Hashcat is praised as one of the most advanced, thorough, and powerful password cracking programs available today. It’s also a personal favorite of mine, and we will be going over the basics so you can get started.
By the end of this guide, you will attempt to crack as many passwords as you can from a list of many, many hashes created for this tutorial. When you’re done, post a comment below to tell us how many you got, and see how many passwords other people were able to find!
This is what winning looks like.
I highly recommend using a Linux distribution, and more specifically either Kali or ParrotSec (this is what I use), for your hashcatting shenanigans. However, Windows and Mac will work – you just won’t be allowed to sit at the cool kids’ table. But seriously though, if you are looking to get into the tech industry, Linux experience will put you above and beyond your anti-penguin counterparts.
Check out our guide to get ParrotSec installed in a VM to get the hang of it. Alternatively, if you’re feeling up to it, use our other guide to install ParrotSec on a live USB. Hashcat will not run nearly as fast in a VM, but it WILL get you started in the right direction.
To begin, let’s go over what hashed passwords are. There are many different algorithms used to hash a password, but we will be using MD5 because of the speed at which we will be able to go through the hashes. This is an MD5 hash:
15083d88c574b319857947d1255f0b7e
MD5 is considered broken, and should NEVER be used. It’s simply for our tutorial today to get you started. There are plenty of other MUCH more secure hashing algorithms that should be used in environments where actual users’ passwords are being stored.
Let’s use the word “password” as an example. The hash of “password” is 5f4dcc3b5aa765d61d8327deb882cf99. Put simply, hashing a string turns it into complete garbage text that is mathematically irreversible. To find out what the original word was, we need to hash every possible candidate until one produces a hash that matches. So let’s do it!
Open your terminal and type hashcat, and you should get this result:
Now type hashcat --help, and you’ll see exactly how thorough this program really is!
The first hash we are going to crack is edc9f0a5a5d57797bf68e37364743831. To do this, we are going to enter into our terminal
hashcat -a 3 -m 0 edc9f0a5a5d57797bf68e37364743831
hashcat calls the program. -a 3 specifies our attack mode, which in this case is going to be “brute-force” – this simply hashes every possible string, starting at “aaaaaa”, “aaaaab”, “aaaaac”, and so forth ad nauseam. The next argument is -m 0, which specifies our hashing algorithm, or “mode”. 0 (zero) is the mode for MD5. Let hashcat run until we find the original word!
Next, let’s try the hash 24f7ca5f6ff1a5afb9032aa5e533ad95. What was the original word? Why did this one take longer to find?
Finally, let’s get to our project – cracking passwords from a list of hashes! To do this, we need to add in our file of hashes for hashcat to chug through. Download hashes.txt. Right-click and “Save As”, or else you’ll open nearly 200,000 hashes in a new tab 🙂
Now, instead of specifying a particular hash in our command, we are going to substitute that with the filename of our hashes. Our command will be
hashcat -a 3 -m 0 hashes.txt
as long as our terminal is open in the folder containing the file. Otherwise, you’ll need to enter the full path, or navigate to the containing directory.
Once you hit enter, you will realize how quickly we are able to crack passwords stored as MD5. This will be a perfect example as to why MD5 should never be used to store passwords, and why you should always exercise good habits when creating a password for yourself!
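To put numbers on why unsalted MD5 is the wrong way to store passwords, here is an added example (not part of the original tutorial) that compares it with salted PBKDF2-HMAC-SHA256 from Python’s standard library. The function names and the iteration count are assumptions chosen for this illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def md5_hex(password: str) -> str:
    """Unsalted MD5, the format of this tutorial's hashes (never for real storage)."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, derived_key) using salted PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)  # fresh random salt per user
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


def seconds_per_guess(fn, rounds: int) -> float:
    """Average wall-clock cost of one call to fn()."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


def compare_costs() -> dict:
    """Time one password check under each scheme on this machine."""
    salt, key = store_password("password")
    md5_cost = seconds_per_guess(lambda: md5_hex("password"), 100_000)
    kdf_cost = seconds_per_guess(lambda: verify_password("password", salt, key), 2)
    return {"md5": md5_cost, "pbkdf2": kdf_cost, "slowdown": kdf_cost / md5_cost}


if __name__ == "__main__":
    # Two users with the same password: identical MD5 rows, distinct salted rows.
    print("same MD5 hash:", md5_hex("password") == md5_hex("password"))
    print("different salted keys:", store_password("password")[1] != store_password("password")[1])
    costs = compare_costs()
    print(f"one MD5 check:    {costs['md5']:.2e} s")
    print(f"one PBKDF2 check: {costs['pbkdf2']:.2e} s (~{costs['slowdown']:,.0f}x slower)")
```

With unsalted MD5, one computed hash can be compared against every row in a file like hashes.txt at once; with a per-user salt and a slow key-derivation function, every candidate has to be recomputed for every user at a much higher cost.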
To get an idea of what a solid password needs to look like, watch this video of Edward Snowden (3 minutes) explaining why most passwords are terrible, and how you can create one that won’t be cracked so easily:
One of the most important skills to have in the tech industry is being able to learn on your own, and find answers to sometimes pretty unique questions. In order to encourage this, the final section of this tutorial is up to you!
- Read through the hashcat --help screen to find out how you would perform a dictionary attack. A dictionary, in this case, will be a list of words that hashcat will use, rather than simply (and rather barbarically) brute-forcing the solution. In real world use, brute-forcing is almost always a last resort.
- Find out how you can write all of the cracked passwords to a file alongside their hashes, instead of just displaying them in the terminal.
- See if you can figure out how to use a “mask”. This will enable you to crack passwords with certain parameters, and ultimately allow you to find some that would take far too long otherwise.
Now that you’ve got a handle on how to use hashcat, let us know how many passwords you were able to crack!