Hashcat is a fast password recovery tool that helps break complex password hashes.
General hashcat syntax:
hashcat -a (attack mode) -m (hash mode) path/to/hashfile path/to/wordlist
It supports the following attack modes, selected with -a, which determine the attack type:
-a 0 Dictionary attack (default)
-a 1 Combinator - combine words from the wordlist with each other
-a 3 Mask / brute force
-a 6 Hybrid: wordlist + mask
-a 7 Hybrid: mask + wordlist
-a 9 Association
The dictionary attack is the default and is a good choice most of the time. The other attacks are tailored to specific situations and come into their own there.
Hash mode specifies which hash type should be cracked and is set with the -m flag; hashcat -h prints the list of supported modes.
Use the --force option to force CPU use instead of GPU; the latter is recommended and performs better.
Use the hashcat -h help menu to view the list of available options.
# Output to file (MD5)
hashcat -m0 -o found.txt hash.txt rockyou.txt
# Hashcat using the external rules (MySQL)
hashcat -m300 --status -o found.txt -r rules\OneRuleToRuleThemAll.rule hash.txt rockyou.txt
# Do not write to potfile & remove hashes once cracked
hashcat -m300 --remove --potfile-disable hash.txt rockyou.txt
Microsoft Windows NTLM hashes can be obtained by dumping the NTDS.dit and SYSTEM registry hive or by dumping LSASS memory.
NTLM hashes can be obtained from the SAM file as well.
Use impacket to dump the hashes:
impacket-secretsdump -system SYSTEM -ntds ntds.dit -hashes lmhash:nthash LOCAL -outputfile ntlm-extract
Use hashcat to crack the NTLM hash dump:
hashcat -m 1000 -a 0 hashsample.hash rockyou.txt -r OneRuleToRuleThemAll.rule
Service Principal Name (SPN - service instance unique identifier) is used by Kerberos authentication to associate a service instance with a service logon account, allowing the client application to request that the service authenticate an account even if the client does not have the account name.
After identifying Kerberoastable service accounts (e.g. with BloodHound), any AD user can request a KRB5TGS hash from which the password can be cracked; KRB5TGS cracking is 28 times slower than NTLM.
Hashcat supports multiple versions of the KRB5TGS hash, easily identified by the encryption type number between the $ symbols (hashcat mode - encryption type - line prefix):
13100 - Type 23 - $krb5tgs$23$
19600 - Type 17 - $krb5tgs$17$
19700 - Type 18 - $krb5tgs$18$
18200 - ASREP Type 23 - $krb5asrep$23$
hashcat64 -m 13100 -a 0 krb5tgs.hash rockyou.txt -r OneRuleToRuleThemAll.rule
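Because hashcat accepts only one -m per run, a mixed Kerberos dump has to be split by the prefix listed above before cracking. The following script is an added example, not part of the original cheatsheet: it reads the $krb5tgs$/$krb5asrep$ prefix, maps it to the mode numbers above, and groups the lines accordingly. The sample hash lines are constructed placeholders, not real tickets.

```python
import re
from collections import defaultdict

# Hashcat mode numbers for the Kerberos hash formats listed above, keyed by
# (hash family, encryption type) as they appear between the '$' separators.
KERBEROS_MODES = {
    ("krb5tgs", "23"): 13100,    # RC4-HMAC TGS-REP
    ("krb5tgs", "17"): 19600,    # AES128-CTS-HMAC-SHA1-96 TGS-REP
    ("krb5tgs", "18"): 19700,    # AES256-CTS-HMAC-SHA1-96 TGS-REP
    ("krb5asrep", "23"): 18200,  # RC4-HMAC AS-REP (AS-REP roasting)
}

# The family and etype are the first two '$'-delimited fields of the line.
PREFIX_RE = re.compile(r"^\$(krb5tgs|krb5asrep)\$(\d+)\$")

def hashcat_mode(line):
    """Return the hashcat -m value for one Kerberos hash line, or None if the
    prefix is not one of the formats listed above."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    return KERBEROS_MODES.get((m.group(1), m.group(2)))

def split_by_mode(lines):
    """Group hash lines by hashcat mode so each group can be fed to its own
    'hashcat -m <mode>' run; unrecognised lines are collected under None."""
    groups = defaultdict(list)
    for line in lines:
        if line.strip():
            groups[hashcat_mode(line)].append(line.strip())
    return dict(groups)

# Constructed sample lines (placeholder hex, not real tickets) in the layouts
# hashcat expects for each mode; the last line uses an unsupported etype.
SAMPLE = """
$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/db01.corp.local:1433*$0123456789abcdef0123456789abcdef$00aa11bb22cc33dd
$krb5tgs$18$svc_web$CORP.LOCAL$*HTTP/web01.corp.local*$0123456789abcdef01234567$89abcdef0123456789abcdef
$krb5asrep$23$nopreauth@CORP.LOCAL:0123456789abcdef0123456789abcdef$00aa11bb22cc33dd
$krb5tgs$99$unknown$CORP.LOCAL$*cifs/x*$00$11
"""

if __name__ == "__main__":
    for mode, hashes in split_by_mode(SAMPLE.splitlines()).items():
        label = f"-m {mode}" if mode else "unrecognised"
        print(f"{label}: {len(hashes)} hash(es)")
```

Write each group to its own file and run one hashcat command per mode; anything under "unrecognised" needs a manual look before it is fed to hashcat.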
Obtain the NTLMv2 hash during the NTLM authentication process to perform several attacks, including 'Pass the Hash', or attempt to recover the password.
After capturing the NTLMv2 hash, use hashcat to recover the password:
Save the hash to an independent file: ntlm_hash.txt
Execute hashcat: hashcat -m 5600 --force ntlm_hash.txt rockyou.txt
We require access to the /etc/passwd and /etc/shadow files.
Use unshadow to 'combine' these files: unshadow /etc/passwd /etc/shadow > unshadowed.txt
Use hashcat to recover the password: hashcat -m 1800 -a 0 --force unshadowed.txt rockyou.txt
Hashcat Cheatsheet - GitHub Resource
Awesome Password Cracking - GitHub Resource
Stealing and Cracking NTLMv2 Hashes - YouTube
Recovering Complex Passwords with Rules & Munging - John Hammond (YouTube)
OneRuleToRuleThemStill - Stealthsploit (GitHub)
Password Munging - Th3S3cr3tAg3nt (GitHub)