Cracking Passwords with Hashcat

 

                                                        Password Cracking Overview

Password cracking, or offline brute force attacks, is an effective way of gaining access to unauthorized resources. Various applications and systems make use of cryptographic algorithms to hash or encrypt data. Weak and reused passwords are two major factors that can determine the success of this attack. Additionally, attackers can create fine-tuned wordlists and use rules to mutate the passwords based on the target application or environment. Password cracking is an extremely beneficial skill for a penetration tester, red teamer, or even those on the defensive side of information security. 

                                                                  Hashing vs. Encryption

Hashing is the process of converting some text to a string, which is unique to that particular text and Encryption is the process of converting data into a format in which the original content is not accessible. Usually, a hash function always returns hashes with the same length irrespective of the type, length, or size of the data. Hashing is a one-way process, meaning there is no way of reconstructing the original plaintext from a hash. Unlike hashing, encryption is reversible, i.e., it's possible to decrypt the ciphertext (encrypted data) and obtain the original content. As hashing is a one-way process, the only way to attack it is to use a list containing possible passwords. Each password from this list is hashed and compared to the original hash. Encryption algorithms are of two types: Symmetric and Asymmetric. Symmetric algorithms use a key or secret to encrypt the data and use the same key to decrypt it. A basic example of symmetric encryption is XOR. On the other hand, asymmetric algorithms divide the key into two parts (i.e., public and private). The public key can be given to anyone who wishes to encrypt some information and pass it securely to the owner. The owner then uses their private key to decrypt the content. 

                                                        Identifying Hashes

Most hashing algorithms produce hashes of a constant length. The length of a particular hash can be used to map it to the algorithm it was hashed with. For example, a hash of 32 characters in length can be an MD5 or NTLM hash. Sometimes, hashes are stored in certain formats. For example, hash:salt or $id$salt$hash. Many different cryptographic hash methods were used in the past and are still used by some systems today. It is not always possible to identify the algorithm based on the obtained hash. Depending on the software, the plaintext might undergo multiple encryption rounds and salting transformations, making it harder to recover. It is important to note that hashid uses regex to make a best-effort determination for the type of hash provided. Hashcat provides an excellent reference, which maps hash modes to example hashes. This reference is invaluable during a penetration test to determine the type of hash we are dealing with and the associated hash mode required to pass it to Hashcat. If known, hashid can also provide the corresponding Hashcat hash mode with the -m flag if it is able to determine the hash type. there is another tools call haiti you can use for identifying hashes. 

                                                           Hashcat Overview

Hashcat is a popular open-source password cracking tool. It is preinstall in Linux. The latest version can always be obtained directly from their GitHub repo and install from the source. The full help menu can be viewed by typing hashcat -h. The -a and -m arguments are used to specify the type of attack mode and hash type. Hashcat supports the following attack modes: 

 

0	Straight
1	Combination
3	Brute-force/mask
6	Hybrid Wordlist + Mask
7	Hybrid Mask + Wordlist

 

9                                  Association

The hash type value is based on the algorithm of the hash to be cracked. A complete list of hash types and their corresponding examples can be found here. The table helps in quickly identifying the number for a given hash type. You can also view the list of example hashes via the command line using the following command:  hashcat --example-hashes | less  You can scroll through the list and press q to exit. The benchmark test (or performance test) for a particular hash type can be performed using the -b flag. We can also run hashcat -b to run benchmarks for all hash modes. It is important to note that the use of --force should be avoided. While this appears to make Hashcat work on certain hosts, it is actually disabling safety checks, muting warnings, and bypasses problems that the tool's developers have deemed to be blockers. Using --force is discouraged by the tool's developers and should only be used by experienced users or developers. 

                                                                  Different attack modes

Hashcat has different attack modes that have different applications depending on the type of hash you are trying to crack and the complexity of the password. here's the some most effective attack methods with examples given in the below .

                                                     Dictionary Attack

The most straightforward but extremely effective attack type is the dictionary attack. Uses a wordlist, checking each word against the hash. The most straightforward but extremely effective attack type is the dictionary attack. It is not uncommon to encounter organizations with weak password policies whose users select common words and phrases with little to no complexity as their passwords. Based on an analysis of millions of leaked passwords. These passwords would appear in most any dictionary file used to perform this type of attack. Dictionary attacks are useful if you know that the target organization uses weak passwords or just wants to run through some cracking attempts rather quickly. This attack is typically faster to complete than the more complex attacks There are many sources for obtaining password lists such as SecLists, a large collection of password lists, and the rockyou.txt wordlist, which is found in most penetration testing Linux distros. We can also find large wordlists such as CrackStation's Password Cracking Dictionary, which contains 1,493,677,782 words and is 15GB in size. 

Hashcat command for dictionary attack: hashcat -a 0 -m <hash type> <hash file> <wordlist>

The -m option in Hashcat allows you to specify different hash types. You can use MD5, SHA-256, SHA-512, and many others or the hash values like 0, 100 etc. Here are some common values:

hash                                                                   value

md5($1$)                                                             500

blowfish/bcrypt($2a$,$2y$,$2*$)                     3200

sha-256 ($5$)                                                      7400

sha-512($6$)                                                       1800

sha1crypt                                                              110

scrypt($7$)                                                          8900

yescrypt($y$)&Goht-yescrypt($gy$) ::::Not officially supported in Hashcat.

