From 8926cd25884bdda909d907bc45c3ac8a3b10e721 Mon Sep 17 00:00:00 2001
From: dusoleil
Date: Fri, 27 Aug 2021 03:33:29 -0400
Subject: Add hashcat doc

Signed-off-by: dusoleil
---
 docs/crypto/hashcat.txt | 101 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 docs/crypto/hashcat.txt
(limited to 'docs/crypto/hashcat.txt')
diff --git a/docs/crypto/hashcat.txt b/docs/crypto/hashcat.txt
new file mode 100644
index 0000000..7cf4b89
--- /dev/null
+++ b/docs/crypto/hashcat.txt
@@ -0,0 +1,101 @@
+hashcat is a hardware accelerated hash cracking tool
+
+useful one-liners mostly stolen from naive-hashcat:
+https://github.com/Kr4ken-9/naive-hashcat/blob/master/naive-hashcat.sh
+hashcat -I
+# LIGHT DICTIONARY ATTACK
+hashcat -w 3 -m -a 0 dicts/rockyou.txt
+# DICTIONARY ATTACK WITH RULES
+hashcat -w 3 -m -a 0 dicts/rockyou.txt -r hashcat/rules/d3ad0ne.rule
+hashcat -w 3 -m -a 0 dicts/rockyou.txt -r hashcat/rules/rockyou-30000.rule
+hashcat -w 3 -m -a 0 dicts/rockyou.txt -r hashcat/rules/dive.rule
+# HEAVY MASK ATTACK (BRUTE-FORCE)
+hashcat -w 3 -m -a 3 hashcat/masks/rockyou-1-60.hcmask
+# COMBINATION ATTACK
+hashcat -w 3 -m -a 1 dicts/rockyou.txt dicts/rockyou.txt
+
+general command structure:
+hashcat [options] [wordlist, mask, or mask file] [-r rule file]
+
+useful options:
+-I -- list all installed opencl platforms and devices
+--identify -- try to detect what type of hash is in the file
+--example-hashes -- print out an example hash for each hash type
+-D -- specify a device type to use (1=CPU,2=GPU,3=FPGA)
+-d -- specify a device to use
+-w -- workload profile (1-4 where 1 is light on resources and 4 should be run headless)
+-m -- hash type
+-a -- attack type
+-i -- enable increment mode for mask attacks
+--increment-min -- minimum length for incrementing
+--increment-max -- maximum length for incrementing
+-1 -- custom charset 1
+-2 -- custom charset 2
+-3 -- custom charset 3
+-4 -- custom charset 4
+-r -- rules file
+-j -- in combinator attack, use single rule for left dictionary
+-k -- in combinator attack, use single rule for right dictionary
+-o -- output file
+--status -- automatic update of status screen
+--show -- if a hash has already been cracked and saved, print it
+--stdout -- don't crack, just print out candidates. useful to generate a wordlist for another program
+-g -- randomly generate some number of rules
+
+Hash Type
+You specify what is in your file (e.g. an MD5 hash, an /etc/passwd file, a WPA handshake, etc.) with -m
+You can try to use the --identify and --example-hashes flags to figure out what to use.
+There is also a list of all of the modes in the man page and help output.
+short list of some useful ones:
+0 - MD5
+500 - md5crypt ($1$)
+1 - SHA1
+1400 - SHA256
+7400 - sha256crypt ($5$)
+1700 - SHA512
+1800 - sha512crypt ($6$)
+3200 - bcrypt/blowfish ($2*$)
+11600 - 7zip ($7z$)
+2500 - WPA handshake converted into a .hccapx file
+400 - phpass/wordpress/phpbb3/joomla ($P$)
+16500 - JSON Web Token (JWT)
+
+For WPA handshakes, you need to convert the .pcap into a .hccapx
+This can be done with the hashcat-utils package (may be in package manager, otherwise git)
+$ git clone https://github.com/hashcat/hashcat-utils.git
+Or using aircrack-ng (which you probably used to get it in the first place)
+$ aircrack-ng -j
+
+Attack Type
+0 - "straight mode" or dictionary attack. you can also specify rule files - https://hashcat.net/wiki/doku.php?id=rule_based_attack
+1 - "combinator mode" cartesian product of two dictionaries. can also use a single rule on each side with -j/-k
+3 - "mask mode" or brute force mode. uses a fixed length pattern with wildcards - https://hashcat.net/wiki/doku.php?id=mask_attack
+6 - "hybrid" wordlist+mask
+7 - "hybrid" mask+wordlist
+hybrid - basically a combinator attack but one side is a brute force mask instead of another wordlist
+
+Workload Profiles
+The docs claim that 3 and 4 would cause your system to be unusable, but I wasn't seeing that.
+I also didn't see a very significant improvement from 3 to 4, though.
+The default seems to be around 2, but there was a significant performance increase at 3.
+
+Getting Hardware to Work
+Hashcat uses opencl most of the time. It can use CUDA directly as well.
+We need to set up all of the drivers and opencl implementations to get it to use our hardware.
+Even if we wanted to run on the CPU, we would need the opencl implementation that uses it.
+Usually the CPU implementation would be through pocl (portable computing language).
+$ apt install pocl-opencl-icd
+There are mesa implementations for opencl, but they're kind of shit.
+$ apt install mesa-opencl-icd
+You can access CUDA through opencl, but it may still need CUDA libraries installed
+A better option would be to have hashcat use CUDA directly since you'll be installing the libraries anyways.
+https://developer.nvidia.com/cuda-downloads
+And make sure hashcat is selecting the direct implementation instead of opencl.
+On AMD, there is the ROCM API which is similar to CUDA.
+With hashcat, we need an opencl implementation to ROCM.
+https://rocmdocs.amd.com/en/latest/Installation_Guide/Installation-Guide.html
+As it turns out, ROCM is only supported on dedicated GPUs.
+There doesn't seem to be a proper solution for APUs. There is a 3rd party implementation of ROCM for APUs here:
+https://apt.bruhnspace.com/
+But I couldn't get it working.
+
-- 
cgit v1.2.3
From 447fe814d452555822be55bc4cefb058f39f735d Mon Sep 17 00:00:00 2001
From: dusoleil
Date: Fri, 27 Aug 2021 17:09:20 -0400
Subject: Remove "LIGHT"/"HEAVY" Descriptors from Examples

