Login
Login

Hashcat

{{Short description|Open-source password recovery tool}}

{{Infobox software

| name = Hashcat

| logo =

| screenshot =

| caption =

| author =

| developer = Jens 'atom' Steube, Gabriele 'matrix' Gristina

| released =

| latest release version = {{wikidata|property|edit|reference|P348}}

| latest release date = {{start date and age|{{wikidata|qualifier|P348|P577}}}}

| repo = {{URL|github.com/hashcat/hashcat}}

| operating system = Cross-platform

| genre = Password cracking

| license = MIT License

| website = {{official URL}}

}}

Hashcat is a password recovery tool. It had a proprietary code base until 2015, but was then released as open source software. Versions are available for Linux, macOS, and Windows. Examples of hashcat-supported hashing algorithms are LM hashes, MD4, MD5, SHA-family and Unix Crypt formats as well as algorithms used in MySQL and Cisco PIX.

Hashcat has received publicity because it is partly based on flaws in other software discovered by its creator. An example was a flaw in 1Password's password manager hashing scheme.{{cite web|title= On hashcat and strong Master Passwords as your best protection | url=https://blog.agilebits.com/2013/04/16/1password-hashcat-strong-master-passwords/ |work=Passwords| publisher=Agile Bits| date=2013-04-16}} It has also been compared to similar software in a Usenix publication{{Cite journal|last=Ur|first=Blase|date=2015-08-12|title=Measuring Real-World Accuracies and Biases in Modeling Password Guessability|url=https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-ur.pdf|journal=Proceedings of the 24th USENIX Security Symposium}} and been described on Ars Technica.{{Cite web|last=Goodin|first=Dan|date=2013-08-26|title="thereisnofatebutwhatwemake" - Turbo-charged cracking comes to long passwords|url=https://arstechnica.com/information-technology/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/|access-date=2020-07-21|website=Ars Technica|language=en-us}}

Variants

Previously, two variants of hashcat existed:

  • hashcat - CPU-based password recovery tool
  • oclHashcat/cudaHashcat - GPU-accelerated tool (OpenCL or CUDA)

With the release of hashcat v3.00, the GPU and CPU tools were merged into a single tool called hashcat. The CPU-only version became hashcat-legacy.{{cite web|title=hashcat v3.00|url=https://hashcat.net/forum/thread-5559.html|work=Hashcat|publisher=Hashcat project|date=2016-06-29}} Both CPU and GPU now require OpenCL.

Many of the algorithms supported by hashcat-legacy (such as MD5, SHA1, and others) can be cracked in a shorter time with the GPU-based hashcat.{{cite web|title= Recent Developments in Password Cracking | url=https://www.schneier.com/blog/archives/2012/09/recent_developm_1.html |work=Passwords| publisher=Bruce Schneier| date=2012-09-19}} However, not all algorithms can be accelerated by GPUs. Bcrypt is an example of this. Due to factors such as data-dependent branching, serialization, and memory (and more), oclHashcat/cudaHashcat weren't catchall replacements for hashcat-legacy.

hashcat-legacy is available for Linux, OSX and Windows.

hashcat is available for macOS, Windows, and Linux with GPU, CPU and generic OpenCL support which allows for FPGAs and other accelerator cards.

Sample output

$ hashcat -d 2 -a 0 -m 400 -O -w 4

hashcat (v5.1.0) starting...

OpenCL Platform #1: Intel(R) Corporation

====================================

  • Device #1: Intel(R) Core(TM) i5-2500K CPU @ 3.30GHz, skipped.

OpenCL Platform #2: NVIDIA Corporation

==================================

  • Device #2: M1 chip, 1010/4041 MB allocatable, 13MCU
  • Device #3: Redmi note 11, skipped.

Hashes: 1 digests; 1 unique digests, 1 unique salts

Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Rules: 1

Applicable optimizers:

  • Optimized-Kernel
  • Zero-Byte
  • Single-Hash
  • Single-Salt

Minimum password length supported by kernel: 0

Maximum password length supported by kernel: 55

Watchdog: Temperature abort trigger set to 90c

Dictionary cache hit:

  • Filename..: example.dict
  • Passwords.: 128416
  • Bytes.....: 1069601
  • Keyspace..: 128416

The wordlist or mask that you are using is too small.

