Hashcat examples

Rule based attack

Use a wordlist and best64 rules to try and crack a wordpress hash. Using rockyou.txt as an example.

-m Specifies the hash type

hashcat -m 400 wordpress.hash -r rules/best64.rule wordlist/rockyou.txt

wordpress.hash is a text file that contains the password hash. You can list multiple hashes in the file

Example contents of file

bob@localhost:~$ cat wordpress.hash 
$P$BeJ2ZWVgSx/rR8ifcTFyjq1ouCCWwu0
bob@localhost:~$

Brute force

Attempt every 8 numeric combination for a WPA2 key.

hashcat -m 2500 -a3 capture.hccapx ?d?d?d?d?d?d?d?d

Hashcat built in Charsets

You can swap out the ?d from the above command with any of the built in character sets below.

  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
  d | 0123456789
  h | 0123456789abcdef
  H | 0123456789ABCDEF
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff

More information
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
Rule based attacks are recommended
https://hashcat.net/wiki/doku.php?id=rule_based_attack

Crack LUKS volume with Hashcat

Install hashcat

apt install hashcat

Find LUKS Volume

bob@localhost:~/$ dmesg
...
[ 1057.776074] sd 0:0:0:0: [sda] Write Protect is off
[ 1057.776074] sd 0:0:0:0: [sda] Mode Sense: 43 00 00 00
[ 1057.776593] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 1057.780234]  sda: sda1
[ 1057.783346] sd 0:0:0:0: [sda] Attached SCSI removable disk
bob@localhost:~/$

From the above we see that the drive we just pluGged into the system is “sda” so our path and partition is “/dev/sda1”

Run hashcat

The following command will run hashcat against “/dev/sda1”, change if the encrypted partition is different. Mode is to brute force every 8 numeric character combination. Refer to the following link to learn more about mask attacks.
https://hashcat.net/wiki/doku.php?id=mask_attack

Note: You should be able to dump the header and work off of that as well.

sudo hashcat -a 3 -m 14600 /dev/sda1 ?d?d?d?d?d?d?d?d

How to convert an Aircrack capture file to a Hashcat hccapx

Using Aircrack

aircrack-ng input.cap -J hashcat_output

Unfortunately the above command doesn’t seem to work anymore.

If you try to run Hashcat with the outputted file you’ll get an error.

hashcat_output.hccap: Old hccap format detected! You need to update: https://hashcat.net/q/hccapx

Using Hashcat utils

Refer to this guide for installing the Hashcat utils.

Basic syntax is

./cap2hccapx.bin input.cap output.hccapx

Example

~/Downloads/hashcat-utils-master/src/cap2hccapx.bin aircrack-01.cap aircrack.hccapx

Install Hashcat on Fedora

Install nVidia drivers.  Guide here.

Download binary files from the hashcat website

https://hashcat.net/hashcat/

or use wget

wget https://hashcat.net/files/hashcat-4.1.0.7z

Extract with p7zip

7z x hashcat-4.1.0.7z

cd into the hashcat directory

cd hashcat-4.1.0

Run hashcat

./hashcat64.bin -t 32 -a 7 example0.hash ?a?a?a?a example.dict

Example script:

sudo dnf install p7zip
wget https://hashcat.net/files/hashcat-4.1.0.7z
7z x hashcat-4.1.0.7z
cd hashcat-4.1.0
./hashcat64.bin -t 32 -a 7 example0.hash ?a?a?a?a example.dict

Errors:
If you get the following error, try re-extracting the 7z file with the “x” option, not “e”.  “x : eXtract files with full paths” and ” e : Extract files from archive (without using directory names)”

inc_cipher_aes256.cl: No such file or directory