Hashcat-utils are a set of small utilities that are useful in advanced password cracking.
They all are packed into multiple stand-alone binaries.
All of these utils are designed to execute only one specific function.
Since they all work with STDIN and STDOUT you can group them into chains.
hashcat-utils is released as open source software under the MIT license.
The current version is 1.9.
The programs are available for Linux and Windows on both 32-bit and 64-bit architectures, as well as .app binaries for 64-bit OSX/macOS. The project is released as MIT-licensed open source software.
hashcat-utils does not have a dedicated homepage, but this download link always has the latest release:
Each of them is described in detail in the following sections.
Tool used to generate .hccapx files from network capture files (.cap or .pcap) to crack WPA/WPA2 authentications. The .hccapx files are used as input by the hash type -m 2500 = WPA/WPA2.
The additional options allow you to specify a network name (ESSID) to filter out unwanted networks and to give cap2hccapx a hint about the name of a network (ESSID) and MAC address of the access point (BSSID) if no beacon was captured.
Syntax:
$ ./cap2hccapx.bin usage: ./cap2hccapx.bin input.pcap output.hccapx [filter by essid] [additional network essid:bssid]
Strips rules from STDIN that are not compatible with a specified platform.
Syntax:
usage: ./cleanup-rules.bin mode
… where mode is 1 = CPU, 2 = GPU.
Example ('<' is a rules directive that only works with legacy CPU hashcat):
$ cat dirty.rules l <3 $ cleanup-rules 1 < dirty.rules l <3 $ cleanup-rules 2 < dirty.rules l $
Syntax:
$ ./combinator.bin usage: ./combinator.bin file1 file2
This program is a stand-alone implementation of the Combinator Attack.
Each word from file2 is appended to each word from file1 and then printed to STDOUT.
Since the program is required to rewind the files multiple times it cannot work with STDIN and requires real files.
Another option would be to store all the content from both files in memory. However in hash-cracking we usually work with huge files, resulting in a requirement that the size of the files we use does matter.
$ cat two.list nes tor $ combinator two.list two.list nesnes nestor tornes tortor
See Combinator Attack for more examples.
Like combinator, but accepts three files as input, producing the combination of all three lists as output.
$ cat three.list nes tor $ combinator3 three.list three.list three.list nesnesnes nesnestor nestornes nestortor tornesnes tornestor tortornes tortortor
An expanded combinator tool that can combine up to eight elements, with custom separators between each element, and with session / restore support and other useful flags.
Note that combinatorX cannot use the same direct file on disk for more than two lists. This is due to how the files are read from disk at a low level. A workaround for this is to copy the lists to separate files.
Simple example:
$ cat list1.txt the quick $ cat list2.txt brown fox $ cat list3.txt jumped over $ combinatorX -1 list1.txt -2 list2.txt -3 list3.txt thebrownjumped thebrownover thefoxjumped thefoxover quickbrownjumped quickbrownover quickfoxjumped quickfoxover
Produces all “unique combinations” from a short list of inputs.
$ cat wordlist a b c XYZ 123 $ combipow wordlist a b ab c ac bc abc XYZ aXYZ bXYZ abXYZ cXYZ acXYZ bcXYZ abcXYZ 123 a123 b123 ab123 c123 ac123 bc123 abc123 XYZ123 aXYZ123 bXYZ123 abXYZ123 cXYZ123 acXYZ123 bcXYZ123 abcXYZ123
TBD
Syntax:
usage: ./ct3_to_ntlm.bin 8-byte-ct3-in-hex 8-byte-salt-in-hex [24-byte-ESS-in-hex]
There are two different versions for NetNTLMv1 - one with ESS, and one without.
If you don't have an ESS:
NETNTLM_bs_fmt_plug.c: {"$NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233", "cory21"},
You can use it like this:
./ct3_to_ntlm.bin C4A70D3BEBD70233 1122334455667788 51ad
If you have ESS:
./ct3_to_ntlm.bin 7D01513435B36DCA 1122334455667788 1FA1B9C4ED8E570200000000000000000000000000000000 34d5
Forum discussion here.
