Hashcat explained: Why you might need this password cracker

A must-have tool for penetration testers and to check password strength


What is Hashcat?

Hashcat is a popular and effective password cracker widely used by both penetration testers and sysadmins as well as criminals and spies.

Cracking passwords is different from guessing a web login password, which typically allows only a small number of guesses before locking your account. Instead, someone who has gained access to a system's stored password hashes will often try to crack those hashes offline to recover the passwords.

Passwords are no longer stored in plaintext (or shouldn't be, anyway). Instead, they are run through a one-way function called a hash, and only the hash is stored. Computing the hash of a password like "Password1" is lightning quick. But what if all you've got is the hash? A brute-force attack to reverse the hash function and recover the password could be computationally infeasible. Like, until the heat death of the universe infeasible.

Luckily, or unluckily depending on your point of view, none of us is likely to live that long, but there are many ways to reverse a hash to recover the original password without resorting to a probably fruitless brute-force attack.

Enter hashcat.

It turns out humans are so predictable in their password choices that hashcat can often recover a password.

Hashcat uses

Cracking passwords has many legitimate uses, besides the obvious criminal and espionage ones. A sysadmin may wish to pre-emptively check the security of user passwords. If hashcat can crack them, so can an attacker.

Penetration testers on engagement will frequently find themselves cracking stolen password hashes to move laterally inside a network, or to escalate privileges to an admin user. Since penetration testers work to find security holes on purpose, under contract, so that their customer can improve their security, this is also a perfectly legitimate use case.

is a popular option. Containing more than 14 million passwords sorted by frequency of use, it begins with common passwords such as “123456”, “12345”, “123456789”, “password”, “iloveyou”, “princess”, “1234567”, and “rockyou”, all the way to less common passwords such as “xCvBnM”, “ie168”, “abygurl69”, “a6_123”, and “*7¡Vamos!”.

Many other free wordlists exist on the internet, especially targeted at specific languages. Hashcat lets you specify the wordlist of your choice.
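The pre-emptive check a sysadmin would run with a wordlist boils down to the loop below: hash each candidate once, look it up against every stored hash. This is an added example written for this article, not hashcat's code; the account table and the six-word list are constructed here, and the hashes are unsalted SHA-256 (the format hashcat cracks as mode 1400), chosen purely to keep the demo self-contained.

```python
import hashlib

# Constructed sample data for this example: three accounts whose passwords are
# stored as unsalted SHA-256 hex digests (the format hashcat's mode 1400 cracks).
USERS = {
    "alice": hashlib.sha256(b"Bananas1").hexdigest(),
    "bob":   hashlib.sha256(b"iloveyou").hexdigest(),
    "carol": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}

# Constructed miniature wordlist, ordered most-common-first like rockyou.txt.
WORDLIST = ["123456", "password", "iloveyou", "princess", "Bananas1", "rockyou"]


def dictionary_audit(users, wordlist, algo="sha256"):
    """Return {username: password} for every account whose hash matches a wordlist entry.

    Each candidate is hashed exactly once and checked against all target hashes with a
    set lookup, which is what makes unsalted hashes so cheap to audit in bulk.
    """
    by_hash = {}
    for user, digest in users.items():
        by_hash.setdefault(digest, []).append(user)

    cracked = {}
    for word in wordlist:
        digest = hashlib.new(algo, word.encode("utf-8")).hexdigest()
        for user in by_hash.get(digest, []):
            cracked[user] = word
        if len(cracked) == len(users):   # stop early once every account is recovered
            break
    return cracked


if __name__ == "__main__":
    hits = dictionary_audit(USERS, WORDLIST)
    for user in USERS:
        status = f"FOUND in wordlist ({hits[user]!r})" if user in hits else "not in wordlist"
        print(f"{user:6} {status}")
```

Because the hashes carry no per-user salt, one hash computation per candidate covers every account at once; salting forces the attacker back to one computation per candidate per account, which is why the audit should be repeated against the real password store's format rather than this simplified one.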

gives the following example of two dictionaries:

yellow
green
black
blue

and:

car
bike

Hashcat then combines every word in the first list with every word in the second, and tests the following passwords:

yellowcar
greencar
blackcar
bluecar
yellowbike
greenbike
blackbike
bluebike

Punctuation such as hyphens (-), exclamation points (!) and other special characters can also be added to create a final word list that has passwords like "yellow-car!" and "blue-bike!" and so forth.
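The combinator attack above, reproduced as an added example (not code from the article or from hashcat): a generator that joins every word of the first list with every word of the second, with an optional separator and suffix standing in for the hyphen and exclamation mark the text mentions. It generalises slightly beyond the page by accepting any number of lists.

```python
from itertools import product

# The two dictionaries from the page's example.
COLOURS = ["yellow", "green", "black", "blue"]
VEHICLES = ["car", "bike"]


def combinator(*wordlists, separator="", suffix=""):
    """Yield every combination of one word from each list, in order.

    itertools.product varies its *last* argument fastest, so the lists are reversed
    going in and each tuple reversed coming out; that way the first list varies
    fastest, reproducing the order shown on the page (yellowcar, greencar, ...).
    """
    for parts in product(*reversed(wordlists)):
        yield separator.join(reversed(parts)) + suffix


def combinator_keyspace(*wordlists):
    """Number of candidates the combinator will produce (the product of the list sizes)."""
    total = 1
    for wl in wordlists:
        total *= len(wl)
    return total


if __name__ == "__main__":
    print("plain:", list(combinator(COLOURS, VEHICLES)))
    print("with punctuation:", list(combinator(COLOURS, VEHICLES, separator="-", suffix="!")))
    print("three lists:", combinator_keyspace(COLOURS, VEHICLES, ["2023", "2024"]))
```

The keyspace is the product of the list sizes, so two 14-million-entry lists would mean roughly 2 x 10^14 candidates; combinator attacks are only practical when at least one side is short or the hash is fast.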

Hashcat mask attack
Lots of users tend to use passwords in a certain format. One uppercase letter followed by six letters plus a digit on the end is common for older passwords -- "Bananas1", for example. Instead of trying to brute-force every possible password, you can use hashcat to search for all passwords in that format, which drastically reduces the number of possible guesses necessary -- if, indeed, the password in question is in that format.

The hashcat documentation explains why a mask attack is often orders of magnitude faster than a brute-force attack:

In traditional brute-force attack we require a charset that contains all uppercase letters, all lowercase letters and all digits (a.k.a. “mixalpha-numeric”). The password length is 9, so we have to iterate through 62^9 (13.537.086.546.263.552) combinations. Let’s say we crack with a rate of 100M/s, this requires more than four years to complete.
In mask attack we know about humans and how they design passwords. The above password matches a simple but common pattern. A name and year appended to it. We can also configure the attack to try the uppercase letters only on the first position. It is very uncommon to see an uppercase letter only in the second or the third position. To make it short, with mask attack we can reduce the keyspace to 52*26*26*26*26*10*10*10*10 (237.627.520.000) combinations. With the same cracking rate of 100M/s, this requires just 40 minutes to complete.
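The arithmetic in that comparison can be checked with a small mask parser. The code below is an added example, not part of the article or of hashcat: it implements hashcat's mask notation (the built-in ?l ?u ?d ?s ?a charsets plus custom charsets in the role of the -1 .. -4 options) far enough to reproduce both the 62^9 brute-force keyspace and the 52*26^4*10^4 mask keyspace quoted above, and to turn them into time at the documentation's 100M/s rate.

```python
from itertools import product

# hashcat's built-in charsets (?l ?u ?d ?s); ?a is their union.
BUILTIN = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def parse_mask(mask, custom=None):
    """Split a hashcat-style mask into one charset string per password position.

    custom maps "1".."4" to charset strings, playing the role of hashcat's -1 .. -4
    options; "??" stands for a literal question mark, anything else is a literal.
    """
    custom = custom or {}
    positions, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        key = mask[i + 1]
        if key == "?":
            positions.append("?")
        elif key in BUILTIN:
            positions.append(BUILTIN[key])
        elif key in custom:
            positions.append(custom[key])
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 2
    return positions


def expand_charset(spec, custom=None):
    """Flatten a charset spec like '?l?u' into its characters (duplicates removed, order kept)."""
    return "".join(dict.fromkeys("".join(parse_mask(spec, custom))))


def keyspace(positions):
    """Number of candidates the mask describes: the product of the per-position sizes."""
    n = 1
    for cs in positions:
        n *= len(cs)
    return n


def candidates(positions):
    """Generate every candidate the mask describes (only sensible for small keyspaces)."""
    for combo in product(*positions):
        yield "".join(combo)


def crack_time_seconds(n_candidates, rate_per_second):
    return n_candidates / rate_per_second


if __name__ == "__main__":
    rate = 100_000_000  # the 100M/s figure used in the hashcat documentation's comparison
    # Brute force over mixalpha-numeric, length 9 (the documentation's 62^9 case).
    brute = parse_mask("?1" * 9, {"1": expand_charset("?l?u?d")})
    # Mask attack: upper-or-lower first letter, four lowercase, four digits.
    mask = parse_mask("?1?l?l?l?l?d?d?d?d", {"1": expand_charset("?l?u")})
    for label, pos in (("brute force", brute), ("mask", mask)):
        n = keyspace(pos)
        secs = crack_time_seconds(n, rate)
        print(f"{label:12} {n:>22,d} candidates  ~{secs/60:,.0f} min  (~{secs/SECONDS_PER_YEAR:.1f} years)")
    print("first candidates of ?u?d:", list(candidates(parse_mask("?u?d")))[:5])
```

The ratio between the two keyspaces (about 57,000 to 1) is the whole argument for mask attacks, and it is also the defender's lesson: a password that follows a recognisable shape has a far smaller effective keyspace than its raw length and character mix suggest.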

Hashcat rule-based attack
If other, easier, options fail, and you've got a specific sense of how your target constructs a password, hashcat offers a programming language-like syntax for a rule-based attack, in which you can specify what kind of passwords to try.

"The rule-based attack is one of the most complicated of all the attack modes," the . "The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack."

The learning curve to get started with hashcat is very low but learning the hashcat rule syntax will spike that learning curve sharply.
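To make the "programming language" description concrete, here is an interpreter for a subset of hashcat's rule functions (the no-op, case functions, reverse, duplicate, append, prepend, purge, substitute, rotate, and positional toggle/delete), written as an added example for this article rather than taken from hashcat. The rule set at the bottom is constructed for the demo; the "c $1" rule is what produces the "Bananas1" shape discussed in the mask section.

```python
# Position arguments in hashcat rules are written 0-9 then A-Z (for 10-35).
def _pos(ch):
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"bad position {ch!r}")


def apply_rule(word, rule):
    """Apply one rule line to a word; functions are applied left to right."""
    w, i = word, 0

    def arg(k):  # k-th argument character after the function letter
        if i + k >= len(rule):
            raise ValueError(f"rule {rule!r} is missing an argument")
        return rule[i + k]

    while i < len(rule):
        f = rule[i]
        if f == " ":
            i += 1
            continue
        if f == ":":   pass                                  # no-op
        elif f == "l": w = w.lower()
        elif f == "u": w = w.upper()
        elif f == "c": w = w[:1].upper() + w[1:].lower()     # capitalise
        elif f == "C": w = w[:1].lower() + w[1:].upper()     # invert capitalise
        elif f == "t": w = w.swapcase()                      # toggle case
        elif f == "r": w = w[::-1]                           # reverse
        elif f == "d": w = w + w                             # duplicate
        elif f == "[": w = w[1:]                             # delete first
        elif f == "]": w = w[:-1]                            # delete last
        elif f == "{": w = w[1:] + w[:1]                     # rotate left
        elif f == "}": w = w[-1:] + w[:-1]                   # rotate right
        elif f == "$": w = w + arg(1); i += 1                # append char
        elif f == "^": w = arg(1) + w; i += 1                # prepend char
        elif f == "@": w = w.replace(arg(1), ""); i += 1     # purge char
        elif f == "s": w = w.replace(arg(1), arg(2)); i += 2 # substitute X->Y
        elif f == "T":                                       # toggle case at position N
            n = _pos(arg(1)); i += 1
            if n < len(w):
                w = w[:n] + w[n].swapcase() + w[n + 1:]
        elif f == "D":                                       # delete char at position N
            n = _pos(arg(1)); i += 1
            w = w[:n] + w[n + 1:]
        else:
            raise ValueError(f"unsupported rule function {f!r}")
        i += 1
    return w


def generate(words, rules):
    """Yield (word, rule, candidate) for every word/rule pair; '#' lines and blanks are skipped."""
    active = [r for r in rules if r.strip() and not r.lstrip().startswith("#")]
    for word in words:
        for rule in active:
            yield word, rule, apply_rule(word, rule)


# Constructed rule set in the style of a hashcat .rule file.
RULES = [
    "# capitalise and append a digit: the 'Bananas1' shape from the text",
    "c $1",
    "c $1 $2 $3",
    "sa@ so0 se3",          # leetspeak substitutions
    "u $!",
    "r",
]

if __name__ == "__main__":
    for word, rule, cand in generate(["bananas", "password"], RULES):
        print(f"{word:10} {rule:14} -> {cand}")
```

Each rule line multiplies the wordlist rather than adding to it, so a 14-million-word list under a few hundred rules is already billions of candidates; that multiplication is what makes common "mangling" habits (capitalise, append a digit, swap a for @) so cheap to cover.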

Hashcat brute-force attack
If all else fails, throw a hail Mary and hope hashcat's brute-force attack succeeds before our sun goes nova and engulfs the Earth. You never know, you might get lucky.

© IDG Communications, Inc.
