
Hashcat: a powerful password-cracking tool

2024-12-24 17:32:08

Hashcat is a powerful password-cracking tool and one of the essential tools in information security. This article collects and summarizes its usage for future reference, and may also help other readers.

Brief introduction

Hashcat is the world's fastest password cracker and is an open-source, distributed tool that supports multiple platforms and algorithms.

Official: https://hashcat.net/hashcat/

GitHub: https://github.com/hashcat/hashcat

Installation

Windows

Download the latest release archive from https://github.com/hashcat/hashcat/releases, unzip it, and run hashcat64.exe or hashcat32.exe according to your platform.

Commonly used parameters

-m hash type

Specifies the type of hash to be cracked, given as a number corresponding to the hash type

-a attack mode

Specifies the attack mode to use; the possible values are listed below:

- [ Attack Modes ] -

  # | Mode
 ===+======
  0 | Straight                # straight dictionary attack
  1 | Combination             # combination attack
  3 | Brute-force             # mask brute-force attack
  6 | Hybrid Wordlist + Mask  # dictionary + mask attack
  7 | Hybrid Mask + Wordlist  # mask + dictionary attack

--increment

Enables incremental mode, so that hashcat cracks within the specified range of password lengths

--increment-min

The minimum password length, given directly as an integer; used together with increment mode

--increment-max

The maximum password length, given directly as an integer; used together with increment mode

--force

Ignore warnings during the cracking process

--remove

Remove hashes from the hash file once they have been cracked

--username

Ignore the usernames in the hash file; this is used when cracking the password hashes of Linux users

--potfile-disable

Do not record successfully cracked hashes in the potfile

-I

--opencl-info shows information about the detected OpenCL platforms/devices. With a good graphics card, cracking is much faster.

-o

--outfile specifies where to save each cracked hash and its corresponding plaintext password

-O

--optimized-kernel-enable enables optimized kernels (limits the password length)

-d

--opencl-devices specifies the OpenCL devices to use. The devices supported on my machine are listed below:


* Device #1: Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz, skipped.
* Device #2: Intel(R) UHD Graphics 630, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 555X Compute Engine, 1024/4096 MB allocatable, 12MCU

-D

--opencl-device-types specifies the OpenCL device types to use. Hashcat supports the following device types:

 1 | CPU
 2 | GPU
 3 | FPGA, DSP, Co-Processor

In general, use -D 2 to select the GPU for cracking

Mask cracking

Mask rules


 ? | Charset
 ===+=========
 l | abcdefghijklmnopqrstuvwxyz          # lowercase letters a-z
 u | ABCDEFGHIJKLMNOPQRSTUVWXYZ          # uppercase letters A-Z
 d | 0123456789                          # digits 0-9
 h | 0123456789abcdef                    # digits + abcdef
 H | 0123456789ABCDEF                    # digits + ABCDEF
 s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~   # special characters
 a | ?l?u?d?s                            # all visible characters on the keyboard
 b | 0x00 - 0xff                         # probably for matching passwords that contain characters such as spaces

Custom mask rules


--custom-charset1 [chars] is equivalent to -1
--custom-charset2 [chars] is equivalent to -2
--custom-charset3 [chars] is equivalent to -3
--custom-charset4 [chars] is equivalent to -4

They are referenced in the mask as ?1, ?2, ?3, ?4

Some cases:


--custom-charset1 abcd123456!@-+

Here ?1 means abcd123456!@-+

--custom-charset2 ?l?d

Here ?2 means ?l?d, i.e. digits + lowercase letters

-3 abcdef -4 123456

In this case, ?3?3?3?3?4?4?4?4 means the first four characters are drawn from abcdef and the last four from 123456
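To judge how much resistance a password format offers against the mask attacks described here, the following added example (not part of the original article, and not Hashcat's own code) counts the candidates a mask generates, including the -1 to -4 custom charsets and --increment. The function names and the guess rate passed to hours_to_exhaust are assumptions of this sketch.

```python
import math
import string

# Built-in charsets from the mask table above; ?b (all 256 byte values) is handled in expand().
BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase, "d": string.digits,
           "h": "0123456789abcdef", "H": "0123456789ABCDEF",
           "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]

def tokens(spec):
    """Split a mask or charset spec into '?x' placeholders and literal characters."""
    i = 0
    while i < len(spec):
        step = 2 if spec[i] == "?" and i + 1 < len(spec) else 1
        yield spec[i:i + step]
        i += step

def expand(spec, custom):
    """Return the set of characters a spec such as '?l?d' or 'abcdef' stands for."""
    chars = set()  # repeated characters are counted once (assumption of this sketch)
    for tok in tokens(spec):
        if len(tok) == 1 or tok == "??":
            chars.add(tok[-1])
        elif tok == "?b":
            chars.update(map(chr, range(256)))
        elif tok[1] in custom:
            chars |= custom[tok[1]]
        elif tok[1] in BUILTIN:
            chars.update(BUILTIN[tok[1]])
        else:
            raise ValueError(f"unknown placeholder {tok}")
    return chars

def candidates(mask, charsets=(), inc_min=None, inc_max=None):
    """Count the candidates a mask attack tries; charsets are the -1..-4 values in order."""
    custom = {}
    for n, spec in enumerate(charsets, start=1):
        custom[str(n)] = expand(spec, custom)
    sizes = [len(expand(tok, custom)) for tok in tokens(mask)]
    if inc_min is None:  # no --increment: only the full mask length is tried
        return math.prod(sizes)
    inc_max = min(inc_max or len(sizes), len(sizes))
    # --increment tries the first n mask positions for each length n in the range
    return sum(math.prod(sizes[:n]) for n in range(inc_min, inc_max + 1))

def hours_to_exhaust(count, hashes_per_second):
    """Worst-case hours to try every candidate at an assumed guess rate."""
    return count / hashes_per_second / 3600
```

An 8-digit numeric mask yields only 10^8 candidates, while eight positions of ?l?u yield 52^8, which is why length and character variety matter far more than any single substitution.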

Dictionary cracking


The MD5 hash of 1q2w3e4r is 5416d7cd6ef195a0f7622a9c56b55e84

hashcat -a 0 -m 0 '5416d7cd6ef195a0f7622a9c56b55e84' hashpass.txt -o success.txt

Delete the cracked password

Sometimes the following prompt will appear when cracking:


INFO: All hashes found in potfile! Use --show to display them.

This means the hash has already been cracked before, so Hashcat does not display it again. Append the --show parameter to display the password:

hashcat -a 0 -m 0 'cbc8f5435c87e13c5d14e6ce92358d68' hashpass.txt --show
cbc8f5435c87e13c5d14e6ce92358d68:123456@abc

Hashcat stores successfully cracked passwords in: ~/.hashcat/hashcat.potfile

To have cracked passwords displayed directly, you can simply delete that file.

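Batch cracking

# Delete the record of previously cracked hashes
rm ~/.hashcat/hashcat.potfile
# hash.txt holds the hashes to crack and hashpass.txt is the dictionary; export the results to success.txt and remove the cracked hashes from hash.txt
hashcat -a 0 -m 0 hash.txt hashpass.txt -o success.txt --remove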

Combination cracking

Multi-dictionary cracking

hashcat -a 1 -m 0 '5416d7cd6ef195a0f7622a9c56b55e84' hashpass1.txt hashpass1.txt

Dictionary + mask cracking


echo -n admin888 |openssl md5
7fef6171469e80d32c0559f88b377245

Crack the MD5 hash of admin888:

hashcat -a 6 -m 0 '7fef6171469e80d32c0559f88b377245' hashpass.txt -O

Mask + dictionary crack




hashcat -a 7 -m 0 '7fef6171469e80d32c0559f88b377245' 'admi?l?d?d?d' hashpass.txt  -O

Cracking examples

Cracking the MD5 hash of an 8-digit number

The MD5 hash of 23323323:

$ echo -n 23323323 |openssl md5
5a745e31dbbd93f4c86d1ef82281688b

Use Hashcat to crack it:

hashcat -a 3 -m 0 --force '5a745e31dbbd93f4c86d1ef82281688b' '?d?d?d?d?d?d?d?d' -O

Cracking the MD5 hash of 8 uppercase and lowercase letters

$ echo -n PassWord |openssl md5
a9d402bfcde5792a8b531b3a82669585

Use Hashcat to crack it:

hashcat -a 3 -m 0 -1 '?l?u' --force  'a9d402bfcde5792a8b531b3a82669585' '?1?1?1?1?1?1?1?1' -O

A custom charset -1 is defined here, so ?1 means ?l?u, i.e. uppercase and lowercase letters.

Cracking the MD5 hash of 5-7 uppercase and lowercase letters + digits

The MD5 hash of Admin88 is 2792e40d60bac94b4b163b93566e65a9

hashcat -a 3 -m 0 -1 '?l?u?d' --force  '2792e40d60bac94b4b163b93566e65a9' --increment --increment-min 5 --increment-max 7 '?1?1?1?1?1?1?1' -O

A custom charset -1 is defined here, so ?1 means ?l?u?d, i.e. uppercase and lowercase letters + digits.

Cracking the MD5 hash of a 10-character password starting with admin, followed by uppercase and lowercase letters + digits

The MD5 hash of admin23323 is a9991129897a44e0d1c2855c3d7dccc4

hashcat -a 3 -m 0 -1 '?l?u?d' --force  'a9991129897a44e0d1c2855c3d7dccc4' 'admin?1?1?1?1?1' -O

MySQL4.1/MySQL5

View the MySQL password hashes:


mysql> select Password from mysql.user;
+-------------------------------------------+
| Password                                  |
+-------------------------------------------+
| *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
+-------------------------------------------+
4 rows in set (0.00 sec)

Then crack it with a dictionary:


hashcat -a 0 -m 300 --force '81F5E21E35407D884A6CD4A731AEBFB6AF209E1B' hashpass.txt -O

Linux /etc/shadow sha512crypt $6$, SHA512 (Unix)

View the /etc/shadow password file:

root@kali-linux:~# cat /etc/shadow
root:$6$4ojiBMDPrehqrLkX$d2T7Cn8LKkLk4SDXgCh1IEqjhnsUekXaNUXSxiZIwUTndSqyd.9sEcu80sX9DuEHGmHOeoMev2O0ACYtjMett1:18201:0:99999:7:::
daemon:*:18024:0:99999:7:::
bin:*:18024:0:99999:7:::
sys:*:18024:0:99999:7:::
sync:*:18024:0:99999:7:::
games:*:18024:0:99999:7:::
man:*:18024:0:99999:7:::
lp:*:18024:0:99999:7:::
mail:*:18024:0:99999:7:::
news:*:18024:0:99999:7:::
uucp:*:18024:0:99999:7:::
proxy:*:18024:0:99999:7:::
www-data:*:18024:0:99999:7:::
backup:*:18024:0:99999:7:::
list:*:18024:0:99999:7:::
irc:*:18024:0:99999:7:::
gnats:*:18024:0:99999:7:::
nobody:*:18024:0:99999:7:::
_apt:*:18024:0:99999:7:::
systemd-timesync:*:18024:0:99999:7:::
systemd-network:*:18024:0:99999:7:::
systemd-resolve:*:18024:0:99999:7:::
mysql:!:18024:0:99999:7:::
ntp:*:18024:0:99999:7:::
messagebus:*:18024:0:99999:7:::
arpwatch:!:18024:0:99999:7:::
Debian-exim:!:18024:0:99999:7:::
uuidd:*:18024:0:99999:7:::
redsocks:!:18024:0:99999:7:::
tss:*:18024:0:99999:7:::
rwhod:*:18024:0:99999:7:::
iodine:*:18024:0:99999:7:::
miredo:*:18024:0:99999:7:::
dnsmasq:*:18024:0:99999:7:::
postgres:*:18024:0:99999:7:::
usbmux:*:18024:0:99999:7:::
rtkit:*:18024:0:99999:7:::
stunnel4:!:18024:0:99999:7:::
sshd:*:18024:0:99999:7:::
Debian-snmp:!:18024:0:99999:7:::
sslh:!:18024:0:99999:7:::
pulse:*:18024:0:99999:7:::
speech-dispatcher:!:18024:0:99999:7:::
avahi:*:18024:0:99999:7:::
saned:*:18024:0:99999:7:::
inetsim:*:18024:0:99999:7:::
colord:*:18024:0:99999:7:::
geoclue:*:18024:0:99999:7:::
king-phisher:*:18024:0:99999:7:::
Debian-gdm:*:18024:0:99999:7:::
dradis:*:18024:0:99999:7:::
beef-xss:*:18024:0:99999:7:::
systemd-coredump:!!:18082::::::

You can see that root has a password, and the $6 at the start of the hash indicates the hashing scheme in use: sha512crypt $6$, SHA512 (Unix).

# Mask attack on the root password; do not record cracked hashes in the potfile; run on device 2 (integrated graphics) with optimized kernels enabled
hashcat -a 3 -m 1800 --force  '$6$4ojiBMDPrehqrLkX$d2T7Cn8LKkLk4SDXgCh1IEqjhnsUekXaNUXSxiZIwUTndSqyd.9sEcu80sX9DuEHGmHOeoMev2O0ACYtjMett1' '?l?l?l?l' -O -d 2 --potfile-disable
# Mask attack on the root password; ignore the username; do not record cracked hashes in the potfile; run on device 2 (integrated graphics) with optimized kernels enabled
hashcat -a 3 -m 1800 --force  'root:$6$4ojiBMDPrehqrLkX$d2T7Cn8LKkLk4SDXgCh1IEqjhnsUekXaNUXSxiZIwUTndSqyd.9sEcu80sX9DuEHGmHOeoMev2O0ACYtjMett1' '?l?l?l?l' -O -d 2 --username --potfile-disable

Cracking would not run on the built-in CPU or the discrete graphics card under macOS, so here Guoguang manually selected the integrated graphics with -d 2, and the run succeeded.
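The same /etc/shadow format can be checked from the defender's side. The following added example (not part of the original article) reads the $id$ prefix described above, tells locked accounts from ones that carry a hash, and flags empty passwords, legacy schemes and low round counts. The sample entries are constructed, and the function names and the min_rounds policy value are assumptions of this sketch.

```python
# Scheme identifiers found in the $id$ prefix of crypt(3) password hashes.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
WEAK = {"md5crypt", "descrypt"}

# Constructed sample entries (salts and hashes are placeholders, not real values).
SAMPLE = """\
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18201:0:99999:7:::
daemon:*:18024:0:99999:7:::
mysql:!:18024:0:99999:7:::
legacy:$1$CONSTRUC$CONSTRUCTEDHASH:18024:0:99999:7:::
svc:$6$rounds=656000$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18024:0:99999:7:::
guest::18024:0:99999:7:::
"""

def classify(field):
    """Return (scheme, rounds) for the password field of one shadow entry."""
    if field == "":
        return "empty", None
    if field[0] in "*!":          # '*', '!' and '!!' mean password login is disabled
        return "locked", None
    if not field.startswith("$"):
        return "descrypt", None   # traditional DES crypt carries no $id$ prefix
    parts = field.split("$")
    scheme = SCHEMES.get(parts[1], "unknown")
    rounds = None
    if scheme in ("sha256crypt", "sha512crypt"):
        rounds = 5000             # default when no rounds= parameter is present
        if len(parts) > 2 and parts[2].startswith("rounds="):
            rounds = int(parts[2][len("rounds="):])
    return scheme, rounds

def audit(shadow_text, min_rounds=5000):
    """Map each account with a password-storage problem to a description of it."""
    findings = {}
    for line in shadow_text.splitlines():
        if ":" not in line:
            continue
        user, field = line.split(":")[:2]
        scheme, rounds = classify(field)
        if scheme == "empty":
            findings[user] = "no password set"
        elif scheme in WEAK:
            findings[user] = f"weak scheme {scheme}"
        elif scheme == "unknown":
            findings[user] = "unrecognised hash scheme"
        elif rounds is not None and rounds < min_rounds:
            findings[user] = f"{scheme} with {rounds} rounds (policy minimum {min_rounds})"
    return findings
```

Calling audit(SAMPLE, min_rounds=100000) flags root, legacy and guest, and leaves the locked accounts and the high-round svc entry alone.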

Dictionary cracking of Windows LM Hash

hashcat -a 0 -m 3000 --force '921988ba001dc8e14a3b108f3fa6cb6d' password.txt

Dictionary cracking of Windows NTLM Hash

hashcat -a 0 -m 1000 --force 'e19ccf75ee54e06b06a5907af13cef42' password.txt

Distributed cracking

 Parameter                 | Type | Description                                      | Guoguang's understanding                       | Example
 ==========================+======+==================================================+================================================+=====================================
 --brain-server            |      | Enable brain server                              | Enable the primary server                      |
 -z, --brain-client        |      | Enable brain client, activates -S                | Enable the distributed client                  |
 --brain-client-features   | Num  | Define brain client features, see below          | Define the client's features                   | --brain-client-features=3
 --brain-host              | Str  | Brain server host (IP or domain)                 | IP or domain of the primary server             | --brain-host=127.0.0.1
 --brain-port              | Port | Brain server port                                | Port of the primary server                     | --brain-port=13743
 --brain-password          | Str  | Brain server authentication password             | Authentication password of the primary server  | --brain-password=e8acfc7280c48009
 --brain-session           | Hex  | Overrides automatically calculated brain session | Override the automatically calculated session  | --brain-session=0x2ae611db
 --brain-session-whitelist | Hex  | Allow given sessions only, separated with commas | Allow only the given sessions, comma-separated | --brain-session-whitelist=0x2ae611db

Client features


- [ Brain Client Features ] -

  # | Features
 ===+========
  1 | Send hashed passwords                       # send cracked passwords
  2 | Send attack positions                       # send cracked positions
  3 | Send hashed passwords and attack positions  # send cracked passwords and cracked positions

