path: root/docs/crypto/hashcat.txt
hashcat is a hardware-accelerated hash cracking tool

useful one-liners mostly stolen from naive-hashcat:
https://github.com/Kr4ken-9/naive-hashcat/blob/master/naive-hashcat.sh
# LIST OPENCL PLATFORMS AND DEVICES
hashcat -I
# DICTIONARY ATTACK
hashcat -w 3 -m <type> -a 0 <file> dicts/rockyou.txt
# DICTIONARY ATTACK WITH RULES
hashcat -w 3 -m <type> -a 0 <file> dicts/rockyou.txt -r rules/d3ad0ne.rule
hashcat -w 3 -m <type> -a 0 <file> dicts/rockyou.txt -r rules/rockyou-30000.rule
hashcat -w 3 -m <type> -a 0 <file> dicts/rockyou.txt -r rules/dive.rule
# MASK ATTACK (BRUTE-FORCE)
hashcat -w 3 -m <type> -a 3 <file> masks/rockyou-1-60.hcmask
# COMBINATION ATTACK
hashcat -w 3 -m <type> -a 1 <file> dicts/rockyou.txt dicts/rockyou.txt

general command structure:
hashcat [options] <file with hashes> [wordlist, mask, or mask file] [-r rule file]

useful options:
-I                      -- list all installed opencl platforms and devices
--identify              -- try to detect what type of hash is in the file
--example-hashes        -- print out an example hash for each hash type
-D <num>                -- specify a device type to use (1=CPU,2=GPU,3=FPGA)
-d <num>                -- specify a device to use
-w <num>                -- workload profile (1-4 where 1 is light on resources and 4 should be run headless)
-m <num>                -- hash type
-a <num>                -- attack type
-i                      -- enable increment mode for mask attacks
--increment-min <num>   -- minimum length for incrementing
--increment-max <num>   -- maximum length for incrementing
-1 <charset>            -- custom charset 1
-2 <charset>            -- custom charset 2
-3 <charset>            -- custom charset 3
-4 <charset>            -- custom charset 4
-r <file>               -- rules file
-j <rule>               -- in combinator attack, use single rule for left dictionary
-k <rule>               -- in combinator attack, use single rule for right dictionary
-o <file>               -- output file
--status                -- automatic update of status screen
--show                  -- if a hash has already been cracked and saved, print it
--stdout                -- don't crack, just print out candidates. useful to generate a wordlist for another program
-g <num>                -- randomly generate some number of rules

Hash Type
You specify what is in your file (e.g. an MD5 hash, an /etc/passwd file, a WPA handshake, etc.) with -m
You can try to use the --identify and --example-hashes flags to figure out what to use.
There is also a list of all of the modes in the man page and help output.
short list of some useful ones:
0       - MD5
500     - md5crypt ($1$)
1       - SHA1
1400    - SHA256
7400    - sha256crypt ($5$)
1700    - SHA512
1800    - sha512crypt ($6$)
3200    - bcrypt/blowfish ($2*$)
11600   - 7zip ($7z$)
2500    - WPA handshake converted into a .hccapx file
400     - phpass/wordpress/phpbb3/joomla ($P$)
16500   - JSON Web Token (JWT)

For WPA handshakes, you need to convert the .pcap into a .hccapx
This can be done with the hashcat-utils package (may be in package manager, otherwise git)
$ git clone https://github.com/hashcat/hashcat-utils.git
Or using aircrack-ng (which you probably used to get it in the first place)
$ aircrack-ng -j <out-file> <pcap-file>

Attack Type
0 - "straight mode" or dictionary attack. you can also specify rule files - https://hashcat.net/wiki/doku.php?id=rule_based_attack
1 - "combinator mode" cartesian product of two dictionaries. can also use a single rule on each side with -j/-k
3 - "mask mode" or brute force mode. uses a fixed length pattern with wildcards - https://hashcat.net/wiki/doku.php?id=mask_attack
6 - "hybrid" wordlist+mask
7 - "hybrid" mask+wordlist
hybrid - basically a combinator attack but one side is a brute force mask instead of another wordlist
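
How large a search space a mask describes, as an added example that is not part of the original notes or of hashcat itself: it parses a mask and counts candidates, including the per-length runs that -i with --increment-min/--increment-max produces, which is a quick way to compare what different password policies leave to search. The function names mask_sizes and keyspace are made up here; the built-in charset sizes (?l, ?u, ?d, ?h, ?H, ?s, ?a, ?b) are not listed in these notes and come from hashcat's mask attack documentation.

```sh
#!/bin/sh
# Added example (not from the original notes): count the candidates a
# hashcat-style mask describes. Built-in sizes: ?l ?u = 26, ?d = 10,
# ?h ?H = 16, ?s = 33, ?a = 95, ?b = 256; "??" is a literal question mark.

# mask_sizes MASK [C1 C2 C3 C4] -> one charset size per mask position.
# C1..C4 are the sizes of the custom charsets given with -1 .. -4.
mask_sizes() (
    mask=$1; c1=${2:-0}; c2=${3:-0}; c3=${4:-0}; c4=${5:-0}
    while [ -n "$mask" ]; do
        ch=${mask%"${mask#?}"}; mask=${mask#?}      # pop the first character
        n=1                                         # literal: one candidate
        if [ "$ch" = "?" ]; then
            tok=${mask%"${mask#?}"}; mask=${mask#?}
            case "$tok" in
                l|u) n=26 ;; d) n=10 ;; h|H) n=16 ;; s) n=33 ;;
                a) n=95 ;; b) n=256 ;; "?") n=1 ;;
                1) n=$c1 ;; 2) n=$c2 ;; 3) n=$c3 ;; 4) n=$c4 ;;
                *) n=0 ;;
            esac
        fi
        # unknown token, dangling "?", or custom charset with no size given
        [ "$n" -gt 0 ] || { echo "bad mask near ?$tok" >&2; exit 1; }
        printf '%s\n' "$n"
    done
)

# keyspace MASK [MIN MAX [C1 C2 C3 C4]] -> total candidates. With MAX > 0 it
# sums every prefix length MIN..MAX, the lengths increment mode walks through.
keyspace() (
    sizes=$(mask_sizes "$1" "$4" "$5" "$6" "$7") || exit 1
    min=${2:-0}; max=${3:-0}; total=0; prod=1; len=0
    for n in $sizes; do
        # shell arithmetic is signed 64-bit: refuse rather than wrap around
        [ "$prod" -le $((9223372036854775807 / n)) ] || { echo "overflow" >&2; exit 1; }
        prod=$((prod * n)); len=$((len + 1))
        if [ "$len" -ge "$min" ] && [ "$len" -le "$max" ]; then
            total=$((total + prod))
        fi
    done
    [ "$max" -gt 0 ] || total=$prod
    echo "$total"
)

# Constructed comparison: what an 8-character policy leaves to search.
echo "8 lowercase letters : $(keyspace '?l?l?l?l?l?l?l?l')"
echo "8 printable ASCII   : $(keyspace '?a?a?a?a?a?a?a?a')"
echo "1-4 digits (-i)     : $(keyspace '?d?d?d?d' 1 4)"
```

Dividing the result by the hash rate your hardware reports for a given -m gives a rough upper bound on the time to exhaust the mask.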

Workload Profiles
The docs claim that 3 and 4 would cause your system to be unusable, but I wasn't seeing that.
I also didn't see a very significant improvement from 3 to 4, though.
The default seems to be around 2, but there was a significant performance increase at 3.

Getting Hardware to Work
Hashcat uses opencl most of the time.  It can use CUDA directly as well.
We need to set up all of the drivers and opencl implementations to get it to use our hardware.
Even if we wanted to run on the CPU, we would need the opencl implementation that uses it.
Usually the CPU implementation would be through pocl (portable computing language).
$ apt install pocl-opencl-icd
There are mesa implementations for opencl, but they're kind of shit.
$ apt install mesa-opencl-icd
You can access CUDA through opencl, but it may still need CUDA libraries installed.
A better option would be to have hashcat use CUDA directly since you'll be installing the libraries anyways.
https://developer.nvidia.com/cuda-downloads
And make sure hashcat is selecting the direct implementation instead of opencl.
On AMD, there is the ROCm API, which is similar to CUDA.
With hashcat, we need an opencl implementation on top of ROCm.
https://rocmdocs.amd.com/en/latest/Installation_Guide/Installation-Guide.html
As it turns out, ROCm is only supported on dedicated GPUs.
There doesn't seem to be a proper solution for APUs.  There is a third-party implementation of ROCm for APUs here:
https://apt.bruhnspace.com/
But I couldn't get it working.