|;:/?.><,." | wc -c
89
# new keyspace (polynomial increase)
$ python3 -c "print(89**5)"
5584059449
# cracking time
$ python3 -c "print(5584059449/9276300000)"
0.6019705538846307 # ~0.6 seconds
Resources