This means that hashcat cannot use the full parallel power of your device(s).

Unless you supply more work, your cracking speed will drop.

For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

$H$9y5boZ2wsUlgl2tI6b5PrRoADzYfXD1:hash234

Session..........: hashcat

Status...........: Cracked

Hash.Type........: phpass, WordPress (MD5), phpBB3 (MD5), Joomla (MD5)

Hash.Target......: $H$9y5boZ2wsUlgl2tI6b5PrRoADzYfXD1

Time.Started.....: Thu Apr 25 05:10:35 2019 (0 secs)

Time.Estimated...: Thu Apr 25 05:10:35 2019 (0 secs)

Guess.Base.......: File (example.dict)

Guess.Queue......: 1/1 (100.00%)

Speed.#2.........: 2654.9 kH/s (22.24ms) @ Accel:128 Loops:1024 Thr:1024 Vec:1

Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts

Progress.........: 128416/128416 (100.00%)

Rejected.........: 0/128416 (0.00%)

Restore.Point....: 0/128416 (0.00%)

Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:1024-2048

Candidates.#2....: 0 -> zzzzzzzzzzz

Hardware.Mon.#2..: Temp: 44c Fan: 40% Util: 50% Core:1265MHz Mem:3004MHz Bus:8

Started: Thu Apr 25 05:10:32 2019

Stopped: Thu Apr 25 05:10:37 2019

Attack types

Hashcat offers multiple attack modes for obtaining effective and complex coverage over a hash's keyspace. These modes are:

  • Brute-force attack{{Cite web|url=https://hashcat.net/wiki/doku.php?id=hashcat#supported_attack_modes|title = Hashcat [hashcat wiki]}}
  • Combinator attack
  • Dictionary attack
  • Fingerprint attack
  • Hybrid attack
  • Mask attack
  • Permutation attack
  • Rule-based attack
  • Table-Lookup attack (CPU only)
  • Toggle-Case attack
  • PRINCE attack{{cite web|title= PRINCE: modern password guessing algorithm | url=https://hashcat.net/events/p14-trondheim/prince-attack.pdf |work=Hashcat site| publisher=Hashcat| date=2014-12-08}} (in CPU version 0.48 and higher only)

The traditional bruteforce attack is considered outdated, and the Hashcat core team recommends the Mask-Attack as a full replacement.

Competitions

Team Hashcat[https://github.com/hashcat/team-hashcat Team Hashcat] (the official team of the Hashcat software composed of core Hashcat members) won first place in the KoreLogic "Crack Me If you Can" Competitions at DefCon in 2010,{{Cite web|title="Crack Me If You Can" - DEFCON 2010|url=http://contest-2010.korelogic.com/team_hashcat.html|access-date=2020-07-21|website=contest-2010.korelogic.com}} 2012, 2014,{{cite web| url=http://contest-2014.korelogic.com/| title=Crack Me If You Can 2014 Contest| publisher=KoreLogic Security}} 2015,{{Cite web|title=Another trophy in the Pocket! Win @ CMIYC contest 2015|url=https://hashcat.net/forum/thread-4595.html|access-date=2020-07-21|website=hashcat.net}} and 2018, and at DerbyCon in 2017.

See also

{{Portal|Free and open-source software}}

References

{{reflist}}

External links

  • {{Official website}}
  • [http://www.unix-ninja.com/p/A_guide_to_password_cracking_with_Hashcat/ A guide to password cracking with Hashcat]
  • [http://www.irongeek.com/i.php?page=videos/derbycon5/the-3-way21-confessions-of-a-crypto-cluster-operator-dustin-heywood Talk: Confessions of a crypto cluster operator] based on oclHashcat at Derbycon 2015
  • [http://www.irongeek.com/i.php?page=videos/derbycon6/521-hashcat-state-of-the-union-evilmog Talk: Hashcat state of the union] at Derbycon 2016

{{Password Cracking Software}}

{{Use dmy dates|date=September 2017}}

Category:Password cracking software

Category:Free security software

Category:Formerly proprietary software