| name | crack-hashcat |
| description | Advanced password recovery and hash cracking tool supporting multiple algorithms and attack modes. Use when: (1) Performing authorized password auditing and security assessments, (2) Recovering passwords from captured hashes in forensic investigations, (3) Testing password policy strength and complexity, (4) Validating encryption implementations, (5) Conducting security research on cryptographic hash functions, (6) Demonstrating password weakness in penetration testing reports.
|
| version | 0.1.0 |
| maintainer | sirappsec@gmail.com |
| category | offsec |
| tags | ["password-cracking","hashcat","forensics","password-audit","cryptography"] |
| frameworks | ["MITRE-ATT&CK","NIST"] |
| dependencies | {"packages":["hashcat"],"tools":["opencl","cuda"]} |
| references | ["https://hashcat.net/wiki/","https://hashcat.net/hashcat/","https://attack.mitre.org/techniques/T1110/"] |
Hashcat Password Recovery
Overview
Hashcat is the world's fastest password recovery tool, supporting over 300 hash algorithms and multiple attack modes. This skill covers authorized password auditing, forensic password recovery, and security research applications.
IMPORTANT: Password cracking must only be performed on hashes you are authorized to crack. Unauthorized password cracking is illegal. Always ensure proper authorization and legal compliance.
Quick Start
Basic password cracking:
hashcat --example-hashes | grep -i md5
hashcat -m 0 -a 0 hashes.txt wordlist.txt
hashcat -m 0 hashes.txt --show
hashcat -b
Core Workflow
Password Cracking Workflow
Progress:
[ ] 1. Verify authorization for password cracking
[ ] 2. Identify hash algorithm type
[ ] 3. Prepare hash file and wordlists
[ ] 4. Select appropriate attack mode
[ ] 5. Execute cracking operation
[ ] 6. Analyze cracked passwords
[ ] 7. Document password policy weaknesses
[ ] 8. Securely delete hash files and results
Work through each step systematically. Check off completed items.
1. Authorization Verification
CRITICAL: Before any password cracking:
- Confirm written authorization from data owner
- Verify legal right to crack captured hashes
- Understand data handling and retention requirements
- Document chain of custody for forensic cases
- Ensure secure storage of cracked passwords
2. Hash Identification
Identify hash algorithm:
hashcat --example-hashes
hashcat --example-hashes | grep -i "MD5"
hashcat --example-hashes | grep -i "SHA"
hashcat --example-hashes | grep -i "NTLM"
hash-identifier
3. Hash File Preparation
Prepare hash files:
echo "5f4dcc3b5aa765d61d8327deb882cf99" > hashes.txt
cat > hashes.txt <<EOF
admin:5f4dcc3b5aa765d61d8327deb882cf99
user1:098f6bcd4621d373cade4e832627b4f6
EOF
echo "hash:salt" > hashes.txt
sudo cat /etc/shadow | grep -v "^#" | grep -v ":\*:" | grep -v ":!:" > shadow_hashes.txt
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL > ad_hashes.txt
4. Attack Modes
Choose appropriate attack mode:
Dictionary Attack (Mode 0):
hashcat -m 0 -a 0 hashes.txt rockyou.txt
hashcat -m 0 -a 0 hashes.txt wordlist1.txt wordlist2.txt
hashcat -m 0 -a 0 hashes.txt rockyou.txt -r rules/best64.rule
Combinator Attack (Mode 1):
hashcat -m 0 -a 1 hashes.txt wordlist1.txt wordlist2.txt
Brute-Force Attack (Mode 3):
hashcat -m 0 -a 3 hashes.txt ?l?l?l?l?l?l?l?l
hashcat -m 0 -a 3 hashes.txt ?1?1?1?1?1?1 -1 ?l?u?d
hashcat -m 0 -a 3 hashes.txt ?1?1?1?1?1?1?1?1 -1 abc123
Mask Attack (Mode 3 with patterns):
hashcat -m 0 -a 3 hashes.txt ?u?l?l?l?l?l?l?d?d
hashcat -m 0 -a 3 hashes.txt password?d?d?d?d
hashcat -m 0 -a 3 hashes.txt ?u?l?l?l?l?l?d?d?s
Hybrid Attacks (Modes 6 & 7):
hashcat -m 0 -a 6 hashes.txt wordlist.txt ?d?d?d?d
hashcat -m 0 -a 7 hashes.txt ?d?d?d?d wordlist.txt
Character Sets:
?l = lowercase (abcdefghijklmnopqrstuvwxyz)
?u = uppercase (ABCDEFGHIJKLMNOPQRSTUVWXYZ)
?d = digits (0123456789)
?s = special characters (!@#$%^&*...)
