Hashcat usage method and technical sharing

2024-12-24 12:26:55

There are four basic ways to decrypt hashcat:
1. Dictionary decryption

2. Combined string decryption

3. Brute force decryption (deprecation) – mask attack (mask decryption)
4. There are also rule-based decryption methods for hybrid decryption
, and there are also case-toggle methods, but they can be classified as rule-based decryption

Dictionary decryption

-a 0 -m type hashfile dictionary1 dictionary2
seems to be able to be accelerated with GPU

Combined string decryption

Suppose the dictionary reads something like this
: 11,
22,
33

Then the combination is:
1111
1122
1133
2222
2233
3333

Specify the left or right side of the character

     -j,  --rule-left=RULE              Single rule applied to each word on the left dictionary

    -k,  --rule-right=RULE             Single rule applied to each word on the right dictionary123

Take a chestnut:
Dictionary 1:

    11
    2212

Dictionary 2:

    33
    4412

commands:

    -j '$-'
    -k '!$'12

In the $proxy dictionary above, -j '$-' means add a -,-k '$!' to the right of the word means add one to the left of the word!
So the resulting combination is:

    11-33!
    22-33!
    11-44!
    22-44!1234

Mask Attack

This thing,The official explanation is relatively simple,That is, mask attack is stronger than brute-force in reducing the number of password tables,As for the algorithm to reduce the number of passwords, there is no too much introduction (based on hcmask files),Just a simple mention of reducing the number of passwords through some conventional password forms,For example: "Kele1997",Brute force decryptionwill enumerate all the possibilities, etc.. However, when the mask attack is attacked, the program will try to capitalize only the first letter, because most passwords rarely have the second or third position, and these rules are used to reduce the number of password candidates

Officially, Mask Attack has no drawbacks over Brute-Force, as Mask Attack can generate all Brute-Force passwords

Charset character set

内置字符集
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff123456789

There are charsets in the program's directory that contain all sorts of weird characters, and you can use them if you add them to your password

hashcat has four parameters for specifying a custom character set
: –custom-charset1=CS
–custom-charset2=CS
–custom-charset3=CS–custom-charset4=CS,

these four parameters can be abbreviated -1, -2, -3 and -4 instead. You can specify a custom character set for decryption

The following command sets the first custom charset (-1) to russian language specific chars:
-1 charsets/special/Russian/ru_ISO-8859-5-special.hcchr

Password length increments

Instead of specifying a fixed length of the password, we can do this by specifying the –increment parameter

 -i, --increment                |      | Enable mask increment mode                           |     --increment-min            | Num  | Start mask incrementing at X                         | --increment-min=4     --increment-max            | Num  | Stop mask incrementing at X                   123

Hashcat mask files

-a 3 hash.txt mask_file.hcmask loads the hcmask file and uses the mask in the file to decrypt it

Hashcat comes with several hcmask files, which are placed under the program directory mask/

Hexadecimal characters

--hex-charset The string after it is 16

Hybrid decryption

The generated password is a combination of characters generated by a dictionary and brute force decryption,
for example: example.dict

    password
    hello12

hashcat64 -a 6 example.dict ?d?d?d?d
?d
?

    password0000
    password0001
    password0002
    .
    .
    .
    password99991234567

hashcat64 -a 6 ?d?d?d?d example.dict
result:

0000password
0001password
.
.
.
9999password123456

Using rules to emulate Hybrid attack

Use the maskprocessor to use the rules to generate the rules required for brute-force decryption, and then the generated rule file can be loaded using hashcat -r and mixed with dictionaries into a password candidate
: example.dict

hello
password12

hash -o bf.rule '$?d $?d $?d $?d

The generated rule looks like this: bf.rule

$0 $0 $0 $0
$0 $0 $0 $1
$0 $0 $0 $2
$0 $0 $0 $3
$0 $0 $0 $4
.
.
.
$9 $9 $9 $9123456789

Then use hashcat -a 6 example.dict -r bf.rule -m...
The final generation looks like this:

    hello0 0 0 0
    password0 0 0 0
    hello0 0 0 1
    password0 0 0 1
    hello0 0 0 2
    password0 0 0 2
    .
    .
    .
    hello9 9 9 9
    password9 9 9 91234567891011