- Great resource/course: https://in.security/technical-training/password-cracking/
- https://github.com/hashcat/hashcat
- Rules
- Wordlists
- https://github.com/openwall/john
- Extracing files
androidbackup2john.py
ethereum2john.py
keepass2john.py
office2john.py
pdf2john.pl
ssh2john.py
- Usefull hashcat flags:
--potfile-path
to supply where to save the potfile of cracked hashes--idenitfy
identify the hash--benchmark
run a benchmark--speed-only
Use for benchmarks to get a more acurate speed-O
Enable optimized kernels (limits password length) - Makes hashcat a bit faster for me-w3
Enable a specific workload profile High (1 = low, 2 = default, 3 = high, 4 = nightmare)--increment
Enable incremental attack when using masks. If supplied?a?a?a?a?a?a?a?a
it will bruteforce 1 till 8 characters.
- Hashcat supports over 300 hash modes.
- [ Hash modes ] -
======+===============================
900 | MD4
0 | MD5
3000 | LM
1000 | NTLM
5600 | NetNTLMv2
13100 | Kerberos 5, etype 23, TGS-REP
18200 | Kerberos 5, etype 23, AS-REP
2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2
- [ Built-in Charsets ] -
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz [a-z]
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ [A-Z]
d | 0123456789 [0-9]
h | 0123456789abcdef [0-9a-f]
H | 0123456789ABCDEF [0-9A-F]
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
- Creates
?1
charset with UPPER and lower chars and?2
with digits and symbols.
hashcat -a 3 -m <HASH TYPE> <HASH FILE> -1 ?u?l -2 ?d?s ?1?1?1?1?1?1?2?2
- Hashcat has multiple attack modes which are used with the
-a
parameter. For example-a 0
.
- [ Attack Modes ] -
# | Mode
===+======
0 | Straight
1 | Combination
3 | Brute-force
6 | Hybrid Wordlist + Mask
7 | Hybrid Mask + Wordlist
9 | Association
hashcat -a 0 -m <HASH TYPE> <HASH FILE> <WORDLIST>
hashcat -a 0 -m <HASH TYPE> <HASH FILE> <WORDLIST> -r <RULE FILE>
- Will combine all rules of file 1 with rules of file 2. Will increase the cracking time significant. For example use dive + best64
hashcat -a 0 -m <HASH TYPE> <HASH FILE> <WORDLIST> -r <RULE FILE> -r <RULE FILE>
- Used when the minimum passwod length is not high and cracking of hashtype is fast or having a lot of cracking power!
- Bruteforces 1 till 8 characters. For more characters add an extra
?a
.
hashcat -a 3 -m <HASH TYPE> <HASH FILE> ?a?a?a?a?a?a?a?a --increment
- Use when password elements are known or for bruteforcing well known patterns
- For example: 1 capital letter, 7 lower, 1 digit.
- https://github.com/sean-t-smith/Extreme_Breach_Masks
hashcat -a 3 -m <HASH TYPE> <HASH FILE> ?u?l?l?l?l?l?l?l?d
hashcat -a 3 -m <HASH TYPE> <HASH FILE> <MASK FILE>
- Mix mask with a wordlist
6 Wordlist + Mask
7 Mask + Wordlist
hashcat -a 6 -m <HASH TYPE> <HASH FILE> <WORDLIST> <MASK>
hashcat -a 7 -m <HASH TYPE> <HASH FILE> <MASK> <WORDLIST>
hashcat -a 6 -m <HASH TYPE> <HASH FILE> <WORDLIST> ?a?a?a --increment
hashcat -a 7 -m <HASH TYPE> <HASH FILE> ?a?a?a <WORDLIST> --increment
- You can crack at
9.56
GH/s for a 95^8 keyspace.95^8 / 9.56 GH/s = 693,954 secs = ~8 days
- If you have only 8 hours for example, which is 28,800 seconds.
