Use Hashcat Brain for Distributed Cracking

MySQLBeginner
Practice Now

Introduction

Hashcat is a world-renowned password recovery tool, known for its speed and versatility. When performing large-scale password cracking, it's common to use multiple systems to attack the same list of hashes. This distributed approach can lead to inefficiency, as different systems might waste time trying the same password candidates.

To solve this problem, Hashcat introduced the "Brain" feature. The Hashcat Brain acts as a centralized server that keeps a record of every password candidate that has been attempted. Before a client tries a password, it queries the Brain. If the password has been tried before, the client skips it, saving valuable time and resources.

In this lab, you will learn how to:

  • Start a Hashcat Brain server.
  • Connect a Hashcat client to the server.
  • Run a password attack and observe how the Brain prevents redundant work.

Understand the Concept of Hashcat Brain

In this step, we will briefly cover the core concept of the Hashcat Brain and the problem it is designed to solve. This step is purely conceptual, and no commands are required.

In a typical password cracking scenario, you have a list of hashes and a list of potential passwords (a wordlist). Hashcat tries each password from the wordlist against the hashes. Now, imagine you have two separate computers (or clients) working on the same task.

The Problem: Without coordination, both Client A and Client B might try the exact same password, such as "123456", at different times. This is a waste of computational power, as the work is being duplicated.

The Solution (Hashcat Brain): The Hashcat Brain acts as a smart central server. The workflow is as follows:

  1. A client (e.g., Client A) wants to try the password "123456".
  2. It first sends a request to the Brain Server: "Has '123456' been tried before?"
  3. The Brain Server checks its database. If it's the first time, it responds: "No, it has not."
  4. Client A proceeds to test the password. After it's done, it informs the Brain Server: "I have now tested '123456'." The Brain Server records this.
  5. Later, if Client B wants to try "123456", it asks the Brain Server. The server will now respond: "Yes, it has been tried."
  6. Client B immediately skips this password and moves to the next one, saving time and electricity.

This mechanism ensures that each password candidate across the entire distributed network is tested only once, dramatically improving the efficiency of large-scale attacks.

Start the Hashcat Brain Server

In this step, you will start the Hashcat Brain server. This server will listen for connections from Hashcat clients and manage the database of tried passwords.

For this lab, we will run the server and client on the same machine, but they will communicate over the network as if they were on separate systems.

The command to start the server is hashcat with the --brain-server flag. We will also specify a port for it to listen on. For security, Hashcat can automatically generate a password for the server.

First, let's create a directory for our brain files inside our project folder.

mkdir -p ~/project/brain

Now, run the following command in your terminal to start the server. It will listen on port 7890 and store its data in the ~/project/brain/ directory.

Note: This command will occupy your current terminal. For the next steps, you will need to open a new terminal tab by clicking the + icon in the terminal panel.

hashcat --brain-server --brain-port 7890 --brain-session-path ~/project/brain/

After running the command, you will see output indicating that the server is running. Pay close attention to the line that says Password..:, as this is the automatically generated password you will need for the client to connect.

Starting brain server on 0.0.0.0:7890...

Password..: 82b5d1a3e... (a long hex string)

Accepting clients...

Leave this terminal running. Do not close it. Open a new terminal for the following steps.

Obtain the Brain Server Password

In this step, you will learn how to retrieve the Brain server's password from its session file. While the password was displayed in the terminal when you started the server, it's also stored in a file for easy access, which is useful in automated environments.

The session file, by default, is named hashcat.brain. Since we specified a custom path with --brain-session-path, our file is located at ~/project/brain/hashcat.brain.

In your new terminal tab, use the cat command to display the contents of this file. This content is the server password.

cat ~/project/brain/hashcat.brain

The output will be a long string of hexadecimal characters, which is the password.

82b5d1a3e4c9a0f7d6b3c1a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9

This password is required by any client that wants to connect to your Brain server. In the next steps, we will use a command to read this password directly from the file to avoid copy-pasting errors.

Configure a Hashcat Client to Connect to the Brain

In this step, you will configure a Hashcat client to use the Brain server. This is done by adding several --brain-* options to a standard hashcat command.

We will run a "dry-run" command to test the connection. The --show option in Hashcat is used to display previously cracked hashes, but when combined with the brain client options, it serves as a good way to verify the connection without starting a full attack.

The required client options are:

  • --brain-client: Tells Hashcat to operate in client mode.
  • --brain-host: The IP address of the server. We'll use 127.0.0.1 since it's on the same machine.
  • --brain-port: The port the server is listening on, which is 7890.
  • --brain-password: The password for the server. We can use command substitution $(cat ...) to read it directly from the file.

Execute the following command in your new terminal tab:

hashcat --show -m 0 ~/project/hashes.txt --brain-client --brain-host=127.0.0.1 --brain-port=7890 --brain-password=$(cat ~/project/brain/hashcat.brain)

This command will not produce much output in the client terminal. However, if you switch back to your first terminal tab (the one running the server), you should see a new line that says Client connected from 127.0.0.1. This confirms that the client successfully connected to the server.

## In the server terminal
Accepting clients...
Client connected from 127.0.0.1

This confirms your client configuration is correct.

Run an Attack and Observe Brain Communication

In this step, you will perform a dictionary attack and see the Hashcat Brain in action. We will use the hashes.txt and wordlist.txt files that were prepared for you.

First, run the attack. The command is a standard dictionary attack (-a 0) for MD5 hashes (-m 0), with the brain client options added.

Execute this in your client terminal (the second tab):

hashcat -m 0 -a 0 ~/project/hashes.txt ~/project/wordlist.txt --brain-client --brain-host=127.0.0.1 --brain-port=7890 --brain-password=$(cat ~/project/brain/hashcat.brain)

The attack will run, and you will see it quickly find the password.

...
5f4dcc3b5aa765d61d8327deb882cf99:password
...
Session..........: hashcat
Status...........: Cracked
...

Now, here is the important part. Run the exact same command again.

hashcat -m 0 -a 0 ~/project/hashes.txt ~/project/wordlist.txt --brain-client --brain-host=127.0.0.1 --brain-port=7890 --brain-password=$(cat ~/project/brain/hashcat.brain)

Observe the output this time. The attack should finish almost instantly. Notice the Status line.

...
Session..........: hashcat
Status...........: Exhausted
...

The status is Exhausted because the Brain client asked the server about every password in wordlist.txt, and the server replied, "Yes, all of these have been tried before." The client then knew there was no work to do and exited immediately. This demonstrates the power and efficiency of the Hashcat Brain.

Summary

In this lab, you successfully explored the Hashcat Brain, a powerful feature for optimizing distributed password cracking operations.

You have learned:

  • The core concept behind Hashcat Brain and how it prevents redundant work.
  • How to start a Hashcat Brain server and let it generate a secure password.
  • How to locate the server's session file to retrieve the password.
  • How to configure a Hashcat client with the necessary flags to connect to the Brain.
  • How to run an attack and observe the Brain in action, witnessing how it intelligently skips previously attempted passwords.

By mastering the Hashcat Brain, you can significantly enhance the efficiency of any large-scale or long-running password recovery campaign, saving time, and computational resources.