Hashcat
- Definition: hashcat is an advanced password recovery tool that uses GPU (Graphics Processing Unit) acceleration to crack hashed passwords. It is widely used for security auditing and for testing the strength of password hashes.
- Function: Performs brute-force attacks, dictionary attacks, and other advanced password recovery techniques to recover the plaintext passwords behind hashes.
- Components:
- Hashcat CLI: Command-line interface for configuring and running hashcat attacks.
- Password Attack Modes: Various methods for cracking passwords, such as brute-force, dictionary attack, mask attack, combinator attack, and hybrid attacks.
- Features:
- GPU Acceleration: Utilizes GPUs to significantly increase the speed of hash cracking.
- Multi-Hash Support: Can handle multiple hashes simultaneously.
- Rule-Based Attacks: Allows the use of rules to modify dictionary words and increase the chances of finding a match.
- Resume Capability: Can resume cracking sessions from the last checkpoint in case of interruption.
- Usage: Used by security professionals for penetration testing, password recovery, and security auditing to evaluate the strength of password protection mechanisms.
Examples
- Cracking an NTLM hash using a dictionary attack:
```bash
hashcat -m 1000 -a 0 -o cracked.txt ntlm_hashes.txt rockyou.txt
```
- `-m 1000`: Specifies the hash type (1000 for NTLM).
- `-a 0`: Specifies the attack mode (0 for dictionary attack).
- `-o cracked.txt`: Specifies the output file for cracked passwords.
- `ntlm_hashes.txt`: Input file containing NTLM hashes.
- `rockyou.txt`: Dictionary file containing potential passwords.
- Performing a brute-force (mask) attack on an MD5 hash:
```bash
hashcat -m 0 -a 3 -o cracked.txt md5_hashes.txt ?a?a?a?a?a?a?a?a
```
- `-m 0`: Specifies the hash type (0 for MD5).
- `-a 3`: Specifies the attack mode (3 for brute-force, which hashcat drives with a mask).
- `-o cracked.txt`: Specifies the output file for cracked passwords.
- `md5_hashes.txt`: Input file containing MD5 hashes.
- `?a?a?a?a?a?a?a?a`: Mask for the brute-force attack; each `?a` stands for any printable ASCII character, so this mask tries every 8-character printable-ASCII password.
- Using rule-based attacks to modify dictionary words:
```bash
hashcat -m 1000 -a 0 -r rules/best64.rule -o cracked.txt ntlm_hashes.txt rockyou.txt
```
- `-r rules/best64.rule`: Applies the specified rule file to modify dictionary words.
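The mask example above raises the auditing question of how large a keyspace a given mask (and therefore a given password policy) actually produces. The helper below is an added example, not code from the original page or from the hashcat project: it parses hashcat mask syntax (built-in charsets `?l ?u ?d ?h ?H ?s ?a ?b`, custom charsets `-1`..`-4`, `??` for a literal `?`, and literal characters) and computes the keyspace and worst-case exhaustion time. Function names are hypothetical and the hash rate in the demo is an assumed placeholder, not a measurement.

```python
import string
# hashcat's built-in charsets (sizes as documented: ?l 26, ?u 26, ?d 10, ?h 16, ?H 16, ?s 33, ?a 95, ?b 256)
BUILTIN = {
    "l": set(string.ascii_lowercase), "u": set(string.ascii_uppercase),
    "d": set(string.digits), "h": set("0123456789abcdef"), "H": set("0123456789ABCDEF"),
    "s": set(" " + string.punctuation),
    "b": {chr(i) for i in range(256)},  # raw bytes, modelled here as code points
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]

def tokenize(spec, custom):
    """Yield one character set per position: '?x' built-in, '?1'..'?4' custom, '??' literal '?'."""
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            i += 2
            if key == "?":
                yield {"?"}
            elif key in BUILTIN:
                yield BUILTIN[key]
            elif key in custom:
                yield custom[key]
            else:
                raise ValueError(f"unknown charset ?{key}")
        else:
            yield {spec[i]}  # any other character stands for itself
            i += 1

def parse_custom(defs):
    """Build custom charsets from their -1..-4 definitions, e.g. {"1": "?l?d"}."""
    custom = {}
    for key, spec in defs.items():
        custom[key] = set().union(*tokenize(spec, custom))
    return custom

def keyspace(mask, custom_defs=None):
    """Number of candidates the mask generates: the product of per-position charset sizes."""
    total = 1
    for charset in tokenize(mask, parse_custom(custom_defs or {})):
        total *= len(charset)
    return total

def exhaust_days(mask, hashes_per_second, custom_defs=None):
    """Worst-case days to try every candidate against a single hash at the given rate."""
    return keyspace(mask, custom_defs) / hashes_per_second / 86400

if __name__ == "__main__":
    rate = 100e9  # assumed, illustrative rate only; measure real hardware with `hashcat -b`
    for mask in ("?d?d?d?d?d?d", "?a?a?a?a?a?a?a?a", "?a?a?a?a?a?a?a?a?a?a?a?a"):
        print(f"{mask:26} {keyspace(mask):>28,d} candidates {exhaust_days(mask, rate):>14,.2f} days")
```

Comparing the 8- and 12-character `?a` masks at the same rate shows why minimum length matters far more than which symbols a policy demands.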
Summary
- hashcat: A powerful password recovery tool that leverages GPU acceleration to crack hashed passwords using various attack modes and algorithms. It is widely used for security auditing, penetration testing, and password recovery, supporting multiple platforms and offering advanced features for effective password cracking.
“Red team members and penetration testers need to know how to crack passwords with different password cracking techniques. In this course, Credential Access with Hashcat, you will learn about Hashcat, the number one offline password cracker. First, you will see how to launch a dictionary attack using Hashcat. Next, you will discover how you can crack more passwords when you launch a dictionary attack with a rule. Then, you will learn how to launch a dictionary attack with a mask, also known as a hybrid attack. Finally, you will explore how to use Hashcat to crack password-protected PDF and password-protected DOCX files. By the end of this course, you will know how to use Hashcat to crack passwords with different password cracking techniques.”
Fair Use Source: https://app.pluralsight.com/library/courses/credential-access-hashcat/description
By Dawid Czagan - @dawidczagan - SECURITY INSTRUCTOR
Credential Access with Hashcat
Creator of Hashcat: Jens Steube
- Hashcat is the no. 1 offline password cracker.
- Hashcat is available at https://hashcat.net
- You can use Hashcat to launch:
Red Team Kill Chain
MITRE ATT&CK
- MITRE ATT&CK Tactics:
Under MITRE ATT&CK, Hashcat is used by Red Teams for the Credential Access tactic, technique T1110 (Brute Force).
Websites
- pdf2john.pl, office2john.py (John the Ripper) - https://www.openwall.com/john
- Dictionaries and Probable Wordlists - https://github.com/berzerk0/Probable-Wordlists
- Electronic Frontier Foundation - https://www.eff.org/pl/deeplinks/2016/07/new-wordlists-random-passphrases