Table of Contents

hashcat-utils

Description

Hashcat-utils are a set of small utilities that are useful in advanced password cracking.

They all are packed into multiple stand-alone binaries.

All of these utils are designed to execute only one specific function.

Since they all work with STDIN and STDOUT you can group them into chains.

hashcat-utils is released as open source software under the MIT license.

Current Version

The current version is 1.8.

Download

The programs are available for Linux and Windows on both 32-bit and 64-bit architectures, as well as .app binaries for 64-bit OSX/macOS. The project is released as MIT-licensed open source software.

hashcat-utils does not have a dedicated homepage, but this download link always has the latest release:

List of Utilities

Each of them is described in detail in the following sections.

cap2hccapx

Tool used to generate .hccapx files from network capture files (.cap or .pcap) to crack WPA/WPA2 authentications. The .hccapx files are used as input by the hash type -m 2500 = WPA/WPA2.

The additional options allow you to specify a network name (ESSID) to filter out unwanted networks and to give cap2hccapx a hint about the name of a network (ESSID) and MAC address of the access point (BSSID) if no beacon was captured.

Syntax:

$ ./cap2hccapx.bin
usage: ./cap2hccapx.bin input.pcap output.hccapx [filter by essid] [additional network essid:bssid]

cleanup-rules

Strips rules from STDIN that are not compatible with a specified platform.

Syntax:

usage: ./cleanup-rules.bin mode

… where mode is 1 = CPU, 2 = GPU.

combinator

Syntax:

$ ./combinator.bin 
usage: ./combinator.bin file1 file2

This program is a stand-alone implementation of the Combinator Attack.

Each word from file2 is appended to each word from file1 and then printed to STDOUT.

Since the program is required to rewind the files multiple times it cannot work with STDIN and requires real files.

Another option would be to store all the content from both files in memory. However in hash-cracking we usually work with huge files, resulting in a requirement that the size of the files we use does matter.

See Combinator Attack for examples.

combinator3

Like combinator, but accepts three files as input, producing the combination of all three lists as output.

combipow

Produces all “unique combinations” from a short list of inputs.

$ cat wordlist
a
b
c
XYZ
123

$ combipow wordlist
a
b
ab
c
ac
bc
abc
XYZ
aXYZ
bXYZ
abXYZ
cXYZ
acXYZ
bcXYZ
abcXYZ
123
a123
b123
ab123
c123
ac123
bc123
abc123
XYZ123
aXYZ123
bXYZ123
abXYZ123
cXYZ123
acXYZ123
bcXYZ123
abcXYZ123

ct3_to_ntlm

Syntax:

usage: ./ct3_to_ntlm.bin 8-byte-ct3-in-hex 8-byte-salt-in-hex [24-byte-ESS-in-hex]

There are two different versions for NetNTLMv1 - one with ESS, and one without.

If you don't have an ESS:

NETNTLM_bs_fmt_plug.c:  {"$NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233", "cory21"},

You can use it like this:

./ct3_to_ntlm.bin C4A70D3BEBD70233 1122334455667788       
                                          
51ad

If you have ESS:

./ct3_to_ntlm.bin 7D01513435B36DCA 1122334455667788 
1FA1B9C4ED8E570200000000000000000000000000000000
34d5

Forum discussion here.

cutb

This program (new in hashcat-utils-0.6) is designed to cut up a wordlist (read from STDIN) to be used in Combinator attack. Suppose you notice that passwords in a particular dump tend to have a common padding length at the beginning or end of the plaintext, this program will cut the specific prefix or suffix length off the existing words in a list and pass it to STDOUT.

Syntax:

$ ./cutb.bin
usage: ./cutb.bin offset [length] < infile > outfile

Example wordlist file:

$ cat wordlist
apple1234
theman
fastcars

Example positive offset and fixed length (first 4 characters):

$ ./cutb.bin 0 4 < wordlist
appl
them
fast

Example positive offset, no length (returns remaining characters in string):

$ ./cutb.bin 4 < wordlist
e1234
an
cars

Example negative offset (last 4 characters in string):

$ ./cutb.bin -4 < wordlist
1234
eman
cars

Example negative offset, fixed length:

$ ./cutb.bin -5 3 < wordlist 
e12
hem
tca

Suggested uses:

  1. Hybrid attack (-a 6 or -a 7) with oclHashcat

Remember to run sort -u on the output before using it in an attack!

deskey_to_ntlm

TBD

Syntax:

usage: ./deskey_to_ntlm.pl 8-byte-key-in-hex

Forum announcement and discussion here.

expander

This program has no parameters to configure.

