Hashcat#

Hashcat is the world’s fastest password-recovery utility. The operator points it at captured NTDS hashes, MSSQL hash dumps, or any other artifact for credential access after foothold.

Attack modes#

# Dictionary attack
$ hashcat -a 0 -m #type hash.txt dict.txt

# Dictionary + rules attack
$ hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt

# Combination attack
$ hashcat -a 1 -m #type hash.txt dict1.txt dict2.txt

# Mask attack
$ hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a

# Hybrid dictionary + mask
$ hashcat -a 6 -m #type hash.txt dict.txt ?a?a?a?a

# Hybrid mask + dictionary
$ hashcat -a 7 -m #type hash.txt ?a?a?a?a dict.txt

Rules#

# Rulefile
$ hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt

# Manipulate left
$ hashcat -a 1 -m #type hash.txt left_dict.txt right_dict.txt -j <option>

# Manipulate right
$ hashcat -a 1 -m #type hash.txt left_dict.txt right_dict.txt -k <option>

Increment#

$ hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment
$ hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment-min=4
$ hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment-max=5

Misc#

# Benchmark
$ hashcat -b -m #type

# Show example hash
$ hashcat -m #type --example-hashes

# Optimized kernels (warning, decreases max password length)
$ hashcat -a 0 -m #type -O hash.txt dict.txt

# Slow candidates (fast hashes, small dict + rules)
$ hashcat -a 0 -m #type -S hash.txt dict.txt

# Session name and restore
$ hashcat -a 0 -m #type --session <name> hash.txt dict.txt
$ hashcat -a 0 -m #type --restore --session <name> hash.txt dict.txt

# Show keyspace
$ hashcat -a 0 -m #type --keyspace hash.txt dict.txt -r rule.txt

# Output results file
$ hashcat -a 0 -m #type -o results.txt hash.txt dict.txt

# Custom charset
$ hashcat -a 3 -m #type hash.txt -1 ?l?u -2 ?l?d?s ?1?2?a?d?u?l

# Adjust performance
$ hashcat -a 0 -m #type -w <1-4> hash.txt dict.txt

# Keyboard layout mapping
$ hashcat -a 0 -m #type --keyb=german.hckmap hash.txt dict.txt

# Hashcat Brain (local server + client)
$ hashcat --brain-server                              # terminal 1
$ hashcat -a 0 -m #type -z --brain-password <pwd> hash.txt dict.txt    # terminal 2

Basic methodology#

# 1. Dictionary
$ hashcat -a 0 -m #type hash.txt dict.txt
# 2. Dictionary + rules
$ hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt
# 3. Hybrid attack
$ hashcat -a 6 -m #type hash.txt dict.txt ?a?a?a?a
# 4. Brute force
$ hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a?a?a

References#