?a = all characters (l+u+d+s)
?b = all printable ASCII
5. Performance Optimization
Optimize cracking performance:
hashcat -m 0 -a 0 hashes.txt wordlist.txt -w 3
hashcat -m 0 -a 0 hashes.txt wordlist.txt -d 1
hashcat -b
hashcat -m 0 -a 0 hashes.txt wordlist.txt -O
hashcat -m 0 -a 0 hashes.txt wordlist.txt --runtime=3600
6. Rules and Mutations
Apply password mutation rules:
hashcat -m 0 -a 0 hashes.txt wordlist.txt -r rules/best64.rule
hashcat -m 0 -a 0 hashes.txt wordlist.txt -r rules/best64.rule -r rules/leetspeak.rule
7. Session Management
Manage cracking sessions:
hashcat -m 0 -a 0 hashes.txt wordlist.txt --session=mysession
hashcat --session=mysession --restore
hashcat --session=mysession --status
hashcat --session=mysession --remove
hashcat -m 0 -a 0 hashes.txt wordlist.txt --session=mysession --restore-file-path=/path/to/checkpoint
8. Results and Reporting
View and export results:
hashcat -m 0 hashes.txt --show
hashcat -m 0 hashes.txt --show --username
hashcat -m 0 hashes.txt --show > cracked.txt
hashcat -m 0 hashes.txt --show --status
hashcat -m 0 hashes.txt --left
Security Considerations
Authorization & Legal Compliance
- Explicit Authorization: Written permission required for all password cracking
- Forensic Chain of Custody: Maintain evidence integrity
- Data Protection: Securely handle cracked passwords
- Scope Limitation: Only crack specifically authorized hashes
- Legal Jurisdiction: Understand applicable laws (CFAA, GDPR, etc.)
Operational Security
- Secure Storage: Encrypt hash files and results
- Offline Cracking: Perform on air-gapped systems when possible
- Resource Management: Monitor system resources during cracking
- Temperature: Ensure adequate cooling for extended GPU usage
- Power: Use surge protection for hardware safety
Audit Logging
Document all password cracking activities:
- Hash source and acquisition method
- Authorization documentation
- Hash algorithm and attack mode used
- Cracking start and end timestamps
- Success rate and crack time
- Wordlists and rules applied
- Password complexity analysis
- Secure deletion of artifacts
Compliance
- MITRE ATT&CK: T1110 (Brute Force)
- T1110.002 (Password Cracking)
- NIST SP 800-63B: Digital Identity Guidelines for passwords
- PCI-DSS: Password security requirements
- ISO 27001: A.9.4 Secret authentication information management
Common Patterns
Pattern 1: Windows Domain Password Audit
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL > ad_hashes.txt
hashcat -m 1000 -a 0 ad_hashes.txt rockyou.txt -r rules/best64.rule
hashcat -m 1000 ad_hashes.txt --show | grep -i "domain admins"
Pattern 2: Linux Password Audit
sudo unshadow /etc/passwd /etc/shadow > linux_hashes.txt
hashcat -m 1800 -a 0 linux_hashes.txt rockyou.txt
hashcat -m 1800 linux_hashes.txt --show | awk -F: '{print length($2), $2}'
Pattern 3: Wi-Fi WPA2 Cracking
cap2hccapx capture.cap wpa.hccapx
hashcat -m 22000 -a 0 wpa.hccapx rockyou.txt
