How to Crack Passwords with Hashcat
Objective
Learn how to use Hashcat, a powerful password recovery tool, to crack password hashes in a controlled environment. This lab demonstrates how to identify hash types, perform dictionary and brute-force attacks, and interpret results.
Prerequisites
- Hashcat Installed:
- Install Hashcat on your system:
- Linux:
sudo apt update && sudo apt install hashcat
- Windows:
- Download from https://hashcat.net/hashcat/.
- macOS:
brew install hashcat
- Hash File:
- A file containing password hashes to test.
- Example hash:
$6$rounds=656000$6DxTvhECQZs...$UEQoPV...
- Wordlist File (for dictionary attacks):
- Download a wordlist like rockyou.txt from SecLists.
- GPU Support (Optional):
- Hashcat can utilize GPUs for faster cracking. Ensure proper GPU drivers are installed.
- Testing Environment:
- Ensure you have explicit permission to test any hashes.
Step 1: Identifying the Hash Type
- Use Hashcat’s Built-in Documentation:
hashcat --help
- Identify the Hash Type:
- Use tools like hash-identifier:
sudo apt install hash-identifier
hash-identifier
- Enter your hash to determine its type.
- Example Hash Types:
- MD5:
$1$...
- SHA-256:
$5$...
- bcrypt:
$2b$...
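The prefix check from Step 1 can be scripted to audit a hash file before any testing. The following is an added example, not part of the original lab: it parses `$id$` prefixes, reports the matching hashcat mode (numbers taken from hashcat's mode list) and the iteration count, and flags weak storage schemes. The function names, the "weak" policy and the sample lines are assumptions made for illustration.

```python
import re

# crypt(3) "$id$" prefix -> (scheme, hashcat -m mode)
CRYPT_IDS = {
    "1": ("md5crypt", 500), "5": ("sha256crypt", 7400), "6": ("sha512crypt", 1800),
    "2a": ("bcrypt", 3200), "2b": ("bcrypt", 3200), "2y": ("bcrypt", 3200),
}
# Bare hex digests carry no label; length only suggests a candidate (32 hex
# chars could equally be NTLM or MD4), so these entries are guesses.
RAW_HEX = {32: ("MD5", 0), 40: ("SHA1", 100), 64: ("SHA2-256", 1400)}

def identify(line):
    """Describe one stored hash: scheme, hashcat mode, iteration count."""
    value = line.strip()
    if not value.startswith("$") and ":" in value:
        value = value.split(":")[1]              # shadow-style "user:hash:..."
    m = re.match(r"\$([0-9a-z]+)\$(.*)", value)
    if m is None:
        if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in RAW_HEX:
            scheme, mode = RAW_HEX[len(value)]
            return {"scheme": scheme, "mode": mode, "iterations": 1, "salted": False}
        return None
    ident, rest = m.groups()
    if ident not in CRYPT_IDS:
        return None
    scheme, mode = CRYPT_IDS[ident]
    if scheme == "bcrypt":
        r = re.match(r"(\d{2})\$", rest)         # cost is a log2 work factor
        iterations = 2 ** int(r.group(1)) if r else None
    elif scheme == "md5crypt":
        iterations = 1000                        # fixed by the algorithm
    else:
        r = re.match(r"rounds=(\d+)\$", rest)
        iterations = int(r.group(1)) if r else 5000   # sha-crypt default rounds
    return {"scheme": scheme, "mode": mode, "iterations": iterations, "salted": True}

def weak_entries(lines):
    """Flag unsalted digests and md5crypt (this example's policy, an assumption)."""
    found = [(n, identify(l)) for n, l in enumerate(lines, 1)]
    return [(n, i["scheme"]) for n, i in found
            if i and (not i["salted"] or i["scheme"] == "md5crypt")]

# Constructed sample input; the first entry is the truncated example hash from this page.
SAMPLE = [
    "$6$rounds=656000$6DxTvhECQZs...$UEQoPV...",
    "alice:$1$saltsalt$" + "A" * 22 + ":19000:0:99999:7:::",
    "$2b$12$" + "B" * 53,
    "0" * 32,
]
```

Calling `weak_entries(SAMPLE)` lists the line numbers that should be migrated to a stronger scheme; `identify()` returns `None` for anything it cannot classify rather than guessing.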
Step 2: Performing a Dictionary Attack
- Use the following command:
hashcat -m <hash_type> -a 0 <hash_file> <wordlist_file>
- Replace <hash_type> with the hash mode (e.g., 0 for MD5, 100 for SHA1).
- Replace <hash_file> with the file containing the hashes.
- Replace <wordlist_file> with your wordlist.
- Example:
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
- Monitor Progress:
- Hashcat will display the cracking progress and results in real-time.
- View Cracked Passwords:
cat hashcat.potfile
Step 3: Performing a Brute-Force Attack
- Use the following command:
hashcat -m <hash_type> -a 3 <hash_file> <mask>
- Replace <mask> with a pattern (e.g., ?a?a?a?a for any 4-character password).
- Example:
hashcat -m 0 -a 3 hashes.txt ?d?d?d?d
- ?d: Digit (0–9).
- ?l: Lowercase letter.
- ?u: Uppercase letter.
- ?a: Any character.
- Increase Password Length:
- Use the --increment flag to try progressively longer passwords:
hashcat -m 0 -a 3 --increment hashes.txt ?d?d?d
Step 4: Cracking Salts and Complex Hashes
- Some hashes include salts (additional random data).
- Add the salt to the hash file if needed:
$6$salt$hash
- Use the appropriate hash type and wordlist for cracking.
Step 5: Using Rules for Smarter Cracking
- Apply a rule file for transformations:
hashcat -m <hash_type> -a 0 -r <rule_file> <hash_file> <wordlist_file>
- Replace <rule_file> with a rules file (e.g., rules/best64.rule).
- Example:
hashcat -m 0 -a 0 -r rules/best64.rule hashes.txt /usr/share/wordlists/rockyou.txt
- Hashcat will modify entries in the wordlist based on the rules (e.g., adding numbers, reversing).
Step 6: Interpreting Results
- Cracked passwords are stored in the hashcat.potfile.
- View the results:
cat hashcat.potfile
- Example Output:
$6$rounds=656000$6DxTvhECQZs...:password123
- The cracked password follows the hash.
Step 7: Ethical Considerations
- Permission Required:
- Only test hashes you own or have explicit authorization to test.
- Secure the Hash File:
- Store hashes and cracked passwords securely to prevent misuse.
- Minimize Brute-Force Attacks:
- Focus on dictionary and rule-based attacks to save resources and time.
Additional Tips and Insights
- Optimize Performance:
- Use --force to bypass warnings but only in safe environments.
- Ensure GPU drivers are updated for better performance.
- Combine with Other Tools:
- Use john or hashid for hash identification and cracking alongside Hashcat.
- Automate Testing:
- Create scripts to automate hash cracking tasks.
- Test Custom Wordlists:
- Generate wordlists with tools like crunch or CeWL tailored to the target.
Key Takeaways
- Hashcat is a powerful tool for cracking password hashes in a controlled, ethical environment.
- Understanding hash types and selecting the appropriate attack method is critical for success.
- Always follow ethical guidelines and ensure permission for any testing activity.