Crack this hash:

$2y$10$BX0dlvCO1yqOAx3KWk8squAToRrwY3ulySPX4zh1X5pK4gbaz5wUq1234

you can see here hashcat crack the password only 49 second. let's see more...

here this sites use the md5 hash for this the crackstation easily crack the password needn't use hashcat.

let's see this hash and try to crack  :  

;48bb6e862e54f2a795ffc4e541caed4d ; CBFDAC6008F9CAB4083784CBD1874F76618D2A97 ; 1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032

; $2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom ;279412f945939ba78ce0758d3fd83daa

;F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85

;1DFECA0C002AE40B8619ECF94819CC1B

; $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.

;e5d8870e5bdd26602cab8dbe07a942c8669e56d6

                                                         

                                                    combination attack

The combination attack modes take in two wordlists as input and create combinations from them. This attack is useful because it is not uncommon for users to join two or more words together, thinking that this creates a stronger password. in this attack hashcat use awk mode. AWK is a powerful text-processing tool used in Unix/Linux systems for pattern scanning and data manipulation. It allows you to filter, format, and transform text files efficiently. supposed If given two word lists with 5 and 10 word Hashcat will produce exactly 5 x 10 = 50 words. command: awk '(NR==FNR) { a[NR]=$0 } (NR != FNR) { for (i in a) { print $0 a[i] } }' filename filename .....   |||| NR=NUMBER OF RECORDS,  FNR=FILE NUMBER OF RECORDS. This can also be done with Hashcat using the --stdout flag which can be very helpful for debugging purposes and seeing how the tool is handling things. Command::  hashcat -a 1 --stdout filename filename .. .. . This attack provides more flexibility and customization when using wordlists. The syntax for the combination attack is: hashcat -a 1 -m <hash type> <hash file> <wordlist1> <wordlist2> . The Combination Attack (-a 1) only accepts two wordlists. 

 let see some examples: 

this is bcrypt hashes: $2y$10$8kpnZ91jjVOzW/i2qGzvUeMM8wq2r1b3KZrDs6gEcADtn9b1o0dD2

                                                                Mask attacks

Mask attacks are used to generate words matching a specific pattern. This type of attack is particularly useful when the password length or format is known. A mask can be created using static characters, ranges of characters (e.g. [a-z] or [A-Z0-9]), or placeholders.  A static letter is not indicated by a letter. An exception is if we want the static letter ? itself, which must be written as ??. -i (increment) parameter for brute-force mode. command : hashcat -m 0 -a 3 hash.txt ?l?l?l?l?d?s -i --increment-min=3 --increment-max=6 . meaning the attack starts with 3 characters and gradually increases up to 6 characters. If you use only -i in Hashcat without specifying --increment-min or --increment-max, the attack will start with the shortest possible version of your mask and automatically increase the length step-by-step until it reaches the full mask length.

The following list shows some important placeholders: 

Placeholder	Meaning
?l	lower-case ASCII letters (a-z)
?u	upper-case ASCII letters (A-Z)
?d	digits (0-9)
?h	0123456789abcdef(hexadecimal lower)
?H	0123456789ABCDEF(hexadecimal upper)
?s	special characters («space»!"#$%&'()*+,-./:;<=>?@[]^_`{
?a	?l?u?d?s ||| All
?b	0x00 - 0xff |||| ?b means bytes meaning it could contain any                                             character from 0x00 to 0xFF. You can use ?b to cover all                                                   possibilities. every possible character, meaning all ASCII                                               characters like latter, symbol, special character and digital.

Notes: if you want to add aft. and pre. like first aws then ?l?l?d?s and then 1999. just write it just beside the s. like s1999. you can also use anywhere where you need. 

see the examples of the masks attack. md5 :50a742905949102c961929823a2e8ca0, 4f08b69a09a112cbc0df4626259c674f

now let's see an incremental mode ex: 4ae2c526b068db266e195490fdd8645e

                                                                      Hybrid Attack

Hybrid  means mix of two different species or varieties or combines two different elements Hybrid mode is a variation of the combinator attack, wherein multiple modes can be used together for a fine-tuned wordlist creation. This mode can be used to perform very targeted attacks by creating very customized wordlists. It is particularly useful when you know or have a general idea of the organization's password policy or common password syntax. The attack mode for the hybrid attack is "6" and "7". A Hybrid Attack in Hashcat combines two different password-cracking techniques: Dictionary Attack and Mask Attack. 

Mode 6: Dictionary + Mask (hashcat -a 6 hash.txt wordlist.txt ?d?d?d) 

command :: 

hashcat -a 6 -m 0 hash file password list mask pattern |||| EX:hashcat -a 6 -m 0 hash.txt /home/kali/rockyou.txt '?l?d?s?u'.

