Hashcat Notes

Unless otherwise noted these commands are for use with GPU hashcat (cudaHashcat64).

Edit: Added using --session sessionname to these so you can also use --restore and/or pause one window, open a new one, and start a new attack.

Example 1: Dictionary and rules attack

cudahashcat64 -m 1000 -a 0 --session rockyoubest64 -o ~/Desktop/audit/cracked_rockyou_best64.txt --username --remove -w 2 -r /usr/share/hashcat/rules/best64.rule ~/Desktop/audit/hc_hashes_removed.pwdump ~/Desktop/Wordlist/rockyou.txt
  • -m 1000 aka --hash-type=1000 - Hashtype 1000 is NTLM, see help file for other hash types.
  • -a 0 aka --attack-mode=0 - Attack mode 0 is "Straight" attack, i.e. dictionary/rules.
  • -o FILE aka --outfile=FILE - Outputs the results in the form of "HASH:PLAINTEXT" to the given file. I use a different file for each ruleset/dictionary I use so I can keep up with what I've done and what was cracked by which rules.
  • --username - Tells hashcat that the password file is in the form "USERNAME:HASH" and not just HASH.
  • --remove - Removes hashes from the list that have been cracked.
  • -w 2 aka --workload-profile=2 - Enables a specific workload profile for the GPU
  • -r FILE aka --rules-file=FILE - Uses the given rules file on the given dictionary. best64.rule used on rockyou.txt in this case.
  • hc_hashes_removed.pwdump - The file containing your hash dump in the format "USERNAME:HASH"
  • rockyou.txt - The dictionary file containing the passwords you wish to try.

Example 2: Mask attack

Update: Here's a great little tutorial on mask attacks: http://www.unix-ninja.com/p/Exploiting_masks_in_Hashcat_for_fun_and_profit/

cudahashcat64 -m 1000 -a 3 -o ~/Desktop/audit/cracked_mask.txt --username --remove -w 2 ~/Desktop/audit/hc_hashes_removed.pwdump ?u?l?l?l?l?l?l?d
  • -a 3 aka --attack-mode=3 - Brute Force attack mode (actually uses masks, but can emulate brute force)
  • ?u?l?l?l?l?l?l?d - Tries every 8 character combination in the form of beginning with an uppercase, 6 lowercase in the middle, and ending with a digit. The built-in character sets are...
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff

So to try every 6 character password, you would use ?a?a?a?a?a?a. Every 4 character pin would be ?d?d?d?d.
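
To see how small a pattern like "capital, six lowercase, digit" is compared with the full 8-character space, the keyspace of a mask can be computed from the built-in charset sizes (?u is uppercase A-Z). This is an added example, not part of the original notes or of hashcat itself; the function names are made up here and the guess rate passed to seconds_to_exhaust is an assumption you supply, not a benchmark.

```python
import string

# Sizes of the built-in charsets (?s is space plus 32 punctuation characters).
CHARSET_SIZES = {
    "l": len(string.ascii_lowercase),
    "u": len(string.ascii_uppercase),
    "d": len(string.digits),
    "s": len(string.punctuation) + 1,
    "b": 256,
}
CHARSET_SIZES["a"] = sum(CHARSET_SIZES[c] for c in "luds")  # ?a = ?l?u?d?s


def mask_positions(mask):
    """Return the number of candidate characters at each mask position."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":            # plain character: fixed literal
            sizes.append(1)
            i += 1
            continue
        token = mask[i + 1:i + 2]
        if token == "?":              # '??' is a literal question mark
            sizes.append(1)
        elif token in CHARSET_SIZES:
            sizes.append(CHARSET_SIZES[token])
        else:
            raise ValueError(f"unknown or dangling charset at offset {i}")
        i += 2
    return sizes


def keyspace(mask):
    """Total number of candidates the mask generates."""
    total = 1
    for size in mask_positions(mask):
        total *= size
    return total


def share_of_full_keyspace(mask):
    """Fraction of all ?a strings of the same length that the mask covers."""
    return keyspace(mask) / CHARSET_SIZES["a"] ** len(mask_positions(mask))


def seconds_to_exhaust(mask, guesses_per_second):
    """Worst-case run time at an assumed (not measured) guess rate."""
    return keyspace(mask) / guesses_per_second


if __name__ == "__main__":
    for m in ("?u?l?l?l?l?l?l?d", "?a?a?a?a?a?a", "?d?d?d?d"):
        print(m, keyspace(m), f"{share_of_full_keyspace(m):.2e}")
```

For a password audit, the share figure is the useful one: a password that merely satisfies "upper, lower, digit, 8 characters" in the most common layout sits in roughly one hundred-thousandth of the space the policy appears to allow.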

Example 3: combinator attack

cudahashcat64 -m 1000 -a 1 -o ~/Desktop/audit/cracked_apg_combinator.txt --username --remove -w 2 -j $\- -k $\! ~/Desktop/audit/hc_hashes_removed.pwdump ~/Desktop/Wordlist/APG1.txt ~/Desktop/Wordlist/APG2.txt
  • -a 1 - Attack mode 1, combinator attack. Iterates through every combination of two dictionaries (APG1.txt and APG2.txt)
  • -j $\- - Inserts the - character between two words (correct-horse)
  • -k $\! - Inserts the ! point at the end of the words (correcthorse!)
  • So in this case we are forming combinations like correct-horse!

Example 3.5: combinator.bin and hashcat-utils

Hashcat Utils are a collection of standalone tools that can be used in conjunction with Hashcat. Let's say we want to find all 4 word passphrases (such as correct-horse-battery-staple).

  • We can start with a dictionary containing all words named APG1.txt.
  • Using vim we can add - to the beginning of every line. :%s/^/-/
  • We can add - to the end with :%s/$/-/g
  • Save this as APG2.txt
  • Combine these two files with combinator.
  • /usr/share/hashcat-utils/combinator.bin ~/Desktop/wordlist/APG1.txt ~/Desktop/wordlist/APG2.txt > ~/Desktop/wordlist/APG_twoword1.txt
  • This will create a new wordlist in the form of "correct-horse" ("correct" from APG1.txt and "-horse" from APG2.txt)
  • Copy this wordlist as APG_twoword2.txt
  • Now we can use the combinator attack to combine the two two-word dictionaries into every possible 4 word combination.

There is also a combinator3.bin which takes 3 dictionaries and outputs every combination of all 3.

Example 4: stdin mode/Combinator 2

/usr/share/hashcat-utils/combinator.bin ~/Desktop/wordlist/APG1.txt ~/Desktop/wordlist/APG2.txt | cudahashcat64 -m 1000 -o ~/Desktop/audit/cracked_APG_combinator.txt --remove -w 2 ~/Desktop/audit/hc_hashes_removed.pwdump

This is a sample of piping a dictionary into hashcat with stdin. This is an order of magnitude slower than the combinator attack (-a 1).

Uses combinator.bin to combine every word from APG1.txt with every word from APG2.txt. Pipes this into hashcat. Rules can be used with this attack. There is also a combinator3.bin in the same directory that will do the same thing, but every combination from 3 dictionaries.

Example 5: Statsprocessor

Use statsprocessor to create educated guesses on password combinations, "intelligent bruteforce". Read up on the hashcat statsprocessor and Markov chains.

/usr/share/hashcat-utils/hcstatgen.bin ~/Desktop/audit/pw_stats.hcstat < ~/Desktop/wordlist/cracked_passwords.txt

We are reading in the passwords that we have cracked so far (cracked_passwords.txt) and creating a file called pw_stats.hcstat. We now have a stats file built from our own password combinations. Hashcat comes with a default .hcstat file built from the rockyou dump.

Now we use that with statsprocessor to intelligently guess passwords.

statsprocessor --pw-min=12 --pw-max=14 --threshold=5 ~/Desktop/audit/pw_stats.hcstat | cudahashcat64 -m 1000 -o ~/Desktop/audit/cracked_markov.txt --username --remove -w 2 ~/Desktop/audit/hc_hashes_removed.pwdump
  • --pw-min=12 - The minimum password length that will be tried is 12 characters
  • --pw-max=14 - The maximum password length that will be tried is 14 characters
  • --threshold=5 - "Filter out char after NUM chars added, set to 0 to disable" The best explanation I can give here is that it limits the number of attempts to the most probable 5 before moving on, instead of exhausting all attempts. Lower numbers mean fewer combinations.

You can use --combinations to view the number of combinations created by statsprocessor and estimate the time it will take to complete the attack.
statsprocessor --pw-min=12 --pw-max=14 --threshold=5 --combinations ~/Desktop/audit/pw_stats.hcstat

Example 6: Attack modes 6 & 7

cudahashcat64 -m 1000 -a 6 -o ~/Desktop/audit/cracked_attack6.txt --username --remove -w 2 ~/Desktop/audit/hc_hashes_removed.pwdump ~/Desktop/wordlist/passwords.txt ?d?d?d?d
cudahashcat64 -m 1000 -a 7 -o ~/Desktop/audit/cracked_attack6.txt --username --remove -w 2 ~/Desktop/audit/hc_hashes_removed.pwdump ?d?d?d?d ~/Desktop/wordlist/passwords.txt

-a 6 and -a 7 are hybrid attacks: dictionary + mask (-a 6) or mask + dictionary (-a 7). The first example appends 4 digits to the end of each word (Hello1984). The second example prepends 4 digits to the beginning of each word (1984Hello).

The hashcat wiki page for hybrid attack says you can just use the mask and dictionary in the order you want and not specify a certain attack mode. I'm really not sure how this should work...


Some of the Hashcat-Utils are written for 32-bit processors and will return an error saying that the file does not exist if you try to run them on a 64-bit system. Fix this by installing the necessary libraries. I can't remember which of these are necessary, but looking through my bash history it's some combination of the following.

apt-get install ia32-libs
apt-get install ia32-libs-i386
dpkg --add-architecture i386
apt-get install libc6:i386  libncurses5:i386 libstdc++6:i386

I seem to be having good luck using the Hashcat Util splitlen to split my largest dictionary up, which helps a lot with performance anyway, and then using a combinator attack to join two lists that total my password length. There's a bit more about it on this page.

The Hashcat utilities cutb and len can also be used to manipulate text files in a similar fashion.

You can get brutish with the rules set by running them all into one giant rule list and running them against everything.

cd /usr/share/cudahashcat/rules
cat * > temp.rule
sort -u temp.rule > allrules.rule
rm temp.rule

You'll get a lot of errors for rules that aren't compatible with GPU processing; these can be ignored.

The same theory can be applied to combining several dictionaries into one large one, and running that. For optimization look into the Hashcat Util "splitlen".

When dumping your hashes you'll probably get them in PWDump form. Hashcat requires just username:hash, or just the hash. You can easily fix this with awk -F: '{print $1 ":" $4}' hashes.pwdump > hc_hashes.pwdump
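
The same conversion with the checks an audit usually wants before cracking starts, as an added example that is not from the original notes: it drops malformed lines and machine accounts, and reports blank and shared passwords straight from the hashes (NTLM is unsalted, so equal hashes mean equal passwords). The function names and sample accounts are made up; the sample hashes are constructed, apart from the well-known empty-password NT value.

```python
import re
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NTLM hash of an empty password
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample in pwdump form (user:RID:LM:NT:::); NT hashes are made up,
# except EMPTY_NT on the guest line. The LM field is the empty-LM value.
SAMPLE = """\
alice:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899AABBCCDDEEFF:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WS01$:1105:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
broken line without enough fields
"""


def parse_pwdump(text, skip_machine_accounts=True):
    """Return (username, nt_hash) pairs; malformed lines are dropped."""
    pairs = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not HEX32.match(fields[3]):
            continue
        user, nt = fields[0], fields[3].lower()   # normalise hash case
        if skip_machine_accounts and user.endswith("$"):
            continue
        pairs.append((user, nt))
    return pairs


def hashcat_lines(pairs):
    """USERNAME:HASH lines, the form expected with --username."""
    return [f"{user}:{nt}" for user, nt in pairs]


def audit_findings(pairs):
    """Findings available before any cracking: blank and shared passwords."""
    by_hash = defaultdict(list)
    for user, nt in pairs:
        by_hash[nt].append(user)
    blank = by_hash.pop(EMPTY_NT, [])
    shared = {h: users for h, users in by_hash.items() if len(users) > 1}
    return blank, shared


if __name__ == "__main__":
    accounts = parse_pwdump(SAMPLE)
    print("\n".join(hashcat_lines(accounts)))
    print(audit_findings(accounts))
```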

Good Dictionaries:

Top 10 million passwords - https://mega.co.nz/#!SdYnkJRJ!HmD04LH8Gk8JtlNG6O2NnF2yH9qWJPWtSXbLU2ZR9Q8
rockyou and others - https://wiki.skullsecurity.org/Passwords
Crackstation - https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm

Related Tools:

pipal/passpat: Password analyzer - https://github.com/digininja/pipal
PACK (Password analysis and cracking kit) - https://thesprawl.org/projects/pack/
CeWL: Scrapes websites for possible passwords - https://digi.ninja/projects/cewl.php



Infosec analyst, lover of passwords, and owner of a giant goofy puppy.
