HASHCAT

INSTALLATION

root@oco:~$ sudo apt search hashcat
 hashcat/parrot6,now 6.2.6+ds1-1+b1 amd64 [installed]
  World's fastest and most advanced password recovery utility
  
root@oco:~$ sudo apt install hashcat
 ...

CRACKING: MD5 HASHES

root@oco:~$ hash-identifier
 HASH: cc03e747a6afbbcbf8be7668acfebee5             
 Possible Hashs:
 [+] MD5
 [+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

root@oco:~$ echo -n '{passwordHash}' > passwordHash
root@oco:~$ hashcat --help | grep -i md5
 0 | MD5                                                        | Raw Hash
 
root@oco:~$ hashcat -a 0 -m 0 passwordHash /usr/share/wordlists/rockyou.txt
 Dictionary cache hit:
 * Filename..: rockyou.txt
 * Passwords.: 14344384
 * Bytes.....: 139921497
 * Keyspace..: 14344384

 cc03e747a6afbbcbf8be7668acfebee5:test123                  
                                                          
 Session..........: hashcat
 Status...........: Cracked
 Hash.Mode........: 0 (MD5)
 Hash.Target......: cc03e747a6afbbcbf8be7668acfebee5
 Time.Started.....: Sun Oct 26 20:55:20 2025 (0 secs)
 Time.Estimated...: Sun Oct 26 20:55:20 2025 (0 secs)
 Kernel.Feature...: Pure Kernel
 Guess.Base.......: File (rockyou.txt)
 Guess.Queue......: 1/1 (100.00%)
 Speed.#1.........:  1914.9 kH/s (0.45ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
 Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
 Progress.........: 20480/14344384 (0.14%)
 Rejected.........: 0/20480 (0.00%)
 Restore.Point....: 16384/14344384 (0.11%)
 Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
 Candidate.Engine.: Device Generator
 Candidates.#1....: chatty -> michael!
 Hardware.Mon.#1..: Util: 27%

 Started: Sun Oct 26 20:55:19 2025
 Stopped: Sun Oct 26 20:55:22 2025

 * the "-a 0" specifies the attack mode. 0 means straight mode, which is the simplest 
   and most common mode where hashcat attempts to crack the hash by directly using 
   wordlist entries.

 * the "-m 0" specifies the hash type. 0 means MD5 hashes. So, hashcat will treat the 
   hashes in the hash file as MD5.

CRACKING: BLOWFISH (AKA BCRYPT) HASHES

#identify the hash type
root@oco:~$ hash-identifier
 ...
root@oco:~$ hashcat --help
 3200 | bcrypt $2*$, Blowfish (Unix) | Operating System

# basic dictionary attack
root@oco:~$ hashcat -a 0 -m 3200 '$2a$10$ZruXsBS5PeVeUz77d2fxJec3jOSCmmXB3TliE/iQ5tkgTmnpJDeZq' rockyou.txt
 * ALT: hashcat -m 3200 -a 0 hashes.txt /path/to/wordlist.txt --status --status-timer=10 --potfile-path=hashcat.pot
 
 * must use single quote to prevent the shell from interpreting the special characters

CRACKING: SHA1 HASHES

root@oco:~$ hash-identifier
 ...
root@oco:~$ hashcat --help
 100 | SHA1                                                       | Raw Hash
 
root@oco:~$ hashcat -a 0 -m 100 'pwHash' wordlist.txt

CRACKING: SHA512 HASHES

root@oco:~$ hash-identifier
 HASH: b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86
 Possible Hashs:
 [+] SHA-512
 [+] Whirlpool