This program (new in hashcat-utils-0.6) is designed to cut up a wordlist (read from STDIN) to be used in Combinator attack. Suppose you notice that passwords in a particular dump tend to have a common padding length at the beginning or end of the plaintext, this program will cut the specific prefix or suffix length off the existing words in a list and pass it to STDOUT.
Syntax:
$ ./cutb.bin usage: ./cutb.bin offset [length] < infile > outfile
Example wordlist file:
$ cat wordlist apple1234 theman fastcars
Example positive offset and fixed length (first 4 characters):
$ ./cutb.bin 0 4 < wordlist appl them fast
Example positive offset, no length (returns remaining characters in string):
$ ./cutb.bin 4 < wordlist e1234 an cars
Example negative offset (last 4 characters in string):
$ ./cutb.bin -4 < wordlist 1234 eman cars
Example negative offset, fixed length:
$ ./cutb.bin -5 3 < wordlist e12 hem tca
Suggested uses:
Remember to run sort -u on the output before using it in an attack!
This program has no parameters to configure.
Each word going into STDIN is parsed and split into all its single chars, mutated and reconstructed and then sent to STDOUT.
There are a couple of reconstructions generating all possible patterns of the input word by applying the following iterations:
Important: make sure you unique the output afterwards.
Example:
$ echo pass1 | ./expander.bin | sort -u 1 1p 1pas a as ass ass1 p pa pas pass s s1 s1p s1pa ss ss1 ss1p
This program is the heart of the Fingerprint Attack.
Attempt to extract plaintexts from potfile records containing mixed hash types. Operates on stdin. Assumes last colon-separated string is the plaintext and that any plaintexts containing colons are HEX-encoded.
Each wordlist going into STDIN is parsed and split into equal sections and then passed to STDOUT based on the amount you specify. The reason for splitting is to distribute the workload that gets generated.
For example if you have an i7 CPU and want to use your dictionary with a program that is unable to handle multiple cores, you can use gate to split your dictionary into multiple smaller pieces and then run that program in multiple instances.
Syntax:
$ ./gate.bin usage: ./gate.bin mod offset < infile > outfile
The two important parameters are “mod” and “offset”.
Here is an example input dictionary:
$ cat numbers 1 2 3 4 5 6 7 8 9 10 11 12 13 14
We want to split a dictionary into two equal dictionaries:
$ ./gate.bin 2 1 < numbers 2 4 6 8 10 12 14
$ ./gate.bin 2 0 < numbers 1 3 5 7 9 11 13
Stand-alone utility to generate random rules.
Usage: ./generate-rules.bin number [seed]
This command generates 10 random rules, using “42” as a seed:
./generate-rules.bin 10 42 $ $} z3 *61 t l o2* L2 *6B *98 D1 x0A f x32 s^L s[5 s'# swU }
A tool used to generate .hcstat files for use with older hashcat's –markov-hcstat
parameter, and with the statsprocessor.
NOTE: The output generated by hcstatgen is no longer supported by current hashcat and does not support longer passwords (up to length 256). Use hcstat2gen instead.
Syntax:
usage: ./hcstatgen.bin out.hcstat < infile
Nothing much else to say here. Each outfile will be exactly 32.1MB in size.
See also hcstat2gen.
A tool for generating custom Markov statistics, for use (after LZMA compression) with hashcat's --markov-hcstat
(soon to be --markov-hcstat2
) parameter.
hcstat2gen
is like its predecessor hcstatgen
, but updated in sync with hashcat 4.0 to support a maximum password length up to 256 (and also added a filetype header).
To conserve space, hashcat now expects hcstat2 files to be compressed as LZMA. If the file is not compressed, you will see a “Could not uncompress data
” error.
