mdelatorre

Hashcat howto

Aug 1st, 2017
============================================================
HASHCAT HOWTO
============================================================

- [ Resources ] -

* hashcat Wiki: https://hashcat.net/wiki/doku.php?id=hashcat

- [ Usage ] -

hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...

- [ Basic Examples ] -

 Attack-Mode      | Hash |
 -a               | -m   | Example command
==================+======+==================================================================
 Wordlist         | $P$  | hashcat -a 0 -m 400 example.hash wordlist.dict
 Wordlist + Rules | MD5  | hashcat -a 0 -m 0 -r example1.rule -r example2.rule example0.hash wordlist.dict
 Wordlist         | MD5  | hashcat -a 0 -m 0 --remove -o output.txt example.hash wordlist.dict
 Brute-Force      | MD5  | hashcat -a 3 -m 0 example0.hash ?u?l?l?l?l?d
 Brute-Force var  | MD5  | hashcat -a 3 -m 0 -1 ?u -2 ?l?u?d -3 ?d example.hash ?1?2?2?2?2?2?2?3
 Brute-Force inc  | MD5  | hashcat -a 3 -m 0 --increment example.hash ?l?l?l?l?l?l?l
 Brute-Force ses  | MD5  | hashcat -a 3 -m 0 --session=session_name example.hash mask_file.hcmask
 Combinator       | MD5  | hashcat -a 1 -m 0 --rule-left='^-' --rule-right='$!' example.hash wordlist.dict wordlist.dict
 Hybrid - Wrd/Msk | MD5  | hashcat -a 6 -m 0 example.hash wordlist.dict ?d?d?d?d
 Hybrid - Msk/Wrd | MD5  | hashcat -a 7 -m 0 example.hash ?d?d?d?d wordlist.dict
 Debug rules      |      | hashcat --stdout -r capitalize.rule -r swap.rule wordlist.dict
 Restore Session  |      | hashcat --session session_name --restore

- [ Attack Modes ] -

 # | Mode ( -a )
===+======
 0 | Straight
 1 | Combination
 3 | Brute-force
 6 | Hybrid Wordlist + Mask
 7 | Hybrid Mask + Wordlist

- [ Basic options ] -

 Options Short / Long          | Type | Description                                          | Example
===============================+======+======================================================+=======================
 -m, --hash-type               | Num  | Hash-type, see references below                      | -m 1000
 -a, --attack-mode             | Num  | Attack-mode, see references below                    | -a 3
 -V, --version                 |      | Print version                                        |
 -h, --help                    |      | Print help                                           |
     --quiet                   |      | Suppress output                                      |
     --hex-charset             |      | Assume charset is given in hex                       |
     --hex-salt                |      | Assume salt is given in hex                          |
     --hex-wordlist            |      | Assume words in wordlist are given in hex            |
     --force                   |      | Ignore warnings                                      |
     --status                  |      | Enable automatic update of the status screen         |
     --status-timer            | Num  | Sets seconds between status screen updates to X      | --status-timer=1
     --machine-readable        |      | Display the status view in a machine-readable format |
     --keep-guessing           |      | Keep guessing the hash after it has been cracked     |
     --loopback                |      | Add new plains to induct directory                   |
     --weak-hash-threshold     | Num  | Threshold X when to stop checking for weak hashes    | --weak=0
     --markov-hcstat           | File | Specify hcstat file to use                           | --markov-hc=my.hcstat
     --markov-disable          |      | Disables markov-chains, emulates classic brute-force |
     --markov-classic          |      | Enables classic markov-chains, no per-position       |
 -t, --markov-threshold        | Num  | Threshold X when to stop accepting new markov-chains | -t 50
     --runtime                 | Num  | Abort session after X seconds of runtime             | --runtime=10
     --session                 | Str  | Define specific session name                         | --session=mysession
     --restore                 |      | Restore session from --session                       |
     --restore-disable         |      | Do not write restore file                            |
     --restore-file-path       | File | Specific path to restore file                        | --restore-file-path=my.restore
 -o, --outfile                 | File | Define outfile for recovered hash                    | -o outfile.txt
     --outfile-format          | Num  | Define outfile-format X for recovered hash           | --outfile-format=7
     --outfile-autohex-disable |      | Disable the use of $HEX[] in output plains           |
     --outfile-check-timer     | Num  | Sets seconds between outfile checks to X             | --outfile-check=30
 -p, --separator               | Char | Separator char for hashlists and outfile             | -p :
     --stdout                  |      | Do not crack a hash, instead print candidates only   |
     --show                    |      | Compare hashlist with potfile; show cracked hashes   |
     --left                    |      | Compare hashlist with potfile; show uncracked hashes |
     --username                |      | Enable ignoring of usernames in hashfile             |
     --remove                  |      | Enable removal of hashes once they are cracked       |
     --remove-timer            | Num  | Update input hash file each X seconds                | --remove-timer=30
     --potfile-disable         |      | Do not write potfile                                 |
     --potfile-path            | Dir  | Specific path to potfile                             | --potfile-path=my.pot
     --encoding-from           | Code | Force internal wordlist encoding from X              | --encoding-from=iso-8859-15
     --encoding-to             | Code | Force internal wordlist encoding to X                | --encoding-to=utf-32le
     --debug-mode              | Num  | Defines the debug mode (hybrid only by using rules)  | --debug-mode=4
     --debug-file              | File | Output file for debugging rules                      | --debug-file=good.log
     --induction-dir           | Dir  | Specify the induction directory to use for loopback  | --induction=inducts
     --outfile-check-dir       | Dir  | Specify the outfile directory to monitor for plains  | --outfile-check-dir=x
     --logfile-disable         |      | Disable the logfile                                  |
     --hccapx-message-pair     | Num  | Load only message pairs from hccapx matching X       | --hccapx-message-pair=2
     --nonce-error-corrections | Num  | The BF size range to replace AP's nonce last bytes   | --nonce-error-corrections=16
     --truecrypt-keyfiles      | File | Keyfiles to use, separated with commas               | --truecrypt-key=x.png
     --veracrypt-keyfiles      | File | Keyfiles to use, separated with commas               | --veracrypt-key=x.txt
     --veracrypt-pim           | Num  | VeraCrypt personal iterations multiplier             | --veracrypt-pim=1000
 -b, --benchmark               |      | Run benchmark                                        |
     --speed-only              |      | Return expected speed of the attack, then quit       |
     --progress-only           |      | Return ideal progress step size and time to process  |
 -c, --segment-size            | Num  | Sets size in MB to cache from the wordfile to X      | -c 32
     --bitmap-min              | Num  | Sets minimum bits allowed for bitmaps to X           | --bitmap-min=24
     --bitmap-max              | Num  | Sets maximum bits allowed for bitmaps to X           | --bitmap-max=24
     --cpu-affinity            | Str  | Locks to CPU devices, separated with commas          | --cpu-affinity=1,2,3
 -I, --opencl-info             |      | Show info about detected OpenCL platforms/devices    | -I
     --opencl-platforms        | Str  | OpenCL platforms to use, separated with commas       | --opencl-platforms=2
 -d, --opencl-devices          | Str  | OpenCL devices to use, separated with commas         | -d 1
 -D, --opencl-device-types     | Str  | OpenCL device-types to use, separated with commas    | -D 1
     --opencl-vector-width     | Num  | Manually override OpenCL vector-width to X           | --opencl-vector=4
 -w, --workload-profile        | Num  | Enable a specific workload profile, see pool below   | -w 3
 -n, --kernel-accel            | Num  | Manual workload tuning, set outerloop step size to X | -n 64
 -u, --kernel-loops            | Num  | Manual workload tuning, set innerloop step size to X | -u 256
     --nvidia-spin-damp        | Num  | Workaround NVIDIAs CPU burning loop bug, in percent  | --nvidia-spin-damp=50
     --gpu-temp-disable        |      | Disable temperature and fanspeed reads and triggers  |
     --gpu-temp-abort          | Num  | Abort if GPU temperature reaches X degrees Celsius   | --gpu-temp-abort=100
     --gpu-temp-retain         | Num  | Try to retain GPU temperature at X degrees Celsius   | --gpu-temp-retain=95
     --powertune-enable        |      | Enable power tuning. Restores settings when finished |
     --scrypt-tmto             | Num  | Manually override TMTO value for scrypt to X         | --scrypt-tmto=3
 -s, --skip                    | Num  | Skip X words from the start                          | -s 1000000
 -l, --limit                   | Num  | Limit X words from the start + skipped words         | -l 1000000
     --keyspace                |      | Show keyspace base:mod values and quit               |
 -j, --rule-left               | Rule | Single rule applied to each word from left wordlist  | -j 'c'
 -k, --rule-right              | Rule | Single rule applied to each word from right wordlist | -k '^-'
 -r, --rules-file              | File | Multiple rules applied to each word from wordlists   | -r rules/best64.rule
 -g, --generate-rules          | Num  | Generate X random rules                              | -g 10000
     --generate-rules-func-min | Num  | Force min X functions per rule                       |
     --generate-rules-func-max | Num  | Force max X functions per rule                       |
     --generate-rules-seed     | Num  | Force RNG seed set to X                              |
 -1, --custom-charset1         | CS   | User-defined charset ?1                              | -1 ?l?d?u
 -2, --custom-charset2         | CS   | User-defined charset ?2                              | -2 ?l?d?s
 -3, --custom-charset3         | CS   | User-defined charset ?3                              |
 -4, --custom-charset4         | CS   | User-defined charset ?4                              |
 -i, --increment               |      | Enable mask increment mode                           |
     --increment-min           | Num  | Start mask incrementing at X                         | --increment-min=4
     --increment-max           | Num  | Stop mask incrementing at X                          | --increment-max=8

- [ Hash modes ] -

    # | Name                                             | Category
======+==================================================+======================================
    0 | MD5                                              | Raw Hash
  100 | SHA1                                             | Raw Hash
 1400 | SHA-256                                          | Raw Hash
 1700 | SHA-512                                          | Raw Hash
 5000 | SHA-3 (Keccak)                                   | Raw Hash
  400 | phpass                                           | Generic KDF
 8900 | scrypt                                           | Generic KDF
 5600 | NetNTLMv2                                        | Network Protocols
11200 | MySQL CRAM (SHA1)                                | Network Protocols
   12 | PostgreSQL                                       | Database Server
  131 | MSSQL (2000)                                     | Database Server
  132 | MSSQL (2005)                                     | Database Server
 1731 | MSSQL (2012, 2014)                               | Database Server
  200 | MySQL323                                         | Database Server
  300 | MySQL4.1/MySQL5                                  | Database Server
11500 | CRC32                                            | Checksums
 1500 | descrypt, DES (Unix), Traditional DES            | Operating Systems
  500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)        | Operating Systems
 3200 | bcrypt $2*$, Blowfish (Unix)                     | Operating Systems
 1800 | sha512crypt $6$, SHA512 (Unix)                   | Operating Systems
 3000 | LM                                               | Operating Systems
 1000 | NTLM                                             | Operating Systems
 6600 | 1Password, agilekeychain                         | Password Managers
 8200 | 1Password, cloudkeychain                         | Password Managers
11300 | Bitcoin/Litecoin wallet.dat                      | Password Managers
13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES)      | Password Managers
15600 | Ethereum Wallet, PBKDF2-HMAC-SHA256              | Password Managers
15700 | Ethereum Wallet, SCRYPT                          | Password Managers

- [ Outfile Formats ] -

 # | Format
===+========
 1 | hash[:salt]
 2 | plain
 3 | hash[:salt]:plain
 4 | hex_plain
 5 | hash[:salt]:hex_plain
 6 | plain:hex_plain
 7 | hash[:salt]:plain:hex_plain
 8 | crackpos
 9 | hash[:salt]:crack_pos
10 | plain:crack_pos
11 | hash[:salt]:plain:crack_pos
12 | hex_plain:crack_pos
13 | hash[:salt]:hex_plain:crack_pos
14 | plain:hex_plain:crack_pos
15 | hash[:salt]:plain:hex_plain:crack_pos

- [ Built-in Charsets ] -

 ? | Built-in charset masks
===+=========
 l | abcdefghijklmnopqrstuvwxyz
 u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
 d | 0123456789
 h | 0123456789abcdef
 H | 0123456789ABCDEF
 s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
 a | ?l?u?d?s
 b | 0x00 - 0xff

- [ OpenCL Device Types ] -

 # | Device Type
===+=============
 1 | CPU
 2 | GPU
 3 | FPGA, DSP, Co-Processor

- [ Workload Profiles ] -

 # | Performance | Runtime | Power Consumption | Desktop Impact
===+=============+=========+===================+=================
 1 | Low         | 2 ms    | Low               | Minimal
 2 | Default     | 12 ms   | Economic          | Noticeable
 3 | High        | 96 ms   | High              | Unresponsive
 4 | Nightmare   | 480 ms  | Insane            | Headless

- [ Rule Compatible Functions ] -

Name          | Rule   | Description                               | Example Rule  | In Word   | Output Word               |
==============+========+===========================================+===============+===========+===========================+
Nothing       | :      | Do nothing                                | :             | p@ssW0rd  | p@ssW0rd                  |
Lowercase     | l      | Lowercase all letters                     | l             | p@ssW0rd  | p@ssw0rd                  |
Uppercase     | u      | Uppercase all letters                     | u             | p@ssW0rd  | P@SSW0RD                  |
Capitalize    | c      | Cap the 1st letter and lower the rest     | c             | p@ssW0rd  | P@ssw0rd                  |
Inv Capital   | C      | Lower 1st found char, uppercase the rest  | C             | p@ssW0rd  | p@SSW0RD                  |
Toggle Case   | t      | Toggle the case of all characters in word | t             | p@ssW0rd  | P@SSw0RD                  |
Toggle @      | TN     | Toggle the case of char at position N     | T3            | p@ssW0rd  | p@sSW0rd                  |
Reverse       | r      | Reverse the entire word                   | r             | p@ssW0rd  | dr0Wss@p                  |
Duplicate     | d      | Duplicate entire word                     | d             | p@ssW0rd  | p@ssW0rdp@ssW0rd          |
Reflect       | f      | Duplicate word reversed                   | f             | p@ssW0rd  | p@ssW0rddr0Wss@p          |
Rotate Left   | {      | Rotates the word left                     | {             | p@ssW0rd  | @ssW0rdp                  |
Rotate Right  | }      | Rotates the word right                    | }             | p@ssW0rd  | dp@ssW0r                  |
Append Char   | $X     | Append character X to end                 | $1            | p@ssW0rd  | p@ssW0rd1                 |
Prepend Char  | ^X     | Prepend character X to front              | ^1            | p@ssW0rd  | 1p@ssW0rd                 |
Truncate left | [      | Deletes first character                   | [             | p@ssW0rd  | @ssW0rd                   |
Trunct right  | ]      | Deletes last character                    | ]             | p@ssW0rd  | p@ssW0r                   |
Replace       | sXY    | Replace all instances of X with Y         | ss$           | p@ssW0rd  | p@$$W0rd                  |
Purge         | @X     | Purge all instances of X                  | @s            | p@ssW0rd  | p@W0rd                    |

- [ Rule Specific Functions ] -

Name          | Rule   | Description                               | Example Rule  | In Word        | Output Word            |
==============+========+===========================================+===============+================+========================+
Swap front    | k      | Swaps first two characters                | k             | p@ssW0rd       | @pssW0rd               |
Swap back     | K      | Swaps last two characters                 | K             | p@ssW0rd       | p@ssW0dr               |
Swap @ N      | *NM    | Swaps char at pos N with char at pos M    | *34           | p@ssW0rd       | p@sWs0rd               |
Btwise s/left | LN     | Bitwise shift left character @ N          | L2            | p@ssW0rd       | p@æsW0rd               |
Btwise s/rght | RN     | Bitwise shift right character @ N         | R2            | p@ssW0rd       | p@9sW0rd               |
Ascii incr    | +N     | Increment character @ N by 1 ascii value  | +2            | p@ssW0rd       | p@tsW0rd               |
Ascii decr    | -N     | Decrement character @ N by 1 ascii value  | -1            | p@ssW0rd       | p?ssW0rd               |
Replace N+1   | .N     | Replaces char @N with value at @N + 1     | .1            | p@ssW0rd       | psssW0rd               |
Replace N-1   | ,N     | Replaces char @N with value at @N - 1     | ,1            | p@ssW0rd       | ppssW0rd               |
Dup blck frnt | yN     | Duplicates first N characters             | y2            | p@ssW0rd       | p@p@ssW0rd             |
Dup blck back | YN     | Duplicates last N characters              | Y2            | p@ssW0rd       | p@ssW0rdrd             |
Title         | E      | Capitalize every word                     | E             | p@ssW0rd w0rld | P@ssw0rd W0rld         |
Title w/sep   | eX     | Capitalize first word and after separator | e-            | p@ssW0rd-w0rld | P@ssw0rd-W0rld         |

- [ Hashcat Mask Files ] -

- [ Usage ] -

[?1,][?2,][?3,][?4,]mask

where the placeholders are as follows:

[?1]   the 1st custom charset (-1) will be set to this value, optional
[?2]   the 2nd custom charset (-2) will be set to this value, optional
[?3]   the 3rd custom charset (-3) will be set to this value, optional
[?4]   the 4th custom charset (-4) will be set to this value, optional
[mask] the mask, which should (but does not need to) use the custom charsets defined by [?1], [?2], [?3] or [?4];
       it can use any additional predefined charset (?d, ?l, ?u, ?s, ?a, ?b) and can contain fixed chars too
       (example value: pass?1?d?d?2?l?l)

- [ Examples ] -

example1.hcmask

?d?l,test?1?1?1
abcdef,0123,ABC,789,?3?3?3?1?1?1?1?2?2?4?4?4?4
company?d?d?d?d?d
?u?l,?s?d,?1?a?a?a?a?2
?u?l?l?l?d?d?d?d?d?d

example2.hcmask

?u?l?l?l?l?l?l?d
?u?l?l?l?l?l?d?d?d?d
?u?l?l?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?d?d?d
?u?l?l?l?d?d?d?d?s
?u?l?l?l?l?ld?d?s
?s?u?l?l?l?d?d?d?d
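
Added example (not part of the original paste, and not hashcat's own code): a Python parser for the `[?1,][?2,][?3,][?4,]mask` line format described above that counts how many candidates each mask line covers, which is the number to compare against a password policy when judging how much of its space a mask file spans. The function names are hypothetical, the `\,` escape for a literal comma is an assumption, and `?s` is counted with the space character as hashcat does.

```python
import math
import re
import string

# Built-in charsets as character sets; ?s includes the space character.
BUILTIN = {
    "l": set(string.ascii_lowercase), "u": set(string.ascii_uppercase),
    "d": set(string.digits), "h": set("0123456789abcdef"),
    "H": set("0123456789ABCDEF"), "s": set(" " + string.punctuation),
    "b": {chr(i) for i in range(256)},
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]

def positions(text, custom):
    """Return one character set per position described by `text`."""
    table = {**BUILTIN, **custom, "?": {"?"}}   # "??" is a literal '?'
    out, i = [], 0
    while i < len(text):
        if text[i] == "?":
            key = text[i + 1:i + 2]             # empty if '?' ends the text
            if key not in table:
                raise ValueError(f"undefined charset ?{key} in {text!r}")
            out.append(table[key])
            i += 2
        else:
            out.append({text[i]})               # fixed character
            i += 1
    return out

def parse_hcmask_line(line):
    """Split a mask-file line into charset definitions and the mask."""
    # Assumption: a literal comma inside a field is written as '\,'.
    fields = [f.replace("\\,", ",") for f in re.split(r"(?<!\\),", line.strip())]
    *defs, mask = fields
    if len(defs) > 4:
        raise ValueError("at most four custom charsets per line")
    custom = {}
    for n, definition in enumerate(defs, start=1):
        # A definition may use built-ins and earlier custom charsets.
        custom[str(n)] = set().union(*positions(definition, custom))
    return positions(mask, custom)

def keyspace(line):
    """Total number of candidates the mask line generates."""
    return math.prod(len(p) for p in parse_hcmask_line(line))

if __name__ == "__main__":
    # Two lines of example1.hcmask from the paste above.
    for line in ("?d?l,test?1?1?1", "?u?l,?s?d,?1?a?a?a?a?2"):
        print(f"{keyspace(line):>16,}  {line}")
```

The result is the full candidate count for the line, which is not the same figure as the base:mod values printed by `--keyspace`.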