Hashcat LAB

-

 Hashcat 

Hashcat is a high-performance, open-source password-recovery / password-cracking framework designed to generate candidate passwords, compute their hashes with many algorithms, and compare those results to target hashes very quickly. It combines CPU and GPU acceleration, a powerful rule/mutation engine, multiple attack modes, utilities for large-scale cracking, and features for resuming/organizing work. Hashcat is widely used by security professionals for password auditing, forensic recovery of legitimately owned credentials, and research and it’s also a dual-use tool that can be abused if used without explicit authorization.

  1. When a system stores passwords it usually stores a hash (and often a salt) rather than the plaintext password. Hashcat’s job is to attempt to discover the original plaintext that produced that stored hash by:

    1. Generating candidate passwords according to an attack strategy (wordlists, rules, masks, combinatorics, PRINCE generator, etc.).

    2. Hashing each candidate with the same algorithm and parameters as the stored hash (for example MD5, NTLM, bcrypt, Argon2, etc.).

    3. Comparing the produced hash to the target hash — if they match, the candidate is a match and the password is recovered.

    Hashcat implements many optimized kernels so those three steps — generation, hashing, comparison — run at extremely high throughput on CPUs and GPUs. GPU acceleration (OpenCL/CUDA) is a major reason Hashcat is so fast; GPUs can evaluate millions (or billions) of candidates per second for fast hash types. 

Some hashcat design elements and featured capabilities: 

  • Multi-platform, multi-accelerator: runs on Linux, Windows, macOS; supports CPUs, NVIDIA/AMD GPUs, and other OpenCL/CUDA accelerators. GitHub

  • Wide algorithm coverage: supports hundreds of hash types / formats (classic MD5/SHA, NTLM, UNIX crypt variants, MySQL, WPA/WPA2, bcrypt, scrypt, Argon2, and many others). You select the mode with -m <mode>; the hash mode table is maintained in the docs.

  • Multiple attack modes: dictionary (straight), combinator, mask (optimized brute force), hybrid (dictionary+mask), rule-based, PRINCE, permutation, toggle-case, and more. Hashcat’s documentation explains the tradeoffs; the project recommends mask attacks over classic blunt brute force when possible because masks let you express structure and drastically reduce keyspace. Hashcat

  • Rule engine: a fast, in-kernel mutation system that transforms dictionary words on the fly (append digits, substitutions, capitalization, leetspeak, etc.) without creating huge intermediate wordlists on disk. This massively multiplies a base wordlist’s effectiveness. 

  • Potfile & session management: cracked results are stored in a potfile so you won’t re-crack the same hash; --session and --restore allow pausing/resuming long jobs.

  • Utilities & ecosystem: companion utilities (hashcat-utils, Hashtopolis for distribution, large curated rule & wordlist projects) to assist with preprocessing, rule creation, distributed tasks, and scaling.

Attack modes — what they are and when to use them

(brief but detailed descriptions)

  • Dictionary attack (aka straight, -a 0)
    Try every entry in a wordlist. Fast, the first step in nearly every audit. Combine with rules for high yield. 

  • Combinator attack (-a 1)
    Concatenate words from two lists (useful for two-word passphrases like bluefish + !23).

  • Mask attack (-a 3)
    Structured brute force. You describe the pattern (e.g., ?u?l?l?l?d?d = Upper + lower×3 + digit×2). Mask attacks are far better than naive full-space brute force because you narrow search by expected structure. Hashcat team recommends mask over blunt brute force.

  • Hybrid attacks (-a 6 / -a 7)
    Combine a dictionary with a mask (append/prepend brute portions to words), useful when users append digits to memorable words.

  • Rule-based attacks
    Apply rule files (e.g., best64.rule) to mutate dictionary words — this is often the single most productive strategy after a raw dictionary.

  • PRINCE, permutation, toggle-case, etc.
    Specialized generation methods (PRINCE generates password candidates by recombining wordlist fragments; permutation tries permutations of characters). These are advanced strategies for targeted guessing.