Syntax:
usage: ./hcstat2gen.bin outfile < dictionary
Common usage example:
./hcstat2gen.bin hcstat2_output_raw.bin </path/to/dict.txt lzma --compress --format=raw --stdout -9e hcstat2_output_raw.bin > output.hcstat2
If your lzma
does not support –stdout
, try:
lzma --compress --format=raw hcstat2_output_raw.bin --suffix=hcstat2
Each raw outfile should be about 132MB in size (with variable size after compression).
Note that this newer format is not yet supported by statsprocessor.
See also hcstatgen.
Calculates keyspace in a hashcat-aware manner.
./keyspace.bin, keyspace utility for hashcat Usage: ./keyspace.bin [options] mask ======= Options ======= -m, --hash-type=NUM Hash-type --hex-charset Assume charset is given in hex --markov-hcstat=FILE Specify hcstat file to use, default is hashcat.hcstat -t, --markov-threshold=NUM Threshold for markov-chains -1, --custom-charset1=CS User-defined charsets -2, --custom-charset2=CS Examples: -3, --custom-charset3=CS --custom-charset3=?dabcdef : sets charset ?3 to 0123456789abcdef -4, --custom-charset4=CS --custom-charset4=?l?u : sets charset ?4 to all lower and upper case letters -h, --help Print help
Each word going into STDIN is parsed for its length and passed to STDOUT if it matches a specified word-length range.
Syntax:
usage: ./len.bin min max < infile > outfile
Here is an example input dictionary:
$ cat dict 1 123 test pass hello world
We want only these words that have the length 2, 3 or 4:
$ ./len.bin 2 4 < dict 123 test pass
Merges two lists.
Like rli2, the two lists must be sorted (in LC_ALL=C order).
Syntax:
Usage: ./mli2.bin infile mergefile
Example:
$ cat w1.txt 123 1234 999 aceofspades cards password veryfast $ cat w2.txt 123 1234 999 extra $ mli2 w1.txt w2.txt 123 1234 999 aceofspades cards extra password veryfast
If you use mli2 on unsorted lists, you will get unmerged results.
If you use mli2 on sorted but non-uniq'd lists, you will get sorted but non-uniq'd results.
Basically morph generates insertion rules for the most frequent chains of characters from the dictionary that you provide and that, per position.
Syntax:
usage: ./morph.bin dictionary depth width pos_min pos_max
- Dictionary = Wordlist used for frequency analysis.
- Depth = Determines what “top” chains that you want. For example 10 would give you the top 10 (in fact, it seems to start with value 0 so that 10 would give the top 11).
- Width = Max length of the chain. With 3 for example, you will get up to 3 rules per line for the most frequent 3 letter chains.
- pos_min = Minimum position where the insertion rule will be generated. For example 5 would mean that it will make rule to insert the string only from position 5 and up.
-pos_max = Maximum position where the insertion rule will be generated. For example 10 would mean that it will make rule to insert the string so that it's end finishes at a maximum of position 10.
This program is a stand-alone implementation of the Permutation Attack.
It has no parameters to configure.
Each word going into STDIN is parsed and run through “The Countdown QuickPerm Algorithm” by Phillip Paul Fuchs (see: https://permuteweb.tchs.info (Internet Archive)
See Permutation Attack for examples.
TBD
Syntax:
Usage: ./permute_exist.bin word < infile > outfile
This program is made as an dictionary optimizer for the Permutation Attack.
Due to the nature of the permutation algorithm itself, the input words “BCA” and “CAB” would produce exactly the same password candidates.
