Hashcat manual: how to use the program for cracking passwords

In this manual, I highlighted the most basic steps of Hashcat using and detailed the main operating modes of the program. This instruction is designed for absolute beginners. I hope it will reduce the number of ‘children's’ questions.

How to run and use hashcat (an instruction for hacking passwords)

Hashcat is a program for hacking passwords, it's a powerful application with lots of features.

However, this is not the easiest to use program, therefore you need to spend time learning it. In this manual, the most typical situations with hashcat are described.

We will consider considered as very ‘childish’ questions, like ‘how to run hashcat’, and rather complex, like the correct composition of masks, custom character sets, program options, problem solving and so on.

The peculiarity of hashcat is the very high speed of brute-force passwords, which is achieved through the simultaneous use of all video cards, as well as central processors in the system. It is possible to work if several video cards or video adapters of different manufacturers are installed (for example, AMD and NVIDIA).

When I click on hashcat64.exe a black window flashes, and then disappears

Hashcat is a command-line utility. So it does not have a graphical interface in the form of a familiar window. Therefore, Windows users may think that the program is launched in an unusual way.

To start the program, open the command window (or PowerShell). To do this, press Win+x, and select Windows PowerShell:

Then you can act in two ways.

The first option: you can just drag-n-drop the executable file into the command window. The executable file is hashcat64.exe or hashcat32.exe depending on your system.

The second option: on the command line, you can change the current working directory to the one where executable hashcat files are located. For example, my program is located in the folder C:\Users\Alex\Downloads\hashcat-4.1.0\, to change the current working folder, use the cd command, after which the folder to which you specify the desired folder, in my case the command looks like this:

cd C:\Users\Alex\Downloads\hashcat-4.1.0\

As you can see from the screenshot, the folder C:\WINDOWS\system32 is changed to C:\Users\Alex\Downloads\hashcat-4.1.0.

Now to start the program it is enough to type the name of the executable file indicating the current folder. The current folder is indicated by a period (.), Then you need to put a backslash, it looks like this:

.\hashcat64.exe

Since we did not enter any options, nothing happens, only a brief hint is displayed.

Throughout the instruction, we will run the executable hashcat file with options. The simplest option is -h, if you write it, you will get a reference for using the program:

.\hashcat64.exe -h

Download hashcat

Download hashcat from the official site by the link: https://hashcat.net/hashcat/

You will see:

The site has hashcat binaries and hashcat sources. The first is binary (executable) files, the second is the source code. We need binaries, i.e. hashcat binaries.

How to install hashcat

Hashcat does not require installation, since it is a portable program. It is enough to unpack the downloaded archive. If you have problems with unpacking the .7z format, then use the program 7-Zip (archiver with a high compression ratio).

To run hashcat, it is necessary that the latest drivers for video cards are installed.

Drivers for hashcat

The following drivers are required for video cards:

  • AMD GPUs on Windows require "AMD Radeon Software Crimson Edition" (15.12 or later)
  • Intel CPUs require "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
  • Intel GPUs on Windows require "OpenCL Driver for Intel Iris and Intel HD Graphics"
  • NVIDIA GPUs require "NVIDIA Driver" (367.x or later)

Most likely, drivers for AMD and NVIDIA graphics cards in Windows are already installed, or you know how to do it.

Therefore, I will only talk about OpenCL Runtime and the OpenCL driver installation.

OpenCL Runtime includes driver the Windows driver, so you only need to download one file with OpenCL Runtime for Intel Coree, Intel Xeon Processors for Windows, for example, the latest version is now: ‘OpenCL ™ Runtime 16.1.2 for Intel® Core ™ and Intel® Xeon® Processors for Windows (64-bit & 32-bit)’.

The latest version of this package can be found on the official Intel website: https://software.intel.com/en-us/articles/opencl-drivers#latest_CPU_runtime

Hashcat options

Working with programs in the command-line interface is very different from working in the graphical user interface. In the GUI, we press different buttons, move switches, etc. This is not the case with programs with a command-line interface. But at the same time the command line utility can have even greater capabilities than a similar program with a window interface. In order to control the functionality of console utilities, options are used.

In the output of the help you probably noticed a lot of information. This information is mostly devoted to the options.

Options are specified after the file name separated by a space. Some options require specifying a certain value. Some are used without values ​​(such options are also called ‘flags’).

Options can be used one at a time or several at a time. With the help of options you can very accurately configure the program, use it at maximum capacity.

With one option we have already metб it is the -h option, which displays program help, then we'll get acquainted with even more options and their possible values.

The next one is the -b option.

