HOWTO: Using hashcat on Windows through an SSH session

Hashcat can run on multiple operating systems. While Linux/UNIX operating systems provide an easy way to connect to a remote workstation using SSH, this is not the case for Windows.

Solutions like Bash on Windows or OpenSSH by the PowerShell team attempt to address this need, but they also have some major caveats (rendering problems, tty-based communications problems, etc.).

Cygwin and MSYS/MSYS2 also have some tty-based problems. Cygwin and MSYS/MSYS2 rely on mintty, but don't provide unbuffering capabilities. The consequence is that the 's', 'b', 'q', 'p' keystrokes used by hashcat are buffered wshen pressed, causing them to not function as intended.

Another solution must be found to use hashcat through an SSH session on Windows. One solution is winpty.

The following is directly taken from the winpty README, and provides instructions for both Cygwin and MSYS/MSYS2.

Disclaimer

THIS GUIDE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. WE WILL NOT ACCEPT ANY LIABILITY FOR ANY SECURITY RISKS YOU INTRODUCE TO YOUR ENVIRONMENT UPON FOLLOWING THIS GUIDE.

At a minimum, you should ensure that all commands are executed in a trusted – and preferably isolated – environment.

Prerequisites

You need the following to build winpty:

  • A Cygwin, MSYS or MSYS2 installation
  • GNU make
  • A MinGW g++ toolchain capable of compiling C++11 code to build winpty.dll and winpty-agent.exe
  • A g++ toolchain targeting Cygwin or MSYS to build winpty.exe

Cygwin packages

The default g++ compiler for Cygwin targets Cygwin itself, but Cygwin also packages MinGW-w64 compilers. As of this writing, the necessary packages are:

  • Either mingw64-i686-gcc-g++ or mingw64-x86_64-gcc-g++. Select the appropriate compiler for your CPU architecture (x86 or x64).
  • gcc-g++
  • make

As of writing this tutorial, winpty over an SSH session using MSYS or MSYS2 has not been tested. Nevertheless, things should not been different from Cygwin case.

MSYS packages

For the original MSYS, use the mingw-get tool (MinGW Installation Manager), and select at least these components:

  • mingw-developer-toolkit
  • mingw32-base
  • mingw32-gcc-g++
  • msys-base
  • msys-system-builder

When running ./configure, make sure that mingw32-g++ is in your PATH. It will be in the C:\MinGW\bin directory.

MSYS2 packages

For MSYS2, use pacman and install at least these packages:

  • msys/gcc
  • mingw32/mingw-w64-i686-gcc or mingw64/mingw-w64-x86_64-gcc. Select the appropriate compiler for your CPU architecture (x86 or x64).
  • make

MSYS2 provides three start menu shortcuts for starting MSYS2:

  • MinGW-w64 Win32 Shell
  • MinGW-w64 Win64 Shell
  • MSYS2 Shell

To build winpty, use either MinGW-w64 Win32 shortcut or MinGW-w64 Win64 shortcut, depending of the architecture matching your MSYS2 installation.

These shortcuts will put the g++ compiler (from mingw32/mingw-w64-i686-gcc packages if your installation is 32bits or from mingw64/mingw-w64-x86_64-gcc packages if your installation is 64bits) into the PATH.

Alternatively, instead of installing mingw32/mingw-w64-i686-gcc or mingw64/mingw-w64-x86_64-gcc, install the mingw-w64-cross-gcc and mingw-w64-cross-crt-git packages.

These packages install cross-compilers into /opt/bin, and then any of the three shortcuts will work.

Build winpty

In the project directory, run:

$ ./configure
$ make
$ make install

By default, winpty is installed into /usr/local. Pass PREFIX=<path> to make install to override this default.

Use winpty with hashcat

To run a Windows console program in mintty or Cygwin/MSYS/MSYS2 sshd, prepend winpty to the command line:

$ winpty hashcat64.exe -m 0 ....

Unbuffered-related problems should now be resolved.

Because winpty is not aware of chroot'ed environments, all paths to files (like output files or wordlists) must either be relative to the current directory, or absolute within the Windows filesystem (ie. '/opt/data/wordlists/MyWordlist' must be replaced by 'DRIVELETTER:/INSTALLATION_PATH/opt/data/wordlists/MyWordlist').

Example:

When connected with the “sshd” account to your remote Windows workstation “TimmyStation”, if your Cygwin/MSYS/MSYS2 environnement is located in C:\INSTALL_PATH, and your hashcat folder is in C:\INSTALL_PATH\opt\data\hashcat-3.20, a typical successful command line should look like this:

sshd@TimmyStation /opt/data/hashcat-3.20
$ winpty hashcat64.exe -m 0 -o C:/INSTALL_PATH/opt/data/hashcat_outputhashes C:/INSTALL_PATH/opt/data/RawMD5_test.dump -a 0 C:/INSTALL_PATH/opt/data/wordlists/MyWordlist -r rules/best64.rule