Working efficiently with Hashcat
Hashcat (https://hashcat.net/hashcat/) is one of those tools you frequently see being used in tutorials and videos to crack password hashes, typically using a wordlist such as rockyou.txt or utilising other resources such as Daniel Miessler's excellent SecLists repo: https://github.com/danielmiessler/SecLists/tree/master/Passwords
Cracking is typically done on a GPU in a dedicated machine or "cracking rig", which often contains multiple GPUs; this obviously speeds up the computational effort and therefore reduces the time required to crack the hashes.
Whilst these are great resources, you are relying on the password being present inside a wordlist in order for the crack to be successful. Sometimes this just isn't the case, so you need to think outside of the box, and this is where we can take advantage of the "Rules" feature of Hashcat.
Rules
Rules allow us to extend the words that we find in a wordlist in a way that mimics real-world user passwords. For example, we can add characters to either the start or the end of a word, toggle character case from lowercase to uppercase, or even do character replacement.
Take the word "password" for example - we could do the following:
Replace the p with a capital P, so we now have: Password
Replace the a with an @ symbol, so we now have: P@ssword
Append a character to the end of the word, changing P@ssword to P@ssword! - which adds an exclamation mark to the end of the word.
Using rules allows us to have smaller wordlists but comes with the drawback of slightly slower cracking times.
Creating your own rules
Creating your own rules is easy: you simply need to decide on what your custom rule will include and then create a .rule file. Within your Hashcat directory you will find a rules folder which contains a whole heap of preconfigured rules, which I encourage you to investigate further.
Fire up any text editor and then add your custom rule, which goes into the file in the format $2$0$2$2 - this essentially reads as "append 2022", since each $ appends one character. Save the file as a .rule file inside the rules folder and then you can target it with the following command:
hashcat.exe -a 0 -m 1000 C:\Tools\hashcat\captured-ntlm.txt C:\Tools\hashcat\wordlist.txt -r rules\add-years.rule
So first off I have the captured-ntlm.txt file, which contains my hash: 2BC9E69EC83C2938F64309686D603FC0
I then set wordlist.txt, which contains the following list of names:
Jim
Chris
Bob
Alice
Smithy
Finally, use the -r flag to target the add-years.rule file which we created previously.
Hashcat will then use the add-years.rule file and append 2022 to the end of each of the words within the wordlist when it is attempting to crack the hash:
Jim2022
Chris2022
Bob2022
Alice2022
Smithy2022
As you can see below, Hashcat is successful:
2bc9e69ec83c2938f64309686d603fc0:Chris2022
Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: 2bc9e69ec83c2938f64309686d603fc0
Time.Started.....: Thu Aug 25 17:37:37 2022 (0 secs)
Time.Estimated...: Thu Aug 25 17:37:37 2022 (0 secs)
Guess.Base.......: File (wordlist.txt)
Guess.Mod........: Rules (rules\add-years.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 325.0 kH/s (0.02ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 66/66 (100.00%)
Rejected.........: 0/66 (0.00%)
Restore.Point....: 0/66 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: Jim2022 -> GENESISoneONE!2022
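As an added example (not code from the post), here is a small Python model of what -a 0 -r does: a rule interpreter for the functions used above ($X append, ^X prepend, sXY substitute, c capitalise, l/u case), and an NTLM check with a pure-Python MD4 so it runs offline, used to recover Chris2022 from the post's hash, wordlist and add-years.rule. The candidate order and the rule subset are simplifications of hashcat's own engine.

```python
def md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320); hashlib's md4 is disabled on many OpenSSL 3 builds.
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + (8 * len(data)).to_bytes(8, "little")
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, additive constant, message-word order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    for off in range(0, len(msg), 64):
        x, (a, b, c, d) = [int.from_bytes(msg[q:q + 4], "little") for q in range(off, off + 64, 4)], h
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate the registers for the next step
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return b"".join(v.to_bytes(4, "little") for v in h)

def ntlm(password: str) -> bytes:
    # NTLM (hashcat -m 1000) is MD4 over the UTF-16LE encoding of the password.
    return md4(password.encode("utf-16-le"))
SIMPLE = {"l": str.lower, "u": str.upper, "c": lambda w: w[:1].upper() + w[1:].lower()}

def apply_rule(word: str, rule: str) -> str:
    # Apply one rule line; subset of hashcat's functions: l u c $X ^X sXY (spaces optional).
    out, i = word, 0
    while i < len(rule):
        f, i = rule[i], i + 1
        if f in SIMPLE:
            out = SIMPLE[f](out)
        elif f == "$":  # append one character
            out, i = out + rule[i], i + 1
        elif f == "^":  # prepend one character
            out, i = rule[i] + out, i + 1
        elif f == "s":  # replace every X with Y
            out, i = out.replace(rule[i], rule[i + 1]), i + 2
        elif f != " ":
            raise ValueError(f"rule function {f!r} not implemented in this example")
    return out

def crack(target_hex: str, wordlist, rules):
    # Same candidate order as hashcat -a 0 -r: every rule applied to every word; None if no hit.
    target = bytes.fromhex(target_hex)
    return next((c for w in wordlist for r in rules if ntlm(c := apply_rule(w, r)) == target), None)
TARGET = "2BC9E69EC83C2938F64309686D603FC0"  # the post's captured-ntlm.txt
WORDLIST = ["Jim", "Chris", "Bob", "Alice", "Smithy"]  # the post's wordlist.txt
RULES = ["$2$0$2$2"]  # the post's add-years.rule
```

crack(TARGET, WORDLIST, RULES) returns "Chris2022", matching the hashcat session above.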
Masks
Taking things one step further, we can use masks to be more selective over the keyspace in certain positions within a word. For example, it's common for people to use a pattern in their passwords such as a capital letter, then lowercase letters, and then follow up with a number, say 1.
Trying to brute force a password of nine characters including uppercase, lowercase and numbers is just not feasible unless you have a very high-powered GPU. This is where masks come into play, as we can use them to attack password patterns in a more efficient way by limiting ourselves to certain character sets in certain positions - for example, only using a capital letter for the first position, then lowercase for the rest of the positions, and then a number for the final position.
In order to see the charsets available we can use the command:
C:\Tools\hashcat>hashcat64.exe --help
- [ Built-in Charsets ] -
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
We can then use these charsets in our command:
C:\Tools\hashcat>hashcat64.exe -a 3 -m 1000 C:\Tools\hashcat\new-ntlm.txt ?u?l?l?l?l?l?l?l?d
-a 3 specifies the mask attack, -m 1000 specifies the hash mode for NTLM, and ?u?l?l?l?l?l?l?l?d gives the character set for each position, and therefore the length, that we are attempting to brute force.
So in this example we are saying:
1st Character - Try uppercase only
2nd Character - Try lowercase only
3rd Character - Try lowercase only
4th Character - Try lowercase only
5th Character - Try lowercase only
6th Character - Try lowercase only
7th Character - Try lowercase only
8th Character - Try lowercase only
9th Character - Try numbers 0-9 only
This quickly reveals the hash value 64F12CDDAA88057E06A81B54E73B949B to be Password1.
If we want to try a special character on the end, then we can add ?s onto the end of our mask like so:
C:\Tools\hashcat>hashcat64.exe -a 3 -m 1000 C:\Tools\hashcat\new-ntlm.txt ?u?l?l?l?l?l?l?l?d?s
Hashcat will then attempt each of the characters in the ?s charset shown in the help output above (!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~) as the last character.
Using masks in this way certainly helps speed things along; however, its flaw is that we are having to define the number of characters that we are attempting to brute force. If the password is shorter or longer than nine characters, then we aren't going to be able to crack the hash without adjusting the mask and running it multiple times, right?
Actually, the answer is that we don't need to run it over and over for each length we want to target: Hashcat has that covered by the use of mask files.
We can take the syntax that we saw above and add it to a Hashcat mask file with the different lengths we would like to attempt to brute force. Our file, named custom.hcmask and saved in the Hashcat directory, would have the following contents:
?d?s,?u?l?l?l?l?s
?d?s,?u?l?l?l?l?l?s
?d?s,?u?l?l?l?l?l?l?s
?d?s,?u?l?l?l?l?l?l?l?s
?d?s,?u?l?l?l?l?l?l?l?l?s
The ?d?s before the comma defines a custom charset (referenced in a mask as ?1) made up of digits and special characters; ?s uses special characters; ?u uses uppercase only; ?l uses lowercase only.
This would attempt to brute force words five to nine characters long, with a special character on the end.
We then use the following command to use our custom mask file against our another-ntlm.txt file.
C:\Tools\hashcat>hashcat64.exe -a 3 -m 1000 C:\Tools\hashcat\another-ntlm.txt C:\Tools\hashcat\custom.hcmask
Another advantage of using masks is that you can define a static string and then use the charsets from above to add any other keywords or numbers. Again, this would be stored in a .hcmask file and used with the following command:
C:\Tools\hashcat>hashcat64.exe -a 3 -m 1000 C:\Tools\hashcat\another-ntlm.txt C:\Tools\hashcat\example2.hcmask
The contents of the hcmask file:
SuperSecurePassword?d
SuperSecurePassword?d?d
SuperSecurePassword?d?d?d
SuperSecurePassword?d?d?d?d
SuperSecurePassword?d?d?d?d?d
With ?d being the digits 0123456789 - handy if you think someone might be using a name and date of birth as a password, e.g. SuperSecurePassword15612
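Added example, not from the post: a parser for .hcmask lines (custom charsets before the commas, ?1 to ?4 references, the built-in charsets from the --help table above, literal characters, and ?? for a literal question mark) that computes the keyspace a mask generates, so you can compare ?u?l?l?l?l?l?l?l?d with a full ?a mask and total the post's custom.hcmask and example2.hcmask before running them. It assumes hashcat's ?s includes the leading space that the help listing trims, and does not handle the \, escape for literal commas.

```python
BUILTIN = {  # hashcat's built-in charsets; ?s begins with a space, which the --help listing trims
    "l": "abcdefghijklmnopqrstuvwxyz", "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789", "h": "0123456789abcdef", "H": "0123456789ABCDEF",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~", "b": bytes(range(256)).decode("latin-1")}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]  # the 95 printable ASCII

def expand_charset(spec: str, custom: dict) -> str:
    # Expand '?d?s' or 'abc?1' into concrete characters; duplicates collapse, as hashcat does.
    out, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]  # '??' is a literal '?', ?1-?4 are custom, anything else built-in
            out.extend("?" if key == "?" else custom[key] if key in "1234" else BUILTIN[key])
            i += 2
        else:
            out.append(spec[i])
            i += 1
    return "".join(dict.fromkeys(out))

def parse_mask_line(line: str) -> list:
    # One .hcmask line is 'custom1,custom2,...,mask'; returns the charset for each position.
    *custom_specs, mask = line.split(",")  # a literal comma would need hashcat's '\,' escape (not handled)
    custom = {}
    for n, spec in enumerate(custom_specs, 1):
        custom[str(n)] = expand_charset(spec, custom)  # ?2 may reference ?1, and so on
    positions, i = [], 0
    while i < len(mask):
        step = 2 if mask[i] == "?" and i + 1 < len(mask) else 1  # '?x' is one position
        positions.append(expand_charset(mask[i:i + step], custom))
        i += step
    return positions

def keyspace(line: str) -> int:
    # Number of candidates one mask line generates: product of the per-position charset sizes.
    n = 1
    for charset in parse_mask_line(line):
        n *= len(charset)
    return n

def file_keyspace(lines) -> int:
    # Total for a whole .hcmask file; hashcat works through the lines one after another.
    return sum(keyspace(l) for l in lines if l.strip() and not l.startswith("#"))

# The post's two mask files, reconstructed inline so this runs offline.
CUSTOM_HCMASK = ["?d?s,?u" + "?l" * n + "?s" for n in range(4, 9)]  # custom.hcmask
EXAMPLE2_HCMASK = ["SuperSecurePassword" + "?d" * n for n in range(1, 6)]  # example2.hcmask
```

Dividing a keyspace by the Speed.#1 figure from a hashcat status line gives a rough worst-case runtime for that mask.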
Hopefully this post has given you some hints and tips to help speed up your hash cracking. Thanks for reading.