Introduction
Hashcat is a powerful and versatile password recovery tool, widely used in cybersecurity for testing password strength and recovering lost passwords. It supports numerous hashing algorithms and several attack modes.
In this lab, you will focus on one of the most fundamental password cracking techniques: the dictionary attack. You will learn how to use Hashcat's "Straight" attack mode (-a 0) to crack a simple MD5 hash using a custom wordlist. This hands-on experience will provide a solid foundation for understanding how password cracking works.
Understand the concept of a dictionary attack (-a 0)
In this step, you will learn about the dictionary attack and how it is implemented in Hashcat.
A dictionary attack is a method of breaking into a password-protected system by systematically entering every word in a list, called a dictionary or wordlist, as a password. It is a simple yet effective technique, especially against weak or common passwords.
Hashcat refers to this method as a "Straight" attack, which is assigned the attack mode number 0. You specify the attack mode using the -a option.
Let's use the hashcat --help command to see examples of attack mode 0. We can pipe the output to grep to find the specific lines.
hashcat --help | grep -- "-a 0"
You will see the following output, showing examples of dictionary attacks using -a 0:
Wordlist | $P$ | hashcat -a 0 -m 400 example400.hash example.dict
Wordlist + Rules | MD5 | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
This confirms that to perform a dictionary attack, you will use the -a 0 option in your Hashcat command, where -a 0 represents the Straight (dictionary) attack mode.
Prepare a target hash file and a simple wordlist
In this step, you will prepare the two essential files needed for a dictionary attack: a file containing the target hash and a wordlist file. All operations will be performed in the ~/project directory.
First, let's create a file to store our target hash. We will use the MD5 hash of the string "password123", which is 482c811da5d5b4bc6d497ffa98491e38.
Use the echo command to create a file named my_hash.txt containing this hash.
echo "482c811da5d5b4bc6d497ffa98491e38" > my_hash.txt
Next, create a simple wordlist file named my_wordlist.txt. A real-world wordlist can contain millions of words, but for this lab, we will create a small one that includes the correct password.
echo "password" > my_wordlist.txt
echo "123456" >> my_wordlist.txt
echo "password123" >> my_wordlist.txt
echo "qwerty" >> my_wordlist.txt
Now, verify the contents of both files using the cat command.
First, check the hash file:
cat my_hash.txt
Expected output:
482c811da5d5b4bc6d497ffa98491e38
Then, check the wordlist file:
cat my_wordlist.txt
Expected output:
password
123456
password123
qwerty
You now have a target hash and a wordlist, ready for the attack.
Launch a dictionary attack on an MD5 hash
In this step, you will launch the dictionary attack against the MD5 hash you prepared.
To do this, you need to construct a Hashcat command that specifies the attack mode, hash type, hash file, and wordlist file.
The command structure is as follows:
hashcat [options] [hash_file] [wordlist_file]
Here are the options we will use:
-a 0: Specifies the Straight (dictionary) attack mode.-m 0: Specifies the hash type.0corresponds to MD5. It is crucial to match the hash type correctly.--force: This option is often needed in virtualized environments or when running on a CPU to bypass certain warnings and force Hashcat to run.
Now, execute the command to start the attack:
hashcat -a 0 -m 0 my_hash.txt my_wordlist.txt --force
Hashcat will start and display a status screen. Since our wordlist is very small, the process will finish almost instantly. The output will look similar to this (some details like start time will vary):
hashcat (v6.2.6) starting
... (some initial warnings and info) ...
Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: 482c811da5d5b4bc6d497ffa98491e38
Time.Started.....: Sun Nov 19 10:30:00 2023 (0 secs)
Time.Estimated...: Sun Nov 19 10:30:00 2023 (0 secs)
Guess.Base.......: File (my_wordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#*.........: 133.7 kH/s (0.02ms) @ Accel:128 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 4/4 (100.00%)
Rejected.........: 0/4 (0.00%)
Restore.Point....: 3/4 (75.00%)
Restore.Sub.#*...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#*....: password123 -> qwerty
Hardware.Mon.#*..: Temp: 45c
Started: ...
Stopped: ...
The Status...........: Cracked line indicates that the password was successfully found in your wordlist.
Analyze the output status and keywords
In this step, you will take a closer look at the output from the previous step to understand what it means. When Hashcat successfully cracks a hash, it saves the result to a file called a "potfile" and reports the success on the screen.
Let's break down the key lines from the status output:
Status...........: Cracked: This is the most important indicator. It confirms that at least one hash was successfully cracked. If it saidExhausted, it would mean Hashcat tried every word in the wordlist without success.Hash.Type........: MD5: Confirms the hash algorithm being targeted.Hash.Target......: 482c811da5d5b4bc6d497ffa98491e38: Shows the hash being attacked.Guess.Base.......: File (my_wordlist.txt): Indicates that the source of password candidates is our wordlist file.Recovered........: 1/1 (100.00%) Digests: This shows that out of 1 total hash provided, 1 has been recovered.Progress.........: 4/4 (100.00%): This indicates that all 4 words from our wordlist have been tested.
After a successful crack, Hashcat automatically stores the cracked hash and its corresponding plaintext password in its potfile. The default location for this file is ~/.local/share/hashcat/hashcat.potfile. This prevents you from wasting time re-cracking the same hash in the future.
You can verify that the potfile was created by listing its contents, but we will use a more direct Hashcat feature in the next step.
View the cracked password using the '--show' option
In this step, you will learn how to view the cracked password using a convenient Hashcat option.
While you could look inside the potfile directly, Hashcat provides the --show option to display the cracked passwords for the hashes in a given file. It cross-references your hash file with its potfile and prints any matches it finds.
To use this option, you need to provide the original hash file and specify the hash type, just as you did for the attack.
Run the following command:
hashcat -m 0 my_hash.txt --show
Hashcat will immediately print the result in the format hash:password.
482c811da5d5b4bc6d497ffa98491e38:password123
This output clearly shows the original MD5 hash and its corresponding plaintext password, "password123".
For comparison, you can also view the raw content of the potfile. This will show the same information, but --show is often cleaner when you want to check specific hashes.
cat ~/.local/share/hashcat/hashcat.potfile
Expected output:
482c811da5d5b4bc6d497ffa98491e38:password123
Using --show is the standard way to check for already-cracked passwords in Hashcat's database.
Summary
In this lab, you learned the fundamentals of performing a dictionary attack with Hashcat. You successfully cracked an MD5 hash by testing candidates from a small, custom-made wordlist.
You have gained hands-on experience with the following key skills:
- Understanding the concept of a dictionary attack and Hashcat's Straight attack mode (
-a 0). - Preparing a target hash file and a wordlist file.
- Launching an attack on an MD5 hash by specifying the correct attack mode (
-a 0) and hash type (-m 0). - Analyzing the status screen to confirm a successful crack.
- Viewing the cracked password using the
--showoption.
This knowledge forms a critical base for exploring more advanced password cracking techniques and understanding the importance of using strong, unique passwords.
