Wachtwoord herstel – Hashcat

hashcat logoWebsite

Informatie (ENG):

Hashcat is the world’s fastest CPU-based password recovery tool.

While it’s not as fast as its GPU counterpart oclHashcat, large lists can be easily split in half with a good dictionary and a bit of knowledge of the command switches.

Background

Hashcat was written somewhere in the middle of 2009. Yes, there were already close-to-perfect working tools supporting rule-based attacks like “PasswordsPro”, “John The Ripper”. However for some unknown reason, both of them did not support multi-threading. That was the only reason to write Hashcat: To make use of the multiple cores of modern CPUs.

Granted, that was not 100% correct. John the Ripper already supported MPI using a patch, but at that time it worked only for Brute-Force attack. There was no solution available to crack plain MD5 which supports MPI using rule-based attacks.

Hashcat, from its first version, v0.01, was called “atomcrack”. This version was very poor, but at least the MD5 kernel was written in assembler utilizing SSE2 instructions and of course it was multi-threaded. It was a simple dictionary cracker, nothing more. But it was fast. Really fast. Some guys from the scene become interested in it and after one week there were around 10 beta testers. Everything worked fine and so requests for more algorithm types, a rule-engine for mutation of dictionaries, a windows version and different attack modes were added. These developments took around half a year, and were completely non-public.

Then, with version 0.29, “atomcrack” was renamed to “Dr. Hash”. Then with the release of version 0.30 to “hashcat”.

The first official hashcat release was v0.30, released on 24.12.2009.

Starting with hashcat release v0.40, released on 05.08.2012, binaries for Mac OSX were added.

Features

  • Multi-Threaded
  • Free
  • Multi-Hash (up to 24 million hashes)
  • Multi-OS (Linux, Windows and OSX native binaries)
  • Multi-Algo (MD4, MD5, SHA1, DCC, NTLM, MySQL, …)
  • SSE2, AVX and XOP accelerated
  • All Attack-Modes except Brute-Force and Permutation can be extended by rules
  • Very fast Rule-engine
  • Rules compatible with JTR and PasswordsPro
  • Possible to resume or limit session
  • Automatically recognizes recovered hashes from outfile at startup
  • Can automatically generate random rules
  • Load saltlist from external file and then use them in a Brute-Force Attack variant
  • Able to work in an distributed environment
  • Specify multiple wordlists or multiple directories of wordlists
  • Number of threads can be configured
  • Threads run on lowest priority
  • Supports hex-charset
  • Supports hex-salt
  • 90+ Algorithms implemented with performance in mind
  • and much more

Attack-Modes

  • Straight *
  • Combination *
  • Toggle-Case
  • Brute-Force
  • Permutation
  • Table-Lookup
  • PRINCE

Algorithms

  • MD5
  • md5($pass.$salt)
  • md5($salt.$pass)
  • md5(unicode($pass).$salt)
  • md5($salt.unicode($pass))
  • HMAC-MD5 (key = $pass)
  • HMAC-MD5 (key = $salt)
  • SHA1
  • sha1($pass.$salt)
  • sha1($salt.$pass)
  • sha1(unicode($pass).$salt)
  • sha1($salt.unicode($pass))
  • HMAC-SHA1 (key = $pass)
  • HMAC-SHA1 (key = $salt)
  • MySQL323
  • MySQL4.1/MySQL5
  • phpass, MD5(WordPress), MD5(phpBB3), MD5(Joomla)
  • md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
  • MD4
  • NTLM
  • Domain Cached Credentials, mscash
  • SHA256
  • sha256($pass.$salt)
  • sha256($salt.$pass)
  • sha256(unicode($pass).$salt)
  • sha256($salt.unicode($pass))
  • HMAC-SHA256 (key = $pass)
  • HMAC-SHA256 (key = $salt)
  • md5apr1, MD5(APR), Apache MD5
  • SHA512
  • sha512($pass.$salt)
  • sha512($salt.$pass)
  • sha512(unicode($pass).$salt)
  • sha512($salt.unicode($pass))
  • HMAC-SHA512 (key = $pass)
  • HMAC-SHA512 (key = $salt)
  • SHA-512(Unix)
  • Cisco-PIX MD5
  • Cisco-ASA MD5
  • WPA/WPA2
  • Double MD5
  • bcrypt, Blowfish(OpenBSD)
  • MD5(Sun)
  • md5(md5(md5($pass)))
  • md5(md5($salt).$pass)
  • md5($salt.md5($pass))
  • md5($pass.md5($salt))
  • md5($salt.$pass.$salt)
  • md5(md5($pass).md5($salt))
  • md5($salt.md5($salt.$pass))
  • md5($salt.md5($pass.$salt))
  • md5($username.0.$pass)
  • md5(strtoupper(md5($pass)))
  • md5(sha1($pass))
  • Double SHA1
  • sha1(sha1(sha1($pass)))
  • sha1(md5($pass))
  • sha1($salt.$pass.$salt)
  • MD5(Chap), iSCSI CHAP authentication
  • SHA-3(Keccak)
  • Half MD5
  • Password Safe SHA-256
  • IKE-PSK MD5
  • IKE-PSK SHA1
  • NetNTLMv1-VANILLA / NetNTLMv1-ESS
  • NetNTLMv2
  • Cisco-IOS SHA256
  • Android PIN
  • AIX {smd5}
  • AIX {ssha256}
  • AIX {ssha512}
  • AIX {ssha1}
  • GOST, GOST R 34.11-94
  • Fortigate (FortiOS)
  • OS X v10.8 / v10.9
  • GRUB 2
  • IPMI2 RAKP HMAC-SHA1
  • sha256crypt, SHA256(Unix)
  • Drupal7
  • WBB3, Woltlab Burning Board 3
  • scrypt
  • Cisco $8$
  • Cisco $9$
  • Radmin2
  • Django (PBKDF2-SHA256)
  • Cram MD5
  • SAP CODVN H (PWDSALTEDHASH) iSSHA-1
  • Plaintext
  • Joomla < 2.5.18
  • PostgreSQL
  • osCommerce, xt:Commerce
  • Skype
  • nsldap, SHA-1(Base64), Netscape LDAP SHA
  • nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
  • Oracle 11g/12c
  • SMF > v1.1
  • OS X v10.4, v10.5, v10.6
  • EPi
  • Django (SHA-1)
  • MSSQL(2000)
  • MSSQL(2005)
  • PeopleSoft
  • EPiServer 6.x < v4
  • hMailServer
  • EPiServer 6.x > v4
  • SSHA-512(Base64), LDAP {SSHA512}
  • OS X v10.7
  • MSSQL(2012 & 2014)
  • vBulletin < v3.8.5
  • PHPS
  • vBulletin > v3.8.5
  • IPB2+, MyBB1.2+
  • Mediawiki B type
  • WebEdition CMS
  • Redmine Project Management Web App

hashcat screen

Commandolijn opties

Benchmark

Ik heb het zelf op 2 computers geprobeerd met --benchmark  , zit zijn de benchmark resultaten:

hashcat benchmark - AMD Phenom II X6 1100T

hashcat benchmark - Intel Core 2 DUO E8400

Wat heb je nodig?

1) Wachtwoord databanken

Zet bijvoorbeeld wachtwoord databanken in een map (in de hashcat folder) genaamd “dicts“, sla de hashes op die je wilt achterhalen in hash.txt, en gebruik het volgende commando:

hashcat-cli64.exe hash.txt dicts