Each word going into STDIN is parsed and split into all its single chars, mutated and reconstructed and then sent to STDOUT.

There are a couple of reconstructions generating all possible patterns of the input word by applying the following iterations:

Important: make sure you unique the output afterwards.

Example:

$ echo pass1 | ./expander.bin  | sort -u  
1
1p
1pas
a
as
ass
ass1
p
pa
pas
pass
s
s1
s1p
s1pa
ss
ss1
ss1p

This program is the heart of the Fingerprint Attack.

gate

Each wordlist going into STDIN is parsed and split into equal sections and then passed to STDOUT based on the amount you specify. The reason for splitting is to distribute the workload that gets generated.

For example if you have an i7 CPU and want to use your dictionary with a program that is unable to handle multiple cores, you can use gate to split your dictionary into multiple smaller pieces and then run that program in multiple instances.

Syntax:

$ ./gate.bin
usage: ./gate.bin mod offset < infile > outfile

The two important parameters are “mod” and “offset”.

Here is an example input dictionary:

$ cat numbers 
1
2
3
4
5
6
7
8
9
10
11
12
13
14

We want to split a dictionary into two equal dictionaries:

$ ./gate.bin 2 1 < numbers 
2
4
6
8
10
12
14
$ ./gate.bin 2 0 < numbers  
1
3
5
7
9
11
13

generate-rules

Stand-alone utility to generate random rules.

Usage: ./generate-rules.bin number [seed]

This command generates 10 random rules, using “42” as a seed:

./generate-rules.bin 10 42
$  $} z3
*61 t
l
o2*
L2
*6B *98 D1
x0A f x32
s^L
s[5 s'#
swU }

hcstatgen

A tool used to generate .hcstat files for use with the statsprocessor.

Syntax:

usage: ./hcstatgen.bin out.hcstat < infile

Nothing much else to say here. Each outfile will be exactly 32.1MB in size.

keyspace

Calculates keyspace in a hashcat-aware manner.

./keyspace.bin, keyspace utility for hashcat

Usage: ./keyspace.bin [options] mask

=======
Options
=======

  -m,  --hash-type=NUM           Hash-type
       --hex-charset             Assume charset is given in hex
       --markov-hcstat=FILE      Specify hcstat file to use, default is hashcat.hcstat
  -t,  --markov-threshold=NUM    Threshold for markov-chains
  -1,  --custom-charset1=CS      User-defined charsets
  -2,  --custom-charset2=CS      Examples:
  -3,  --custom-charset3=CS      --custom-charset3=?dabcdef : sets charset ?3 to 0123456789abcdef
  -4,  --custom-charset4=CS      --custom-charset4=?l?u : sets charset ?4 to all lower and upper case letters
  -h,  --help                    Print help

len

Each word going into STDIN is parsed for its length and passed to STDOUT if it matches a specified word-length range.

Syntax:

usage: ./len.bin min max < infile > outfile

Here is an example input dictionary:

$ cat dict
1
123
test
pass
hello
world

We want only these words that have the length 2, 3 or 4:

$ ./len.bin 2 4 < dict  
123
test
pass

mli2

Merges two lists.

Like rli2, the two lists must be sorted (in LC_ALL=C order).

Syntax:

Usage: ./mli2.bin infile mergefile

Example:

$ cat w1.txt
123
1234
999
aceofspades
cards
password
veryfast

$ cat w2.txt
123
1234
999
extra

$ mli2 w1.txt w2.txt
123
1234
999
aceofspades
cards
extra
password
veryfast

If you use mli2 on unsorted lists, you will get unmerged results.

If you use mli2 on sorted but non-uniq'd lists, you will get sorted but non-uniq'd results.

morph

Basically morph generates insertion rules for the most frequent chains of characters from the dictionary that you provide and that, per position.

Syntax:

usage: ./morph.bin dictionary depth width pos_min pos_max

- Dictionary = Wordlist used for frequency analysis.

- Depth = Determines what “top” chains that you want. For example 10 would give you the top 10 (in fact, it seems to start with value 0 so that 10 would give the top 11).

- Width = Max length of the chain. With 3 for example, you will get up to 3 rules per line for the most frequent 3 letter chains.

