Does hashcat use passwords from it's potfile as a wordlist?
#1
Hi,
Does hashcat use passwords from it's potfile as a wordlist?

Scenario:
hashcat is used to crack a user's password, user is asked to change their password to something better.
user updates their password to some variation of the existing password, something this isn't cracked by the same wordlist and rule again, but still a weak variation.


I can write a script that parses the pot file for passwords and dumps them to a wordlist for each run. Just not sure if this is something that's already built in / worth doing?

thanks
Reply
#2
hashcat does only what you tell it to do. There is no such automation as pulling words out of the pot file.
Reply
#3
Indeed.

The closest easy tool that understands both salted and unsalted variants is 'getpass' from the Cynosure Prime GitHub distro of 'rling':

https://github.com/Cynosureprime/rling

The one quirk is that it will skip files ending in '.txt' because in Waffle's world, .txt is reserved for specific password-cracking inputs/outputs. You can override this with the '-n' flag.

And yes, it's definitely worth doing. See also --loopback, which does the same thing (feed cracks back into the existing attack), but just for that specific run.
~
Reply