Perform a Hybrid Attack in Hashcat

Introduction

Hashcat is a renowned and powerful password recovery tool, widely used for cracking password hashes. One of its most flexible features is the hybrid attack, which combines the speed of a wordlist attack with the thoroughness of a brute-force (or mask) attack. This method is particularly effective against passwords that are based on a common word but modified with appended or prepended characters, such as numbers or symbols.

In this lab, you will learn how to use Hashcat's hybrid attack capabilities. You will explore the two main hybrid modes: wordlist+mask and mask+wordlist. By the end of this lab, you will have hands-on experience in setting up and executing these attacks to crack sample password hashes.

Differentiate Between Hybrid Wordlist+Mask and Mask+Wordlist

In this step, you will learn the theoretical difference between the two primary hybrid attack modes in Hashcat. Understanding this distinction is crucial for choosing the correct strategy for a given password pattern.

Hybrid Wordlist+Mask (Attack Mode 6)

This mode, specified with the -a 6 flag, takes each word from your wordlist and appends characters to it based on a defined mask. It's ideal for passwords where users add a suffix to a base word, such as adding a year or special characters at the end.

  • Example: If your wordlist contains password and your mask is ?d?d, Hashcat will try candidates like password00, password01, password02, and so on, up to password99.

Hybrid Mask+Wordlist (Attack Mode 7)

This mode, specified with the -a 7 flag, does the opposite. It prepends characters defined by a mask to each word from your wordlist. This is useful when users add a prefix to a base word.

  • Example: If your wordlist contains password and your mask is ?d?d, Hashcat will try candidates like 00password, 01password, 02password, and so on, up to 99password.

No commands are needed for this step. Your goal is to understand these two fundamental concepts before applying them in the upcoming steps.

Create a Sample Hash and a Base Wordlist

In this step, you will create the necessary files for our attack: a sample password hash and a simple wordlist. All operations will be performed in the ~/project directory.

First, we need a target hash to crack. For this lab, we'll use an MD5 hash. Let's assume the password is labex2024. The MD5 hash for this string is 2d3c839a453c68206911871584a5f70f.

Create a file named hash.txt and save the hash into it.

echo "2d3c839a453c68206911871584a5f70f" > ~/project/hash.txt

You can verify the content of the file using the cat command:

cat ~/project/hash.txt

You should see the following output:

2d3c839a453c68206911871584a5f70f

Next, we need a wordlist that contains the base word of our target password. Since the password is labex2024, the base word is labex. Let's create a wordlist file named wordlist.txt containing only this word.

echo "labex" > ~/project/wordlist.txt

Verify the content of your new wordlist:

cat ~/project/wordlist.txt

The output should be:

labex

Now you have a target hash and a base wordlist, ready for the attack.

Run a Hybrid Attack Appending Digits to Words

In this step, you will perform a hybrid attack using the wordlist+mask mode (-a 6) to crack the hash you created. Our hypothesis is that the password consists of the word labex followed by four digits.

We will construct the hashcat command with the following components:

  • -m 0: Specifies the hash type, which is MD5.
  • -a 6: Selects the hybrid wordlist+mask attack mode.
  • ~/project/hash.txt: The file containing our target hash.
  • ~/project/wordlist.txt: Our base wordlist.
  • ?d?d?d?d: The mask to append. ?d represents a single digit.

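Now, run the following command in your terminal. The mask is enclosed in single quotes so that the shell does not interpret ? as a filename wildcard:

hashcat -m 0 -a 6 ~/project/hash.txt ~/project/wordlist.txt '?d?d?d?d'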

Hashcat will initialize and start the cracking process. You might see a warning about performance in a virtualized environment, which is normal. After a short time, Hashcat will find the password.

The output will look similar to this (some details may vary):

...
Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: 2d3c839a453c68206911871584a5f70f
Time.Started.....: ...
Time.Estimated...: 0 secs (0.00ms)
Guess.Base.......: File (~/project/wordlist.txt)
Guess.Mod........: Mask (?d?d?d?d)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  ... H/s (...)
Recovered........: 1/1 (100.00%) Digests
Progress.........: 10000/10000 (100.00%)
Rejected.........: 0/10000 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: labex1000 -> labex9999
Hardware.Mon.#1..: Temp: ...

2d3c839a453c68206911871584a5f70f:labex2024

Started: ...
Stopped: ...

Hashcat has successfully cracked the hash and found the password: labex2024.

You can view the cracked password at any time using the --show option:

hashcat -m 0 --show ~/project/hash.txt

This will display the cracked hash-password pair directly:

2d3c839a453c68206911871584a5f70f:labex2024

Run a Hybrid Attack Prepending Digits to Words

Now, let's try the other hybrid mode: mask+wordlist (-a 7). In this step, you will attempt to crack a new hash where the pattern is prepended.

Let's assume our new target password is 2024labex. The MD5 hash for this string is b68137c355d785422120884212515e86.

First, create a new hash file named hash2.txt with this new hash.

echo "b68137c355d785422120884212515e86" > ~/project/hash2.txt

For this scenario, we need to use attack mode -a 7 to prepend the four-digit mask to our base word. The command structure is similar, but the attack mode is different and the order of the last two arguments is reversed: in mode 7 the mask comes before the wordlist.

Run the following command:

hashcat -m 0 -a 7 ~/project/hash2.txt '?d?d?d?d' ~/project/wordlist.txt

Hashcat will start again. Because we've chosen the correct attack mode for this password structure, it will quickly find the password.

The output will show the cracked password:

...
Session..........: hashcat
Status...........: Cracked
...
b68137c355d785422120884212515e86:2024labex
...

You have successfully cracked the second hash using the mask+wordlist mode.

As before, you can use the --show option to see the result:

hashcat -m 0 --show ~/project/hash2.txt

Output:

b68137c355d785422120884212515e86:2024labex

Compare the Effectiveness of Both Hybrid Modes

In this final practical step, you will see what happens when you use the wrong hybrid mode for a given password pattern. This will highlight the importance of choosing the correct attack strategy.

First, let's try to crack our original hash (hash.txt, for labex2024) using the mask+wordlist (-a 7) mode. This mode prepends digits, which is incorrect for this password.

hashcat -m 0 -a 7 ~/project/hash.txt '?d?d?d?d' ~/project/wordlist.txt

Hashcat will run, but it will be trying candidates like 0000labex, 0001labex, etc. Since the correct password is labex2024, this attack will fail. After checking all 10,000 possibilities, the process will end with an Exhausted status, meaning it tried all combinations without success. You can wait for it to finish or press q to quit.

Next, let's try to crack our second hash (hash2.txt, for 2024labex) using the wordlist+mask (-a 6) mode. This mode appends digits, which is also incorrect for this password.

hashcat -m 0 -a 6 ~/project/hash2.txt ~/project/wordlist.txt '?d?d?d?d'

Similarly, this attack will try candidates like labex0000, labex0001, etc., and will also fail, ending with an Exhausted status.

This experiment demonstrates a critical point: the success of a hybrid attack depends entirely on correctly identifying the password's structure. Using the wrong mode will waste time and resources without yielding the correct password.
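
The distinction between the two modes described earlier, and the reason the wrong mode ends in Exhausted, can be checked without running Hashcat by asking which mode's candidate set contains a given password and how large that set is. The Python code below is an added example, not part of the original lab or of Hashcat; the function names (parse_mask, keyspace, covering_modes) are hypothetical, only the ?l ?u ?d ?s ?a built-in charsets are handled, and the third sample password is constructed.

```python
import string

# Hashcat built-in mask charsets covered by this example: ?l ?u ?d ?s ?a.
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]

def parse_mask(mask):
    """Turn a mask such as '?d?d' into one allowed-character set per position."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?":
            key = mask[i + 1:i + 2]
            if key != "?" and key not in CHARSETS:
                raise ValueError(f"unsupported mask token ?{key}")
            positions.append("?" if key == "?" else CHARSETS[key])  # '??' is a literal '?'
            i += 2
        else:
            positions.append(mask[i])  # any other character is a literal
            i += 1
    return positions

def keyspace(words, mask):
    """Number of candidates a hybrid run generates: words x mask combinations."""
    total = len(words)
    for charset in parse_mask(mask):
        total *= len(charset)
    return total

def _fits(text, positions):
    return len(text) == len(positions) and all(c in p for c, p in zip(text, positions))

def covering_modes(password, words, mask):
    """Return the hybrid modes (6 = word+mask, 7 = mask+word) that would generate password."""
    positions, modes = parse_mask(mask), set()
    for word in words:
        if password.startswith(word) and _fits(password[len(word):], positions):
            modes.add(6)
        if password.endswith(word) and _fits(password[:len(password) - len(word)], positions):
            modes.add(7)
    return sorted(modes)

if __name__ == "__main__":
    words, mask = ["labex"], "?d?d?d?d"  # the lab's wordlist and mask
    for pw in ("labex2024", "2024labex", "labex-2024"):  # last one is a constructed sample
        print(pw, covering_modes(pw, words, mask), "of", keyspace(words, mask))
```

An empty result means neither hybrid run with that wordlist and mask would ever generate the password, which is the Exhausted outcome seen above; a non-empty result means the password sits inside a keyspace of the reported size.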

Summary

In this lab, you gained practical experience with Hashcat's powerful hybrid attack feature. You have learned how to combine wordlists and masks to efficiently crack passwords that follow a predictable pattern.

Specifically, you learned:

  • The fundamental difference between the two hybrid attack modes: wordlist+mask (-a 6) for appending patterns and mask+wordlist (-a 7) for prepending patterns.
  • How to prepare for an attack by creating a target hash file and a base wordlist.
  • How to execute both types of hybrid attacks to successfully crack passwords.
  • The critical importance of selecting the correct attack mode based on the suspected password structure, as using the wrong mode will lead to failure.

Hybrid attacks are an essential technique in any password auditor's toolkit, offering a smart balance between targeted and brute-force methods.