Hashcat

Usage

If using hashcat.exe on Windows, open the hash file with Notepad++ and go to: Encoding → Convert to UTF-8 (without BOM).

hashcat -a 0 -m 18200 user_hash /usr/share/wordlists/rockyou

# Mode code enumeration
hashcat -hh | grep <FORMAT>

# Example formats
hashcat -m 2100 --example-hashes

hashcat hashes.txt /usr/share/wordlists/rockyou.txt --username

hashcat --show hashes.txt

For the Domain Cached Credentials 2 (DCC2), the domain and username must be removed; only the value starting with $DCC2$ is required.

$ cat /home/plaintext/.cme/logs/MS01_10.129.204.133_2022-11-08_093944.cached| cut -d ":" -f 2
$DCC2$10240#julio#c2139497f24725b345aa1e23352481f3
$DCC2$10240#david#a8338587a1c6ee53624372572e39b93f
$DCC2$10240#john#fbdeac2c1d121818f75796cedd0caf0a

Rules

hashcat includes a variety of effective rules in /usr/share/hashcat/rules. Custom file rules can also be created.

If rule functions are on the same line, they are applied consecutively to each word.
If rule functions are on separate lines, each line is treated as a separate rule.

# initial password file
$ cat mutating_example.txt
password

# capitalize the first letter & add '1' at the end simultaneously
$ echo 'c $1' > rule1.txt && cat rule1.txt
c $1

$ hashcat -r rule1.txt --stdout mutating_example.txt
Password1

# capitalize the first letter, add '1' at the end
$ echo -e 'c\n$1' > rule2.txt && cat rule2.txt
c
$1

$ hashcat -r rule2.txt --stdout mutating_example.txt
Password
password1

Optimization

Enable a specific workload profile -> default is 2; use 3 if the PC focuses just on Hashcat.

hashcat -a 0 -m 18200 user_hash /usr/share/wordlists/rockyou -w 3

Hash Types

Just passing the hash file ($ hashcat example_hash) will have the hash type autodetected.

Type

Mode

$krb5asrep$23$

18200

$krb5tgs$23$

13100

NTLMv2

5600

NTLM

1000

$krb5asrep$17$

32100

$krb5asrep$18$

32200

$krb5tgs$17$

19600

$krb5tgs$18$

19700

NTLMv2 (NT)

27100

$DCC2$10240

2100

MD5

500

KeePass (keepass2john)

13400

$sshng$6$ (ssh2john)

22921

Cracking Time

Cracking time is determined by dividing the keyspace by the hash rate:

Keyspace is calculated as the character set raised to the power of the password length. For example, with lowercase (26), uppercase (26), and digits (10), the character set totals 62. A five-character password would have 62^5 possible combinations.
The hash rate is a measure of how many hash calculations can be performed in a second (1 MH/s equals 1,000,000 hashes per second).

# keyspace calculation
$ echo -n "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" | wc -c
62

$ python3 -c "print(62**5)"
916132832

# hash rate calculation (benchmark mode) for a CPU-based system
$ hashcat -b
hashcat (v6.2.5) starting in benchmark mode
...
* Device #1: pthread-Intel(R) Core(TM) i9-10885H CPU @ 2.40GHz, 1545/3154 MB (512 MB allocatable), 4MCU

Benchmark relevant options:
===========================
* --optimized-kernel-enable
-------------------
* Hash-Mode 0 (MD5)
-------------------
Speed.#1.........:   450.8 MH/s (2.19ms) @ Accel:256 Loops:1024 Thr:1 Vec:8
----------------------
* Hash-Mode 100 (SHA1)
----------------------
Speed.#1.........:   298.3 MH/s (3.22ms) @ Accel:256 Loops:1024 Thr:1 Vec:8
---------------------------
* Hash-Mode 1400 (SHA2-256)
---------------------------
Speed.#1.........:   134.2 MH/s (7.63ms) @ Accel:256 Loops:1024 Thr:1 Vec:8

# hash rate calculation (benchmark mode) for a GPU-based system
* Device #1: NVIDIA GeForce RTX 3090, 23336/24575 MB, 82MCU

Benchmark relevant options:
===========================
* --optimized-kernel-enable
-------------------
* Hash-Mode 0 (MD5)
-------------------
Speed.#1.........: 68185.1 MH/s (39.99ms) @ Accel:256 Loops:1024 Thr:128 Vec:8
----------------------
* Hash-Mode 100 (SHA1)
----------------------
Speed.#1.........: 21528.2 MH/s (63.45ms) @ Accel:64 Loops:512 Thr:512 Vec:1
---------------------------
* Hash-Mode 1400 (SHA2-256)
---------------------------
Speed.#1.........:  9276.3 MH/s (73.85ms) @ Accel:16 Loops:1024 Thr:512 Vec:1

# cracking time calculation (in seconds) for SHA256

# CPU
$ python3 -c "print(916132832 / 134200000)"
6.826623189269746
# GPU
$ python3 -c "print(916132832 / 9276300000)"
0.09876058687192092

Increasing password length increases cracking duration by exponential time, while increasing password complexity (charset) only increases cracking duration by polynomial time.

Exponential time grows much faster than polynomial time.
Polynomial time (e.g., n2n^2n2, n3n^3n3): As input nnn increases, the number of steps grows at a manageable rate.
Exponential time (e.g., 2n2^n2n, 3n3^n3n): The number of steps doubles, triples, or grows even faster with each increase in nnn, making it impractical for large inputs.

# keyspace for an 8-length password
$ python3 -c "print(62**8)"
218340105584896
# cracking time
$ python3 -c "print(218340105584896 / 9276300000)"
23537.41314801117 # ~6.5 hours

# keyspace for a 10-length password
$ python3 -c "print(62**10)"
839299365868340224
# cracking time
$ python3 -c "print(839299365868340224 / 9276300000)"
90477816.14095493 # ~2.8 years

# simple charset
$ echo -n "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" | wc -c
62
# keyspace
$ python3 -c "print(62**5)"
916132832
# cracking time
$ python3 -c "print(916132832/9276300000)"
0.09876058687192092 # ~2.7 hours


# complex charset
$ echo -n "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$!@#$%^&*()_+=-[]{}|;:/?.><,." | wc -c
89
# new keyspace (polynomial increase)
$ python3 -c "print(89**5)"
5584059449
# cracking time
$ python3 -c "print(5584059449/9276300000)"
0.6019705538846307 # ~16.7 hours

Resources

GitHub - hashcat/hashcat: World's fastest and most advanced password recovery utilityGitHub

PreviousHashID NextJohn

Last updated 18 days ago

Was this helpful?