Signed-off-by: dusoleil
---
 docs/crypto/hashcat.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'docs/crypto/hashcat.txt')
diff --git a/docs/crypto/hashcat.txt b/docs/crypto/hashcat.txt
index 7cf4b89..e44dd36 100644
--- a/docs/crypto/hashcat.txt
+++ b/docs/crypto/hashcat.txt
@@ -3,13 +3,13 @@ hashcat is a hardware accelerated hash cracking tool
 useful one-liners mostly stolen from naive-hashcat:
 https://github.com/Kr4ken-9/naive-hashcat/blob/master/naive-hashcat.sh
 hashcat -I
-# LIGHT DICTIONARY ATTACK
+# DICTIONARY ATTACK
 hashcat -w 3 -m -a 0 dicts/rockyou.txt
 # DICTIONARY ATTACK WITH RULES
 hashcat -w 3 -m -a 0 dicts/rockyou.txt -r hashcat/rules/d3ad0ne.rule
 hashcat -w 3 -m -a 0 dicts/rockyou.txt -r hashcat/rules/rockyou-30000.rule
 hashcat -w 3 -m -a 0 dicts/rockyou.txt -r hashcat/rules/dive.rule
-# HEAVY MASK ATTACK (BRUTE-FORCE)
+# MASK ATTACK (BRUTE-FORCE)
 hashcat -w 3 -m -a 3 hashcat/masks/rockyou-1-60.hcmask
 # COMBINATION ATTACK
 hashcat -w 3 -m -a 1 dicts/rockyou.txt dicts/rockyou.txt
-- 
cgit v1.2.3
From 8769b67eba7013379396146c80d44cb068d18256 Mon Sep 17 00:00:00 2001
From: dusoleil
Date: Fri, 27 Aug 2021 17:10:39 -0400
Subject: Fix Paths in Examples

Signed-off-by: dusoleil
---
 docs/crypto/hashcat.txt | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'docs/crypto/hashcat.txt')
diff --git a/docs/crypto/hashcat.txt b/docs/crypto/hashcat.txt
index e44dd36..280f4a9 100644
--- a/docs/crypto/hashcat.txt
+++ b/docs/crypto/hashcat.txt
@@ -6,11 +6,11 @@ hashcat -I
 # DICTIONARY ATTACK
 hashcat -w 3 -m -a 0 dicts/rockyou.txt
 # DICTIONARY ATTACK WITH RULES
-hashcat -w 3 -m -a 0 dicts/rockyou.txt -r hashcat/rules/d3ad0ne.rule
-hashcat -w 3 -m -a 0 dicts/rockyou.txt -r hashcat/rules/rockyou-30000.rule
-hashcat -w 3 -m -a 0 dicts/rockyou.txt -r hashcat/rules/dive.rule
+hashcat -w 3 -m -a 0 dicts/rockyou.txt -r rules/d3ad0ne.rule
+hashcat -w 3 -m -a 0 dicts/rockyou.txt -r rules/rockyou-30000.rule
+hashcat -w 3 -m -a 0 dicts/rockyou.txt -r rules/dive.rule
 # MASK ATTACK (BRUTE-FORCE)
-hashcat -w 3 -m -a 3 hashcat/masks/rockyou-1-60.hcmask
+hashcat -w 3 -m -a 3 masks/rockyou-1-60.hcmask
 # COMBINATION ATTACK
 hashcat -w 3 -m -a 1 dicts/rockyou.txt dicts/rockyou.txt
 