Hash types & “slow” vs “fast” hashes

  • Fast hashes (MD5, SHA-1, NTLM, etc.) are designed to be fast — GPUs can try massive candidate counts per second, so these are easy to crack if passwords are weak.

  • Slow / memory-hard KDFs (bcrypt, scrypt, Argon2, PBKDF2 with high iteration counts) are intentionally slow or memory intensive to thwart high throughput cracking and are much more resistant to GPU acceleration. Good defensive choices use salts + a slow KDF with conservative parameters. Hashcat supports many of these algorithms but cracking them costs much more computationally, making long/complex passwords and proper KDF parameters critical defense.

Practical command examples (realistic patterns)

  • Simple dictionary (NTLM example):

hashcat -m 1000 -a 0 hashes.txt rockyou.txt

  • Dictionary + rule:

hashcat -m 0 -a 0 hashes.txt wordlist.txt -r rules/best64.rule

  • Mask (6-char: Upper + 4 lower + 1 digit):

hashcat -m 0 -a 3 hashes.txt ?u?l?l?l?l?d

  • Show cracked passwords from potfile (after a run):

hashcat --show -m 1000 hashes.txt

  • Benchmark available kernels:

hashcat -b

(Use -m hash-mode table from docs to map algorithm names to numbers.)

Performance tuning & hardware notes

  • GPUs are usually orders of magnitude faster than CPUs for hash types that map well to parallel compute. Keep GPU drivers and CUDA/OpenCL runtimes up to date.

  • Tune masks & rules first — focused strategies defeat brute force by reducing keyspace to likely candidates.

  • Thermals & stability: long GPU runs generate heat — use device selection, watchdog and OpenCL flags wisely to protect hardware. LabEx

  • Distributed cracking: tools like Hashtopolis or custom orchestration can spread workload across multiple machines; Hashcat itself supports multi-device operation on a single host.

Operational workflow for a security audit (recommended)

  1. Scope & authorization: get written permission and define scope (systems, data, retention). Never test without explicit authorization.

  2. Identify hash format & mode: verify the algorithm and format (-m value). A wrong mode wastes time.

  3. Start targeted: curated wordlists + sensible rules + masks informed by target user population (organizational conventions, languages, known password policies).

  4. Measure & escalate: benchmark, iterate — move to combinator/hybrid and then to more exhaustive masks only if needed.

  5. Document & report: log everything, include evidence, and give clear remediation steps (use salts, slow KDFs, MFA, banned password lists, and password length requirements).

Defenses you should test and recommend

  • Unique salts per password — prevents reuse of precomputed tables.

  • Memory-hard KDFs with conservative parameters (Argon2id, scrypt, bcrypt with adequate cost) — greatly slows cracking.

  • Minimum length and encouraging passphrases (long passphrases defeat many mutation/rule strategies).

  • Password blacklists / banned lists (prevent common reused passwords).

  • Multi-factor authentication (MFA) — even if a password is cracked, MFA prevents easy account takeover.

  • Rate limiting & monitoring of auth attempts — protect online systems from rapid guessing; offline hash cracking still requires strong storage defenses.

Where to learn more / authoritative references

  • Hashcat official wiki and docs (detailed attack descriptions, mode tables, rules): hashcat.net/wiki.

  • Official GitHub repository (source, releases, issues): github.com/hashcat/hashcat.

  • Hashcat utilities and community projects (wordlists, rules, distribution tools like Hashtopolis).

Demo

If you do not have the hashcat tool installed, you know the drill.


We will create a user, with a weak password for demonstration purpose. The password is going to be 1 to 9, we will have to create a wordlist.txt file and include random words with the password, demonstrating how hashcat can hash these words and compare it to the system's hashed password to give us the correct credential for the user. 


Don't worry about the alert of bad password, because it's a weak one, just for demo. ( Absolutely we should never use this password)

if you run this command "sudo cat /etc/shadow" and the hashed password for the "user1" starts with " $y$ ", this is a yescrypt hashing algorithm, ubuntu has implemented it for their latest update. for this demo we will make use of sha512. Therefore, the hash should start with " $6$ "

We will need to access the password module inside /etc/ to change it. 



