Hashcat howto

1. ============================================================
2. HASHCAT HOWTO
3. ============================================================
4.  
5. - [ Resources ] -
6.  
7. * hashcat Wiki: https://hashcat.net/wiki/doku.php?id=hashcat
8.  
9. - [ Usage ] -
10.  
11. hashcat [options]... hash|hashfile|hcapxfile [dictionary|mask|directory]...
12.  
13. - [ Basic Examples ] -
14.  
15. Attack-Mode | Hash |
16. -a | -m | Example command
17. ==================+======+==================================================================
18. Wordlist | $P$ | hashcat -a 0 -m 400 example.hash wordlist.dict
19. Wordlist + Rules | MD5 | hashcat -a 0 -m 0 -r example1.rule -r example2.rule example0.hash wordlist.dict
20. Wordlist | MD | hashcat -a 0 -m 0 --remove -o output.txt example.hash wordlist.dict
21. Brute-Force | MD5 | hashcat -a 3 -m 0 example0.hash ?u?l?l?l?l?d
22. Brute-Force var | MD5 | hashcat -a 3 -m 0 -1 ?u -2 -?l?u?d -3 ?d example.hash ?1?2?2?2?2?2?2?3
23. Brute-Force inc | MD5 | hashcat -a 3 -m 0 --increment example.hash ?l?l?l?l?l?l?l
24. Brute-Force ses | MD5 | hashcat -a 3 -m 0 --session=session_name example.hash mask_file.hcmask
25. Combinator | MD5 | hashcat -a 1 -m 0 --rule-left='^-' --rule-right='$!' example.hash wordlist.dict wordlist.dict
26. Hybrid - Wrd/Msk | MD5 | hashcat -a 6 wordlist.dict ?d?d?d?d
27. Hybrid - Msk/Wrd | MD5 | hashcat -a 7 ?d?d?d?d wordlist.dict
28. Debug rules | | hashcat --stdout -r capitalize.rule -r swap.rule wordlist.dict
29. Restore Session | | hashcat --session session_name --restore
30.  
31.  
32. - [ Attack Modes ] -
33.  
34. # | Mode ( -a )
35. ===+======
36. 0 | Straight
37. 1 | Combination
38. 3 | Brute-force
39. 6 | Hybrid Wordlist + Mask
40. 7 | Hybrid Mask + Wordlist
41.  
42. - [ Basic options ] -
43.  
44. Options Short / Long | Type | Description | Example
45. ===============================+======+======================================================+=======================
46. -m, --hash-type | Num | Hash-type, see references below | -m 1000
47. -a, --attack-mode | Num | Attack-mode, see references below | -a 3
48. -V, --version | | Print version |
49. -h, --help | | Print help |
50. --quiet | | Suppress output |
51. --hex-charset | | Assume charset is given in hex |
52. --hex-salt | | Assume salt is given in hex |
53. --hex-wordlist | | Assume words in wordlist are given in hex |
54. --force | | Ignore warnings |
55. --status | | Enable automatic update of the status screen |
56. --status-timer | Num | Sets seconds between status screen updates to X | --status-timer=1
57. --machine-readable | | Display the status view in a machine-readable format |
58. --keep-guessing | | Keep guessing the hash after it has been cracked |
59. --loopback | | Add new plains to induct directory |
60. --weak-hash-threshold | Num | Threshold X when to stop checking for weak hashes | --weak=0
61. --markov-hcstat | File | Specify hcstat file to use | --markov-hc=my.hcstat
62. --markov-disable | | Disables markov-chains, emulates classic brute-force |
63. --markov-classic | | Enables classic markov-chains, no per-position |
64. -t, --markov-threshold | Num | Threshold X when to stop accepting new markov-chains | -t 50
65. --runtime | Num | Abort session after X seconds of runtime | --runtime=10
66. --session | Str | Define specific session name | --session=mysession
67. --restore | | Restore session from --session |
68. --restore-disable | | Do not write restore file |
69. --restore-file-path | File | Specific path to restore file | --restore-file-path=my.restore
70. -o, --outfile | File | Define outfile for recovered hash | -o outfile.txt
71. --outfile-format | Num | Define outfile-format X for recovered hash | --outfile-format=7
72. --outfile-autohex-disable | | Disable the use of $HEX[] in output plains |
73. --outfile-check-timer | Num | Sets seconds between outfile checks to X | --outfile-check=30
74. -p, --separator | Char | Separator char for hashlists and outfile | -p :
75. --stdout | | Do not crack a hash, instead print candidates only |
76. --show | | Compare hashlist with potfile; show cracked hashes |
77. --left | | Compare hashlist with potfile; show uncracked hashes |
78. --username | | Enable ignoring of usernames in hashfile |
79. --remove | | Enable removal of hashes once they are cracked |
80. --remove-timer | Num | Update input hash file each X seconds | --remove-timer=30