-- 
cgit v1.2.3
From 2ccf4674ee3dfca6181b598edb1602b396de8f13 Mon Sep 17 00:00:00 2001
From: dusoleil
Date: Fri, 27 Aug 2021 17:18:08 -0400
Subject: Add --status Flag to Examples

Signed-off-by: dusoleil
---
 docs/crypto/hashcat.txt | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
(limited to 'docs/crypto/hashcat.txt')
diff --git a/docs/crypto/hashcat.txt b/docs/crypto/hashcat.txt
index 280f4a9..2e68637 100644
--- a/docs/crypto/hashcat.txt
+++ b/docs/crypto/hashcat.txt
@@ -4,15 +4,15 @@ useful one-liners mostly stolen from naive-hashcat:
 https://github.com/Kr4ken-9/naive-hashcat/blob/master/naive-hashcat.sh
 hashcat -I
 # DICTIONARY ATTACK
-hashcat -w 3 -m -a 0 dicts/rockyou.txt
+hashcat --status -w 3 -m -a 0 dicts/rockyou.txt
 # DICTIONARY ATTACK WITH RULES
-hashcat -w 3 -m -a 0 dicts/rockyou.txt -r rules/d3ad0ne.rule
-hashcat -w 3 -m -a 0 dicts/rockyou.txt -r rules/rockyou-30000.rule
-hashcat -w 3 -m -a 0 dicts/rockyou.txt -r rules/dive.rule
+hashcat --status -w 3 -m -a 0 dicts/rockyou.txt -r rules/d3ad0ne.rule
+hashcat --status -w 3 -m -a 0 dicts/rockyou.txt -r rules/rockyou-30000.rule
+hashcat --status -w 3 -m -a 0 dicts/rockyou.txt -r rules/dive.rule
 # MASK ATTACK (BRUTE-FORCE)
-hashcat -w 3 -m -a 3 masks/rockyou-1-60.hcmask
+hashcat --status -w 3 -m -a 3 masks/rockyou-1-60.hcmask
 # COMBINATION ATTACK
-hashcat -w 3 -m -a 1 dicts/rockyou.txt dicts/rockyou.txt
+hashcat --status -w 3 -m -a 1 dicts/rockyou.txt dicts/rockyou.txt
 
 general command structure:
 hashcat [options] [wordlist, mask, or mask file] [-r rule file]
-- 
cgit v1.2.3
From de3310f002bbb8eeb4be39a4d8cac29b4c0aabd0 Mon Sep 17 00:00:00 2001
From: dusoleil
Date: Fri, 27 Aug 2021 17:18:47 -0400
Subject: Add Examples for Showing Cracks/Identifying Type

Signed-off-by: dusoleil
---
 docs/crypto/hashcat.txt | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'docs/crypto/hashcat.txt')
diff --git a/docs/crypto/hashcat.txt b/docs/crypto/hashcat.txt
index 2e68637..96d2f19 100644
--- a/docs/crypto/hashcat.txt
+++ b/docs/crypto/hashcat.txt
@@ -3,6 +3,8 @@ hashcat is a hardware accelerated hash cracking tool
 useful one-liners mostly stolen from naive-hashcat:
 https://github.com/Kr4ken-9/naive-hashcat/blob/master/naive-hashcat.sh
 hashcat -I
+hashcat --example-hashes | grep -A2 '\$5\$'
+hashcat --show -m
 # DICTIONARY ATTACK
 hashcat --status -w 3 -m -a 0 dicts/rockyou.txt
 # DICTIONARY ATTACK WITH RULES
-- 
cgit v1.2.3
From 60ee99493498babe93c75e39c24c9063df5170f8 Mon Sep 17 00:00:00 2001
From: dusoleil
Date: Fri, 27 Aug 2021 17:25:30 -0400
Subject: Add More Mask/Hybrid Attacks to Examples

