Introduction
Hashcat is a powerful and popular password recovery tool. When you are working with very large lists of hashes, a cracking session can take a long time and might be interrupted. In these situations, it's crucial to know which hashes have already been cracked and which ones remain.
In this lab, you will learn how to use two essential hashcat flags: --show and --left. The --show flag allows you to view the passwords that have already been successfully cracked, while the --left flag shows you only the hashes that are still uncracked. This allows you to efficiently manage your password cracking tasks.
Start an Attack on a Large Hash List
In this step, you will begin a standard dictionary attack with hashcat. We have prepared two files for you in the ~/project directory: hashes.txt, which contains a list of MD5 hashes, and wordlist.txt, which is a small dictionary of potential passwords.
The basic command structure for a hashcat attack is hashcat -m <mode> <hash_file> <wordlist_file>. We will use -m 0 to specify that our hashes are MD5.
Execute the following command in your terminal to start the attack.
hashcat -m 0 hashes.txt wordlist.txt
Hashcat will start, initialize its backend, and begin the cracking process. You will see a status screen that updates in real time. Let it run for a few seconds.
hashcat (v6.2.6) starting
...
Session..........: hashcat
Status...........: Running
Hash.Name........: MD5
Hash.Target......: hashes.txt
Time.Started.....: ...
Time.Estimated...: ...
Guess.Base.......: File (wordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: ... H/s (0.01ms) @ Accel:128 Loops:1 Thr:1 Vec:8
Recovered........: 3/5 (60.00%) Digests
Progress.........: 5/5 (100.00%)
Rejected.........: 0/5 (0.00%)
Restore.Point....: 5/5 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: password -> admin
Hardware.Mon.#1..: Temp: 46c
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>
Stop the Attack Midway Through
In this step, we will simulate an interruption or a situation where you need to stop the cracking process before it's fully complete. Hashcat allows you to quit gracefully, saving your progress so you can resume later or inspect the results.
While the hashcat status screen is active in your terminal, simply press the q key on your keyboard to quit.
q
After you press q, hashcat will stop the session and return you to the command prompt. It automatically saves all cracked passwords into a file named hashcat.potfile in its working directory. This file is crucial for the next steps.
Session hashcat stopping.
Use the --show Flag to See Already Cracked Hashes
Now that the session has been stopped, you might want to see which passwords have been successfully recovered so far. This is where the --show flag comes in handy. It checks the input hash file against the hashcat.potfile and displays any matches.
In your terminal, run the hashcat command again on the same hash file, but this time add the --show flag.
hashcat -m 0 hashes.txt --show
The output will list each cracked hash followed by its corresponding plaintext password, separated by a colon.
5f4dcc3b5aa765d61d8327deb882cf99:password
e10adc3949ba59abbe56e057f20f883e:123456
e9a71b642151421421257419a0a23d89:sunshine
This confirms that three of the five hashes were successfully cracked using our wordlist.
Use the --left Flag to See Uncracked Hashes
Just as it's useful to see what's been cracked, it's equally important to see what's left. The --left flag does the opposite of --show. It compares the input hash file with the hashcat.potfile and displays only the hashes that have not been cracked.
To see the remaining hashes, run the hashcat command with the --left flag.
hashcat -m 0 hashes.txt --left
The output will be a list of the hashes from hashes.txt that are not yet in the hashcat.potfile.
2c7e3378803a5b054952514139821a79
b8d3c555434b89a01af1654b26d30609
These are the two hashes that our wordlist.txt could not crack.
Create a New File Containing Only Uncracked Hashes
A common workflow is to save the remaining uncracked hashes to a new file. This allows you to target them specifically in a future attack, perhaps with a different wordlist or a different attack mode, without wasting time on the hashes you've already cracked.
You can do this easily by redirecting the output of the --left command into a new file. Let's call it uncracked.txt.
hashcat -m 0 hashes.txt --left > uncracked.txt
This command won't produce any output in the terminal because the output has been redirected to the file. To verify that it worked, you can display the contents of the new file using the cat command.
cat uncracked.txt
You should see the two uncracked hashes, which are now ready for your next cracking attempt.
2c7e3378803a5b054952514139821a79
b8d3c555434b89a01af1654b26d30609
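The potfile comparison that --show and --left perform in the steps above can be modelled with a short script. This is an added example, not part of the original lab and not hashcat's own code; it assumes unsalted hashes (as with -m 0), and the names pot_filter, pot_summary and demo.potfile are hypothetical.

```shell
#!/bin/sh
# Added example: a simplified model of the potfile lookup behind --show/--left
# for unsalted hashes such as -m 0. Function and file names are assumptions.

# pot_filter show|left HASHFILE POTFILE
pot_filter() {
    awk -v mode="$1" -v pot="$3" '
        BEGIN {
            # Potfile lines are hash:plain. Split on the FIRST colon only,
            # because the plaintext may itself contain colons.
            while ((getline line < pot) > 0) {
                i = index(line, ":")
                if (i > 0) plain[tolower(substr(line, 1, i - 1))] = substr(line, i + 1)
            }
            close(pot)
        }
        { sub(/\r$/, ""); h = tolower($0) }     # tolerate CRLF and mixed case
        h == "" { next }                         # skip blank lines
        mode == "show" &&  (h in plain) { print h ":" plain[h] }
        mode == "left" && !(h in plain) { print h }
    ' "$2"
}

# pot_summary HASHFILE POTFILE -> "cracked=N left=M"
pot_summary() {
    c=$(pot_filter show "$1" "$2" | wc -l)
    l=$(pot_filter left "$1" "$2" | wc -l)
    echo "cracked=$((c)) left=$((l))"
}

# Constructed sample data: the five lab hashes, plus a potfile holding the
# three cracked entries and one unrelated entry from an earlier session.
work=$(mktemp -d)
printf '%s\n' \
    5f4dcc3b5aa765d61d8327deb882cf99 e10adc3949ba59abbe56e057f20f883e \
    e9a71b642151421421257419a0a23d89 2c7e3378803a5b054952514139821a79 \
    b8d3c555434b89a01af1654b26d30609 > "$work/hashes.txt"
printf '%s\n' \
    '5f4dcc3b5aa765d61d8327deb882cf99:password' \
    'e10adc3949ba59abbe56e057f20f883e:123456' \
    'e9a71b642151421421257419a0a23d89:sunshine' \
    '00000000000000000000000000000000:old:session' > "$work/demo.potfile"

pot_summary "$work/hashes.txt" "$work/demo.potfile"
pot_filter left "$work/hashes.txt" "$work/demo.potfile" > "$work/uncracked.txt"
cat "$work/uncracked.txt"
```

The unrelated potfile entry is ignored because its hash is not in hashes.txt, which is why results from earlier sessions do not appear when a list is checked against a shared potfile.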
Summary
In this lab, you learned how to manage and filter hash lists during a password cracking session with hashcat.
You started an attack and then stopped it, simulating a common real-world scenario. You then used the --show flag to view the successfully cracked passwords and the --left flag to isolate the hashes that remained uncracked. Finally, you learned a practical technique to save these remaining hashes to a new file for future attacks.
Mastering --show and --left is essential for an efficient password recovery workflow, especially when dealing with large-scale tasks.


