There are plenty of hashcat tutorials and walkthroughs out there, but good ones, curated to give ethical hackers a complete and practical reference, are few and far between.
As an Amazon Associate I earn from qualifying purchases.
In this hashcat tutorial I am going to cover the best use cases for hashcat and explain how you can use it to crack password hashes quickly and effectively.
I highly recommend buying Georgia Wiedman’s Penetration Testing. Check the price on Amazon.
What Is Hashcat?
Hashcat is a “password recovery” tool, although I am not sure if this is an accepted legal defense for using it inappropriately. While technically it is a password recovery tool, we are using it to crack the password hashes of our target in the ethical hacking lab.
So in a way we are recovering passwords, just ones we never owned to begin with. Unlike John, hashcat is not installed by default on Kali Linux.
Running hashcat inside a virtual machine also costs a lot of performance: hashcat relies on your computer’s GPU, and a VM has little or no access to it.
With that in mind, the passwords we are cracking are designed to be crackable even in a VM, but I highly recommend not cracking them there. Instead, install hashcat on your host computer and use it to crack the password hashes.
The -a flag selects the attack mode, while the -m flag tells hashcat which hash type you are trying to crack.
Cracked hashes are saved by default in the file hashcat.potfile. You can delete it and start again, or pass the --remove flag each time so nothing is kept. This second option is not recommended, since the potfile is what lets you resume partial progress on future cracking runs.
Create Some Hashes To Crack
First thing you are going to do is make some NT hashes to crack using a tool called smbencrypt.
To get smbencrypt on Kali Linux you have to install a package named freeradius which includes the smbencrypt binary.
“smbencrypt – produce LM & NT password hashes from cleartext passwords” – from the freeradius manpage.
Now we can use the smbencrypt command to create hashes to crack.
smbencrypt Summer2020$
smbencrypt P@ssword123
smbencrypt P@ssword!
smbencrypt Summer2020
smbencrypt Summer2019
A882591C875AE54533FC6F14FA6173CE
13B29964CC2480B4EF454C59562E675C
CB8A428385459087A76793010D60F5DC
2B391DFC6690CC38547D74B8BD8A5B49
ACBFC03DF96E93CF7294A01A6ABBDA33
E62830DAED8DBEA4ACD0B99D682946BB
Here are the hashcat flags used in this tutorial explained.
Dictionary attack: -a 0
Mask attack: -a 3
Hybrid, mask added after the word: -a 6, e.g. Summer + 2020 = Summer2020
Hybrid, mask added before the word: -a 7, e.g. 2020 + Summer = 2020Summer
NT hash type: -m 1000
Dictionary Attack
Let’s say you do know the password.
Dictionary Attack With Rules
Let’s say that you have the hash for “Fall2020”.
[kali@kali:] $ hashcat -a 0 -m 1000 hashes.txt rockyou.txt -r rules/d3ad0ne.rule -O
Using this type of attack the hash is finally cracked. We can see the password is Fall2020. It took hashcat on my machine a little over a minute to crack it.
Mask Attack
You can create a single mask or a mask file holding multiple masks for hashcat to cycle through. The only rule is that the mask file you create has the ‘.hcmask’ extension.
Hashcat charsets
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff
How to Use Hashcat Rules
So far we have cracked two passwords using the rockyou password file. That is 2/6 cracked, not good enough, eh? Using rules with hashcat can improve our chances.
The first password that the d3ad0ne.rule rule cracks is the P@ssword! hash. Our previous method failed to crack this one.
Using this one rule file we end up cracking 3/6 hashes, which really means we have cracked 5/6 if you count the two hashes cracked earlier.
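To show what a rule file actually does to a wordlist entry, here is an added example (not code from the original post or from hashcat): a small interpreter for a subset of hashcat's rule syntax, run over a constructed three-word list and a constructed rule file standing in for rockyou.txt and d3ad0ne.rule. The apply_rule, load_rules and find_hits names are my own, and which rule inside d3ad0ne.rule produced P@ssword! or Fall2020 in the author's run is not something this example claims.

```python
def _pos(ch):
    """Rule positions count 0-9 then A-Z for 10-35, as in hashcat's rule syntax."""
    return int(ch) if ch.isdigit() else ord(ch) - ord("A") + 10

def apply_rule(word, rule):
    """Apply one rule line (functions separated by spaces, left to right) to a word.
    A commonly used subset of hashcat's rule functions; anything else raises."""
    w = word
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":": pass                                   # no-op, emits the word as-is
        elif op == "l": w = w.lower()
        elif op == "u": w = w.upper()
        elif op == "c": w = w[:1].upper() + w[1:].lower()    # capitalize
        elif op == "r": w = w[::-1]                          # reverse
        elif op == "d": w = w * 2                            # duplicate
        elif op == "$": w = w + arg                          # append character
        elif op == "^": w = arg + w                          # prepend character
        elif op == "[": w = w[1:]                            # delete first
        elif op == "]": w = w[:-1]                           # delete last
        elif op == "D": n = _pos(arg); w = w[:n] + w[n + 1:] # delete at position
        elif op == "s": w = w.replace(arg[0], arg[1])        # replace all X with Y
        else: raise ValueError("unsupported rule function: " + fn)
    return w

def load_rules(text):
    """Rule file as -r reads it: one rule per line, blank lines and '#' comments skipped."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]

# Constructed stand-ins for rockyou.txt and d3ad0ne.rule (both are far larger).
WORDS = ["password", "fall", "summer"]
RULES_TEXT = """# constructed rule file in hashcat syntax
:
c
sa@ c $!
c $2 $0 $2 $0
c $2 $0 $1 $9
"""

def find_hits(targets, words=WORDS, rules_text=RULES_TEXT):
    """Map each target plaintext to the (word, rule) pair that produces it, the way -a 0 -r would."""
    hits = {}
    for w in words:
        for r in load_rules(rules_text):
            cand = apply_rule(w, r)
            if cand in targets and cand not in hits:
                hits[cand] = (w, r)
    return hits
```

Hashing each candidate and comparing it with hashes.txt is hashcat's part of the job; this only shows the candidates a rule file makes out of a word.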
Hybrid Attack
A hybrid attack with hashcat will combine a mask attack and a dictionary attack. Unfortunately this means you can’t apply rules at the same time too.
Adding the ?d?d?d?d mask will help crack the passwords that end in four digits (remember -a 6). For example, one of the passwords we hashed into our hashes file was Summer2020.
Let’s say that you know the passwords you want to crack all contain the string “2020”. How would you try to find a match using hashcat? The answer is using rules. To use rules rather than a brute-force password attack, hashcat takes instruction flags. Ideally you should use rule files to strengthen the cracking process.
[kali@kali:] $ hashcat -m 1000 hashes.txt -a 6 rockyou.txt ?d?d?d?d
This cracks one of the hashes, “Summer2020” very quickly, but not the other account hash. To crack the next hash we will need to learn more hashcat tricks.
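The following is an added example, not code from the post or from hashcat, that expands masks using the charsets listed in the Mask Attack section, parses .hcmask lines with custom charsets, and builds -a 6 and -a 7 hybrid candidates so the Summer2020 versus 2020Summer ordering is explicit; parse_mask, keyspace, candidates, hybrid and load_hcmask are my own names.

```python
import itertools
import string

# hashcat's built-in charsets as the page lists them (real hashcat also puts a space in ?s,
# and ?b is the 256 raw byte values, which this text-only example leaves out).
CHARSETS = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
            "d": string.digits, "s": string.punctuation}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]

def parse_mask(mask, custom=None):
    """One charset per position: ?x is a built-in or custom (?1-?4) charset,
    ?? is a literal '?', anything else is a literal character."""
    custom, out, i = custom or {}, [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            if key == "?":
                out.append("?")
            elif key in CHARSETS or key in custom:
                out.append(CHARSETS.get(key) or custom[key])
            else:
                raise ValueError("unknown charset ?" + key)
            i += 2
        else:
            out.append(mask[i])
            i += 1
    return out

def keyspace(mask, custom=None):
    """Number of candidates the mask expands to (what -a 3 must try in the worst case)."""
    n = 1
    for cs in parse_mask(mask, custom):
        n *= len(cs)
    return n

def candidates(mask, custom=None):
    """Every candidate of the mask (enumeration order differs from hashcat's)."""
    return ("".join(t) for t in itertools.product(*parse_mask(mask, custom)))

def hybrid(words, mask, mode, custom=None):
    """-a 6 appends the mask to each word (Summer2020); -a 7 prepends it (2020Summer)."""
    for w in words:
        for m in candidates(mask, custom):
            yield w + m if mode == 6 else m + w

def load_hcmask(text):
    """.hcmask lines: '#' comments skipped; 'cs1,cs2,...,mask' defines ?1, ?2, ... first."""
    masks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        *custom_fields, mask = line.split(",")
        masks.append((mask, {str(n): "".join(parse_mask(f)) for n, f in enumerate(custom_fields, 1)}))
    return masks
```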
Hashcat Tricks
Sometimes you will see a message from hashcat such as “All passwords shown in the pot file.” and hashcat exits without running the attack again.
You can either add or delete a hash in the hash file to get it going again.