Signed-off-by: dusoleil
---
 docs/crypto/hashcat.txt | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'docs/crypto/hashcat.txt')
diff --git a/docs/crypto/hashcat.txt b/docs/crypto/hashcat.txt
index 96d2f19..32b2967 100644
--- a/docs/crypto/hashcat.txt
+++ b/docs/crypto/hashcat.txt
@@ -12,7 +12,13 @@ hashcat --status -w 3 -m -a 0 dicts/rockyou.txt -r rules/d3ad0ne.r
 hashcat --status -w 3 -m -a 0 dicts/rockyou.txt -r rules/rockyou-30000.rule
 hashcat --status -w 3 -m -a 0 dicts/rockyou.txt -r rules/dive.rule
 # MASK ATTACK (BRUTE-FORCE)
+hashcat --status -w 3 -m -a 3 --increment ?a?a?a?a?a?a?a?a?a?a?a
 hashcat --status -w 3 -m -a 3 masks/rockyou-1-60.hcmask
# HYBRID ATTACK (DICTIONARY + BRUTE-FORCE)
+hashcat --status -w 3 -m -a 6 --increment dicts/rockyou.txt ?a?a?a?a?a?a?a?a?a?a?a
+hashcat --status -w 3 -m -a 6 dicts/rockyou.txt masks/rockyou-1-60.hcmask
+hashcat --status -w 3 -m -a 7 --increment ?a?a?a?a?a?a?a?a?a?a?a dicts/rockyou.txt
+hashcat --status -w 3 -m -a 7 masks/rockyou-1-60.hcmask dicts/rockyou.txt
 # COMBINATION ATTACK
 hashcat --status -w 3 -m -a 1 dicts/rockyou.txt dicts/rockyou.txt
 
-- 
cgit v1.2.3
From 5070d2db16b531eeb69f50397ccafb3a0a8fbb89 Mon Sep 17 00:00:00 2001
From: dusoleil
Date: Fri, 27 Aug 2021 18:17:10 -0400
Subject: Add Info About Issues with Small Workload
Signed-off-by: dusoleil
---
 docs/crypto/hashcat.txt | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
(limited to 'docs/crypto/hashcat.txt')
diff --git a/docs/crypto/hashcat.txt b/docs/crypto/hashcat.txt
index 32b2967..31904c0 100644
--- a/docs/crypto/hashcat.txt
+++ b/docs/crypto/hashcat.txt
@@ -21,6 +21,8 @@ hashcat --status -w 3 -m -a 7 --increment ?a?a?a?a?a?a?a?a?a?a?a d
 hashcat --status -w 3 -m -a 7 masks/rockyou-1-60.hcmask dicts/rockyou.txt
 # COMBINATION ATTACK
 hashcat --status -w 3 -m -a 1 dicts/rockyou.txt dicts/rockyou.txt
+# STDOUT/STDIN (for workload issues)
+hashcat --stdout -w 3 -a 6 dicts/rockyou.txt masks/rockyou-1-60.hcmask | hashcat --status -w 3 -m
 
 general command structure:
 hashcat [options] [wordlist, mask, or mask file] [-r rule file]
@@ -87,6 +89,28 @@ The docs claim that 3 and 4 would cause your system to be unusable, but I wasn't
 I also didn't see a very significant improvement from 3 to 4, though.
 The default seems to be around 2, but there was a significant performance increase at 3.
 
+Tweaking Keyspace for Performance
+Straight dictionary attacks will generally be pretty fast, but as you add rules and masks, things grow quickly.
+In fact, just a single long mask on its own is often infeasible.
+Generally, you don't want to run against rockyou and a huge collection of rules (or even just one complex one).
+It's better to either use rockyou with a simple rule or have a limited wordlist and a large collection of rules.
+If you're brute forcing, generally you don't want a huge mask.
+If you're hybrid brute forcing, you also don't want a huge wordlist with tons of different masks.
+Again, you want to pick a limited word list and a collection of simple masks.
+One weird gotcha, though, is that hashcat will produce a "base" list of candidates on the CPU
+that then gets blown up into more candidates with an amplifier on the GPU.
+If, after this amplification, the candidate list is too short, the GPU's parallelization can't be taken advantage of.
+For instance, in a hybrid attack with a small wordlist and large list of masks, but some of the masks are very short.
+Each mask in the list will generate a separate candidate list via amplification on the GPU.
+For the short masks, this candidate list will be very short. This causes a HUGE bottleneck where the GPU can't parallelize.
+Fortunately, hashcat will print out a warning when this happens to let you know.
+It can be somewhat mitigated by tweaking your lists or by running STDOUT/STDIN mode.
+This will generate the candidates as one big batch and pipe them into the main hashcat instance.
+Since we're effectively combining the different amplified candidate lists into one,
+we have a better chance of have a long enough candidate list for the GPU to be properly utilized.
+The main downside is that the main hashcat instance has no idea how long our keyspace is and can't estimate the run time.
+https://hashcat.net/faq/morework
+
 Getting Hardware to Work
 Hashcat uses opencl most of the time. It can use CUDA directly as well.
 We need to set up all of the drivers and opencl implementations to get it to use our hardware.
-- 
cgit v1.2.3
From af22ce5c1bf7765129aaa3a78e3a633abcf3c599 Mon Sep 17 00:00:00 2001
From: dusoleil
Date: Fri, 27 Aug 2021 18:32:23 -0400
Subject: Update Incremental Examples to Use Short Flag

