If you are not familiar with Hashcat then you are in luck. Before I get started, Wikipedia states Hashcat is the self-proclaimed world’s fastest CPU-based password recovery tool. It is available free of charge, although it has a proprietary codebase. Versions are available for Linux, OSX, and Windows and can come in CPU-based or GPU-based variants. Hashcat currently supports a large range of hashing algorithms, including: Microsoft LM Hashes, MD4, MD5, SHA-family, Unix Crypt formats, MySQL, Cisco PIX, and many others.
The MD5 message-digest algorithm is a cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in text format as a 32 digit hexadecimal number. MD5 has been utilized in a wide variety of cryptographic applications, and is also commonly used to verify data integrity.
Unfortunately, many organizations use MD5 to hash customers’ passwords, which of course is not the correct way to protect a password, as you will gather as you work more with Hashcat. If you doubt this fact, then jump over to Have I been pwned and read about the organizations that were using MD5. If you are looking to encrypt a password or other sensitive data, be sure to read What can we learn from the 2013 Adobe database breach.
There is also a great deal to learn from the xkcd Password Strength comic.
Introduction to Hashcat
Hashcat is an extremely fast password recovery tool. It is available at no cost, and versions are available for Linux, OSX, and Windows, often in both CPU-based and GPU-based variants.
I prefer Linux and the distro of choice for me is Kali Linux! If you are not familiar with this distro and interested either in security or forensics, then you really must give it a test drive.
When you consider GPU vs CPU hashing comparisons you may be surprised just how different the options are, but in either case, they are both impressive.
- Laptop: Averages about 100 million passwords per second. (6 characters)
- Desktop (GPU: ATI Radeon): Averages about 2.2 billion passwords per second. (7 characters)
This is why recommendations are being made currently to have no less than 12 characters using uppercase, lowercase, digits, and special characters. In fact, if you are serious about your password, you should consider the use of a password manager and use as many characters as possible.
Password Lists
If you do not have a password list, I have one that I will provide to you in this article. You also may want to check out a previous article I wrote titled looking for a password or username cracking wordlist. If you are going to be performing any type of brute force attacks then you will want to build out your personal password inventory. Many individuals are willing to share their list and I for one believe in sharing information with like-minded people.
Download Password List – MD5: cb278b19e31c9b103162daedd520165a
MD5 Hash List
If you want to generate your very own MD5 hashes then you will find this MD5 hash generator very useful. For example, here is the hash list that I generated to demonstrate using Hashcat.
098f6bcd4621d373cade4e832627b4f6
1a1dc91c907325c69271ddf0c944bc72
106a6c241b8797f52e1e77317b96a201
e6d96502596d7e7887b76646c5f615d9
2ca63cddd54f9490efad22421891a9d1
69266c67e75c946ef9b4144b0554326d
Running Hashcat
When you start with Hashcat, be sure to review the help, as it provides a great deal of direction to help you be successful. For example, there are a number of attack modes and, probably more important, the hash type that you will be working with.
hashcat -m 0 -a 0 -o cracked.txt hash_list.txt passwordlist001.txt
The example above runs hashcat against the MD5 hash type using “-m 0” and a straight attack mode using “-a 0”. As well, I am sending the result out to a text file named cracked.txt. Next is the file that contains the hashes, named “hash_list.txt”, and finally the password list, named “passwordlist001.txt”.
Upon executing the hashcat command with the appropriate switches at the terminal, in a short span of time you will have the clear text version of the MD5 hash value.
The cracked listing of the original MD5 hashes is as follows:
69266c67e75c946ef9b4144b0554326d:travel
098f6bcd4621d373cade4e832627b4f6:test
1a1dc91c907325c69271ddf0c944bc72:pass
106a6c241b8797f52e1e77317b96a201:home
2ca63cddd54f9490efad22421891a9d1:house
I realize the example used here is simple and basic in nature, but the point is MD5 is easily brute forced and while the amount of time may vary based upon the hash type, it is still just a matter of time.
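The defensive counterpart to the run above, as an added example that is not part of the original article: it contrasts the unsalted MD5 record attacked here with a salted, deliberately slow PBKDF2 record. The function names, record format and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: the password "test", whose unsalted MD5 appears in the
# article's hash list as 098f6bcd4621d373cade4e832627b4f6.
ARTICLE_MD5_OF_TEST = "098f6bcd4621d373cade4e832627b4f6"

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware
SALT_BYTES = 16


def weak_md5_record(password: str) -> str:
    """The storage scheme the article attacks: one fast, unsalted MD5."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as algorithm$iterations$salt$hash."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users who both chose "test": identical MD5 rows, distinct PBKDF2 rows.
    print(weak_md5_record("test"), weak_md5_record("test"))
    first, second = strong_record("test"), strong_record("test")
    print(first, second, sep="\n")
    print(verify("test", first), verify("travel", first))
```

Because every record carries its own salt and each guess costs hundreds of thousands of HMAC rounds, a word list has to be replayed per record at a far lower rate than the MD5 figures quoted earlier.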
Conclusion
What I want you to take away is that Hashcat provides a level of capability that you otherwise may not have had previously. Also, Hashcat may be used for a number of needs, which may include hacking, penetration testing, or forensics. Be sure to visit the Hashcat wiki for more information, as well as reading more about the options provided by Hashcat.
There are several methods for password cracking available. In brute-force cracking, a computer tries every possible key or password until it succeeds. Dictionary attacks, pattern checking, word list substitution, etc., attempt to reduce the number of trials required and will usually be attempted before brute force.
One site that I highly recommend that you take the time to visit and bookmark is hashes.org, which allows you to submit hashes as well as download the cracked hash values. You may also be interested in taking on the challenge of cracking hashes that others have submitted.