Step 1: Fire Up Kali & Open Hashcat
Let’s start by firing up Kali and opening hashcat. Go to Applications -> Kali Linux -> Password Attacks -> Offline Attacks -> hashcat.
When we click on the hashcat menu item, it opens the help screen.
At the top of the screen, you can see the basic hashcat syntax:
kali > hashcat options hashfile mask|wordfiles|directories
We can see some of the options for hashcat displayed below the basic syntax. Some of the most important of these are -m (the hashtype) and -a (attack mode). In general, we will need to use both of these options in most password cracking attempts with hashcat.
Step 2: More Extensive Options
If we scan a bit further down this hashcat help screen, we can see more options. The first two below are some of the key options that hashcat enables.
First, hashcat enables rules that allow us to apply specifically designed rules to use on our wordlist file. These rules can take our wordlist file and apply capitalization rules, special characters, word combinations, appended and prepended numbers, and so on. Each of these will help us to break passwords that have been made more complex to avoid dictionary attacks.
The next stanza shows us custom character sets. This enables us to set the character set that we want to use to crack the passwords. If we know the company’s or institution’s password policy, we can choose a subset of all characters to meet their policy and speed up our cracking. For instance, if a company allows an all-numeric character set, choose to crack the hashes with just numbers. These types of passwords are VERY easy to crack.
The next screen includes some of the more obscure options, including the output file type, the debug mode and the built-in character sets.
Finally, we have to chose the type of hash we are trying to crack. Hashcat gives us numerous options. When we get ready to crack the hash, we need to designate in our command what type of hash we are working with by giving hashcat the number associated with the hash type. Here we can see a list of some of the hash types hashcat can work with.
* Hash types: 0 = MD5 10 = md5($pass.$salt) 20 = md5($salt.$pass) 30 = md5(unicode($pass).$salt) 40 = md5($salt.unicode($pass)) 50 = HMAC-MD5 (key = $pass) 60 = HMAC-MD5 (key = $salt) 100 = SHA1 110 = sha1($pass.$salt) 120 = sha1($salt.$pass) 130 = sha1(unicode($pass).$salt) 140 = sha1($salt.unicode($pass)) 150 = HMAC-SHA1 (key = $pass) 160 = HMAC-SHA1 (key = $salt) 200 = MySQL323 300 = MySQL4.1/MySQL5 400 = phpass, MD5(WordPress), MD5(phpBB3), MD5(Joomla) 500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5 900 = MD4 1000 = NTLM 1100 = Domain Cached Credentials (DCC), MS Cache 1400 = SHA256 1410 = sha256($pass.$salt) 1420 = sha256($salt.$pass) 1430 = sha256(unicode($pass).$salt) 1431 = base64(sha256(unicode($pass))) 1440 = sha256($salt.unicode($pass)) 1450 = HMAC-SHA256 (key = $pass) 1460 = HMAC-SHA256 (key = $salt) 1600 = md5apr1, MD5(APR), Apache MD5 1700 = SHA512 1710 = sha512($pass.$salt) 1720 = sha512($salt.$pass) 1730 = sha512(unicode($pass).$salt) 1740 = sha512($salt.unicode($pass)) 1750 = HMAC-SHA512 (key = $pass) 1760 = HMAC-SHA512 (key = $salt) 1800 = SHA-512(Unix) 2400 = Cisco-PIX MD5 2410 = Cisco-ASA MD5 2500 = WPA/WPA2 2600 = Double MD5
Step 3: Choose Your Wordlist
In this tutorial, we will be using a simple dictionary attack on some Linux hashes. To do so, we need a wordlist to work from. There are literally thousands of wordlists available on the web, but Kali has numerous wordlists built right in, so let’s try using one of those.
To find the built in wordlists in Kali, we can type:
kali > locate wordlist
When we do, we can see that there are dozens of wordlists available.
Step 4: Grab the Hashes
In the next step, we need to grab the hashes on our Kali system. If we are logged in as root, we can see and grab the hashes. In Linux, the hashes are stored in the /etc/shadow file, so if we type:
kali > tail /etc/shadow
We can see the shadow file with the hashes, as below.
Next, we need to know what type of hashing the system is using. In Linux, we go to the /etc/login.defs to view what encryption type the system is using. We open that file by typing:
kali > more /etc/login.defs
When we navigate about 85% down the file, we can see that Kali is using SHA512 encryption. This is important, as we will need to tell hashcat this information when we are ready to crack the hashes.
Step 5: Crack the Hashes!
Now, that we know the basics of hashcat, where the hashes are located and the type of encryption, we are ready to begin cracking the hashes.
Let’s first put those hashes into a separate file we will name hash.lst.
kali > cp /etc/shadow hash.lst
To make sure that they were copied over, let’s check by typing:
more hash.lst
As we can see, the hashes have been copied over to the hash.lst file.
To prepare this file for cracking, we need to remove all of the information in this file, except the hashes. The /etc/shadow file includes the username, then the salted hash, and then information about the applicable user policy. We need to remove all that information leaving just the hash.
We can see that this file starts with the username, i.e., “user1”, “user2”, etc. Open this file in your favorite text editor (vim, vi, leafpad) and delete the username and the following colon. Then, go to the end of the line and remove the information after the hash that starts with a colon (:). Now we will have a file with just the hashes and nothing else.
In the final step, we can now start cracking the hashes. Here’s the command I used.
kali > hashcat -m 1800 -a 0 -o cracked.txt –remove hash.lst /usr/share/sqlmap/txt/wordlist.txt
- -m 1800 designates the type of hash we are cracking (SHA-512)
- -a 0 designates a dictionary attack
- -o cracked.txt is the output file for the cracked passwords
- –remove tells hashcat to remove the hash after it has been cracked
- hash.lst is our input file of hashes
- /usr/share/sqlmap/txt/wordlist.txt is the absolute path to our wordlist for this dictionary attack
Once the cracking process starts, we can hit <enter> to get an update on the process. When hashcat has completed its work, you will see a screen like below where hashcat announces that it has recovered all my hashes after 9 :47:16 of work.
Now, we only need to open the cracked.txt file to view our cracked passwords!
Hashcat may be the world’s best password cracking tool right now, so take some time to get to know it. It has many more features that we have not yet touched on, and a version that uses your GPU that can crack passwords many times faster than your CPU can.