crack-hashcat
Advanced password recovery and hash cracking tool supporting multiple algorithms and attack modes. Use when: (1) Performing authorized password auditing and security assessments, (2) Recovering passwords from captured hashes in forensic investigations, (3) Testing password policy strength and complexity, (4) Validating encryption implementations, (5) Conducting security research on cryptographic hash functions, (6) Demonstrating password weakness in penetration testing reports.
What this skill does
# Hashcat Password Recovery

## Overview

Hashcat is the world's fastest password recovery tool, supporting over 300 hash algorithms and multiple attack modes. This skill covers authorized password auditing, forensic password recovery, and security research applications.

**IMPORTANT**: Password cracking must only be performed on hashes you are authorized to crack. Unauthorized password cracking is illegal. Always ensure proper authorization and legal compliance.

## Quick Start

Basic password cracking:

```bash
# Identify hash type
hashcat --example-hashes | grep -i md5

# Dictionary attack on MD5 hash
hashcat -m 0 -a 0 hashes.txt wordlist.txt

# Show cracked passwords
hashcat -m 0 hashes.txt --show

# Benchmark system performance
hashcat -b
```

## Core Workflow

### Password Cracking Workflow

Progress:

- [ ] 1. Verify authorization for password cracking
- [ ] 2. Identify hash algorithm type
- [ ] 3. Prepare hash file and wordlists
- [ ] 4. Select appropriate attack mode
- [ ] 5. Execute cracking operation
- [ ] 6. Analyze cracked passwords
- [ ] 7. Document password policy weaknesses
- [ ] 8. Securely delete hash files and results

Work through each step systematically. Check off completed items.

### 1. Authorization Verification

**CRITICAL**: Before any password cracking:

- Confirm written authorization from data owner
- Verify legal right to crack captured hashes
- Understand data handling and retention requirements
- Document chain of custody for forensic cases
- Ensure secure storage of cracked passwords

### 2. Hash Identification

Identify hash algorithm:

```bash
# Show all supported hash types (mode number, name, example hash)
hashcat --example-hashes

# Common hash types
hashcat --example-hashes | grep -i "MD5"
hashcat --example-hashes | grep -i "SHA"
hashcat --example-hashes | grep -i "NTLM"

# Use hash-identifier (separate tool)
hash-identifier
# Paste hash when prompted

# Hashcat mode numbers (common)
# 0     = MD5
# 100   = SHA1
# 1000  = NTLM
# 1400  = SHA256
# 1800  = sha512crypt ($6$, Linux /etc/shadow)
# 3200  = bcrypt
# 5600  = NetNTLMv2
# 13100 = Kerberos 5 TGS-REP (etype 23)
```

### 3. Hash File Preparation

Prepare hash files:

```bash
# Simple hash file (one hash per line)
echo "5f4dcc3b5aa765d61d8327deb882cf99" > hashes.txt

# Hash with username (username:hash format; run hashcat with --username)
cat > hashes.txt <<EOF
admin:5f4dcc3b5aa765d61d8327deb882cf99
user1:098f6bcd4621d373cade4e832627b4f6
EOF

# Hash with salt (hash:salt format for salted modes such as -m 10, md5($pass.$salt))
echo "hash:salt" > hashes.txt

# From /etc/shadow (Linux): keep user:hash, drop locked and passwordless accounts,
# then crack with -m 1800 --username
sudo cut -d: -f1,2 /etc/shadow | grep -vE ':(\*|!|!!)?$' > shadow_hashes.txt

# From NTDS.dit (Active Directory); output is pwdump format (domain\user:rid:lm:nt:::),
# which hashcat -m 1000 reads when run with --username
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL > ad_hashes.txt
```

### 4. Attack Modes

Choose appropriate attack mode:

**Dictionary Attack (Mode 0)**:

```bash
# Basic dictionary attack
hashcat -m 0 -a 0 hashes.txt rockyou.txt

# Multiple wordlists
hashcat -m 0 -a 0 hashes.txt wordlist1.txt wordlist2.txt

# With rules
hashcat -m 0 -a 0 hashes.txt rockyou.txt -r rules/best64.rule
```

**Combinator Attack (Mode 1)**:

```bash
# Combine words from two wordlists
hashcat -m 0 -a 1 hashes.txt wordlist1.txt wordlist2.txt
```

**Brute-Force Attack (Mode 3)**:

```bash
# All lowercase letters, 8 characters
hashcat -m 0 -a 3 hashes.txt ?l?l?l?l?l?l?l?l

# Mixed case and numbers, 6 characters (-1 defines the custom charset ?1)
hashcat -m 0 -a 3 hashes.txt ?1?1?1?1?1?1 -1 ?l?u?d

# Custom charset of literal characters
hashcat -m 0 -a 3 hashes.txt ?1?1?1?1?1?1?1?1 -1 abc123
```

**Mask Attack (Mode 3 with patterns)**:

```bash
# Password format: uppercase + 6 lowercase + 2 digits
hashcat -m 0 -a 3 hashes.txt ?u?l?l?l?l?l?l?d?d

# Word + 4 digits (covers years such as 2019-2024)
hashcat -m 0 -a 3 hashes.txt password?d?d?d?d

# Common pattern: capital + word + numbers + special
hashcat -m 0 -a 3 hashes.txt ?u?l?l?l?l?l?d?d?s
```

**Hybrid Attacks (Modes 6 & 7)**:

```bash
# Wordlist + mask (append)
hashcat -m 0 -a 6 hashes.txt wordlist.txt ?d?d?d?d

# Mask + wordlist (prepend)
hashcat -m 0 -a 7 hashes.txt ?d?d?d?d wordlist.txt
```

**Character Sets**:

- `?l` = lowercase (abcdefghijklmnopqrstuvwxyz)
- `?u` = uppercase (ABCDEFGHIJKLMNOPQRSTUVWXYZ)
- `?d` = digits (0123456789)
- `?s` = special characters (space and !@#$%^&*...; 33 in total)
- `?a` = all characters (l+u+d+s, 95 in total)
- `?b` = all bytes 0x00-0xff
### 5. Performance Optimization

Optimize cracking performance:

```bash
# Raise the workload profile (hashcat uses the available GPUs by default)
hashcat -m 0 -a 0 hashes.txt wordlist.txt -w 3

# Workload profiles
# -w 1 = Low (desktop usable)
# -w 2 = Default
# -w 3 = High (dedicated cracking)
# -w 4 = Nightmare (max performance)

# List backend devices, then select one by id
hashcat -I
hashcat -m 0 -a 0 hashes.txt wordlist.txt -d 1

# Show performance benchmark (hashes per second per mode)
hashcat -b

# Use optimized kernels (faster, but caps candidate length for the hash mode)
hashcat -m 0 -a 0 hashes.txt wordlist.txt -O

# Abort automatically after 3600 seconds (the estimated finish time is shown on the status screen)
hashcat -m 0 -a 0 hashes.txt wordlist.txt --runtime=3600
```

### 6. Rules and Mutations

Apply password mutation rules:

```bash
# Use rule file
hashcat -m 0 -a 0 hashes.txt wordlist.txt -r rules/best64.rule

# Multiple rule files
hashcat -m 0 -a 0 hashes.txt wordlist.txt -r rules/best64.rule -r rules/leetspeak.rule

# Common Hashcat rules
# best64.rule    - Best 64 rules for speed/coverage
# dive.rule      - Deep mutations
# toggles1.rule  - Case toggles
# generated2.rule - Complex mutations

# Custom rule examples
# :   = do nothing
# l   = lowercase all
# u   = uppercase all
# c   = capitalize first, lowercase rest
# $1  = append "1"
# ^2  = prepend "2"
# sa@ = replace 'a' with '@'
```

### 7. Session Management

Manage cracking sessions:

```bash
# Name the session (a restore file is written while it runs)
hashcat -m 0 -a 0 hashes.txt wordlist.txt --session=mysession

# Restore an interrupted session from its restore file
hashcat --session=mysession --restore

# Refresh the status screen automatically every 60 seconds
hashcat -m 0 -a 0 hashes.txt wordlist.txt --session=mysession --status --status-timer=60

# Remove hashes from hashes.txt as they are cracked (edits the file in place)
hashcat -m 0 -a 0 hashes.txt wordlist.txt --remove

# Keep the restore (checkpoint) file at a custom path
hashcat -m 0 -a 0 hashes.txt wordlist.txt --session=mysession --restore-file-path=/path/to/checkpoint
```

### 8. Results and Reporting

View and export results:

```bash
# Show cracked passwords (hash:plaintext)
hashcat -m 0 hashes.txt --show

# Show username:hash:plaintext for user:hash formatted files
hashcat -m 0 hashes.txt --show --username

# Export to file
hashcat -m 0 hashes.txt --show > cracked.txt

# Show only the recovered plaintexts (input for password complexity analysis)
hashcat -m 0 hashes.txt --show --outfile-format=2

# Left side (uncracked hashes)
hashcat -m 0 hashes.txt --left
```

## Security Considerations

### Authorization & Legal Compliance

- **Explicit Authorization**: Written permission required for all password cracking
- **Forensic Chain of Custody**: Maintain evidence integrity
- **Data Protection**: Securely handle cracked passwords
- **Scope Limitation**: Only crack specifically authorized hashes
- **Legal Jurisdiction**: Understand applicable laws (CFAA, GDPR, etc.)

### Operational Security

- **Secure Storage**: Encrypt hash files and results
- **Offline Cracking**: Perform on air-gapped systems when possible
- **Resource Management**: Monitor system resources during cracking
- **Temperature**: Ensure adequate cooling for extended GPU usage
- **Power**: Use surge protection for hardware safety

### Audit Logging

Document all password cracking activities:

- Hash source and acquisition method
- Authorization documentation
- Hash algorithm and attack mode used
- Cracking start and end timestamps
- Success rate and crack time
- Wordlists and rules applied
- Password complexity analysis
- Secure deletion of artifacts

### Compliance

- **MITRE ATT&CK**: T1110 (Brute Force) - T1110.002 (Password Cracking)
- **NIST SP 800-63B**: Digital Identity Guidelines for passwords
- **PCI-DSS**: Password security requirements
- **ISO 27001**: A.9.4 Secret authentication information management

## Common Patterns

### Pattern 1: Windows Domain Password Audit

```bash
# Extract NTLM hashes from NTDS.dit (pwdump format: domain\user:rid:lm:nt:::)
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL > ad_hashes.txt

# Crack NTLM hashes (--username makes hashcat parse the pwdump lines)
hashcat -m 1000 -a 0 ad_hashes.txt rockyou.txt -r rules/best64.rule --username

# Show cracked accounts; group membership is not in the hash file, so cross-reference
# the usernames against the Domain Admins member list to report privileged hits
hashcat -m 1000 ad_hashes.txt --show --username
```
### Pattern 2: Linux Password Audit
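Whichever pattern produced the cracked set, the reporting step ("Analyze cracked passwords", "Password complexity analysis") works on the `user:hash:plaintext` lines that `hashcat --show --username` prints. The script below is an added example, not part of the skill: the sample lines and their 32-hex hashes are constructed, and the thresholds (12-character minimum, fewer than three character classes, season-plus-year words, reuse across accounts) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not part of the crack-hashcat skill): turn the output of
# "hashcat --show --username" (user:hash:plaintext, one line per account) into
# the password-policy figures the reporting step calls for. The sample lines
# are constructed; the 32-hex hashes are dummy values, not real NT hashes.
SAMPLE_CRACKED='CORP\alice:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:password
CORP\bob:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:Summer2023!
CORP\carol:cccccccccccccccccccccccccccccccc:Winter2024
CORP\dave:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:password
CORP\erin:dddddddddddddddddddddddddddddddd:Tr0ub4dor&3-2024
CORP\frank:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:P@ssw0rd:1'

# pw_policy_stats FILE [MIN_LEN]: one-line key=value summary (MIN_LEN defaults to 12).
# Only the first two colon-separated fields are stripped, so a plaintext that itself
# contains ':' (frank above) is measured in full.
pw_policy_stats() {
  awk -v min="${2:-12}" '
  {
    sub(/^[^:]*:[^:]*:/, "")          # drop user and hash; $0 is now the plaintext
    n++; total_len += length($0)
    if (length($0) < min) short++
    classes = ($0 ~ /[[:lower:]]/) + ($0 ~ /[[:upper:]]/)
    classes += ($0 ~ /[[:digit:]]/) + ($0 ~ /[^[:alnum:]]/)
    if (classes < 3) weak++        # fewer than three character classes
    if (tolower($0) ~ /(spring|summer|autumn|fall|winter)[0-9][0-9]/) seasonal++
    seen[$0]++                     # same plaintext on several accounts = reuse
  }
  END {
    for (p in seen) if (seen[p] > 1) reused += seen[p]
    printf "total=%d short=%d weak_classes=%d seasonal=%d reused=%d avg_len=%.1f\n",
           n, short, weak, seasonal, reused, (n ? total_len / n : 0)
  }' "$1"
}

# Write the constructed sample to a temp file and summarize it; in a real audit the
# input is e.g. "hashcat -m 1000 ad_hashes.txt --show --username > cracked.txt".
CRACKED_SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_CRACKED" > "$CRACKED_SAMPLE_FILE"
pw_policy_stats "$CRACKED_SAMPLE_FILE"
```

The reuse counter is what makes unsalted NT hashes informative even before cracking: identical hashes mean identical passwords, so the two `aaaa...` entries above would be flagged as shared before a single candidate was tried.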