Return to Red Team Tools, Red Team or Password cracking

• Definition: hashcat is an advanced password recovery tool that utilizes the power of GPU (Graphics Processing Unit) acceleration to crack hashed passwords. It is widely used for security auditing and security testing the strength of password hashes.
• Function: Performs password brute-force attacks, password dictionary attacks, and other advanced password recovery techniques to decrypt password hashes.
• Components:
  • Hashcat CLI: Command-line interface for configuring and running hashcat attacks.
  • Hash Algorithms: Supports a wide range of password hashing algorithms, including MD5, SHA-1, SHA-256, NTLM, bcrypt, and many others.
  • Password Attack Modes: Various methods for cracking passwords, such as brute-force, dictionary attack, mask attack, [[combinator attack, and hybrid attacks.

• Features:
  • GPU Acceleration: Utilizes GPUs to significantly increase the speed of hash cracking.
  • Multi-Hash Support: Can handle multiple hashes simultaneously.
  • Rule-Based Attacks: Allows the use of rules to modify dictionary words and increase the chances of finding a match.
  • Resume Capability: Can resume cracking sessions from the last checkpoint in case of interruption.
  • Cross-Platform: Available for Windows, Linux, and macOS.

• Usage: Used by security professionals for penetration testing, password recovery, and security auditing to evaluate the strength of password protection mechanisms.

• Cracking an NTLM hash using a dictionary attack:

   ```bash
   hashcat -m 1000 -a 0 -o cracked.txt ntlm_hashes.txt rockyou.txt
   ```
   * `-m 1000`: Specifies the hash type (1000 for NTLM).
   * `-a 0`: Specifies the attack mode (0 for dictionary attack).
   * `-o cracked.txt`: Specifies the output file for cracked passwords.
   * `ntlm_hashes.txt`: Input file containing NTLM hashes.
   * `rockyou.txt`: Dictionary file containing potential passwords.

• Performing a brute-force attack on a MD5 hash:

   ```bash
   hashcat -m 0 -a 3 -o cracked.txt md5_hashes.txt ?a?a?a?a?a?a?a?a
   ```
   * `-m 0`: Specifies the hash type (0 for MD5).
   * `-a 3`: Specifies the attack mode (3 for brute-force).
   * `-o cracked.txt`: Specifies the output file for cracked passwords.
   * `md5_hashes.txt`: Input file containing MD5 hashes.
   * `?a?a?a?a?a?a?a?a`: Mask for brute-force attack (all possible characters for an 8-character password).

• Using rule-based attacks to modify dictionary words:

   ```bash
   hashcat -m 1000 -a 0 -r rules/best64.rule -o cracked.txt ntlm_hashes.txt rockyou.txt
   ```
   * `-r rules/best64.rule`: Applies the specified rule file to modify dictionary words.

• hashcat: A powerful password recovery tool that leverages GPU acceleration to crack hashed passwords using various attack modes and algorithms. It is widely used for security auditing, penetration testing, and password recovery, supporting multiple platforms and offering advanced features for effective password cracking.

```

“Red team members and penetration testers need to know how to crack passwords with different password cracking techniques. In this course, Credential Access with Hashcat, you will learn about Hashcat, the number one offline password cracker. First, you will see how to launch a dictionary attack using Hashcat. Next, you will discover how you can crack more passwords when you launch a dictionary attack with a rule. Then, you will learn how to launch a dictionary attack with a mask, also known as a hybrid attack). Finally, you will explore how to use Hashcat to crack password-protected PDF and password-protected DOCX files. By the end of this course, you will know how to use Hashcat to crack passwords with different password cracking techniques.”

Fair Use Source: https://app.pluralsight.com/library/courses/credential-access-hashcat/description

By Dawid Czagan - @dawidczagan - SECURITY INSTRUCTOR

Credential Access with Hashcat

Creator of Hashcat: Jens Steube

• Hashcat is the no. 1 offline password cracker.

• “It supports different password cracking techniques and many hash algorithms. What's more – it supports CPUs], GPUs, and other hardware accelerators on Linux, Windows, and macOS.

• Hashcat is available at https://hashcat.net

• You can use Hashcat to launch:
  • dictionary attack
  • dictionary attack with a rule
  • dictionary attack with a mask

• You can use Hashcat to crack password protected PDF and DOCX files

• Kill Chain
  • Recon
  • Exploit
  • Escalate
  • Lateral Movement Action
  • Evade

• Hashcat is between the Exploit and the Escalate stages of the [Kill Chain

• Red Team Kill Chain
  • Red Team Recon
  • Red Team Exploit
  • Red Team Escalate
  • Red Team Lateral Movement Action
  • Red Team Evade

• MITRE ATT&CK Tactics:
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command & Control
  • Exfiltration
  • Impact

• MITRE ATT&CK Tactics:
  • Red Team Initial Access
  • Red Team Execution
  • Red Team Persistence
  • Red Team Privilege Escalation
  • Red Team Defense Evasion
  • Red Team Credential Access
  • Red Team Discovery
  • Red Team Lateral Movement
  • Red Team Collection
  • Red Team Command & Control
  • Red Team Exfiltration
  • Red Team Impact

In MITRE ATT&CK Tactics, Hashcat is used for Red Team Credential Access with a T1110 Brute Force attack.

• https://hashcat.net
• pdf2john.pl, office2john.py (John the Ripper) - https://www.openwall.com/john
• Dictionaries and Probable Wordlists - https://github.com/berzerk0/Probable-Wordlists
• Electronic Frontier Foundation - https://www.eff.org/pl/deeplinks/2016/07/new-wordlists-random-passphrases