
hashcat

Description

Hashcat is the world’s fastest CPU-based password recovery tool.

While it's not as fast as its GPU counterpart oclHashcat, large lists can be easily split in half with a good dictionary and a bit of knowledge of the command switches.

Current Version

Current version is 0.48.

Resources

Screenshot

Background

Hashcat was written somewhere in the middle of 2009. Yes, there were already close-to-perfect working tools supporting rule-based attacks, like “PasswordsPro” and “John The Ripper”. However, for some unknown reason, neither of them supported multi-threading. That was the only reason to write Hashcat: to make use of the multiple cores of modern CPUs.

Granted, that was not 100% correct. John the Ripper already supported MPI using a patch, but at that time it worked only for brute-force attacks. There was no solution available for cracking plain MD5 that supported MPI with rule-based attacks.

In its first version, v0.01, Hashcat was called “atomcrack”. This version was very poor, but at least the MD5 kernel was written in assembler utilizing SSE2 instructions and of course it was multi-threaded. It was a simple dictionary cracker, nothing more. But it was fast. Really fast. Some guys from the scene became interested in it and after one week there were around 10 beta testers. Everything worked fine, and so requests followed for more algorithm types, a rule engine for mutation of dictionaries, a Windows version and different attack modes, all of which were added. These developments took around half a year, and were completely non-public.

Then, with version 0.29, “atomcrack” was renamed to “Dr. Hash”, and then, with the release of version 0.30, to “hashcat”.

The first official hashcat release was v0.30, released on 24.12.2009.

Starting with hashcat release v0.40, released on 05.08.2012, binaries for Mac OS X are included.

Options

hashcat, advanced password recovery

Usage: hashcat [options] hashfile [mask|wordfiles|directories]

=======
Options
=======

* General:

  -m,  --hash-type=NUM               Hash-type, see references below
  -a,  --attack-mode=NUM             Attack-mode, see references below
  -V,  --version                     Print version
  -h,  --help                        Print help
       --eula                        Print EULA
       --expire                      Print expiration date
       --quiet                       Suppress output

* Misc:

       --hex-salt                    Assume salt is given in hex
       --hex-charset                 Assume charset is given in hex

* Files:

  -o,  --outfile=FILE                Define outfile for recovered hash
       --outfile-format=NUM          Define outfile-format for recovered hash, see references below
  -p,  --separator=CHAR              Define separator char for hashlists/outfile
       --show                        Show cracked passwords only (see also --username)
       --left                        Show un-cracked passwords only (see also --username)
       --username                    Enable ignoring of usernames in hashfile (recommended: also use --show)
       --remove                      Enable remove of hash once it is cracked
       --stdout                      stdout mode
       --disable-potfile             do not write potfile
       --debug-file=FILE             debug-file
       --debug-mode=NUM              Defines the debug mode (hybrid only by using rules), see references below
  -e,  --salt-file=FILE              salts-file for unsalted hashlists

* Resources:

  -c,  --segment-size=NUM            Size in MB to cache from the wordfile
  -n,  --threads=NUM                 number of threads
  -s,  --words-skip=NUM              skip number of words (for resume)
  -l,  --words-limit=NUM             limit number of words (for distributed)

* Rules:

  -r,  --rules-file=FILE             Rules-file use: -r 1.rule
  -g,  --generate-rules=NUM          Generate NUM random rules
       --generate-rules-func-min=NUM Force NUM functions per random rule min
       --generate-rules-func-max=NUM Force NUM functions per random rule max

* Custom charsets:

  -1,  --custom-charset1=CS          User-defined charsets
  -2,  --custom-charset2=CS          Example:
  -3,  --custom-charset3=CS          --custom-charset1=?dabcdef
  -4,  --custom-charset4=CS          Sets charset ?1 to 0123456789abcdef

* Toggle-Case attack-mode specific:

       --toggle-min=NUM              number of alphas in dictionary minimum
       --toggle-max=NUM              number of alphas in dictionary maximum

* Mask-attack attack-mode specific:

       --pw-min=NUM                  Password-length minimum
       --pw-max=NUM                  Password-length maximum

* Permutation attack-mode specific:

       --perm-min=NUM                Filter words shorter than NUM
       --perm-max=NUM                Filter words larger than NUM

* Table-Lookup attack-mode specific:

  -t,  --table-file=FILE             table file
       --table-min=NUM               number of chars in dictionary minimum
       --table-max=NUM               number of chars in dictionary maximum

==========
References
==========

* Outfile formats:

    1 = hash[:salt]
    2 = plain
    3 = hash[:salt]:plain
    4 = hex_plain
    5 = hash[:salt]:hex_plain
    6 = plain:hex_plain
    7 = hash[:salt]:plain:hex_plain

* Debug mode output formats (for hybrid mode only, by using rules):

    1 = save finding rule
    2 = save original word
    3 = save original word and finding rule

* Built-in charsets:

   ?l = abcdefghijklmnopqrstuvwxyz
   ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
   ?d = 0123456789
   ?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
   ?a = ?l?u?d?s

* Attack modes:

    0 = Straight
    1 = Combination
    2 = Toggle-Case
    3 = Brute-force
    4 = Permutation
    5 = Table-Lookup

* Hash types:

    0 = MD5
   10 = md5($pass.$salt)
   20 = md5($salt.$pass)
   30 = md5(unicode($pass).$salt)
   40 = md5(unicode($pass).$salt)
   50 = HMAC-MD5 (key = $pass)
   60 = HMAC-MD5 (key = $salt)
  100 = SHA1
  110 = sha1($pass.$salt)
  120 = sha1($salt.$pass)
  130 = sha1(unicode($pass).$salt)
  140 = sha1($salt.unicode($pass))
  150 = HMAC-SHA1 (key = $pass)
  160 = HMAC-SHA1 (key = $salt)
  200 = MySQL
  300 = MySQL4.1/MySQL5
  400 = phpass, MD5(Wordpress), MD5(phpBB3)
  500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
  800 = SHA-1(Django)
  900 = MD4
 1000 = NTLM
 1100 = Domain Cached Credentials, mscash
 1400 = SHA256
 1410 = sha256($pass.$salt)
 1420 = sha256($salt.$pass)
 1450 = HMAC-SHA256 (key = $pass)
 1460 = HMAC-SHA256 (key = $salt)
 1600 = md5apr1, MD5(APR), Apache MD5
 1700 = SHA512
 1710 = sha512($pass.$salt)
 1720 = sha512($salt.$pass)
 1750 = HMAC-SHA512 (key = $pass)
 1760 = HMAC-SHA512 (key = $salt)
 1800 = SHA-512(Unix)
 2400 = Cisco-PIX MD5
 2500 = WPA/WPA2
 2600 = Double MD5
 3200 = bcrypt, Blowfish(OpenBSD)
 3300 = MD5(Sun)
 3500 = md5(md5(md5($pass)))
 3610 = md5(md5($salt).$pass)
 3710 = md5($salt.md5($pass))
 3720 = md5($pass.md5($salt))
 3810 = md5($salt.$pass.$salt)
 3910 = md5(md5($pass).md5($salt))
 4010 = md5($salt.md5($salt.$pass))
 4110 = md5($salt.md5($pass.$salt))
 4210 = md5($username.0.$pass)
 4300 = md5(strtoupper(md5($pass)))
 4400 = md5(sha1($pass))
 4500 = sha1(sha1($pass))
 4600 = sha1(sha1(sha1($pass)))
 4700 = sha1(md5($pass))
 4800 = MD5(Chap)
 5000 = SHA-3(Keccak)
 5100 = Half MD5
 5200 = Password Safe SHA-256
 5300 = IKE-PSK MD5
 5400 = IKE-PSK SHA1
 5500 = NetNTLMv1-VANILLA / NetNTLMv1-ESS
 5600 = NetNTLMv2
 5700 = Cisco-IOS SHA256
 5800 = Samsung Android Password/PIN
 6300 = AIX {smd5}
 6400 = AIX {ssha256}
 6500 = AIX {ssha512}
 6700 = AIX {ssha1}
 6900 = GOST, GOST R 34.11-94
 7000 = Fortigate (FortiOS)
 7100 = OS X v10.8
 7200 = GRUB 2
 7300 = IPMI2 RAKP HMAC-SHA1
 9999 = Plaintext

* Specific hash types:

   11 = Joomla
   21 = osCommerce, xt:Commerce
  101 = nsldap, SHA-1(Base64), Netscape LDAP SHA
  111 = nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
  112 = Oracle 11g
  121 = SMF > v1.1
  122 = OS X v10.4, v10.5, v10.6
  131 = MSSQL(2000)
  132 = MSSQL(2005)
  141 = EPiServer 6.x
 1722 = OS X v10.7
 1731 = MSSQL(2012)
 2611 = vBulletin < v3.8.5
 2711 = vBulletin > v3.8.5
 2811 = IPB2+, MyBB1.2+
 3721 = WebEdition CMS
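
The charset notation in the help text above, worked through as an added example (not part of the original page and not hashcat's code): it expands the built-in and custom charsets and multiplies the per-position sizes to get the number of candidates a mask describes, the figure a password policy has to be measured against. The function names, the guess rate and the choice to count duplicate characters once are assumptions.

```python
import string

# Built-in charsets as listed in the help text above (?s starts with a space).
BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
           "d": string.digits, "s": " " + string.punctuation}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def _positions(spec, custom):
    """Yield the candidate characters for each position described by spec."""
    i = 0
    while i < len(spec):
        if spec[i] != "?":
            yield spec[i]                      # literal character
            i += 1
            continue
        key = spec[i + 1:i + 2]                # empty if '?' is the last char
        if key in BUILTIN:
            yield BUILTIN[key]
        elif key in custom:
            yield custom[key]
        else:
            raise ValueError("unknown placeholder ?%s in %r" % (key, spec))
        i += 2


def resolve_charset(spec):
    """Expand a --custom-charsetN value, e.g. '?dabcdef' -> '0123456789abcdef'."""
    out = []
    for chunk in _positions(spec, {}):
        for c in chunk:
            if c not in out:                   # assumption: duplicates count once
                out.append(c)
    return "".join(out)


def keyspace(mask, custom=None):
    """Candidates described by mask; custom maps '1'..'4' to charset specs."""
    resolved = {k: resolve_charset(v) for k, v in (custom or {}).items()}
    total = 1
    for chars in _positions(mask, resolved):
        total *= len(chars)
    return total


def days_to_exhaust(mask, guesses_per_second, custom=None):
    """Worst-case days to try every candidate at a fixed guess rate."""
    return keyspace(mask, custom) / guesses_per_second / 86400


if __name__ == "__main__":
    rate = 1e9  # constructed figure, not a benchmark from this page
    for mask in ("?d?d?d?d?d?d", "?u?l?l?l?l?d?d", "?a?a?a?a?a?a?a?a"):
        print(mask, keyspace(mask), "%.4f days" % days_to_exhaust(mask, rate))
```

Only the placeholders listed on this page are modelled; anything else raises ValueError.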

Default Values

TBD Update values

Attribute                  Value  Note
--version                  false
--help                     false
--eula                     false
--remove                   false
--quiet                    false
--disable-potfile          false
--rules-file               NULL
--outfile                  NULL
--outfile-format           0
--salt-file                NULL
--debug-file               NULL
--debug-mode               0
--seperator-char           :
--threads                  8
--segment-size             32
--words-skip               0
--words-limit              0
--generate-rules           0
--generate-rules-func-min  1
--generate-rules-func-max  4
--attack-mode              0
--hash-mode                0
--toggle-min               1
--toggle-max               16
--pw-min                   1
--pw-max                   55
--perm-min                 2
--perm-max                 10
--table-min                2
--table-max                10
--table-file               NULL

NOTE: A value “0” or “NULL” can mean undefined, unlimited or all.

Supported algorithms and supported password plaintext lengths

TBD Update values

Hash-Type                                    minimum length  maximum length  Note
MD5                                          1
md5($pass.$salt)                             1
md5($salt.$pass)                             1
HMAC-MD5 (key = $pass)                       1
HMAC-MD5 (key = $salt)                       1
SHA1                                         1
nsldap, SHA-1(Base64), Netscape LDAP SHA     1
sha1($pass.$salt)                            1
nsldaps, SSHA-1(Base64), Netscape LDAP SSHA  1
Oracle 11G                                   1
MSSQL(2000)                                  1
MSSQL(2005)                                  1
MySQL > v4.1                                 1
MD4                                          1
md4($pass.$salt)                             1
NTLM                                         1
Domain Cached Credentials, mscash            1
SHA256                                       1
sha256 ($pass.$salt)                         1
descrypt, DES(Unix), Traditional DES         1
SHA512                                       1
sha512 ($pass.$salt)                         1
Cisco-PIX MD5                                1
Double MD5                                   1
vBulletin < v3.8.5                           1
vBulletin > v3.8.5                           1
IPB2+, MyBB1.2+                              1
LM                                           1
Oracle 7-10g, DES(Oracle)                    1
  • + Indicates that the --hex-charset flag is automatically enabled.
  • - Indicates that the --hex-salt flag is automatically enabled.
  • * Indicates that the salt/username is part of the plaintext and thus its length has to be subtracted from the maximum length.

Supported attack modes, direct

Supported attack modes, emulation

Performance

Please refer to the homepage for the latest benchmarks.

Limitations

  • None

Future Plans

  • None