81. --potfile-disable | | Do not write potfile |
82. --potfile-path | Dir | Specific path to potfile | --potfile-path=my.pot
83. --encoding-from | Code | Force internal wordlist encoding from X | --encoding-from=iso-8859-15
84. --encoding-to | Code | Force internal wordlist encoding to X | --encoding-to=utf-32le
85. --debug-mode | Num | Defines the debug mode (hybrid only by using rules) | --debug-mode=4
86. --debug-file | File | Output file for debugging rules | --debug-file=good.log
87. --induction-dir | Dir | Specify the induction directory to use for loopback | --induction=inducts
88. --outfile-check-dir | Dir | Specify the outfile directory to monitor for plains | --outfile-check-dir=x
89. --logfile-disable | | Disable the logfile |
90. --hccapx-message-pair | Num | Load only message pairs from hccapx matching X | --hccapx-message-pair=2
91. --nonce-error-corrections | Num | The BF size range to replace AP's nonce last bytes | --nonce-error-corrections=16
92. --truecrypt-keyfiles | File | Keyfiles to use, separated with commas | --truecrypt-key=x.png
93. --veracrypt-keyfiles | File | Keyfiles to use, separated with commas | --veracrypt-key=x.txt
94. --veracrypt-pim | Num | VeraCrypt personal iterations multiplier | --veracrypt-pim=1000
95. -b, --benchmark | | Run benchmark |
96. --speed-only | | Return expected speed of the attack, then quit |
97. --progress-only | | Return ideal progress step size and time to process |
98. -c, --segment-size | Num | Sets size in MB to cache from the wordfile to X | -c 32
99. --bitmap-min | Num | Sets minimum bits allowed for bitmaps to X | --bitmap-min=24
100. --bitmap-max | Num | Sets maximum bits allowed for bitmaps to X | --bitmap-max=24
101. --cpu-affinity | Str | Locks to CPU devices, separated with commas | --cpu-affinity=1,2,3
102. -I, --opencl-info | | Show info about detected OpenCL platforms/devices | -I
103. --opencl-platforms | Str | OpenCL platforms to use, separated with commas | --opencl-platforms=2
104. -d, --opencl-devices | Str | OpenCL devices to use, separated with commas | -d 1
105. -D, --opencl-device-types | Str | OpenCL device-types to use, separated with commas | -D 1
106. --opencl-vector-width | Num | Manually override OpenCL vector-width to X | --opencl-vector=4
107. -w, --workload-profile | Num | Enable a specific workload profile, see pool below | -w 3
108. -n, --kernel-accel | Num | Manual workload tuning, set outerloop step size to X | -n 64
109. -u, --kernel-loops | Num | Manual workload tuning, set innerloop step size to X | -u 256
110. --nvidia-spin-damp | Num | Workaround NVIDIAs CPU burning loop bug, in percent | --nvidia-spin-damp=50
111. --gpu-temp-disable | | Disable temperature and fanspeed reads and triggers |
112. --gpu-temp-abort | Num | Abort if GPU temperature reaches X degrees Celsius | --gpu-temp-abort=100
113. --gpu-temp-retain | Num | Try to retain GPU temperature at X degrees Celsius | --gpu-temp-retain=95
114. --powertune-enable | | Enable power tuning. Restores settings when finished |
115. --scrypt-tmto | Num | Manually override TMTO value for scrypt to X | --scrypt-tmto=3
116. -s, --skip | Num | Skip X words from the start | -s 1000000
117. -l, --limit | Num | Limit X words from the start + skipped words | -l 1000000
118. --keyspace | | Show keyspace base:mod values and quit |
119. -j, --rule-left | Rule | Single rule applied to each word from left wordlist | -j 'c'
120. -k, --rule-right | Rule | Single rule applied to each word from right wordlist | -k '^-'
121. -r, --rules-file | File | Multiple rules applied to each word from wordlists | -r rules/best64.rule
122. -g, --generate-rules | Num | Generate X random rules | -g 10000
123. --generate-rules-func-min | Num | Force min X functions per rule |
124. --generate-rules-func-max | Num | Force max X functions per rule |
125. --generate-rules-seed | Num | Force RNG seed set to X |
126. -1, --custom-charset1 | CS | User-defined charset ?1 | -1 ?l?d?u
127. -2, --custom-charset2 | CS | User-defined charset ?2 | -2 ?l?d?s
128. -3, --custom-charset3 | CS | User-defined charset ?3 |
129. -4, --custom-charset4 | CS | User-defined charset ?4 |
130. -i, --increment | | Enable mask increment mode |
131. --increment-min | Num | Start mask incrementing at X | --increment-min=4
132. --increment-max | Num | Stop mask incrementing at X | --increment-max=8
133.  
