Hashcat help

Sometimes you come along a password and want to try other variations of that password. Or you have a password list and want to add all possible solutions into a dictionary password file . With hashcat you can create a password list bases on rules you set or existing rules which comes with the installation of kali. This post focus only on existing rules.In Kali Linux you can find an existing set of rules here -> /usr/share/hashcat/rules/Variations of one wordLet’s say we have found a password or a word we think might be a password. Now we want to try all different variation of that word and put them into a dictonary. We use echo and then pipe it into hashcat and output it in an fileecho -n "TheDutchHacker" | hashcat --force --stdout -r /usr/share/hashcat/rules/toggles3.rule >> pwdlist.txtExplanation:ECHO-ndo not output the trailing newlineHASHCATCommandExplanation–forceIgnore warnings–stdoutStoud mode ( Stream mode)-rRule-file to useAnd we use >> to add it to the pwdlist.txt file. Make sure you use >> and not > other wise it will overwrite instead to add the extra words to the listYou can add more rules to the list with the the same word. Just repeat the command but with a different set of rules.Multiple WordsNow let say you have a file with different words and you want to put it through a rules set. You just have to provide the list. Now this list was in the same directory. If it was not then we needed to add the full pathhashcat --force --stdout pwdlist.txt -r /usr/share/hascat/rules/best64.rule >> alteredlist.txtNow cat this out and see the results cat alteredlist.txtSo there we have. We can now build password files based on an existing rule set. If you want to know how a rule set is build up just cat the rule set to screen. If you need more info on this then take a look at the official wiki page rule_based_attack [hashcat wiki]

Extreme_Breach_MasksA set of prioritized Hashcat masks intelligently developed from terabytes of password breach datasets and organized by run time.GoalTo improve the efficiency of password cracking using Hashcat mask attacks by prioritizing masks with the highest password cracking probability in the shortest possible time using high volumes of password breach data.BackgroundInspired by the work of golem445 who compiled a set of password hashcat password masks using real-world data. I took this a step further by building a set of prioritized Hashcat masks using an enormous password breach dataset that I have been personally compiling and curating.MethodologyCompiled every available password breach dataset that I could find -- terabytes of data! Wordlists include everything readily google-able and torrent-able. Noteable inclusions are: crackstation.net, seclists, rockyou, COMB, breach-parse... and many, many more.Combined the wordlists in a way that they were generally sorted by password usage commonality.Deduplicated the wordlist without re-sorting (important to retain the commonality order) using this tool: the wordlist through the statsgen.py tool to convert the wordlist into a counted set of password masks: statsgen.py breach_wordlist.txt -o masks.statsgenRan the resulting statsgen.py output through maskgen.py to generate .hcmask files that are efficently ordered and seperated by run time. The run time duration assumes a hashing speed of 56,636,300,000 keys per second. This was determiend based on the performance of 1x Nvidia GTX1080Ti cracking NTLM hashes in Hashcat. Example command below:python maskgen.py --optindex -o ./1-hour_8.hcmask --minlength=8 --maxlength=8 --pps 56636300000 --targettime 3600 masks.statsgenRepeated step #5 with various execution times to generate files optimized for various run times.UsageThe .hcmask files above describe passwords of differing character lengths, each sorted by efficiency, and formatted for use by the Hashcat password cracking tool. Depending on your situation, you might want to focus on passwords of a specific length only vs the entire set. You should select the hcmask file optimized for your desired time frame. The statsgen file is included if you want to re-sort and generate your own hcmask files; however, I had to pair it down to only 8-14 characters and 7zip it because the full version was too large for github. Recognize that this type of brute force mask attack can take a long time and should be performed last after you have exhausted more targeted methods. My recommended password cracking attack order is below:Backup/Clear your hashcat potfile for the new set of hashes because mixing previous results gets confusing and if the potfile gets too