root@oco:~$ hashcat --help | grep -i sha512                                         
  1770 | sha512(utf16le($pass))                                     | Raw Hash
  1710 | sha512($pass.$salt)                                        | Raw Hash salted and/or iterated
  1720 | sha512($salt.$pass)                                        | Raw Hash salted and/or iterated
  1740 | sha512($salt.utf16le($pass))                               | Raw Hash salted and/or iterated
  1730 | sha512(utf16le($pass).$salt)                               | Raw Hash salted and/or iterated
  1750 | HMAC-SHA512 (key = $pass)                                  | Raw Hash authenticated
  1760 | HMAC-SHA512 (key = $salt)                                  | Raw Hash authenticated
 12100 | PBKDF2-HMAC-SHA512                                         | Generic KDF
 27300 | SNMPv3 HMAC-SHA512-384                                     | Network Protocol
  6500 | AIX {ssha512}                                              | Operating System
 19200 | QNX /etc/shadow (SHA512)                                   | Operating System
 22200 | Citrix NetScaler (SHA512)                                  | Operating System
  7100 | macOS v10.8+ (PBKDF2-SHA512)                               | Operating System
  1800 | sha512crypt $6$, SHA512 (Unix)                             | Operating System
  1711 | SSHA-512(Base64), LDAP {SSHA512}                           | FTP, HTTP, SMTP, LDAP Server
 13721 | VeraCrypt SHA512 + XTS 512 bit (legacy)                    | Full-Disk Encryption (FDE)
 13722 | VeraCrypt SHA512 + XTS 1024 bit (legacy)                   | Full-Disk Encryption (FDE)
 13723 | VeraCrypt SHA512 + XTS 1536 bit (legacy)                   | Full-Disk Encryption (FDE)
 29421 | VeraCrypt SHA512 + XTS 512 bit                             | Full-Disk Encryption (FDE)
 29422 | VeraCrypt SHA512 + XTS 1024 bit                            | Full-Disk Encryption (FDE)
 29423 | VeraCrypt SHA512 + XTS 1536 bit                            | Full-Disk Encryption (FDE)
 20011 | DiskCryptor SHA512 + XTS 512 bit                           | Full-Disk Encryption (FDE)
 20012 | DiskCryptor SHA512 + XTS 1024 bit                          | Full-Disk Encryption (FDE)
 20013 | DiskCryptor SHA512 + XTS 1536 bit                          | Full-Disk Encryption (FDE)
  6221 | TrueCrypt SHA512 + XTS 512 bit (legacy)                    | Full-Disk Encryption (FDE)
  6222 | TrueCrypt SHA512 + XTS 1024 bit (legacy)                   | Full-Disk Encryption (FDE)
  6223 | TrueCrypt SHA512 + XTS 1536 bit (legacy)                   | Full-Disk Encryption (FDE)
 29321 | TrueCrypt SHA512 + XTS 512 bit                             | Full-Disk Encryption (FDE)
 29322 | TrueCrypt SHA512 + XTS 1024 bit                            | Full-Disk Encryption (FDE)
 29323 | TrueCrypt SHA512 + XTS 1536 bit                            | Full-Disk Encryption (FDE)
 28400 | bcrypt(sha512($pass)) / bcryptsha512                       | Forums, CMS, E-Commerce
 21600 | Web2py pbkdf2-sha512                                       | Framework
 20200 | Python passlib pbkdf2-sha512                               | Framework
 24500 | Telegram Desktop >= v2.1.14 (PBKDF2-HMAC-SHA512)           | Instant Messaging Service
 21000 | BitShares v0.x - sha512(sha512_bin(pass))                  | Cryptocurrency Wallet

root@oco:~$ hashcat -m 1700 -a 0 hashes.txt rockyou.txt
 Dictionary cache hit:
 * Filename..: rockyou.txt
 * Passwords.: 14344384
 * Bytes.....: 139921497
 * Keyspace..: 14344384

 b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86:password
                                                          
 Session..........: hashcat
 Status...........: Cracked
 Hash.Mode........: 1700 (SHA2-512)
 Hash.Target......: b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e0...acbc86
 Time.Started.....: Sun Oct 26 21:22:41 2025 (0 secs)
 Time.Estimated...: Sun Oct 26 21:22:41 2025 (0 secs)
 Kernel.Feature...: Pure Kernel
 Guess.Base.......: File (rockyou.txt)
 Guess.Queue......: 1/1 (100.00%)
 Speed.#1.........:  1510.1 kH/s (1.07ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
 Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
 Progress.........: 4096/14344384 (0.03%)
 Rejected.........: 0/4096 (0.00%)
 Restore.Point....: 0/14344384 (0.00%)
 Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
 Candidate.Engine.: Device Generator
 Candidates.#1....: 123456 -> oooooo
 Hardware.Mon.#1..: Util: 27%

 Started: Sun Oct 26 21:22:12 2025
 Stopped: Sun Oct 26 21:22:43 2025

CRACKING: MYSQL 160BIT

Use John the Ripper when cracking this type of hash or any hashes that starts with *

root@oco:~$ hash-identifier
 HASH: *6B4F89A54E2D27ECD7E8DA05B4AB8FD9D1D8B119
 Possible Hashs:
 [+] MySQL 160bit - SHA-1(SHA-1($pass))

root@oco:~$ ashcat --help | grep -i mysql                                
   7401 | MySQL $A$ (sha256crypt)                                    | Database Server
  11200 | MySQL CRAM (SHA1)                                          | Database Server
    200 | MySQL323                                                   | Database Server
    300 | MySQL4.1/MySQL5                                            | Database Server

root@oco:~$ ...

