KaliTut

Kali Linux tutorial and Linux system tips

Basic and advanced use of oclHashcat (Hashcat)

Last Updated on by Leave a Comment

Basic and advanced use of oclHashcat (Hashcat) for hacking WPA/WPA2 passwords from the Handshake General information about oclHashcat (HASHCAT)
Hashcat Options
Hashcat comes in two versions:

  • Hashcat – Password recovery tool using the central processor
  • Oclhashcat – GPU-using tool

Many of the algorithms supported by Hashcat can be hacked in a shorter time when using the well-documented capabilities of the GPU. For this purpose the program oclHashcat is intended, at its use the considerable increase in such algorithms as MD5, SHA1 and others is reached. However, not all algorithms can be accelerated using the GPU. Bcrypt is a good example of this. Because of factors such as branching of data dependencies, serialization and memory (only some are mentioned), oclHashcat is not a comprehensive substitute for Hashcat.

oclHashcat and Hashcat are available for Linux, OSX and Windows. And if we are talking about the speed of hacking using a GPU, the speed of hash iteration on one computer on different OS (on Linux and Windows) will be identical, because the system is not affected by the GPU.

oclHashcat, as the authors themselves modestly note, is the fastest password recovery tool using a graphics processor. The program is free, although it contains a proprietary code base. Versions are available for Linux, OSX and Windows, there are options for using a central computing processor and for using a graphics processor. oclHashcat currently supports a huge number of hashing algorithms, including Microsoft LM Hashes, MD4, MD5, the SHA family, Unix Crypt formats, MySQL, Cisco PIX, and many others (there are hundreds of them). Slightly less, but many algorithms are supported by Hashcat.

Types of oclHashcat attacks
Hashcat offers a variety of attack patterns for efficient and comprehensive coverage of hashes. There are the following modes:

  • Brute-force attack (brute force)
  • Combinatorial attack
  • Dictionary attack
  • Fingerprint Attack
  • Hybrid attack
  • Mask attack
  • Permutation Attack
  • Rule based attack
  • Tabular Attack
  • Switch Layout Attack

The traditional brute force attack can be considered obsolete, and the Hashcat development team recommends a masked attack as a full replacement.

Hacking WPA / WPA2 passwords in oclHashcat (Hashcat)
Why use oclHashcat to hack WPA WPA2 handshakes?
Pyrit is the fastest when we need to crack WPA2 WPA handshakes. So why do we use oclHashcat (Hashcat) to crack WPA2 WPA handshakes?
Because we can?
Because oclHashcat (Hashcat) allows us to customize the attack with given rules and masks. oclHashcat (Hashcat) allows us to use the built-in character sets to attack the WPA2 WPA handshake file.

Moreover, there are reports that in systems with a large number of video cards, Pyrit is slower than oclHashcat. The author of the report speaks about poor scalability of Pyrit. I can not confirm or deny this.

A detailed description of all attacks available in oclHashcat (Hashcat) is given in the article ” Types of attacks oclHashcat (Hashcat) “. Therefore, if you do something incomprehensible in the preparation of masks, then refer to it.

We need to convert a handshake (.cap) file to the .hccap format, which is understood by oclHashcat (Hashcat), and before that the file needs to be cleaned. This must be done, because otherwise nothing happens.

Cleaning wapaclean .cap files
I will show the example of the file with the captured handshake Narasu_3E-83-E7-E9-2B-8D.cap.
To manually clean up .cap, use the following command in Kali Linux:

wpaclean

Notice that, contrary to logic, the output file goes first, and then the input . It would seem logical to be . Remember this, so as not to waste time on finding out the problem. 
In my case, the command looks like this:

wpaclean hs/out.cap hs/Narasu_3E-83-E7-E9-2B-8D.cap

Convert .cap files to .hccap format

We need to convert this file to a format understandable by oclHashcat.
To convert it to .hccap format using aircrack-ng, we need to use the -J option .

aircrack-ng  -J

Notice -J is the capital J, not the small j. In my case, the command is as follows:

aircrack-ng hs/out.cap -J hs/out

Dictionary attack on a handshake:

oclHashcat --force -m 2500 /root/hs/out.hccap /root/rockyou.txt

Here:

  • -m 2500 – attack on WPA / WPA2 password
  • /root/hs/out.hccap – our file, which we received after cleaning and converting
  • /root/rockyou.txt – dictionary that is being searched.

Attack brute force on the handshake:

oclHashcat -m 2500 -a 3 /root/hs/out.hccap ?d?d?d?d?d?d?d?d

Here:

  • -a 3 – brute force attack
  • /root/hs/out.hccap – our file, which we received after cleaning and converting
  • ? d? d? d? d? d? d? d? d – mask (eight digits)

Advanced tricks with oclHashcat
Testing multiple WPA handshakes at oclHashcat at a time
The .hccap file format allows you to have multiple networks within the same .hccap file.

This means that a single .hccap file can consist of many independent .hccap structures interlinked with each other.
For Linux / OSX systems, you should use a command like this:

cat single_hccaps/*.hccap > all_in_one/multi.hccap

In this particular example, the multi.hccap file will consist of all networks whose files were in the single_hccaps / directory.
* hashcat is able to download this multi.hccap file and hack all networks at the same time. Since several different networks have different “salts”, the hacking rate will decrease depending on the number of networks in the .hccap file. This is not a mistake – this is normal behavior. The main advantage is that you do not need to re-launch several attacks one after the other for each individual network / capture.
cap2hccap can also convert a .cap file with captures from multiple networks to a single (“multi”) .hccap file.

There are also third-party tools like analyze_hccap / craft_hccap / hccap2cap , which can help you understand and modify the contents of the .hccap file.

Note: concatenated networks do not have to be from the same .cap file – there is no such restriction from where the files should be. But, of course, they must be valid / complete captures.