9.56 GH/s * 28,800 seconds = 275,328,000,000,000
needed in 8 hours 275,328,000,000,000 (1/8) = 64
- Then execute with hashcat with
-t 64
to use the top 64 chars (markov)
kwp -z basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes.route > keymap.txt
hashcat -a 0 -m <HASH TYPE> <HASH FILE> keymap.txt
hashcat -a 0 -m <HASH TYPE> <HASH FILE> keymap.txt -r dive.rule
cewl -d 2 -e -v -w wordlist.txt <URL TARGET>
hashcat -a 0 -m <HASH TYPE> <HASH FILE> wordlist.txt
- Passphrases, with for example Top 10k / 20k words https://github.com/first20hours/google-10000-english
hashcat -a 1 -m <HASH TYPE> <HASH FILE> 20k.txt 20k.txt
/usr/lib/hashcat-utils/combinator.bin 20k.txt 20k.txt > 20k-combined.txt
hashcat -a 1 -m <HASH TYPE> <HASH FILE> 20k-combined.txt 20k-combined.txt
awk '{print $0" "}' 20k.txt > 20k-space.txt
/usr/lib/hashcat-utils/combinator.bin 20k-space 20k.txt > 20k-combined-mid-space.txt
-j
apply single rule to the left.-k
apply single rule to the right
hashcat -a 1 -m <HASH TYPE> <HASH FILE> -a1 20k-combined-mid-space.txt -j '$ ' 20k.txt
hashcat -a 1 -m <HASH TYPE> <HASH FILE> -a1 20k-combined-mid-space.txt -j '$ ' 20k-combined-mid-space.txt
awk '{print $0" "}' 20k-combined-mid-space.txt > 20k-combined-mid-end-space.txt
/usr/lib/hashcat-utils/combinator.bin 20k-combined-mid-end-space.txt 20k-combined-mid-space.txt | hashcat -a 1 -m <HASH TYPE> <HASH FILE> -r dive.rule
- Generate a wordlist of the potfile and run them again. Prefarably with rules!
awk -F ":" '{print $NF}' < hashcat.potfile | sort -u > new_passwords.txt
hashcat -a 0 -m <HASH TYPE> <HASH FILE> new_passwords.txt --loopback
hashcat -a 0 -m <HASH TYPE> <HASH FILE> new_passwords.txt -r dive.rule -r best64.rule --loopback
- Split candidates into single chars, mutates & recondstructs
- Needs to be recompiled with LEN_MAX 8 and only use unique output
- https://github.com/hashcat/hashcat-utils
./expander < wordlist.txt | sort -u > wordlist_expander.txt
- https://hashcat.net/wiki/doku.php?id=fingerprint_attack
- Expand previously cracked passwords, combo the resulting file with itself, update (expand) wordlist, rinse and repeat
awk -F ":" '{print $NF}' < hashcat.potfile | ./expander | sort -u > word.list
hashcat -m <HASH TYPE> <HASH FILE> --remve -a 1 word.list word.list -o word.list2
awk -F ":" '{print $NF}' < word.list2 | ./expander | sort -u > word.list3
hashcat -m <HASH TYPE> <HASH FILE> --remve -a 1 word.list3 word.list3 -o word.list4
./pp.bin word.list --pw-min=8 | hashcat -m <HASH TYPE> hashes.txt
./pp.bin word.list --pw-min=8 | ./pp.bin word.list --pw-min=8 | hashcat -m <HASH TYPE> hashes.txt -g 300000
Below is my methodology to reach high percentages cracked. Will add new things once I tested more of the attakcs above. The methodology is ordered in effectiveness but also how long it will take to run. Quick things will be at the top!
- Use
--username
if the hashes.txt file contains usernames - Use
-w3
and-O
to up the workload en performance.
Run the dutch_merged.txt, weakpass_3 and rockyou.txt with the dive ruleset - https://weakpass.com/wordlist/1947
.\hashcat.exe -a 0 -m <HASH MODE> .\hashes.txt .\wordlists\dutch_merged.txt -r .\rules\dive.rule -w3 -O
.\hashcat.exe -a 0 -m <HASH MODE> .\hashes.txt .\wordlists\rockyou.txt -r .\rules\dive.rule -w3 -O
.\hashcat.exe -a 0 -m <HASH MODE> .\hashes.txt .\wordlists\weakpass_3 -r .\rules\dive.rule -w3 -O
Extract the usernames from the hashdump and crack them using double rules, dive and best64. This will combine all rules from dive with each rule in best64.
cat hashes.txt | awk -F ":" '{print $1}' | awk -F '\' '{print $1 "\n" $2}' | sort -u > user_computer_domain.txt
.\hashcat.exe -a 0 -m <HASH MODE> .\hashes.txt .\user_computer_domain.txt -r .\rules\dive.rule -r .\rules\best64.rule -w3 -O
Spray common keyboard walk patterns.