- pos_min = Minimum position where the insertion rule will be generated. For example 5 would mean that it will make rule to insert the string only from position 5 and up.

-pos_max = Maximum position where the insertion rule will be generated. For example 10 would mean that it will make rule to insert the string so that it's end finishes at a maximum of position 10.

permute

This program is a stand-alone implementation of the Permutation Attack.

It has no parameters to configure.

Each word going into STDIN is parsed and run through “The Countdown QuickPerm Algorithm” by Phillip Paul Fuchs (see: https://permuteweb.tchs.info (Internet Archive)

See Permutation Attack for examples.

permute_exist

TBD

Syntax:

Usage: ./permute_exist.bin word < infile > outfile

prepare

This program is made as an dictionary optimizer for the Permutation Attack.

Due to the nature of the permutation algorithm itself, the input words “BCA” and “CAB” would produce exactly the same password candidates.

$ echo BCA | ./permute.bin
BCA
CBA
ABC
BAC
CAB
ACB

$ echo CAB | ./permute.bin
CAB
ACB
BCA
CBA
ABC
BAC

The best way to sort out these “dupes” is to reconstruct the input word reordered by the ASCII value of each char of the word:

Input:

  1. B ⇒ 0x42
  2. C ⇒ 0x43
  3. A ⇒ 0x41

Output: ABC

Input:

  1. C ⇒ 0x43
  2. A ⇒ 0x41
  3. B ⇒ 0x42

Output: ABC

Now we can safely sort -u afterwards:

$ wc -l rockyou.txt 
14344391 rockyou.txt

$ ./prepare.bin < rockyou.txt | sort -u > rockyou.txt.prep

$ wc -l rockyou.txt.prep 
9375751 rockyou.txt.prep

Sorted out 4968640 words (34.6%) which would produce dupes in permutation attack.

remaining

TBD

Syntax:

use: ./remaining.pl wordlist_base.txt wordlist_search.txt

req

req has been replaced by req-include and req-exclude, below.

req-exclude

Like req-include, but it excludes words that match specific criteria.

req-include

Each word going into STDIN is parsed and passed to STDOUT if it matches an specified password group criteria.

Sometimes you know that some password must include a lower-case char, a upper-case char and a digit to pass a specific password policy.

That means checking passwords that do not match this policy will definitely not result in a cracked password. So we should skip it.

This program is not very complex and it cannot fully match all the common password policy criteria, but it does provide a little help.

The following password groups are defined:

Name Item Chars
LOWER 1 abcdefghijklmnoprstuvwxyz
UPPER 2 ABCDEFGHIJKLMNOPRSTUVWXYZ
DIGIT 4 0123465789
SYMBOL 8 0x20 to 0x7e NOT IN lower, upper, digit
OTHER 16 All others, not matching the above

To configure a password group out of the single entries you just add the item numbers of all the single entries together.

For example if you want to pass to STDOUT only the words that match at least one lower and at least one digit, you would just lookup the table and search for “lower”, which is “1” and then “digit”, which is “4” and add them together so it makes “5”.

$ echo hello | ./req.bin 5
$ echo hello1 | ./req.bin 5
hello1
$ echo Hello1 | ./req.bin 5 
Hello1

rli

rli compares a single file against another file(s) and removes all duplicates:

rli
usage: rli infile outfile removefiles...

Let's say we have two files w1.txt:

password
123
cards
999
aceofspades
1234
veryfast

And w2.txt:

123
999
1234

If we run the following command:

rli w1.txt OUT_FiLE.txt w2.txt

OUT_FiLE.txt will have:

password
cards
aceofspades
veryfast

It also supports multiple files: w3.txt has “password” in it, we run:

rli w1.txt OUT_FiLE.txt w2.txt w3.txt

OUT_FiLE.txt:

cards
aceofspades
veryfast

rli can be very useful to clean your dicts and to have one unique set of dictionaries.

But the dictionary size cannot exceed host memory size. Read rli2 below for large files.

rli2

Unlike rli, rli2 is not limited. But it requires infile and removefile to be sorted and uniqued before, otherwise it won't work as it should.

For example using w1.txt and w2.txt files from above, if we run:

rli2 w1.txt w2.txt

This will output:

password
123
cards
999
aceofspades
1234
veryfast

No change. But if we sort and unique w1.txt and w2.txt as:

sort w1.txt > w1su.txt
sort w1.txt > w1su.txt

And running:

rli2 w1su.txt w2su.txt

Will do it accurately:

aceofspades
cards
password
veryfast

Note that rli2 can't do multiple files. And if you haven't already notice, rli2 outputs to STDOUT not a file. You can always pipe to a file to work-around that.

rules_optimize

TBD

seprule

TBD

splitlen

This program is designed to be a dictionary optimizer for the now-deprecated oclHashcat.