Running the hashcat benchmark

The -b option starts the hashcat benchmark. This benchmark measures the speed at which passwords are checked.

Running the benchmark will be successful only if the drivers are installed correctly and everything is all right. Therefore, a benchmark is also a way to do a system and hashcat check.

To run the brute-force speed check on the most popular algorithms on the command line type:

.\hashcat64.exe -b

To stop prematurely, press CTRL+c. This shortcut stops all command-line utilities immediately. Remember this combination!

Speed ​​is displayed for each device separately, as well as for all devices combined (line Speed.Dev.#*).

Example:

Hashmode: 2500 - WPA/WPA2 (Iterations: 4096)

Speed.Dev.#1.....:     5591 H/s (46.19ms) @ Accel:512 Loops:256 Thr:1 Vec:4
Speed.Dev.#2.....:    22374 H/s (69.23ms) @ Accel:128 Loops:32 Thr:256 Vec:1
Speed.Dev.#3.....:      171 H/s (1205.03ms) @ Accel:1024 Loops:128 Thr:1 Vec:4
Speed.Dev.#*.....:    28136 H/s

Which device exactly corresponds a number is written at the very beginning when the program is launched, for example:

OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) Core(TM) i7-3630QM CPU @ 2.40GHz, 4085/16342 MB allocatable, 8MCU

OpenCL Platform #2: Advanced Micro Devices, Inc.
================================================
* Device #2: Capeverde, 1523/2048 MB allocatable, 10MCU
* Device #3: Intel(R) Core(TM) i7-3630QM CPU @ 2.40GHz, 4085/16342 MB allocatable, 8MCU

Warnings and errors when running hashcat

Immediately upon starting the benchmark, errors can start to be output. For example:

* Device #3: Not a native Intel OpenCL runtime. Expect massive speed loss.
             You can use --force to override, but do not report related errors.

The error says that it is not the native runtime environment of OpenCL that is used, and a significant speed loss is expected. For this reason, OpenCL devices will be skipped (in the screenshot below it is visible by the word ‘skipped’). If we want to use them anyway, we need to add the –force option.

Running a benchmark with two options:

.\hashcat64.exe -b –force

If you still miss some devices, then you can add one more option -D. After this option, you need to add a digit or digits indicating the type of device:

  # | Device Type
 ===+=============
  1 | CPU
  2 | GPU
  3 | FPGA, DSP, Co-Processor

Pay attention to a very important point: an uppercase letter is used for the option. Options are case sensitive. An uppercase letter may have another, even completely different meaning than lowercase letter.

So, 1 is the central processor, and 2 is the graphics processor, then the full command, along with the selection of all devices available for me, will look like this:

.\hashcat64.exe -b --force -D 1,2

The hashcat GUI

There are no official graphical interfaces for hashcat. Nevertheless, there are several interfaces that were created by enthusiasts. The most relevant is this: https://www.hashkiller.co.uk/hashcat-gui.aspx

To install the hashcat GUI, download the archive from the page to which the link above is linked.

Unzip the downloaded archive, it already includes:

  • hashcat-utils-1.0
  • cap2hccap

Requirements for the hashcat GUI:

  • only Windows operating system
  • dotNET Framework: v4
  • hashcat version 3.00 or later

Hashcat you need to download separately, as shown above. Also you need to have the necessary drivers installed.

After you unpack the Hashcat GUI and Hashcat itself, you need to move the Hashcat folder to the Hashcat GUI folder. It should look like the following folder structure:

The folder with Hashcat-hashcat-4.1.0 is highlighted. Note that you do not need to rename the directory with a hashcat.

Double-click the HashcatGUI.exe file to start the program. Look at the Hashcat GUI:

In my opinion, it is complicated. In my subjective sense, it is easier to achieve the desired result in the command line than in the graphical interface, in which, by the way, some features are missing.

Moreover, without understanding the concepts of Hashcat, it's unlikely that you will be able to do something even in the graphical interface. Therefore, continue reading this article, and we will return to the graphical interface later on the pages of the miloserdov.org web-site.

How to use hashcat

The program runs as follows:

hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...

Here hashcat is the name of the executable file, in my examples it is .\hashcat64.exe.

Divided by the space, options follow the executable file.

The symbol | (pipe) in this case means logical ‘OR’. Therefore, hash, OR file with a hash, OR file hccapx file follows after the options. And then dictionary OR mask OR directory follows the hash, depending on the chosen attack.

Consider the use of the program on specific examples. Suppose we have a hash of 53ab0dff8ecc7d5a18b4416d00568f02, which must be cracked. This hash is known to have been obtained with the MD5 hash algorithm (i.e. it is MD5 hash). It is also known that the encrypted string consists of only small letters of the English alphabet and has a length of six to ten characters.

