Hashcat is one of the most popular password cracking tools available today. Hashcat utilizes GPU to crack hashes.
HashCat Version 6.2.6
## Core Attack Modes ##
### Dictionary Attacks
The dictionary attack, or “straight mode,” is a very simple attack mode. It is also known as a “Wordlist attack”.
All that is needed is to read line by line from a textfile (aka “dictionary” or “wordlist”) and try each line as a password candidate.
### Combinator Attacks
Each word of a dictionary is appended to each word in a dictionary.
If our dictionary contains the words:
```text
pass
12345
omg
Test
```
Hashcat creates the following password candidates:
```text
passpass
pass12345
passomg
passTest
12345pass
1234512345
12345omg
12345Test
omgpass
omg12345
omgomg
omgTest
Testpass
Test12345
Testomg
TestTest
```
Using the Combinator Attack within hashcat (not standalone version of Combinator Attack).
The command for the Combinator Attack in hashcat is -a 1
You need to specify **exactly** 2 dictionaries in you command line: e.g.
./hashcat64.bin -m 0 -a 1 hash.txt dict1.txt dict2.txt
If you wish to add rules to either the left or right dictionary or both at once then you can use the -j or -k commands.
| Flag | format | Description |
| ---- | ---------------- | ------------------------------------------------------- |
| -j | --rule-left=RULE | Single rule applied to each word on the left dictionary |
| -k | --rule-right=RULE| Single rule applied to each word on the right dictionary|
Example:
Dictionary 1
```text
yellow
green
black
blue
```
Dictionary 2
```text
car
bike
```
Commands
```text
-j '$-'
-k '$!'
```
Note: the quotes are only there to escape the $ character, which would otherwise allow $- to be interpreted as a variable. The rules that are used here are still just $- and $!. Escaping might not work exactly the same way on each operating system and with each shell interpreter (if you are unsure about what needs to be escaped and how it should be escape, please consider looking up your OS and/or shell interpreter manual).
The output would be…
```text
yellow-car!
green-car!
black-car!
blue-car!
yellow-bike!
green-bike!
black-bike!
blue-bike!
```
### Brute Force Attacks ###
Try all combinations from a given keyspace
### Mask Attacks ###
Try all combinations from a given keyspace just like in [Brute-Force attack](https://hashcat.net/wiki/doku.php?id=brute_force_attack "brute_force_attack"), but more specific.
## Advantage over Brute-Force
The reason for doing this and not to stick to the traditional Brute-Force is that we want to **reduce** the password candidate **keyspace** to a more efficient one.
Here is a single example. We want to crack the password: _Julia1984_
In traditional Brute-Force attack we require a charset that contains all upper-case letters, all lower-case letters and all digits (aka “mixalpha-numeric”). The Password length is 9, so we have to iterate through 62^9 (13.537.086.546.263.552) combinations. Lets say we crack with a rate of 100M/s, this requires more than **4 years** to complete.
In Mask attack we know about humans and how they design passwords. The above password matches a simple but common pattern. A name and year appended to it. We can also configure the attack to try the upper-case letters only on the first position. It is very uncommon to see an upper-case letter only in the second or the third position. To make it short, with Mask attack we can reduce the keyspace to 52*26*26*26*26*10*10*10*10 (237.627.520.000) combinations. With the same cracking rate of 100M/s, this requires just **40 minutes** to complete.
## Disadvantage compared to Brute-Force
There is **none**. One can argue that the above example is very specific but this does not matter. Even in mask attack we can configure our mask to use exactly the same keyspace as the Brute-Force attack does. The thing is just that this cannot work vice versa.
Note that masks are split into two parts internally to give hashcat something to work as an amplifier to overcome PCI-E bottleneck.
## Masks
For each position of the generated password candidates we need to configure a placeholder. If a password we want to crack has the length _8_, our mask must consist of _8_ placeholders.
- A mask is a simple **string** that configures the keyspace of the password candidate engine using placeholders.
- A placeholder can be either a custom charset variable, a built-in charset variable or a static letter.
- A variable is indicated by the ? letter followed by one of the built-in charset (l, u, d, s, a) or one of the custom charset variable names (1, 2, 3, 4).
- A static letter is not indicated by a letter. An exception is if we want the static letter ? itself, which must be written as ??.
## Output
Optimized due its partially reverse algorithms, password candidates are generated in the following order:
```text
aaaaaaaa
aaaabaaa
aaaacaaa
.
