Skip to main content

Software review: Hashcat

In the following blogpost the way I used software called hashcat in my project is described. The example of using this software for dictionary attack is demonstrated. In my work I used information provided by Tavarez (2020).

 

According to Porup (2020) hashcat is one of the most popular password crackers all around the world. Moreover, hashcat is included in the list of basic tools in Kali linux – linux distribution widely used by cybersecurity specialists. I installed Kali linux virtual machine in order to use this program and to show the example of a dictionary attack


(Author's screenshot)

However, before looking at the examples of using hashcat on practise, it is useful to understand in which areas hashcat is using. In plain words, hashcat is a password guesser which includes a number of features and pre-installed functionalities for cracking passwords by penetrating brute-force and dictionary attacks. The way it works is not too sophisticated, it hashes considerable numbers of passwords and tries to find same with the provided target password hash (Porup, 2020). Hashcat is a useful tool when used for benign purposes, such as finding holes or weak credentials in a security chain of a company. It is free and pre-installed in a multiple operating systems. However, hashcat is as powerful for nefarious purposes as it is for honest ones (HYPR, n. d.). Nevertheless, in my opinion it is necessary to understand how password guessers work in order to be educated in the field of password security and not to fall a victim of frauds. Hashcat is a perfect tool for such purposes since its basics are easy to understand and there are a lot of tutorials on the internet.

 

In order to load hashcat in kali linux user needs to open a console and type the command hashcat -h

(Author's screenshot)

(Author's screenshot)

After this, hashcat is loaded and shows a lot of information about itself, such as options or hash-types.

(Author's screenshot)

In order to penetrate a dictionary attack a user needs to have a file with target hashes. It can be easily created in console by typing:


(Author's screenshot)

After this operation, 4 passwords: ilya2003, bondbond, drowssap, imsecured – are hashed with md5 hash, and their hash is loaded into the target_hashes.txt file on the desktop.


(Author's screenshot)


Next step is to create a dictionary with possible passwords or to choose one of the preinstalled dictionaries. In kali linux pre-installed dictionaries are located in /usr/share/wordlists…

(Author's screenshot)

One of the popular dictionaries is rockyou.txt which is widely used against weak passwords. It contains a number of weak obvious and weak passwords and can be freely downloaded from the web:

(Author's screenshot)

In the example above you can see the beginning of the rockyou.txt.

In order to penetrate a dictionary attack user needs to type a command which is shown below:

(Author's screenshot)

Here -m stands for the hash function and 0 stands for md5 hash. -a 0 means dictionary attack and -o means the file, where output is going to be put – I have created an empty cracked.txt file on the desktop. Than goes target_hashes.txt which means the file where target hashes are loaded from, and rockyou.txt – dictionary, which I moved into the desktop in order to shorten the command, otherwise I would have typed the whole pass to it in the directory /usr/share/wordlists…

After penetrating this command, the file cracked.txt is shown below:


(Author's screenshot)

Only two of the targeted passwords were found in the rockyou.txt. However, penetrating of the attack took only 3 seconds though rockyou.txt consists of an essential number of passwords [it is 130Mb] and despite the fact that I run kali linux on a virtual machine.

 In order to go further I created my own dictionary on the desktop, included all 4 passwords and used it for a dictionary attack:

(Author's screenshot)

To conclude, hashcat is a powerful and considerably easy to learn and understand software. It can be used for either educational purposes and professional penetration testing. Altogether, learning how to use hashcat gives a person solid knowledge about how password cracking works and can make people to overthink their attitude towards password hygiene.

 

 

Reference:

HYPR (no date) ‘Hashcat’, HYPR. Available from: https://www.hypr.com/hashcat/ (Accessed: 4 December 2021).

Porup, J.M. (2020) ‘Hashcat explained: How this password cracker works’, CSO. Available from: https://www.csoonline.com/article/3542630/hashcat-explained-why-you-might-need-this-password-cracker.html (Accessed: 4 December 2021).

Tavarez, P. (2020) ‘Hashcat tutorial for beginners [updated 2021]’, INFOSEC. Available from: https://resources.infosecinstitute.com/topic/hashcat-tutorial-beginners/ (Accessed: 4 December 2021).

Comments

  1. Carrie MansfieldDecember 6, 2021 at 6:07 AM

    Really good post that shows testing, engagement and discussion about the software.

    ReplyDelete

Post a Comment

Popular posts from this blog

Major project theme

Every person has heard about how important it is to have a well-built strong password. An essential number of people would agree that password hygiene is as important as the personal hygiene is, since violation of first may lead to much more serious consequences. However, the statistics show that 59% of users use their names and dates of birth as their passwords, 43% shared their passwords with other people and only 45% would change a password after a breach (O’Driscoll, 2020). The aim of this post is to show how to create strong passwords. It is necessary to know how passwords are cracked in order to properly understand what password can be referred as strong one. There are to ways to execute an attack: online and offline.  Online attack is done by trying different passwords one by one through a normal log in process. Usually, such attacks are unsuccessful since they are easy to detect and block if necessary (Burnett and Kleiman, 2006).  I think everybody encountered situatio...
2 comments
Read more