$ echo BCA | ./permute.bin BCA CBA ABC BAC CAB ACB $ echo CAB | ./permute.bin CAB ACB BCA CBA ABC BAC
The best way to sort out these “dupes” is to reconstruct the input word reordered by the ASCII value of each char of the word:
Input:
Output: ABC
Input:
Output: ABC
Now we can safely sort -u afterwards:
$ wc -l rockyou.txt 14344391 rockyou.txt $ ./prepare.bin < rockyou.txt | sort -u > rockyou.txt.prep $ wc -l rockyou.txt.prep 9375751 rockyou.txt.prep
Sorted out 4968640 words (34.6%) which would produce dupes in permutation attack.
Syntax:
use: ./remaining.pl wordlist_base.txt wordlist_search.txt
This program takes 2 wordlists:
There's high chances to create duplicates, you need to sort -u the result yourself.
Result is ideal for using in -a 1 combinator attack mode. You may want to do two attacks:
Example:
Content wordlist (base):
isajack3935 jackysch_5131 HBjackas5 mom1jackhopes
Content wordlist (search):
jack jacky
… produces candidates:
isa 3935 ysch_5131 HB as5 mom1 hopes sch_5131
req has been replaced by req-include and req-exclude, below.
Like req-include, but it excludes words that match specific criteria.
Each word going into STDIN is parsed and passed to STDOUT if it matches an specified password group criteria.
Sometimes you know that some password must include a lower-case char, a upper-case char and a digit to pass a specific password policy.
That means checking passwords that do not match this policy will definitely not result in a cracked password. So we should skip it.
This program is not very complex and it cannot fully match all the common password policy criteria, but it does provide a little help.
The following password groups are defined:
Name | Item | Chars |
---|---|---|
LOWER | 1 | abcdefghijklmnoprstuvwxyz |
UPPER | 2 | ABCDEFGHIJKLMNOPRSTUVWXYZ |
DIGIT | 4 | 0123465789 |
SYMBOL | 8 | 0x20 to 0x7e NOT IN lower, upper, digit |
OTHER | 16 | All others, not matching the above |
To configure a password group out of the single entries you just add the item numbers of all the single entries together.
For example if you want to pass to STDOUT only the words that match at least one lower and at least one digit, you would just lookup the table and search for “lower”, which is “1” and then “digit”, which is “4” and add them together so it makes “5”.
$ echo hello | ./req.bin 5 $ echo hello1 | ./req.bin 5 hello1 $ echo Hello1 | ./req.bin 5 Hello1
rli compares a single file against another file(s) and removes all duplicates:
rli usage: rli infile outfile removefiles...
Let's say we have two files w1.txt
:
password 123 cards 999 aceofspades 1234 veryfast
And w2.txt
:
123 999 1234
If we run the following command:
rli w1.txt OUT_FiLE.txt w2.txt
OUT_FiLE.txt
will have:
password cards aceofspades veryfast
It also supports multiple files:
w3.txt
has “password
” in it, we run:
rli w1.txt OUT_FiLE.txt w2.txt w3.txt
OUT_FiLE.txt
:
cards aceofspades veryfast
rli can be very useful to clean your dicts and to have one unique set of dictionaries.
But the dictionary size cannot exceed host memory size. Read rli2 below for large files.
Unlike rli, rli2 is not limited. But it requires infile
and removefile
to be sorted (in LC_ALL=C order) and uniqued before, otherwise it won't work as it should.
For example using w1.txt
and w2.txt
files from above, if we run:
rli2 w1.txt w2.txt
This will output:
password 123 cards 999 aceofspades 1234 veryfast
No change. But if we sort and unique w1.txt
and w2.txt
as:
sort w1.txt > w1su.txt sort w2.txt > w2su.txt
And running:
rli2 w1su.txt w2su.txt
Will do it accurately:
aceofspades cards password veryfast
Note that rli2 can't do multiple files. And if you haven't already notice, rli2 outputs to STDOUT not a file. You can always pipe to a file to work-around that.
TBD
TBD
This program is designed to be a dictionary optimizer for the now-deprecated oclHashcat.