.
.
aaaaxzzz
aaaayzzz
aaaazzzz
baaaaaaa
baaabaaa
baaacaaa
.
.
.
baaaxzzz
baaayzzz
baaazzzz
.
.
.
zzzzzzzz
```
NOTE: This shows that the first four letters are increased first and most often. The exact number however can vary, especially in a smaller keyspace, but it is fixed until a keyspace has been scanned completly.
## Built-in charsets
- ?l = abcdefghijklmnopqrstuvwxyz
- ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
- ?d = 0123456789
- ?h = 0123456789abcdef
- ?H = 0123456789ABCDEF
- ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
- ?a = ?l?u?d?s
- ?b = 0x00 - 0xff
## Custom charsets
All hashcat derivates have four commandline-parameters to configure four custom charsets.
```text
--custom-charset1=CS
--custom-charset2=CS
--custom-charset3=CS
--custom-charset4=CS
```
These commandline-parameters have four analogue shortcuts called -1, -2, -3 and -4. You can specify the chars directly on the command line or use a so-called hashcat charset file (plain text file with .hcchr extension which contains the chars/digits to be used on the 1st line of the file). See examples below:
### Examples
The following commands all define the **same** custom charset that consists of the chars “abcdefghijklmnopqrstuvwxyz0123456789” (aka “lalpha-numeric”):
```text
-1 abcdefghijklmnopqrstuvwxyz0123456789
-1 abcdefghijklmnopqrstuvwxyz?d
-1 ?l0123456789
-1 ?l?d
-1 loweralpha_numeric.hcchr # file that contains all digits + chars (abcdefghijklmnopqrstuvwxyz0123456789)
```
The following command defines a charset that consists of the chars “0123456789abcdef”:
```text
-1 ?dabcdef
```
The following command defines a full 7-bit ascii charset (aka “mixalpha-numeric-all-space”):
```text
-1 ?l?d?s?u
```
The following command sets the first custom charset (-1) to russian language specific chars:
```text
-1 charsets/special/Russian/ru_ISO-8859-5-special.hcchr
```
## Example
##### The following commands creates the following password candidates: #####
```bash
command: -a 3 ?l?l?l?l?l?l?l?l
```
keyspace: aaaaaaaa - zzzzzzzz
```bash
command: -a 3 -1 ?l?d ?1?1?1?1?1
```
keyspace: aaaaa - 99999
```bash
command: -a 3 password?d
```
keyspace: password0 - password9
```bash
command: -a 3 -1 ?l?u ?1?l?l?l?l?l19?d?d
```
keyspace: aaaaaa1900 - Zzzzzz1999
```bash
command: -a 3 -1 ?dabcdef -2 ?l?u ?1?1?2?2?2?2?2
```
keyspace: 00aaaaa - ffZZZZZ
```bash
command: -a 3 -1 efghijklmnop ?1?1?1
```
keyspace: eee - ppp
## Password length increment
A Mask attack is always specific to a password length. For example, if we use the mask “?l?l?l?l?l?l?l?l” we can only crack a password of the length 8. But if the password we try to crack has the length 7 we will not find it. Thats why we have to repeat the attack several times, each time with one placeholder added to the mask. This is transparently automated by using the “--increment” flag (Attention: the mask length itself is the limiting factor for hashcat. That implies that if i.e. the mask is only of length 4 --increment won't increment the length of the password candidates above 4. A mask of length, therefore, won't increase at all even if --increment was specified).
?l
?l?l
?l?l?l
?l?l?l?l
?l?l?l?l?l
?l?l?l?l?l?l
?l?l?l?l?l?l?l
?l?l?l?l?l?l?l?l
## Hashcat charset files
Hashcat charsets files (file extension: .hcchr) are a convenient way to reuse charsets, define custom charsets and use the language-specific charsets shipped by hashcat.
These files can be used together with the --custom-charsetN= (or -1, -2, -3 and -4) parameter. Instead of providing all the charset directly on command line, the support for .hcchr files allows one to specify the path to the file:
```text
-1 charsets/standard/German/de_cp1252.hcchr
```
It is important that .hcchr files are created with language specific file encodings (e.g. cp1252, ISO-8859-15 etc). For examples of content and encoding of .hcchr files, see the examples shipped with hashcat (e.g. [HASHCATROOT]/charsets/standard/Italian/).
Hint: use iconv and similar tools to convert the files to a language specific file encoding (if for instance created as UTF-8 file).