Mode 7: Mask + Dictionary (hashcat -a 7 hash.txt ?d?d?d wordlist.txt) 

command :: hashcat -a 6 -m 0 hash file mask pattern password list |||| Ex: hashcat -a 6 -m 0 hash.txt ?l?l?l?l?d?s?s?u password file. 

sha1 hash: 978078e7845f2fb2e20399d9e80475bc1c275e06

                                                             The rule-based attack 

The rule-based attack is the most advanced and complex password cracking mode. Rules help perform various operations on the input wordlist, such as prefixing, suffixing, toggling case, cutting, reversing, and much more. Rules take mask-based attacks to another level and provide increased cracking rates. Additionally, the usage of rules saves disk space and processing time incurred as a result of larger wordlists. A rule can be created using functions, which take a word as input and output it's modified version. The following table describes some functions which are compatible with JtR as well as Hashcat. 

Function	Description	Input	Output
l	Convert all letters to lowercase	InlaneFreight2020	inlanefreight2020
u	Convert all letters to uppercase	InlaneFreight2020	INLANEFREIGHT2020
c / C	capitalize / lowercase first letter and invert the rest	inlaneFreight2020 / Inlanefreight2020	Inlanefreight2020 / iNLANEFREIGHT2020
t / TN	Toggle case : whole word / at position N	InlaneFreight2020	iNLANEfREIGHT2020
d / q / zN / ZN	Duplicate word / all characters / first character / last character	InlaneFreight2020	InlaneFreight2020InlaneFreight2020 / IInnllaanneeFFrreeiigghhtt22002200 / IInlaneFreight2020 / InlaneFreight20200
{ / }	Rotate word left / right	InlaneFreight2020	nlaneFreight2020I / 0InlaneFreight202
^X / $X	Prepend / Append character X	InlaneFreight2020 (^! / $! )	!InlaneFreight2020 / InlaneFreight2020!
r	Reverse	InlaneFreight2020	0202thgierFenalnI

A complete list of functions can be found here. Reject rules in Hashcat are special conditions that filter out password candidates before they are processed. They help optimize attacks by removing unwanted words based on specific criteria.

How Reject Rules Work:

• They discard words that don’t meet certain conditions.
• They are not used in standard rule files (rules.txt).
• They only work with Hashcat-Legacy or when using -j (input rejection) and -k (output rejection).

Example Reject Rules:

Rule	Function	Example Input	Result
-j 'r'	Reject words shorter than 8 characters	pass123	❌ Rejected
-k 'd'	Reject words containing digits	password123	❌ Rejected
-j 's@'	Reject words containing @	p@ssword	❌ Rejected

Running Reject Rules:

hashcat -m 0 -a 0 hashes.txt wordlist.txt -j 'r' -k 'd'

• -j 'r': Reject words shorter than 8 characters.
• -k 'd': Reject words containing digits.

Since reject rules don’t work in regular rule files, they must be applied dynamically using -j and -k. You can find more details here and here.  

in this case you can create a custom rules which are work for changing the password file words with custom words. for example you want to make sure that all containing r words will be change with 7 so you can just create a file and put it on the file. like echo 'se3 sa0'>rule.txt this will change all s with 3 and a with 0. now if we see the output hashcat -r rule.txt pass.txt --stdout lks0m0, hyt3, bl3rz3d, m0ck, n0nd3r, b0nn d3rft,msk0n, m0h0mm0d. 

now let's see an attack. hash files:8bbc3187123ff36cd2d89988dd684830

                                                  Cracking Common Hashes

During penetration test engagements, we encounter a wide variety of hash types; some are extremely common and seen on most engagements, while others are seen very rarely or not at all. MD5, SHA1, and bcrypt hashes are often seen in database dumps. Sha512crypt hashes are commonly found in the /etc/shadow file on Linux systems. The hash contains nine fields separated by colons. The first two fields contain the username and its encrypted hash. The rest of the fields contain various attributes such as password creation time, last change time, and expiry. Active Directory primarily uses NTLM hashes for storing passwords. During a penetration test it is common to run tools such as Responder to perform MITM attacks to attempt to "steal" credentials. These types of attacks are covered in-depth in other modules. We can also check the Example hashes page if in doubt and confirm that this is indeed a NetNTLMv2 hash, or mode 5600 in Hashcat.One additional tool ported to Python by @Harmj0y is the keepass2john.py tool for extracting a crackable hash from KeePass 1.x/2.x databases that can be run through Hashcat. Hashcat can be used to attempt to crack password hashes extracted from some Microsoft Office documents using the office2john.py tool. zip file, but it is password protected! We can extract these hashes using the compiled version of the zip2john tool. we can take any document and add it to a password protected zip file. We can then use the compiled version of zip2john to extract the hash in a format that can be run through Hashcat.  see we successfully cracked the zip file password. 

                                            Wrap Up

As we have seen in this section, Hashcat has many additional uses outside of just cracking Windows, Unix/Linux, and Active Directory related password hashes. As a penetration tester or red teamer, it is important to be well-rounded and versed in a multitude of tactics necessary to achieve our assessments' goals. Sometimes an elaborate exploit or attack is not possible or even necessary, but the contents of a (weakly) password-protected document laying exposed on a file share could give us the keys to the kingdom.