Note: this optimization is no longer needed by modern hashcat.
oclHashcat has a very specific way of loading dictionaries, unlike CPU hashcat. The best way to organize your dictionaries for use with oclHashcat is to sort each word in your dictionary by its length into specific files, into a specific directory, and then to run oclHashcat in directory mode.
Syntax:
$ ./splitlen.bin usage: ./splitlen.bin outdir < infile
All you need to do is to create a new directory, for example “ldicts”.
$ mkdir ldicts $ ./splitlen.bin ldicts < rockyou.txt
Results in:
$ ls -l ldicts/ total 129460 -rw-r--r-- 1 root root 90 Oct 12 15:54 01 -rw-r--r-- 1 root root 1005 Oct 12 15:54 02 -rw-r--r-- 1 root root 9844 Oct 12 15:54 03 -rw-r--r-- 1 root root 89495 Oct 12 15:54 04 -rw-r--r-- 1 root root 1555014 Oct 12 15:54 05 -rw-r--r-- 1 root root 13634586 Oct 12 15:54 06 -rw-r--r-- 1 root root 20050168 Oct 12 15:54 07 -rw-r--r-- 1 root root 26694333 Oct 12 15:54 08 -rw-r--r-- 1 root root 21910390 Oct 12 15:54 09 -rw-r--r-- 1 root root 22150645 Oct 12 15:54 10 -rw-r--r-- 1 root root 10392420 Oct 12 15:54 11 -rw-r--r-- 1 root root 7219550 Oct 12 15:54 12 -rw-r--r-- 1 root root 5098436 Oct 12 15:54 13 -rw-r--r-- 1 root root 3727905 Oct 12 15:54 14 -rw-r--r-- 1 root root 0 Oct 12 15:54 15
NOTE: splitlen does not append, it overwrites the files in the outdir. Thats why you should use empty directories.
Strips all \0 bytes from stdin.
Strips all \r bytes from stdin.
tmesis will take a wordlist and produce insertion rules that would insert each word of the wordlist to preset positions.
For example, the word ‘password’ will create insertion rules that would insert ‘password’ from position 0 to position F (15), and will mutate the string ‘123456’ as follows:
password123456
1password23456
12password3456
123password456
1234password56
12345password6
123456password
Hints:
* Use tmesis to create rules to attack hashlists that came from the source. Run initial analysis on the cracked passwords, collect the top 10-20 words that appear on the passwords, and use tmesis to generate rules from them.
* Use tmesis generated rules in combination with best64.rule.
* tmesis does not handle multibyte unicode characters as single characters, but rather as individual bytes. This means that it can be used to insert multibyte characters as well.
Syntax:
Usage: ./tmesis-dynamic.pl substring wordlist1.txt wordlist2.txt
tmesis-dynamic will take 2 wordlists and produces a new one, using a user-defined substring as a “key”.
Each word of wordlist 1 which matches that user-defined substring substitutes that substring with each word of wordlist 2.
For example, these wordlists:
$ cat wordlist1.txt isajack3935 jackysch_5131 HBjackas5 mom1jackhopes
$ cat wordlist2.txt 123456 password jill hashcat
… produce the following candidates when supplied with the key “jack”:
$ ./tmesis-dynamic.pl jack wordlist1.txt wordlist2.txt isa1234563935 isapassword3935 isajill3935 isahashcat3935 123456ysch_5131 passwordysch_5131 jillysch_5131 hashcatysch_5131 HB123456as5 HBpasswordas5 HBjillas5 HBhashcatas5 mom1123456hopes mom1passwordhopes mom1jillhopes mom1hashcathopes
TBD
Syntax:
Usage: ./topmorph.pl dictionary depth width pos_min pos_max
Some programs from hashcat-utils have a minimum and maximum allowed word-length range (like in “len” example).
E.g. see splitlen.c:
#define LEN_MIN 1 #define LEN_MAX 64
You can change them and then recompile the hashcat-utils. However we usually do not need plain words of greater length in password cracking.