Next, we will show you how to launch a password attack using a variety of tricks.

Specifying the hash type

Different hashes are computed using different algorithms. Similarly, their cracking is performed using different algorithms. In order to correctly launch an attack in Hashcat, you must specify the type of attacked hash. To do this, use the -m option, after which you must specify a number corresponding to the selected hash type.

In the baseline, we are given that the provided hash is MD5. So on the page https://en.kali.tools/?p=155 we are looking for ‘MD5’:

Opposite the found hash, look at the column ‘#’, i.e. number. In this case, this number is ‘0’.

So, to the Hashcat launch command, you need to add -m 0, it is the option and its value.

If we were given a SHA1 hash, then its number would be 100 and to the Hashcat launch command we would add -m 100 and similarly for any other algorithm.

Typically, a hash type is known from the source where this hash was obtained. In case the type of attacked hash is not known reliably, you can try to guess it with the help of specialized tools.

Hashcat Attack Modes

Hashcat supports various attack modes, the most common are:

  • Dictionary attack when a list of words is used as password candidates
  • Mask attack (brut-force), when candidates in passwords are generated based on the described criteria.

Use the -a option to specify the attack mode. With it, you can specify any type of attack supported in Hashcat, the most popular is a dictionary attack which is indicated by the number 0, and a mask attack (brute force) which is indicated by the number 3.

So if we run a dictionary attack, then we specify -a 0, and if we run mask attack, then we specify -a 3.

Dictionary Attack in Hashcat

The attack starts with the dictionary as follows:

hashcat [options] hash|hashfile|hccapxfile path_to_dictionary

To crack our hash, create a small dictionary: an ordinary text file named dictionary.txt and copy into it:

Note: By the way, with Hashcat comes with an example of a dictionary, it's called example.dict.

So, at this stage we have everything you need to launch an dictionary attack. We collect everything together:

.\hashcat64.exe -m 0 -a 0 53ab0dff8ecc7d5a18b4416d00568f02 dictionary.txt

Here:

  • .\hashcat64.exe is a executable file
  • -m 0 is an option that sets the MD5 hash type
  • -a 0 is an option, which value triggers a dictionary attack
  • 53ab0dff8ecc7d5a18b4416d00568f02 is a hash to be cracked
  • dictionary.txt is a path to the dictionary file.

Since the dictionary is very small, the program will finish its work very quickly:

The result of the program:

53ab0dff8ecc7d5a18b4416d00568f02:hackware
 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: 53ab0dff8ecc7d5a18b4416d00568f02
Time.Started.....: Mon Mar 05 07:23:25 2018 (0 secs)
Time.Estimated...: Mon Mar 05 07:23:25 2018 (0 secs)
Guess.Base.......: File (dictionary.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:    17783 H/s (0.04ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Speed.Dev.#2.....:        0 H/s (0.00ms) @ Accel:256 Loops:1 Thr:256 Vec:1
Speed.Dev.#3.....:    12530 H/s (0.03ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Speed.Dev.#*.....:    30313 H/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 24/48 (50.00%)
Rejected.........: 0/24 (0.00%)
Restore.Point....: 0/48 (0.00%)
Candidates.#1....: aaaaaaaaaa -> dancing2009
Candidates.#2....: [Copying]
Candidates.#3....: danciotu -> hackware
HWMon.Dev.#1.....: N/A
HWMon.Dev.#2.....: Util: 37% Core: 800MHz Mem:1000MHz Bus:16
HWMon.Dev.#3.....: N/A

The first line is 53ab0dff8ecc7d5a18b4416d00568f02: hackware contains the attacked hash and after the colon the hacked password, in this case it is hackware.

On the successful hacking says the Status ………..: Cracked line

Hash does not need to be specified in the command line, it can be written to a file, then when the attack is launched, the path to the file containing the hash is specified. For example, create a hashmd5.txt file and copy into it 53ab0dff8ecc7d5a18b4416d00568f02.

Then the command to run will be:

.\hashcat64.exe -m 0 -a 0 hashmd5.txt dictionary.txt

The command contains the same options as the previous one, but instead of directly hash, we specified the path to the file containing the hash to crack.

Note: since for educational purposes we crack the same hash in different ways, in case you repeat the examples, you will see the message:

INFO: All hashes found in potfile! Use --show to display them.

It means that the hash that you are trying to crack has already been cracked before. All compromised hashes are stored in the hashcat.potfile file in the same directory as Hashcat. This is a plain text file, you can open it and see the contents, in my case it's:

53ab0dff8ecc7d5a18b4416d00568f02:hackware

This file can be deleted to start attack anew on the same hash in different ways.

