Hashcat is an open-source password recovery tool that is currently considered the most powerful. You can visit the Hashcat.net website to learn more about this tool. Essentially, Hashcat 3.0 is an advanced password recovery tool that can utilize CPU or GPU resources to attack over 160 different types of password hashes. The HashCat software series supports CPU, NVIDIA GPU, and ATI GPU for password cracking. It is compatible with Windows and Linux platforms, but requires the installation of the officially specified version of the graphics card driver. Incorrect driver versions may cause the program to fail.
HashCat is mainly divided into three versions: Hashcat, oclHashcat-plus, and oclHashcat-lite. The main differences between these three versions are as follows: HashCat only supports CPU cracking. oclHashcat-plus supports GPU cracking of multiple hashes and supports up to 77 different algorithms. oclHashcat-lite only supports GPU cracking of a single hash and supports only 32 types of hashes. However, it is optimized for algorithms and can achieve the highest speed for GPU cracking. If you are cracking a single ciphertext, it is recommended to use oclHashCat-lite.
For Windows installation, you can download the binary file from the official website and use it directly after entering the directory.
git clone https://github.com/hashcat/hashcat.git
cd hashcat //进入目录
sudo make
sudo make install //安装hashcat
l | abcdefghijklmnopqrstuvwxyz 纯小写字母
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ 纯大写字母
d | 0123456789 纯数字
h | 0123456789abcdef 常见小写子目录和数字
H | 0123456789ABCDEF 常见大写字母和数字
s | !"#$%&'()*+,-./:;?@[]^_`{|}~ 特殊字符
a | ?l?u?d?s 键盘上所有可见的字符
b | 0x00 - 0xff 可能是用来匹配像空格这种密码的
For Linux installation, download the source code from GitHub to your local machine, then enter the directory and compile and install it. If the installation is successful, you can type “hashcat” in the command line to see the help documentation.
Common parameters include:
- -m –hash-type=NUM: Specifies the hash type, with NUM referring to the hash category value as mentioned in the help information. If no m value is specified, it defaults to md5. For example, -m 1800 represents sha512 Linux encryption.
- -a –attack-mode: Specifies the attack mode, e.g., -a 3.
- -V –version: Displays version information.
- -h –help: Displays help information.
- –quiet: Enables quiet mode, suppressing output.
- -b –benchmark: Tests the computer’s cracking speed and displays hardware-related information.
In HashCat, the –attack-mode ? parameter can be used to specify the cracking mode.
Other mask settings include:
- ?l: Represents lowercase letters (a-z).
- ?u: Represents uppercase letters (A-Z).
- ?d: Represents digits (0-9).
- ?a: Represents all special characters on the keyboard.
- ?s: Represents all visible characters on the keyboard.
- ?h: Represents 8-bit hexadecimal characters from 0xc0 to 0xff.
- ?D: Represents 8-bit German characters.
- ?F: Represents 8-bit French characters.
- ?R: Represents 8-bit Russian characters.
八位数字密码:?d?d?d?d?d?d?d?d
八位未知密码:?a?a?a?a?a?a?a?a
前四位为大写字母,后面四位为数字:?u?u?u?u?d?d?d?d
前四位为数字或者是小写字母,后四位为大写字母或者数字:?h?h?h?h?H?H?H?H
前三个字符未知,中间为admin,后三位未知:?a?a?aadmin?a?a?a
6-8位数字密码:--increment --increment-min 6 --increment-max 8 ?l?l?l?l?l?l?l?l
6-8位数字+小写字母密码:--increment --increment-min 6 --increment-max 8 ?h?h?h?h?h?h?h?h
比如说我要设置自定义字符集1为小写+数字,那么就加上
-- custom-charset1 ?l?d
如果要设置自定义字符集2为abcd1234,那么就加上
--custom-charset2 abcd1234
如果要破解8位的小写+数字,那么需要设置自定义字符集1为
--custom-charset1 ?l?d
设置掩码为?1?1?1?1?1?1?1?1。 如果已知密码的第一位为数字,长度为8位,后几位为大写+小写,那么需要设置自定义字符集1为
--custom-charset1 ?l?u
设置掩码为?d?1?1?1?1?1?1?1
$ aircrack-ng -J
hashcat -m 2500 out.hccap.hccap dics.txt
For example, to crack a WPA/PSK password, convert the cap file captured by airodump to hccap format. You can use online converters or aircrack-ng for conversion. The parameter commands are as follows:
- The first parameter: -m 2500 specifies the cracking mode as WPA/PSK.
- The second parameter: The hccap format file is the converted file.
