Skip to content

Hashcat

Password Mutation

Flags

Hashcat

-m 1000 # Hash type, 1000 = NTLM
-w 4    #  Workload, set as 4 for insane performance and rip ur gpu
-a 0    # attack mode, 0:wordlist
-O      # Optimize for 32 characters or less passwords
--force # use CUDA GPU interface, buggy but provides more performance
--opencl-device-types 1,2 # use both cpu and gpu
--debug-mode=1 # can only be used when rules are used
--debug-file=stats.debug # output for the rule statistics

Prince Processor

 --elem-cnt-max 4 # Maximum number of elements per chain
--elem-cnt-min 2 # 
--keyspace # Calculate number of combinations 
-o prince.txt# output to file

Examples

I am using hashcat on my host Windows machine. So the file paths and binary name might be different for you.

# Apply rules to hash while cracking
hashcat -m 0 bfield.hash /usr/share/wordlists/rockyou.txt -r rules

# Apply rules to wordlist to mutate it 
hastcat --stdout passwords -r /usr/share/hashcat/rules/best64.rule

# Identify hash mode
./hashcat --quiet '5f4dcc3b5aa765d61d8327deb882cf99'

# Identify Binary File hash mode
./hashcat --quiet /opt/example.hashes

# Cracking NTLM hashes with multiple rule files
hashcat .\parsed_ntds -r .\rules\best64.rule -r .\rules\InsidePro-PasswordsPro.rule -r .\rules\combinator.rule -r .\rules\generated2.rule -r .\rules\rockyou-30000.rule -m 1000 .\xato-net-10-million-passwords.txt --username

# maximum speed cracking with cpu and gpu, but ur pc is unusable
.\hashcat.exe --force -O -w 4 --opencl-device-types 1,2 -r --debug-mode=1 --debug-file=stats.debug .\rules\OneRuleToRuleThemAll.rule parsed_ntds.dit

# resume hashcat session
hashcat --session hashcat --restore


# using hashcat's prince preprocessor
.\pp64.exe users_wordlist.txt -o out.txt


# Piping prince hashtcat's preprocessor to hashcat
.\pp64.exe  .\description.txt  | ..\hashcat-6.2.5\hashcat.exe "0E67AC21335FB74DC5536F685CE97494" -m 1000 -r ..\hashcat-6.2.5\rules\prince_optimized.rule

# If you are gonna output pp64 to a file then use that as a wordlist
# I recommend generating this wordlist on linux so you have to skip
# the convertion process on a large wordlist file at the end from utf-16 to utf-8
# I recommend using 2 for --elem-cnt-max flag if u don't want ur wordlist to be > 10 gigs
./pp64.bin data_cleaned.txt --elem-cnt-max 4 -o prince.txt

Custom Rules

NotSoSecure - OneRuleToRuleThemAll Github

Extra cracking techniques

When all else fails go check out 1. Purple Rain Attack - Password Cracking With Random Generation 2. Tool Deep Dive: PRINCE 3. Check hashcat different attack modes e.g. hyprid, association, etc...

Benchmarking rule files

N.b. when benchmarking different rules, The potfile was disabled so that hashcat didn’t check it prior to each crack and skew our numbers. Debug mode can only be enabled when using rules and the debug file contains the stats. Every time a rule cracks a hash it’s logged in the file. After hashcat completes, the file can then be sorted to show the number of times a rule was successful, therefore revealing the most successful rules in each set.

Wordlists

Obviously it's best if you can craft your own wordlist for the org you are cracking and get personal information for the employees and generate passwords from those. Finally, mutate them with wordlists. but, my favourite generic wordlists for cracking are rockyou.txt and xato-10-million

Use hastcat's prince preprocessor to generate wordlists from a word list. I use this with the name output from the AD enviroment.

Rule files

My favorite rules: - OneRuleToRuleThemStill - LeetSpeak

N.b. when using prince. Use the two supplied prince rules as well prince_optimized.rule, prince_generated.rule

PRINCE algorithm

The princeprocessor is a password candidate generator and can be thought of as an advanced combinator attack. Rather than taking as input two different wordlists and then outputting all the possible two word combinations though, princeprocessor only has one input wordlist and builds "chains" of combined words. These chains can have 1 to N words from the input wordlist concatenated together.

PrinceProcessor - GitHub

Troubleshooting

Hashcat doesn’t detect AMD CPUs (SOLVED)

Resources

Hashcat-Cheatsheet - Github Hash Cracking: Beyond the Basics - Youtube.com