hashcat -m 22000 -a 3 wpa.hccapx ?d?d?d?d?d?d?d?d
Pattern 4: Web Application Hash Cracking
hashcat -m 0 -a 0 webapp_hashes.txt rockyou.txt -r rules/best64.rule
hashcat -m 3200 -a 0 bcrypt_hashes.txt wordlist.txt -w 3
hashcat -m 1400 -a 0 salted_hashes.txt wordlist.txt
Pattern 5: Kerberos TGT Cracking (Kerberoasting)
hashcat -m 13100 -a 0 kerberos_tickets.txt rockyou.txt -r rules/best64.rule
hashcat -m 13100 -a 0 kerberos_tickets.txt wordlist.txt --username
Integration Points
Password Policy Analysis
#!/bin/bash
CRACKED_FILE="$1"
echo "Password Length Distribution:"
awk -F: '{print length($2)}' "$CRACKED_FILE" | sort -n | uniq -c
echo -e "\nPasswords with Dictionary Words:"
grep -f /usr/share/dict/words "$CRACKED_FILE" | wc -l
echo -e "\nPasswords without Special Characters:"
grep -v "[!@#$%^&*]" "$CRACKED_FILE" | wc -l
echo -e "\nCommon Password Patterns:"
grep -E "^password|123456|qwerty" "$CRACKED_FILE" | wc -l
Reporting
cat > audit_report.sh <<'EOF'
TOTAL=$(wc -l < hashes.txt)
CRACKED=$(hashcat -m 1000 hashes.txt --show | wc -l)
PERCENT=$((CRACKED * 100 / TOTAL))
echo "Password Audit Report"
echo "===================="
echo "Total Hashes: $TOTAL"
echo "Cracked: $CRACKED"
echo "Success Rate: $PERCENT%"
echo ""
echo "Recommendations:"
echo "- Implement minimum password length of 12 characters"
echo "- Require complex passwords (upper, lower, digit, special)"
echo "- Enable multi-factor authentication"
echo "- Implement password history and rotation"
EOF
chmod +x audit_report.sh
Troubleshooting
Issue: Slow Cracking Speed
Solutions:
hashcat -m 0 -a 0 hashes.txt wordlist.txt -O
hashcat -m 0 -a 0 hashes.txt wordlist.txt -w 3
hashcat -m 0 -a 0 hashes.txt wordlist.txt --status
nvidia-smi
rocm-smi
Issue: Out of Memory
Solutions:
head -n 1000000 large_wordlist.txt > smaller_wordlist.txt
hashcat -m 0 -a 0 hashes.txt wordlist.txt (remove -O flag)
split -l 1000 hashes.txt hash_chunk_
Issue: Hash Format Errors
Solutions:
- Verify hash mode (-m) matches hash type
- Check hash file format (remove extra spaces, newlines)
- Ensure proper salt format for salted hashes
- Use --username flag if hashes include usernames
Defensive Considerations
Protect against password cracking:
Strong Password Policies:
- Minimum length: 12+ characters
- Complexity requirements (mixed case, numbers, special)
- Prohibit common passwords
- Implement password history
- Regular password rotation for privileged accounts
Technical Controls:
- Use strong hashing algorithms (bcrypt, scrypt, Argon2)
- Implement salting and key stretching
- Use adaptive hash functions
- Enable multi-factor authentication
- Implement account lockout policies
- Monitor for brute-force attempts
Hash Storage Best Practices:
- Never store plaintext passwords
- Use strong, modern hashing algorithms
- Implement per-password unique salts
- Use appropriate iteration counts (bcrypt cost, PBKDF2 rounds)
- Regularly update hashing parameters
References