134. - [ Hash modes ] -
135. # | Name | Category
136. ======+==================================================+======================================
137. 0 | MD5 | Raw Hash
138. 100 | SHA1 | Raw Hash
139. 1400 | SHA-256 | Raw Hash
140. 1700 | SHA-512 | Raw Hash
141. 5000 | SHA-3 (Keccak) | Raw Hash
142. 400 | phpass | Generic KDF
143. 8900 | scrypt | Generic KDF
144. 5600 | NetNTLMv2 | Network Protocols
145. 11200 | MySQL CRAM (SHA1) | Network Protocols
146. 12 | PostgreSQL | Database Server
147. 131 | MSSQL (2000) | Database Server
148. 132 | MSSQL (2005) | Database Server
149. 1731 | MSSQL (2012, 2014) | Database Server
150. 200 | MySQL323 | Database Server
151. 300 | MySQL4.1/MySQL5 | Database Server
152. 11500 | CRC32 | Checksums
153. 1500 | descrypt, DES (Unix), Traditional DES | Operating Systems
154. 500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) | Operating Systems
155. 3200 | bcrypt $2*$, Blowfish (Unix) | Operating Systems
156. 1800 | sha512crypt $6$, SHA512 (Unix) | Operating Systems
157. 3000 | LM | Operating Systems
158. 1000 | NTLM | Operating Systems
159. 6600 | 1Password, agilekeychain | Password Managers
160. 8200 | 1Password, cloudkeychain | Password Managers
161. 11300 | Bitcoin/Litecoin wallet.dat | Password Managers
162. 13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) | Password Managers
163. 15600 | Ethereum Wallet, PBKDF2-HMAC-SHA256 | Password Managers
164. 15700 | Ethereum Wallet, SCRYPT | Password Managers
165.  
166. - [ Outfile Formats ] -
167.  
168. # | Format
169. ===+========
170. 1 | hash[:salt]
171. 2 | plain
172. 3 | hash[:salt]:plain
173. 4 | hex_plain
174. 5 | hash[:salt]:hex_plain
175. 6 | plain:hex_plain
176. 7 | hash[:salt]:plain:hex_plain
177. 8 | crackpos
178. 9 | hash[:salt]:crack_pos
179. 10 | plain:crack_pos
180. 11 | hash[:salt]:plain:crack_pos
181. 12 | hex_plain:crack_pos
182. 13 | hash[:salt]:hex_plain:crack_pos
183. 14 | plain:hex_plain:crack_pos
184. 15 | hash[:salt]:plain:hex_plain:crack_pos
185.  
186.  
187. - [ Built-in Charsets ] -
188.  
189. ? | Buit-in charset masks
190. ===+=========
191. l | abcdefghijklmnopqrstuvwxyz
192. u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
193. d | 0123456789
194. h | 0123456789abcdef
195. H | 0123456789ABCDEF
196. s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
197. a | ?l?u?d?s
198. b | 0x00 - 0xff
199.  
200. - [ OpenCL Device Types ] -
201.  
202. # | Device Type
203. ===+=============
204. 1 | CPU
205. 2 | GPU
206. 3 | FPGA, DSP, Co-Processor
207.  
208. - [ Workload Profiles ] -
209.  
210. # | Performance | Runtime | Power Consumption | Desktop Impact
211. ===+=============+=========+===================+=================
212. 1 | Low | 2 ms | Low | Minimal
213. 2 | Default | 12 ms | Economic | Noticeable
214. 3 | High | 96 ms | High | Unresponsive
215. 4 | Nightmare | 480 ms | Insane | Headless
216.  
217. - [ Rule Compatible Functions ] -
218.  
