Working efficiently with Hashcat

Hashcat (https://hashcat.net/hashcat/) is one of those tools you frequently see being used in tutorials and videos to crack password hashes, typically using a wordlist such as rockyou.txt or utilising other resources such as Daniel Miessler's excellent seclists repo: https://github.com/danielmiessler/SecLists/tree/master/Passwords

Cracking is typically done via a GPU on a dedicated machine or "cracking rig" which often contain multiple GPU's which obviously speeds up the computational effort and therefore reduces the time required to crack the hashes.

Whilst these are great resources, you are relying on the password to be present inside a wordlist in order for the crack to be successful.  Sometimes, this just isn't the case so you need to think outside of the box and this where we can take advantage of the "Rules" feature of Hashcat.

Rules

Rules allows us to extend the words that we find in a wordlist in way that mimics real world users passwords.  For example, we can add characters to either the start or the end of a word, or we can toggle character cases from lowercase to uppercase or even do character replacement.

Take the word "password" for example - we could do the following:

Replace the p to be a capital P so we now have: Password

Replace the a to be an @ symbol so we now have: P@ssword

Append a character to the end of the word, changing P@ssword to P@ssword! - which adds an exclamation to the end of the word.

Using rules allows us to have smaller wordlists but comes with the drawback of slightly slower cracking times.

Creating your own rules

Creating your own rules is easy, you simply need to decide on what your custom rule will include and then create a .rule file.  Within your Hashcat directory you will find a rules folder which contains a whole heap of preconfigured rules which I encourage you to investigate further.

Fire up any text editor and then add your custom rule - which goes into the file as the format of: $2$0$2$2 which essentially reads as 2022. Save the file as a  .rule inside the rules folder and then you can target it with the following command:

hashcat.exe -a 0 -m 1000 C:\Tools\hashcat\captured-ntlm.txt C:\Tools\hashcat\wordlist.txt -r rules\add-years.rule  

So first off I have the captured-ntlm.txt file which contains my hash:
2BC9E69EC83C2938F64309686D603FC0

I then set the wordlist.txt which contains the following list of names:

Jim  
Chris  
Bob  
Alice  
Smithy  

Finally, use the -r flag to target the add-years.rule which we created previously.

Hashcat will then use the add-years.rule file and append 2022 to the end of each of the words within the wordlist when its attempting to crack the hash:

Jim2022  
Chris2022  
Bob2022  
Alice2022  
Smithy2022  

As you can see below, Hashcat is successful:

2bc9e69ec83c2938f64309686d603fc0:Chris2022

Session..........: hashcat  
Status...........: Cracked  
Hash.Type........: NTLM  
Hash.Target......: 2bc9e69ec83c2938f64309686d603fc0  
Time.Started.....: Thu Aug 25 17:37:37 2022 (0 secs)  
Time.Estimated...: Thu Aug 25 17:37:37 2022 (0 secs)  
Guess.Base.......: File (wordlist.txt)  
Guess.Mod........: Rules (rules\add-years.rule)  
Guess.Queue......: 1/1 (100.00%)  
Speed.#1.........:   325.0 kH/s (0.02ms) @ Accel:1024 Loops:1 Thr:1 Vec:8  
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts  
Progress.........: 66/66 (100.00%)  
Rejected.........: 0/66 (0.00%)  
Restore.Point....: 0/66 (0.00%)  
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1  
Candidates.#1....: Jim2022 -> GENESISoneONE!2022  

Masks

Taking things one step further we can use masks to be more selective over the keyspace in certain positions within a word. For example its common for people to use a pattern in their passwords such as Capital Letter, lowercase and then follow the up with a number, say 1.

Trying to brute force a password of nine characters including uppercase, lowercase and numbers is just not feasible unless you have a very high powered GPU.  This is where masks come into play, as we can use them to attack password patterns in a more efficient way by limiting ourself to certain character sets in certain positions - for example, only using a capital letter for the first position and then lowercase for the rest of the positions and then using a number for the final position.

In order to see the charsets available we can use the command:

C:\Tools\hashcat>hashcat64.exe --help  
- [ Built-in Charsets ] -

  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
  d | 0123456789
  h | 0123456789abcdef
  H | 0123456789ABCDEF
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff

We can then use these charsets in our command:

C:\Tools\hashcat>hashcat64.exe -a 3 -m 1000 C:\Tools\hashcat\new-ntlm.txt ?u?l?l?l?l?l?l?l?d  

-a 3 specifies the mask attack
-m 1000 specifies the hash mode for NTLM
?u?l?l?l?l?l?l?l?d is the different character sets and length we are attempted to brute force.

So in this example we are saying:
1st Character - Try uppercase only
2nd Character - Try lowercase only
3rd Character - Try lowercase only
4th Character - Try lowercase only
5th Character - Try lowercase only
6th Character - Try lowercase only
7th Character - Try lowercase only
8th Character - Try lowercase only
9th Character - Try numbers 0-9 only

This quickly reveals the hash value of 64F12CDDAA88057E06A81B54E73B949B to be Password1

If we want to try a special character on the end then we can add ?s onto the end of our command like so:

C:\Tools\hashcat>hashcat64.exe -a 3 -m 1000 C:\Tools\hashcat\new-ntlm.txt ?u?l?l?l?l?l?l?l?d?s  

Hashcat will then attempt each of the following characters: !"#$%&'()*+,-./:;<=>?@[]^_`{|}~ as the last character.

Using masks in this way certainly helps speed things along, however it's flaw is that we are having to define the number of characters that we are attempting to bruteforce. If the password is shorter or longer than nine characters then we aren't going to be able crack the hash without adjusting the mask and running it multiple times, right?

Actually the answer is that we don't need to run it over and over for each length we want to target, Hashcat has that covered by the use of Mask files.

We can take the syntax that we saw above and then add it into a Hashcat Mask file with the different lengths we would like to attempt to bruteforce.  Our file name custom.hcmask which we save in the Hashcat directory would have the following contents:

?d?s,?u?l?l?l?l?s
?d?s,?u?l?l?l?l?l?s
?d?s,?u?l?l?l?l?l?l?s
?d?s,?u?l?l?l?l?l?l?l?s
?d?s,?u?l?l?l?l?l?l?l?l?s

?d defines that we are going to use a custom charset
?s defines that we are going to use special characters
?u use uppercase only
?l use lowercase only

This would attempt to brute force words five to nine characters long including a special character on the end.

We then use the following command to use our custom mask file against our another-ntlm.txt file.

C:\Tools\hashcat>hashcat64.exe -a 3 -m 1000 C:\Tools\hashcat\another-ntlm.txt C:\Tools\hashcat\custom.hcmask  

Another advantage of using masks is that you can you can define a static string and then use the charsets from above to add any other keywords or numbers, again this would be stored in a .hcmask file and used with the following command:

C:\Tools\hashcat>hashcat64.exe -a 3 -m 1000 C:\Tools\hashcat\another-ntlm.txt C:\Tools\hashcat\example2.hcmask

The contents of the hcmask file:

SuperSecurePassword?d  
SuperSecurePassword?d?d  
SuperSecurePassword?d?d?d  
SuperSecurePassword?d?d?d?d  
SuperSecurePassword?d?d?d?d?d  

With ?d being the values of 0123456789 - handy for if you think someone might be using a name and date of birth as password, ie SuperSecurePassword15612

Hopefully this post has given you some hints and tips to help speed up your hash cracking. Thanks for reading.

Photo by Dimitris Chapsoulas on Unsplash