There is also the option –show, after which you need to specify the hash of interest:

.\hashcat64.exe --show 53ab0dff8ecc7d5a18b4416d00568f02

and if it is found in the hashcat.potfile file, then information about the cracked password will be displayed.

Mask attack in hashcat (brute-force attack in hashcat)

In Hashcat there is no such mode as brut-force. He was assimilated by the mask attack. This is a more flexible type of attack, which allows you to implement brut-force through finely tuned criteria.

In general, the mask attack has the following form:

hashcat [options]... hash|hashfile|hccapxfile mask

Therefore, it is similar to the previous one, but instead of the dictionary a mask is indicated.

How to make masks in Hashcat

For composing masks, character sets are used. The character sets in Hashcat come in two flavors:

  • Built-in Charsets
  • User-defined Charsets

Let's begin our acquaintance with the built-in charsets, for many cases, they are enough.

  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
  d | 0123456789
  h | 0123456789abcdef
  H | 0123456789ABCDEF
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff

The first column denotes a symbolic symbol set. For use in masks, a question mark must be placed before this designation. For example, ?u means all uppercase letters, ?d means all digits.

Suppose we know that the password consists of four characters, the first two characters are uppercase letters, and the third and fourth characters are digits, then the mask will be as follows:

?l?l?h?h

To crack the password from our hash given as an example, we need to create a mask consisting of eight characters, each of which is a small letter. This is the mask: ?l?l?l?l?l?l?l?l

.\hashcat64.exe -m 0 -a 3 53ab0dff8ecc7d5a18b4416d00568f02 ?l?l?l?l?l?l?l?l

Here:

  • .\hashcat64.exe is an executable file
  • -m 0 is an option that sets the MD5 hash type
  • -a 3 is an option, which value triggers the mask attack
  • 53ab0dff8ecc7d5a18b4416d00568f02 is a hash to be cracked
  • ?l?l?l?l?l?l?l?l is a mask that specifies the generation of eight-character passwords consisting of small letters.

Less than a minute later the password was successfully cracked:

Pay attention to the line:

Progress.........: 15724838912/208827064576 (7.53%)

That is, 15724838912 variants of passwords from 208827064576 of the total number of variants were tested.

Mask for unknown password length

The password length is not always known exactly. Even by the condition of our task, the password has a length of six to ten characters.

In order to generate passwords of different lengths, the following options are available:

Options Short / Long           | Type | Description                         | Example
-i,  --increment               |      | Enable mask increment mode          |
     --increment-min           | Num  | Start mask incrementing at X        | --increment-min=4
     --increment-max           | Num  | Stop mask incrementing at X         | --increment-max=8

The -i option is optional. If it is used, it means that the length of candidates for passwords should not be fixed, it should increase by the number of characters.

The –increment-min option is also optional. It determines the minimum length of candidates for passwords. If the -i option is used, the –increment-min value is 1 by default.

And the –increment-max option is optional. It determines the maximum length of candidates for passwords. If the -i option is specified, but the –increment-max option is omitted, then its default value is the mask length.

Rules for using mask increment options:

  • Before using –increment-min and –increment-max, you must specify the -i option
  • the value of the –increment-min option can be less than or equal to the value of the –increment-max option, but can not exceed it
  • the length of the mask can be larger in the number of characters or equal to the number of characters specified by the –increment-max option, but the mask length can not be less than the character length set by –increment-max.

So, we will correct the launch command for our task (the password has a length of six to ten characters):

.\hashcat64.exe -m 0 -a 3 -i --increment-min=6 --increment-max=10 53ab0dff8ecc7d5a18b4416d00568f02 ?l?l?l?l?l?l?l?l?l?l

This command is similar to the previous one, but three new options have been added (explained just above):

  • -i
  • –increment-min=6
  • –increment-max=10

And also the mask length is increased to 10 characters: ?l?l?l?l?l?l?l?l?l?l (as required by the rules for using increment options).

It took a bit more time to complete the search, as candidates in passwords of 6 (+1 seconds on my gland) and 7 symbols (+22 seconds) were tested in addition:

Note the new value of the Status line:

Status...........: Exhausted

It means that all the password candidates was tested, but none proved true.

