HashCat Mask Attack

In this section, you will learn how to "fine tune" your password cracking so that instead of it taking 2 days to crack a password, it will be cracked in 10 minutes! This is a valuable skill when penetration testing as time is of the essence.

NOTE: Please use Source or Finding Leaked Credentials for additional information about this topic! Here you can identify a hash from examples. Here you may learn about hashes and cracking of hashes.

Before you start

Every computer has a bottleneck. You want to play to its strengths for faster cracking by using the best component in your device. Two of the most popular hash cracking programs are HashCat and JohnTheRipper. They both come with advantages and disadvantages. Read up about it!

  • Hashcat - Uses the GPU to crack passwords
  • JohnTheRipper - Uses the CPU and/or GPU to crack passwords

This is why it's important to choose the one you know will benefit you the most! In this Lab, HashCat will be used.

What are Masks?

HashCat comes with a really great feature called Mask Attack. When brute forcing an 8-character password made up of only small letters, it's unnecessary to include large characters and special characters, which it does by default, lengthening the whole cracking process by a large amount!

Why Mask Attacks?

Imagine you have extracted all hashes from a website, but the minimum requirement is 8 characters. There is no need to brute force 1-7 characters. Another instance might be that you've found someone's password in DirectoryBreach (see the first note) and you know the first 4 characters of the password. In that case, make it faster by setting these characters in advance and brute forcing only the rest. This is less time consuming.

Mask Flags Overview

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff

Let's imagine the following 6-character password: united. The MD5 hash for this is:

3db1a73a245aa55c61204c56c8d99f6d

By default, HashCat will include:

  • Small characters - 26 (a-z)
  • Large Characters - 26 (A-Z)
  • Special Characters - 33

To calculate the number of guesses the computer has to make, raise the size of the character set (26+26+33 = 85) to the power of the number of characters in the password being cracked (united has 6 characters), which gives 85^6. In this case, the computer needs to guess 377,149,515,625 hashes, which is a lot. The reason is HashCat's default character set.

We know that the password is only 6 (small) characters long, so we can fine tune the attack. This results in 26^6, which equals 308,915,776 hash guesses, decreasing the time by a large margin!

Example Syntax

hashcat -a 3 -m 0 hashes.txt ?l?l?l?l?l?l

  • -a 3 - Attack = Brute Forcing
  • -m 0 - Mode = MD5 Hash
  • hashes.txt - Added all hashes to be cracked within this text-file
  • ?l?l?l?l?l?l - 6 small characters (See Mask Flags section!)
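
The keyspace arithmetic above, generalized to any mask built from the flags in the Mask Flags Overview, as an added example that is not part of the original page. The function names and the rate of 10^9 guesses per second are assumptions for illustration; custom charsets (?1 to ?4) are not handled and raise an error.

```python
import string

# Built-in charsets from the Mask Flags Overview.
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " " + string.punctuation,            # space + 32 symbols = 33
    "b": "".join(map(chr, range(256))),       # stands in for bytes 0x00 - 0xff
}
CHARSETS["a"] = "".join(CHARSETS[k] for k in "luds")

def parse_mask(mask):
    """Return the allowed characters for each password position."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])         # literal (known) character
            i += 1
            continue
        key = mask[i + 1:i + 2]               # empty if the mask ends in '?'
        if key == "?":
            positions.append("?")             # "??" is a literal question mark
        elif key in CHARSETS:
            positions.append(CHARSETS[key])
        else:
            raise ValueError(f"unsupported placeholder at offset {i}: ?{key}")
        i += 2
    return positions

def keyspace(mask):
    """Number of candidates the mask generates."""
    total = 1
    for allowed in parse_mask(mask):
        total *= len(allowed)
    return total

def matches(mask, candidate):
    """True if the candidate password falls inside the mask's keyspace."""
    positions = parse_mask(mask)
    return len(candidate) == len(positions) and all(
        c in allowed for c, allowed in zip(candidate, positions))

if __name__ == "__main__":
    RATE = 1e9  # assumed guesses per second, for illustration only
    # Masks from this page: the "united" example, then the three lab patterns.
    for mask in ("?l?l?l?l?l?l", "?l" * 8, "?l" * 6 + "?d?d", "?u" + "?l" * 6 + "?d"):
        n = keyspace(mask)
        print(f"{mask:<18} {n:>16,} candidates  {n / RATE:8.1f} s worst case")
    print(matches("?l?l?l?l?l?l", "united"), matches("?l?l?l?l?l?l", "United"))
```

Literal characters in a mask count as a single choice, so a mask with known leading characters shrinks the keyspace to that of the unknown positions alone.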

Lab

8 characters! MD5 Hashes

A = Capital Letter
a = Small Letter
1 = Integer Character

  • 8 small - aaaaaaaa
5f4dcc3b5aa765d61d8327deb882cf99
4755d074657c2afcfa0a05823a2b96a2
bbb3606b5cab898386e0d9590278068e
bb7409e82cb01b88edc816a6b2f3ec7d
9648562d660bdae8f7b6fa904adf0835
  • 6 small and 2 integers - aaaaaa11
0cbb58b38fb378ca24f7bdb80819bbfb
03299864cc4f7e28481953ac4f67d4b9
9923856e9980834f82b8880e1f84312a
9c40d47f195b1bb71f3986a2e075446c
3d33510bd0634dbd45e8edee26cd4be8
  • 1 large, 6 small, 1 integer - Aaaaaaa1
8897ee4653bc5a9a3680f991694cad4c
51eaef84f3930bf8aafd1fd75f258763
f413a92b7f3e8b995b8ea2c224722620
c8a45cf80c44f4080dd838d56562da0e
68a11527b34a50e20a0bb211236c03d4

Note: Answers can be found in this section!