
hashcat

Description

Hashcat is the world’s fastest CPU-based password recovery tool.

While it's not as fast as its GPU counterparts oclHashcat-plus and oclHashcat-lite, large lists can be easily split in half with a good dictionary and a bit of knowledge of the command switches.

Current Version

Current version is 0.39.

Resources

Screenshot

Background

Hashcat was written somewhere in the middle of 2009. Yes, there were already close-to-perfect working tools supporting rule-based attacks, such as “PasswordsPro” and “John The Ripper”. However, for some unknown reason, neither of them supported multi-threading. That was the only reason to write Hashcat: to make use of the multiple cores of modern CPUs.

Granted, that was not 100% correct. John the Ripper already supported MPI through a patch, but at that time it worked only for Brute-Force attacks. There was no MPI-capable solution available for cracking plain MD5 with rule-based attacks.

In its first version, v0.01, Hashcat was called “atomcrack”. This version was very poor, but at least the MD5 kernel was written in assembler utilizing SSE2 instructions, and of course it was multi-threaded. It was a simple dictionary cracker, nothing more. But it was fast. Really fast. Some guys from the scene became interested in it, and after one week there were around 10 beta testers. Everything worked fine, so requests came in for more algorithm types, a rule engine for mutating dictionaries, a Windows version and different attack modes, and these were added. These developments took around half a year and were completely non-public.

Then, with version 0.29, “atomcrack” was renamed to “Dr. Hash”, and with the release of version 0.30, to “hashcat”.

The first official hashcat release was v0.30, released on 24.12.2009.

Options

Usage: ./hashcat-cli64.bin [options] hashfile [wordfiles|directories]

Startup:
  -V,  --version                     print version
  -h,  --help                        print help
       --eula                        print eula

Logging and Files:
       --remove                      enable remove of hash from hashlist once it is cracked
       --quiet                       suppress output
       --stdout                      stdout mode
       --disable-potfile             do not write potfile
  -r,  --rules-file=FILE             rules-file for hybrid-attack
  -o,  --output-file=FILE            output-file for recovered hashes
       --output-format=NUM           0 = hash:pass
                                     1 = hash:hex_pass
                                     2 = hash:pass:hex_pass
  -e,  --salt-file=FILE              salts-file for unsalted hashlists
       --debug-file=FILE             debug-file
       --debug-mode=NUM              1 = save finding rule (hybrid only)
                                     2 = save original word (hybrid only)
  -p,  --seperator-char=CHAR         seperator-char for hashlists

Resources:

  -n,  --threads=NUM                 number of threads
  -c,  --segment-size=NUM            number of mb to cache from wordfile
  -s,  --words-skip=NUM              skip number of words (for resume)
  -l,  --words-limit=NUM             limit number of words (for distributed)

Attacks:
  -g,  --generate-rules=NUM          number of self-generating rules
       --generate-rules-func-min=NUM force number of functions per rule min
       --generate-rules-func-max=NUM force number of functions per rule max
  -a,  --attack-mode=NUM             number of attack-mode
                                     0 = Straight *
                                     1 = Combination *
                                     2 = Toggle-Case
                                     3 = Brute-Force
                                     4 = Permutation
                                     5 = Table-Lookup
                                     * = for Hybrid-Attack use -r or -g

  -m,  --hash-mode=NUM               number of hash-mode

   0 = MD5                           200 = MySQL
   1 = md5($pass.$salt)              300 = MySQL4.1/MySQL5
   2 = md5($salt.$pass)              400 = MD5(Wordpress)
   3 = md5(md5($pass))               400 = MD5(phpBB3)
   4 = md5(md5(md5($pass)))          500 = MD5(Unix)
   5 = vBulletin < v3.8.5            600 = SHA-1(Base64)
   6 = md5(md5($salt).$pass)         700 = SSHA-1(Base64)
   7 = md5($salt.md5($pass))         800 = SHA-1(Django)
   8 = md5($salt.$pass.$salt)        900 = MD4
   9 = md5(md5($salt).md5($pass))   1000 = NTLM
  10 = md5(md5($pass).md5($salt))   1100 = Domain Cached Credentials
  11 = md5($salt.md5($salt.$pass))  1200 = MD5(Chap)
  12 = md5($salt.md5($pass.$salt))  1300 = MSSQL
  15 = vBulletin > v3.8.5
  30 = md5($username.0.$pass)
  31 = md5(strtoupper(md5($pass)))
 100 = SHA1                         1400 = SHA256
 101 = sha1($pass.$salt)            1600 = MD5(APR)
 102 = sha1($salt.$pass)            1700 = SHA512
 103 = sha1(sha1($pass))            1800 = SHA-512(Unix)
 104 = sha1(sha1(sha1($pass)))
 105 = sha1(strtolower($username).$pass)

Toggle-Case specific:
      --toggle-min=NUM               number of alphas in plain minimum
      --toggle-max=NUM               number of alphas in plain maximum

Brute-Force specific:
      --bf-pw-min=NUM                password length minimum
      --bf-pw-max=NUM                password length maximum
      --bf-cs-buf=CHARS              charset for attack

Permutation specific:
      --perm-min=NUM                 number of chars in plain minimum
      --perm-max=NUM                 number of chars in plain maximum

Table-Lookup specific:
      --table-min=NUM                number of chars in plain minimum
      --table-max=NUM                number of chars in plain maximum
      --table-file=FILE              table file
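
The `$pass`/`$salt` notation in the hash-mode table is PHP-style: each `md5()` yields a lowercase hex string, and a nested call hashes that string rather than the raw digest bytes. The following Python code is an added example, not part of hashcat or of this page; it implements the plain, salted and nested MD5 modes from the table so that, during an audit of your own application, you can confirm which mode number matches how a known test password is stored. The names `MD5_MODES` and `matching_modes` are hypothetical, and UTF-8 encoding of password and salt is an assumption.

```python
import hashlib


def md5_hex(data: bytes) -> bytes:
    """PHP-style md5(): lowercase hex digest, as bytes so calls can be nested."""
    return hashlib.md5(data).hexdigest().encode("ascii")


# Mode number -> construction, transcribed from the -m table above.
# p = password bytes, s = salt bytes. Modes 5, 15 and 30 are left out
# because the table does not spell out their construction.
MD5_MODES = {
    0:  lambda p, s: md5_hex(p),
    1:  lambda p, s: md5_hex(p + s),
    2:  lambda p, s: md5_hex(s + p),
    3:  lambda p, s: md5_hex(md5_hex(p)),
    4:  lambda p, s: md5_hex(md5_hex(md5_hex(p))),
    6:  lambda p, s: md5_hex(md5_hex(s) + p),
    7:  lambda p, s: md5_hex(s + md5_hex(p)),
    8:  lambda p, s: md5_hex(s + p + s),
    9:  lambda p, s: md5_hex(md5_hex(s) + md5_hex(p)),
    10: lambda p, s: md5_hex(md5_hex(p) + md5_hex(s)),
    11: lambda p, s: md5_hex(s + md5_hex(s + p)),
    12: lambda p, s: md5_hex(s + md5_hex(p + s)),
    31: lambda p, s: md5_hex(md5_hex(p).upper()),
}


def matching_modes(password: str, salt: str, stored_hex: str) -> list[int]:
    """Return every mode whose construction reproduces stored_hex.

    More than one mode can match: with an empty salt, modes 0, 1, 2 and 8
    all reduce to md5($pass), so test with a non-empty salt when possible.
    """
    p = password.encode("utf-8")   # assumption: the application hashes UTF-8
    s = salt.encode("utf-8")
    target = stored_hex.strip().lower().encode("ascii")
    return [m for m in sorted(MD5_MODES) if MD5_MODES[m](p, s) == target]


if __name__ == "__main__":
    # Constructed sample: a test account stored as md5($salt.md5($pass)).
    inner = hashlib.md5(b"hunter2").hexdigest().encode("ascii")
    stored = hashlib.md5(b"s4lt" + inner).hexdigest()
    print(matching_modes("hunter2", "s4lt", stored))
```

An empty result means the stored value uses none of these constructions, for example a different salt, encoding or algorithm.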

Default Values

Attribute                  Value  Note
--version                  false
--help                     false
--eula                     false
--remove                   false
--quiet                    false
--disable-potfile          false
--rules-file               NULL
--outfile                  NULL
--outfile-format           0
--salt-file                NULL
--debug-file               NULL
--debug-mode               0
--seperator-char           :
--threads                  8
--segment-size             32
--words-skip               0
--words-limit              0
--generate-rules           0
--generate-rules-func-min  1
--generate-rules-func-max  4
--attack-mode              0
--hash-mode                0
--toggle-min               1
--toggle-max               16
--pw-min                   1
--pw-max                   55
--perm-min                 2
--perm-max                 10
--table-min                2
--table-max                10
--table-file               NULL

NOTE: A value “0” or “NULL” can mean undefined, unlimited or all.

Supported attack modes, direct

Supported attack modes, emulation

Performance

Please refer to the homepage for the latest benchmarks.

Limitations

  • None

Future Plans

  • None