Introduction
Hashcat is a powerful and popular password recovery tool. When you run a cracking session, Hashcat needs a way to manage the results. It's crucial to know which passwords have been successfully cracked and which ones remain unsolved.
In this lab, you will learn the fundamentals of managing Hashcat's output. We will explore the hashcat.potfile, which automatically stores cracked passwords. You will also learn how to use command-line options like --show to display cracked passwords, -o to save results to a specific file, and --left to identify which hashes are still uncracked. Mastering these features is essential for any effective password auditing or recovery workflow.
Understand the purpose of the hashcat.potfile
In this step, you will learn about the hashcat.potfile, a crucial component of Hashcat. To avoid re-cracking the same hashes in future sessions, Hashcat automatically saves every successfully cracked hash and its corresponding plaintext password into a file. This file is called the "potfile". By default, it is named hashcat.potfile and is located in the ~/.local/share/hashcat/ directory.
Let's run a basic dictionary attack to crack some hashes. This will generate the potfile for us. We have a file named hashes.txt containing MD5 hashes and a wordlist.txt file with potential passwords.
Execute the following command to start the attack:
hashcat -m 0 -a 0 hashes.txt wordlist.txt
Here's a breakdown of the command:
-m 0: Specifies the hash type, where0corresponds to MD5.-a 0: Specifies the attack mode, where0is a straight dictionary attack.hashes.txt: The input file containing the hashes to be cracked.wordlist.txt: The dictionary file containing passwords to try.
You will see Hashcat start up. Since our wordlist contains the correct passwords for all of the hashes, the process will finish quickly.
...
Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: hashes.txt
Time.Started.....: ...
Time.Estimated...: 0 secs
Guess.Base.......: File (wordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: ... H/s (0.00ms) @ Accel:128 Loops:1 Thr:1 Vec:8
Recovered........: 4/4 (100.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 5/5 (100.00%)
Rejected.........: 0/5 (0.00%)
Restore.Point....: 5/5 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: password -> testing
Hardware.Mon.#1..: Temp: 46c Fan: 33%
...
Started: ...
Stopped: ...
The output shows that all 4 hashes were recovered. This means the hashcat.potfile has now been created and populated with these results.
View cracked hash-password pairs in the potfile
In this step, we will inspect the contents of the hashcat.potfile directly. This will help you understand how Hashcat stores the cracked credentials. The format is simple and effective: each line contains the hash, a colon separator, and the cracked plaintext password.
To view the contents of the potfile, use the cat command. The file is located in a hidden directory within your home folder.
cat ~/.local/share/hashcat/hashcat.potfile
The output will display the hash-password pairs that were successfully cracked in the previous step.
5f4dcc3b5aa765d61d8327deb882cf99:password
e10adc3949ba59abbe56e057f20f883e:123456
d8578edf8458ce06fbc5bb76a58c5ca4:qwerty
f9664ea1803311b35f81d07d8c9e072d:lab
As you can see, the file contains the four hashes from hashes.txt that matched passwords in wordlist.txt. While viewing the potfile directly is useful for understanding its structure, it can become cluttered and difficult to read in real-world scenarios with thousands of cracked passwords. In the next step, you'll learn a more efficient way to view results for a specific task.
Use '--show' to display cracked passwords for a specific hash list
In this step, you'll learn a more practical method for checking your results. Instead of manually reading the entire potfile, you can use Hashcat's --show option. This command instructs Hashcat to compare a given hash list against its potfile and display only the cracked hashes from that list. It does not perform any new cracking.
This is extremely useful when you want to quickly see the results for a specific target list without sifting through a potentially massive potfile containing results from many different sessions.
Run the following command to display the cracked hashes from our hashes.txt file:
hashcat -m 0 --show hashes.txt
Hashcat will instantly check the potfile and print the results in a clean, readable format.
5f4dcc3b5aa765d61d8327deb882cf99:password
e10adc3949ba59abbe56e057f20f883e:123456
d8578edf8458ce06fbc5bb76a58c5ca4:qwerty
f9664ea1803311b35f81d07d8c9e072d:lab
The output is clean and directly answers the question: "Which hashes from hashes.txt have I already cracked?" This is the recommended way to check for cracked passwords from a specific session.
Save cracked passwords to a dedicated output file using '-o'
In this step, you will learn how to save your cracking results to a separate file. While the potfile is an excellent internal database for Hashcat, you often need a clean output file for reporting or analysis. This is achieved using the -o (or --outfile) option.
When you add -o to your attack command combined with --show, Hashcat will retrieve the cracked hash-password pairs from the potfile and write them to the specified output file. This is particularly useful when the hashes have already been cracked and exist in the potfile, as you can quickly extract and save those results to a dedicated file.
Let's run the command with both --show and -o options to save the cracked results.
hashcat -a 0 -m 0 --show -o cracked.txt hashes.txt wordlist.txt
Hashcat will instantly check the potfile and write all the cracked password pairs to cracked.txt.
Now, let's view the contents of our new output file.
cat cracked.txt
The output will be a clean list of the cracked pairs.
5f4dcc3b5aa765d61d8327deb882cf99:password
e10adc3949ba59abbe56e057f20f883e:123456
d8578edf8458ce06fbc5bb76a58c5ca4:qwerty
f9664ea1803311b35f81d07d8c9e072d:lab
This cracked.txt file is now a portable record of the successful results from this specific attack, separate from the main potfile.
Use '--left' to see which hashes were not cracked
In this step, you'll learn how to identify which hashes remain uncracked. This is just as important as knowing which ones you've solved, as it allows you to focus your efforts in subsequent attacks (e.g., using a different wordlist or attack mode). Hashcat provides the --left option for this purpose.
When used with --show, the --left flag will display all hashes from your input list that are not present in the potfile.
Let's see which hashes from hashes.txt are still uncracked.
hashcat -m 0 --show --left hashes.txt
Since all hashes in our list have been cracked, the output will be empty (no uncracked hashes remain).
You can also combine --left with the -o option to save these remaining hashes to a new file. This is a common practice to create a worklist for your next cracking attempt.
hashcat -a 0 -m 0 --show --left -o uncracked.txt hashes.txt wordlist.txt
Now, check the contents of the uncracked.txt file.
cat uncracked.txt
Since all hashes were cracked, the uncracked.txt file will be empty.
Summary
In this lab, you have learned the essential techniques for managing and interpreting the output of Hashcat. These skills are fundamental to organizing an efficient password cracking workflow.
You have learned:
- The role of the
hashcat.potfileas an automatic database for all cracked passwords. - How to use
hashcat --showto cleanly display the cracked passwords from a specific hash list. - How to use the
-ooption to save cracked passwords to a dedicated output file for reporting and analysis. - How to use the
--leftoption to isolate uncracked hashes, allowing you to focus your future efforts effectively.
By mastering these output and file management features, you can run more organized, efficient, and effective password recovery sessions with Hashcat.
