HOWTO: Using hashcat on Windows through an SSH session

Hashcat runs on several operating systems. While Linux/UNIX-based operating systems provide an easy way to connect to a remote workstation using SSH, this is not the case for Windows.

Even if some solutions like Bash on Windows or OpenSSH by the PowerShell team seem to be able to address this need, they also have some major caveats (rendering problems, tty-based communications problems, etc.).

Cygwin and MSYS/MSYS2 also have some tty-based problems: the way they use mintty, which they rely on, does not provide unbuffered input. As a consequence, the 's', 'b', 'q' and 'p' keystrokes are buffered when pressed and are not handled as they should be.

Another solution must be found to be able to use the cat through an SSH session: meet winpty.

The following is taken directly from the winpty README and provides instructions for both Cygwin and MSYS/MSYS2.

Disclaimer

THIS GUIDE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. WE WILL NOT ACCEPT ANY LIABILITY FOR ANY SECURITY RISKS YOU INTRODUCE TO YOUR ENVIRONMENT UPON FOLLOWING THIS GUIDE.

At a minimum, you should ensure that all commands are executed in a trusted – and preferably isolated – environment.

Prerequisites

You need the following to build winpty:

  • A Cygwin, MSYS or MSYS2 installation
  • GNU make
  • A MinGW g++ toolchain capable of compiling C++11 code to build winpty.dll and winpty-agent.exe
  • A g++ toolchain targeting Cygwin or MSYS to build winpty.exe

Cygwin packages

The default g++ compiler for Cygwin targets Cygwin itself, but Cygwin also packages MinGW-w64 compilers. As of this writing, the necessary packages are:

  • Either mingw64-i686-gcc-g++ or mingw64-x86_64-gcc-g++. Select the appropriate compiler for your CPU architecture (x86 or x64).
  • gcc-g++
  • make

At the time of writing this tutorial, winpty over an SSH session using MSYS or MSYS2 has not been tested. Nevertheless, things should not be different from the Cygwin case.

MSYS packages

For the original MSYS, use the mingw-get tool (MinGW Installation Manager), and select at least these components:

  • mingw-developer-toolkit
  • mingw32-base
  • mingw32-gcc-g++
  • msys-base
  • msys-system-builder

When running ./configure, make sure that mingw32-g++ is in your PATH. It will be in the C:\MinGW\bin directory.

MSYS2 packages

For MSYS2, use pacman and install at least these packages:

  • msys/gcc
  • mingw32/mingw-w64-i686-gcc or mingw64/mingw-w64-x86_64-gcc. Select the appropriate compiler for your CPU architecture (x86 or x64).
  • make

MSYS2 provides three start menu shortcuts for starting MSYS2:

  • MinGW-w64 Win32 Shell
  • MinGW-w64 Win64 Shell
  • MSYS2 Shell

To build winpty, use either the MinGW-w64 Win32 shortcut or the MinGW-w64 Win64 shortcut, depending on the architecture of your MSYS2 installation.

These shortcuts will put the g++ compiler (from the mingw32/mingw-w64-i686-gcc package if your installation is 32-bit, or from the mingw64/mingw-w64-x86_64-gcc package if your installation is 64-bit) into the PATH.

Alternatively, instead of installing mingw32/mingw-w64-i686-gcc or mingw64/mingw-w64-x86_64-gcc, install the mingw-w64-cross-gcc and mingw-w64-cross-crt-git packages.

These packages install cross-compilers into /opt/bin, and then any of the three shortcuts will work.

Build winpty

In the project directory, run:

$ ./configure
$ make
$ make install

By default, winpty is installed into /usr/local. Pass PREFIX=<path> to make install to override this default.

Use winpty with hashcat

To run a Windows console program in mintty or Cygwin/MSYS/MSYS2 sshd, prepend winpty to the command-line:

$ winpty hashcat64.exe -m 0 ....

Input-buffering problems should now be resolved!

Because winpty is not aware of the chroot'ed environment, all paths to files (such as the output file or wordlist) must be either relative to the current directory or absolute with respect to the Windows filesystem (i.e. '/opt/data/wordlists/MyWordlist' must be replaced by 'DRIVELETTER:/INSTALLATION_PATH/opt/data/wordlists/MyWordlist').

Example:

When connected with the “sshd” account to my remote Windows workstation “TimmyStation”, if your Cygwin/MSYS/MSYS2 environment is located in C:\INSTALL_PATH and your hashcat folder is in C:\INSTALL_PATH\opt\data\hashcat-3.20, a typical successful command line should look like this:

sshd@TimmyStation /opt/data/hashcat-3.20
$ winpty hashcat64.exe -m 0 -o C:/INSTALL_PATH/opt/data/hashcat_outputhashes C:/INSTALL_PATH/opt/data/RawMD5_test.dump -a 0 C:/INSTALL_PATH/opt/data/wordlists/MyWordlist -r rules/best64.rule
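
The path rule above can be applied automatically. The following wrapper is an added example, not part of winpty, hashcat or the original guide; the function names to_win_path and run_translated are hypothetical, and C:/INSTALL_PATH is the guide's placeholder for the Cygwin installation directory. It also handles Cygwin's default /cygdrive/X/ drive prefix, which the guide does not cover.

```shell
#!/bin/sh
# Added example (not from the winpty or hashcat projects).
# to_win_path ROOT PATH: rewrite one argument for a native Windows program.
#   ROOT is the Windows path of the Cygwin installation (assumption: the
#   guide's placeholder C:/INSTALL_PATH).
to_win_path() {
    wp_root=${1%/}                      # drop a trailing slash from ROOT
    wp_path=$2
    case $wp_path in
        /cygdrive/[A-Za-z]/*)           # Cygwin's default drive mount prefix
            wp_rest=${wp_path#/cygdrive/}
            wp_drive=$(printf '%s' "${wp_rest%%/*}" | tr a-z A-Z)
            printf '%s:/%s\n' "$wp_drive" "${wp_rest#*/}" ;;
        /*)                             # absolute POSIX path inside the install
            printf '%s%s\n' "$wp_root" "$wp_path" ;;
        *)                              # options, relative paths, C:/... paths
            printf '%s\n' "$wp_path" ;;
    esac
}

# run_translated ROOT CMD [ARGS...]: translate every argument, then run CMD.
# Caveat: any argument starting with "/" is treated as a path.
run_translated() {
    rt_root=$1; shift
    rt_left=$#
    while [ "$rt_left" -gt 0 ]; do      # rotate through the argument list once
        rt_arg=$1; shift
        set -- "$@" "$(to_win_path "$rt_root" "$rt_arg")"
        rt_left=$((rt_left - 1))
    done
    "$@"
}

# Demo with echo standing in for the real launch; prints the translated command.
run_translated C:/INSTALL_PATH echo winpty hashcat64.exe -m 0 \
    -o /opt/data/hashcat_outputhashes /opt/data/RawMD5_test.dump \
    -a 0 /opt/data/wordlists/MyWordlist -r rules/best64.rule
```

Drop the echo to launch hashcat for real. On Cygwin itself, cygpath -m performs the same conversion using the actual mount table and is preferable when available.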