Hashcat

Usage

hashcat64.exe --session <name> -a <ATTACK> -m <HASH FORMAT> -O --potfile-path <POT PATH> <HASH PATH> <WORDLIST PATH> -r <RULE PATH>

Additional Options:

Option      Description
--username  The hash file also contains usernames, in the format <USER>:<HASH>
-O          Drastically increases performance but can only crack passwords with fewer than 32 characters

Use --session <name> --restore to restore the session from the <name>.restore file in the current directory.

Attack Types

Attack              Option  Description
Wordlist            -a 0    Use with derivation rules to increase efficiency
Combination         -a 1    Concatenate words from multiple wordlists
Mask (brute-force)  -a 3    Try all combinations matching the mask

Hash Formats

Hash                 Number  Format                                          Example
SHA1                 100     <SHA1>                                          b89eaac7e61417341b710b727768294d0e6a277b
NTLM                 1000    <NT> (NTLM = <LM>:<NT>)                         b4b9b02e6f09a9bd760f388b67351e2b
MSCACHEv1            1100    <HASH>:<USERNAME>                               a093d194cfd1ee709bb4faf7309bdb58:bobby
MSCACHEv2            2100    $DCC2$10240#<USERNAME>#<HASH>                   $DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f
WPA/WPA2             2500    <binary file>.hccapx (generated with hcxtools)  N/A
NetNTLMv1, MSCHAPv2  5500    <USERNAME>::::<RESPONSE>:<CHALLENGE>            jdoe::::e053ca2d9ef6bdae24a99f486c7d1c03feaafe674976294a:9486addefe0dabc0
Unix SHA256 ($5)     7400    $5$<SALT>$<HASH>                                $5$GX7BopJZJxPc/KEK$le16UF8I2Anb.rOrn22AUPWvzUETDGefUmAV8AZkGcD
WPA-PMKID-PBKDF2     16800   <HASH> (captured with hcxtools)                 2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a

Tip

Quickly find the hash format number: hashcat --example-hashes | grep -i -B1 <hash>

See https://hashcat.net/wiki/doku.php?id=example_hashes for the complete list.

Masks

Wildcard  Charset
?l        Lowercase: [a-z]
?u        Uppercase: [A-Z]
?d        Digits: [0-9]
?s        Specials: <space>!"#$%&'()*+,-./:;<=>@[]+ ...
?a        All of the above
?b        Binaries: [0x00-0xff]

Increment

Add --increment to also match passwords shorter than the mask.

Example: with --increment, ?d?d?d?d is equivalent to running ?d, ?d?d, ?d?d?d and ?d?d?d?d

Groups

Create groups of wildcards by using numerical placeholders.

Example: -1 ?l?u -2 ?d?s ?1?1?1?1?d?d?d?d?2
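
To judge how much of the password space a mask covers, for instance when checking a password policy against the masks on this page, this added Python example (not part of the original cheat sheet and not hashcat code) parses the wildcard syntax from the table above, computes the keyspace with or without --increment, and tests whether a given password falls inside a mask. It assumes ASCII masks and only the wildcards listed here; the function names and the dict used to pass the -1/-2 groups are hypothetical.

```python
import string

# Built-in charsets from the Masks table, as sets of byte values.
BUILTIN = {
    "l": set(string.ascii_lowercase.encode()),
    "u": set(string.ascii_uppercase.encode()),
    "d": set(string.digits.encode()),
    "s": set((" " + string.punctuation).encode()),
    "b": set(range(256)),
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]

def parse_mask(mask, custom=None):
    """Return one set of allowed byte values per mask position."""
    # Expand the numbered groups first. Assumption: a group uses only literals
    # and built-in wildcards, never another group.
    groups = {k: set().union(*parse_mask(v)) for k, v in (custom or {}).items()}
    positions, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append({ord(mask[i])})   # literal character
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            positions.append({ord("?")})       # '??' is a literal question mark
        elif key in BUILTIN:
            positions.append(BUILTIN[key])
        elif key in groups:
            positions.append(groups[key])
        else:
            raise ValueError(f"unknown wildcard ?{key}")
        i += 2
    return positions

def keyspace(mask, custom=None, increment=False):
    """Candidate count for the mask; with increment, all shorter prefixes too."""
    total, running = 0, 1
    for charset in parse_mask(mask, custom):
        running *= len(charset)
        total += running
    return total if increment else running

def matches(password, mask, custom=None):
    """True if exhausting this mask would eventually try `password`."""
    positions = parse_mask(mask, custom)
    data = password.encode()
    return len(data) == len(positions) and all(b in p for b, p in zip(data, positions))
```

For the Groups example above, call keyspace("?1?1?1?1?d?d?d?d?2", {"1": "?l?u", "2": "?d?s"}).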

Methodology

hashcat64.exe -a 0 -m <HASH FORMAT> -O --potfile-path results\<mission.pot> --username hashes\<mission.hash> wordlists\rockyou.txt -r rules\efensive.rule
hashcat64.exe -a 0 -m <HASH FORMAT> -O --potfile-path results\<mission.pot> --username hashes\<mission.hash> wordlists\cities.dict -r rules\efensive.rule
hashcat64.exe -a 0 -m <HASH FORMAT> -O --potfile-path results\<mission.pot> --username hashes\<mission.hash> wordlists\realuniq.lst -r rules\best64.rule
hashcat64.exe -a 0 -m <HASH FORMAT> -O --potfile-path results\<mission.pot> --username hashes\<mission.hash> wordlists\realuniq.lst -r rules\T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
hashcat64.exe -a 0 -m <HASH FORMAT> -O --potfile-path results\<mission.pot> --username hashes\<mission.hash> wordlists\realuniq.lst -r rules\T0XlC-insert_top_100_passwords_1_G.rule
hashcat64.exe -a 0 -m <HASH FORMAT> -O --potfile-path results\<mission.pot> --username hashes\<mission.hash> wordlists\<mission.lst> -r rules\efensive.rule
hashcat64.exe -a 3 -m <HASH FORMAT> -O --potfile-path results\<mission.pot> --username hashes\<mission.hash> ?u?l?l?l?l?l?d?d?d
hashcat64.exe -a 3 -m <HASH FORMAT> -O --potfile-path results\<mission.pot> --username hashes\<mission.hash> ?u?l?l?l?l?d?d?d
hashcat64.exe -a 3 -m <HASH FORMAT> -O --potfile-path results\<mission.pot> --username hashes\<mission.hash> ?u?l?l?l?l?d?d?d?d
hashcat64.exe -a 3 -m <HASH FORMAT> -O --potfile-path results\<mission.pot> --username hashes\<mission.hash> ?u?l?l?l?d?d?d?d
hashcat64.exe -a 3 -m <HASH FORMAT> -O --potfile-path results\<mission.pot> --username hashes\<mission.hash> ?u?l?l?l?l?l?l?d?d
hashcat64.exe -a 3 -m <HASH FORMAT> -O --potfile-path results\<mission.pot> --username hashes\<mission.hash> ?u?l?l?l?l?l?d?s