efxtv

Hashcat Command Examples (hash cracking with John the Ripper and Hashcat)

Dec 29th, 2023 (edited)
Hashcat & John the Ripper Command cheatsheet (crack the hashes)

- Hashcat is a powerful password recovery tool used for cracking passwords. It is mainly designed to help security professionals and penetration testers assess the strength of passwords by attempting to crack them with various attack methods. It can be quite confusing at first: there are over 300 hashing algorithms, so we might not know which one to use.

- World's fastest password cracker

Q. What are hashes?
Ans. Hashes are the output of a hashing algorithm that takes your plaintext, scrambles it up, and produces a hashed value for the given plaintext or word.

- Create a hash
$ echo -n "efxtv" | openssl md5
$ while IFS= read -r i; do printf '%s' "$i" | md5sum | cut -d' ' -f1 >> hashes; done < wordlist.txt

- Syntax:
hashcat -a <attack mode> -m <hash type> <hash file> <wordlist>

- Attack modes:
Wordlist          -a 0
Wordlist + rule   -a 0 (with -r <rule file>)
Combinator        -a 1
Brute-force       -a 3

- Check the supported system and device list (the benchmark prints the detected devices before it runs)
$ hashcat --benchmark

- Dictionary attack (-a 0)
A dictionary attack is performed by using a wordlist. It is also the default attack mode in Hashcat. The better the wordlist is, the greater the chances of cracking the password.

- Combinator attack (-a 1)
The combinator attack tries different combinations of words from our wordlist. For example, if our wordlist contains the words "pass", "123", and "hello", Hashcat will generate the following candidates:
passpass
pass123
passhello
123pass
123123
123hello
hellopass
hello123
hellohello

- Mask attack (-a 3)
The mask attack is similar to a brute-force attack but more specific. A plain brute-force approach can take a long time to crack a password. But if we have information regarding the password, we can use that to reduce the time it takes to crack it.

- For example, if we know the length of the password and a few characters that might be in the password, we can generate candidates from only those characters.

- Hashcat supports a wide range of hashing algorithms such as:
- MD5
- SHA1
- SHA256
- bcrypt and many others…

This tool is used for various scenarios such as:
- Recovering lost passwords
- Testing the security of password-protected systems
- Auditing the strength of user passwords

Features of Hashcat
- It's free
- Fully open source
- Supports over 300 highly-optimized hashing algorithms!
- Supports Windows, Linux, and Mac.
- Supports cracking multiple hashes in parallel
- Built-in benchmarking system.

1. How to install Hashcat?
$ sudo apt install hashcat

2. Help options
$ hashcat -h
$ hashcat --help

3. Locate wordlist
$ ls /usr/share/wordlists

4. Straight Attack
- The first attack we are going to perform is a straight attack, or dictionary attack.
- It's the default method that Hashcat uses.
- This attack is faster on simple passwords.
- The hash type I am using is MD5, and I have specified the hash type in the command.

$ hashcat -m 0 -a 0 ./target_hashes.txt /usr/share/wordlists/rockyou.txt.gz

-m 0 is for MD5 hash type
-a 0 is for a straight attack

- Attack with a specific device type (-D 1, -D 2, -D 3)
$ hashcat -m 100 -a 0 sha1 ~/Downloads/rockyou.txt -D 1
-D 1 is CPU, -D 2 is GPU, -D 3 is FPGA / DSP / co-processor


5. View previously cracked passwords
$ hashcat -a 0 -m 0 ./target_hashes.txt /usr/share/wordlists/rockyou.txt.gz --show

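For the password-audit use case listed earlier, the `hash:plaintext` lines printed by `--show` can be reduced to statistics that are safe to put in a report. This Python sketch is an added example, not part of the original paste; the function names and the sample lines are constructed for illustration.

```python
import hashlib
import re
import string
from collections import Counter

HEX_FIELD = re.compile(r"^\$HEX\[([0-9a-fA-F]*)\]$")

def md5_line(plain, shown=None):
    """Build one constructed `hash:plaintext` line in the --show layout."""
    return f"{hashlib.md5(plain.encode()).hexdigest()}:{shown or plain}"

# Constructed sample. hashcat writes plaintexts that contain ':' or
# non-printable bytes as $HEX[...], so splitting on the first ':' is safe for -m 0.
SAMPLE_SHOW = [
    md5_line("zaq123"),
    md5_line("abc789"),
    md5_line("Password1"),
    md5_line("pa:ss", shown="$HEX[70613a7373]"),
]

def decode_plain(field):
    m = HEX_FIELD.match(field)
    return bytes.fromhex(m.group(1)).decode("utf-8", "replace") if m else field

def to_mask(plain):
    """Map each character to the built-in hashcat charset it belongs to."""
    classes = (("?l", string.ascii_lowercase), ("?u", string.ascii_uppercase),
               ("?d", string.digits), ("?s", " " + string.punctuation))
    return "".join(next((m for m, cs in classes if ch in cs), "?b") for ch in plain)

def audit(show_lines, total_hashes):
    """Summarise cracked results; the returned report contains no plaintexts."""
    masks, lengths = Counter(), Counter()
    for line in show_lines:
        _digest, sep, field = line.rstrip("\n").partition(":")
        if not sep:
            continue                      # blank or malformed line
        plain = decode_plain(field)
        masks[to_mask(plain)] += 1
        lengths[len(plain)] += 1
    cracked = sum(masks.values())
    return {
        "cracked": cracked,
        "cracked_pct": round(100 * cracked / total_hashes, 1),
        "lengths": dict(sorted(lengths.items())),
        "top_masks": masks.most_common(3),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_SHOW, total_hashes=8))
```
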
6. SHA1 hash using the same attack mode
$ hashcat -m 100 -a 0 sha1 ~/Downloads/rockyou.txt
-m 100 is for SHA1 hash type
-a 0 for a straight attack
(sha1 here is the name of the file holding the hashes)

7. Combination Attack
This attack is used to crack passwords that are two words joined together, such as 'passpass' or 'blue-bike'.

Hashcat handles this with the combination attack, which takes two wordlists (dictionaries).

So the two wordlists we will be using must contain the left and right parts of the passwords.

The wordlist I'm using contains both words from the password, so I'll be using the same list for the left and right side.

$ hashcat -m 0 -a 1 ./target_hashes.txt ./wordlist1 ./wordlist2
-m 0 for MD5 hash type
-a 1 for a combination attack

SHA1
$ hashcat -m 100 -a 1 ./target_hashes.txt ./wordlist1 ./wordlist2

8. Rule-Based Attack
This type of attack uses rules to form patterns that are applied to the existing passwords in a wordlist, quickly generating new candidate passwords instead of us adding them to the wordlist manually.

For this method, we only need our original wordlist and a file containing the rules to form patterns.

Create hashes
$ echo -n "efxtv" | openssl sha1
$ echo -n "efxtv" | openssl md5

$ hashcat -a 0 -m 0 hash.txt wordlist/wordlist.txt -r /usr/share/hashcat/rules/rockyou-30000.rule
-r rules file

9. Brute-force mode (Mask Attack)
Mask attacks are similar to brute-force attacks since they try out all possible combinations from a set of characters.

In a brute-force attack, all possible characters are tried out, but mask attacks are more specific: the set of characters you try is reduced based on the information you know.

For example, if you know the last character in a password is a number, you can configure your mask to try only numbers at the end.

We know about humans and how they design passwords. For example, the password I'm going to use, 'zaq123', is a name and a 3-digit number, which is a commonly used pattern. In many passwords the first letter is lower-case.

We will be using the built-in charsets (character sets) to specify what our password looks like.

$ hashcat -h
l | abcdefghijklmnopqrstuvwxyz [a-z]
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ [A-Z]
d | 0123456789 [0-9]
h | 0123456789abcdef [0-9a-f]
H | 0123456789ABCDEF [0-9A-F]
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff

?l ?u ?d
a  A  0
z  Z  9

?l?l?l?l?l?l?l?l (all the passwords are in lower case)
first pass set:
aaaaaaaa
baaaaaaa
caaaaaaa
daaaaaaa
eaaaaaaa
zaaaaaaa
abaaaaaa
acaaaaaa

These custom charsets are equal to:
-1 abcdefghijklmnopqrstuvwxyz
-2 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
-3 0123456789

$ hashcat -a 3 -m 0 ./hash "?d?d?d?d"
-a 3 brute-force mode

--increment-min / --increment-max
It will check for passwords from a minimum of 2 characters up to 3 characters:
00
01
100
200
.
.
300
$ hashcat -a 3 -m 0 --increment --increment-min 2 --increment-max 3 hash "?d?d?d?d"

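The mask attack sections above (-a 3, the built-in charsets, custom charsets and --increment) come down to simple arithmetic on charset sizes, which is also how a defender can judge whether a password pattern is within reach. This Python sketch is an added example, not part of the original paste or of Hashcat; the function names and the guess rate are assumptions.

```python
import math
import string

# Built-in charsets as listed by `hashcat -h`; ?s includes the space character.
BUILTIN = {
    "l": string.ascii_lowercase, "u": string.ascii_uppercase,
    "d": string.digits, "h": "0123456789abcdef", "H": "0123456789ABCDEF",
    "s": " " + string.punctuation,
    "b": "".join(map(chr, range(256))),
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]

def expand(spec, custom=None):
    """Return one set of characters per position of a mask or charset definition."""
    custom, positions, i = custom or {}, [], 0
    while i < len(spec):
        if spec[i] != "?":
            positions.append({spec[i]})              # literal character
            i += 1
            continue
        key = spec[i + 1:i + 2]                      # empty if '?' is the last char
        if key == "?":
            positions.append({"?"})                  # '??' is a literal '?'
        elif key in BUILTIN:
            positions.append(set(BUILTIN[key]))
        elif key in custom:                          # -1..-4: union of the definition
            positions.append(set().union(*expand(custom[key])))
        else:
            raise ValueError(f"bad charset reference '?{key}' in {spec!r}")
        i += 2
    return positions

def candidate_count(mask, custom=None, inc_min=None, inc_max=None):
    """Candidates a mask generates; with --increment, summed over each length."""
    sizes = [len(p) for p in expand(mask, custom)]
    if inc_min is None and inc_max is None:
        lengths = [len(sizes)]
    else:
        lengths = range(inc_min or 1, min(inc_max or len(sizes), len(sizes)) + 1)
    return sum(math.prod(sizes[:n]) for n in lengths)

def hours_to_exhaust(mask, hashes_per_second, **kw):
    return candidate_count(mask, **kw) / hashes_per_second / 3600

if __name__ == "__main__":
    RATE = 1e9  # assumed guesses per second, not a measured benchmark
    for m in ("?d?d?d?d", "?l?l?l?d?d?d", "?l?l?l?l?l?l?l?l", "?a?a?a?a?a?a?a?a"):
        print(f"{m:18} {candidate_count(m):>22,} {hours_to_exhaust(m, RATE):12.4f} h")
```

The 'zaq123' pattern (?l?l?l?d?d?d) has about 17.6 million candidates, while eight positions of ?a has 95^8, which is why length and a full character set matter more than any single substitution.
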
- How to crack Windows 10 hashes
$ hashcat -m 1000 -a 0 ./samfile /usr/share/wordlists/rockyou.txt.gz
-m 1000 NTLM

- Crack zip password
$ zip2john zipfile_having_password.zip | cut -d: -f2 > ziphashes
$ hashcat -m 17200 -a 0 -o found.txt ./ziphashes ~/Downloads/rockyou.txt
-o save output as
-m 17200 PKZIP (Compressed)
(cut keeps only the hash field; hashcat does not accept the file-name fields that zip2john adds around it)

- Crack RAR password
$ rar2john rarfile_with_password.rar | cut -d: -f2 > hashes.txt
$ hashcat -m 12500 -a 0 -o found.txt hashes.txt ~/Downloads/rockyou.txt
-m 12500 RAR3-hp

- Crack ssh password from rsa_key
$ ssh2john rsakeys > hashes.txt
$ john --wordlist="$HOME/Downloads/rockyou.txt" hashes.txt

- To crack almost any other hash, you can use the John the Ripper tool
e.g. to extract hashes:
$ zip2john file_with_password.zip > hashes

Crack the hashes
$ john --wordlist="$HOME/pathto/rockyou.txt" ./hashes

John supports a list of hash generators:

john                    1password2john
7z2john                 adxcsouf2john
aem2john                aix2john
andotp2john             androidbackup2john
androidfde2john         ansible2john
apex2john               applenotes2john
aruba2john              atmail2john
axcrypt2john            bestcrypt2john
bitcoin2john            bitshares2john
bitwarden2john          bks2john
blockchain2john         ccache2john
cisco2john              cracf2john
dashlane2john           deepsound2john
diskcryptor2john        dmg2john
DPAPImk2john            ecryptfs2john
ejabberd2john           electrum2john
encfs2john              enpass2john
enpass5tojohn           ethereum2john
filezilla2john          geli2john
hccapx2john             htdigest2john
ibmiscanner2john        ikescan2john
ios7tojohn              itunes_backup2john
iwork2john              kdcdump2john
keychain2john           keyring2john
keystore2john           kirbi2john
known_hosts2john        krb2john
kwallet2john            lastpass2john
ldif2john               libreoffice2john
lion2john               lotus2john
luks2john               mac2john
mcafee_epo2john         monero2john
money2john              mosquitto2john
mozilla2john            multibit2john
neo2john                office2john
openbsd_softraid2john   openssl2john
padlock2john            pcap2john
pdf2john                pem2john
pfx2john                pgpdisk2john