Review of the Hashcat Password Cracker

Najeeb Weerabangsa
Published in Bug Zero
6 min read, Dec 28, 2022


A necessary tool for password strength checks and penetration testers

Introduction

Hashcat is a well-known and reliable password cracker that is used by sysadmins, criminals, penetration testers, and spies alike.

Cracking passwords differs from guessing online login credentials, where you are often allowed only a limited number of attempts before the account is locked. Instead, a person who has acquired access to a system that stores hashed passwords (or “hashes”) will often attempt to recover those passwords by cracking the hashes.

Plaintext password storage is no longer used (or shouldn’t be, anyhow). Instead, passwords are run through a one-way function known as a hash. Hashing a password like “Password1” takes just a few seconds. What if the hash is all you have? It could be computationally infeasible to retrieve the password by brute-forcing the hash algorithm; as in, impractical up to the universe’s heat death.

None of us are likely to live that long, which is either fortunate or unfortunate depending on your perspective, but there are several techniques to reverse a hash in order to get the original password without using a likely futile brute-force approach.

Uses of Hashcat

In addition to the obvious criminal and espionage purposes, password cracking has numerous legitimate applications. An administrator may want to check the strength of user passwords in advance: if hashcat can crack them, so can an attacker.

Cracking stolen password hashes is a common task for penetration testers on an engagement when they want to move laterally inside a network or escalate privileges to an admin account. This is another entirely legitimate use case, since penetration testers are hired specifically to uncover security gaps so that their client’s security may be improved.

The key insight is that hashcat is used by attackers and defenders alike, legitimate and unlawful. Testing your own defenses first, to make sure any such attack cannot succeed, is the best way to stop an attacker from using hashcat against you.

How does Hashcat work?

Hashcat works by guessing a password, hashing it, and then comparing the output to the hash it’s attempting to crack. If the hashes match, we know the password. If not, it keeps guessing. Dictionary attacks, combinator attacks, mask attacks, and rule-based attacks are just a few of the many alternatives to a complete brute-force effort. If you have the computational power and time for it, Hashcat can also use the GPU for brute force.

Examples of Hashcat

Dictionary attack with Hashcat

A dictionary attack is the first and most logical place to begin since people have a tendency to use extremely poor passwords. Popular word lists include rockyou.txt. It has over 14 million passwords and is organized by how often people use them, starting with the most popular ones like “123456”, “123456789”, “password”, “iloveyou”, “princess”, and “1234567,” and moving on to less popular ones like “xCvBnM”, “ie168”, “abygurl69”, “a6 123,” and “*7Vamos!”

There are many other free wordlists on the internet, many of which are focused on particular languages. Hashcat lets you supply the wordlist of your choice.

Combinator attack with Hashcat

People often create passwords by joining two words together. Hashcat takes advantage of this with a combinator attack, which takes two word lists, sometimes referred to as “dictionaries,” and builds a new word list in which every word from one is joined with every word from the other.

The following example of two dictionaries is provided in the hashcat documentation:

yellow
green
black
blue

and:

car
bike

Hashcat then combines each word from the first dictionary with each word from the second and tests the following passwords:

yellowcar
greencar
blackcar
bluecar
yellowbike
greenbike
blackbike
bluebike

The final word list may optionally include punctuation, such as hyphens (-), exclamation marks (!), and other special characters, to produce passwords like “yellow-car!” and “blue-bike!” and so forth.
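The guess, hash, compare loop from “How does Hashcat work?” and the combinator step above, written as a small password audit an administrator could run against their own hashes. This is an added example, not code from the article or from hashcat; the account table, the short wordlist and the use of unsalted SHA-256 are constructed assumptions.

```python
import hashlib
from itertools import product

# The two dictionaries from the combinator example above.
LEFT = ["yellow", "green", "black", "blue"]
RIGHT = ["car", "bike"]
# Constructed stand-in for a real wordlist such as rockyou.txt.
WORDLIST = ["123456", "123456789", "password", "iloveyou", "princess"]


def sha256_hex(password):
    """Hash a candidate the way the assumed legacy system stored it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def combinator(left, right, joiner="", suffix=""):
    """Yield every word of `left` joined with every word of `right`."""
    for a, b in product(left, right):
        yield f"{a}{joiner}{b}{suffix}"


def audit(stored, candidates):
    """Return {account: password} for every stored hash a candidate matches."""
    accounts_by_hash = {}
    for account, digest in stored.items():
        accounts_by_hash.setdefault(digest, []).append(account)
    found = {}
    for guess in candidates:                              # guess
        digest = sha256_hex(guess)                        # hash
        for account in accounts_by_hash.get(digest, ()):  # compare
            found[account] = guess
    return found


# Constructed account table (unsalted SHA-256, an assumption for brevity).
STORED = {
    "alice": sha256_hex("princess"),
    "bob": sha256_hex("bluebike"),
    "carol": sha256_hex("yellow-car!"),
    "dave": sha256_hex("T7#qLw9$zR2m"),
}


def run_audit():
    """Dictionary pass, then plain and punctuated combinator passes."""
    candidates = list(WORDLIST)
    candidates += combinator(LEFT, RIGHT)
    candidates += combinator(LEFT, RIGHT, joiner="-", suffix="!")
    return audit(STORED, candidates)
```

`run_audit()` flags alice, bob and carol, while dave's random password survives all three passes.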

Mask attack with Hashcat

Many individuals have a tendency to employ passwords in a certain format. Older passwords, like “Bananas1,” often consist of one capital letter, six other characters, and a number at the end. If the password in question is in that format, you may use hashcat to search for all passwords in that format rather than attempting to brute-force every potential password, thus reducing the number of attempts that must be made.

The hashcat documentation describes why a mask attack is often many orders of magnitude quicker than a brute-force attack:

For a typical brute-force attack, we need a charset that is “mixalpha-numeric,” or all uppercase letters, all lowercase letters, and all numbers. We must cycle over 62^9 (13.537.086.546.263.552) options since the password is 9 characters long. If we crack at a pace of 100M/s, it will take longer than four years to finish.

With the mask attack, we make use of what we know about how people create passwords. The password mentioned above fits a basic but typical pattern: a name with the year added. Additionally, we can set up the attack to only try uppercase letters in the first position. Using an uppercase letter only in the second or third position is extremely rare. In summary, we can reduce the keyspace to 52*26*26*26*26*10*10*10*10 (237.627.520.000) combinations using the mask attack. This can be finished in 40 minutes using the same 100M/s cracking rate.
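A keyspace calculator for the comparison above, useful for judging how quickly a password pattern can be exhausted. This is an added example, not code from the article or from hashcat; it assumes hashcat's mask notation (`?l`, `?u`, `?d`, `?s`, `?a` and custom charsets `?1` to `?4`), and the function names are hypothetical.

```python
import math
import string

# Sizes of hashcat's built-in mask charsets (?l ?u ?d ?s ?a).
BUILTIN = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def parse_tokens(mask):
    """Split a mask into '?x' placeholders and literal characters."""
    tokens, i = [], 0
    while i < len(mask):
        step = 2 if mask[i] == "?" else 1
        if i + step > len(mask):
            raise ValueError("dangling '?' at end of mask")
        tokens.append(mask[i:i + step])
        i += step
    return tokens


def token_size(token, custom):
    """Number of characters one mask position can take."""
    if len(token) == 1 or token == "??":
        return 1  # literal character
    key = token[1]
    if key in BUILTIN:
        return BUILTIN[key]
    if key in custom:  # ?1..?4: user-defined charset such as "?l?u"
        # Assumes the definition lists non-overlapping sets.
        return sum(token_size(t, {}) for t in parse_tokens(custom[key]))
    raise ValueError(f"unknown mask token {token!r}")


def keyspace(mask, custom=None):
    """Total number of candidates the mask generates."""
    return math.prod(token_size(t, custom or {}) for t in parse_tokens(mask))


def mask_of(password):
    """Tightest built-in mask that a printable-ASCII password fits."""
    classes = ((string.ascii_lowercase, "?l"), (string.ascii_uppercase, "?u"),
               (string.digits, "?d"), (string.punctuation + " ", "?s"))
    return "".join(next(m for chars, m in classes if ch in chars)
                   for ch in password)


def minutes(candidates, rate=100_000_000):
    """Time to exhaust the keyspace at `rate` guesses per second."""
    return candidates / rate / 60
```

`keyspace("?1?l?l?l?l?d?d?d?d", {"1": "?l?u"})` returns 237627520000, about 40 minutes at 100M/s, and `mask_of("Bananas1")` gives `?u?l?l?l?l?l?l?d`, a keyspace of 80318101760 that falls in under 14 minutes at the same rate.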

Rule-based attack with Hashcat

Hashcat provides a programming-like vocabulary for a rule-based attack, in which you may define what kinds of passwords to try if other, simpler choices don’t work and you know exactly how your target creates passwords.

The rule-based attack is one of the most difficult attack techniques, according to the hashcat website. “The rule-based approach resembles a computer language created for the purpose of generating password candidates. It provides functions to change, shorten, or expand words and conditional operators to skip some, among other things. It is thus the most adaptable, precise, and effective approach.”

Hashcat is fairly easy to pick up when you first start using it; however, mastering the syntax for its rules makes the learning curve dramatically steeper.
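To show what such rules look like from the defender's side, here is a password-policy check that rejects a new password if a common rule turns a blocklisted word into it. This is an added example, not code from the article or from hashcat; it interprets only a small subset of hashcat's rule functions (`:`, `l`, `u`, `c`, `r`, `d`, `$X`, `^X`, `sXY`), and the blocklist, rule set and function names are constructed assumptions.

```python
def apply_rule(rule, word):
    """Apply one rule line (a subset of hashcat's rule functions) to a word."""
    i = 0
    while i < len(rule):
        op, args = rule[i], rule[i + 1:i + 3]
        if op in " :":                       # separator / no-op
            used = 0
        elif op == "l":                      # lowercase everything
            word, used = word.lower(), 0
        elif op == "u":                      # uppercase everything
            word, used = word.upper(), 0
        elif op == "c":                      # capitalize first, lowercase rest
            word, used = word.capitalize(), 0
        elif op == "r":                      # reverse
            word, used = word[::-1], 0
        elif op == "d":                      # duplicate the word
            word, used = word + word, 0
        elif op == "$" and len(args) >= 1:   # append one character
            word, used = word + args[0], 1
        elif op == "^" and len(args) >= 1:   # prepend one character
            word, used = args[0] + word, 1
        elif op == "s" and len(args) == 2:   # replace every X with Y
            word, used = word.replace(args[0], args[1]), 2
        else:
            raise ValueError(f"unsupported or truncated rule at {rule[i:]!r}")
        i += 1 + used
    return word


# Constructed blocklist and rule set for illustration.
BLOCKLIST = ["password", "bananas", "princess", "iloveyou"]
RULES = [":", "c", "u", "c $1", "c $!", "sa@ so0",
         "c $2 $0 $2 $2", "$1 $2 $3", "d", "r"]


def derived_from(candidate, blocklist=BLOCKLIST, rules=RULES):
    """Return (base word, rule) if a rule turns a blocklisted word into candidate."""
    for word in blocklist:
        for rule in rules:
            if apply_rule(rule, word) == candidate:
                return word, rule
    return None
```

`derived_from("Bananas1")` returns `("bananas", "c $1")`, so a password that looks compliant on paper is one rule away from a dictionary word.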

Brute-force attack with Hashcat

Throw a Hail Mary if everything else fails and pray that hashcat’s brute-force attack succeeds before our sun goes nova and swallows the Earth. You never know when luck will strike.

Hashcat user satisfaction overall

Hashcat is one of the preferred tools for password cracking among pen testers and red team members. It is quicker than similar programs like John the Ripper thanks to GPU support. There is no need to attempt to bring in more tools since it supports every hash format I’ve seen. They are unofficial releases, but when I don’t feel like using the command line, I appreciate some of the GUIs that others have created for it.

Pros of Hashcat

  • Accelerated password cracking on the GPU
  • Rule-based attacks
  • Supports all hash formats

Cons of Hashcat

  • It can be incredibly irritating to get started when the drivers for your GPU aren’t working.
  • Hashcat does have several third-party GUIs; however, having an official one would be excellent.


Computer science student at University of Ruhuna with a strong interest in cyber security. I am always looking to expand my knowledge and skills in the field.