### Hashcat Initial Cracking Command Example Source: https://hashcat.net/wiki/doku.php?id=restore This is an example of a command line used to start a Hashcat cracking job. The .restore file will be generated based on this job's progress. ```bash hashcat -m 0 -a 3 --session session_name example0.hash masks/rockyou-7-2592000.hcmask ``` -------------------------------- ### Verify GPU and OpenCL Setup Source: https://hashcat.net/wiki/doku.php?id=linux_server_howto Checks if the X server is running, lists detected GPUs and CPU for OpenCL, and displays GPU temperatures. These commands verify the successful installation and configuration of the graphics drivers and OpenCL environment. ```bash ps -ef | grep X ## should show that X is running clinfo ## should show all GPUs + CPU amdconfig --adapter=all --odgt ## should show temperature of all GPUs ``` -------------------------------- ### Build and install winpty Source: https://hashcat.net/wiki/doku.php?id=hashcat_on_windows_ssh Standard commands to configure, compile, and install winpty from the project directory. ```bash $ ./configure $ make $ make install ``` -------------------------------- ### Hashcat output example Source: https://hashcat.net/wiki/doku.php?id=mask_attack_in_hashcat Example output showing the progress and status of a hashcat-legacy run. ```text Added hashes from file hashes.txt: 5142830 (1 salts) Wordlist..: dict Index.....: 1/1 (segment), 59651869 (words), 536866821 (bytes) Recovered.: 0/5142830 hashes, 0/1 salts Speed/sec.: 7.96M plains, 7.96M words Progress..: 59651869/59651869 (100.00%) Running...: 00:00:00:08 Estimated.: --:--:--:-- [...] Wordlist..: dict Index.....: 77/1 (segment), 36217956 (words), 325961604 (bytes) Recovered.: 19/5142830 hashes, 0/1 salts Speed/sec.: 5.57M plains, 5.57M words Progress..: 36217956/36217956 (100.00%) Running...: 00:00:00:06 Estimated.: --:--:--:-- ``` -------------------------------- ### Install Minimal X11 Environment and Drivers Source: https://hashcat.net/wiki/doku.php?id=linux_server_howto Installs necessary packages for a minimal X11 environment and the AMD fglrx driver. This setup is required for libatiadlxx to manage GPUs. ```bash aptitude install build-essential dkms xserver-xorg xserver-xorg-core \ xserver-xorg-input-evdev xserver-xorg-video-dummy x11-xserver-utils fglrx xdm ``` -------------------------------- ### Install SSH and Screen on Ubuntu Source: https://hashcat.net/wiki/doku.php?id=ssh_running_process Commands to install the necessary SSH and screen packages on an Ubuntu system. ```bash sudo apt-get install openssh-server openssh-client ``` ```bash sudo apt-get install screen ``` -------------------------------- ### Download and Install Portable VCL Init Script Source: https://hashcat.net/wiki/doku.php?id=vcl_cluster_howto_original Download and install a portable init script for VCL. This script is then made executable and registered with the system's run levels. Run on each node. ```bash https://web.archive.org/web/20140607162252/http://bindshell.nl/pub/vcl.init install -m 0755 -o root vcl.init /etc/init.d/vcl update-rc.d vcl defaults ``` -------------------------------- ### Install OpenCL Dependencies on Linux Source: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions Installs necessary OpenCL runtime and header files. ```bash apt-get install ocl-icd-libopencl1 opencl-headers clinfo ``` -------------------------------- ### Install hashcat on Ubuntu/Debian/Kali Source: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions Use apt-get to install hashcat on Debian-based Linux distributions. Ensure your package list is updated before installation. ```bash $ sudo apt-get update && sudo apt-get install hashcat ``` -------------------------------- ### Example Dictionary 1 Input Source: https://hashcat.net/wiki/doku.php?id=combinator_attack This is an example of the content for the first dictionary file (dict1.txt) used in a combinator attack. ```text pass 12345 omg Test ``` -------------------------------- ### Example Table File Name Source: https://hashcat.net/wiki/doku.php?id=table_lookup_beginner_guide