Practical examples of Hashcat usage
Table of contents
1. Hashcat command structure
2. Examples of Hashcat masks
3. Frequently used Hashcat options
4. How to extract hashes and find out their numbers for cracking in Hashcat
5. How to hack Wi-Fi password in Hashcat
5.1 Capturing Wi-Fi handshake for password cracking
5.2 How to extract hash for Wi-Fi hacking
6. How to crack ZIP archive password
7. How to crack RAR archive password
8. How to crack the 7z archive password
9. How to crack MS Office password: Word (.DOCX file) and other office files
10. How to crack LibreOffice password (Writer / .odt files and others)
11. How to crack PDF password
12. How to crack KeePass and KeePassXC password
13. How to crack GPG private key password
14. How to crack OpenSSH private key password (id_rsa)
While preparing the reference article “Practical examples of John the Ripper usage”, the idea came up to make a similar article on Hashcat.
Those who regularly use Hashcat, of course, will be able to draw up the necessary mask at a glance and even remember the number of the frequently used hash type. But remembering the name of the script for extracting a hash, or the number of a less commonly used hash type, or an infrequent option is no longer so easy. You can of course delve into the extensive documentation. But, first, it's good to have a cheat sheet handy like the one you are reading. And secondly, the official reference does not contain information about programs for extracting hashes.
All in all, I hope the cheat sheet you are reading is helpful.
But this article does not replace the very extensive Hashcat tutorials. Therefore, it is highly recommended to use this article as a cheat sheet after researching the following sources:
- Hashcat manual: how to use the program for cracking passwords
- How to brute-force passwords using GPU and CPU in Linux
Hashcat command structure
In its most general form, the command to start Hashcat looks like (in it, the | symbol means “OR”):
hashcat [OPTIONS]... HASH|FILE-WITH-HASH [DICTIONARY|MASK|DIRECTORY]...
In subsequent commands, HASH, FILE-WITH-HASH and hccapxfile will be designated as simply “HASH” - remember that this can be either a hash string or the path to the file in which the hash is stored.
General form of the command for launching a dictionary attack:
hashcat -m TYPE -a 0 HASH DICTIONARY
If the hash is placed in a file, then the command:
hashcat -m TYPE -a 0 /PATH/TO/HASH/FILE /PATH/TO/DICTIONARY
General form of the command to launch a mask attack:
hashcat -m TYPE -a 3 HASH 'MASK'
If the hash is placed in a file, then the command:
hashcat -m TYPE -a 3 /PATH/TO/HASH/FILE 'MASK'
With the -m option, you need to specify the TYPE of the hash to crack, which is indicated by a number. The hash numbers are given below when describing the hash extraction process.
Examples of Hashcat masks
The following examples should give you an idea of the basics of using masks – you can easily edit them to suit your needs:
Passwords consist of six characters, each of which is a number:
hashcat -m TYPE -a 3 HASH '?d?d?d?d?d?d'
Passwords consist of eight characters, each of which is a number:
hashcat -m TYPE -a 3 HASH '?d?d?d?d?d?d?d?d'
Passwords consist of six characters and begin with “Pa”, the rest of the characters are numbers:
hashcat -m TYPE -a 3 HASH 'Pa?d?d?d?d'
Passwords consist of numbers and have a length of 1 to 4 characters:
hashcat -m TYPE -a 3 HASH -i --increment-min=1 --increment-max=4 '?d?d?d?d'
Passwords consist of numbers and have a length of 1 to 10 characters:
hashcat -m TYPE -a 3 HASH -i --increment-min=1 --increment-max=10 '?d?d?d?d?d?d?d?d?d?d'
Passwords consist of six characters, each of which is a small letter:
hashcat -m TYPE -a 3 HASH '?l?l?l?l?l?l'
Passwords consist of lowercase letters and are 1 to 6 characters long:
hashcat -m TYPE -a 3 HASH -i --increment-min=1 --increment-max=6 '?l?l?l?l?l?l'
Passwords consist of six characters, each with a capital letter:
hashcat -m TYPE -a 3 HASH '?u?u?u?u?u?u'
Passwords consist of six characters: at the beginning there is always the fixed string “No”, then a capital letter, then a lowercase letter, and then two numbers.
hashcat -m TYPE -a 3 HASH 'No?u?l?d?d'
Passwords are composed of upper and lower case letters and numbers, which can be anywhere, and are 1 to 8 characters long.
hashcat -m TYPE -a 3 HASH -i --increment-min=1 --increment-max=8 -1 ?l?u?d '?1?1?1?1?1?1?1?1'
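Before launching a mask attack it is worth knowing how many candidates the mask produces, because an eight-position ?1 mask over 62 characters is a very different job from six digits. The following Python script is an added example (not part of the original article and not Hashcat code) that parses the mask syntax used above, including custom charsets and the --increment range, and counts the candidates; divide by the speed that hashcat -b -m TYPE reports on your hardware to get the worst-case run time. The 500 kH/s rate used in the demo is a made-up placeholder.

```python
"""Candidate count and run-time estimate for a Hashcat mask attack.

Added example, not part of the original article and not Hashcat code.
It re-implements the mask syntax used on this page (?l ?u ?d ?s ?a ?b ?h ?H,
custom charsets -1 .. -4, and the -i --increment-min/--increment-max range)
to count how many candidates a mask generates before you launch it.
The hash rate in the demo is a made-up placeholder: substitute the figure
that `hashcat -b -m TYPE` reports on your own hardware.
"""
import string

# Built-in charsets as sets of byte values. ?b covers every byte, so using
# sets of ints keeps the arithmetic uniform and lets custom charsets de-duplicate.
BUILTIN = {
    "l": set(string.ascii_lowercase.encode()),      # 26
    "u": set(string.ascii_uppercase.encode()),      # 26
    "d": set(string.digits.encode()),               # 10
    "s": set((" " + string.punctuation).encode()),  # 33
    "h": set(b"0123456789abcdef"),                  # 16
    "H": set(b"0123456789ABCDEF"),                  # 16
    "b": set(range(256)),                           # 256
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]  # 95


def _tokens(text, custom_sets):
    """Split a mask (or a charset definition) into one byte set per position.
    '?x' selects a charset, '??' is a literal question mark, anything else is literal."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "?" and i + 1 < len(text):
            code = text[i + 1]
            if code == "?":
                out.append({ord("?")})
            elif code in BUILTIN:
                out.append(BUILTIN[code])
            elif code in custom_sets:
                out.append(custom_sets[code])
            else:
                raise ValueError(f"unknown or undefined charset ?{code}")
            i += 2
        else:
            out.append({ord(text[i])})
            i += 1
    return out


def mask_positions(mask, custom=None):
    """Resolve custom charsets (-1 .. -4 in order, so -2 may refer to ?1) and parse the mask."""
    custom_sets = {}
    for key in ("1", "2", "3", "4"):
        if custom and key in custom:
            custom_sets[key] = set().union(*_tokens(custom[key], custom_sets))
    return _tokens(mask, custom_sets)


def candidates(mask, custom=None, increment=None):
    """Number of candidates the mask generates.
    increment=(lo, hi) mirrors -i --increment-min=lo --increment-max=hi: Hashcat then
    runs the first lo, lo+1, ..., hi positions of the mask as separate masks."""
    positions = mask_positions(mask, custom)
    if increment is None:
        lengths = [len(positions)]
    else:
        lo, hi = increment
        if not 1 <= lo <= hi <= len(positions):
            raise ValueError("increment range must lie within the mask length")
        lengths = range(lo, hi + 1)
    total = 0
    for n in lengths:
        count = 1
        for charset in positions[:n]:
            count *= len(charset)
        total += count
    return total


def seconds_at(mask, hashes_per_second, **kwargs):
    """Worst-case run time if every candidate has to be tried."""
    return candidates(mask, **kwargs) / hashes_per_second


if __name__ == "__main__":
    # The masks from this page at a placeholder rate of 500 kH/s.
    rate = 500_000
    jobs = [
        ("?d?d?d?d?d?d", {}),
        ("Pa?d?d?d?d", {}),
        ("No?u?l?d?d", {}),
        ("?d?d?d?d?d?d?d?d?d?d", {"increment": (1, 10)}),
        ("?1?1?1?1?1?1?1?1", {"custom": {"1": "?l?u?d"}, "increment": (1, 8)}),
    ]
    for mask, kw in jobs:
        n = candidates(mask, **kw)
        hours = seconds_at(mask, rate, **kw) / 3600
        print(f"{mask:24} {n:>20,d} candidates  ~{hours:,.1f} h at {rate:,d} H/s")
```

The increment arithmetic is the part people get wrong by hand: with -i, Hashcat does not run one mask of the maximum length but a separate mask for every length in the range, so the totals above are sums over prefixes of the mask, not a single product.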
Frequently used Hashcat options
You can supplement any hashcat launch command with other options.
For example, when a video card is present, Hashcat by default computes on it alone and skips the CPU, even if the necessary drivers and runtime are installed. You can change this behaviour with the -D option, which selects the device types to use (1 = CPU, 2 = GPU), optionally combined with --force, which suppresses warnings about unsupported or untested runtimes. Use --force only when you understand why the warning appears: the Hashcat developers warn that it can produce false negatives, that is, missed passwords.
--force -D 1,2
When a video card or CPU reaches a certain temperature, Hashcat interrupts its work. You can set the temperature at which brute-force will be interrupted by decreasing or increasing the default value (90 ℃). You use too high values at your own risk!!!
--hwmon-temp-abort=100
While Hashcat is running, if you press the s button, information about the current hacking process will be updated, that is, its status is shown. You can enable automatic status update with the --status option, and with the --status-timer option you can configure the automatic update time (for example, --status-timer=1).
Non-brute force options
The -b option will run the benchmark:
hashcat -b
Or:
hashcat -b --force -D 1,2
With a command of the form:
hashcat -m TYPE -b --force -D 1,2
you run the benchmark only for a specific algorithm. Use this to find out how fast, say, a Word document or an archive password will be cracked on your computer. For example, a benchmark of the Wi-Fi password cracking speed:
hashcat -m 2500 -b --force -D 1,2
The -I option will show information about the detected devices, on which it is possible to perform calculations for brute-force:
hashcat -I
With the --example-hashes option, you can display examples of all hashes:
hashcat --example-hashes
You can show an example of only the hash you need by specifying its number with the -m option:
hashcat -m 400 --example-hashes
hashcat -m 9600 --example-hashes
The --stdout option will make it so that hashcat will not crack the hash, but only show the candidates for passwords – this can be used to generate dictionaries by masks.
How to extract hashes and find out their numbers for cracking in Hashcat
The following shows how to extract hashes from encrypted files and their number (Hashcat mode) is given. This number must be specified instead of the word TYPE, and the path to the file with the calculated hash must be specified instead of the word HASH. Let me remind you the general view of the commands.
General view of the command for launching a dictionary attack:
hashcat -m TYPE -a 0 HASH DICTIONARY
General view of the command to launch a mask attack:
hashcat -m TYPE -a 3 HASH 'MASK'
To extract hashes, use the tools that come with John the Ripper, which are installed by default in Kali Linux and BlackArch.
If John the Ripper is not in your distribution's repositories, or if you want to install the latest version from source, follow the instructions in the “How to compile John the Ripper on Linux from source code” section.
In general, Hashcat is more sensitive to the exact format of hash, and the hash generation tools for John the Ripper tend to add extra data like the filename. For this reason, the generated hashes usually need to be slightly modified to be accepted by Hashcat to initiate brute-force.
How to hack Wi-Fi password in Hashcat
Capturing Wi-Fi handshake for password cracking
Here we will not dwell on the basics of testing the security of wireless Wi-Fi networks, so if you have gaps in your knowledge, then refer to the Wireless Attacks section.
Let's see the name of the wireless interface:
sudo iw dev
My wireless interface named wlp0s20f0u1. To automatically capture handshakes, run a command like this:
sudo besside-ng INTERFACE
In my case, this is:
sudo besside-ng wlp0s20f0u1
To see which handshakes were captured, run the command:
aircrack-ng wpa.cap
How to extract hash for Wi-Fi hacking
If you want to hack all handshakes at once, then run the command:
cap2hccapx wpa.cap wi-fi.hash
The cap2hccapx utility is included in hashcat-utils package.
This will generate hashes for all captured handshakes; in my case the output reported that 10 APs were found.
You can save the handshake for a specific access point, you need to specify its name. To save the handshake only for a specific AP, run a command like this:
cap2hccapx wpa.cap wi-fi.hash NAME-AP
I'm interested in an AP named FTTX772802, then in my case the command is as follows:
cap2hccapx wpa.cap wi-fi.hash FTTX772802
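When the capture holds several networks, it helps to see what actually landed in the hash file and to carve out a single AP without re-running cap2hccapx on the .cap. The script below is an added example (not part of the original article and not code from hashcat-utils); it parses the fixed 393-byte hccapx records, lists the ESSIDs, and writes a file containing only the chosen AP's handshakes, the same result as the NAME-AP argument above. The three records it builds for the demo are constructed: the MACs, nonces, MIC and EAPOL bytes are filler, so the resulting file has the right layout but cannot be cracked.

```python
"""List the networks inside a .hccapx file and split out one ESSID.

Added example, not part of the original article and not code from hashcat
or hashcat-utils. cap2hccapx writes one fixed-size 393-byte record per
handshake (struct hccapx in the hashcat-utils sources); this script parses
those records, lists the ESSIDs, and writes only the records of the chosen
AP to a new file, which is what the NAME-AP argument to cap2hccapx does at
conversion time. The records created by demo_file() are constructed: the
ESSIDs, MACs, nonces, MIC and EAPOL bytes are made up, so the output file
will not crack anything, but it has the exact layout Hashcat expects.
"""
import struct

HCCAPX_SIGNATURE = 0x58504348   # bytes b"HCPX" read as a little-endian u32
HCCAPX_VERSION = 4
# signature, version, message_pair, essid_len, essid[32], keyver, keymic[16],
# mac_ap[6], nonce_ap[32], mac_sta[6], nonce_sta[32], eapol_len, eapol[256]
RECORD_FMT = "<IIBB32sB16s6s32s6s32sH256s"
RECORD_SIZE = struct.calcsize(RECORD_FMT)   # 393
KEYVER_NAMES = {1: "WPA", 2: "WPA2", 3: "WPA2 (AES-128-CMAC)"}


def parse_hccapx(data):
    """Return one dict per record; raises ValueError on a truncated or foreign file."""
    if len(data) == 0 or len(data) % RECORD_SIZE:
        raise ValueError(f"file length {len(data)} is not a multiple of {RECORD_SIZE}")
    records = []
    for offset in range(0, len(data), RECORD_SIZE):
        (sig, ver, message_pair, essid_len, essid, keyver, keymic, mac_ap,
         nonce_ap, mac_sta, nonce_sta, eapol_len, eapol) = struct.unpack_from(RECORD_FMT, data, offset)
        if sig != HCCAPX_SIGNATURE or ver != HCCAPX_VERSION:
            raise ValueError(f"record at offset {offset} is not hccapx version 4")
        if essid_len > 32 or eapol_len > 256:
            raise ValueError(f"record at offset {offset} has an out-of-range length field")
        records.append({
            "raw": data[offset:offset + RECORD_SIZE],
            "essid": essid[:essid_len].decode("utf-8", "replace"),
            "mac_ap": mac_ap.hex(":"),
            "mac_sta": mac_sta.hex(":"),
            "keyver": keyver,
            "keymic": keymic.hex(),
            "message_pair": message_pair,
            "eapol_len": eapol_len,
        })
    return records


def essids(records):
    """Sorted list of distinct network names, like the AP list aircrack-ng shows."""
    return sorted({r["essid"] for r in records})


def select_essid(records, name):
    """Bytes of a new .hccapx containing only the handshakes for one ESSID."""
    return b"".join(r["raw"] for r in records if r["essid"] == name)


def build_record(essid, mac_ap, mac_sta, keyver=2, message_pair=0):
    """Pack one record; fixed filler stands in for the MIC, nonces and EAPOL frame."""
    essid_b = essid.encode()
    eapol = bytes(range(121))          # 121 filler bytes; struct pads the field to 256
    return struct.pack(RECORD_FMT, HCCAPX_SIGNATURE, HCCAPX_VERSION, message_pair,
                       len(essid_b), essid_b, keyver, b"\x11" * 16,
                       bytes.fromhex(mac_ap), b"\x22" * 32,
                       bytes.fromhex(mac_sta), b"\x33" * 32, len(eapol), eapol)


def demo_file():
    """A constructed 3-record file: two handshakes for FTTX772802, one for another AP."""
    return (build_record("FTTX772802", "0c1f2e000001", "a4b5c6000001")
            + build_record("OtherNet", "0c1f2e000002", "a4b5c6000002", keyver=1)
            + build_record("FTTX772802", "0c1f2e000001", "a4b5c6000003", message_pair=2))


if __name__ == "__main__":
    records = parse_hccapx(demo_file())     # replace with open("wi-fi.hash", "rb").read()
    for r in records:
        print(f"{r['essid']:20} AP {r['mac_ap']}  STA {r['mac_sta']}  "
              f"{KEYVER_NAMES.get(r['keyver'], r['keyver'])}  pair={r['message_pair']}")
    wanted = "FTTX772802"
    with open("wi-fi-FTTX772802.hccapx", "wb") as fh:
        fh.write(select_essid(records, wanted))   # feed this file to hashcat -m 2500
    print(f"networks: {essids(records)}; wrote the {wanted} records only")
```

Because every record is self-contained, the split file is just a concatenation of the original records; nothing has to be re-encoded, which is also why the message_pair and keyver fields are worth printing: they tell you which EAPOL pair was captured and whether the AP is WPA or WPA2 before you commit GPU time.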
Hash number: 2500
ATTENTION: newer Hashcat versions add mode 22000 (WPA-PBKDF2-PMKID+EAPOL), which takes the .hc22000 file produced by hcxpcapngtool from the hcxtools package, and mark 2500 as deprecated. If your Hashcat refuses -m 2500 or prints a deprecation warning, convert the capture with hcxpcapngtool and use -m 22000 in the commands below instead.
That is, to launch a dictionary attack, you need to run the command:
hashcat -m 2500 -a 0 /PATH/TO/wi-fi.hash /PATH/TO/DICTIONARY
To launch a mask attack, you need to run the command:
hashcat -m 2500 -a 3 /PATH/TO/wi-fi.hash 'MASK'
An example of a successful hack:
hashcat -m 2500 -a 3 ~/wi-fi.hash 'Yss?l?u?u?d?l'
How to crack ZIP archive password
To extract the hash, run a command like this:
zip2john FILE > zip.tmp
For example, the path to the file /mnt/disk_d/Share/test/file.zip, then the command is as follows:
zip2john /mnt/disk_d/Share/test/file.zip > zip.tmp
The hash will be extracted in the John format, this format is unsuitable for Hashcat, so run the following command:
cat zip.tmp | grep -E -o '(\$pkzip2\$.*\$/pkzip2\$)|(\$zip2\$.*\$/zip2\$)' > zip.hash
It will clear the hash of unnecessary lines and save the hash in Hashcat format to the zip.hash file.
But that's not all – there are many types of ZIP archives. Therefore, we need to correctly determine the type of your hash. You can open the zip.hash file with any text editor, or run the following command to print the first 20 characters of the hash:
head -c 20 zip.hash
- If the hash string starts with:
$zip2$*0*3*0*
So this is WinZip, hash number: 13600
- If the line starts with:
$pkzip2$1*1*2*0*
So this is PKZIP (Compressed), hash number: 17200
- If the line starts with:
$pkzip2$1*1*2*0*
So this is PKZIP (Uncompressed), hash number: 17210
ATTENTION: PKZIP (Compressed) and PKZIP (Uncompressed) hashes begin identically, because the first four fields only carry the number of files (1), the checksum width (1), the data type (2) and the magic type (0). The compression method sits further inside the hash. For a single-file hash the layout is $pkzip2$1*1*2*0*CL*UL*CRC*OF*OX*CT*DL*CS*TC*DATA*$/pkzip2$, so the tenth *-separated field (CT) tells them apart: 8 means deflate-compressed data, hash number 17200; 0 means stored (uncompressed) data, hash number 17210. (If the third field is 1 instead of 2, the five size fields CL to OX are absent and CT is the fifth field.) If you would rather not count fields, run Hashcat with 17200 and then with 17210: the wrong mode is rejected immediately with an error like this one:
Hashfile '/home/mial/zip.hash' on line 1 ($pkzip...7e95f2294c0fd53fd7fc53*$/pkzip2$): Hash contains unsupported compression type for current mode No hashes loaded.
- If the line starts with:
$pkzip2$3*1*1*0*8*24
So this is PKZIP (Compressed Multi-File), hash number: 17220
- If the line starts with:
$pkzip2$3*1*1*0*0*24
So this is PKZIP (Mixed Multi-File), hash number: 17225
- If the line starts with:
$pkzip2$8*1*1*0*8*24
So this is PKZIP (Compressed Multi-File Checksum-Only), hash number: 17230
How to crack RAR archive password
To extract the hash, run a command like this:
rar2john FILE > rar.tmp
For example, the path to the file /mnt/disk_d/Share/test/file.rar, then the command is as follows:
rar2john /mnt/disk_d/Share/test/file.rar > rar.tmp
The hash will be extracted in the John format, this format is unsuitable for Hashcat, so run the following command:
cat rar.tmp | grep -E -o '(\$RAR3\$[^:]+)|(\$rar5\$.*)' > rar.hash
It will clear the hash of unnecessary lines and save the hash in Hashcat format to the rar.hash file.
But that's not all – there are several versions of RAR. Therefore, we need to correctly determine the type of your hash. You can open the rar.hash file with any text editor, or run the following command to print the first 8 characters of the hash:
head -c 8 rar.hash
- If the hash string starts with:
$RAR3$*0*
So this is RAR3-hp, hash number: 12500
- If the hash string starts with:
$rar5$16$
So this is RAR5, hash number: 13000
- If the hash string starts with:
$RAR3$*1*
So this is RAR3-p (Uncompressed), hash number: 23700
- If the hash string starts with:
$RAR3$*1*
So this is RAR3-p (Compressed), hash number: 23800
ATTENTION: RAR3-p (Uncompressed) and RAR3-p (Compressed) hashes both begin with $RAR3$*1*; what separates them is the RAR method byte at the very end of the hash, the last *-separated field (before the colon, if you kept rar2john's trailing fields). 30 means the file was stored without compression, hash number 23700; 31 to 35 are the RAR compression levels from fastest to best, hash number 23800. The hash in the error below ends in *33, which is why mode 23700 rejects it. If in doubt, try 23700 and then 23800; the wrong mode is rejected immediately with an error like this one:
Hashfile '/home/mial/rar.hash' on line 1 ($RAR3$...91201eb0007c76714cbb328b2acfc*33): Salt-value exception No hashes loaded.
If you get errors about missing modules like:
/usr/share/hashcat/modules/module_23700.so: cannot open shared object file: No such file or directory
/usr/share/hashcat/modules/module_23800.so: cannot open shared object file: No such file or directory
This means that your version of Hashcat does not yet support hash numbers 23700 and 23800 and you need to update the program. At the time of writing this support was only present in the beta version of Hashcat, which you can download from the official website: https://hashcat.net/beta/ (current stable releases include these modes).
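For both of the ATTENTION cases above (PKZIP 17200 vs 17210 and RAR3-p 23700 vs 23800) the deciding information is inside the hash, so a few lines of Python can pick the mode before Hashcat is started. The script below is an added example, not part of the original article and not code from Hashcat or John the Ripper; the field order it relies on is quoted from memory of the format comments in hashcat's module_17200.c and module_23700.c, so confirm it against hashcat --example-hashes -m 17200 and -m 23700 on your own version. The sample hashes are constructed with shortened data fields: they exercise the parser but will not load in Hashcat.

```python
"""Decide between the PKZIP and RAR3-p Hashcat modes that share a hash prefix.

Added example, not part of the original article and not code from Hashcat or
John the Ripper. It reads the compression field that zip2john and rar2john
embed in the hash, so 17200 vs 17210 and 23700 vs 23800 can be chosen without
trial runs. The field layout follows the format comments in hashcat's
module_17200.c ($pkzip2$C*B*[DT*MT{CL*UL*CR*OF*OX}*CT*DL*CS*TC*DA]*$/pkzip2$)
and module_23700.c ($RAR3$*1*salt*crc*packed*unpacked*1*data*method), quoted
from memory: confirm with `hashcat --example-hashes -m 17200` and `-m 23700`.
The sample hashes below are constructed with shortened data fields and will
not load in Hashcat; they only exercise the parser.
"""


def _pkzip_entries(fields):
    """Walk the per-file entries that follow the C and B header fields.

    DT 1 = full data, 2 = partial data (with the CL..OX size block), 3 = checksum only.
    Each DT 1/2 entry continues with DL, CS, TC, DA after CT. A DT 3 entry stops the
    walk: its presence alone selects the checksum-only mode, so its layout is not needed."""
    entries, i = [], 0
    while i < len(fields):
        dt = int(fields[i], 16)
        if dt == 3:
            entries.append({"dt": 3, "ct": None})
            break
        if dt == 2:
            ct_index = i + 7          # DT MT CL UL CR OF OX CT
        elif dt == 1:
            ct_index = i + 2          # DT MT CT
        else:
            raise ValueError(f"unknown data type {dt} at field {i}")
        ct = int(fields[ct_index], 16)
        if ct not in (0, 8):
            raise ValueError(f"compression type {ct:#x} is neither stored (0) nor deflate (8)")
        entries.append({"dt": dt, "ct": ct})
        i = ct_index + 5              # skip CT DL CS TC DA
    return entries


def pkzip_mode(hash_line):
    """(mode, name) for a $pkzip2$ hash as produced by the grep step on this page."""
    h = hash_line.strip()
    prefix, suffix = "$pkzip2$", "*$/pkzip2$"
    if not (h.startswith(prefix) and h.endswith(suffix)):
        raise ValueError("not a $pkzip2$ ... $/pkzip2$ hash")
    fields = h[len(prefix):-len(suffix)].split("*")
    file_count = int(fields[0], 16)
    entries = _pkzip_entries(fields[2:])     # fields[1] is B, the checksum width
    if file_count == 1:
        ct = entries[0]["ct"]
        if ct is None:
            raise ValueError("single-file checksum-only hash: no mode on this page covers it")
        return (17200, "PKZIP (Compressed)") if ct == 8 else (17210, "PKZIP (Uncompressed)")
    if any(e["dt"] == 3 for e in entries):
        return 17230, "PKZIP (Compressed Multi-File Checksum-Only)"
    if all(e["ct"] == 8 for e in entries):
        return 17220, "PKZIP (Compressed Multi-File)"
    return 17225, "PKZIP (Mixed Multi-File)"


def rar3_mode(hash_line):
    """(mode, name) for a $RAR3$ hash; tolerates rar2john's ':flags::::name' tail."""
    h = hash_line.strip().split(":", 1)[0]
    if not h.startswith("$RAR3$*"):
        raise ValueError("not a $RAR3$ hash")
    fields = h.split("*")
    if fields[1] == "0":
        return 12500, "RAR3-hp"                   # encrypted headers: no method field
    if fields[1] != "1":
        raise ValueError(f"unknown RAR3 hash type {fields[1]}")
    method = int(fields[-1], 16)                  # RAR 2.9 method byte: 0x30 store, 0x31..0x35 levels
    if method == 0x30:
        return 23700, "RAR3-p (Uncompressed)"
    if 0x31 <= method <= 0x35:
        return 23800, "RAR3-p (Compressed)"
    raise ValueError(f"unexpected RAR method byte {method:#x}")


def archive_mode(hash_line):
    """Dispatch on the hash signature to the detectors above and the unambiguous modes."""
    h = hash_line.strip()
    if h.startswith("$pkzip2$"):
        return pkzip_mode(h)
    if h.startswith("$RAR3$"):
        return rar3_mode(h)
    if h.startswith("$zip2$"):
        return 13600, "WinZip"
    if h.startswith("$rar5$"):
        return 13000, "RAR5"
    if h.startswith("$7z$"):
        return 11600, "7-Zip"
    raise ValueError("unrecognised archive hash")


# Constructed samples: layouts mirror hashcat's published example hashes, data fields shortened.
SAMPLES = {
    "zip_deflate": "$pkzip2$1*1*2*0*e3*1c5*eda7a8de*0*28*8*e3*eda7*5096*a64faee6ed38*$/pkzip2$",
    "zip_stored": "$pkzip2$1*1*2*0*1c5*1c5*7a2c6c01*0*28*0*1c5*7a2c*5096*0011223344*$/pkzip2$",
    "zip_mixed": "$pkzip2$2*1*1*0*8*24*a425*8827*3bd479d5*1*0*0*24*2a74*882a*537af57c*$/pkzip2$",
    "rar_stored": "$RAR3$*1*ad56eb40219c9da2*834064ce*32*13*1*eb47b1abe17a1a75bce6c92ab1cef3f4*30",
    "rar_packed": "$RAR3$*1*e54a73729887cb53*d6b4b5fa*1000*1000*1*0c5a4b3a2f1e0d9c8b7a6f5e4d3c2b1a*33:0::::file.rar",
    "rar_hp": "$RAR3$*0*6a8ab6e8b7d2a1a5*0f0e0d0c0b0a09080706050403020100",
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():       # in practice: for line in open("zip.hash")
        mode, name = archive_mode(sample)
        print(f"{label:12} -> -m {mode}  {name}")
```

The parser deliberately refuses anything it does not recognise instead of guessing: a compression type other than 0 or 8, or a RAR method byte outside 30 to 35, means the hash is not one Hashcat's modes accept, and a trial run would only produce the "unsupported compression type" or "Salt-value exception" errors shown above.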
How to crack the 7z archive password
To extract the hash, run a command like this:
7z2john FILE > 7z.tmp
The hash will be extracted in the John format, this format is unsuitable for Hashcat, so run the following command:
cat 7z.tmp | grep -E -o '\$7z\$.*' > 7z.hash
It will clear the hash of unnecessary lines and save the hash in Hashcat format to the 7z.hash file.
Hash number: 11600
How to crack MS Office password: Word (.DOCX file) and other office files
To extract the hash, run a command like this:
office2john FILE > office.tmp
To prepare the hash, run the command:
cat office.tmp | grep -E -o '\$office\$.*' > office.hash
There are several versions of MS Office documents. Therefore, we need to correctly determine the type of your hash. You can open the office.hash file with any text editor, or run the following command to print the first 14 characters of the hash:
head -c 14 office.hash
- If the hash string starts with:
$office$*2007*
So this is MS Office 2007, hash number: 9400
- If the hash string starts with:
$office$*2010*
So this is MS Office 2010, hash number: 9500
- If the hash string starts with:
$office$*2013*
So this is MS Office 2013, hash number: 9600
How to crack LibreOffice password (Writer / .odt files and others)
To extract the hash, run a command like this:
libreoffice2john FILE > odf.tmp
To prepare the hash, run the command:
cat odf.tmp | grep -E -o '\$odf\$[^:]+' > odf.hash
There are several versions of LibreOffice office documents. Therefore, we need to correctly determine the type of your hash. You can open the odf.hash file with any text editor, or run the following command to print the first 10 characters of the hash:
head -c 10 odf.hash
- If the hash string starts with:
$odf$*1*1*
So this is Open Document Format (ODF) 1.2 (SHA-256, AES), hash number: 18400
- If the hash string starts with:
$odf$*0*0*
So this is Open Document Format (ODF) 1.1 (SHA-1, Blowfish), hash number: 18600
How to crack PDF password
To extract the hash, run a command like this:
pdf2john FILE > pdf.tmp
To prepare the hash, run the command:
cat pdf.tmp | grep -E -o '\$pdf\$.*' > pdf.hash
There are several versions of PDF files. Therefore, we need to correctly determine the type of your hash. You can open the pdf.hash file with any text editor, or run the following command to print the first 13 characters of the hash:
head -c 13 pdf.hash
- If the hash string starts with:
$pdf$1*2*40*-
So this is PDF 1.1 - 1.3 (Acrobat 2 - 4), hash number: 10400
ATTENTION: Hashcat lists two more modes under the same name and for the same hash format: 10410 (PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1) and 10420 (PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2). They are not other file types but an alternative two-stage attack on these 40-bit RC4 documents: 10410 brute-forces the 40-bit RC4 key itself instead of the password, and 10420 then takes the recovered key (supplied as part of the hash; see hashcat --example-hashes -m 10420 for the exact form) and finds a password that produces it. For ordinary password cracking use 10400. If you pick a mode that does not match the revision of your hash, Hashcat rejects it immediately. The error below was produced by a hash beginning with $pdf$4, which belongs to the $pdf$4*4*128* case (hash number 10500) described further down:
Hashfile '/home/mial/pdf.hash' on line 1 ($pdf$4...c5ba427b1b9102da468e77127f1e69d6): Separator unmatched No hashes loaded.
- If the hash string starts with:
$pdf$2*3*128*
So this is PDF 1.4 - 1.6 (Acrobat 5 - 8), hash number: 10500
- If the hash string starts with:
$pdf$5*5*256*
So this is PDF 1.7 Level 3 (Acrobat 9), hash number: 10600
- If the hash string starts with:
$pdf$5*6*256*
So this is PDF 1.7 Level 8 (Acrobat 10 - 11), hash number: 10700
- If the hash string starts with:
$pdf$4*4*128*
So this is a revision 4 PDF with a 128-bit key (this is, for example, what the PDF export of MS Word produces); the hash number for it is the same 10500
How to crack KeePass and KeePassXC password
To extract the hash, run a command like this:
keepass2john FILE > keepass.tmp
The FILE must be a .kdbx password database.
Or if you have a key file, then run a command like this:
keepass2john -k KEYFILE DATABASE.kdbx > keepass.tmp
You can see the message:
! Passwords.kdbx : File version '40000' is currently not supported!
It means that the Passwords.kdbx file uses a KDBX version 4.0 database, while keepass2john (at the time of writing) only supports KDBX up to version 3.1. That is, the password of a KDBX 4.0 database could not be extracted with John the Ripper, and therefore not cracked in Hashcat this way either.
To prepare the hash, run the command:
cat keepass.tmp | grep -E -o '\$keepass\$[^:]+' > keepass.hash
Hash number: 13400
How to crack GPG private key password
At the time of writing, Hashcat had no mode for GPG private keys (John the Ripper does). Newer Hashcat versions (6.2.0 and later) added mode 17010, GPG (AES-128/AES-256 (SHA-1($pass))), for keys protected with AES and the SHA-1 string-to-key function; compare hashcat --example-hashes -m 17010 with your extracted hash before using it. The private key hash is retrieved as follows.
The gpg password can be cracked from the private key file obtained from the export command:
gpg --export-secret-key -a "NAME SURNAME" > private.key
After export, from this private key file, you need to extract the hash to crack the password:
gpg2john private.key > gpg.tmp
To prepare the hash, run the command:
cat gpg.tmp | grep -E -o '\$gpg\$[^:]+' > gpg.hash
How to crack OpenSSH private key password (id_rsa)
To extract the hash, run a command like this:
python2 ./ssh2john.py FILE > ssh.tmp
To prepare the hash, run the command:
cat ssh.tmp | grep -E -o '\$sshng\$[^:]+' > ssh.hash
Note that the ssh2john.py script shipped at the time required Python 2; current John the Ripper jumbo releases ship a version that also runs under Python 3, so check your copy first. Running the old script under Python 3 fails like this:
/usr/bin/ssh2john:103: DeprecationWarning: decodestring() is a deprecated alias since Python 3.1, use decodebytes()
  data = base64.decodestring(data)
Traceback (most recent call last):
  File "/usr/bin/ssh2john", line 193, in <module>
    read_private_key(filename)
  File "/usr/bin/ssh2john", line 153, in read_private_key
    saltstr = data[salt_offset:salt_offset+salt_length].encode("hex")
AttributeError: 'bytes' object has no attribute 'encode'
As a FILE, you need to specify the private SSH key, the path to it can be ~/.ssh/id_rsa.
This key is generated by the command:
ssh-keygen -t rsa
There are several versions of OpenSSH private key files. Therefore, we need to correctly determine the type of your hash. You can open the ssh.hash file with any text editor, or run the following command to print the first 11 characters of the hash:
head -c 11 ssh.hash
- If the hash string starts with:
$sshng$0$8$
So this is RSA/DSA/EC/OpenSSH Private Keys ($0$), hash number: 22911
- If the hash string starts with:
$sshng$6$8$
So this is RSA/DSA/EC/OpenSSH Private Keys ($6$), hash number: 22921
- If the hash string starts with:
$sshng$1$16
So this is RSA/DSA/EC/OpenSSH Private Keys ($1, $3$), hash number: 22931
- If the hash string starts with:
$sshng$4$16
So this is RSA/DSA/EC/OpenSSH Private Keys ($4$), hash number: 22941
- If the hash string starts with:
$sshng$5$16
So this is RSA/DSA/EC/OpenSSH Private Keys ($5$), hash number: 22951
- If the hash string starts with:
$sshng$6$16$
So this is ????????????, hash number: ???????? [apparently not yet implemented]
If you get errors about missing modules like:
/usr/share/hashcat/modules/module_22951.so: cannot open shared object file: No such file or directory
This means that your version of Hashcat does not yet support hash numbers 22951, 22941 and the others listed here, and you need to update the program to the latest version. At the time of writing this support was only present in the beta version of Hashcat, which you can download from the official website: https://hashcat.net/beta/
Related articles:
- Hashcat doesn't detect AMD CPUs (SOLVED)
- How to Install Drivers for Hashcat on Windows
- Advanced wordlist generating techniques
- How to hack HTTP Basic and Digest Authentication
- Comprehensive Guide to John the Ripper. Part 5: Rule-based attack
- How to hack Wi-Fi
Hi.
I'm using cygwin on Windows. I tried to do the steps in zip cracking. Currently stuck in this step
cat zip.tmp | grep -E -o '(\$pkzip2\$.*\$/pkzip2\$)|(\$zip2\$.*\$/zip2\$)' > zip.hash
After I run the command, the zip.hash file is created, but the size is 0 bytes. Then I open it in a text editor and there is no line in there. Are there any ways to solve it?
Thank you
Hello! I'm assuming that the zip.tmp file is also empty, or contains insignificant data.
Are you sure that running the zip2john utility did not produce an error? For example, this: “zip2john: command not found”.
The zip2john utility is contained in the John the Ripper package. See “How to install John the Ripper on Windows” for how to install this package on Cygwin.
In fact, it seems to me that you have not chosen a very good starting point: Cygwin is not the best way to start learning password brute-force using the GPU.
For the simplest option, you can burn the Kali Linux ISO image to a flash drive, boot from it, and run the commands shown in this article.
But to begin brute-forcing passwords, you will need to install drivers for the GPU. If you plan to brute-force passwords on Windows, then see the article “Hashcat manual: how to use the program for cracking passwords”.
To extract the hash from a ZIP file, you can use the Kali Linux installation in WSL2, see the article “How to install Kali Linux with Win-KeX (GUI) in WSL2 (Windows Subsystem for Linux)” for details.
To avoid all the headaches of installing programs in Cygwin or WSL2, you can use Kali Linux. In addition to the classic installation option with replacing the main OS, or dual boot, you can install Kali Linux on a USB flash drive or on an external HDD/SSD, see the links for details:
Hi.
No, the zip.tmp has 5.86 MB size, and zip2john didn't produce an error message. I opened the zip.tmp and the first line contains $pkzip$8*1*1*0* instead of $pkzip2$.
According to your recommendation, I should use Kali Linux to convert the hash from zip2john to hash suitable for hashcat. After I get the zip.hash file correctly, should I brute-force it with hashcat from Kali Linux bootable or can I run the hashcat in Windows?
Hello! You can go to the Hashcat Example hashes page and see there is no such hash type: https://hashcat.net/wiki/doku.php?id=example_hashes
However, you can try feeding this hash to Hashcat.
Try the following command to extract the hash:
If the command does not work, then you can cut the desired line manually, you need the part between the first and last “$pkzip$”, that is, you need to remove the file names from the line in zip.tmp at the beginning and at the end of the hash.
To check the hash type you can also run the following command:
You don't have to wait for it to complete, just see what the hash information will say, for example, I have the following:
If this is a hash of a test file, not confidential, then you can copy it here as a comment and I'll try to figure out what the format is.
You can use both Windows and Linux. Everything is especially simple if your tests have enough CPU and you do not need GPU support.
My guess was that the zip2john command didn't work, and you need to follow the not-so-simple procedure to install John the Ripper on Cygwin. If the zip2john command in Cygwin worked for you, it means that you have already installed the John the Ripper package in Cygwin.
Since you have already installed John the Ripper in Cygwin, you can continue in Cygwin with John the Ripper. Or if you want to use Hashcat on Windows, run Hashcat without Cygwin.