Signed-off-by: dusoleil
---
 docs/crypto/hashcat.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'docs/crypto/hashcat.txt')
diff --git a/docs/crypto/hashcat.txt b/docs/crypto/hashcat.txt
index 31904c0..00d7704 100644
--- a/docs/crypto/hashcat.txt
+++ b/docs/crypto/hashcat.txt
@@ -12,12 +12,12 @@ hashcat --status -w 3 -m -a 0 dicts/rockyou.txt -r rules/d3ad0ne.r
 hashcat --status -w 3 -m -a 0 dicts/rockyou.txt -r rules/rockyou-30000.rule
 hashcat --status -w 3 -m -a 0 dicts/rockyou.txt -r rules/dive.rule
 # MASK ATTACK (BRUTE-FORCE)
-hashcat --status -w 3 -m -a 3 --increment ?a?a?a?a?a?a?a?a?a?a?a
+hashcat --status -w 3 -m -a 3 -i ?a?a?a?a?a?a?a?a?a?a?a
 hashcat --status -w 3 -m -a 3 masks/rockyou-1-60.hcmask
 # HYBRID ATTACK (DICTIONARY + BRUTE-FORCE)
-hashcat --status -w 3 -m -a 6 --increment dicts/rockyou.txt ?a?a?a?a?a?a?a?a?a?a?a
+hashcat --status -w 3 -m -a 6 -i dicts/rockyou.txt ?a?a?a?a?a?a?a?a?a?a?a
 hashcat --status -w 3 -m -a 6 dicts/rockyou.txt masks/rockyou-1-60.hcmask
-hashcat --status -w 3 -m -a 7 --increment ?a?a?a?a?a?a?a?a?a?a?a dicts/rockyou.txt
+hashcat --status -w 3 -m -a 7 -i ?a?a?a?a?a?a?a?a?a?a?a dicts/rockyou.txt
 hashcat --status -w 3 -m -a 7 masks/rockyou-1-60.hcmask dicts/rockyou.txt
 # COMBINATION ATTACK
 hashcat --status -w 3 -m -a 1 dicts/rockyou.txt dicts/rockyou.txt
-- 
cgit v1.2.3
From f5851f63f1ea27c9deb35475c4d00398026bbe63 Mon Sep 17 00:00:00 2001
From: dusoleil
Date: Fri, 27 Aug 2021 18:33:04 -0400
Subject: Add Example that Uses Custom Charset

Signed-off-by: dusoleil
---
 docs/crypto/hashcat.txt | 1 +
 1 file changed, 1 insertion(+)
(limited to 'docs/crypto/hashcat.txt')
diff --git a/docs/crypto/hashcat.txt b/docs/crypto/hashcat.txt
index 00d7704..2f969aa 100644
--- a/docs/crypto/hashcat.txt
+++ b/docs/crypto/hashcat.txt
@@ -12,6 +12,7 @@ hashcat --status -w 3 -m -a 0 dicts/rockyou.txt -r rules/d3ad0ne.r
 hashcat --status -w 3 -m -a 0 dicts/rockyou.txt -r rules/rockyou-30000.rule
 hashcat --status -w 3 -m -a 0 dicts/rockyou.txt -r rules/dive.rule
 # MASK ATTACK (BRUTE-FORCE)
+hashcat --status -w 3 -m -a 3 -i -1 ?l?d ?1?1?1?1?1?1?1?1?1?1?1
 hashcat --status -w 3 -m -a 3 -i ?a?a?a?a?a?a?a?a?a?a?a
 hashcat --status -w 3 -m -a 3 masks/rockyou-1-60.hcmask
 # HYBRID ATTACK (DICTIONARY + BRUTE-FORCE)
-- 
cgit v1.2.3