Post by
Author Syukra

Published on Dec 14, 2024

Last updated on Apr 11, 2025

How to Use Hashcat Kali Linux

Hashcat is a popular tool widely used for password cracking, and is relied upon by cybersecurity professionals to test password vulnerabilities. Hashcat supports a wide range of hash algorithms and is capable of leveraging both CPU and GPU power to speed up the hash cracking process. This article will provide a step-by-step guide on how to use Hashcat on Kali Linux.

What is Hashcat?

Hashcat is a command-line hash cracking tool that allows you to crack various types of hashes, including MD5, SHA-1, NTLM, and more. In the context of security, hashing is the process of converting data into a fixed-length string of numbers and letters. Passwords are usually stored as hashes rather than in plain text, but these hashes can still be vulnerable to guessing attacks, and this is where Hashcat comes in handy to test whether or not they can be cracked.

Installing Hashcat on Kali Linux

Hashcat is usually installed on Kali Linux by default. However, if you are using an older version of Kali Linux or want to make sure Hashcat is installed, you can verify it with the following command:

hashcat -V

If Hashcat is not installed, you can install it with the following command:

sudo apt update
sudo apt install hashcat

Supported Hash Types

Hashcat supports a variety of hash algorithms, including:

  • MD5: Commonly used in password hashing.
  • SHA-1 and SHA-256: Used in cybersecurity to verify data integrity.
  • NTLM: Hashing algorithm used by the Windows operating system.
  • bcrypt and argon2: Stronger algorithms used to secure passwords.

For a complete list of supported hash types, you can run the following command:

hashcat -h | grep Hash

Preparing a Hash File

To use Hashcat, you need to prepare a file containing the hashes you want to crack. This file usually contains one hash per line.

For example, if you want to crack the MD5 hash of the password “password123”, you can first calculate the hash:

echo -n "password123" | md5sum

The result will be:

482c811da5d5b4bc6d497ffa98491e38  -

Save the hash itself (without the trailing “-” that md5sum prints) in a text file, such as hash.txt.

Using Hashcat Attack Modes

Hashcat supports several types of attack modes, including:

  1. Dictionary Attack: Hashcat tries to guess the password using a list of existing words.
  2. Brute-Force Attack: Hashcat tries all combinations of characters.
  3. Hybrid Attack: A combination of dictionary and brute-force attacks.

1. Dictionary Attack

A dictionary attack uses a password file that contains many possible passwords. Hashcat will try to match the hash to each word in this list. Here is the command:

hashcat -m 0 -a 0 -o results.txt hash.txt /usr/share/wordlists/rockyou.txt

Explanation:

  • -m 0: Indicates the MD5 hash type.
  • -a 0: Specifies a dictionary attack.
  • -o results.txt: Output file for results.
  • /usr/share/wordlists/rockyou.txt: Location of the list of passwords used.

2. Brute-Force Attack

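A brute-force attack is more intensive because it tries all possible combinations of characters. For example, to try every combination of letters, numbers, and symbols with a password length of up to 6 characters, use the command:

hashcat -m 0 -a 3 --increment hash.txt '?a?a?a?a?a?a'

Description:

  • ?a: Combination of numbers, uppercase letters, lowercase letters, and symbols.
  • -a 3: Indicates a brute-force (mask) attack.
  • --increment: Tries every length from 1 character up to the full length of the mask; without it, only passwords of exactly 6 characters are tested.
  • The mask is quoted so that the shell does not treat ? as a wildcard.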
3. Hybrid Attack

A hybrid attack combines a dictionary attack and brute-force. For example, if you know that your passwords always end in a two-digit number, you could try:

hashcat -m 0 -a 6 hash.txt /usr/share/wordlists/rockyou.txt '?d?d'

Description:

  • -a 6: Hybrid attack mode (wordlist followed by a mask).
  • ?d?d: Appends two digits to the end of each word in the list.

Hashcat Performance Optimization

Hashcat can use either the CPU or the GPU to increase cracking speed. If your computer has a compatible GPU, you can run Hashcat with the GPU to speed up the process. To force Hashcat to use the GPU, use the following command:

hashcat -D 2 -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Description:

  • -D 2: Instructs Hashcat to use only GPU devices (-D 1 selects the CPU).

Pausing and Resuming

Password cracking can take hours or even days. If you need to pause Hashcat, press Ctrl+C while it is running. You can resume it later with the command:

hashcat --session my_session --restore

For this to work, the session must be named by adding --session <session_name> to the initial command (my_session in the example above).

Saving Cracking Results

Once finished, Hashcat will save the successfully found passwords in the output file you specified earlier, for example results.txt. The format is like this:

482c811da5d5b4bc6d497ffa98491e38:password123

You can open this file to see the cracking results.
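Before relying on a results file, for example when reporting weak passwords found in an audit, it is worth confirming that every reported password really hashes to the value in your hash file. The following added example (not from the original article) prepares hash.txt without md5sum's trailing “-” and then checks a results file in the hash:password format shown above; the function names and the sample data are constructed for illustration, and md5sum from coreutils is assumed.

```shell
#!/bin/sh
# Added example: build hash.txt the way the article does, then check a
# hashcat-style results file by recomputing MD5 of every reported password.
# Not handled: passwords that hashcat writes in its $HEX[...] encoding.

# md5_hex STRING -> 32-char lowercase MD5 hex digest, without md5sum's " -"
md5_hex() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# is_md5 LINE -> success if LINE is exactly 32 hex characters
is_md5() { printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'; }

# verify_results RESULTS HASHES
# Prints "verified=N bad=M". A line counts as verified when it is "hash:plain",
# the hash is listed in HASHES, and MD5(plain) equals the hash.
verify_results() {
    verified=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        hash=${line%%:*}        # MD5 hex has no ":", so split at the first one
        plain=${line#*:}        # the password itself may contain ":"
        if is_md5 "$hash" && grep -qix "$hash" "$2" &&
           [ "$(md5_hex "$plain")" = "$(printf '%s' "$hash" | tr 'A-F' 'a-f')" ]; then
            verified=$((verified + 1))
        else
            bad=$((bad + 1))
        fi
    done < "$1"
    echo "verified=$verified bad=$bad"
}

# Constructed sample data in a temporary directory.
demo() {
    dir=$(mktemp -d)
    md5_hex 'password123' > "$dir/hash.txt"
    md5_hex 'a:b' >> "$dir/hash.txt"
    {
        echo "$(md5_hex 'password123'):password123"
        echo "$(md5_hex 'a:b'):a:b"
        echo "$(md5_hex 'password123'):wrongplain"   # deliberately inconsistent
    } > "$dir/results.txt"
    verify_results "$dir/results.txt" "$dir/hash.txt"
    rm -rf "$dir"
}
demo    # verified=2 bad=1
```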

Tips and Tricks for Using Hashcat

  1. Choose the Right Password List: Use a list that has a high probability of containing the target password. rockyou.txt is a popular one on Kali Linux.
  2. Performance Tuning: Try to adjust the parameters according to your computer’s capacity, especially if you are using a laptop or device with limited power.
  3. Understand the Hash Used: Identify the hash first before starting cracking to save time and effort.

Ethics and Legality in Using Hashcat

Hashcat is a very powerful tool and can be used for illegitimate purposes. However, it is important to remember that unauthorized password cracking is illegal in many countries. Make sure you only use Hashcat for security testing on systems that you own or have the owner's permission to test.

Conclusion

Hashcat in Kali Linux is a very effective tool for testing password security. By utilizing cracking techniques such as dictionary, brute-force, and hybrid attacks, you can find weak passwords in your system. In addition, Hashcat supports a variety of hash algorithms, making it suitable for extensive testing. Make sure you follow the applicable ethics and laws in its use.

That’s a complete guide on how to use Hashcat in Kali Linux. Hopefully, it is useful for those of you who are studying cybersecurity or want to test password security on your system.
