Practical examples of Hashcat usage

Table of contents

1. Hashcat command structure

2. Examples of Hashcat masks

3. Frequently used Hashcat options

4. How to extract hashes and find out their numbers for cracking in Hashcat

5. How to hack Wi-Fi password in Hashcat

5.1 Capturing Wi-Fi handshake for password cracking

5.2 How to extract hash for Wi-Fi hacking

6. How to crack ZIP archive password

7. How to crack RAR archive password

8. How to crack the 7z archive password

9. How to crack MS Office password: Word (.DOCX file) and other office files

10. How to crack LibreOffice password (Writer / .odt files and others)

11. How to crack PDF password

12. How to crack KeePass and KeePassXC password

13. How to crack GPG private key password

14. How to crack OpenSSH private key password (id_rsa)


While preparing the reference article “Practical examples of John the Ripper usage”, the idea came up to make a similar article on Hashcat.

Those who regularly use Hashcat, of course, will be able to draw up the necessary mask at a glance and even remember the number of the frequently used hash type. But remembering the name of the script for extracting a hash, or the number of a less commonly used hash type, or an infrequent option is no longer so easy. You can of course delve into the extensive documentation. But, first, it's good to have a cheat sheet handy like the one you are reading. And secondly, the official reference does not contain information about programs for extracting hashes.

All in all, I hope the man page you are reading is helpful.

But this article does not replace the very extensive Hashcat tutorials. Therefore, it is highly recommended to use this article as a cheat sheet after researching the following sources:

Hashcat command structure

In its most general form, the command to start Hashcat looks like (in it, the | symbol means “OR”):

hashcat [OPTIONS]... HASH|FILE-WITH-HASH [DICTIONARY|MASK|DIRECTORY]...

In subsequent commands, HASH, FILE-WITH-HASH and hccapxfile will be designated as simply “HASH” - remember that this can be either a hash string or the path to the file in which the hash is stored.

General form of the command for launching a dictionary attack:

hashcat -m TYPE -a 0 HASH DICTIONARY

If the hash is placed in a file, then the command:

hashcat -m TYPE -a 0 /PATH/TO/HASH/FILE /PATH/TO/DICTIONARY

General form of the command to launch a mask attack:

hashcat -m TYPE -a 3 HASH 'MASK'

If the hash is placed in a file, then the command:

hashcat -m TYPE -a 3 /PATH/TO/HASH/FILE 'MASK'

With the -m option, you need to specify the TYPE of the hash to crack, which is indicated by a number. The hash numbers are given below when describing the hash extraction process.

Examples of Hashcat masks

The following examples should give you an idea of the basics of using masks – you can easily edit them to suit your needs:

Passwords consist of six characters, each of which is a number:

hashcat -m TYPE -a 3 HASH '?d?d?d?d?d?d'

Passwords consist of eight characters, each of which is a number:

hashcat -m TYPE -a 3 HASH '?d?d?d?d?d?d?d?d'

Passwords consist of six characters and begin with “Pa”, the rest of the characters are numbers:

hashcat -m TYPE -a 3 HASH 'Pa?d?d?d?d'

Passwords consist of numbers and have a length of 1 to 4 characters:

hashcat -m TYPE -a 3 HASH -i --increment-min=1 --increment-max=4 '?d?d?d?d'

Passwords consist of numbers and have a length of 1 to 10 characters:

hashcat -m TYPE -a 3 HASH -i --increment-min=1 --increment-max=10 '?d?d?d?d?d?d?d?d?d?d'

Passwords consist of six characters, each of which is a lowercase letter:

hashcat -m TYPE -a 3 HASH '?l?l?l?l?l?l'

Passwords consist of lowercase letters and are 1 to 6 characters long:

hashcat -m TYPE -a 3 HASH -i --increment-min=1 --increment-max=6 '?l?l?l?l?l?l'

Passwords consist of six characters, each of which is an uppercase letter:

hashcat -m TYPE -a 3 HASH '?u?u?u?u?u?u'

Passwords consist of six characters: they always begin with the fixed string “No”, followed by an uppercase letter, then a lowercase letter, and then two digits.

hashcat -m TYPE -a 3 HASH 'No?u?l?d?d'

Passwords are composed of upper and lower case letters and numbers, which can be anywhere, and are 1 to 8 characters long.

hashcat -m TYPE -a 3 HASH -i --increment-min=1 --increment-max=8 -1 ?l?u?d '?1?1?1?1?1?1?1?1'
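Before launching a mask attack it helps to know how many candidates the mask produces. The calculator below is an added example, not part of the article or of hashcat itself; it reproduces hashcat's built-in charsets (?l ?u ?d ?s ?a ?b ?h ?H), the custom charsets -1 .. -4 and the -i/--increment behaviour (hashcat tries ever longer prefixes of the mask), and is checked against the masks listed above.

```python
"""Keyspace calculator for hashcat masks (added example, not hashcat code)."""
import math
import string

# Hashcat's built-in charsets; the comments give their sizes.
BUILTIN = {
    "l": set(string.ascii_lowercase),          # 26
    "u": set(string.ascii_uppercase),          # 26
    "d": set(string.digits),                   # 10
    "s": set(" " + string.punctuation),        # 33
    "h": set("0123456789abcdef"),              # 16
    "H": set("0123456789ABCDEF"),              # 16
    "b": {chr(i) for i in range(256)},         # 256, every byte value
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]  # 95


def charsets(spec, custom):
    """Turn a mask or a custom-charset spec into one set of chars per position.
    '?x' is a placeholder, '??' a literal '?', anything else a literal char."""
    sets, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                sets.append({"?"})
            elif key in custom:
                sets.append(custom[key])
            else:
                sets.append(BUILTIN[key])      # KeyError for an unknown ?x
            i += 2
        else:
            sets.append({spec[i]})
            i += 1
    return sets


def keyspace(mask, custom_specs=(), increment=None):
    """Number of candidates for MASK.
    custom_specs: the strings given to -1 .. -4, in that order.
    increment: (min, max) as in --increment-min / --increment-max."""
    custom = {}
    for n, spec in enumerate(custom_specs, start=1):
        # hashcat de-duplicates a custom charset, so a union of sets is right
        custom[str(n)] = set().union(*charsets(spec, custom))
    sizes = [len(s) for s in charsets(mask, custom)]
    if increment is None:
        lengths = [len(sizes)]
    else:
        lo, hi = increment
        lengths = range(max(lo, 1), min(hi, len(sizes)) + 1)
    return sum(math.prod(sizes[:n]) for n in lengths)


def seconds_at(keyspace_size, hashes_per_second):
    """Worst-case run time at a benchmark speed, e.g. the H/s from hashcat -b."""
    return keyspace_size / hashes_per_second


if __name__ == "__main__":
    print(keyspace("?d?d?d?d?d?d"))                                    # 1000000
    print(keyspace("No?u?l?d?d"))                                      # 67600
    print(keyspace("?d?d?d?d", increment=(1, 4)))                      # 11110
    print(keyspace("?1?1?1?1?1?1?1?1", ["?l?u?d"], increment=(1, 8)))  # 221919451578090
```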

Frequently used Hashcat options

You can supplement any hashcat launch command with other options.

For example, by default Hashcat uses only video cards and does not use the CPU for computation, even if the necessary drivers and runtime are installed. You can change this behavior by adding the following two options:

--force -D 1,2

When a video card or CPU reaches a certain temperature, Hashcat stops its work. You can set the temperature at which cracking is aborted by decreasing or increasing the default value (90 ℃). You use values that are too high at your own risk!!!

--hwmon-temp-abort=100

While Hashcat is running, pressing the s key updates the information about the current cracking job, that is, shows its status. You can enable automatic status updates with the --status option, and with the --status-timer option you can configure the update interval (for example, --status-timer=1).

Non-brute force options

The -b option will run the benchmark:

hashcat -b

Or:

hashcat -b --force -D 1,2

With a command of the form:

hashcat -m TYPE -b --force -D 1,2

you can run a benchmark for a specific algorithm only. Use this if you want to know how fast the password of a Word document or an archive will be cracked on your computer. For example, a benchmark of the speed of cracking a Wi-Fi password:

hashcat -m 2500 -b --force -D 1,2

The -I option will show information about the detected devices, on which it is possible to perform calculations for brute-force:

hashcat -I

With the --example-hashes option, you can display examples of all hashes:

hashcat --example-hashes

You can show an example of only the hash you need by specifying its number with the -m option:

hashcat -m 400 --example-hashes
hashcat -m 9600 --example-hashes

The --stdout option makes hashcat not crack the hash but only print the password candidates – this can be used to generate dictionaries from masks.

How to extract hashes and find out their numbers for cracking in Hashcat

The following shows how to extract a hash from each kind of encrypted file and gives its number (Hashcat mode). Specify this number instead of the word TYPE, and the path to the file with the extracted hash instead of the word HASH. As a reminder, the general form of the commands is:

General view of the command for launching a dictionary attack:

hashcat -m TYPE -a 0 HASH DICTIONARY

General view of the command to launch a mask attack:

hashcat -m TYPE -a 3 HASH 'MASK'

To extract hashes, use the tools that come with John the Ripper, which are installed by default in Kali Linux and BlackArch.

If John the Ripper is not in your distribution's repositories, or if you want to install the latest version from source, follow the instructions in the “How to compile John the Ripper on Linux from source code” section.

In general, Hashcat is more sensitive to the exact format of hash, and the hash generation tools for John the Ripper tend to add extra data like the filename. For this reason, the generated hashes usually need to be slightly modified to be accepted by Hashcat to initiate brute-force.

How to hack Wi-Fi password in Hashcat

Capturing Wi-Fi handshake for password cracking

Here we will not dwell on the basics of testing the security of wireless Wi-Fi networks, so if you have gaps in your knowledge, then refer to the Wireless Attacks section.

Let's see the name of the wireless interface:

sudo iw dev

My wireless interface is named wlp0s20f0u1. To capture handshakes automatically, run a command like this:

sudo besside-ng INTERFACE

In my case, this is:

sudo besside-ng wlp0s20f0u1

To see which handshakes were captured, run the command:

aircrack-ng wpa.cap

How to extract hash for Wi-Fi hacking

If you want to hack all handshakes at once, then run the command:

cap2hccapx wpa.cap wi-fi.hash

The cap2hccapx utility is included in hashcat-utils package.

This will generate hashes for all captured handshakes.

The output says 10 APs were found.

To save the handshake for a specific access point only, specify its name in a command like this:

cap2hccapx wpa.cap wi-fi.hash NAME-AP

I'm interested in an AP named FTTX772802, then in my case the command is as follows:

cap2hccapx wpa.cap wi-fi.hash FTTX772802

Hash number: 2500

That is, to launch a dictionary attack, you need to run the command:

hashcat -m 2500 -a 0 /PATH/TO/wi-fi.hash /PATH/TO/DICTIONARY

To launch a mask attack, you need to run the command:

hashcat -m 2500 -a 3 /PATH/TO/wi-fi.hash 'MASK'

An example of a successful hack:

hashcat -m 2500 -a 3 ~/wi-fi.hash 'Yss?l?u?u?d?l'

How to crack ZIP archive password

To extract the hash, run a command like this:

zip2john FILE > zip.tmp

For example, the path to the file /mnt/disk_d/Share/test/file.zip, then the command is as follows:

zip2john /mnt/disk_d/Share/test/file.zip > zip.tmp

The hash will be extracted in John's format, which is unsuitable for Hashcat, so run the following command:

cat zip.tmp | grep -E -o '(\$pkzip2\$.*\$/pkzip2\$)|(\$zip2\$.*\$/zip2\$)' > zip.hash

It will clear the hash of unnecessary lines and save the hash in Hashcat format to the zip.hash file.

But that's not all – there are many types of ZIP archives. Therefore, we need to correctly determine the type of your hash. You can open the zip.hash file with any text editor, or run the following command to print the first 20 characters of the hash:

head -c 20 zip.hash

  • If the hash string starts with:
$zip2$*0*3*0*

So this is WinZip, hash number: 13600

  • If the line starts with:
$pkzip2$1*1*2*0*

So this is PKZIP (Compressed), hash number: 17200

  • If the line starts with:
$pkzip2$1*1*2*0*

So this is PKZIP (Uncompressed), hash number: 17210

ATTENTION: PKZIP (Compressed) and PKZIP (Uncompressed) have the SAME beginning of hashes, I don't know how to distinguish them. The only way I found is to try to run the hashcat command specifying the hash type 17200, and then 17210. If you specified the hash type incorrectly, an error will be displayed immediately. An example of an error:

Hashfile '/home/mial/zip.hash' on line 1 ($pkzip...7e95f2294c0fd53fd7fc53*$/pkzip2$): Hash contains unsupported compression type for current mode
No hashes loaded.

  • If the line starts with:
$pkzip2$3*1*1*0*8*24

So this is PKZIP (Compressed Multi-File), hash number: 17220

  • If the line starts with:
$pkzip2$3*1*1*0*0*24

So this is PKZIP (Mixed Multi-File), hash number: 17225

  • If the line starts with:
$pkzip2$8*1*1*0*8*24

So this is PKZIP (Compressed Multi-File Checksum-Only), hash number: 17230

How to crack RAR archive password

To extract the hash, run a command like this:

rar2john FILE > rar.tmp

For example, the path to the file /mnt/disk_d/Share/test/file.rar, then the command is as follows:

rar2john /mnt/disk_d/Share/test/file.rar > rar.tmp

The hash will be extracted in John's format, which is unsuitable for Hashcat, so run the following command:

cat rar.tmp | grep -E -o '(\$RAR3\$[^:]+)|(\$rar5\$.*)' > rar.hash

It will clear the hash of unnecessary lines and save the hash in Hashcat format to the rar.hash file.

But that's not all – there are several versions of RAR. Therefore, we need to correctly determine the type of your hash. You can open the rar.hash file with any text editor, or run the following command to print the first 8 characters of the hash:

head -c 8 rar.hash

  • If the hash string starts with:
$RAR3$*0*

So this is RAR3-hp, hash number: 12500

  • If the hash string starts with:
$rar5$16$

So this is RAR5, hash number: 13000

  • If the hash string starts with:
$RAR3$*1*

So this is RAR3-p (Uncompressed), hash number: 23700

  • If the hash string starts with:
$RAR3$*1*

So this is RAR3-p (Compressed), hash number: 23800

ATTENTION: RAR3-p (Uncompressed) and RAR3-p (Compressed) have the same hash beginnings, I don't know how to distinguish them. The only option is to try to run the hashcat command specifying the hash type 23700, and then 23800. If you specified the hash type incorrectly, an error will be displayed immediately. An example of an error:

Hashfile '/home/mial/rar.hash' on line 1 ($RAR3$...91201eb0007c76714cbb328b2acfc*33): Salt-value exception
No hashes loaded.

If you get errors about missing modules like:

/usr/share/hashcat/modules/module_23700.so: cannot open shared object file: No such file or directory

/usr/share/hashcat/modules/module_23800.so: cannot open shared object file: No such file or directory

This means that your version of Hashcat does not yet support hashes with numbers 23700 and 23800 and you need to update the program to the latest version. Currently, this support is only present in the beta version of Hashcat, which you can download from the official website: https://hashcat.net/beta/
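The ZIP section above says PKZIP (Compressed, 17200) and PKZIP (Uncompressed, 17210) cannot be told apart from the hash, and the RAR section says the same for RAR3-p (23700 / 23800). The script below is an added example, not code from the article or from hashcat: it reads the one field that differs in each format. The field layouts are my reading of the $pkzip2$ and $RAR3$ formats (an assumption, stated in the docstring; the article's own RAR error line ending in "*33" is consistent with it), and the sample hashes are constructed, with their data fields shortened.

```python
"""Pick the hashcat mode for look-alike ZIP and RAR3 hashes (added example).

Assumed layouts (my reading of the formats; verify against your own hashes):
  $pkzip2$C*B*DT*MT[*CL*UL*CR*OF*OX]*CT*DL*...*$/pkzip2$
      the bracketed fields exist only when DT > 1; CT = 8 (deflate) or 0 (stored)
  $RAR3$*1*SALT*CRC*...*METHOD
      METHOD is the last field: 30 = stored, 31..35 = compressed
"""
import re

# Constructed sample hashes (data fields shortened); not from real archives.
SAMPLES = {
    "zip_deflate": "$pkzip2$1*1*2*0*e3*1c5*eda7a8de*0*28*8*e3*eda7*5096*deadbeef*$/pkzip2$",
    "zip_stored":  "$pkzip2$1*1*2*0*1d1*1c5*eda7a8de*0*28*0*1d1*eda7*5096*deadbeef*$/pkzip2$",
    "rar_stored":  "$RAR3$*1*0123456789abcdef*9d0a1b2c*30*30*1*deadbeef*0*30",
    "rar_packed":  "$RAR3$*1*0123456789abcdef*9d0a1b2c*30*30*1*deadbeef*0*33",
}


def pkzip2_compression_type(hash_line):
    """Compression type (CT) of the file in a single-file $pkzip2$ hash."""
    m = re.fullmatch(r"\$pkzip2\$(.*)\*\$/pkzip2\$", hash_line.strip())
    if not m:
        raise ValueError("not a $pkzip2$ hash")
    f = m.group(1).split("*")
    if int(f[0], 16) != 1:
        raise ValueError("multi-file hash: inspect each file's CT field")
    data_type = int(f[2], 16)
    ct_index = 9 if data_type > 1 else 4   # skip CL*UL*CR*OF*OX when present
    return int(f[ct_index], 16)


def pkzip_mode(hash_line):
    """17200 for deflated data, 17210 for stored data."""
    ct = pkzip2_compression_type(hash_line)
    if ct == 8:
        return 17200
    if ct == 0:
        return 17210
    raise ValueError(f"unexpected compression type {ct}")


def rar3_method(hash_line):
    """Method byte (last field) of a $RAR3$*1* hash."""
    line = hash_line.strip()
    if not line.startswith("$RAR3$*1*"):
        raise ValueError("not a RAR3-p hash")
    return int(line.rsplit("*", 1)[1], 16)


def rar3_mode(hash_line):
    """23700 for stored entries (method 30), 23800 for methods 31..35."""
    method = rar3_method(hash_line)
    if method == 0x30:
        return 23700
    if 0x31 <= method <= 0x35:
        return 23800
    raise ValueError(f"unexpected RAR3 method {method:02x}")


if __name__ == "__main__":
    for name, h in SAMPLES.items():
        mode = pkzip_mode(h) if h.startswith("$pkzip2$") else rar3_mode(h)
        print(f"{name}: hashcat -m {mode}")
```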

How to crack the 7z archive password

To extract the hash, run a command like this:

7z2john FILE > 7z.tmp

The hash will be extracted in John's format, which is unsuitable for Hashcat, so run the following command:

cat 7z.tmp | grep -E -o '\$7z\$.*' > 7z.hash

It will clear the hash of unnecessary lines and save the hash in Hashcat format to the 7z.hash file.

Hash number: 11600

How to crack MS Office password: Word (.DOCX file) and other office files

To extract the hash, run a command like this:

office2john FILE > office.tmp

To prepare the hash, run the command:

cat office.tmp | grep -E -o '\$office\$.*' > office.hash

There are several versions of MS Office documents. Therefore, we need to correctly determine the type of your hash. You can open the office.hash file with any text editor, or run the following command to print the first 14 characters of the hash:

head -c 14 office.hash

  • If the hash string starts with:
$office$*2007*

So this is MS Office 2007, hash number: 9400

  • If the hash string starts with:
$office$*2010*

So this is MS Office 2010, hash number: 9500

  • If the hash string starts with:
$office$*2013*

So this is MS Office 2013, hash number: 9600

An example of successfully cracking a Word file password:

How to crack LibreOffice password (Writer / .odt files and others)

To extract the hash, run a command like this:

libreoffice2john FILE > odf.tmp

To prepare the hash, run the command:

cat odf.tmp | grep -E -o '\$odf\$[^:]+' > odf.hash

There are several versions of LibreOffice office documents. Therefore, we need to correctly determine the type of your hash. You can open the odf.hash file with any text editor, or run the following command to print the first 10 characters of the hash:

head -c 10 odf.hash

  • If the hash string starts with:
$odf$*1*1*

So this is Open Document Format (ODF) 1.2 (SHA-256, AES), hash number: 18400

  • If the hash string starts with:
$odf$*0*0*

So this is Open Document Format (ODF) 1.1 (SHA-1, Blowfish), hash number: 18600

How to crack PDF password

To extract the hash, run a command like this:

pdf2john FILE > pdf.tmp

To prepare the hash, run the command:

cat pdf.tmp | grep -E -o '\$pdf\$.*' > pdf.hash

There are several versions of PDF files. Therefore, we need to correctly determine the type of your hash. You can open the pdf.hash file with any text editor, or run the following command to print the first 13 characters of the hash:

head -c 13 pdf.hash

  • If the hash string starts with:
$pdf$1*2*40*-

So this is PDF 1.1 - 1.3 (Acrobat 2 - 4), hash number: 10400

  • If the hash string starts with:
$pdf$1*2*40*-

So this is PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1, hash number: 10410

  • If the hash string starts with:
$pdf$1*2*40*-

So this is PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2, hash number: 10420

ATTENTION: all the listed types of files have the SAME beginning of hashes, I do not know how they can be distinguished. The only way I found is to try to run the hashcat command specifying the hash type 10400, and then 10410 and finally 10420. In this case, if you specified the hash type incorrectly, an error will be displayed immediately. An example of an error:

Hashfile '/home/mial/pdf.hash' on line 1 ($pdf$4...c5ba427b1b9102da468e77127f1e69d6): Separator unmatched
No hashes loaded.

  • If the hash string starts with:
$pdf$2*3*128*

So this is PDF 1.4 - 1.6 (Acrobat 5 - 8), hash number: 10500

  • If the hash string starts with:
$pdf$5*5*256*

So this is PDF 1.7 Level 3 (Acrobat 9), hash number: 10600

  • If the hash string starts with:
$pdf$5*6*256*

So this is PDF 1.7 Level 8 (Acrobat 10 - 11), hash number: 10700

  • If the hash string starts with:
$pdf$4*4*128*

So this is a PDF document created in MS Word; the suitable hash number for it is 10500

How to crack KeePass and KeePassXC password

To extract the hash, run a command like this:

keepass2john FILE > keepass.tmp

The FILE must be a .kdbx password database.

Or if you have a key file, then run a command like this:

keepass2john -k KEYFILE DATABASE.kdbx > keepass.tmp

You can see the message:

! Passwords.kdbx : File version '40000' is currently not supported!

It means that the Passwords.kdbx file uses a KDBX version 4.0 database, while the keepass2john program only supports KDBX version 3.1. That is, it is currently not possible to crack a KeePass password for a KDBX version 4.0 database with John the Ripper.

To prepare the hash, run the command:

cat keepass.tmp | grep -E -o '\$keepass\$[^:]+' > keepass.hash

Hash number: 13400

How to crack GPG private key password

Cracking GPG private keys is not currently supported by Hashcat (but it is supported by John the Ripper). When support is added, the private key hash will need to be extracted as follows.

The gpg password can be cracked from the private key file obtained from the export command:

gpg --export-secret-key -a "NAME SURNAME" > private.key

After export, from this private key file, you need to extract the hash to crack the password:

gpg2john private.key > gpg.tmp

To prepare the hash, run the command:

cat gpg.tmp | grep -E -o '\$gpg\$[^:]+' > gpg.hash

How to crack OpenSSH private key password (id_rsa)

To extract the hash, run a command like this:

python2 ./ssh2john.py FILE > ssh.tmp

To prepare the hash, run the command:

cat ssh.tmp | grep -E -o '\$sshng\$[^:]+' > ssh.hash

Note that ssh2john requires Python 2 to run. If you are using Python 3, you will receive the following error:

/usr/bin/ssh2john:103: DeprecationWarning: decodestring() is a deprecated alias since Python 3.1, use decodebytes()
  data = base64.decodestring(data)
Traceback (most recent call last):
  File "/usr/bin/ssh2john", line 193, in <module>
    read_private_key(filename)
  File "/usr/bin/ssh2john", line 153, in read_private_key
    saltstr = data[salt_offset:salt_offset+salt_length].encode("hex")
AttributeError: 'bytes' object has no attribute 'encode'

As FILE, specify the private SSH key; its path may be ~/.ssh/id_rsa.

This key is generated by the command:

ssh-keygen -t rsa

There are several versions of OpenSSH private key files. Therefore, we need to correctly determine the type of your hash. You can open the ssh.hash file with any text editor, or run the following command to print the first 11 characters of the hash:

head -c 11 ssh.hash

  • If the hash string starts with:
$sshng$0$8$

So this is RSA/DSA/EC/OpenSSH Private Keys ($0$), hash number: 22911

  • If the hash string starts with:
$sshng$6$8$

So this is RSA/DSA/EC/OpenSSH Private Keys ($6$), hash number: 22921

  • If the hash string starts with:
$sshng$1$16

So this is RSA/DSA/EC/OpenSSH Private Keys ($1$, $3$), hash number: 22931

  • If the hash string starts with:
$sshng$4$16

So this is RSA/DSA/EC/OpenSSH Private Keys ($4$), hash number: 22941

  • If the hash string starts with:
$sshng$5$16

So this is RSA/DSA/EC/OpenSSH Private Keys ($5$), hash number: 22951

  • If the hash string starts with:
$sshng$6$16$

So this is ????????????, hash number: ???????? [apparently not yet implemented]

If you get errors about missing modules like:

/usr/share/hashcat/modules/module_22951.so: cannot open shared object file: No such file or directory

This means that your version of Hashcat does not yet support hashes with numbers 22951, 22941 and others, and you need to update the program to the latest version. Currently, this support is only present in the beta version of Hashcat, which you can download from the official website: https://hashcat.net/beta/


4 Comments to Practical examples of Hashcat usage

  1. Manyma says:

    Hi.

    I'm using cygwin on Windows. I tried to do the steps in zip cracking. Currently stuck in this step


    cat zip.tmp | grep -E -o '(\$pkzip2\$.*\$/pkzip2\$)|(\$zip2\$.*\$/zip2\$)' > zip.hash

    After I run the command, the zip.hash file is created, but the size is 0 bytes. Then I open it in text editor and there is no line in there. Is there any ways to solve it?

    Thank you

  2. Manyma says:

    Hi.

    No, the zip.tmp has 5.86 MB size, and zip2john didn't produce an error message. I opened the zip.tmp and the first line contains $pkzip$8*1*1*0* instead of $pkzip2$.

    According to your recommendation, I should use Kali Linux to convert the hash from zip2john to hash suitable for hashcat. After I get the zip.hash file correctly, should I brute-force it with hashcat from Kali Linux bootable or can I run the hashcat in Windows?


    • Alex says:

      Hello! You can go to the Hashcat Example hashes page and see there is no such hash type: https://hashcat.net/wiki/doku.php?id=example_hashes

      However, you can try feeding this hash to Hashcat.

      Try the following command to extract the hash:

      cat zip.tmp | grep -E -o '(\$pkzip\$.*\$/pkzip\$)' > zip.hash

      If the command does not work, then you can cut the desired line manually, you need the part between the first and last “$pkzip$”, that is, you need to remove the file names from the line in zip.tmp at the beginning and at the end of the hash.

      To check the hash type you can also run the following command:

      john zip.tmp

      You don't have to wait for it to complete, just see what the hash information will say, for example, I have the following:

      Loaded 1 password hash (PKZIP [32/64])

      If this is a hash of a test file, not confidential, then you can copy it here as a comment and I'll try to figure out what the format is.

      According to your recommendation, I should use Kali Linux to convert the hash from zip2john to hash suitable for hashcat. After I get the zip.hash file correctly, should I brute-force it with hashcat from Kali Linux bootable or can I run the hashcat in Windows?

      You can use both Windows and Linux. Everything is especially simple if your tests have enough CPU and you do not need GPU support.

      My guess was that the zip2john command didn't work, and you need to follow the not-so-simple procedure to install John the Ripper on Cygwin. If the zip2john command in Cygwin worked for you, it means that you have already installed the John the Ripper package in Cygwin.

      Since you have already installed John the Ripper in Cygwin, you can continue in Cygwin with John the Ripper. Or if you want to use Hashcat on Windows, run Hashcat without Cygwin.
