Hashcat

World’s fastest password cracker. World’s first and only in-kernel rule engine.

 

Features:

  • Free
  • Open-Source (MIT License)
  • Multi-OS (Linux, Windows and OSX)

Reference:
https://hashcat.net/hashcat/

 


Main parameters

-a: Attack Modes

0 = Straight
1 = Combination
2 = Toggle case
3 = Brute Force
See also:
https://hashcat.net/wiki/doku.php?id=combinator_attack
https://hashcat.net/wiki/doku.php?id=toggle_case_attack

-m: Hash Type

0 = MD5
50 = HMAC-MD5
1000 = NTLM
1400 = SHA256

 


Straight attack

The dictionary attack, or “straight mode,” is a very simple attack mode. It is also known as a “Wordlist attack”.

hashcat -a 0 -m <hash type> <hash_encrypt_file> <password dictionary file>

password dictionary file

  • Online
    https://samsclass.info/123/proj10/500_passwords.txt

  • In Kali
    gzip -d /usr/share/wordlists/rockyou.txt.gz
    Rockyou contains 14 million unique passwords.

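-r: Rule-based Attack

Specifies a set of rules for transforming the words in a dictionary. This approach starts from an existing dictionary and applies rules to generate more candidate passwords. How it works: Hashcat takes each word from the dictionary file and applies the specified rules to transform it. For example:

  • Convert all letters to upper case or lower case.
  • Append digits or symbols to the end of the word.
  • Reverse the order of the word.

ex: read words from the dictionary /path/to/wordlist.txt and transform them according to the rules in rockyou-30000.rule, trying more variants to crack the password.

# hashcat -m 0 -a 0 -r /usr/share/hashcat/rules/rockyou-30000.rule hashes.txt /path/to/wordlist.txt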

Reference:
https://uwnthesis.wordpress.com/2013/08/07/kali-how-to-crack-passwords-using-hashcat/

 


Brute-force attack

Tries all combinations from a given keyspace. It is the easiest of all the attacks.

hashcat -m 0 -a 3 --increment [other parameter] <hash_encrypt_file> <mask>

-i, --increment (optional):

specifies that the length of the password candidates should not be fixed, but should increase in length

mask (required): built-in charsets for brute-force

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 – 0xff

other parameters
--increment-min 4: set the minimum length of the password candidates to 4 (in this case)
--increment-max 6: set the maximum length of the password candidates to 6 (in this case)

ex:
if md5(123456) is e10adc3949ba59abbe56e057f20f883e
# echo e10adc3949ba59abbe56e057f20f883e > hash.txt
# hashcat -m 0 -a 3 -i hash.txt ?d?d?d?d?d?d
...omit...
e10adc3949ba59abbe56e057f20f883e:123456
All hashes have been recovered
Input.Mode: Mask (?d?d?d?d?d?d) [6]
Index.....: 0/1 (segment), 1000000 (words), 0 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 662.08k words
Progress..: 654324/1000000 (65.43%)
Running...: 00:00:00:01
Estimated.: --:--:--:--

ex:
try md5(abcd12)
# hashcat -m 0 -a 3 hashes.txt ?l?l?l?l?d?d
...omit...

ex:
if md5(123456) is e10adc3949ba59abbe56e057f20f883e
# echo e10adc3949ba59abbe56e057f20f883e > hash.txt
# hashcat -n 2 -m 0 -a 3 --pw-min 9 hash.txt ?d?d?d?d?d?d?d?d?d
ps:
-n 2 = 2 threads
--pw-min 9 = minimum of 9 digits
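
The size of the keyspace a mask describes, and how --increment changes it, worked through in Python as an added example (not part of the original page and not hashcat's own code). It shows how each extra position or larger charset multiplies the work a brute-force run needs; the function names are assumptions, custom charsets (?1 to ?4) are not handled, and the rate used in the test is the one printed in the sample output above.

```python
import math

# Sizes of the built-in charsets listed in the mask table on this page.
CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256}


def parse_mask(mask):
    """Return the number of possible characters at each mask position."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)          # literal character: one choice
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            sizes.append(1)          # '??' is a literal question mark
        elif key in CHARSETS:
            sizes.append(CHARSETS[key])
        else:
            raise ValueError(f"unsupported charset ?{key}")
        i += 2
    return sizes


def keyspace(mask, increment=False, inc_min=1, inc_max=None):
    """Count candidates for a mask; with increment, sum over every length."""
    sizes = parse_mask(mask)
    full = len(sizes)
    if increment:
        top = full if inc_max is None else min(inc_max, full)
        lengths = range(inc_min, top + 1)
    else:
        lengths = [full]
    # With --increment the mask is truncated to its first n positions.
    return sum(math.prod(sizes[:n]) for n in lengths)


def worst_case_seconds(candidates, per_second):
    """Time to exhaust the keyspace at a given candidate rate."""
    return candidates / per_second


if __name__ == "__main__":
    for m in ("?d?d?d?d?d?d", "?l?l?l?l?d?d", "?a?a?a?a?a?a?a?a"):
        print(m, keyspace(m))
```

The first mask gives 1000000, matching the "1000000 (words)" line in the sample output; real rates depend on hardware and hash type.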

 

Reference:
https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#why_should_i_use_a_mask_attack_i_just_want_to_brute_these_hashes