## Hashcat mask files
Hashcat mask files (file extension: .hcmask) are files which contain custom charsets (optional) and masks (e.g. ?1?1?1?1?d?d) line-by-line. The advantage of using .hcmask files, which are plain text files, is that those files allow the hashcat user to have a set of predefined and well-working masks stored within a file (or several e.g. password policy specific files) where the lines contained in the hcmask file could for instance be sorted by increasing runtime and/or likelihood of matches*.
The general format of 1 single line in the .hcmask file is as follows:
[?1,][?2,][?3,][?4,]mask
where the placeholders are as follows:
- [?1] the 1st custom charset (--custom-charset1 or -1) will be set to this value, optional
- [?2] the 2nd custom charset (--custom-charset2 or -2) will be set to this value, optional
- [?3] the 3rd custom charset (--custom-charset3 or -3) will be set to this value, optional
- [?4] the 4th custom charset (--custom-charset4 or -4) will be set to this value, optional
- [mask] the mask which should (but does not need) to use the custom-charset defined by [?1], [?2], [?3] or [?4] and can use any additional predefined charset (?l, ?u, ?d, ?h, ?H, ?s, ?a, ?b) and can contain fixed chars too (example value: pass?1?d?d?2?l?l)
* see the PACK program and some example hcmask files shipped by hashcat (in the masks/ folder).
You supply the .hcmask file just where you would normally place the single mask on the command line, like so:
```bash
-a 3 hash.txt mask_file.hcmask
```
Other less-important syntax available in .hcmask files:
- with # you can comment a line (it won't be used), with \# you can use a # at the beginning of the line (either within the custom charsets or, if no custom charset is used, within the mask)
- \, means that the comma should be used literally (not a separator between ?1, ?2, ?3, ?4 or mask)
- ?? within the mask or custom charsets means that the question mark should be used as a literal character (otherwise if only a single question mark was used it would be interpreted as the beginning of a reference to a custom charset or built-in charset)
Notes:
- .hcmask files can be used together with -i (increment) parameter for brute-force mode.
- It is not allowed for a [mask] to contain ?1,?2,?3 or ?4 references without those being set via [?1], [?2], [?3], [?4]. This will result in an error message. If you want to use a custom charset for your masks you must define it within the same line of the hcmask file by using the [?1], [?2], [?3], [?4] fields.
- If for instance [?2] was not set because not needed, the comma that would be normally following [?2] must also be omitted. See examples below.
### Example
The following .hcmask file contains some valid example lines which show how to use this feature:
```text
?d?l,test?1?1?1
abcdef,0123,ABC,789,?3?3?3?1?1?1?1?2?2?4?4?4?4
company?d?d?d?d?d
?l?l?l?l?d?d?d?d?d?d
?u?l,?s?d,?1?a?a?a?a?2
```
Note: also see [FAQ: What is a hashcat mask file?](https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#what_is_a_hashcat_mask_file "frequently_asked_questions")
## Charsets in hex
This can be done by some of the hashcat tools using the “--hex-charset” flag.
### Hybrid Attacks ###
Basically, the hybrid attack is just a [Combinator attack](https://hashcat.net/wiki/doku.php?id=combinator_attack "combinator_attack"). One side is simply a dictionary, the other is the result of a [Brute-Force attack](https://hashcat.net/wiki/doku.php?id=brute_force_attack "brute_force_attack"). In other words, the full Brute-Force keyspace is either appended or prepended to each of the words from the dictionary. That's why it's called “hybrid”.
Alternatively you can use [Mask attack](https://hashcat.net/wiki/doku.php?id=mask_attack "mask_attack") or [Rule-based attack](https://hashcat.net/wiki/doku.php?id=rule_based_attack "rule_based_attack") to replace the Brute-Force side.
## Examples
If your example.dict contains:
```text
password
hello
```
The configuration:
```text
$ ... -a 6 example.dict ?d?d?d?d
```
generates the following password candidates:
```text
password0000
password0001
password0002
.
.
.
password9999
hello0000
hello0001
hello0002
.
.
.
hello9999
```
It also works on the opposite side!
The configuration:
```text
$ ... -a 7 ?d?d?d?d example.dict
```
generates the following password candidates:
```text
0000password
0001password
0002password
.
.
.
9999password
0000hello
0001hello
0002hello
.
.
.
