Use the Potfile to Manage Cracked Hashes


Introduction

Hashcat is a powerful and popular password recovery tool. One of its key features for efficient operation is the "potfile". The potfile (short for "pot of gold file") is a file where hashcat automatically stores successfully cracked hashes and their corresponding plaintexts. This prevents hashcat from wasting time and resources trying to re-crack hashes that have already been solved in previous sessions.

In this lab, you will learn the fundamentals of managing cracked hashes using the hashcat potfile. You will learn how to locate the potfile, view its contents, and use specific hashcat flags to query it or even ignore it when necessary.

Understand the Purpose of the Potfile

In this step, you will learn about the fundamental role of the hashcat potfile.

The potfile is one of hashcat's most important features for efficiency. Every time hashcat successfully cracks a hash, it saves the result to the potfile. Over time, this builds a database of solved hashes.

Before starting a new cracking session, hashcat checks the hashes in your input file against the entries in the potfile. If a hash is already present in the potfile, hashcat will skip it, displaying a "Removed" status. This ensures that you don't waste valuable CPU/GPU cycles on work that has already been done.

The standard format for entries in the potfile is simple and effective:

HASH:PLAINTEXT

This step is purely conceptual to build your understanding. There are no commands to execute. You can proceed to the next step to find where this file is located.

Locate the Default hashcat.potfile

In this step, you will locate the default potfile created by hashcat.

By default, hashcat does not create the potfile in your current working directory. Instead, it places it in a dedicated hashcat folder within your user's home directory to keep it persistent across different cracking sessions and projects. The default location on a Linux system is ~/.local/share/hashcat/.

Let's verify the file's existence. Use the ls -l command to list the contents of the hashcat directory.

ls -l ~/.local/share/hashcat/

You should see the hashcat.potfile in the output, along with other potential session-related files.

total 4
-rw-r--r-- 1 labex labex 42 May 20 10:30 hashcat.potfile
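
The listing above shows the potfile with mode -rw-r--r--, so the file itself is world-readable even though it holds recovered plaintexts. The check below is an added example, not part of the original lab; the function names are hypothetical and the demo runs on a constructed potfile in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the lab): keep the potfile readable by its owner only.
# Function names are hypothetical; the demo uses a constructed potfile.

# Exit 0 when group and others hold no permission bits on the file.
potfile_is_private() {
  perms=$(ls -ld "$1" | cut -c5-10)   # group/other columns, e.g. "r--r--"
  [ "$perms" = "------" ]
}

# Restrict the potfile to its owner, and the directory that holds it.
potfile_lock_down() {
  chmod 600 "$1" && chmod 700 "$(dirname "$1")"
}

# Audit one potfile; defaults to the location used in this lab.
potfile_audit() {
  f=${1:-"$HOME/.local/share/hashcat/hashcat.potfile"}
  [ -f "$f" ] || { echo "no potfile at $f"; return 2; }
  if potfile_is_private "$f"; then
    echo "ok: $f is owner-only"
  else
    echo "exposed: $f is accessible beyond its owner, tightening"
    potfile_lock_down "$f"
  fi
}

# Demo on a constructed potfile created with the mode shown in the listing.
demo_dir=$(mktemp -d)
printf '5f4dcc3b5aa765d61d8327deb882cf99:password\n' > "$demo_dir/hashcat.potfile"
chmod 644 "$demo_dir/hashcat.potfile"
potfile_audit "$demo_dir/hashcat.potfile"   # reports exposed, then tightens
potfile_audit "$demo_dir/hashcat.potfile"   # reports ok
rm -rf "$demo_dir"
```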

Now that you've located the file, the next step will be to view its contents.

View the Contents of the Potfile

In this step, you will inspect the contents of the hashcat.potfile to see how cracked hashes are stored.

Since the potfile is a plain text file, you can use any standard command-line text viewer like cat, less, or more to see what's inside. For a small file like ours, cat is perfect.

Execute the following command in your terminal to display the contents of the default potfile:

cat ~/.local/share/hashcat/hashcat.potfile

The output will show the hash that was cracked during the lab setup, followed by a colon (:), and then the plaintext password.

5f4dcc3b5aa765d61d8327deb882cf99:password

This simple HASH:PLAINTEXT format makes the file easy to read and parse, both for humans and for hashcat itself.

Use the --show Flag to Query the Potfile

In this step, you will learn how to use the --show flag to efficiently query the potfile for cracked hashes.

While you can manually cat and grep the potfile, hashcat provides a much more elegant and integrated way to check if hashes from a given file have already been cracked. The --show flag is used for this purpose. It takes a hash file as input and prints the cracked plaintexts for any hashes found in the potfile.

Let's use it to check our hashes.txt file.

hashcat -m 0 --show hashes.txt

Let's break down the command:

  • hashcat: The program itself.
  • -m 0: Specifies the hash mode. 0 is for MD5, which is the type of hash in our hashes.txt file. This is required for --show to work correctly.
  • --show: This flag tells hashcat to perform a query operation instead of a cracking session.
  • hashes.txt: The input file containing the hashes you want to check.

The command will produce the following output, which is identical to the content of the potfile because our hash was found.

5f4dcc3b5aa765d61d8327deb882cf99:password

This command is extremely useful when you have a large list of hashes and want to quickly see which ones have been previously recovered.
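
To make the lookup concrete, the sketch below joins a hash list against a potfile the way the text describes, reporting either the entries already solved or the hashes still open (hashcat's own --show and --left do this with full mode-aware parsing). It is an added example, not hashcat's code or part of the original lab; `potfile_join` is a hypothetical name, and it assumes an unsalted hex mode such as MD5 (-m 0), where the first colon on a potfile line separates HASH from PLAINTEXT.

```shell
#!/bin/sh
# Added example (not hashcat's code): split a hash list by potfile membership.
# Assumes unsalted hex digests (e.g. -m 0). Plaintexts stored in hashcat's
# $HEX[...] notation are passed through undecoded.

# potfile_join MODE HASHFILE POTFILE
#   MODE=show  prints HASH:PLAINTEXT for input hashes present in the potfile
#   MODE=left  prints input hashes that have no potfile entry
potfile_join() {
  awk -v mode="$1" '
    { sub(/\r$/, "") }                     # tolerate CRLF line endings
    FILENAME == ARGV[1] {                  # first file: the potfile
      i = index($0, ":")                   # split on the first colon only
      if (i > 1) pot[tolower(substr($0, 1, i - 1))] = substr($0, i + 1)
      next
    }
    $0 == "" { next }                      # skip blank input lines
    {
      h = tolower($0)                      # hex digests compare case-insensitively
      if (h in seen) next
      seen[h] = 1                          # report each digest once
      if (h in pot) { if (mode == "show") print h ":" pot[h] }
      else if (mode == "left") print h
    }
  ' "$3" "$2"
}

# Demo with constructed files: two solved entries, two input hashes.
demo_dir=$(mktemp -d)
printf '%s\n' '5f4dcc3b5aa765d61d8327deb882cf99:password' \
              'e10adc3949ba59abbe56e057f20f883e:123456' > "$demo_dir/pot"
printf '%s\n' '5F4DCC3B5AA765D61D8327DEB882CF99' \
              '5d41402abc4b2a76b9719d911017c592' > "$demo_dir/hashes.txt"
echo "cracked:"; potfile_join show "$demo_dir/hashes.txt" "$demo_dir/pot"
echo "left:";    potfile_join left "$demo_dir/hashes.txt" "$demo_dir/pot"
rm -rf "$demo_dir"
```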

Remove Cracked Hashes from Input with --potfile-disable

In this step, you will learn how hashcat automatically avoids re-cracking hashes and how you can override this behavior with the --potfile-disable flag.

First, let's see what happens when you try to run the same cracking job again. Since the hash is already in the potfile, hashcat should recognize this and finish instantly.

hashcat -m 0 -a 0 hashes.txt wordlist.txt --force

Notice the output. Hashcat will report that all hashes were found in the potfile and will not re-process them.

...
All hashes found in potfile!

NOTE: All hashes loaded from file hashes.txt are already cracked and were skipped.
To re-crack these hashes, you need to remove them from the potfile.
...

Now, what if you want to re-crack the hash, perhaps for benchmarking purposes or to test a different attack mode? You can use the --potfile-disable flag. This tells hashcat to completely ignore the potfile for both reading and writing.

Run the command again, but this time add the flag:

hashcat -m 0 -a 0 hashes.txt wordlist.txt --force --potfile-disable

This time, hashcat will perform the full cracking operation because it is ignoring the potfile. You will see the status progress and a "Cracked" status at the end.

...
Session..........: hashcat
Status...........: Cracked
...
Cracked (1/1) hashes, (1/1) digests
...

Reserve --potfile-disable for situations like the benchmarking or attack-mode testing described above. In most cases, you want to leverage the potfile to save time.

Summary

In this lab, you have learned the essential skills for managing cracked hashes with hashcat's potfile.

You now understand that the potfile is a crucial feature for efficiency, acting as a database of solved hashes. You have learned how to:

  • Locate the default potfile at ~/.local/share/hashcat/hashcat.potfile.
  • View its contents using standard Linux commands like cat.
  • Query the potfile for specific hashes from an input file using the --show flag.
  • Bypass the potfile's functionality for specific use cases with the --potfile-disable flag.

Mastering the use of the potfile is a fundamental step toward becoming a proficient hashcat user, allowing you to run more effective and efficient password recovery tasks.