This is an example name for a table file. Replace 'A.table' with your chosen table file name. Ensure the correct path is provided if the file is not in the current directory. ```bash A.table ``` -------------------------------- ### Hashcat Command Examples by Attack Mode Source: https://hashcat.net/wiki/doku.php?id=ubernoobs These examples demonstrate how to use hashcat for different attack modes, including wordlist, wordlist with rules, brute-force, combinator, and association attacks. Ensure you have the necessary hash files and dictionaries. ```bash hashcat -a 0 -m 400 example400.hash example.dict ``` ```bash hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule ``` ```bash hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a ``` ```bash hashcat -a 1 -m 0 example0.hash example.dict example.dict ``` ```bash hashcat -a 9 -m 500 example500.hash 1word.dict -r rules/best64.rule ``` -------------------------------- ### Example Dictionary 2 Input Source: https://hashcat.net/wiki/doku.php?id=combinator_attack This is an example of the content for the second dictionary file (dict2.txt) used in a combinator attack. ```text alice bob cat dog ``` -------------------------------- ### Manually Install VCL Binaries and Libraries Source: https://hashcat.net/wiki/doku.php?id=vcl_cluster_howto_original Manually install VCL components, including binaries and libraries, into system directories. These commands require root privileges and are run on each node. ```bash cd vcl-1.22/ mkdir /usr/lib/vcl /etc/vcl install -m 0755 -o root opencld /sbin/opencld install -m 0755 -o root opencld_1.2 /sbin/opencld_1.2 install -m 0755 -o root broker /sbin/broker install -m 0755 -o root libOpenCL.so /usr/lib/vcl/libOpenCL.so install -m 0644 -o root man/man7/vcl.7 /usr/share/man/man7/vcl.7 ln -s libOpenCL.so /usr/lib/vcl/libOpenCL.so.1 ln -s libOpenCL.so.1 /usr/lib/libOpenCL.so ``` -------------------------------- ### Start VCL Service on Compute Node Source: https://hashcat.net/wiki/doku.php?id=vcl_cluster_howto_original Start the VCL service on the compute node. This command should be run on each compute node after configuration. ```bash /etc/init.d/vcl start ``` -------------------------------- ### Example Dictionary 1 Input (Rules) Source: https://hashcat.net/wiki/doku.php?id=combinator_attack Example input for the first dictionary when applying rules in a combinator attack. ```text yellow green black blue ``` -------------------------------- ### Example Dictionary 2 Input (Rules) Source: https://hashcat.net/wiki/doku.php?id=combinator_attack Example input for the second dictionary when applying rules in a combinator attack. ```text car bike ``` -------------------------------- ### Manual Workload Distribution Options Source: https://hashcat.net/wiki/doku.php?id=distributing-work Use --skip to define the starting point in the keyspace and --limit to define the size of the chunk to process. ```bash --skip 0 --limit 5 ``` ```bash --skip 5 --limit 5 ``` ```bash --skip 10 --limit 5 ``` ```bash --skip 5 --limit 10 ``` -------------------------------- ### Hashcat Mask Attack Command Examples Source: https://hashcat.net/wiki/doku.php?id=mask_attack Examples of mask attack commands and their resulting keyspace ranges. ```text command: -a 3 ?l?l?l?l?l?l?l?l keyspace: aaaaaaaa - zzzzzzzz ``` ```text command: -a 3 -1 ?l?d ?1?1?1?1?1 keyspace: aaaaa - 99999 ``` ```text command: -a 3 password?d keyspace: password0 - password9 ``` ```text command: -a 3 -1 ?l?u ?1?l?l?l?l?l19?d?d keyspace: aaaaaa1900 - Zzzzzz1999 ``` ```text command: -a 3 -1 ?dabcdef -2 ?l?u ?1?1?2?2?2?2?2 keyspace: 00aaaaa - ffZZZZZ ``` ```text command: -a 3 -1 efghijklmnop ?1?1?1 keyspace: eee - ppp ``` -------------------------------- ### DEScrypt htpasswd Example Source: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions An example of a DEScrypt formatted line within an htpasswd file. ```text admin:48c/R8JAv757A ``` -------------------------------- ### Basic Rule Example Source: https://hashcat.net/wiki/doku.php?id=rule_based_attack A simple Hashcat