Hashcat

  • Installation
    • Benchmark testing
  • Cracking the Hash (NTLMv2)
    • Finding the Cracked Hashes
  • Command Used
    • Options
    • Hash-Types
    • Attack-Modes
  • References

Installation

Hashcat can be downloaded from the following website;

https://hashcat.net/hashcat/

Once downloaded move the extracted hashcat folder to any location you in this example its placed in C:\hashcat-5.1.0;

Benchmark testing

Hashcat is ready for benchmark testing (using it with -m for the following Hash-type);

.\hashcat64.exe -b -m 2500

Cracking the Hash

Using hashcat with a NTLMv2 hash for testing (the cracked password is marked with the color green);

.\hashcat64.exe -m 5600 -a 3

C:\hashcat-5.1.0>hashcat64.exe -m 5600  -a 3 test::test-PC:1122334455667788:CCE958E2567F8FFF0217AB32D4454154:010100000000000038A2288013FACF0139F4C139FC72D23E000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C00080030003000000000000000010000000020000089466F4E6E55EB571B1DE1F1C0FF5F13300EC7AB644E01BC8BE7C907DDC41D030A001000000000000000000000000000000000000900120048005400540050002F0077007000610064000000000000000000

hashcat (v5.1.0) starting…

* Device #1: Intel’s OpenCL runtime (GPU only) is currently broken.

             We are waiting for updated OpenCL drivers from Intel.

             You can use –force to override, but do not report related errors.

* Device #3: WARNING! Kernel exec timeout is not disabled.

             This may cause “CL_OUT_OF_RESOURCES” or related errors.

             To disable the timeout, see: https://hashcat.net/q/timeoutpatch

nvmlDeviceGetFanSpeed(): Not Supported

OpenCL Platform #1: Intel(R) Corporation

========================================

* Device #1: Intel(R) UHD Graphics 630, skipped.

* Device #2: Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz, skipped.

OpenCL Platform #2: NVIDIA Corporation

======================================

* Device #3: GeForce GTX 1050 Ti, 1024/4096 MB allocatable, 6MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts

Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:

* Zero-Byte

* Not-Iterated

* Single-Hash

* Single-Salt

* Brute-Force

Minimum password length supported by kernel: 0

Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.

This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.

If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c

The wordlist or mask that you are using is too small.

This means that hashcat cannot use the full parallel power of your device(s).

Unless you supply more work, your cracking speed will drop.

For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace – workload adjusted.

TEST::test-PC:1122334455667788:cce958e2567f8fff0217ab32d4454154:010100000000000038a2288013facf0139f4c139fc72d23e000000000200060053004d0042000100160053004d0042002d0054004f004f004c004b00490054000400120073006d0062002e006c006f00630061006c000300280073006500720076006500720032003000300033002e0073006d0062002e006c006f00630061006c000500120073006d0062002e006c006f00630061006c00080030003000000000000000010000000020000089466f4e6e55eb571b1de1f1c0ff5f13300ec7ab644e01bc8be7c907ddc41d030a001000000000000000000000000000000000000900120048005400540050002f0077007000610064000000000000000000:test

Session……….: hashcat

Status………..: Cracked

Hash.Type……..: NetNTLMv2

Hash.Target……: TEST::test-PC:1122334455667788:cce958e2567f8fff0217…000000

Time.Started…..: Wed Jan 22 11:53:12 2020 (0 secs)

Time.Estimated…: Wed Jan 22 11:53:12 2020 (0 secs)

Guess.Mask…….: ?1?2?2?2 [4]

Guess.Charset….: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined

Guess.Queue……: 4/15 (26.67%)

Speed.#3………:   138.2 MH/s (3.39ms) @ Accel:32 Loops:15 Thr:1024 Vec:1

Recovered……..: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts

Progress………: 699840/2892672 (24.19%)

Rejected………: 0/699840 (0.00%)

Restore.Point….: 0/46656 (0.00%)

Restore.Sub.#3…: Salt:0 Amplifier:0-15 Iteration:0-15

Candidates.#3….: sari -> 2qxv

Hardware.Mon.#3..: Temp: 40c Util: 70% Core:1227MHz Mem:2504MHz Bus:16

Driver temperature threshold met on GPU #3. Expect reduced performance.

[s]tatus [p]ause

[b]

ypass [c]heckpoint [q]uit => Started: Wed Jan 22 11:53:03 2020

Stopped: Wed Jan 22 11:53:13 2020

Finding the cracked hashes;

When the hash isnt exported to a file type, the cracked hashes can be found in the potfile located in the root of the Hashcat folder;

Command

The command, and options used are described below (More options available at https://hashcat.net/wiki/doku.php?id=hashcat );

Options Used

Options Short long Type Description Example
-m –hash-type Num Hash-Type, see references below -m 5600
-a –attack-mode Num Attack-Mode, see refences below -a 3

Hash-Type

# Name Category
5600 NetNTLMv2 Network Protocols

Attack-Modes

# Mode
0 Straight
1 Combination
3 Brute-force
6 Hybrid Wordlist + Mask
7 Hybrid Mask + Wordlist

References