Password cracking when some characters are known

There are situations when some of the password symbols are known. For example, we are given the same hash 53ab0dff8ecc7d5a18b4416d00568f02 and somehow we got to know that the first three characters in the password are ‘hac’. Then you can specify these characters directly in the mask:

hac?l?l?l?l?l?l?l

The command is:

.\hashcat64.exe -m 0 -a 3 -i --increment-min=6 --increment-max=10 53ab0dff8ecc7d5a18b4416d00568f02 hac?l?l?l?l?l?l?l

Known symbols can be placed anywhere in the mask: in the beginning, in the middle, in the end; these can be single characters or groups of characters.

User-defined Charsets in Hashcat

Above, already listed are built-in character sets, which are usually enough. However, you can specify up to four of your own custom sets.

Suppose we know that the first three characters in the password are digits, and not all, but only numbers from 0 to 4, the fourth character is only uppercase letters, and the fifth and sixth characters are the letters from a to h, as well as the numbers from 5 up to 9.

If in the mask for the first three characters we just indicate the numbers, then obviously not suitable candidates for passwords (containing in the first three positions the numbers that are not in the range from 0 to 4) will be also tested. We must exclude obviously inappropriate passwords. This can be done using custom character sets.

There are four user-defined character sets in total. They are specified in options and denoted by numbers. But in the options, a hyphen is placed before the digit (for example, the first user set is -1), and a question mark is placed in the mask before the digit (for example, the use of symbols from the first user set is ?1).

So, to solve the problem, we start by setting the required number of user sets in the options. These sets can consist of directly listed characters, you can also use built-in character sets, for example ?l or ?d or ?u (in any combination).

The first custom character set for our task (only numbers from 0 to 4):

-1 01234

The second user-defined character set (letters from a to h, as well as numbers from 5 to 9)

-2 abcdefgh56789

Let me remind you – custom character sets are written among the options (before the mask and before the hash).

Now create a mask (the first three characters in the password are numbers, not all, but only the numbers from 0 to 4, the fourth character is only uppercase letters, and the fifth and sixth characters are the letters from a to h, as well as the numbers from 5 to 9):

?1?1?1?u?2?2

We will disassemble the mask:- the first three characters are designated as ?1?1?1 (these are units, and not a lowercase letter L, they are digits ‘1’) are symbols from the first user set. Next goes ?u, this is a built-in character set, denoting only capital letters. The next two characters are designated as ?2?2, these are symbols from the second user set.

When specifying custom sets, you can use the notation of built-in character sets, for example:

-1 ?l?u

denotes the first user set consisting only of large and small Latin letters.

And

-1 ?l?u?d

means the first user set consisting only of large and small Latin letters, as well as numbers.

As already shown above, you can use custom and built-in character sets in any combination in the mask.

How to show passwords (create a dictionary) in Hashcat without launching a cracking

After creating complex masks, especially with the use of custom character sets, we would like to check whether we did everything correctly. Also, thanks to the flexibility of the Hashcat syntax, it is convenient to use it for generating dictionaries by any criteria.

In order to only show passwords without starting cracking, the –stdout option is used. This option requires -a 3 (masd attack mode). Since cracking does not start in this case, you do not need to specify any hashes.

An example of generating passwords for the above-mentioned task (it is known that the first three characters in the password are numbers, not all, but only numbers from 0 to 4, the fourth character is only uppercase letters, and the fifth and sixth characters are the letters from a to h, as well as numbers from 5 to 9):

.\hashcat64.exe --stdout -a 3 -1 01234 -2 abcdefgh56789 ?1?1?1?u?2?2

Since many passwords will be created (more than half a million), instead of displaying on the screen, they can be saved to a file. To do this, after the main command, you need to put the symbol > (means redirecting the output to a file) and write the file name. For example, to save all passwords to the lab1.dic file, which will be created in the same folder as the executable hashcat64.exe:

.\hashcat64.exe --stdout -a 3 -1 01234 -2 abcdefgh56789 ?1?1?1?u?2?2 > lab1.dic

Samples of hashes

The Hashcat program includes not only help, but also hash examples. They can be useful if you have difficulty in correctly writing the hash format.

To display all examples of hashes at once, run the program with the option –example-hashes:

.\hashcat64.exe --example-hashes

You can see a sample of one particular hash. For example, I need to find out what a hash looks like to crack the RAR5 password; then I turn to the help page of the program https://en.kali.tools/?p=1558 and search for RAR5 (use CTRL+f). I find that the number of this hash is 13000; Next, I run the program with the option –example-hashes and the already-known option -m (after which the hash mode number is specified)

.\hashcat64.exe --example-hashes -m 13000

So, to crack passwords from RAR5 archives, the hash should look like:

$rar5$16$38466361001011015181344360681307$15$00000000000000000000000000000000$8$cc7a30583e62676a

Recommended for you:

Leave a Reply

Your email address will not be published.