rule example demonstrating appending a digit to a password. Whitespace is generally ignored unless used as a parameter, and '#' denotes comments. ```hashcat-rules $1 ``` -------------------------------- ### Display Maskprocessor Version and Help Source: https://hashcat.net/wiki/doku.php?id=maskprocessor Use these commands to verify the installed version or view available command-line options. ```bash $ ./mp64.bin -V v0.73 $ ./mp64.bin --help High-Performance word generator with a per-position configureable charset Usage: ./mp64.bin [options]... mask * Startup: -V, --version Print version -h, --help Print help * Increment: -i, --increment=NUM:NUM Enable increment mode. 1st NUM=start, 2nd NUM=stop Example: -i 4:8 searches lengths 4-8 (inclusive) * Misc: --combinations Calculate number of combinations --hex-charset Assume charset is given in hex -q, --seq-max=NUM Maximum number of multiple sequential characters -r, --occurrence-max=NUM Maximum number of occurrence of a character * Resources: -s, --start-at=WORD Start at specific position -l, --stop-at=WORD Stop at specific position * Files: -o, --output-file=FILE Output-file * Custom charsets: -1, --custom-charset1=CS User-defineable charsets -2, --custom-charset2=CS Example: -3, --custom-charset3=CS --custom-charset1=?dabcdef -4, --custom-charset4=CS sets charset ?1 to 0123456789abcdef * Built-in charsets: ?l = abcdefghijklmnopqrstuvwxyz ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ ?d = 0123456789 ?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ ?a = ?l?u?d?s ?b = 0x00 - 0xff ``` -------------------------------- ### combinatorX Usage and Example Source: https://hashcat.net/wiki/doku.php?id=hashcat_utils Combines up to eight elements with custom separators and session support. ```bash $ cat list1.txt the quick $ cat list2.txt brown fox $ cat list3.txt jumped over $ combinatorX -1 list1.txt -2 list2.txt -3 list3.txt thebrownjumped thebrownover thefoxjumped thefoxover quickbrownjumped quickbrownover quickfoxjumped quickfoxover ``` -------------------------------- ### Table File for Toggle-Case Example Source: https://hashcat.net/wiki/doku.php?id=table_lookup_attack A table file configured to simulate toggle-case variations for the table-lookup attack. ```text a=a a=A b=b b=B c=c c=C d=d d=D etc.. ``` -------------------------------- ### Hashcat multi-rule combination example Source: https://hashcat.net/wiki/doku.php?id=rule_based_attack Demonstrates combining multiple rule files ('-r') to generate a larger set of attack rules. Each rule from each file is combined with every other rule. ```bash $ cat 123.rule\n$1\n$2\n$3\n\n$ cat abc.rule\n$a\n$b\n$c\n\n$ hashcat --stdout -r 123.rule -r abc.rule wordlist\nhashcat1a\nhashcat2a\nhashcat3a\nhashcat1b\nhashcat2b\nhashcat3b\nhashcat1c\nhashcat2c\nhashcat3c ``` -------------------------------- ### Example GPG Verification Output Source: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions This is an example of the expected output when a PGP signature is successfully verified. Manually inspect the fingerprint. ```text gpg: Signature made Fri Sep 9 05:03:50 2022 AKDT gpg: using RSA key A70833229D040B4199CC00523C17DA8B8A16544F gpg: Good signature from "Hashcat signing key " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: A708 3322 9D04 0B41 99CC 0052 3C17 DA8B 8A16 544F ``` -------------------------------- ### Equivalent Hashcat Command Parameter Orderings Source: https://hashcat.net/wiki/doku.php?id=ubernoobs Hashcat allows flexibility in the order of parameters. These examples show equivalent commands, illustrating that the target hash and primary input can be placed in different positions relative to flags. ```bash hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule ``` ```bash hashcat -a 0 -m 0 example0.hash -r rules/best64.rule example.dict ``` ```bash hashcat -m 0 -a 0 example0.hash -r rules/best64.rule example.dict ``` ```bash hashcat example0.hash -r rules/best64.rule example.dict -m 0 -a 0 ``` ```bash hashcat example0.hash -a 0 -m 0 example.dict -r rules/best64.rule ``` ```bash