Inside this configuration file, we need to change line 26, replace yescrypt with sha512.

To find out the hashcat mod that we need to use: 




Now we can do the actual cracking. 




Command explanation:

1 - getent shadow user1 ๐Ÿ‘‰Queries the system database for the shadow entry of user1.

This prints the user1 line from /etc/shadow (format: username:password:...).

2- | cut -d: -f2 ๐Ÿ‘‰ Pipes the getent output into cut, using : as delimiter and selecting field 2 — which is the hash field.

3- > hash.txt ๐Ÿ‘‰ Redirects that extracted hashed password into the file hash.txt after it creates it.

Then we merge it with the hashcat command.

  • -m 1800 — hash mode 1800, which is sha512crypt $6$.

  • -a 0 — attack mode 0 = straight wordlist attack.

  • --force — force-run even if hashcat detects issues (e.g., driver warnings).

  • --potfile-disable — disable the potfile (hashcat’s file that stores already-cracked hashes). 

  • This prevents reuse/resume and prevents storing results in the global potfile.

  • hash.txt — the input file containing the hash to crack.

  • wordlist.txt — the wordlist used for candidates.

  • -o cracked.txt — write the cracked password pairs to cracked.txt (format: <hash>:<password>).


Thanks for reading.

Comments

Post a Comment

Popular posts from this blog

Common Network Commands: IP R

-
IP R Command Overview The `ip r` command is part of the `iproute2` package in Linux systems. It is used for displaying and manipulating the routing table, which determines how network packets are directed to their destinations. This command is vital for network configuration, management, and troubleshooting. Origin and Development The `iproute2` package was created to replace the older `net-tools` package, which included commands like `ifconfig` and `route`. The `ip` command provides a more unified interface for network management, supporting advanced features and modern networking protocols. It offers better capabilities for managing complex networking scenarios, making it a crucial tool for system and network administrators. Basic Functionality The `ip r` command serves several functions: - Displays current routing table entries. - Shows destination networks, gateways, and associated interfaces. - Allows for the addition, deletion, and modification of routes. Key Command Syntax 1. Di...
Read more

Junior Security Analyst Intro

-
Why SOC Analyst L1 is Considered a Triage Specialist. A Level 1 Security Operations Center (SOC) Analyst is often regarded as a triage specialist because they are the first responders to cybersecurity alerts. Much like how a triage nurse assesses patients' conditions in a hospital, a Level 1 SOC Analyst evaluates and categorizes alerts generated by security tools to determine their severity and prioritize response efforts. Their primary focus is to: Filter Noise: Modern networks generate massive amounts of data, with many false positives. SOC L1 analysts must sift through this data to identify real threats. Categorize Alerts: Assign severity levels to incidents, such as low, medium, or high priority. Initial Response: Perform basic investigations (e.g., checking IP addresses, scanning logs) and decide whether to escalate incidents to Level 2 or 3 analysts. This role is vital because it ensures that high-priority threats are addressed quickly and resources are allocated ...
Read more

Example of A Day in the Life of a Junior (Associate) Security Analyst

-
The day begins early for the Junior Security Analyst, stepping into the office or logging into their remote workstation. The quiet hum of servers and the glow of multiple screens set the stage for another day at the heart of the cybersecurity battlefield. Their first task is to review the handover notes from the previous shift or the daily briefing. This update includes summaries of unresolved incidents, ongoing investigations, and any notable changes in the organization’s threat landscape. Equipped with this crucial information, the analyst prepares to navigate a world where even the smallest anomaly could signify a major threat. Logging into the array of tools—a Security Information and Event Management (SIEM) platform, endpoint detection systems, firewalls, and intrusion detection/prevention systems (IDS/IPS)—the analyst is immediately immersed in the flow of alerts. Every beep, flash, and log entry represents a potential threat. The first challenge is triage. Like a digital detecti...
Read more