Jun 30, 2023 3:12:19 AM | Adversarial Simulation Hashcat Quick Guide Techniques & Tips


Password cracking has a large methodology of its own when it comes to targeted attacks: you can consider English and other language models, passphrases, 1337sp34k translations, case MoDiFCaTiOn, distributed cracking, cloud cracking, and much more. This guide is not a guide to that methodology, but a quick guide to the most commonly used password cracking tool (Hashcat) and the options most often used within the penetration testing space. The goal of this document is to give beginners the common hash types, attack modes, and some tips for using the software to start them down the road of cracking passwords.

Common Hash Types

There are several types of password hashes you may encounter while performing security assessments; generally, the technology or platform you are attacking determines which type of password hash you will obtain. Below is a list of the most common password hashes observed in penetration testing along with a brief description of each hashing algorithm.

  • LM (-m 3000)
    • LM Hashing was released in 1987 and contained several vulnerabilities immediately from implementation. Weaknesses include the limitation of passwords to 14 characters, case insensitivity, and the 14-character password being broken into two 7-byte halves. As a result, it is trivial for an attacker to recover the original password by brute-forcing all possible combinations (as shown later in this post) or with the use of rainbow tables. LM Hashes are generally extracted from either the Security Account Manager, NTDS, or LSASS process space.
  • NTLM (-m 1000)
    • NTLM Hashing is the successor to the LM Hashing algorithm. Released in 1993 along with Windows NT 3.1 it strengthened some of the deficiencies observed in LM Hashing. The primary issue with NTLM is that it is a “fast” hashing algorithm which means it chooses speed over security and can allow password-cracking attacks to run at very high speeds. In modern times it is trivial and inexpensive to crack 8-character passwords, however, that becomes exponentially more difficult and infeasible for a comprehensive brute force attack (all permutations) when increased beyond 12 characters. Similar to LM Hashes, these hashes are generally extracted from either the Security Account Manager, NTDS, or LSASS process space.
  • NetNTLM (-m 5500 and -m 5600)
    • NetNTLM is a protocol meant for protecting password hashes that are in transit over the network. There are practical attacks against version 1 (NTLMv1) types of password hashes, and only NTLMv2 should be used. Even then passwords can be cracked by obtaining the password hashes and challenges and attacking them with Hashcat. While not as quick as NTLM these attacks are still highly successful and generally use a password wordlist along with transformation rules to crack. These password hashes can generally be obtained by man-in-the-middling domain-based authentication requests on the network.
  • WPA-PSK (-m 22000)
    • WPA-PSK hashes are the hashed form of a wireless pre-shared key. Because the handshake is transmitted over the air, they can be easily obtained by sniffing wireless traffic while a client is connecting to the wireless network. These passwords are at a minimum 8 characters long and use a stronger password hashing algorithm, which makes brute-forcing the password more difficult. Targeted attacks with high-quality word lists and transformation rules will yield the best results against these password hashes.
  • TGS-REP (-m 13100)
    • TGS-REP is the hashed authentication credential for Kerberos authentication. These hashes can be obtained by making queries to a domain as an authenticated user. These hashes are generated using a strong algorithm so leveraging quality word lists and rules is also the best route for attacking these hashes.
  • SHA (varies)
    • SHA hashes will typically be found within web applications. These may be extracted from systems via a compromised database or a SQL injection attack. SHA has varying levels of strength depending on the variant (SHA-1, SHA-256, SHA-512, and so on), which affects the speed at which they can be attacked. Depending on the strength of the hash obtained, a brute force, mask attack, or wordlist attack may be the best method for recovery.

Attack Mode Types

There are various attack modes that can be used within Hashcat, each with its own proper use case. Below are the most commonly used attack mode types though other techniques and modes exist to be explored.

  • Mode 0 – Straight (-a 0)
    • Mode 0, also known as “Straight” mode, takes in a required wordlist and optionally one or more rule files of transformation rules. The most recent public password list commonly used for this attack type is RockYou2021; download links can be found on GitHub. Straight mode will first try the base word provided in the password list and then apply any rules to it. A quick example of the word “password” with some simple rules applied to it would yield candidates such as:
Candidates shown in the original screenshot: password1, password2, password3, and so on.
hashcat.exe -a 0 -m 1000 password.txt --stdout -r rules/best64.rule
  • Mode 1 – Combination (-a 1)
    • Mode 1, known as the combination attack will take in two wordlists and match up every possible combination of those words. This makes it possible to take commonly used words and generate effective passphrase password attacks. Rules cannot be used in this attack mode without using advanced techniques such as STDIN. By using smaller wordlists, but multiple wordlists we can generate multiword password candidates to attack the password. For example:
Candidates shown in the original screenshot: whitehorse, greeneagle, and so on.
hashcat.exe -a 1 -m 1000 colors.txt animals.txt --stdout
  • Mode 3 – Mask (-a 3)
    • Mode 3 is for Mask attacks and is probably my favorite method of attack. By looking at a word we can break the word down into its character structure. For example, if we take the password “Password1”, and substitute all upper case letters for ?u, lowercase letters for ?l, and digits for ?d, we can easily crack this 9 character password in seconds using the format ?u?l?l?l?l?l?l?l?d. Imagine how many other passwords use the same format of capital, followed by X amount of lowercase, followed by a digit. See below for recovery that took less than a second:
Screenshots in the original show the mask being built from the password's character structure and the hash being cracked.
hashcat.exe -a 3 -m 1000 hash.txt ?u?l?l?l?l?l?l?l?d
  • Mode 6 and 7 – Hybrid (-a 6 + -a 7)
    • Mode 6 and 7 are often overlooked but are also amazing cracking modes. These combine attack mode 0 (straight wordlist) along with attack mode 3 (mask). So now we could use a large wordlist and add a mask such as ?d?d?d?d to the end to crack passwords that have the word in our wordlist and have any 4 numbers at the end! The difference between 6 and 7 is where the mask and wordlist are, so either WORD+MASK or MASK+WORD. See below for an example:
Screenshots in the original show animals.txt used as the wordlist and the hash cracked as an animal name followed by four digits.
hashcat.exe -a 6 -m 1000 hash.txt animals.txt ?d?d?d?d

General Tips & Tricks

Below are some quick tips I’ve found that should help you along your journey of password cracking. As you perform more cracking you will begin to see patterns and other common formats which may assist you in becoming an expert password cracker.

  • Tuning (-w 4)
    • Tuning can increase your performance but can also take a toll on your system. If your system is running a GUI, you would likely want to specify -w 3 if you don’t plan on using it while cracking, or -w 2 or -w 1 if you do plan on using it. If you do not have a GUI at all you can go ahead and specify -w 4, which will maximize performance from the GPU.
  • Character Sets
    • What the !@#$%^&*()
      • Character sets can be looked at in two ways. The first, as mentioned above, is simply upper, lower, special character, or digit. You can combine these into a custom character set with -1 (the number of the custom set) followed by the mask elements you want; for example, ?s?d would select all special characters and digits (ex: -1 ?s?d).
      • But you can also make custom character subsets, most commonly for special characters, as there are 33 potential special characters but most people use only a handful of them. Limiting this key space can greatly cut down on cracking time and increase efficiency. For example, if we only wanted to use the 10 shift+number keys we could use: (ex: -1 “!@#$%^&*()”)
  • --loopback
    • Loopback will take the list of all passwords cracked in attack mode 0 and recirculate them through the process. So let’s assume you had two passwords, “Password1” and “Password10”. If you had a wordlist with the word Password in it and a rule list that added 0-9 to the end of each password, the first attempt at cracking it would crack Password1, however, with loopback it will then ADD Password1 to a wordlist, and apply rules again, so applying 0-9 again resulting in it cracking Password10. This gets infinitely more complex with the more complex rules you use. This works well because it targets words commonly used in the target organization rather than words you built in your initial wordlist.
  • Increment
    • Increment is used in attack modes 3, 6, and 7. It will take a mask such as our example above “?u?l?l?l?l?l?l?l?d” and start with ?u, then do ?u?l, then do ?u?l?l and so on. This is a great method for cracking 8-10 character passwords, for example, the mask ?u?l?l?l?l?l?l?a?a?a with -i will use the masks ?u?l?l?l?l?l?l?a, ?u?l?l?l?l?l?l?a?a and ?u?l?l?l?l?l?l?a?a?a attacking all capitalized words between 8 and 10 characters long!
  • LM Cracking
    • Since LM passwords are case insensitive, and a maximum of 7 characters, we can attack them using a “custom” (character set) “mask” (attack mode 3) “increment” (-i) “brute force” (exhaustive) method. This might sound complicated but let’s break it down before we execute it.
      • Character Set – We know that passwords will be either upper, digit, or a special character – character set. So we will set our character set for the variable ?1 to be ?u?d?s.
      • Mask Attack – This will be attack mode 3, so -a 3
      • Increment – This will be UP TO 7 characters, so we will use -i for increment and ?1?1?1?1?1?1?1 for up to 7 characters of our custom character set.
      • Hash format for LM is -m 3000
      • Bringing this all together to attack the password “Str0ngP4a$w0rd” we recover the password in 22 seconds:
Screenshots in the original show hashcat auto-detecting the LM hash and the password being cracked.
hashcat.exe -a 3 -m 3000 -i -1 ?u?s?d lmhash.txt ?1?1?1?1?1?1?1
  • Runtimes (-O)
    • If you see the warning below, it means that Hashcat is not using its optimized kernels to attack the passwords. Hashcat has optimized kernels that GREATLY increase speed, at the tradeoff of not being able to crack passwords of 32 characters or more (unlikely in the first place). Therefore you almost always want to apply -O when you get this message, with the exception of SALTED hash types.
Screenshot in the original: hashcat's backend kernel warning, stating that pure kernels can crack longer passwords but reduce performance, and that optimized kernels can be enabled instead.
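To put numbers on the mask, custom character set, increment, and hybrid tips above, here is an added example (not hashcat's code and not from the original post) that counts the candidates a hashcat mask produces and so shows how much work each format costs; the charset sizes follow hashcat's documented built-ins, and the -i behaviour assumes hashcat's default --increment-min of 1.

```python
# Added example, not hashcat's code: count the candidates a hashcat mask produces
# (built-in and custom charsets, -i increment, -a 6/7 hybrid wordlist + mask runs).
import string
from math import prod

# hashcat's built-in charsets; ?s is the 32 ASCII punctuation marks plus space (33).
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(string.punctuation) | {" "},
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]  # 95 chars

def expand_charset(spec, custom=None):
    """Characters covered by a -1/-2 style spec such as '?s?d' or '!@#$%^&*()'."""
    custom = custom or {}
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.add("?")              # '??' is a literal question mark
            elif key in BUILTIN or key in custom:
                chars |= BUILTIN.get(key) or custom[key]
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            chars.add(spec[i])              # plain literal character
            i += 1
    return chars

def parse_mask(mask, custom=None):
    """One charset per mask position: '?u?l?d' -> [26 upper, 26 lower, 10 digits]."""
    positions, i = [], 0
    while i < len(mask):
        step = 2 if mask[i] == "?" and i + 1 < len(mask) else 1
        positions.append(expand_charset(mask[i:i + step], custom))
        i += step
    return positions

def keyspace(mask, custom=None, increment=False, increment_min=1, wordlist_size=1):
    """Candidates hashcat walks. increment models -i (hashcat's --increment-min
    defaults to 1); wordlist_size > 1 models -a 6 / -a 7: every word x every mask hit."""
    sizes = [len(c) for c in parse_mask(mask, custom)]
    lengths = range(increment_min, len(sizes) + 1) if increment else [len(sizes)]
    return wordlist_size * sum(prod(sizes[:n]) for n in lengths)
```

Dividing the result by the H/s figure from `hashcat -b` for the hash mode gives the worst-case run time; the LM command above, for instance, walks 69 + 69^2 + ... + 69^7 candidates, and restricting the Increment tip's mask to 8-10 characters as described needs `--increment-min 8`.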


Hashcat Conclusion

Hopefully, some of this information will get you started on targeted password cracking in your engagements and/or environments. Using efficient techniques results in shorter run times and better results, which can make a world of difference when performing an assessment or evaluating internal security. Once you have mastered these concepts, explore the Hashcat help output for other advanced techniques and tactics that can be leveraged to attack passwords further.


Written By: Joshua Platz