hashcat example0.hash -a 0 -m 0 -r rules/best64.rule example.dict ``` ```bash hashcat example0.hash example.dict -a 0 -m 0 -r rules/best64.rule ``` ```bash hashcat -a 0 -m 0 -r rules/best64.rule example0.hash example.dict ``` ```bash hashcat -r rules/best64.rule -a 0 -m 0 example0.hash example.dict ``` -------------------------------- ### Table File for Leetspeak Example Source: https://hashcat.net/wiki/doku.php?id=table_lookup_attack A table file configured to handle common leetspeak substitutions for the table-lookup attack. ```text a=a a=@ a=4 c=c c=< c=[ c={ e=e e=3 i=i i=I i=! i=| i=. etc.. ``` -------------------------------- ### yescrypt hash format examples Source: https://hashcat.net/wiki/doku.php?id=hash_format_guidance Displays the expected hashcat format versus the standard /etc/shadow format for yescrypt. ```text SCRYPT:16384:8:1:OTEyNzU0ODg=:Cc8SPjRH1hFQhuIPCdF51uNGtJ2aOY/isuoMlMUsJ8c= ``` ```text $y$jC5$mvBhUbBxNn1$y0uUAyiNRvM2pAa1kKoYFJ2QqGcYONT.n5IreOKA1/4 ``` -------------------------------- ### Locate clinfo utility Source: https://hashcat.net/wiki/doku.php?id=vcl_cluster_howto_original Verify the installation path of the clinfo command. ```bash # which clinfo /usr/bin/clinfo ``` -------------------------------- ### Display kwprocessor version Source: https://hashcat.net/wiki/doku.php?id=kwprocessor Use the -V or --version flag to display the installed version of kwprocessor. ```bash $ ./kwp -V v1.00 ``` -------------------------------- ### Combined Table File Example Source: https://hashcat.net/wiki/doku.php?id=table_lookup_attack A comprehensive table file combining leetspeak and toggle-case substitutions for the table-lookup attack. ```text a=a a=A a=@ a=4 b=b b=B c=c c=C c=< c=[ c={ d=d d=D e=e e=E e=3 etc.. ``` -------------------------------- ### combinator3 Usage and Example Source: https://hashcat.net/wiki/doku.php?id=hashcat_utils Combines words from three input files. ```bash $ cat three.list nes tor $ combinator3 three.list three.list three.list nesnesnes nesnestor nestornes nestortor tornesnes tornestor tortornes tortortor ``` -------------------------------- ### Example .hcmask file content Source: https://hashcat.net/wiki/doku.php?id=mask_attack Valid lines demonstrating custom charset definitions and various mask patterns. ```text ?d?l,test?1?1?1 abcdef,0123,ABC,789,?3?3?3?1?1?1?1?2?2?4?4?4?4 company?d?d?d?d?d ?l?l?l?l?d?d?d?d?d?d ?u?l,?s?d,?1?a?a?a?a?2 ``` -------------------------------- ### Hashcat Status View Example Source: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions This snippet shows an example of how rejected password candidates are displayed in the Hashcat status view. It indicates that 1 out of 4 password candidates were rejected. ```text ... Rejected.......: 1/4 (25.00%) ... ``` -------------------------------- ### Hashcat Charset File Configuration Source: https://hashcat.net/wiki/doku.php?id=mask_attack Example of specifying a custom charset file using the -1 parameter. ```text -1 charsets/standard/German/de_cp1252.hcchr ``` -------------------------------- ### combipow Usage and Example Source: https://hashcat.net/wiki/doku.php?id=hashcat_utils Produces all unique combinations from a short list of inputs. ```bash $ cat wordlist a b c XYZ 123 $ combipow wordlist a b ab c ac bc abc XYZ aXYZ bXYZ abXYZ cXYZ acXYZ bcXYZ abcXYZ 123 a123 b123 ab123 c123 ac123 bc123 abc123 XYZ123 aXYZ123 bXYZ123 abXYZ123 cXYZ123 acXYZ123 bcXYZ123 abcXYZ123 ``` -------------------------------- ### Run Hashcat with MD5 hash file Source: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions Example of running hashcat with a specified hash type and file. This command may trigger a 'Line-length exception' if the hash file is malformed. ```bash ./hashcat.bin -m 0 md5_hashes.txt dict.txt ``` -------------------------------- ### Execute Hashcat with absolute paths via winpty Source: https://hashcat.net/wiki/doku.php?id=hashcat_on_windows_ssh Example command for running Hashcat in a remote SSH environment using absolute Windows filesystem paths. ```bash sshd@TimmyStation /opt/data/hashcat-3.20 $ winpty hashcat64.exe -m 0 -o C:/INSTALL_PATH/opt/data/hashcat_outputhashes C:/INSTALL_PATH/opt/data/RawMD5_test.dump -a 0 C:/INSTALL_PATH/opt/data/wordlists/MyWordlist -r rules/best64.rule ``` -------------------------------- ### Hashcat Restore Command Example Source: https://hashcat.net/wiki/doku.php?id=restore Use this command to resume a previously stopped Hashcat cracking job. It requires the --session argument to identify the job. ```bash hashcat --session session_name --restore ``` -------------------------------- ### Run Hashcat for Password Cracking Source: https://hashcat.net/wiki/doku.php?id=vcl_cluster_howto_original Execute Hashcat with specified parameters for password cracking. This example uses mode -a 7 for dictionary attack and specifies hash file, mask, and dictionary. ```bash root@token:~/oclHashcat-plus-0.15# export LD_LIBRARY_PATH=/usr/lib/vcl root@token:~/oclHashcat-plus-0.15# ./oclHashcat-plus64.bin -t 32 -a 7 example0.hash ?a?a?a?a example.dict oclHashcat-plus v0.15 by atom starting... Hashes: 6494 total, 1 unique salts, 6494 unique digests Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes Workload: 256 loops, 80 accel Watchdog: Temperature abort trigger disabled Watchdog: Temperature retain trigger disabled Device #1: Cayman, 1024MB, 800Mhz, 24MCU Device #2: Cypress, 512MB, 800Mhz, 20MCU Device #3: Cayman, 1024MB, 800Mhz, 24MCU Device #4: Cypress, 512MB, 800Mhz, 20MCU Device #5: Cayman, 1024MB, 800Mhz, 24MCU Device #6: Cypress, 512MB, 800Mhz, 20MCU Device #7: Cayman, 1024MB, 800Mhz, 24MCU Device #8: Cypress, 512MB, 800Mhz, 20MCU Device #9: Cayman, 1024MB, 800Mhz, 24MCU Device #10: Cypress, 512MB, 800Mhz, 20MCU Device #11: Cayman, 1024MB, 800Mhz, 24MCU Device #1: Kernel ./kernels/4098/m0000_a1.Cayman_938.2_CAL 1.4.1741.kernel (490316 bytes) Device #2: Kernel ./kernels/4098/m0000_a1.Cypress_938.2_CAL 1.4.1741.kernel not found in cache! Building may take a while... Device #2: Kernel ./kernels/4098/m0000_a1.Cypress_938.2_CAL 1.4.1741.kernel (456788 bytes) Device #3: Kernel ./kernels/4098/m0000_a1.Cayman_938.2_CAL 1.4.1741.kernel (490316 bytes) Device #4: Kernel ./kernels/4098/m0000_a1.Cypress_938.2_CAL 1.4.1741.kernel (456788 bytes) Device #5: Kernel ./kernels/4098/m0000_a1.Cayman_938.2_CAL 1.4.1741.kernel (490316 bytes) Device #6: Kernel ./kernels/4098/m0000_a1.Cypress_938.2_CAL 1.4.1741.kernel (456788 bytes) Device #7: Kernel ./kernels/4098/m0000_a1.Cayman_938.2_CAL 1.4.1741.kernel (490316 bytes) Device #8: Kernel ./kernels/4098/m0000_a1.Cypress_938.2_CAL 1.4.1741.kernel (456788 bytes) Device #9: Kernel ./kernels/4098/m0000_a1.Cayman_938.2_CAL 1.4.1741.kernel (490316 bytes) Device #10: Kernel ./kernels/4098/m0000_a1.Cypress_938.2_CAL 1.4.1741.kernel (456788 bytes) Device #11: Kernel ./kernels/4098/m0000_a1.Cayman_938.2_CAL 1.4.1741.kernel (490316 bytes) Cache-hit dictionary stats example.dict: 1210228 bytes, 129988 words, 129988 keyspace e973fc5ba3f41964b28cbf1d3d3e7f5c:dyn10001000 7ac74b85753f5cee6c9446b103cc59e8:scas0000 aa1ce869d58da099b8c15859540ad220:linn01111986 0142b84c7d5ab92691cf9e21fbca9a08:f8140123 5be4a34c048a4d4af2462679b7886151:55bo02020202 d2a92d0b635bdc8fd3df226b7084dc8c:368901man ``` -------------------------------- ### Run Hashcat Benchmark Source: https://hashcat.net/wiki/doku.php?id=vcl_cluster_howto_original Execute Hashcat in benchmark mode to measure performance. This example uses benchmark mode 1 for type -m 1000 (NTLM). ```bash root@token:~/oclHashcat-lite-0.15# export LD_LIBRARY_PATH=/usr/lib/vcl root@token:~/oclHashcat-lite-0.15# ./oclHashcat-lite64.bin -b --benchmark-mode 1 -m 1000 oclHashcat-lite v0.15 by atom starting... Password lengths: 1 - 54 Watchdog: Temperature abort trigger disabled Watchdog: Temperature retain trigger disabled Device #1: Cayman, 1024MB, 800Mhz, 24MCU Device #2: Cypress, 512MB, 800Mhz, 20MCU Device #3: Cayman, 1024MB, 800Mhz, 24MCU Device #4: Cypress, 512MB, 800Mhz, 20MCU Device #5: Cayman, 1024MB, 800Mhz, 24MCU Device #6: Cypress, 512MB, 800Mhz, 20MCU Device #7: Cayman, 1024MB, 800Mhz, 24MCU Device #8: Cypress, 512MB, 800Mhz, 20MCU Device #9: Cayman, 1024MB, 800Mhz, 24MCU Device #10: Cypress, 512MB, 800Mhz, 20MCU Device #11: Cayman, 1024MB, 800Mhz, 24MCU [s]tatus [p]ause [r]esume [q]uit => NOTE: Runtime limit reached, aborting... Hash.Type....: NTLM Speed.GPU.