Hashcat#
Hashcat is the world’s fastest password-recovery utility. The operator points it at captured NTDS hashes, MSSQL hash dumps, or any other artifact for credential access after foothold.
Attack modes#
# Dictionary attack
$ hashcat -a 0 -m #type hash.txt dict.txt
# Dictionary + rules attack
$ hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt
# Combination attack
$ hashcat -a 1 -m #type hash.txt dict1.txt dict2.txt
# Mask attack
$ hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a
# Hybrid dictionary + mask
$ hashcat -a 6 -m #type hash.txt dict.txt ?a?a?a?a
# Hybrid mask + dictionary
$ hashcat -a 7 -m #type hash.txt ?a?a?a?a dict.txt
Rules#
# Rulefile
$ hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt
# Manipulate left
$ hashcat -a 1 -m #type hash.txt left_dict.txt right_dict.txt -j <option>
# Manipulate right
$ hashcat -a 1 -m #type hash.txt left_dict.txt right_dict.txt -k <option>
Increment#
$ hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment
$ hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment-min=4
$ hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment-max=5
Misc#
# Benchmark
$ hashcat -b -m #type
# Show example hash
$ hashcat -m #type --example-hashes
# Optimized kernels (warning, decreases max password length)
$ hashcat -a 0 -m #type -O hash.txt dict.txt
# Slow candidates (fast hashes, small dict + rules)
$ hashcat -a 0 -m #type -S hash.txt dict.txt
# Session name and restore
$ hashcat -a 0 -m #type --session <name> hash.txt dict.txt
$ hashcat -a 0 -m #type --restore --session <name> hash.txt dict.txt
# Show keyspace
$ hashcat -a 0 -m #type --keyspace hash.txt dict.txt -r rule.txt
# Output results file
$ hashcat -a 0 -m #type -o results.txt hash.txt dict.txt
# Custom charset
$ hashcat -a 3 -m #type hash.txt -1 ?l?u -2 ?l?d?s ?1?2?a?d?u?l
# Adjust performance
$ hashcat -a 0 -m #type -w <1-4> hash.txt dict.txt
# Keyboard layout mapping
$ hashcat -a 0 -m #type --keyb=german.hckmap hash.txt dict.txt
# Hashcat Brain (local server + client)
$ hashcat --brain-server # terminal 1
$ hashcat -a 0 -m #type -z --brain-password <pwd> hash.txt dict.txt # terminal 2
Basic methodology#
# 1. Dictionary
$ hashcat -a 0 -m #type hash.txt dict.txt
# 2. Dictionary + rules
$ hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt
# 3. Hybrid attack
$ hashcat -a 6 -m #type hash.txt dict.txt ?a?a?a?a
# 4. Brute force
$ hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a?a?a