in Resources

How to Crack Passwords Using Hashcat [Complete Guide]

Password cracking is an essential skill in cybersecurity, especially for penetration testers. When testing the security of a system, being able to break hashed passwords allows deeper access for analyzing vulnerabilities.

Hashcat is one of the most powerful password recovery tools available. This comprehensive guide will teach you how to install Hashcat and use it to crack password hashes quickly and efficiently.

What is Password Hashing?

Most systems do not store passwords in plain text. Instead, passwords are hashed using cryptographic hash functions before being stored.

Common hashing algorithms include:

  • MD5
  • SHA-1
  • SHA-256
  • SHA-512

These hash functions are designed to be one-way, meaning it‘s virtually impossible to reverse the hashing process to reveal the original password.

Hashing enables secure password storage. Even if hashed passwords are compromised, attackers must crack the hashes to reveal passwords.

Introducing Hashcat

Hashcat is an advanced password recovery tool designed for high-speed cracking of hashed passwords. Key features include:

  • GPU acceleration – Leverages GPUs for faster hash cracking compared to CPU-only tools.

  • Distributed cracking – Supports cracking networks through the use of hashcat "masks" for sharing workload.

  • Hash types – Supports cracking of many common hash types including MD5, SHA-1, SHA-2, NTLM, and more.

  • Wordlists – Ability to use custom wordlists for dictionary and brute force attacks.

  • Rules – Apply "rules" to mutate wordlists and create more password guesses.

  • Benchmarking – Compare cracking speeds across systems to identify optimal setups.

Hashcat is free and open source software available for Linux, Windows, and macOS. For optimal performance, using the GPU version on Linux is recommended.

Installing Hashcat in Kali Linux

For this guide, we will install Hashcat in Kali Linux, a penetration testing distro which comes pre-installed with many useful security tools.

First, update the package lists and upgrade installed packages:

sudo apt update && sudo apt upgrade

Hashcat is included in Kali by default, but can also be installed manually:

sudo apt install hashcat

This installs the CPU version. For GPU acceleration, install the hashcat-cuda or hashcat-opencl packages instead.

With Hashcat installed, you‘re ready to start cracking hashes!

Generating Password Hashes

To demonstrate Hashcat, we first need some password hashes to crack.

Here is an example of generating an MD5 hash for the password password123:

echo -n "password123" | md5sum | tr -d "-"

This pipes the password into the md5sum tool, hashes it with MD5, and outputs just the hash digest.

You can generate hashes for additional passwords and save them to a file like hashes.txt to create a list of hashes.

Basic Usage

The basic syntax for Hashcat is:

hashcat -a [attack mode] -m [hash type] [hash file] [wordlist file]

For example, to perform a dictionary attack on an MD5 hash using rockyou.txt wordlist:

hashcat -a 0 -m 0 hashes.txt rockyou.txt

The attack mode -a defines the cracking mode, while -m specifies the hash type.

Attack Modes

Hashcat supports multiple attack modes including:

  • 0 = Straight dictionary attack
  • 1 = Combination attack
  • 3 = Brute-force attack
  • 6 = Hybrid dictionary + mask attack
  • 7 = Hybrid mask + dictionary attack

Hash Types

Supported hash types include:

  • 0 = MD5
  • 100 = SHA1
  • 1400 = SHA2-256
  • 1700 = SHA2-512
  • 1000 = NTLM

And many more.

Cracking Session

Let‘s walk through a full password cracking session using a hashes file and the Rockyou wordlist:

hashcat -a 0 -m 0 hashes.txt /usr/share/wordlists/rockyou.txt

Hashcat will first benchmark the system to estimate cracking speed. Then it will start cracking through the wordlist to identify matches.

The output will show progress, cracked passwords, speed, and other statistics. Any errors will also be displayed.

At the end of the session, the successfully cracked hashes and their associated passwords will be shown.

Tips for Better Performance

To improve Hashcat performance, here are some tips:

  • Use word mangling rules to generate additional password guesses from wordlists.

  • Optimize hardware by using GPUs and systems with fast CPUs.

  • Benchmark different GPUs to identify the best options for your budget.

  • Try a hybrid attack mode like mask + dictionary to add more password permutations.

  • Use a larger dictionary size and generate customized wordlists for the target.

  • Take advantage of distributed cracking by running Hashcat on multiple systems.

  • Enable optimizations like bitmap acceleration to increase speed.

Hashcat vs. John the Ripper

John the Ripper is likely Hashcat‘s closest competitor for password cracking.

Compared to John, Hashcat generally has better performance thanks to its GPU acceleration and other optimizations. Hashcat also supports more hash types.

However, John is easier to use, especially for beginners. It also runs on more platforms including mobile devices.

In summary, Hashcat has superior cracking speeds, while John offers greater usability and flexibility.

Ethical Considerations

Password cracking carries some ethical risks. Only use these tools against authorized systems like your own accounts or when permitted during pentesting engagements.

Cracking passwords without permission is highly unethical and may be illegal depending on the circumstances. Please exercise good judgement when using Hashcat or other password recovery software.

Conclusion

Hashcat is one of the most advanced password cracking tools available today. Proper use requires an understanding of password hashing, Hashcat‘s capabilities, and techniques to optimize performance.

This guide covers the basics of installing Hashcat, generating password hashes, executing dictionary and brute force attacks, interpreting output, and achieving better speeds.

There is still much more to learn about Hashcat‘s advanced functionality. For further reading, the Hashcat wiki provides excellent documentation and references.

With practice, Hashcat can become an invaluable asset for your penetration testing and ethical hacking toolbox. Use it legally and ethically to evaluate password security.

AlexisKestler

Written by Alexis Kestler

A female web designer and programmer - Now is a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.