#1.: 9804.3M/s Speed.GPU.#2.: 9400.3M/s Speed.GPU.#3.: 9790.4M/s Speed.GPU.#4.: 9381.1M/s Speed.GPU.#5.: 9793.9M/s Speed.GPU.#6.: 9381.4M/s Speed.GPU.#7.: 9785.4M/s Speed.GPU.#8.: 9381.3M/s Speed.GPU.#9.: 9783.6M/s Speed.GPU.#10.: 9936.9M/s Speed.GPU.#11.: 9784.6M/s Speed.GPU.#*.: 106.2G/s Started: Fri Jan 4 11:38:37 2013 Stopped: Fri Jan 4 11:38:57 2013 ``` -------------------------------- ### Specify Source Wordlist Source: https://hashcat.net/wiki/doku.php?id=table_lookup_beginner_guide This is an example name for the source text file containing plain or base words. Hashcat will elaborate on these words using the instructions in the table file. ```bash B.txt ``` -------------------------------- ### Run Hashcat with a non-existent file as hash Source: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions Example of running hashcat where the specified file does not exist, causing hashcat to attempt parsing the filename as a hash. ```bash ./hashcat.bin -m 0 non_existing_file.txt dict.txt ``` -------------------------------- ### Hashcat Table-Lookup Attack Output Example Source: https://hashcat.net/wiki/doku.php?id=table_lookup_attack Illustrates the potential output variations generated by the table-lookup attack based on the input word 'word1' and a sample table file. ```text word1 wOrd1 w0rd1 w.rd1 word2 wOrd2 w0rd2 w.rd2 word3 wOrd3 w0rd3 w.rd3 word9 wOrd9 w0rd9 w.rd9 ``` -------------------------------- ### Download and use wordlist Source: https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2 Download a wordlist and run hashcat against a capture file. ```bash $ wget https://wpa-sec.stanev.org/dict/cracked.txt.gz $ hashcat -m 22000 test.hc22000 cracked.txt.gz ``` -------------------------------- ### Stack multiple rule files Source: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions Demonstrates applying multiple rule files in a specific order using the -r parameter. ```bash $ ./hashcat.bin -a 0 -m 0 -r rules/best64.rule -r rules/toggles2.rule hashlist.txt dict.txt ``` -------------------------------- ### Update System and Reboot Source: https://hashcat.net/wiki/doku.php?id=linux_server_howto Ensures all system updates are installed and reboots to apply a new kernel. This is crucial before installing graphics drivers. ```bash dpkg --remove-architecture i386 aptitude update && aptitude -y full-upgrade sync && reboot ``` -------------------------------- ### Display kwprocessor help message Source: https://hashcat.net/wiki/doku.php?id=kwprocessor Use the -h or --help flag to display the comprehensive help message, including available options and their descriptions. ```bash $ ./kwp --help Advanced keyboard-walk generator with configureable basechars, keymap and routes Usage: ./kwp [options]... basechars-file keymap-file routes-file Options Short / Long | Type | Description | Default =============================+======+=============================================================+========= -V, --version | | Print version | -h, --help | | Print help | -o, --output-file | FILE | Output-file | -b, --keyboard-basic | BOOL | Include characters reachable without holding shift or altgr | 1 -s, --keyboard-shift | BOOL | Include characters reachable by holding shift | 0 -a, --keyboard-altgr | BOOL | Include characters reachable by holding altgr (non-english) | 0 -z, --keyboard-all | | Shortcut to enable all --keyboard-* modifier | -1, --keywalk-south-west | BOOL | Include routes heading diagonale south-west | 0 -2, --keywalk-south | BOOL | Include routes heading straight south | 1 -3, --keywalk-south-east | BOOL | Include routes heading diagonale south-east | 0 -4, --keywalk-west | BOOL | Include routes heading straight west | 1 -5, --keywalk-repeat | BOOL | Include routes repeating character | 0 -6, --keywalk-east | BOOL | Include routes heading straight