MITRE ATT&CK™ Sub-technique T1110.002
Cracking is an operation that can be carried out through different types of attacks:
- Brute-force: every possibility for a given character set and a given length (e.g. aac, ...) is hashed and compared against the target hash.
- Dictionary: every word of a given list (a.k.a. dictionary) is hashed and compared against the target hash.
- Rainbow tables: the hash is looked up in a pre-computed table. It is a time-memory trade-off that cracks hashes faster than brute-force or dictionary attacks, at the cost of a much greater amount of storage. This attack cannot work if the hashed value is salted (i.e. hashed together with an additional random value as prefix/suffix), since the pre-computed table then no longer matches the target's hash function.
There are many other and more complex types of attacks (incremental, mask, rules, hybrid types, ...) but the major/core ones are the three above.
Hashcat is a popular choice for this, notably because:
- it is cross-platform (Linux, Windows and macOS) and runs on anything that comes with an OpenCL runtime (CPU, GPU, APU, ...)
- it can crack multiple hashes at the same time and use multiple devices at once (distributed cracking networks supported too)
- it can save and restore sessions
- it has a builtin benchmarking system
Below is a short list of the most useful hash types (hashcat --hash-type numbers) for Active Directory hunting:
- 1000: NTLM
- 3000: LM
- 5500: NetNTLMv1 / NetNTLMv1+ESS
- 5600: NetNTLMv2
- 1100: Domain Cached Credentials (DCC), MS Cache
- 2100: Domain Cached Credentials 2 (DCC2), MS Cache 2
- 7500: Kerberos 5, etype 23, AS-REQ Pre-Auth
- 13100: Kerberos 5, etype 23, TGS-REP
- 18200: Kerberos 5, etype 23, AS-REP
- 19600 / 19700: Kerberos 5, etype 17 / 18, TGS-REP
- 19800 / 19900: Kerberos 5, etype 17 / 18, Pre-Auth
Below is an example of how to use hashcat for a dictionary attack.
hashcat --attack-mode 0 --hash-type $number $hashes_file $wordlist_file
Hashcat can also combine a dictionary attack with rules (still attack mode 0, a.k.a. "straight") that apply transformations to every word of the list (capitalizing, appending digits, ...). With --loopback, the plaintexts recovered during a pass are fed back in as a new wordlist and run through the rules again, until a pass cracks nothing new.
hashcat --loopback --attack-mode 0 --rules-file $rules_file --hash-type $number $hashes_file $wordlist_file
Hashcat has the following built-in charsets that can be used in masks:
- ?l = abcdefghijklmnopqrstuvwxyz
- ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
- ?d = 0123456789
- ?h = 0123456789abcdef
- ?H = 0123456789ABCDEF
- ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
- ?a = ?l?u?d?s
- ?b = 0x00 - 0xff
Below are examples of hashcat being used with built-in charsets (attack mode 3, a.k.a. mask attack).
# Passwords are like: 1 capital letter, 3 lowercase letters, 4 digits, 1 special char
hashcat --attack-mode 3 --hash-type $number $hashes_file "?u?l?l?l?d?d?d?d?s"
# Passwords are 8 chars long and can be any printable char.
hashcat --attack-mode 3 --hash-type $number $hashes_file "?a?a?a?a?a?a?a?a"
Hashcat can also be started with custom charsets in the following manner.
hashcat --attack-mode 3 --custom-charset1 "?u" --custom-charset2 "?l?u?d" --custom-charset3 "?d" --hash-type $number $hashes_file "?1?2?2?2?3"
Hashcat also has an increment feature that brute-forces passwords of every length up to the mask's length, whereas the commands above only try candidates of exactly the mask's length.
# Passwords are up to 8 chars long and can be any printable char.
hashcat --attack-mode 3 --increment --hash-type $number $hashes_file "?a?a?a?a?a?a?a?a"
# Passwords are 4 to 8 chars long and can be any printable char (the mask is 12 chars long so that --increment-max could be raised up to 12).
hashcat --attack-mode 3 --increment --increment-min 4 --increment-max 8 --hash-type $number $hashes_file "?a?a?a?a?a?a?a?a?a?a?a?a"
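To make the mechanics behind the attack types above and the hashcat commands concrete, here is an added toy cracker in Python. It is not hashcat's code and not part of the original page: it implements NTLM (MD4 over the UTF-16LE password, unsalted, which is why one hash computation can be checked against every target hash and why rainbow tables work against it), a dictionary pass with a subset of hashcat's rule functions and --loopback behaviour, mask candidates with the built-in ?l ?u ?d ?s ?a charsets, custom charsets and increment, and a keyspace() function to size a mask before launching it. The sample hashes, wordlist and rules are constructed for the demo; SAMPLE_USERS, demo() and the helper names are this example's own, not hashcat or john identifiers.

```python
import itertools, math, re, string, struct
M32 = 0xFFFFFFFF
_ROUNDS = (  # MD4 rounds: (boolean function, additive constant, message-word order, shift amounts)
    (lambda x, y, z: (x & y) | (~x & z), 0, list(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, [int(f"{i:04b}"[::-1], 2) for i in range(16)], (3, 9, 11, 15)),
)

def md4(data: bytes) -> bytes:
    # RFC 1320 MD4, spelled out because hashlib's md4 is disabled in many OpenSSL 3 builds.
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, s in _ROUNDS:
            for i, w in enumerate(order):
                t = (a + fn(b, c, d) + x[w] + k) & M32
                a, b, c, d = d, ((t << s[i % 4]) | (t >> (32 - s[i % 4]))) & M32, b, c
        h = [(u + v) & M32 for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def ntlm(password: str) -> str:
    # NTLM = MD4(UTF-16LE(password)). No salt: one candidate hash is compared against every target at once.
    return md4(password.encode("utf-16-le")).hex()

L, U, D, S = string.ascii_lowercase, string.ascii_uppercase, string.digits, " " + string.punctuation
BUILTIN = {"?l": L, "?u": U, "?d": D, "?s": S, "?a": L + U + D + S}  # hashcat's built-in charsets, ?a is 95 chars

def expand_charset(spec, custom):
    # "?l?u?d" -> the 62 alphanumerics; ?1..?4 come from custom (--custom-charsetN) and may use ?x themselves.
    out = ""
    for tok in re.findall(r"\?.|.", spec):
        if tok in BUILTIN: out += BUILTIN[tok]
        elif tok == "??": out += "?"
        elif len(tok) == 2: out += expand_charset(custom[tok[1]], {})
        else: out += tok
    return "".join(dict.fromkeys(out))  # deduplicate, keep order

def parse_mask(mask, custom=None):
    # One charset per password position; anything outside a ?x token is a literal character.
    return [expand_charset(tok, custom or {}) for tok in re.findall(r"\?.|.", mask)]

def _prefixes(mask, custom, increment):
    # Per-length position lists: --increment yields every length from min to max, otherwise just the full mask.
    positions = parse_mask(mask, custom)
    lo, hi = increment or (len(positions), len(positions))
    return [positions[:n] for n in range(lo, min(hi, len(positions)) + 1)]

def keyspace(mask, custom=None, increment=None):
    return sum(math.prod(map(len, p)) for p in _prefixes(mask, custom, increment))

def mask_candidates(mask, custom=None, increment=None):
    # Attack mode 3: enumerate the mask, shortest lengths first when incrementing.
    for positions in _prefixes(mask, custom, increment):
        for combo in itertools.product(*positions):
            yield "".join(combo)

SIMPLE_RULES = {":": lambda w: w, "l": str.lower, "u": str.upper, "c": str.capitalize, "r": lambda w: w[::-1], "d": lambda w: w * 2}

def apply_rule(word, rule):
    # Subset of hashcat's rule language; $X appends X, ^X prepends X, functions may be space-separated.
    for f in re.findall(r"[$^].|\S", rule):
        if f in SIMPLE_RULES: word = SIMPLE_RULES[f](word)
        elif f[0] == "$": word += f[1]
        elif f[0] == "^": word = f[1] + word
        else: raise ValueError(f"unsupported rule function {f!r}")
    return word

def crack(targets, candidates):
    # Hash each candidate once and look it up among the remaining targets. Returns ({hash: plaintext}, hashed).
    remaining, found, tried = {t.lower() for t in targets}, {}, 0
    for cand in itertools.takewhile(lambda _: remaining, candidates):
        tried += 1
        h = ntlm(cand)
        if h in remaining:
            found[h], remaining = cand, remaining - {h}
    return found, tried

def dictionary_attack(targets, words, rules=(":",), loopback=False):
    # Attack mode 0 with -r rules; --loopback feeds each pass's plaintexts back in as the next wordlist.
    found, tried, wordlist = {}, 0, list(words)
    while wordlist:
        new, n = crack([t for t in targets if t.lower() not in found], (apply_rule(w, r) for w in wordlist for r in rules))
        found.update(new)
        tried += n
        wordlist = list(new.values()) if loopback else []
    return found, tried

# Constructed sample dump (user -> NTLM); the hashes are computed here from known plaintexts.
SAMPLE_USERS = {"alice": ntlm("password"), "bob": ntlm("Summer2023!"), "carol": ntlm("summer2023"), "dave": ntlm("Q123")}

def demo():
    # Constructed wordlist and rules first, then a short incremented mask for whatever survives.
    found, tried = dictionary_attack(SAMPLE_USERS.values(), ["winter", "summer", "password"], [":", "$2 $0 $2 $3", "c $!"], loopback=True)
    more, n = crack([h for h in SAMPLE_USERS.values() if h not in found], mask_candidates("?u?d?d?d", increment=(3, 4)))
    found.update(more)
    return {user: found.get(h) for user, h in SAMPLE_USERS.items()}, tried + n
```

Calling demo() recovers all four constructed passwords after roughly 18,700 hash computations: "summer2023" falls to a rule, "Summer2023!" only to the loopback pass that re-applies the rules to "summer2023", and "Q123" to the incremented mask. Compare that with keyspace("?a" * 8), about 6.6e15 candidates, to see why a mask tuned to the observed password policy matters more than raw hashing speed.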
A robust alternative to hashcat is John the Ripper, a.k.a. john (C). It handles some hash formats that hashcat doesn't, and it has a strong community that regularly releases tools in the form of "something2john" that convert things to a john-crackable format (e.g. lastpass2john and so on).