
Humans are bad at passwords.

It’s true. We’re terrible at making them, we’re terrible at remembering them, and we’re terrible at assessing their quality. It’s difficult to emphasize just how terrible we are without demonstrating how easy they are to break—so that’s exactly what we’re going to do.

Let’s take a look at perhaps the most powerful password cracking tool of our time: hashcat. Used by hackers and security professionals alike, hashcat serves as both a formidable enemy and a bleak reminder of just how terrible we humans are at handling security on our own.

Prerequisites

This is not an introduction to password cracking. That can be found here. Instead, this is a more advanced guide, so we have some prerequisites.

Background

If you’re already familiar with the basics of encryption and the need for password hashing, you may want to skip this section.

What is a password hash?

Modern applications rarely store passwords in plaintext—that is, in an unencrypted form. Instead, they use a cryptographic technique called hashing. Passwords provided by users are hashed before they’re stored in a database.

Hashing is a one-way cryptographic process. The same input will always result in the same output, but it’s not possible to go the other direction without a lot of work. When a user attempts to log in, the application will hash the attempted password and check whether it matches the stored hash. If they’re the same, the user has entered the correct password.

An ideal hashing algorithm produces output that appears random. It’s easy to get the hash if you know the password, but there’s no clear way to get the password from the hash. In order to determine the password, an attacker has to hash every possible password, comparing each resulting hash with the hash that they want to crack. They can improve their odds a bit by limiting their attempts to passwords that humans would likely use—e.g., dictionary words—but this still takes time, and it doesn’t guarantee success if a strong password is used. When we talk about cracking a hash or cracking a password, we’re usually referring to the process of automatically attempting a large number of passwords until we find one that matches the hash we have.

For a long time, this process was deemed sufficient. A hacker that compromised an application’s database was left with a list of hashes. They couldn’t easily obtain the passwords from the hashes, so they were left with useless gibberish.
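The store-and-compare flow described above, as an added example that is not code from the original article. Unsalted SHA-256 stands in for the hash function (the article names none), and `UserStore`, `audit_against_wordlist` and the sample accounts are constructed for illustration.

```python
import hashlib
import hmac


def hash_password(password: str) -> str:
    # Assumption: plain unsalted SHA-256 stands in for "the hash function";
    # the article does not name a specific algorithm.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class UserStore:
    """Hypothetical credential table that keeps only hashes, never plaintext."""

    def __init__(self):
        self.rows = {}  # username -> hex digest

    def register(self, username: str, password: str) -> None:
        self.rows[username] = hash_password(password)

    def verify(self, username: str, attempt: str) -> bool:
        stored = self.rows.get(username)
        if stored is None:
            return False
        # Hash the attempt and compare the two digests in constant time.
        return hmac.compare_digest(stored, hash_password(attempt))


def audit_against_wordlist(rows: dict, candidates: list) -> dict:
    """Return {username: password} for every stored hash a candidate matches.

    This is the guess, hash, compare loop from the text, run the way a
    defender audits their own table for weak passwords.
    """
    lookup = {hash_password(c): c for c in candidates}
    return {user: lookup[h] for user, h in rows.items() if h in lookup}


def build_demo_store() -> UserStore:
    # Constructed sample accounts; "123456" is the password named in the text.
    store = UserStore()
    store.register("alice", "123456")
    store.register("bob", "sunshine")
    store.register("carol", "t7#Vq9!mZ2&xLp4w")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print(store.verify("alice", "123456"), store.verify("alice", "654321"))
    for user, digest in store.rows.items():
        print(user, digest)  # all that a database dump exposes
    print(audit_against_wordlist(store.rows, ["password", "123456", "sunshine"]))
```

The audit recovers the two guessable passwords and leaves the long random one unmatched, which is the gap between "an attacker only has hashes" and "an attacker has nothing useful".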

Over time, people realized that this process alone was still insufficient for three reasons:

  1. Humans are notoriously bad at coming up with random data, which also means we’re bad at coming up with our own passwords. This means a lot of people choose the same passwords, which means a lot of users have the same hash. We know roughly how common each popular password is—for example, the single most popular password is 123456. By matching plaintext password frequency with hash frequency, hackers can get a pretty good idea of which hashes correspond to which passwords. The fifth most popular password probably corresponds to the fifth most frequent hash, or something in that vicinity.
  2. If half of the users in a database share the same hash, and a hacker manages to crack that hash, they will have the password for a lot of accounts. The number of hashes a hacker has to crack is a lot lower than the number of users.