How to Crack Password Hashes with Hashcat — a Practical Guide

Hashing is like a strong foundation for keeping things safe in cybersecurity. It’s used to protect stuff like passwords and important information by turning them into jumbled-up codes that are hard to crack.

Hashing and encryption are sometimes mixed up, but they’re different. One big difference is that when data is hashed, you can’t turn it back into its original form. However, encrypted data can be reversed using a special key. That’s why apps like Telegram use encryption, while passwords are hashed for security.

Let’s start with the installation of Hashcat

Linux:

Hashcat comes pre-installed in Kali and Parrot OS. To install it in Ubuntu / Debian-based systems, use the following command:

$ apt install hashcat

2.Download Hashcat: You can download Hashcat from the official website or use Git to clone the repository:

git clone https://github.com/hashcat/hashcat.git

Once the installation is done, we can check Hashcat’s help menu using this command:

$ hashcat -h

Windows:

1. Download Hashcat: Visit the official Hashcat website and download the Windows binaries.
2. Extract Files: Once downloaded, extract the contents of the ZIP file to a location of your choice.
3. Set Path (Optional): You can optionally add the Hashcat directory to your system’s PATH environment variable for easier access from the command line. This step is not necessary but can be helpful.
4. Verify Installation: Open Command Prompt and navigate to the Hashcat directory. Run hashcat --version to verify that Hashcat is installed correctly.

These steps should help you install Hashcat on both Linux and Windows systems. Make sure to follow any specific instructions or requirements mentioned in the Hashcat documentation or release notes for the version you are installing.

What is Password Hashing?

Hashing is like a special math trick that turns any word or number into a specific length code. This code is created by a function called a hash function, which takes the original word or number and changes it into another set of letters and numbers.

Various hashing methods, such as MD5, SHA1, and others, exist. These algorithms are like different ways of transforming information into fixed-length codes. Each algorithm has its own approach and characteristics, providing unique ways to secure data and perform various tasks in computer science and cybersecurity.

The length of a hash is always a constant, irrespective of the length of the input. For example, if we use the MD5 algorithm and hash two strings like “ABCD1234” and “passwd1234”, the final hash will have a fixed length.

Hashing algorithms and their hash lengths:

MD5: A 128-bit hash, usually represented as a 32-character hexadecimal string.

SHA-1: A 160-bit hash, usually represented as a 40-character hexadecimal string.

SHA-256: A 256-bit hash, usually represented as a 64-character hexadecimal string.

SHA-512: A 512-bit hash, usually represented as a 128-character hexadecimal string.

It’s important to note that the length of a hash does not necessarily indicate its security. For example, MD5 and SHA-1 are considered insecure for certain applications due to vulnerabilities that have been discovered, even though they produce longer hashes than more secure algorithms like SHA-256 and SHA-512.

you can use openssl command or online generator to generate hashes

Here is the MD5 hash for “ABCD123”.

$1$PnhQtOci$UYQVC5eW6XEyV9xL9XlW/0

Here is the MD5 hash for “passwd1234”.

$1$gG5buseH$FaebuMrGYmNvdj5RWXnOF0

Now, there’s another method called encoding. A well-known encoding algorithm is Base64. Here’s how the string “ABCD123” would appear if we encoded it using Base64.

QUJDRDEyMwo=

The main difference between hashing and encoding lies in reversibility. When we encode a string, it can be easily decoded to retrieve the original string. However, when we hash a string, it’s not possible to retrieve the original string from the hash value. Hashing is a one-way process, meaning once hashed, it’s extremely difficult to reverse the process and recover the original data.

WHAT IS HASHCAT?

Hashcat is a rapid password recovery tool designed to crack complex password hashes. It’s known for its versatility and wide range of features, offering multiple methods for recovering passwords from hashes.

One notable advantage of Hashcat is its compatibility with GPUs. Unlike CPUs, which excel at sequential tasks, GPUs boast robust parallel processing capabilities. GPUs are commonly utilized in various fields like gaming and artificial intelligence, and they can significantly accelerate the process of password cracking.

Besides Hashcat, another essential component for password cracking is a wordlist. A wordlist is essentially a collection of frequently used terms, which can include passwords, usernames, subdomains, and more.

One well-known password wordlist is “rockyou.txt.” It contains a compilation of commonly used passwords and is widely utilized by penetration testers. In Kali Linux, you can locate the Rockyou wordlist at /usr/share/wordlists.

