
There are plenty of hashcat tutorials and walkthroughs, but good ones that are curated to give ethical hackers a complete and practical workflow are few and far between.

As an Amazon Associate I earn from qualifying purchases.

In this hashcat tutorial I am going to cover the best use cases for hashcat and explain how you can use it to crack password hashes quickly and effectively.

I highly recommend buying Georgia Wiedman’s Penetration Testing. Check the price on Amazon.


What Is Hashcat?

Hashcat is a “password recovery” tool, although I am not sure if that is an accepted legal defense against using it inappropriately. While technically it is a password recovery tool, we are using it to crack the password hashes of our target in the ethical hacking lab.

So in a way we are recovering passwords, just in the sense that we never owned them to begin with. Unlike John the Ripper, hashcat is not necessarily present on every Kali Linux image; if the hashcat command is missing, install it from the hashcat package.

Running hashcat inside a virtual machine also costs a lot of performance: hashcat is built around the GPU, and a typical VM has no direct access to the host’s graphics card, so hashcat falls back to the much slower CPU.

With that in mind, the passwords we are cracking are designed to be crackable even in this case, but the author highly recommends not cracking them in a VM. Instead you should install hashcat on your host computer and use it to crack the password hashes.

The -a flag selects the attack mode and the -m flag selects the hash type (hashcat calls it the hash mode) you are trying to crack.

Every hash that hashcat cracks is written as a hash:plaintext line to its potfile, hashcat.potfile. You can delete that file to start from scratch, run with --potfile-disable to stop hashcat writing it, or use --remove to have cracked hashes deleted from your input file. Disabling the potfile is not recommended: it is what lets hashcat skip hashes you have already cracked and print them again later with --show. (Resuming an interrupted run is a separate mechanism, the .restore file and --restore.)

Create Some Hashes To Crack

First thing you are going to do is make some NT hashes to crack using a tool called smbencrypt.

To get smbencrypt on Kali Linux you have to install a package named freeradius, which includes the smbencrypt binary (on some releases the binary is split out into freeradius-utils; install that if smbencrypt is still missing after the step below).

“smbencrypt – produce LM & NT password hashes from cleartext passwords” – from the freeradius manpage.

apt install freeradius

Now we can use the smbencrypt command to create hashes to crack. It prints both the LM and the NT hash for each password; we want the NT hash (the last column). Save the NT hashes, one per line, to a file; the commands below call it crackme.

smbencrypt Summer2020$
smbencrypt P@ssword123
smbencrypt P@ssword!
smbencrypt Summer2020
smbencrypt Summer2019

A882591C875AE54533FC6F14FA6173CE
13B29964CC2480B4EF454C59562E675C
CB8A428385459087A76793010D60F5DC
2B391DFC6690CC38547D74B8BD8A5B49
ACBFC03DF96E93CF7294A01A6ABBDA33
E62830DAED8DBEA4ACD0B99D682946BB

Here are the attack modes and the hash mode used in this tutorial.

Dictionary (-a 0)
Mask / brute force (-a 3)
Hybrid wordlist + mask (-a 6): the mask is appended after each word, e.g. Summer + ?d?d?d?d gives Summer2020
Hybrid mask + wordlist (-a 7): the mask goes before each word, e.g. ?d?d?d?d + Summer gives 2020Summer

NT, i.e. NTLM (-m 1000)

Dictionary Attack

Let’s start with the simplest case: the password appears, exactly as typed, somewhere in a wordlist such as rockyou.txt. Hashcat hashes each word in turn and compares it against every hash in the crackme file:

hashcat -a 0 -m 1000 crackme /usr/share/wordlists/rockyou.txt --force

The --force flag only suppresses hashcat’s warnings (for example about a missing or unsupported OpenCL runtime). Leave it out once your GPU driver is set up properly; the hashcat developers treat forced runs as unsupported, and they can misbehave.

Dictionary Attack With Rules

Let’s say that you have the hash for “Fall2020”. Note that this example uses -m 13100 (Kerberos 5 TGS-REP, etype 23, i.e. a Kerberoasted ticket) and a hashes.txt file rather than the NT hashes above; the attack itself is the same, a dictionary run with a rule file applied to each word. -O selects the optimized kernels, which are faster but cap the password length (hashcat prints the supported maximum when it starts).

[kali@kali:] $ hashcat -a 0 -m 13100 hashes.txt rockyou.txt -r rules/d3ad0ne.rule -O

Using this type of attack the hash is finally cracked. We can see the password is Fall2020. It took hashcat on my machine a little over a minute to crack it.

Mask Attack

You can give hashcat a single mask on the command line, or put several masks in a file, one per line, and hashcat will work through them in order. The only rule is that the mask file you create has the ‘.hcmask’ extension.

Hashcat charsets
   ?l = abcdefghijklmnopqrstuvwxyz
   ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
   ?d = 0123456789
   ?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
   ?a = ?l?u?d?s
   ?b = 0x00 - 0xff
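To make the charset table concrete, here is an added example (my code, not part of the original post or of hashcat itself) that parses a hashcat mask into its per-position alphabets, computes the keyspace, generates the candidates, and reads a small .hcmask file. The SAMPLE_HCMASK text is constructed here to match the shape of the lab passwords; custom charsets (-1 to -4) are deliberately not supported, and ?b is represented as latin-1 characters.

```python
import itertools
import string

# Built-in hashcat charsets, matching the table above.
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,                                       # 33 characters
    "a": string.ascii_letters + string.digits + " " + string.punctuation,  # ?l?u?d?s, 95 characters
    "b": "".join(chr(i) for i in range(256)),                             # 0x00-0xff as latin-1 characters
}


def parse_mask(mask):
    """Turn a hashcat mask into a list of per-position alphabets.

    '?l', '?u', ... expand to a charset, '??' is a literal '?', any other
    character is a literal. Custom charsets (?1-?4) are not supported here.
    """
    positions = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' in mask %r" % mask)
            tag = mask[i + 1]
            if tag == "?":
                positions.append("?")
            elif tag in CHARSETS:
                positions.append(CHARSETS[tag])
            else:
                raise ValueError("unsupported charset ?%s in mask %r" % (tag, mask))
            i += 2
        else:
            positions.append(ch)
            i += 1
    return positions


def keyspace(mask):
    """Number of candidates the mask produces: the product of the alphabet sizes."""
    n = 1
    for alphabet in parse_mask(mask):
        n *= len(alphabet)
    return n


def candidates(mask):
    """Yield every candidate for the mask, in the same lexicographic order as the charsets."""
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


def hcmask_keyspaces(text):
    """Parse the contents of a .hcmask file: one mask per line, '#' comments and blank lines ignored.

    Returns a list of (mask, keyspace) pairs in file order.
    """
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        out.append((line, keyspace(line)))
    return out


# Constructed .hcmask content modelled on the lab passwords (not a file from the original post).
SAMPLE_HCMASK = """\
# Season + year, optionally with a trailing symbol, plus a fixed-word mask
?u?l?l?l?l?l?d?d?d?d
?u?l?l?l?l?l?d?d?d?d?s
Summer?d?d?d?d
"""

if __name__ == "__main__":
    for mask, size in hcmask_keyspaces(SAMPLE_HCMASK):
        print("%-28s %d candidates" % (mask, size))
    print(list(candidates("?d?d"))[:5])
```

The first mask in SAMPLE_HCMASK is what you would run as `hashcat -a 3 -m 1000 crackme ?u?l?l?l?l?l?d?d?d?d`; the keyspace numbers show why a fixed word plus a short mask (the last line, 10,000 candidates) is worth trying before the generic ten-character mask (about 3 trillion candidates), and why adding a single ?s position multiplies the work by 33.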

How to Use Hashcat Rules

So far we have cracked two passwords using the rockyou password file. That is 2/6 cracked not good enough eh? Using rules with hashcat can improve our chances.

[kali@kali:] $ hashcat -a 0 -m 1000 crackme /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/d3ad0ne.rule --force

The first password that the d3ad0ne.rule rule cracks is the P@ssword! hash. Our previous method failed to crack this one.

With that single rule file we crack three more hashes, which brings the total to 5/6 once you count the two the plain dictionary run already found. The potfile lists cracked hashes one per line as hash:plaintext, for example:

e62830daed8dbea4acd0b99d682946bb:Summer2019
acbfc03df96e93cf7294a01a6abbda33:Summer2020

Hybrid Attack

A hybrid attack with hashcat will combine a mask attack and a dictionary attack. Unfortunately this means you can’t apply rules at the same time too.

hashcat -a 6 -m 1000 crackme /usr/share/wordlists/rockyou.txt ?d?d?d?d?s --force

In -a 6 the mask is appended to every word from the wordlist, so ?d?d?d?d?s produces candidates of the form word + four digits + one symbol, which is exactly the shape of the Summer2020$ hash we created. The mask has a fixed length: with ?d?d?d?d?s hashcat never tries Summer2020 on its own. To reach the passwords that end in just four digits (Summer2020, Summer2019) use the mask ?d?d?d?d instead, or add --increment so that shorter prefixes of the mask are tried as well.

Suppose you know every password ends in “2020” (or at least in some four-digit year). You don’t want to brute-force the whole thing, and a plain dictionary run won’t find Summer2020 unless the wordlist happens to contain that exact string. The hybrid attack is the answer: hashcat takes each word from the dictionary and appends every value of the mask to it, so the mask covers the part you are unsure of and the wordlist covers the rest.

[kali@kali:] $ hashcat -m 13100 hashes.txt -a 6 rockyou.txt ?d?d?d?d

This cracks one of the hashes, “Summer2020” very quickly, but not the other account hash. To crack the next hash we will need to learn more hashcat tricks.
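The following is an added example (my code, not hashcat’s and not from the original post) that ties together the hash-creation step, the dictionary, rule and hybrid attacks, and the potfile behaviour described above. It computes NT hashes in pure Python (MD4 over the UTF-16LE password, as smbencrypt’s NT column does; hashlib’s md4 is often unavailable on OpenSSL 3 systems, so MD4 is implemented from RFC 1320 here), interprets a handful of hashcat rule functions, and runs the three attack modes in sequence against a constructed set of targets. WORDLIST, RULES and SECRETS are stand-ins I constructed for rockyou.txt, d3ad0ne.rule and the lab hashes.

```python
import itertools
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """MD4 per RFC 1320 (pure Python; slow, but enough to check hashes and run a toy attack)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64) + struct.pack("<Q", bit_len)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, word order 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = [(v + w) & 0xFFFFFFFF for v, w in ((a, aa), (b, bb), (c, cc), (d, dd))]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash as smbencrypt prints it: MD4 over the UTF-16LE password, uppercase hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def apply_rule(word, rule):
    """Minimal interpreter for a few hashcat rule functions: ':' no-op, 'l' lower, 'u' upper,
    'c' capitalize, '$X' append X, '^X' prepend X. Functions may be space-separated."""
    i = 0
    while i < len(rule):
        f = rule[i]
        if f in (":", " "):
            pass
        elif f == "l":
            word = word.lower()
        elif f == "u":
            word = word.upper()
        elif f == "c":
            word = word[:1].upper() + word[1:].lower()
        elif f in ("$", "^"):
            i += 1
            if i >= len(rule):
                raise ValueError("rule %r ends right after %s" % (rule, f))
            word = word + rule[i] if f == "$" else rule[i] + word
        else:
            raise ValueError("unsupported rule function %r in %r" % (f, rule))
        i += 1
    return word


def dictionary(words):                 # -a 0
    return iter(words)


def with_rules(words, rules):          # -a 0 -r rules.rule
    for w in words:
        for r in rules:
            yield apply_rule(w, r)


def hybrid_append(words, ndigits):     # -a 6 wordlist ?d?d?d?d (digits-only mask)
    for w in words:
        for tail in itertools.product("0123456789", repeat=ndigits):
            yield w + "".join(tail)


def crack(targets, cands, potfile):
    """Hash every candidate and match it against hashes not yet in the potfile.
    Newly cracked hash:plaintext pairs are added to the potfile and returned."""
    remaining = {h.upper() for h in targets} - set(potfile)
    newly = {}
    for cand in cands:
        if not remaining:
            break
        h = nt_hash(cand)
        if h in remaining:
            newly[h] = cand
            remaining.discard(h)
    potfile.update(newly)
    return newly


# Constructed stand-ins for rockyou.txt, d3ad0ne.rule and the lab's crackme file.
WORDLIST = ["password", "p@ssword", "Summer", "Fall", "winter"]
RULES = [":", "u", "c $!", "$1 $2 $3"]
SECRETS = ["password", "P@ssword!", "Summer2020", "Fall2020", "Winter2020$"]
TARGETS = [nt_hash(p) for p in SECRETS]


def run_all():
    """Run -a 0, then -a 0 with rules, then -a 6 ?d?d?d?d, sharing one potfile between runs."""
    potfile = {}
    results = {
        "dictionary": crack(TARGETS, dictionary(WORDLIST), potfile),
        "rules": crack(TARGETS, with_rules(WORDLIST, RULES), potfile),
        "hybrid": crack(TARGETS, hybrid_append(WORDLIST, 4), potfile),
    }
    results["uncracked"] = [h for h in TARGETS if h not in potfile]
    return results


if __name__ == "__main__":
    for stage, found in run_all().items():
        print(stage, found)
```

Each stage only sees hashes the previous stages did not crack, which is what the shared potfile buys you in real hashcat runs. The plain dictionary finds password; the rule pass finds P@ssword! via "c $!"; the hybrid pass finds Summer2020 and Fall2020; Winter2020$ survives because it needs both a capital letter the wordlist lacks and a trailing symbol, which is the kind of gap a ?d?d?d?d?s mask (33 times the work) or another rule pass would close.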

Hashcat Tricks

If every hash in your input file is already in the potfile, hashcat prints an INFO message saying that all hashes were found in the potfile and exits without cracking anything, which catches people out when they want to re-run an attack.

You can either add or delete a hash to get it going again, run hashcat with --show to print the cracked hash:password pairs straight from the potfile, or temporarily run with --potfile-disable.
