hashcat Forum
Migrating from Passware to Hashcat (need guidance and opinion of experts here) - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: Migrating from Passware to Hashcat (need guidance and opinion of experts here) (/thread-8129.html)



Migrating from Passware to Hashcat (need guidance and opinion of experts here) - vipereasy - 02-06-2019

Greetings everybody, I have a 6 workstation with GPUs running on high speed network, I do Distributed network attack running passware software on one of my devices and agents on the others, recently some friends recommended using hashcat as they said it was much faster and powerful than passware, I just couldn't have the same DNA on my network, after a bit of searching and implementing I was able to install hashtopolis (A hashcat wrapper for distributed hashcracking)
I have some issues regarding the use of hashcat that I can't find solutions for online which are :
1- I can't detect file version or run brute force attack like I used to do in passware on some file types ( winrar) 
2- I can't detect or run attacks on encrypted volumes like truecrypt or veracrypt

Based on tutorials that I watched I think I must have a list containing all possible hashes to be able to match with the generated hash out of the attack that I run which seems pretty hard to get.

how do I run different attacks (Brute force, xieve, dictionary, .... ) I can't find videos or examples to this, all I find is a lot of types listed with corresponding hashes.


RE: Migrating from Passware to Hashcat (need guidance and opinion of experts here) - royce - 02-06-2019

Switching to hashcat, you will definitely be able to get a lot more performance out of your hardware for a number of hash types, but it comes at a price: less point-and-click automation. You'll need to think of this as moving from an automatic to a stick shift (at least at first, until you get up to speed).

Good call with Hashtopolis for distributed work.

Fortunately, it's a lot easier than trying to get a list of all hashes. Using hashcat for attacks with a dictionary, a mask, a list of masks, or a combination of words + rules is all pretty easy once you get the syntax down.

You'll need to check out some hashcat tutorials, and maybe start with learning the command line and using hashcat directly for some basic attacks, before trying to do them at scale with Hashtopolis.

This walkthrough by m3g9tr0n is from an older version of hashcat, but the syntax is mostly the same:

http://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-passwords

... though you should now add "-O" if most of your candidates will be 15 chars or less and you're attacking a fast hash. (This will get you top speeds. If you need longer candidates, you drop the -O, but you pay a speed penalty in exchange for being able to handle longer passwords) If the -O isn't applicable, it will be ignored.

You'll also want to use the highest -w value that you can tolerate; since it's a farm situation, you'll probably be fine with the max (-w 4) once you get things going.

You'll also want to read through the wiki:

https://hashcat.net/wiki/

... and the FAQ therein.

Also, the bottom of hashcat --help has some basic examples:

Code:
 Wordlist         | $P$   | hashcat -a 0 -m 400 example400.hash example.dict
 Wordlist + Rules | MD5   | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
 Brute-Force      | MD5   | hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a
 Combinator       | MD5   | hashcat -a 1 -m 0 example0.hash example.dict example.dict

As for automatically detecting hash types, that's more complex than it might appear. Passware may be able to detect a few, but there are some hash types (especially nested and/or truncated types) that you literally can't detect the actual hash type until you actually crack at least one hash. Most crackers work up to knowing many types by sight, and there is also https://github.com/psypanda/hashID, which a lot of folks use to do the heavy lifiting if they're trying to sort a big mixed pile of hashes.  hashID will definitely get the ones that are easily differentiated, but you then must pick the right "mode" number in hashcat (-m) and supply that on the command line. If it's an obvious mismatch, hashcat will complain and reject all hashes in the list that aren't of the specified type ... but if it's not an obvious mismatch, hashcat will happily try the wrong algorithm. So you do need to keep in mind that hash identification is more of a manual/human process in the hashcat space right now.


RE: Migrating from Passware to Hashcat (need guidance and opinion of experts here) - vipereasy - 02-06-2019

(02-06-2019, 07:40 AM)royce Wrote: Switching to hashcat, you will definitely be able to get a lot more performance out of your hardware for a number of hash types, but it comes at a price: less point-and-click automation. You'll need to think of this as moving from an automatic to a stick shift (at least at first, until you get up to speed).

Good call with Hashtopolis for distributed work.

Fortunately, it's a lot easier than trying to get a list of all hashes. Using hashcat for attacks with a dictionary, a mask, a list of masks, or a combination of words + rules is all pretty easy once you get the syntax down.

You'll need to check out some hashcat tutorials, and maybe start with learning the command line and using hashcat directly for some basic attacks, before trying to do them at scale with Hashtopolis.

This walkthrough by m3g9tr0n is from an older version of hashcat, but the syntax is mostly the same:

http://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-passwords

... though you should now add "-O" if most of your candidates will be 15 chars or less and you're attacking a fast hash. (This will get you top speeds. If you need longer candidates, you drop the -O, but you pay a speed penalty in exchange for being able to handle longer passwords) If the -O isn't applicable, it will be ignored.

You'll also want to use the highest -w value that you can tolerate; since it's a farm situation, you'll probably be fine with the max (-w 4) once you get things going.

You'll also want to read through the wiki:

https://hashcat.net/wiki/

... and the FAQ therein.

Also, the bottom of hashcat --help has some basic examples:

Code:
 Wordlist         | $P$   | hashcat -a 0 -m 400 example400.hash example.dict
 Wordlist + Rules | MD5   | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
 Brute-Force      | MD5   | hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a
 Combinator       | MD5   | hashcat -a 1 -m 0 example0.hash example.dict example.dict

As for automatically detecting hash types, that's more complex than it might appear. Passware may be able to detect a few, but there are some hash types (especially nested and/or truncated types) that you literally can't detect the actual hash type until you actually crack at least one hash. Most crackers work up to knowing many types by sight, and there is also https://github.com/psypanda/hashID, which a lot of folks use to do the heavy lifiting if they're trying to sort a big mixed pile of hashes.  hashID will definitely get the ones that are easily differentiated, but you then must pick the right "mode" number in hashcat (-m) and supply that on the command line. If it's an obvious mismatch, hashcat will complain and reject all hashes in the list that aren't of the specified type ... but if it's not an obvious mismatch, hashcat will happily try the wrong algorithm. So you do need to keep in mind that hash identification is more of a manual/human process in the hashcat space right now.

Thank you so much for help I appreciate it, I will follow your guidelines and I hope to learn it as quickly as possible.