Hashcat is an advanced CPU-based password recovery utility available for Windows, Mac and Linux. It provides 7 unique modes of attack (such as Brute-force, Dictionary, Permutation, Prince, Table-Lookup and Combination) for over 100 optimized hashing algorithms (such as MD5, SHA-256 and SHA-512). Hashcat is considered to be the world’s fastest CPU-based password recovery tool. Its counterpart, oclHashcat, runs on the GPU and is much faster than Hashcat. Hashcat’s current version is 2.00 and it can be obtained from its website.
How are passwords stored?
If an application or service such as Google or SSH on Linux stores your password, the password is generally stored in the form of a hash. A hash is basically a secure way of storing passwords, based on a mathematical algorithm which is not reversible. Once you have a hash, it is theoretically impossible to get the original password back from it.
How to crack hashed passwords?
Suppose an attacker gets hold of the password hash. To crack the password from the hash, he needs to hash candidate passwords from a known dictionary, one after another, until one of the results matches the hash.
Essentially, the attacker has to be very patient as he has to try thousands, millions, billions and sometimes trillions of passwords before he finds the right one!
Alright, but how do you make so many guesses to find a matching hash?
Here, the Hashcat tool comes to your rescue. Hashcat automates the guessing process and compares the results for you.
In this tutorial, I will explain how to use the CPU version of Hashcat. As my system is 64-bit, I will be using the 64-bit version of Hashcat.
Let’s begin the journey of cracking passwords.
Download the latest Hashcat to your Linux distribution (my distribution is Ubuntu) from the Hashcat website:
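The guess, hash and compare loop described above, written out as an added example (it is not part of the original tutorial or of Hashcat) and run as a defender's audit of stored hashes against a wordlist. It compares unsalted MD5, the hash type of the A0.M0 example, with salted PBKDF2. The account names, passwords, wordlist and the 100,000-round PBKDF2 setting are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the tutorial): a tiny wordlist and three accounts.
WORDLIST = ["123456", "letmein", "sunshine", "correct horse"]
ACCOUNTS = {"alice": "sunshine", "bob": "sunshine", "carol": "Xq7#vT2m!pL9"}
ROUNDS = 100_000  # assumed PBKDF2 work factor for the comparison


def md5_hex(password):
    """Unsalted MD5, the hash type of the A0.M0 example files."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password, salt=None):
    """Salted, iterated storage: returns (salt, derived key)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def audit_md5(stored, wordlist):
    """Unsalted: hash each word once, then look up every account at no extra cost."""
    lookup = {md5_hex(word): word for word in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def audit_pbkdf2(stored, wordlist):
    """Salted: every guess must be re-derived per account. Returns (found, derivations)."""
    found, derivations = {}, 0
    for user, (salt, key) in stored.items():
        for word in wordlist:
            derivations += 1
            if hmac.compare_digest(pbkdf2_record(word, salt)[1], key):
                found[user] = word
                break
    return found, derivations


def run_demo():
    md5_store = {user: md5_hex(pw) for user, pw in ACCOUNTS.items()}
    kdf_store = {user: pbkdf2_record(pw) for user, pw in ACCOUNTS.items()}
    return md5_store, audit_md5(md5_store, WORDLIST), audit_pbkdf2(kdf_store, WORDLIST)


if __name__ == "__main__":
    md5_store, weak_md5, (weak_kdf, work) = run_demo()
    print("alice and bob share an MD5 hash:", md5_store["alice"] == md5_store["bob"])
    print("MD5 audit:", weak_md5, "cost:", len(WORDLIST), "MD5 computations")
    print("PBKDF2 audit:", weak_kdf, "cost:", work, "derivations x", ROUNDS, "rounds")
```

Both audits flag alice and bob, so a dictionary-word password falls under either scheme. The salt and work factor only raise the cost of each guess: 4 MD5 computations versus 10 derivations of 100,000 rounds each on this sample.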
$ wget https://hashcat.net/files/hashcat-2.00.7z
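To extract the archive, you need the 7zip utility installed. If you don’t have it on your system, install it with your distribution’s package manager. On yum-based distributions:
$ yum install p7zip
If yum install doesn’t work for you, you need to set up a YUM repository that contains the p7zip package.
On apt-based distributions such as Ubuntu:
$ apt-get install p7zip
Extract the archive using the installed 7zip utility (use whichever of the two commands below is available on your system):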
$ 7za x hashcat-2.00.7z
$ p7zip -d hashcat-2.00.7z
Now change to the Hashcat directory:
$ cd hashcat-2.00
You can see the binary executable as shown below:
$ ls -l hashcat-cli*.bin
Based on your hardware and OS installation, choose either the 32-bit or the 64-bit binary. You can find out which one you need using the command:
$ uname -a
Linux ubuntu 3.13.0-65-generic #106-Ubuntu SMP Fri Oct 2 22:08:27 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Since my OS is 64-bit, I will use the Hashcat binary compiled for 64-bit (hashcat-cli64.bin). Just to make our lives easier, let’s copy the binary to a standard binary location such as /usr/bin/:
$ cp hashcat-cli64.bin /usr/bin/
Link to a shorter form:
$ ln -s /usr/bin/hashcat-cli64.bin /usr/bin/hashcat
Great! From now on you can use the command hashcat whenever you want to use Hashcat as shown below:
$ hashcat --help
Excited to get started? The first thing to do is look at the examples directory to see how password cracking works:
$ ls examples/
The examples are arranged by attack mode (A) and hash type (M). Let’s try a simple crack of the MD5 hash type using dictionary attack mode. Pass the hash file and the corresponding password dictionary file as arguments to the hashcat executable, as shown below:
$ hashcat A0.M0.hash A0.M0.word
Initializing hashcat v2.00 with 2 threads and 32mb segment-size...
Added hashes from file A0.M0.hash: 102 (1 salts)
b19cdd8f0b55cb888c97ec77ab1ad402:rQ-Vv2&kog_p+CMyI;/VFDD.|MQe0/eV6bi9i^"yWP('iT
73ff3971460e3d4490049086207e4a1e:$<-+1Jz?dPL)[;)mg<so'R 5Ri0':.m^Rfv?,x[G
7718d0884dcdd356c77de6ff4c0ad58e:>RHc
:::::::::::::::::::::::::::::
:::::::::::::::::::::::::::::
All hashes have been recovered
Input.Mode: Dict (A0.M0.word)
Index.....: 1/1 (segment), 102 (words), 2769 (bytes)
Recovered.: 102/102 hashes, 1/1 salts
Speed/sec.: - plains, 101 words
Progress..: 102/102 (100.00%)
Running...: 00:00:00:01
Estimated.: --:--:--:--
Started: Wed Dec 16 04:41:18 2015
Stopped: Wed Dec 16 04:41:20 2015
The above execution successfully recovered 102 hashes! Fantastic, isn’t it? Of course, cracking hashes in the real world won’t be this simple, but this is a great first step.