Introduction
In this lab, you will explore a specific password cracking technique known as a combinator attack using Hashcat, a powerful and versatile password recovery tool. A combinator attack is a method where two separate wordlists are combined to generate password candidates. For example, if one list contains "password" and the other contains "123", the attack will test the combination "password123".
This approach is particularly effective against passwords that are formed by concatenating two words, or a word and a sequence of numbers or symbols. Throughout this lab, you will learn how to prepare wordlists, construct the appropriate Hashcat command, execute the attack against a sample hash, and verify the results.
Understand the Combinator Attack Concept
In this step, you will learn about the core concept of a combinator attack in Hashcat. This attack is designated by the attack mode -a 1. It works by taking a base word from the first wordlist and appending a word from the second wordlist to it, creating a new candidate password. This process is repeated for every word in both lists.
For example, if you have two lists:
wordlist1.txt:
admin
user
wordlist2.txt:
123
!
The combinator attack would generate the following candidates: admin123, admin!, user123, user!.
This method significantly expands the potential password space without needing a single, massive dictionary file. Let's begin by confirming the attack mode in Hashcat's help menu.
Execute the following command to filter the help output for information on the combinator attack:
hashcat --help | grep "Combinator"
You should see a line in the output that explicitly mentions the Combinator attack mode and its corresponding number.
-a, --attack-mode | ## | Attack-mode
...
| 1 | Combinator
...
This confirms that -a 1 is the correct flag to use for a combinator attack.
Create Two Separate Wordlists for the Attack
In this step, you will create the two wordlists that will be used in our combinator attack. For this lab, we will create two small, custom wordlists. In a real-world scenario, these lists would be much larger and contain more common words, names, and patterns.
Our target password is a combination of a common word and a number sequence. We will place the word part in wordlist1.txt and the number part in wordlist2.txt.
First, create wordlist1.txt with a few potential base words. Use the echo command with the -e flag to handle newlines (\n):
echo -e "admin\nuser\npassword\nguest" > wordlist1.txt
Next, create wordlist2.txt with some common numerical suffixes:
echo -e "2024\n!@#\n123\nxyz" > wordlist2.txt
Now, verify the contents of both files using the cat command to ensure they were created correctly.
Check the first wordlist:
cat wordlist1.txt
Expected output:
admin
user
password
guest
Check the second wordlist:
cat wordlist2.txt
Expected output:
2024
!@#
123
xyz
With these two wordlists, Hashcat will now be able to form the candidate password password123.
Construct the Combinator Attack Command with Two Wordlists
In this step, you will construct the full Hashcat command for the combinator attack. It's important to understand what each part of the command does before executing it.
The general syntax for a combinator attack is: hashcat [options] <hash-file> <wordlist1> <wordlist2>
Here is the breakdown of the command we will use:
- hashcat: The executable program.
- -m 0: This specifies the hash type. Mode 0 corresponds to MD5.
- -a 1: This sets the attack mode to 1, which is the Combinator attack.
- hash.txt: This is the file containing the hash we want to crack. It was created for you during the lab setup.
- wordlist1.txt: The first wordlist, containing the left part of the password candidates.
- wordlist2.txt: The second wordlist, containing the right part of the password candidates.
Before running the full attack, it's good practice to use the --show flag. This flag tells Hashcat to display any hashes that have already been cracked and stored in the potfile, without starting a new cracking session.
Let's run the command with --show to see that our target hash has not yet been cracked:
hashcat -m 0 -a 1 hash.txt wordlist1.txt wordlist2.txt --show
Since this is the first time we are running it, the command will produce no output, which is the expected result. This confirms we are ready to proceed with the actual attack.
Execute the Attack and Observe the Combinations
Now it's time to execute the combinator attack without the --show flag. This will start the cracking process. Hashcat will read the two wordlists, combine them, hash the results, and compare them against the target hash in hash.txt.
Run the following command in your terminal:
hashcat -m 0 -a 1 hash.txt wordlist1.txt wordlist2.txt
Hashcat will initialize and display a status screen. Since our wordlists are very small, the process will finish almost instantly. The output will show that the hash has been cracked.
You will see output similar to the following (some details like speed and time may vary):
hashcat (v6.2.6) starting
...
Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: e10adc3949ba59abbe56e057f20f883e
Time.Started.....: ...
Time.Estimated...: 0 secs (0.00ms)
Guess.Base.......: File (wordlist1.txt), File (wordlist2.txt)
Guess.Queue......: 2/2 (100.00%)
Speed.#*.........: ... H/s (...)
Recovered........: 1/1 (100.00%) Digests
Progress.........: 16/16 (100.00%)
Rejected.........: 0/16 (0.00%)
Restore.Point....: 4/4 (100.00%)
Restore.Sub.#*...: 4/4 (100.00%)
Candidates.#*....: 16
Cracked Hashes: 1/1
e10adc3949ba59abbe56e057f20f883e:password123
...
All hashes have been recovered
Started: ...
Stopped: ...
The line e10adc3949ba59abbe56e057f20f883e:password123 clearly shows the original hash and its cracked plaintext password. This confirms our attack was successful.
Review the Potfile for Combined Password Results
In this step, you will review the Hashcat potfile. The potfile (hashcat.potfile) is a plain text file where Hashcat automatically stores successfully cracked hashes and their corresponding passwords. This is a useful feature that prevents you from wasting time re-cracking hashes that have already been solved.
By default, the potfile is located in the ~/.local/share/hashcat/ directory.
Use the cat command to view the contents of the potfile and confirm that our result was saved:
cat ~/.local/share/hashcat/hashcat.potfile
The output will show the hash and its cracked password, separated by a colon:
e10adc3949ba59abbe56e057f20f883e:password123
This confirms that the attack was successful and the result is now stored permanently in the potfile. If you were to run the same attack again, Hashcat would find the hash already cracked in this file, and the --show flag would instantly retrieve the result from it instead of re-running the entire cracking process.
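The following script is an added example, not part of the lab and not Hashcat's own code. It emulates in plain shell what the lab's steps do: building the two wordlists, enumerating the left-major combinations that -a 1 produces (16 candidates here, matching the Progress line in the lab output), hashing each with MD5 (-m 0), comparing against the hashes in hash.txt, and recording matches in a potfile that a --show-style lookup reads back and that a second run consults to skip already-cracked hashes. The file names mirror the lab, but the work directory, the potfile path and the target hash are constructed locally: the target is computed from the plaintext password123 (MD5 482c811da5d5b4bc6d497ffa98491e38), because the hash shown in the lab's sample output, e10adc3949ba59abbe56e057f20f883e, is the MD5 of 123456 rather than of password123, and in the lab itself you would use whatever hash.txt contains. It assumes GNU coreutils (md5sum) and a POSIX shell.

```shell
#!/usr/bin/env bash
# Added example: pure-shell emulation of
#   hashcat -m 0 -a 1 hash.txt wordlist1.txt wordlist2.txt   (and --show).
# Assumes GNU coreutils (md5sum, mktemp). Paths below are constructed for this demo.
set -u

# combine LEFT RIGHT: emit every left-word + right-word candidate, one per line,
# in the same left-major order the combinator attack (-a 1) walks.
combine() {
    local left="$1" right="$2" l r
    while IFS= read -r l; do
        while IFS= read -r r; do
            printf '%s%s\n' "$l" "$r"
        done < "$right"
    done < "$left"
}

# md5_hex STRING: lowercase MD5 hex digest of STRING (hash mode 0), no newline hashed.
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# candidate_count LEFT RIGHT: size of the candidate space (len(LEFT) * len(RIGHT)).
candidate_count() {
    combine "$1" "$2" | wc -l | tr -d ' '
}

# show_cracked HASHFILE POTFILE: the --show behaviour. Prints the potfile
# entries (hash:plain) whose hash is listed in HASHFILE; nothing if none.
show_cracked() {
    local hashfile="$1" potfile="$2" h
    [ -f "$potfile" ] || return 0
    while IFS= read -r h; do
        [ -n "$h" ] || continue
        grep -i "^${h}:" "$potfile" || true
    done < "$hashfile"
}

# crack_combinator HASHFILE LEFT RIGHT POTFILE: hash every candidate, compare it
# with the target hashes, and append hash:plain for each new match to POTFILE.
# A hash already present in the potfile is skipped, as hashcat does by default.
crack_combinator() {
    local hashfile="$1" left="$2" right="$3" potfile="$4" cand h
    touch "$potfile"
    combine "$left" "$right" | while IFS= read -r cand; do
        h=$(md5_hex "$cand")
        grep -qix "$h" "$hashfile" || continue      # not one of the targets
        grep -qi "^${h}:" "$potfile" && continue    # already cracked earlier
        printf '%s:%s\n' "$h" "$cand" | tee -a "$potfile"
    done
}

# ---- constructed lab fixtures: same words as the lab, target hash computed locally ----
WORK=$(mktemp -d)
printf '%s\n' admin user password guest > "$WORK/wordlist1.txt"
printf '%s\n' 2024 '!@#' 123 xyz > "$WORK/wordlist2.txt"
md5_hex 'password123' > "$WORK/hash.txt"   # 482c811da5d5b4bc6d497ffa98491e38
POTFILE="$WORK/hashcat.potfile"            # constructed path, not ~/.local/share/hashcat/

echo "Candidates: $(candidate_count "$WORK/wordlist1.txt" "$WORK/wordlist2.txt")"   # 16
echo "--show before cracking (prints nothing):"
show_cracked "$WORK/hash.txt" "$POTFILE"
echo "Cracking:"
crack_combinator "$WORK/hash.txt" "$WORK/wordlist1.txt" "$WORK/wordlist2.txt" "$POTFILE"
echo "--show after cracking:"
show_cracked "$WORK/hash.txt" "$POTFILE"   # 482c811da5d5b4bc6d497ffa98491e38:password123
```

Running it a second time against the same potfile prints nothing from crack_combinator, which is the behaviour the lab describes: the potfile is consulted before any hashing is done, and only the --show-style lookup is needed to recover the result. The candidate count is the product of the two list sizes, which is why two modest lists cover far more ground than either list alone, and also why the order of the lists matters: swapping them would produce 123password rather than password123.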
Summary
In this lab, you have successfully performed a combinator attack using Hashcat.
You learned how to:
- Understand the concept of a combinator attack (-a 1) in Hashcat.
- Create two separate wordlists to serve as the basis for password candidates.
- Construct the correct Hashcat command, specifying the attack mode, hash type, and input files.
- Execute the attack and successfully crack an MD5 hash by combining a word and a number sequence.
- Locate and review the hashcat.potfile to see the stored results of a successful crack.
The combinator attack is a fundamental technique in password cracking, especially useful when dealing with passwords that follow predictable concatenation patterns.