Before You Start Cracking
Hashing is different from encryption in that hashing is not reversible by design. When we encrypt a piece of text,
the process can be undone with the correct key. However, hashing is a one-way function. Because there is currently no way to
mathematically undo the hashing process, the job of a hash cracking tool is to try as many different inputs as quickly
as computationally possible to guess the right input. Hashes are BY DESIGN COMPUTATIONALLY INTENSIVE,
and therefore to crack a hash in a timely manner, your computer WILL HEAT UP if you choose to push the
tool to its limits. Doing so will generate heat possibly faster than your computer, especially a laptop, can exhaust it, and
CAN SHORTEN THE DEVICE'S LIFESPAN due to heat-related damage if the device gets too hot.
Command Line Interface VS Graphical User Interface
A Graphical User Interface (GUI) is, as its name implies, graphical. An example of such an interface is the browser
you are likely reading this from. However, older and simpler tools do not use graphical interfaces, but instead use
Command Line Interfaces (CLI), which can only be interacted with via a terminal window or command prompt as lines of text output
and input. As you use them more often, you will get accustomed to them, and they are not as daunting
or unfriendly as they may initially appear.
Hashcat
This section will cover the installation and usage of Hashcat for Linux, macOS, and Windows. Hashcat is a highly optimized
open-source tool for cracking hashes at high rates.
Installing Hashcat
Instructions to install Hashcat for Linux, macOS, and Windows.
Installing Hashcat for Linux
- Go to https://hashcat.net/hashcat/
- At the top of the page, you should see a chart under Download. Click on the download link for "hashcat binaries" and
  download the .7z file.
- Once the file is downloaded, extract the files inside the archive using your favorite tool or
  using p7zip like this guide.
  In the extracted directory, a binary called hashcat.bin can be found.
- Open a terminal window at that directory. If you are on a Debian-based system, you can probably do that by
  right-clicking on the file manager window and selecting "Open in Terminal".
- Run the following command in the terminal to add the current directory to your $PATH variable
  for the duration of the current terminal session.
  export PATH=$PATH:$(pwd)
- Use the following command in the terminal to add the current directory to your $PATH variable so you can use Hashcat from any directory
  in the future. It is recommended to do this step to avoid having to add the directory to the $PATH variable each time you use Hashcat.
  You can skip this step if you do not want to make changes to your ~/.bashrc file.
  echo "export PATH=\$PATH:$(pwd)" >> ~/.bashrc
- You are now done and ready to move on to the next section.
Installing Hashcat for macOS
A word of warning for MacBook users. MacBooks are notorious for cooling-related problems. Using hashcat at high hash
rates will cause your fans to scream. This is a bad sign, and it is recommended to do this only for short stints, if not avoid
doing this altogether if possible, because it can lead to damaged components. Newer MacBooks are not only costly
to repair, but also have every component fused together on the motherboard, including the SSD drives.
Thus a single damaged component may require the entire device internals, including your drives, to be replaced, potentially
leading to file losses if you do not back up your files (the technicians may be able to help you do that after the device is broken).
It is important to note that upon replacement, your old device internals WILL BE SHREDDED and VERY GONE. So please be careful.
- Go to https://hashcat.net/hashcat/
- At the top of the page, you should see a chart under Download. Click on the download link for "hashcat sources" and
  download the archive file.
- Once the file is downloaded, extract the files inside the archive.
  In the extracted directory, a file called Makefile should be found.
- Open a terminal window. To open a terminal on macOS, use Command+Space, and then
  type in terminal and hit Enter. A terminal window should appear.
- Open a Finder window at the folder that contains the extracted Hashcat folder.
- Type in "cd " (make sure you have a Space at the end) and drag the folder containing the Hashcat Makefile
  from the Finder window you have opened and drop it on the terminal window. The window should now have automatically
  filled in the path of that folder.
- Hit Enter to run that command and Change Directory (CD) to that folder.
- Now paste the following command into the terminal and hit Enter.
  make
- If the previous step fails, try reinstalling the Xcode tools with the following terminal command.
  xcode-select --install
- Once Hashcat has been compiled properly, run the following command in the terminal to add the current directory to your $PATH variable
  for the duration of the current terminal session.
  export PATH=$PATH:$(pwd)
- Use the following command in the terminal to add the current directory to your $PATH variable so you can use Hashcat from any directory
  in the future. It is recommended to do this step to avoid having to add the directory to the $PATH variable each time you use Hashcat.
  You can skip this step if you do not want to make changes to your ~/.bashrc file.
  echo "export PATH=\$PATH:$(pwd)" >> ~/.bashrc
- You are now done and ready to move on to the next section.
Installing Hashcat for Windows
- Go to https://hashcat.net/hashcat/
- At the top of the page, you should see a chart under Download. Click on the download link for "hashcat binaries" and
  download the .7z file.
- Once the file is downloaded, extract the files inside the archive using your favorite tool. Inside the extracted files
  there should be an executable called hashcat.exe. Because it is not a GUI executable, it will not work when you double-click it.
- Open a command prompt. Use the hotkeys WinKey+R, then enter cmd into the box
  and hit Enter to spawn a command prompt.
- Open a File Explorer window at the folder that contains the extracted Hashcat folder.
- Type in "cd " (make sure you have a Space at the end) and drag the folder containing hashcat.exe
  from the File Explorer window you have opened and drop it on the command prompt window. The window should now have automatically
  filled in the path of that folder.
- Hit Enter to run that command and Change Directory (CD) to that folder.
- If you want to add the current folder to your PATH for future use, you can refer to
  this tutorial.
- You are now done and ready to move on to the next section.
Using Hashcat
This section will finally cover how to use Hashcat. Remember that Hashcat is a Command Line Interface tool, so you can
only interact with it directly via a terminal or command prompt. For macOS, you can use hashcat in the
terminal window to use the Hashcat binary. For Linux, you can use hashcat.bin in the
terminal window to use the Hashcat binary. For Windows, you can use hashcat.exe in the command prompt to
use Hashcat. If you did not add Hashcat to your PATH variable, you should use the terminal or command prompt window open
at the hashcat folder and use ./hashcat, ./hashcat.bin, or ./hashcat.exe instead.
For the remainder of the tutorial, the hashcat executable will be invoked as hashcat for simplicity.
It is assumed that the user has hashcat in the current directory and will substitute the right
command format for hashcat as necessary. For simplicity's sake, command prompts will also be referred to as terminals for the remainder
of the tutorial.
Before you start, it is helpful to know how to access the verbose help section that comes with Hashcat. Use the following
command to print help.
hashcat --help
Something like the following should print out:
livelycarpet87@livelycarpet87-desktop:~/infosecClubResources$ hashcat --help
hashcat - advanced password recovery
Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...
- [ Options ] -
Options Short / Long | Type | Description | Example
================================+======+======================================================+=======================
-m, --hash-type | Num | Hash-type, see references below | -m 1000
-a, --attack-mode | Num | Attack-mode, see references below | -a 3
-V, --version | | Print version |
-h, --help | | Print help |
--quiet | | Suppress output |
--hex-charset | | Assume charset is given in hex |
--hex-salt | | Assume salt is given in hex |
--hex-wordlist | | Assume words in wordlist are given in hex |
--force | | Ignore warnings |
--status | | Enable automatic update of the status screen |
--status-timer | Num | Sets seconds between status screen updates to X | --status-timer=1
--stdin-timeout-abort | Num | Abort if there is no input from stdin for X seconds | --stdin-timeout-abort=300
--machine-readable | | Display the status view in a machine-readable format |
--keep-guessing | | Keep guessing the hash after it has been cracked |
This is the manual for hashcat and tells you how to use the command.
For this tutorial, we will use the MD5 hash 5f4dcc3b5aa765d61d8327deb882cf99. The first step is to select the
correct hash mode. You can refer to the helpful chart printed by hashcat --help. As shown by the excerpt
below, the hash mode for MD5 hashes is 0. For other hashes, such as SHA1, look up the corresponding
hash mode (100) according to the table.
- [ Hash modes ] -
# | Name | Category
======+==================================================+======================================
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
5100 | Half MD5 | Raw Hash
100 | SHA1 | Raw Hash
1300 | SHA2-224 | Raw Hash
1400 | SHA2-256 | Raw Hash
10800 | SHA2-384 | Raw Hash
1700 | SHA2-512 | Raw Hash
17300 | SHA3-224 | Raw Hash
17400 | SHA3-256 | Raw Hash
17500 | SHA3-384 | Raw Hash
17600 | SHA3-512 | Raw Hash
17700 | Keccak-224 | Raw Hash
17800 | Keccak-256 | Raw Hash
17900 | Keccak-384 | Raw Hash
18000 | Keccak-512 | Raw Hash
Then create a text file with the hash using the following command. Replace the hash in the example with the hash you
want to crack when cracking other hashes.
echo "5f4dcc3b5aa765d61d8327deb882cf99" > ./hash.txt
The next step is to find a dictionary. For most CTF games, the rockyou wordlist is usually enough.
For simplicity, move the wordlist to the folder that you are using hashcat in.
Use the following command to run a dictionary attack on the hash. -a 0 specifies a dictionary attack.
-m 0 specifies the hash mode to be 0, which is the hash mode for MD5 we found previously.
Replace ./hash.txt with the path of the text file containing the hash and ./rockyou.txt with the path of the text file containing the wordlist if
you are using different filenames or locations.
hashcat -a 0 -m 0 ./hash.txt ./rockyou.txt
Once hashcat starts running, something like the following should appear:
livelycarpet87@livelycarpet87-desktop:~$ hashcat -a 0 -m 0 ./hash.txt /home/livelycarpet87/Documents/rockyou.txt
hashcat (v5.1.0) starting...
* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce RTX 2070 SUPER, 1993/7974 MB allocatable, 40MCU
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.
Watchdog: Temperature abort trigger set to 90c
* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=1 -D VENDOR_ID=32 -D CUDA_ARCH=705 -D AMD_ROCM=0 -D VECT_SIZE=1 -D DEVICE_TYPE=4 -D DGST_R0=0 -D DGST_R1=3 -D DGST_R2=2 -D DGST_R3=1 -D DGST_ELEM=4 -D KERN_TYPE=0 -D _unroll'
* Device #1: Kernel m00000_a0-pure.5fbc4c79.kernel not found in cache! Building may take a while...
Dictionary cache hit:
* Filename..: /home/livelycarpet87/Documents/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
5f4dcc3b5aa765d61d8327deb882cf99:password
Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: 5f4dcc3b5aa765d61d8327deb882cf99
Time.Started.....: Sun Jul 25 00:20:43 2021 (1 sec)
Time.Estimated...: Sun Jul 25 00:20:44 2021 (0 secs)
Guess.Base.......: File (/home/livelycarpet87/Documents/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 145.3 MH/s (3.33ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 2621440/14344384 (18.28%)
Rejected.........: 0/2621440 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 123456 -> yayolin247
Hardware.Mon.#1..: Temp: 42c Fan: 44% Util: 1% Core:1920MHz Mem:6801MHz Bus:16
Started: Sun Jul 25 00:20:40 2021
Stopped: Sun Jul 25 00:20:44 2021
As you can see on the line of output 5f4dcc3b5aa765d61d8327deb882cf99:password, hashcat tried password
from our wordlist file and found that it matched our target hash, thus cracking it. Success!
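The hash-and-compare loop behind the dictionary attack above (and the guessing process described at the top of this page), written out in Python as an added example that is not part of the original tutorial or of Hashcat. SAMPLE_WORDLIST is a constructed five-word stand-in for rockyou.txt, and the PBKDF2 salt and iteration count are assumed values, included only to contrast a salted, iterated hash with raw MD5.

```python
import hashlib
import hmac

# The MD5 hash used throughout this tutorial (hashcat mode 0).
TARGET_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"
# Constructed five-word sample standing in for rockyou.txt.
SAMPLE_WORDLIST = "123456\n12345\n123456789\npassword\niloveyou\n"


def md5_raw(data):
    """Unsalted single-round MD5: one cheap operation per guess."""
    return hashlib.md5(data).digest()


def pbkdf2_with(salt, iterations):
    """Salted, iterated alternative (salt and iteration count are assumed values)."""
    def hash_fn(data):
        return hashlib.pbkdf2_hmac("sha256", data, salt, iterations)
    return hash_fn


def dictionary_attack(target_hex, candidates, hash_fn):
    """Hash each candidate and compare; return (plaintext or None, guesses made)."""
    target = bytes.fromhex(target_hex.strip())
    guesses = 0
    for line in candidates:
        word = line.rstrip("\r\n")
        if not word:
            continue  # skip blank lines in the wordlist
        guesses += 1
        if hmac.compare_digest(hash_fn(word.encode("utf-8")), target):
            return word, guesses
    return None, guesses


def crack_tutorial_hash():
    """Run the tutorial's MD5 target against the constructed sample wordlist."""
    return dictionary_attack(TARGET_MD5, SAMPLE_WORDLIST.splitlines(), md5_raw)


if __name__ == "__main__":
    print(crack_tutorial_hash())
    # Same password stored with a per-user salt and 100,000 rounds: the guess
    # still succeeds, but each attempt now costs 100,000 HMAC rounds, and a
    # different salt per user means one guess cannot be tested against every hash.
    slow = pbkdf2_with(b"constructed-salt", 100_000)
    stored = slow(b"password").hex()
    print(dictionary_attack(stored, SAMPLE_WORDLIST.splitlines(), slow))
```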
Hope this helps and happy cracking!