east | 1 -7, --keywalk-north-west | BOOL | Include routes heading diagonale north-west | 0 -8, --keywalk-north | BOOL | Include routes heading straight north | 1 -9, --keywalk-north-east | BOOL | Include routes heading diagonale north-east | 0 -0, --keywalk-all | | Shortcut to enable all --keywalk-* directions | -n, --keywalk-distance-min | NUM | Minimum allowed distance between keys | 1 -x, --keywalk-distance-max | NUM | Maximum allowed distance between keys | 1 - ``` -------------------------------- ### Specific Functions Examples Source: https://hashcat.net/wiki/doku.php?id=rule_based_attack Examples of specific functions implemented in Hashcat for advanced password manipulation, not typically found in John the Ripper. ```hashcat-rules k ``` ```hashcat-rules K ``` ```hashcat-rules *34 ``` ```hashcat-rules L2 ``` ```hashcat-rules R2 ``` ```hashcat-rules +2 ``` ```hashcat-rules -1 ``` ```hashcat-rules .1 ``` ```hashcat-rules ,1 ``` ```hashcat-rules y2 ``` ```hashcat-rules Y2 ``` ```hashcat-rules E ``` ```hashcat-rules e- ``` ```hashcat-rules 30- ``` -------------------------------- ### Reject Rules Examples Source: https://hashcat.net/wiki/doku.php?id=rule_based_attack Examples of reject rules used to filter passwords based on length, content, or character positions. These rules are primarily for hashcat-legacy or when using -j/-k options. ```hashcat-rules 8 ``` ```hashcat-rules _7 ``` ```hashcat-rules !z ``` ```hashcat-rules /e ``` ```hashcat-rules (h ``` ```hashcat-rules )t ``` ```hashcat-rules =1a ``` ```hashcat-rules %2a ``` ```hashcat-rules rMrQ ``` -------------------------------- ### Run hashcat-legacy with FIFO Source: https://hashcat.net/wiki/doku.php?id=mask_attack_in_hashcat Executes hashcat-legacy using the FIFO pipe as a wordlist source. ```bash $ ./hashcat-cli64.bin -m 0 -n 2 -c 512 -o found.txt hashes.txt dict ``` ```bash ./hashcat-cli64.bin -m 0 -n 2 -c 512 -o found.txt hashes.txt dict ``` -------------------------------- ### View Hashcat Usage Syntax Source: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions Displays the correct argument order for standard and legacy hashcat versions. ```text Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]... ``` ```text Usage: hashcat [options] hashfile [mask|wordfiles|directories] ``` -------------------------------- ### Example cracked passwords Source: https://hashcat.net/wiki/doku.php?id=fingerprint_attack A list of sample passwords successfully recovered during the attack. ```text &~defcon '#(4)\ August19681 '&a123456 10-D'Ann ~|Bailey Krist0f3r f@cebOOK Nuclear$( zxcvbn2010! 13Hark's NjB3qqm Sydney93? antalya%] Annl05de ;-Fluffy ``` -------------------------------- ### Run Hashcat with winpty Source: https://hashcat.net/wiki/doku.php?id=hashcat_on_windows_ssh Basic syntax for executing Hashcat via winpty in a terminal. ```bash $ winpty hashcat64.exe -m 0 .... ``` -------------------------------- ### Start a cracking job Source: https://hashcat.net/wiki/doku.php?id=oclhashcat Initiate a brute-force cracking task using a mask. ```bash oclHashcat64 -m 0 hash.txt -a 3 ?a?a?a?a?a?a?a ``` -------------------------------- ### Capture traffic with hcxdumptool Source: https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2 Start capturing PMKIDs and EAPOL message pairs. ```bash $ hcxdumptool -i INTERFACE_NAME -w dumpfile.pcapng --rds=1 -F ``` -------------------------------- ### Download Hashcat Signing Key (Linux) Source: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions Use this command to download the Hashcat signing key from a keyserver. This is a prerequisite for verifying PGP signatures. ```bash gpg --keyserver keys.gnupg.net --recv 8A16544F ``` ```bash gpg --keyserver pgp.mit.edu --recv 8A16544F ``` -------------------------------- ### Brute-force digits with maskprocessor Source: https://hashcat.net/wiki/doku.php?id=brute_force_in_oclhashcat_plus_original Example of brute-forcing 8-digit passwords on Windows using a pipe. ```bash mp64 ?d?d?d?d?d?d?d?d | oclHashcat-plus64 -m 2500 bla.hccap ``` -------------------------------- ### Brute-force