https://github.com/Karmaz95/crimson_cracking/blob/main/Keyboard-Combinations.txt
.\hashcat.exe -a 0 -m <HASH MODE> .\hashes.txt .\wordlists\Keyboard-Combinations.txt -r .\rules\best64.rule -w3 -O
Use custom masks which brute-forces characters around the name of the company. Save the following masks in Custommasks.txt and change the all lowercase and all uppercase to the company name. Lower the amount of ?a
if it takes to long!
companyname?a?a?a?a?a
companyname?a?a?a?a
companyname?a?a?a
companyname?a?a
companyname?a
Bakker?a?a?a?a?a
Bakker?a?a?a?a
Bakker?a?a?a
Bakker?a?a
Bakker?a
?a?a?a?a?acompanyname
?a?a?a?acompanyname
?a?a?acompanyname
?a?acompanyname
?acompanyname
?a?a?a?a?aCompanyname
?a?a?a?aCompanyname
?a?a?aCompanyname
?a?aCompanyname
?aCompanyname
?acompanyname?a
?a?acompanyname?a?a
?a?a?acompanyname?a?a?a
?aCompanyname?a
?a?aCompanyname?a?a
?a?a?aCompanyname?a?a?a
?acompanyname?a?a
?acompanyname?a?a?a
?acompanyname?a?a?a?a
?a?acompanyname?a?a?a?a
?a?acompanyname?a
?a?a?acompanyname?a
?a?a?a?acompanyname?a
?a?a?a?a?acompanyname?a
?aCompanyname?a?a
?aCompanyname?a?a?a
?aCompanyname?a?a?a?a
?a?aCompanyname?a?a?a?a
?a?aCompanyname?a
?a?a?aCompanyname?a
?a?a?a?aCompanyname?a
?a?a?a?a?aCompanyname?a
.\hashcat.exe -a 3 -m <HASH MODE> .\hashes.txt .\wordlists\Custommasks.txt -w3 -O
Run dutch_merged and rockyou using double rules, dive and best64. This will combine all rules from dive with each rule in best64.
.\hashcat.exe -a 0 -m <HAST MODE> .\hashes.txt .\wordlists\dutch_merged.txt -r .\rules\dive.rule -r .\rules\best64.rule -w3 -O
.\hashcat.exe -a 0 -m <HAST MODE> .\hashes.txt .\wordlists\rockyou.txt -r .\rules\dive.rule -r .\rules\best64.rule -w3 -O
Bruteforce up to 4 characters before and after each word in the wordlists. Lower the amount of ?a
if it takes to long!
.\hashcat.exe -a 6 -m <HASH MODE> .\hashes.txt .\wordlists\dutch_merged.txt ?a?a?a?a --increment -w3 -O
.\hashcat.exe -a 6 -m <HASH MODE> .\hashes.txt .\wordlists\rockyou ?a?a?a?a --increment -w3 -O
.\hashcat.exe -a 7 -m <HASH MODE> .\hashes.txt ?a?a?a?a .\wordlists\dutch_merged.txt --increment -w3 -O
.\hashcat.exe -a 7 -m <HASH MODE> .\hashes.txt ?a?a?a?a .\wordlists\rockyou.txt --increment -w3 -O
Bruteforce up to 8 characters.
hashcat -a 3 -m <HASH MODE> .\hashes.txt ?a?a?a?a?a?a?a?a --increment
Bruteforce with common masks and password patterns.
https://raw.githubusercontent.com/sean-t-smith/Extreme_Breach_Masks/main/08%201-day/1-day_8-14.hcmask
Removed all with a length of 16 (for 8 characters) since we already bruteforced them
cat 1-day_8-14.hcmask | grep -v -x '.\{16,16\}' > 1-day_9-14.hcmask
.\hashcat.exe -a 3 -m <HASH MODE> .\hashes.txt .\masks\1-day_9-14.hcmask -w3 -O
Create a list of all the cracked passwords and rerun them using both rulesets.
awk -F ":" '{print $NF}' < hashcat.potfile | sort -u > new_passwords.txt
.\hashcat.exe -a 0 -m <HASH TYPE> <HASH FILE> .\new_passwords.txt -r .\rules\dive.rule -r .\rules\best64.rule --loopback -w3 -O