- The third parameter: dics.txt is the dictionary file.
hashcat -m 2500 -a 3 handshake.hccap ?d?d?d?d?d?d?d?d
oclHashcat-plus64.exe --hash-type 0 --attack-mode 0 d:md5.txt d:dict1.txt d:dict2.txt
crunch 8 8 0123456789 -o dic.txt
Cracking a pure numeric password using a dictionary:
Due to the influence of disk and memory speed, the speed of dictionary cracking cannot reach the maximum computational speed of the GPU. Generally, a 5GB dictionary can be completed within 10 minutes for MD5 cracking. To generate a dictionary for pure numbers, use the following command: crunch 8 8 0123456789 -o dic.txt. The generated pure numeric dictionary will be around 900MB.
hashcat64.exe -m 0 -a 0 5ec822debe54b1935f78d9a6ab900a39 password.dict
hashcat64.exe -m 0 -a 0 md5_list.txt password.dict
hashcat64.exe -m 0 -a 3 3d9865a2843dcb59e7a6296c894732a4 ?d?d?d?d?d?d?d?d
hashcat64.bin -m 0 -a 0 hash.txt dict1.txt dict2.txt dict3.txt
hashcat -a 3 -m 0 --force ed2b1f468c5f915f3f1cf75d7068baae "?d?d?d?d?d?d?d?d"
hashcat -a 3 -m 0 --force 4488cec2aea535179e085367d8a17d75 --increment --increment-min 1 --increment-max 8 "?d?d?d?d?d?d?d?d"
Loading a password dictionary and cracking a single MD5 hash.
Loading a password dictionary and cracking multiple MD5 hashes.
Loading multiple password dictionaries is only supported in “-a 0” mode.
Other common brute-force attacks include:
- Brute-forcing an 8-digit numeric MD5 hash (2 seconds).
- Brute-forcing MD5 hashes from 1 to 8 digits.
hashcat -a 3 -m 0 --force 80d41e1777e11df88fa2a02508112a6c "?l?l?l?l?l?l?l?l"
hashcat -a 0 ede900ac1424436b55dc3c9f20cb97a8 password.txt -o result.txt
hashcat -a 0 hash.txt password.txt -o result.txt
hashcat -a 1 25f9e794323b453885f5181f1b624d0b pwd1.txt pwd2.txt
hashcat -a 6 9dc9d5ed5031367d42543763423c24ee password.txt "?l?l?l?l?l"
select host,user,authentication_string from mysql.user;
hashcat -a 0 -m 300 --force 81F5E21E35407D884A6CD4A731AEBFB6AF209E1B ~/pwd
hashcat -a 3 -m 132 --force 0x01008c8006c224f71f6bf0036f78d863c3c4ff53f8c3c48edafb "?l?l?l?l?l?d?d?d"
NT-hash:
hashcat -a 3 -m 1000 209C6174DA490CAEB422F3FA5A7AE634 "?l?l?l?l?l"
LM-hash:
hashcat -a 3 -m 3000 --force F0D412BD764FFE81AAD3B435B51404EE "?l?l?l?l?l"
Brute-forcing an 8-character lowercase letter MD5 hash (11 minutes).
Using a dictionary to brute-force.
Batch cracking hash.txt.
Dictionary + dictionary combination.
Dictionary + mask combination.
Brute-forcing MySQL password (6 seconds).
Brute-forcing MSSQL password.
Brute-forcing Windows password.
hashcat -a 3 -m 400 --force "$P$BYEYcHEj3vDhV1lwGBv6rpxurKOEWY/" "?d?d?d?d?d?d"
hashcat -a 3 -m 2611 --force 14e1b600b1fd579f47433b88e8d85291: "?d?d?d?d?d?d"
rar2john 1.rar
hashcat -a 3 -m 13000 --force "$rar5$16$639e9ce8344c680da12e8bdd4346a6a3$15$a2b056a21a9836d8d48c2844d171b73d$8$04a52d2224ad082e" "?d?d?d?d?d?d"
Brute-forcing WordPress password. The specific encryption script can be found in ./wp-includes/class-phpass.php, in the HashPassword function.
Brute-forcing Discuz password (md5(md5(salt))).
Brute-forcing RAR password (note whether it is rar5 or RAR3-hp mode).
zip2john.exe 1.zip
hashcat -a 3 -m 13600 "$zip2$*0*3*0*554bb43ff71cb0cac76326f292119dfd*ff23*5*24b28885ee*d4fe362bb1e91319ab53*$/zip2$" --force "?d?d?d?d?d?d"
python /usr/share/john/office2john.py 11.docx
hashcat -a 3 -m 9600 "$office$*2013*100000*256*16*e4a3eb62e8d3576f861f9eded75e0525*9eeb35f0849a7800d48113440b4bbb9c*577f8d8b2e1c5f60fed76e62327b38d28f25230f6c7dfd66588d9ca8097aabb9" --force "?d?d?d?d?d?d"
hashcat hash --show