Now Lets Understand How Hashcat Works:

Now that we understand hashing and Hashcat, let’s begin cracking some passwords.

Before diving into cracking a hash, let’s first create a couple of hashes to work with. We can utilize online tools like Browserling to generate hashes for given strings. or use openssl tool to generate in terminal.

We’ll create two hashes: an MD5 hash and a SHA1 hash for the string “ABCD123”. I’m deliberately using a weak password to illustrate how easily such passwords can be cracked.

MD5-c1a14d6139aee67b520c766321bd894d
SHA1-d0e39c3301bb59be6aac1044cb18eef89c6e360e

To crack a password using Hashcat, you can use the following general syntax:

$ hashcat -m value -a value hashfile wordlist

• Replace [options] with any specific options or flags you want to use with Hashcat.
• hash_file refers to the file containing the hashes you want to crack.
• wordlist is the path to the wordlist file containing potential passwords to try.

We can store these hashes under the names md5.txt and sha1.txt to use them when working with Hashcat.

hashcat -m 0 -a 0 md5.txt /usr/share/wordlists/rockyou.txt 

Hashcat will quickly find the value for the hash, in this case, “ABCD123”

MD5 hachcat

Now with SHA1:-

hashcat -m 100 -a 0 sha1.txt /usr/share/wordlists/rockyou.txt 

Hashcat offers extensive support for nearly all hashing algorithms, along with a range of attack modes to suit different cracking scenarios.

Dictionary attack(-a 0);-

As demonstrated in our previous example, a dictionary attack involves using a wordlist to crack passwords. This type of attack is the default choice in Hashcat. The effectiveness of the dictionary attack heavily depends on the quality and comprehensiveness of the wordlist used, as a better wordlist increases the likelihood of successfully cracking the password.

Combinator attack (-a 1);-

in a combinator attack, Hashcat generates combinations of words from the provided wordlist. For instance, if our wordlist includes “ABCD”, “123”, and “passwd”, Hashcat will generate combinations like:

• ABCD123
• ABCDpasswd
• 123ABCD
• 123passwd
• passwdABCD
• passwd123

and so on, trying different combinations to crack the password.
As demonstrated, even a basic wordlist can generate numerous combinations, making the combinator attack effective, especially when some terms used in the password are known. However, it’s important to note that as the initial wordlist grows larger, the resulting combinations become more complex, enhancing the effectiveness of the attack.

Mask attack (-a 3);-

The mask attack, invoked with the -a 3 flag in Hashcat, is a more targeted version of the dictionary attack. While brute-force methods like dictionary attacks can be time-consuming, the mask attack speeds up the process by leveraging known information about the password.

For instance, if we have insights into the password’s length and certain characters it may contain, we can create a customized wordlist based on that information.

To defend against Hashcat;-

you can take the following measures:

1. Use strong passwords: Implement a strong password policy that requires users to create complex passwords with a minimum length and a mix of characters, including uppercase and lowercase letters, numbers, and symbols.
2. Salt passwords: Add a random string of characters, called a salt, to each password before hashing. This makes it more difficult for attackers to use precomputed hash tables, such as rainbow tables, to crack passwords.
3. Limit password attempts: Implement a password lockout policy that limits the number of failed login attempts within a certain time frame. This can prevent brute-force attacks using Hashcat.
4. Use account lockout policies: Implement an account lockout policy that locks out user accounts after a certain number of failed login attempts. This can prevent attackers from using Hashcat to crack passwords.
5. Monitor system logs: Regularly monitor system logs for any suspicious activity, such as multiple failed login attempts or unusual network traffic.
6. Use multi-factor authentication (MFA): Implement MFA to add an extra layer of security to user accounts. MFA requires users to provide at least two forms of authentication, such as a password and a fingerprint or a one-time passcode.
7. Keep software up-to-date: Regularly update your operating system, applications, and security software to ensure that you have the latest security patches and fixes.

Remember, always use your hacking skills responsibly and with proper authorization. Happy hacking!

I hope you have learned something from this blog. So, Let’s meet in the next blog with new blog. Happy hacking!

Stay tuned for similar walkthroughs and much more coming up in the near future!

Disclaimer:

We believe that these Practices will educate everyone about ethical hacking, and We do not promote, encourage, support, or excite any illegal activity or hacking.

We will not be responsible for your illegal actions.