9999hello
```
## Using rules to create a Hybrid attack
We can utilize the rule engine in [hashcat](https://hashcat.net/wiki/doku.php?id=hashcat "hashcat") to emulate the Hybrid attack.
This section has moved into a dedicated wiki page: [Using rules to emulate hybrid attack](https://hashcat.net/wiki/doku.php?id=hybrid_atttack_with_rules "hybrid_atttack_with_rules").
### Association Attacks ###
The -a 9 association attack tries each word in a single wordlist against a single hash. It is used when a likely password or password component is already known, correlated with each target hash. It is similar to John the Ripper's “single” mode.
## Requirements
- The wordlist must be exactly the same length as the target hash list.
- If the target list has work factors, they must all be identical. For example, all bcrypts can be cost 10, but a mix of cost 10 and 11 will not work.
## Tips
- Remember that -a 9 can be used with rules! And if you do this with slow hashes, you probably also want to use -S.
- You can also use a directory of wordlists, as usual.
## Other Attacks ##
### Rule-Based Attack ###
## Description
The rule-based attack is one of the most complicated of all the attack modes. The reason for this is very simple. The rule-based attack is like a **programming language** designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.
## Why not stick to regular expressions
Why re-invent the wheel? Simple answer: regular expressions are too slow. Typically we have to generate **1.000.000.000** (or more) fresh password candidates in less than **10 ms** before hashing algorithms start to become idle, and then again and again, second after second. Just take a look at your GPU speed display to get an idea of it.
## Compatibility with other rule engines
The rule-engine in [Hashcat](https://hashcat.net/wiki/doku.php?id=hashcat "hashcat") was written so that all functions that share the same letter-name are 100% compatible to [John the Ripper](http://www.openwall.com/john "http://www.openwall.com/john") and [PasswordsPro](http://www.insidepro.com/eng/passwordspro.shtml "http://www.insidepro.com/eng/passwordspro.shtml") rules and vice versa. Later we started to introduce some of our own functions that are not compatible. But these functions got their own letter-names to avoid conflicts.
## Implemented compatible functions
The following functions are 100% compatible to John the Ripper and PasswordsPro. (However, note that while the *functions* are compatible, their “arguments” (the character sets that can be passed to them) may differ, which means that one cannot just take a list of complex John the Ripper rulesets and run them with hashcat.)
| Name | Function | Description | Example Rule | Note |
| ----------- | -------- | ----------------------------------------------- | ------------ | ---- |
| Nothing | : | Do Nothing (pass through) | : | x |
| | | | | |
- Indicates that N starts at 0. For character positions other than 0-9 use A-Z (A=10)
- Indicates that this rule is implemented in hashcat-legacy (non-OpenCL CPU) only.
- Changed in oclHashcat v1.37 → v1.38 and hashcat v0.51 → v0.52
## Rules used to reject plains - FINISH TABLE
| Name | Function | Description | Example Rule | Note |
| ----------- | -------- | ----------------------------------------------- | ------------ | ---- |
| Reject less | <N | Reject plains if their length is greater than N | <G | x |
| | | | | |
Note: Reject rules only work either with hashcat-legacy, or when using “-j” or “-k” with hashcat. They will not work as regular rules (in a rule file) with hashcat.
- * Indicates that N starts at 0. For character positions other than 0-9 use A-Z (A=10)
## Implemented specific functions - FINISH TABLE
The following functions are not available in John the Ripper and/or PasswordsPro:
| Name | Function | Description | Example Rule | Input Word | Output Word | Note |
| ----------- | -------- | ----------------------------------------------- | ------------ | ---------- | ----------- | ---- |
| Reject less | <N | Reject plains if their length is greater than N | <G | p@ssw0rd | @pssw0rd | x |
| | | | | | | |
- Indicates that N starts at 0. For character positions other than 0-9 use A-Z (A=10)
- Only in JtR?
- In beta or not yet released
## Using hex bytes in rules
You can use '\xNN' syntax to use hex bytes in rules.
```bash
> echo "Penguin" | ./hashcat.exe -j '$\x64' --stdout
Penguind
```
This is useful for non-printable ASCII characters, multibyte work, etc.
## Writing rules
The most important thing in writing rules is knowing what you want to write. That typically means you have to analyze dozens of plaintext passwords, maybe from a customer, to see a pattern. For example, a common pattern is that people append a digit to their passwords to improve its strength. So we have two “parameters”:
- We want to _append_ something.
- The value we want to append is a _digit_.
If we take a look at the function overview we see that we can append something using the '