Hashcat is a popular and effective password cracker widely used by both penetration testers and sysadmins as well as criminals and spies.
Cracking passwords is different from guessing a web login password, where the site typically allows only a small number of guesses before locking the account. Cracking is an offline attack: someone who has obtained a copy of a system's stored password hashes can make as many guesses as their hardware allows, with nothing to lock them out, until they recover the passwords behind those hashes.
Passwords are no longer stored in plaintext (or shouldn't be, anyway). Instead, a password is run through a one-way function called a hash, and only the hash is stored; logging in means hashing what the user typed and comparing the result. Calculating the hash of a password like "Password1" is lightning quick, at least for general-purpose hashes such as MD5, SHA-1 or Windows NTLM. Purpose-built password hashes such as bcrypt are deliberately slow and salted, which is exactly why they are the recommended choice: they make every one of an attacker's guesses expensive.
What if all you've got is the hash? A one-way function can't be run backwards, so the only route is to guess inputs and hash them. A brute-force attack that tries every possible input could be computationally infeasible for a long password. Like, until the heat death of the universe infeasible.
Luckily, or unluckily depending on your point of view, none of us are likely to live that long, but there are many ways to recover the original password from its hash without resorting to a probably fruitless brute-force attack. None of them reverse the hash; they just guess far more cleverly.
Enter hashcat. It turns out humans are so predictable in their password choices that hashcat can often recover a password.
Cracking passwords has many legitimate uses, besides the obvious criminal and espionage ones. A sysadmin may wish to pre-emptively check the security of user passwords. If hashcat can crack them, so can an attacker.
Penetration testers on engagement will frequently find themselves cracking stolen password hashes to move laterally inside a network, or to escalate privileges to an admin user. Since penetration testers work to find security holes on purpose, under contract, so that their customer can improve their security, this is also a perfectly legitimate use case.
The real takeaway is that both criminal attackers and legitimate defenders use hashcat. The best way to prevent an attacker from using hashcat against you is to run it against your own hashes first and fix whatever it cracks: weak passwords, and the fast or unsalted hash formats that make them easy to crack.
How does hashcat work?
At its most basic level, hashcat guesses a password, hashes it, and then compares the resulting hash to the one it's trying to crack. If the hashes match, we know the password. If not, keep guessing.
There are numerous attacks short of a full brute-force attempt, including dictionary attacks, combinator attacks, mask attacks, and rule-based attacks. Hashcat runs all of them on your GPU (or on many GPUs), which is what makes billions of guesses per second possible against fast hashes; a full brute force is an option too, if you have the computing rig for it -- and time to spare.
Hashcat dictionary attack
Since humans tend to use really bad passwords, a dictionary attack is the first and obvious place to start. The rockyou.txt word list is a popular option.
Containing more than 14 million passwords sorted by frequency of use, it begins with common passwords such as “123456”, “12345”, “123456789”, “password”, “iloveyou”, “princess”, “1234567”, and “rockyou”, all the way to less common passwords such as “xCvBnM”, “ie168”, “abygurl69”, “a6_123”, and “*7¡Vamos!”.
Many other free wordlists exist on the internet, especially targeted at specific languages. Hashcat lets you specify the wordlist of your choice.
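To make the guess, hash, compare loop of the previous section concrete, here is a small Python model of a dictionary attack against unsalted MD5 hashes (hashcat's hash mode 0). This is added example code, not part of the article and not hashcat's own implementation; the short wordlist and the two target hashes are constructed for the example and stand in for rockyou.txt and a real hash dump.

```python
from __future__ import annotations

import hashlib
from typing import Iterable


def md5_hex(candidate: str) -> str:
    """Unsalted MD5 hex digest, the hash hashcat computes for -m 0."""
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def crack(targets: set[str], candidates: Iterable[str]) -> dict[str, str]:
    """Hashcat's core loop: hash each guess and compare it against every
    still-uncracked target. Returns {hash: plaintext} for the ones found.
    The comparison is a set lookup, so cracking ten thousand hashes at once
    costs no more per guess than cracking one."""
    remaining = set(targets)
    found: dict[str, str] = {}
    for guess in candidates:
        if not remaining:          # all targets cracked: stop early
            break
        digest = md5_hex(guess)
        if digest in remaining:
            found[digest] = guess
            remaining.discard(digest)
    return found


def dictionary_attack(targets: set[str], wordlist: Iterable[str]) -> dict[str, str]:
    """Straight attack (hashcat -a 0): each line of the wordlist is one guess."""
    return crack(targets, (line.rstrip("\r\n") for line in wordlist))


# Constructed stand-in for the first lines of rockyou.txt (the real file has
# more than 14 million entries).
WORDLIST = ["123456", "12345", "123456789", "password", "iloveyou",
            "princess", "1234567", "rockyou", "abygurl69"]

# Constructed "dump" of two hashes. In practice these come from the target
# system, one hex digest per line, and you would not know the plaintexts.
TARGET_HASHES = {md5_hex(p) for p in ("iloveyou", "Bananas1")}

if __name__ == "__main__":
    found = dictionary_attack(TARGET_HASHES, WORDLIST)
    for digest, plaintext in found.items():
        print(f"{digest}:{plaintext}")      # same hash:plain format as hashcat --show
    print(f"{len(found)} of {len(TARGET_HASHES)} cracked")
```

The real equivalent is `hashcat -m 0 -a 0 hashes.txt rockyou.txt`, with `hashcat -m 0 --show hashes.txt` printing the cracked pairs afterwards. Note what the example shows: "iloveyou" falls immediately because it is in the list, while "Bananas1" survives a plain dictionary attack, which is what the combinator, mask and rule attacks below are for. Against a slow hash such as bcrypt (`-m 3200`) the loop is identical, but each guess costs thousands of times more.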
Hashcat combinator attack
Humans often create passwords that are two words mushed together. Hashcat exploits this with a combinator attack that takes two word lists (also known as "dictionaries") and tries every word from the first list combined with every word from the second.
The hashcat documentation illustrates this with two small dictionaries, colours such as "yellow" and "blue" on the left and vehicles such as "car" and "bike" on the right.
Hashcat then smushes every left-hand word together with every right-hand word and tests each of the resulting candidates, "yellowcar", "bluebike" and so on, without ever writing the combined list to disk.
Punctuation such as hyphens (-), exclamation points (!) and other special characters can also be added between or after the words (hashcat's -j and -k options apply a rule to each left-hand and right-hand word respectively), so that the final keyspace includes passwords like "yellow-car!" and "blue-bike!".
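The combinator attack as an added Python example (not the article's or hashcat's own code). The two dictionaries are constructed in the spirit of the documentation example above, and the separator and suffix lists stand in for what hashcat's -j/-k rules would do to each word; the hash is unsalted MD5 as in the earlier example.

```python
from __future__ import annotations

import hashlib
from itertools import product
from typing import Iterable, Sequence


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def crack(targets: set[str], candidates: Iterable[str]) -> dict[str, str]:
    """Guess, hash, compare: the same loop every attack mode feeds."""
    remaining, found = set(targets), {}
    for guess in candidates:
        if not remaining:
            break
        digest = md5_hex(guess)
        if digest in remaining:
            found[digest] = guess
            remaining.discard(digest)
    return found


def combinator(left: Sequence[str], right: Sequence[str],
               separators: Sequence[str] = ("",),
               suffixes: Sequence[str] = ("",)) -> Iterable[str]:
    """Every left word joined to every right word (hashcat -a 1).
    separators and suffixes model what -j/-k rules do: put a character
    between the words, tack one on the end. The empty string in each list
    keeps the plain 'yellowcar' form in the keyspace."""
    for lhs, sep, rhs, suf in product(left, separators, right, suffixes):
        yield f"{lhs}{sep}{rhs}{suf}"


def keyspace(left: Sequence[str], right: Sequence[str],
             separators: Sequence[str] = ("",),
             suffixes: Sequence[str] = ("",)) -> int:
    """Number of candidates the combinator will produce."""
    return len(left) * len(right) * len(separators) * len(suffixes)


def combinator_attack(targets: set[str], left: Sequence[str], right: Sequence[str],
                      separators: Sequence[str] = ("",),
                      suffixes: Sequence[str] = ("",)) -> dict[str, str]:
    return crack(targets, combinator(left, right, separators, suffixes))


# Constructed dictionaries mirroring the documentation example.
LEFT = ["yellow", "blue"]
RIGHT = ["car", "bike"]
# Constructed dump: one plain concatenation, one with punctuation added.
TARGET_HASHES = {md5_hex(p) for p in ("bluebike", "yellow-car!")}

if __name__ == "__main__":
    print("plain:", combinator_attack(TARGET_HASHES, LEFT, RIGHT))
    print("with punctuation:",
          combinator_attack(TARGET_HASHES, LEFT, RIGHT, ("", "-"), ("", "!")))
    print("keyspace:", keyspace(LEFT, RIGHT, ("", "-"), ("", "!")))
```

The plain run cracks only "bluebike"; adding the hyphen and the exclamation mark doubles the keyspace twice (2 x 2 x 2 x 2 = 16 candidates) and picks up "yellow-car!" as well. With hashcat that is `hashcat -m 0 -a 1 hashes.txt left.txt right.txt`, and `-k '$!'` would append the exclamation mark to every right-hand word without a second wordlist.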
Hashcat mask attack
Lots of users tend to use passwords in a certain format. One uppercase letter followed by six lowercase letters and a digit on the end is common for older passwords -- "Bananas1", for example.
Instead of trying to brute-force every possible password, you can use hashcat to search for all passwords in that format, which drastically reduces the number of possible guesses necessary -- if, indeed, the password in question is in that format.
The hashcat documentation, using a nine-character password built from a name and a year as its example, explains why a mask attack is often orders of magnitude faster than a brute-force attack:
In a traditional brute-force attack we require a charset that contains all uppercase letters, all lowercase letters and all digits (a.k.a. "mixalpha-numeric"). The password length is 9, so we have to iterate through 62^9 (13,537,086,546,263,552) combinations. Let's say we crack with a rate of 100M/s; this requires more than four years to complete.
In a mask attack we know about humans and how they design passwords. The above password matches a simple but common pattern: a name with a year appended to it. We can also configure the attack to try the uppercase letters only on the first position. It is very uncommon to see an uppercase letter only in the second or the third position. To make it short, with a mask attack we can reduce the keyspace to 52*26*26*26*26*10*10*10*10 (237,627,520,000) combinations. With the same cracking rate of 100M/s, this requires just 40 minutes to complete.
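The keyspace arithmetic in that passage, and the mask attack itself, as an added Python example (not the article's or hashcat's own code). It models hashcat's built-in charsets (?l ?u ?d ?s ?a) and custom charsets (-1 .. -4), reproduces the documentation's 62^9 and 237,627,520,000 figures, and cracks a constructed short hash with a "Capitalised word plus digit" mask; the hash is unsalted MD5 as in the earlier examples, and a plain brute force is just the same code with ?a at every position.

```python
from __future__ import annotations

import hashlib
from itertools import product
from typing import Iterable

# hashcat's built-in charsets: ?l ?u ?d ?s, and ?a for all four together (95 chars)
BUILTIN_CHARSETS = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
BUILTIN_CHARSETS["a"] = "".join(BUILTIN_CHARSETS[k] for k in "luds")


def parse_mask(mask: str, charsets: dict[str, str]) -> list[str]:
    """Turn '?u?l?l?d' into one alphabet per position. A character not
    introduced by '?' is a literal (a one-element alphabet); '??' is a
    literal question mark, as in hashcat."""
    positions: list[str] = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            positions.append("?")
        elif key in charsets:
            positions.append(charsets[key])
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 2
    return positions


def resolve_charsets(custom: dict[str, str] | None) -> dict[str, str]:
    """Custom charsets (-1 .. -4 on the command line) are themselves written
    in mask syntax, e.g. -1 ?u?l for 'any letter, either case'."""
    charsets = dict(BUILTIN_CHARSETS)
    for name, spec in (custom or {}).items():
        merged = "".join(parse_mask(spec, charsets))
        charsets[name] = "".join(dict.fromkeys(merged))   # dedupe, keep order
    return charsets


def keyspace(mask: str, custom: dict[str, str] | None = None) -> int:
    """Product of the alphabet sizes, one factor per position."""
    n = 1
    for alphabet in parse_mask(mask, resolve_charsets(custom)):
        n *= len(alphabet)
    return n


def seconds_to_exhaust(keyspace_size: int, guesses_per_second: float) -> float:
    return keyspace_size / guesses_per_second


def mask_candidates(mask: str, custom: dict[str, str] | None = None) -> Iterable[str]:
    """Enumerate the whole keyspace (hashcat -a 3)."""
    for combo in product(*parse_mask(mask, resolve_charsets(custom))):
        yield "".join(combo)


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def crack(targets: set[str], candidates: Iterable[str]) -> dict[str, str]:
    remaining, found = set(targets), {}
    for guess in candidates:
        if not remaining:
            break
        digest = md5_hex(guess)
        if digest in remaining:
            found[digest] = guess
            remaining.discard(digest)
    return found


def mask_attack(targets: set[str], mask: str,
                custom: dict[str, str] | None = None) -> dict[str, str]:
    return crack(targets, mask_candidates(mask, custom))


# Constructed dump: a short password in the "Capitalised word plus digit" shape,
# kept to four characters so the example runs in well under a second.
TARGET_HASHES = {md5_hex("Bob1")}

if __name__ == "__main__":
    docs_mask, docs_custom = "?1?l?l?l?l?d?d?d?d", {"1": "?u?l"}
    print("brute force 62^9:", keyspace("?1" * 9, {"1": "?u?l?d"}))
    print("mask keyspace:   ", keyspace(docs_mask, docs_custom))
    print("at 100M/s: %.0f minutes" % (seconds_to_exhaust(keyspace(docs_mask, docs_custom), 1e8) / 60))
    print("full ?a brute force, 8 chars:", keyspace("?a" * 8))
    print("cracked:", mask_attack(TARGET_HASHES, "?u?l?l?d"))
```

The documentation's mask is `hashcat -m 0 -a 3 -1 ?u?l hashes.txt '?1?l?l?l?l?d?d?d?d'`; the article's "Bananas1" shape is `?u?l?l?l?l?l?l?d`. The example also shows the caveat the article raises: run `mask_attack` with `?l?l?l?d` and "Bob1" is not found, because a mask only finds passwords that match its pattern.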
Hashcat rule-based attack
If other, easier options fail and you have a specific sense of how your target constructs passwords, hashcat offers a programming-language-like syntax for a rule-based attack, in which you specify how each word in a dictionary should be mangled before it is tried: capitalise it, append a digit, swap letters for symbols, and so on.
"The rule-based attack is one of the most complicated of all the attack modes," the hashcat website says. "The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack."
The learning curve to get started with hashcat is very low, but learning the hashcat rule syntax is a sharp climb. Fortunately hashcat ships with ready-made rule files, and a good wordlist plus a stock rule set is usually the second thing to try after a plain dictionary attack.
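A taste of that rule language as an added Python example (not the article's or hashcat's own code): an interpreter for a small subset of hashcat's rule functions, applied to every word of a constructed wordlist against constructed unsalted MD5 hashes, as in the earlier examples. The rule list is written in hashcat's syntax (one rule per line, functions run left to right) but is made up for the example; hashcat's own rules/best64.rule has many more.

```python
from __future__ import annotations

import hashlib
from typing import Iterable, Sequence


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def crack(targets: set[str], candidates: Iterable[str]) -> dict[str, str]:
    remaining, found = set(targets), {}
    for guess in candidates:
        if not remaining:
            break
        digest = md5_hex(guess)
        if digest in remaining:
            found[digest] = guess
            remaining.discard(digest)
    return found


def apply_rule(word: str, rule: str) -> str:
    """Apply one line of hashcat rule syntax. Supported functions (a small
    subset of the real language, which has dozens more):
        :   do nothing        l   lowercase        u   uppercase
        c   Capitalise        C   cAPITALISE       t   toggle case
        r   reverse           d   duplicate        $X  append X
        ^X  prepend X         sXY replace every X with Y
    Functions run left to right; spaces between them are ignored."""
    w, i = word, 0
    while i < len(rule):
        fn = rule[i]
        if fn in " :":
            pass
        elif fn == "l":
            w = w.lower()
        elif fn == "u":
            w = w.upper()
        elif fn == "c":
            w = w[:1].upper() + w[1:].lower()
        elif fn == "C":
            w = w[:1].lower() + w[1:].upper()
        elif fn == "t":
            w = w.swapcase()
        elif fn == "r":
            w = w[::-1]
        elif fn == "d":
            w = w + w
        elif fn in "$^":
            if i + 1 >= len(rule):
                raise ValueError(f"'{fn}' needs one character argument")
            w = w + rule[i + 1] if fn == "$" else rule[i + 1] + w
            i += 1
        elif fn == "s":
            if i + 2 >= len(rule):
                raise ValueError("'s' needs two character arguments")
            w = w.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
        i += 1
    return w


def rule_attack(targets: set[str], words: Sequence[str], rules: Sequence[str]) -> dict[str, str]:
    """hashcat -a 0 -r rules.txt: every rule applied to every word."""
    def candidates() -> Iterable[str]:
        for word in words:
            for rule in rules:
                yield apply_rule(word, rule)
    return crack(targets, candidates())


# Constructed rule file in the style of hashcat's rules/best64.rule.
RULES = [":", "l", "u", "c", "$1", "c $1", "$1 $2 $3", "c $!", "sa@", "sa@ so0", "r", "d"]
# Constructed wordlist and dump.
WORDLIST = ["bananas", "password", "summer"]
TARGET_HASHES = {md5_hex(p) for p in ("Bananas1", "p@ssw0rd", "Summer!", "SUMMER")}

if __name__ == "__main__":
    for digest, plaintext in rule_attack(TARGET_HASHES, WORDLIST, RULES).items():
        print(f"{digest}:{plaintext}")
```

Three base words and twelve rules give 36 candidates and crack all four hashes, including "Bananas1", which the plain dictionary attack earlier could not reach. The real command is `hashcat -m 0 -a 0 -r rules/best64.rule hashes.txt rockyou.txt`; the keyspace is the wordlist size multiplied by the number of rules, so a 14-million-line list with a few thousand rules is still tiny next to a brute force.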
Hashcat brute-force attack
If all else fails, throw a hail Mary and hope hashcat's brute-force attack succeeds before our sun swells into a red giant and engulfs the Earth. In hashcat a brute force is simply a mask attack with the full ?a charset (every printable ASCII character) at every position, so the keyspace grows by a factor of 95 with each extra character of length: short passwords on fast hashes fall quickly, anything long and random will not. You never know, you might get lucky.