Where are all the decoded passwords. What is the .pot file
The .pot file stores hashes that have already been hacked / shown and which therefore do not need to be hacked / shown again.

On Windows, this file is located in the same directory as the executable files oclHashcat, its name is oclHashcat.pot . Typical file content:

$office$*2013*100000*256*16*f557b3c23e7223e5d966aced27ad1fd4*54c6c24e58b72353f952b1fe0de746b1*c3db501ad0ac82d88ad4e8664f474eb7077eb2c81636a672aa717cfa93cba7d8:345678
$pdf$2*3*128*-1596*1*16*5692983949d33f4b4ddf6c31bd00e3f4*32*88d671fd4103cc46fc9ac48181e31b5300000000000000000000000000000000*32*6bc706ffd3413af9be7912f5966277f05254b4904513993bea4820386ca60e5f:
$pdf$2*3*128*-3904*1*16*07652f72cd2857abf65708f646ca08fa*32*3352ac091478d852687f11eae257db8400000000000000000000000000000000*32*c730fdb8cf5ff7b59c244b61b745f71ac5ba427b1b9102da468e77127f1e69d6:234567
$pdf$2*3*128*-3904*1*16*07c1fb5b68b1661cf11ade3c2585810d*32*96ef8a8c8437a050236543ceb51d586e00000000000000000000000000000000*32*cccd4459a76caf008768ac15754f5f1869423ea8e0fde12d66fb0631d35acc6d:234567
$pdf$2*3*128*-3904*1*16*516b008c0274e68d88b69562344c20d2*32*a4af4d09fa1621294392016793c1a97900000000000000000000000000000000*32*d6413e32df2e0dfead36ac3600f43a10093ac1e4319df18349417fa789898a1b:
$pdf$2*3*128*-3904*1*16*da6015d029a61a8d9e03f75bd15708c1*32*4c7c8c3f5c924568eb1027577f40031d00000000000000000000000000000000*32*3b0385c9dc4642158ab4e29308152b8868103928aa499af91fdbb48dc84cabd6:4567890
$7z$0$19$0$$8$0a80e901a82740da0000000000000000$3348097732$128$122$e1a779ef1123455b50f903575eebebdcc1dcd8a3e2a3d9e97efd783ccd3e1be06dcec7334f5c7bd21b4ad168694927924be55c96e56fdb3209b3f04244d6d18ea3f691774bc1376b1f2b5291b52988e62b030dbfad3ce36d70bbeb2433eda2a1110cd82e72dbc324a41e45a4959fb958c77a3033899feea67daa06a3fa341c33:234567

The reason for this is, for example, that otherwise the output file ( –outfile , -o ) could contain the output of the same identical hashes over and over (if different attacks lead to the same candidate passwords that give matching results).

This also has an effect on breaking hashes with salt. If oclHashcat notices that all hacked hashes are associated with a particular salt, then it is safe not to create new assumptions for this salt. This means, for example, if you have 2 hashes with different salts and one is cracked, the speed doubles. Now if you restart the session for any reason, the profile marks one cracked hash as cracked, and therefore the salt is marked as cracked. Therefore, your launch will double the guessing speed.

You can completely disable potfile support using –potfile-disable . However, it is strongly recommended not to disable it. If you have, for example, a huge list of hashes with salt, and you do not use –remove and for any reason you have to restart the hacking session, all your guessing speed bonuses are lost.

Remember that using a .pot file is quite different depending on the idea you are using –remove with . Having a list of hashes with only non-cracked hashes is great, but with a profile you can do the same if you use –left toggle . For example, if your hacking session is over and you want to have a list of remaining ones (not hacked), you can simply run:

./oclHashcat64.bin --left -o leftlist.txt -m 0 hash.txt

Now you will have both: the original list and the list of remaining ones.

It is also safe to copy (or add) data from one profile to another.
Using the .pot file is much more prosaic – I’m looking there for passwords that I forgot to write down / save from previous hacks.

How to Convert .hccap to .cap

You can convert WPA/WPA2 hccap hashcat files back to (p) cap files. This will help us the program hccap2cap . Her official website: https://github.com/philsmd/hccap2cap

Hccap2cap installation

Dependencies

  • gcc compiler
  • aircrack-ng / wireshark, etc. To open / test the resulting .cap file

Clone the repository:

git clone https://github.com/philsmd/hccap2cap.git

Compile:

cd hccap2cap
gcc -o hccap2cap hccap2cap.c

Using:

./hccap2cap

If you do not have an hccap file at hand, you can download an example:

wget http://hashcat.net/misc/example_hashes/hashcat.hccap

Run the program to convert the file:

./hccap2cap hashcat.hccap hashcat_converted.cap

Check the results:

wireshark hashcat_converted.cap
oclHashcat

Distributed computing with oclHashcat (Hashcat)
The oclHashcat help has the following options for distributed (on different computers) calculations:

   -s, --skip = NUM Skip word count
   -l, --limit = NUMBER Be limited to the number of words 
        --keyspace Show key space database (word count 
          in the dictionary or the number of options for the mask)

Not very much, but, in fact, if you know how to write Bash scripts a bit and are familiar with SSH, then you are quite capable of implementing distributed hacking with oclHashcat.

The algorithm is as follows:

  • connect to remote computers and conduct a benchmark using the algorithm of interest to us
  • if you need to use files (hash files, dictionaries), then upload these files to remote machines
  • launch an attack on remote machines, manipulating the -s and -l options in accordance with the benchmarks data

If you are not ready for independent programming, then there are ready-made free solutions:
polycat

  • https://github.com/Atticuss/polycat

PassCrackNet

Hashtopus

Disthc

Leave a Reply

Your email address will not be published. Required fields are marked *