Large it can slow down the cracking process.Basic dictionary attack with your favorite wordlist... ie rockyou.txt -m 1000 -w 4 -a 0 --session -O">hashcat.exe -d -m 1000 -w 4 -a 0 --session -OBrute force all permutations 1-7 character length passwords... this does not take long given the minimal keyspace of this group. -m 1000 -w 4 -a 3 --session ?a?a?a?a?a?a?a -O">hashcat.exe --increment --increment-min=1 -d -m 1000 -w 4 -a 3 --session ?a?a?a?a?a?a?a -OTargeted dictionary attack... create a custom lowercase wordlist using CeWL and add local sports teams, city names, mascots, etc and apply the best64.rule -m 1000 -w 4 -a 0 --session -r best64.rule -O">hashcat.exe -d -m 1000 -w 4 -a 0 --session -r best64.rule -OAnalyze the set of cracked passwords for potential patterns, run targeted attacks which reflect those patterns.BIG dictionary attack... run the passwords through the largest wordlist you have.Analyze any newly cracked passwords for potential patterns, run targeted attacks which reflect those patterns.Use this repository of work and run the "duration_characters.hcmask" according to your needs.Example Hashcat Command for Using the .hcmask to Crack NTLM Hashes -m 1000 -w 4 -a 3 --session 1-day_8-14.hcmask -O">hashcat.exe -d -m 1000 -w 4 -a 3 --session 1-day_8-14.hcmask -OExtra flags that might be necessary to make Hashcat work on your system. NOTE: These are dangerous, and should only be used very rarely!--force | Force Hashcat to stop bothering you and just crack the damn passwords.--hwmon-disable | Hashcat will throttle based on temp readings... ignore this and go for broke!

WebHashcatHashcat web interfaceWebHashcat is a very simple but efficient web interface for hashcat password cracking tool.It hash the following features:Distributed cracking sessions between multiple server (you only need to install HashcatNode on the remote server)Cracked hashes are displayed almost as soon as they are crackedCracking session restore (for example after host reboot)Upload plaintext files for analytics purposesSearch patterns through the entire databaseAnalyticsCurrently WebHashcat supports rule-based and mask-based attack modeThis project is composed of 2 parts:WebHashcat, the web interface made with the django frameworkHashcatNode, A hashcat wrapper which creates an API over hashcatWebHashcat UsageAdding rules, masks and wordlists to webhashcatGo to the Hashcat > Files page, than simply use the upload button to add new files. Note that uploaded files are added to webhashcat but not deployed to nodes yet.Registering a nodeThe nodes can be simply added and removed on the Node page, you only need to define the ip, port, username and password (as defined in the hashcatnode configuration script).Once a node is registered, click on the node and hit the synchronise button on the top. Rules, Masks and Wordlists should now be uploaded to the node (all files should be green).Adding a hashfileIn the hashcat page, simply hit the bottom "add" button to upload a new hashfile, after comparing the new hashfile to the centralised potfile (can take a few minutes with huge hashfiles), your hashfile should appear in the list.Creating a cracking sessionSimply hit the "+" button on the left of the hashfile, then select the desired cracking method. Note that sessions aren't started automatically, you will need to use the "play" button to start them.If you set the cron to 5 minutes, the central potfile will be updated every 5 minutes with newly cracked hashes.Simply click on the hashfile to view the results, it can take few

Ago.Cracking the HashYou’ll need hashcat installed and setup to crack the hash. Kali Linux has hashcat included (you will just want to have the NVIDIA drivers installed for optimal performance). You can also check out installing hashcat on Fedora, or check out the hashcat website for other systems. the hashes of interest into a text file called hash.txtCommand to crack the passwords ./hashcat.bin -a 3 -m 1500 ./hash.txt -1?l?u ?1?1?1?1?1?1?1?1 -w 3 --session airgatewaythe -1?l?u let’s us specify a custom character list made up of -l and -u. Lower and Upper case letters. –session airgateway will record a checkpoint ever so often. So if our run gets interrupted, we can restore the session with./hashcat.bin --session airgateway --restoreRemediationFortunately, remediation is fairly simple.SSH into the affected device and open up the config filevi /tmp/system.cfgFind the lines that start with “users.3.”, delete them, and save the fileRun the following command to save the changes./usr/etc/rc.d/rc.softrestart save If you are not comfortable with the command line, then you can, through the web gui, download a backup, edit the backup file in a text editor, then upload/restore the backup.Other notesSomething else you may run across is a mcuser that shows up in /etc/passwd. This is typically a user used for AirControl, so if you have used AirControl in the past that is most likely why it is there. Check out the following article to remove the user. Install etherwake withapt install etherwake -yAfter it is installed, run etherwake with the target mac address. etherwake AA:BB:CC:00:11:22 Ubiquiti Airmax gear has tcpdump included. We can easily use it to capture packets to a file and then use SCP from the device to copy the file for analysis.SSH to the devicessh [email protected] /tmp/Start tcpdump with the following command. Change ath0 and file.cap to the appropriate interface and file name.tcpdump -i ath0 -w file.capAfter we are done collecting, we can quit with ctrl + cNow we can use scp or sftp to copy the files off. There is an issue using scp or sftp from a normal Linux machine to the radio, fails with a “sh: /usr/libexec/sftp-server: not found”. It