HEX characters with maskprocessor Source: https://hashcat.net/wiki/doku.php?id=brute_force_in_oclhashcat_plus_original Examples of brute-forcing 8-character HEX passwords on Windows and Linux. ```bash mp64 -1 ?dABCDEF ?1?1?1?1?1?1?1?1 | oclHashcat-plus64 -m 2500 bla.hccap ``` ```bash ./mp64.bin -1 ?dabcdef ?1?1?1?1?1?1?1?1 | ./oclHashcat-plus64.bin -m 2500 bla.hccap ``` -------------------------------- ### Initialize AMD GPU on Linux Source: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions Configures AMD GPU adapters for use on Linux systems. ```bash amdconfig --adapter=all --initial -f ``` -------------------------------- ### ct3_to_ntlm Usage and Examples Source: https://hashcat.net/wiki/doku.php?id=hashcat_utils Converts NetNTLMv1 data to NTLM format, supporting both ESS and non-ESS variants. ```bash usage: ./ct3_to_ntlm.bin 8-byte-ct3-in-hex 8-byte-salt-in-hex [24-byte-ESS-in-hex] ``` ```c NETNTLM_bs_fmt_plug.c: {"$NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233", "cory21"}, ``` ```bash ./ct3_to_ntlm.bin C4A70D3BEBD70233 1122334455667788 51ad ``` ```bash ./ct3_to_ntlm.bin 7D01513435B36DCA 1122334455667788 1FA1B9C4ED8E570200000000000000000000000000000000 34d5 ``` -------------------------------- ### combinator Usage and Examples Source: https://hashcat.net/wiki/doku.php?id=hashcat_utils Appends each word from file2 to each word from file1. Requires real files as input. ```bash $ ./combinator.bin usage: ./combinator.bin file1 file2 ``` ```bash $ cat two.list nes tor $ combinator two.list two.list nesnes nestor tornes tortor ``` -------------------------------- ### Backend and Device Management Source: https://hashcat.net/wiki/doku.php?id=hashcat Configuration for hardware backends, device selection, and OpenCL/CUDA/HIP/Metal settings. ```APIDOC ## Backend and Device Management ### Description Settings to manage hardware backends, device affinity, and device-specific optimizations. ### Parameters - **-d, --backend-devices** (Str) - Backend devices to use, separated with commas - **-D, --opencl-device-types** (Str) - OpenCL device-types to use - **--cpu-affinity** (Str) - Locks to CPU devices - **--backend-ignore-cuda** (Flag) - Do not try to open CUDA interface - **--backend-ignore-opencl** (Flag) - Do not try to open OpenCL interface ``` -------------------------------- ### Configure Compute Node Source: https://hashcat.net/wiki/doku.php?id=vcl_cluster_howto_original Mark the current node as a compute node by creating a specific file. Run on each compute node. ```bash touch /etc/vcl/is_back_end ``` -------------------------------- ### cleanup-rules Usage and Examples Source: https://hashcat.net/wiki/doku.php?id=hashcat_utils Strips rules from STDIN incompatible with the specified platform (1 for CPU, 2 for GPU). ```bash usage: ./cleanup-rules.bin mode ``` ```bash $ cat dirty.rules l <3 $ cleanup-rules 1 < dirty.rules l <3 $ cleanup-rules 2 < dirty.rules l $ ``` -------------------------------- ### Configure Broker Node Source: https://hashcat.net/wiki/doku.php?id=vcl_cluster_howto_original Mark the current node as the broker node by creating a specific file. Run only on the broker node. ```bash touch /etc/vcl/is_host ``` -------------------------------- ### Generate keyboard-walk patterns (first 10 lines) Source: https://hashcat.net/wiki/doku.php?id=kwprocessor Generates keyboard-walk patterns using a full base character set, English keymap, and exhaustive 3-character routes. Pipe the output to 'head' to view the initial results. ```bash $ ./kwp basechars/full.base keymaps/en.keymap routes/3-to-3-exhaustive.route | head 0p;/ 1qaz 2wsx 3edc 4rfv 5tgb 6yhn 7ujm 8ik, 9ol. ``` -------------------------------- ### Generated Password Candidates (Simple Example) Source: https://hashcat.net/wiki/doku.php?id=combinator_attack These are the password candidates generated when combining 'dict1.txt' and 'dict2.txt' using the combinator attack. ```text passalice passbob passcat passdog 12345alice 12345bob 12345cat 12345dog omgalice omgbob omgcat omgdog Testalice Testbob Testcat Testdog ```