hashcat cheat sheet

Guri Bee

3 min read

·

22-10-2024

1

0

Share

Hashcat Cheat Sheet: A Comprehensive Guide for Password Cracking

Hashcat is a powerful and popular password cracking tool, widely used by security professionals and ethical hackers. It offers a vast array of features and algorithms for cracking various hash types, making it a powerful tool for password recovery and security audits.

This article serves as a comprehensive Hashcat cheat sheet, providing a concise overview of its key features, common attack modes, and practical examples.

Understanding Hashcat

Hashcat is a command-line tool that uses various algorithms to crack password hashes. These algorithms are specifically designed to attempt different combinations of characters, patterns, and dictionary words to match the original password.

How Hashcat Works:

1. Hash Input: You provide Hashcat with a list of password hashes to crack.
2. Algorithm Selection: You specify the hashing algorithm used to generate the hashes (e.g., MD5, SHA1, bcrypt).
3. Attack Mode: You choose the attack mode (e.g., dictionary attack, brute force, rule-based attack).
4. Wordlist/Mask: You provide a wordlist or mask for Hashcat to use in its attacks.
5. Hashcat Processing: Hashcat compares the hashes generated from the wordlist or mask against the input hashes.
6. Result Output: Hashcat outputs the cracked passwords and corresponding hashes.

Key Features and Components

1. Attack Modes: Hashcat supports various attack modes for different cracking scenarios:

• Dictionary Attack: Uses a pre-compiled wordlist of common passwords and phrases. (e.g., -a 0)
• Brute-force Attack: Tries all possible combinations of characters, patterns, and numbers within a specified range. (e.g., -a 1)
• Hybrid Attack: Combines dictionary words with brute-force combinations. (e.g., -a 3)
• Rule-based Attack: Applies rules to modify dictionary words to generate new password variations. (e.g., -a 6)
• Combinator Attack: Generates combinations of characters, numbers, and symbols based on defined rules. (e.g., -a 7)

2. Hashing Algorithms: Hashcat supports a wide array of hashing algorithms, including:

• MD5
• SHA1
• SHA256
• bcrypt
• scrypt
• PBKDF2
• And many more...

3. Wordlists: You can use pre-built wordlists or create your own tailored wordlists for specific scenarios.

4. Masks: Masks define character sets and lengths for brute-force attacks, allowing you to target specific password patterns.

5. Rules: Rules are used to modify dictionary words and generate new password variations based on specific patterns.

Practical Examples

Example 1: Cracking MD5 hashes using a dictionary attack:

hashcat -m 0 -a 0 hashes.txt wordlist.txt

• -m 0: Specifies the MD5 hash algorithm.
• -a 0: Selects the dictionary attack mode.
• hashes.txt: File containing the MD5 hashes to crack.
• wordlist.txt: Wordlist file to use for the attack.

Example 2: Cracking SHA256 hashes using a brute-force attack with a custom mask:

hashcat -m 1400 -a 1 hashes.txt ?l?l?l?d?d?d?d?d

• -m 1400: Specifies the SHA256 hash algorithm.
• -a 1: Selects the brute-force attack mode.
• hashes.txt: File containing the SHA256 hashes to crack.
• ?l?l?l?d?d?d?d?d: A mask defining the password structure: three lowercase letters, followed by five digits.

Example 3: Cracking bcrypt hashes using a hybrid attack with a rule:

hashcat -m 3200 -a 3 hashes.txt wordlist.txt --rules rules.txt

• -m 3200: Specifies the bcrypt hash algorithm.
• -a 3: Selects the hybrid attack mode.
• hashes.txt: File containing the bcrypt hashes to crack.
• wordlist.txt: Wordlist file to use for the attack.
• --rules rules.txt: Specifies a rule file to modify the dictionary words.

Finding the Right Approach

The choice of attack mode, wordlist, and rules depends entirely on the target hash type and the expected password complexity. For stronger passwords, brute-force attacks might be necessary, while dictionary attacks may be sufficient for weaker passwords.

Ethical Considerations

Hashcat is a powerful tool, but its use should always be ethical and responsible. Only use it for legitimate purposes, such as password recovery for your own accounts or security audits with proper authorization. Avoid targeting systems or individuals without consent, as this can be considered illegal and unethical.

Resources and Further Learning

• Hashcat Official Website: https://hashcat.net/
• Hashcat Documentation: https://hashcat.net/wiki/doku.php
• Hashcat GitHub Repository: https://github.com/hashcat/hashcat
• Hashcat Forum: https://hashcat.net/forum/

Conclusion

This cheat sheet provides a basic introduction to Hashcat and its essential features. Remember, password cracking is a complex field, and success depends on understanding the target system, password complexity, and choosing the right tools and techniques. By mastering Hashcat's features and utilizing resources like the official documentation, you can effectively crack passwords and improve your security knowledge.