How to Use hashcat to Crack Hashes on Linux

Are you a beginner in the domain of cybersecurity? Do you want to be on its offensive side? As a red teamer, you learn many techniques and tactics that help you perform the cyber kill chain activities. One such task is privilege escalation, where you get hold of password hashes.

hashcat is a powerful and versatile tool that recovers passwords from their stored hashes by trying candidate passwords under several attack modes. This article covers the password cracking utility that penetration testers, system administrators, spies, and hackers use to find passwords.


What Are Hashes?

Hashing is a one-way mathematical function that maps an input of any size to a fixed-length output. Because it is one-way, the process is irreversible: unlike encryption, there is no key that turns the hash value back into the original input.

The most common purpose of hashing is to verify data integrity, that is, to detect tampering during data transmission. The properties of hashing are as follows:

  • Fast to compute
  • Collision resistant: a good algorithm makes it infeasible to find two different inputs with the same output
  • Deterministic: the same input always produces the same hash
  • A small change in the input changes the output hash value significantly

Why Use hashcat?

hashcat is a multithreaded utility that allows you to configure the number of threads and limit execution based on priority. It supports over 300 hashing algorithms such as MD4, MD5, SHA1, SHA512, bcrypt, HMAC-SHA512, NTLM, MySQL, WHIRLPOOL, among many others. It is available for all types of operating systems, including Windows, Linux, Unix, and BSD.

Ways to Crack Password Hashes Using hashcat

hashcat offers a variety of attack modes (Combinator, Rule-based, Brute-force guessing, hybrid, and dictionary attacks) to provide better coverage. Here is an explanation of some attacks that hashcat uses to crack hashed passwords:

  1. Brute-force attack: A brute-force attack utilizes all possible character combinations to determine the exact password. However, it has a limitation of maximum password length and number of characters. Moreover, an advanced level of brute-force attack can also optimize time by making complexity assumptions. For instance, an advanced brute-force technique can assume that the first character is more likely to be upper case and digits are most likely to appear at the end of a password, etc.
  2. Dictionary attack: A dictionary attack utilizes a precomputed list of passwords depending on the information gathered around the target or a pattern observed across users. Hence, it takes some most commonly used passwords and adds some permutations to them to increase the scope.
  3. Hybrid attack: A hybrid attack combines the two attacks above: it first checks whether the password is “crackable” with a dictionary attack and, if not, moves on to the brute-force technique.
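To make the "complexity assumption" idea above concrete, here is an added Python example (not from the article or from hashcat) that parses a hashcat-style mask (?l, ?u, ?d, ?s, ?a, and ?? for a literal question mark) into its keyspace and compares that with a naive search over all 95 printable characters; the hash rate used at the end is a constructed figure, not a benchmark.

```python
from math import prod

# hashcat's built-in charsets and their sizes (?s is space plus 32 punctuation
# characters, ?a is the union of the other four), per hashcat's documentation.
CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def parse_mask(mask: str) -> list:
    """Return the number of candidates for each position of a hashcat mask.
    '?x' selects a built-in charset, '??' is a literal '?', and any other
    character is a fixed literal (one candidate)."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)
            i += 1
            continue
        if i + 1 == len(mask):
            raise ValueError("mask ends with a dangling '?'")
        token = mask[i + 1]
        if token == "?":
            sizes.append(1)
        elif token in CHARSETS:
            sizes.append(CHARSETS[token])
        else:
            raise ValueError(f"unknown charset '?{token}'")
        i += 2
    return sizes

def keyspace(mask: str) -> int:
    """Total candidates the mask generates (product of per-position sizes)."""
    return prod(parse_mask(mask))

def full_keyspace(length: int) -> int:
    """Candidates for a naive search over all 95 printable characters."""
    return CHARSETS["a"] ** length

def hours_at(candidates: int, hashes_per_second: float) -> float:
    """Worst-case run time in hours at a given cracking speed."""
    return candidates / hashes_per_second / 3600

if __name__ == "__main__":
    # The pattern from the text: an upper-case first letter, lower-case body,
    # two digits at the end. The rate is a constructed figure, not a benchmark.
    mask, rate = "?u?l?l?l?l?l?d?d", 1e9
    print(f"{mask}: {keyspace(mask):,} candidates, {hours_at(keyspace(mask), rate):.2f} h")
    print(f"all 8-char printable: {full_keyspace(8):,} candidates, "
          f"{hours_at(full_keyspace(8), rate):,.0f} h")
```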


How to Install hashcat on Linux

hashcat is available by default in Kali Linux. To install it on Ubuntu and Debian:

sudo apt-get update
sudo apt-get install hashcat

On Fedora, CentOS, and other RHEL-based distros:

sudo dnf update
sudo dnf install hashcat

To install hashcat on Arch Linux:

sudo pacman -Syu
sudo pacman -S hashcat

Post-installation, use the help command to list all available options:

hashcat --help

Some hashcat options and their descriptions are as follows:

  • -m: The hash type (mode), with a default value of 0, i.e. an MD5 hash
  • -a: The attack mode, 0 for a straight attack, 2 for combination, and 3 for a brute-force attack
  • -o: Stores cracked passwords in an output file
  • wordlist (positional argument): The path to the wordlist of passwords to match against and crack the hashes

Note: Before working with hashcat, ensure your system meets its hardware requirements. Check out the official website for more details.

Crack Hashes From the /etc/shadow File in Linux

The /etc/shadow file stores the hashed values of all users’ passwords on Linux. It is a critical file with strict access permissions: it must be readable only by the root account.

So, if you come across a /etc/shadow file that is readable from a regular user account, you can take the hash value of the root account and crack the password hash with the hashcat utility.

For demonstration purposes, change to the root account and create a new user account alice to understand how hashcat works:

sudo su
useradd -c "Alice" alice

Create a password using the passwd command:

passwd alice

Check the hashed password value inside the /etc/shadow file as follows:

grep '^alice:' /etc/shadow

Output:

alice:$y$j9T$TANXgpk59y8r3jgPbDl/w/$UqiK6yahwqfyqhcegWLa1.z64TyePP5.VQpUnLqI3VD:19023:0:99999:7::

The hash is the second colon-separated field of the line above, i.e. everything after “alice:” up to the next colon; save it inside a new file hash.txt.

You can go to the hashcat website to identify the type of hash function and its associated reference value. The sha512crypt mode is identified by the $6$ prefix and has a reference value of 1800.

You can also look for the encryption method inside the login.defs file:

grep ENCRYPT_METHOD /etc/login.defs

(Screenshot: Alice's password hash and hash type)

Then, check the associated value of the hashing function using the hashcat command as follows:

hashcat -h | grep sha512

(Screenshot: hashcat sha512 modes)
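Note that the alice hash above starts with $y$ rather than $6$, so the prefix check matters. As an added example (not from the article or from hashcat), the following Python pulls the hash field out of a shadow line and maps its crypt(3) prefix to a hashcat -m value using hashcat's documented mode numbers; it assumes a constructed sample shadow file, and the $y$ (yescrypt) line shows the case hashcat has no mode for.

```python
from typing import Optional, Tuple

# crypt(3) prefix -> (algorithm, hashcat -m value), from hashcat's mode list.
# All of these are salted, iterated hashes, far slower per guess than raw MD5.
# $y$ is yescrypt (the default on current Debian/Ubuntu); hashcat has no mode
# for it, hence None.
PREFIX_TO_MODE = {
    "$1$": ("md5crypt", 500),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
    "$2b$": ("bcrypt", 3200),
    "$2y$": ("bcrypt", 3200),
    "$y$": ("yescrypt", None),
}

# Constructed sample: root is locked, alice carries the article's yescrypt hash,
# and bob's sha512crypt value is an obvious placeholder, not a real hash.
SAMPLE_SHADOW = """\
root:*:19023:0:99999:7:::
alice:$y$j9T$TANXgpk59y8r3jgPbDl/w/$UqiK6yahwqfyqhcegWLa1.z64TyePP5.VQpUnLqI3VD:19023:0:99999:7:::
bob:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19023:0:99999:7:::
"""

def shadow_hash(shadow_text: str, user: str) -> Optional[str]:
    """Return the hash field (second colon-separated field) of the user's line,
    or None when the user is missing or the field is '*', '!', '!!' or empty."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[0] != user:
            continue
        field = fields[1].lstrip("!")  # a leading '!' only marks the account locked
        return field if field not in ("", "*") else None
    return None

def identify(hash_field: str) -> Tuple[str, Optional[int]]:
    """Map the crypt(3) prefix of a hash to (algorithm, hashcat mode)."""
    for prefix, info in PREFIX_TO_MODE.items():
        if hash_field.startswith(prefix):
            return info
    raise ValueError(f"unrecognised hash format: {hash_field[:4]}...")

if __name__ == "__main__":
    for user in ("root", "alice", "bob"):
        h = shadow_hash(SAMPLE_SHADOW, user)
        if h is None:
            print(f"{user}: no crackable hash (locked or passwordless)")
        else:
            algo, mode = identify(h)
            print(f"{user}: {algo}, " + (f"hashcat -m {mode}" if mode else "no hashcat mode"))
```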

Now run hashcat with the -a flag for the attack mode, the -m flag for the hash reference value (hashcat takes the mode number, not the hash function name), the path to hash.txt, and the path to the wordlist rockyou.txt:

hashcat -m 1800 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Output:

<snip>
.
.
$y$j9T$TANXgpk59y8r3jgPbDl/w/$UqiK6yahwqfyqhcegWLa1.z64TyePP5.VQpUnLqI3VD:12345
.
.
<snip>

Note: On Kali Linux, the rockyou.txt file is available by default inside the /usr/share/wordlists directory. You can also use other wordlists by running the following command in the terminal:

locate wordlists | less

Output: (screenshot of the wordlist locations found by locate on Kali Linux)

However, for other Linux distributions, you will need to download the rockyou.txt file from the GitHub repository as follows:

wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Leaked-Databases/rockyou-20.txt

Cracking Passwords on Linux With hashcat

A well-built authentication system does not store user passwords in plain text, because exposed plaintext passwords are a serious security vulnerability. A better authentication mechanism stores passwords as hashes in protected files with restricted access. However, a password cracker such as hashcat is designed to guess those passwords from their hashes using various attack modes.

This article details ways a penetration tester must know to crack hashed passwords using the hashcat utility. As a red teamer, you need to understand the techniques an attacker can use to compromise authentication controls, and to provide guidance on closing those system loopholes.