CRACKING: WORDLIST & LEET SPEAK MANGLING (BUILT-IN RULE)

root@oco:~$ hash-identifier
 HASH: 073158933d0377d419cd1e5dfcb4eafde8d1dd8a
 Possible Hashs:
 [+] SHA-1
 [+] MySQL5 - SHA-1(SHA-1($pass))

//create a hash file to avoid quoting or globbing
root@oco:~$ printf '%s\n' '073158933d0377d419cd1e5dfcb4eafde8d1dd8a' > hashes.txt
root@oco:~$ hashcat -m 100 -a 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule --status --status-timer=10
 ...basic mangling failed

CRACKING: WORDLIST & LEET SPEAK MANGLING (CUSTOM RULE)

root@oco:~$ hash-identifier
 HASH: 073158933d0377d419cd1e5dfcb4eafde8d1dd8a
 Possible Hashs:
 [+] SHA-1
 [+] MySQL5 - SHA-1(SHA-1($pass))
 
root@oco:~$ printf '%s\n' '073158933d0377d419cd1e5dfcb4eafde8d1dd8a' > hashes.txt

root@oco:~$ hashcat --help | grep -i sha1
 100 | SHA1                                                       | Raw Hash
 170 | sha1(utf16le($pass))                                       | Raw Hash
 
//perform common manual
root@oco:~$ hashcat -m 100 -a 6 hashes.txt rockyou.txt ?d?d --status
 ...manual mangling failed
 
//create common l33t mangling rule file
root@oco:~$ nano l33t.rule
 # single substitutions
 sa4
 se3
 si1
 so0
 ss5

 # chain all substitutions at once (replace all applicable chars)
 sa4se3si1so0ss5

 # append common suffixes
 $1
 $123
 $01
 $!

 # prepend common prefixes
 ^1
 ^123

root@oco:~$ hashcat -a 0 -m 100 hashes.txt rockyou.txt -r leet.rule --status
 Dictionary cache hit:
 * Filename..: rockyou.txt
 * Passwords.: 14344384
 * Bytes.....: 139921497
 * Keyspace..: 129099456

 073158933d0377d419cd1e5dfcb4eafde8d1dd8a:P@ssw0rd1!       
 Session..........: hashcat                                
 Status...........: Cracked
 Hash.Mode........: 100 (SHA1)
 Hash.Target......: 073158933d0377d419cd1e5dfcb4eafde8d1dd8a
 Time.Started.....: Sun Oct 26 21:32:01 2025 (1 sec)
 Time.Estimated...: Sun Oct 26 21:32:02 2025 (0 secs)
 Kernel.Feature...: Pure Kernel
 Guess.Base.......: File (rockyou.txt)
 Guess.Mod........: Rules (leet.rule)
 Guess.Queue......: 1/1 (100.00%)
 Speed.#1.........: 10478.8 kH/s (2.34ms) @ Accel:1024 Loops:9 Thr:1 Vec:8
 Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
 Progress.........: 2875392/129099456 (2.23%)
 Rejected.........: 0/2875392 (0.00%)
 Restore.Point....: 315392/14344384 (2.20%)
 Restore.Sub.#1...: Salt:0 Amplifier:0-9 Iteration:0-9
 Candidate.Engine.: Device Generator
 Candidates.#1....: biteme07 -> 1LAVIDA
 Hardware.Mon.#1..: Util: 38%
 Started: Sun Oct 26 21:32:00 2025
 Stopped: Sun Oct 26 21:32:03 2025

CRACKING: IPMI HASHES

#MASK
root@htb:~$ hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
 ...
 
#WORDLIST
root@htb:~$ hashcat -m 7300 ipmi.txt rockyou.txt
 ...

CRACKING: KERBEROS HASHES

#verify file type
root@oco:~$ file {filename.ext}
 ...
 
 * depending on the output, pick a tool to use based on the file type
    - PDF: pdfcrack, john (via pdf2john)
    - ZIP: fcrackzip, john (via zip2john

root@oco:~$ hashcat --example-hashes | grep -i {hashKeyword}
 Example.Hash...: [email protected]:3e156ada591263b8a...102ac...

PreviousJOHN THE RIPPER NextPDFCRACK

Last updated 6 days ago