Note: this optimization is no longer needed by modern hashcat.

oclHashcat has a very specific way of loading dictionaries, unlike CPU hashcat. The best way to organize your dictionaries for use with oclHashcat is to sort each word in your dictionary by its length into specific files, into a specific directory, and then to run oclHashcat in directory mode.

Syntax:

$ ./splitlen.bin
usage: ./splitlen.bin outdir < infile

All you need to do is to create a new directory, for example “ldicts”.

$ mkdir ldicts
$ ./splitlen.bin ldicts < rockyou.txt

Results in:

$ ls -l ldicts/
total 129460
-rw-r--r-- 1 root root       90 Oct 12 15:54 01
-rw-r--r-- 1 root root     1005 Oct 12 15:54 02
-rw-r--r-- 1 root root     9844 Oct 12 15:54 03
-rw-r--r-- 1 root root    89495 Oct 12 15:54 04
-rw-r--r-- 1 root root  1555014 Oct 12 15:54 05
-rw-r--r-- 1 root root 13634586 Oct 12 15:54 06
-rw-r--r-- 1 root root 20050168 Oct 12 15:54 07
-rw-r--r-- 1 root root 26694333 Oct 12 15:54 08
-rw-r--r-- 1 root root 21910390 Oct 12 15:54 09
-rw-r--r-- 1 root root 22150645 Oct 12 15:54 10
-rw-r--r-- 1 root root 10392420 Oct 12 15:54 11
-rw-r--r-- 1 root root  7219550 Oct 12 15:54 12
-rw-r--r-- 1 root root  5098436 Oct 12 15:54 13
-rw-r--r-- 1 root root  3727905 Oct 12 15:54 14
-rw-r--r-- 1 root root        0 Oct 12 15:54 15

NOTE: splitlen does not append, it overwrites the files in the outdir. Thats why you should use empty directories.

strip-bsn

Strips all \0 bytes from stdin.

strip-bsr

Strips all \r bytes from stdin.

tmesis

tmesis will take a wordlist and produce insertion rules that would insert each word of the wordlist to preset positions.

For example, the word ‘password’ will create insertion rules that would insert ‘password’ from position 0 to position F (15), and will mutate the string ‘123456’ as follows:

password123456
1password23456
12password3456
123password456
1234password56
12345password6
123456password

Hints:

* Use tmesis to create rules to attack hashlists that came from the source. Run initial analysis on the cracked passwords, collect the top 10-20 words that appear on the passwords, and use tmesis to generate rules from them.

* Use tmesis generated rules in combination with best64.rule.

* tmesis does not handle multibyte unicode characters as single characters, but rather as individual bytes. This means that it can be used to insert multibyte characters as well.

tmesis-dynamic

Syntax:

Usage: ./tmesis-dynamic.pl substring wordlist1.txt wordlist2.txt

tmesis-dynamic will take 2 wordlists and produces a new one, using a user-defined substring as a “key”.

Each word of wordlist 1 which matches that user-defined substring substitutes that substring with each word of wordlist 2.

For example, these wordlists:

$ cat wordlist1.txt
isajack3935
jackysch_5131
HBjackas5
mom1jackhopes
$ cat wordlist2.txt
123456
password
jill
hashcat

… produce the following candidates when supplied with the key “jack”:

$ ./tmesis-dynamic.pl jack wordlist1.txt wordlist2.txt
isa1234563935
isapassword3935
isajill3935
isahashcat3935
123456ysch_5131
passwordysch_5131
jillysch_5131
hashcatysch_5131
HB123456as5
HBpasswordas5
HBjillas5
HBhashcatas5
mom1123456hopes
mom1passwordhopes
mom1jillhopes
mom1hashcathopes

topmorph

TBD

Syntax:

Usage: ./topmorph.pl dictionary depth width pos_min pos_max

Limitations

Some programs from hashcat-utils have a minimum and maximum allowed word-length range (like in “len” example).

E.g. see splitlen.c:

#define LEN_MIN 1
#define LEN_MAX 64

You can change them and then recompile the hashcat-utils. However we usually do not need plain words of greater length in password cracking.