219. Name | Rule | Description | Example Rule | In Word | Output Word |
220. =============+========+===========================================+===============+===========+===========================+
221. Nothing | : | Do nothing | : | p@ssW0rd | p@ssW0rd |
222. Lowercase | l | Lowercase all letters | l | p@ssW0rd | p@ssw0rd |
223. Uppercase | u | Uppercase all letters | u | p@ssW0rd | P@SSW0RD |
224. Capitalize | c | Cap the 1st letter and lower the rest | c | p@ssW0rd | P@ssw0rd |
225. Inv Capital | C | Lower 1st found char, uppercase the rest | C | p@ssW0rd | p@SSW0RD |
226. Toggle Case | t | Toggle the case of all characters in word | t | p@ssW0rd | P@SSw0RD |
227. Toggle @ | TN | Toggle the case of char at position N | T3 | p@ssW0rd | p@sSW0rd |
228. Reverse | r | Reverse the entire word | r | p@ssW0rd | dr0Wss@p |
229. Duplicate | d | Duplicate entire word | d | p@ssW0rd | p@ssW0rdp@ssW0rd |
230. Reflect | f | Duplicate word reversed | f | p@ssW0rd | p@ssW0rddr0Wss@p |
231. Rotate Left | { | Rotates the word left | { | p@ssW0rd | @ssW0rdp |
232. Rotate Right | } | Rotates the word right | } | p@ssW0rd | dp@ssW0r |
233. Append Char | $X | Append character X to end | $1 | p@ssW0rd | p@ssW0rd1 |
234. Prepend Char | ^X | Prepend character X to front | ^1 | p@ssW0rd | 1p@ssW0rd |
235. Truncate left| [ | Deletes first character | [ | p@ssW0rd | @ssW0rd |
236. Trunct right | ] | Deletes last character | ] | p@ssW0rd | p@assW0r |
237. Replace | sXY | Replace all instances of X with Y | ss$ | p@ssW0rd | p@$$W0rd |
238. Purge | @X | Purge all instances of X | @s | p@ssW0rd | p@W0rd |
239.  
240. - [ Rule Specific Functions ] -
241.  
242. Name | Rule | Description | Example Rule | In Word | Output Word |
243. =============+========+===========================================+===============+==============+========================+
244. Swap front | k | Swaps first two characters | k | p@ssW0rd | @pssW0rd |
245. Swap back | K | Swaps last two characters | K | p@ssW0rd | p@ssW0dr |
246. Swap @ N | *NM | Swaps char at pos N with char at pos M | *34 | p@ssW0rd | p@sWs0rd |
247. Btwise s/left| LN | Bitwise shift left character @ N | L2 | p@ssW0rd | p@æsW0rd |
248. Btwise s/rght| RN | Bitwise shift right character @ N | R2 | p@ssW0rd | p@9sW0rd |
249. Ascii incr | +N | Increment character @ N by 1 ascii value | +2 | p@ssW0rd | p@tsW0rd |
250. Ascii decr | -N | Decrement character @ N by 1 ascii value | -1 | p@ssW0rd | p?ssW0rd |
251. Replace N+1 | .N | Replaces char @N with value at @N + 1 | .1 | p@ssW0rd | psssW0rd |
252. Replace N-1 | ,N | Replaces char @N with value at @N - 1 | ,1 | p@ssW0rd | ppssW0rd |
253. Dup blck frnt| yN | Duplicates first N characters | y2 | p@ssW0rd | p@p@ssW0rd |
254. Dup blck back| YN | Duplicates last N characters | Y2 | p@ssW0rd | p@ssW0rdrd |
255. Title | E | Capitalize every word | E | p@ssW0rd w0rld| P@ssw0rd W0rld |
256. Title w/sep | eX | Capitalize first word and after separator | e- | p@ssW0rd-w0rld| P@ssw0rd-W0rld |
257.  
258.  
259. - [ Hashcat Mask Files ] -
260.  
261. - [ Usage ] -
262.  
263. [?1,][?2,][?3,][?4,]mask
264.  
265. where the placeholders are as follows:
266.  
267. [?1] the 1st custom charset (-1) will be set to this value, optional
268. [?2] the 2nd custom charset (-2) will be set to this value, optional
269. [?3] the 3rd custom charset (-3) will be set to this value, optional
270. [?4] the 4th custom charset (-4) will be set to this value, optional
271. [mask] the mask which should (but does not need) to use the custom-charset defined by [?1], [?2], [?3] or [?4]
272. and can use any additional predefined charset (?d, ?l, ?u, ?s, ?a, ?b) and can contain fixed chars too
273. (example value: pass?1?d?d?2?l?l)
274.  
275. - [ Examples ] -
276.  
277. example1.hcmask
278.  
279. ?d?l,test?1?1?1
280. abcdef,0123,ABC,789,?3?3?3?1?1?1?1?2?2?4?4?4?4
281. company?d?d?d?d?d
282. ?u?l,?s?d,?1?a?a?a?a?2
283. ?u?l?l?l?d?d?d?d?d?d
284.  
285. example2.hcmask
286.  
287. ?u?l?l?l?l?l?l?d
288. ?u?l?l?l?l?l?d?d?d?d
289. ?u?l?l?l?l?l?l?l?d?d
290. ?u?l?l?l?l?l?l?l?d?d
291. ?u?l?l?l?l?l?l?d?d?d
292. ?u?l?l?l?d?d?d?d?s
293. ?u?l?l?l?l?ld?d?s
294. ?s?u?l?l?l?d?d?d?d