Note that Hashcat is closed source. An open source alternative is John the Ripper.
Note also that there's a GPU-enabled version of hashcat, ocl-hashcat.
Why?
Whether you'll ever have a legitimate need for this stuff depends, but apart from the fun of it -- and the feelings of Power that cracking gives you -- being able to crack the odd password does serve as an eye-opener to how easy this can be under the right circumstances. And who knows? You might find a justified use for it, especially if you're in academia, where old computers and poor discipline abound, and you are faced with computers that belong to you but were set up without any proper records.
Installation
sudo apt-get install p7zip-full
sudo mkdir /opt/hashcat -p
sudo chown $USER /opt/hashcat
cd /opt/hashcat
wget http://hashcat.net/files/hashcat-0.44.7z
wget http://hashcat.net/files/hashcat-gui-0.5.1.7z
wget http://runamux.net/search/download/file/95wr2RdM/rockyoutxt.bz2
7z x hashcat-0.44.7z
7z x hashcat-gui-0.5.1.7z
bunzip2 rockyoutxt.bz2
echo 'export PATH=$PATH:/opt/hashcat/hashcat-0.44:/opt/hashcat/hashcat-gui-0.5.1' >> ~/.bashrc
source ~/.bashrc
Test run
Let's generate a file of simple passwords to crack:
echo -n "city" | md5sum > test.list
echo -n "n00b" | md5sum >> test.list
echo -n "123654" | md5sum >> test.list
echo -n "Chicago" | md5sum >> test.list
cat test.list
4ed5d2eaed1a1fadcc41ad1d58ed603e  -
16e029226d8960b2d7cba16cab5f7044  -
733d7be2196ff70efaf6913fc8bdcabf  -
9cfa1e69f507d007a516eb3e9f5074e2  -
Edit the test.list file to remove all the trailing ' -' so that each line is just the hex digest. Note that you need to run hashcat-gui from your /opt/hashcat/hashcat-0.44/ folder. Start hashcat-gui:
cd /opt/hashcat/hashcat-0.44/ hashcat-gui64.bin
Once it has finished, you can look at the output
cat test.list.out
733d7be2196ff70efaf6913fc8bdcabf:123654
9cfa1e69f507d007a516eb3e9f5074e2:Chicago
4ed5d2eaed1a1fadcc41ad1d58ed603e:city
Use the rule set best64 and it cracks all passwords and does it fast:
733d7be2196ff70efaf6913fc8bdcabf:123654
9cfa1e69f507d007a516eb3e9f5074e2:Chicago
4ed5d2eaed1a1fadcc41ad1d58ed603e:city
16e029226d8960b2d7cba16cab5f7044:n00b
My account password wasn't cracked by this though, but all that we can be certain that it means is that it would take someone more than 30 seconds to do so. Maybe 35 seconds, maybe 2 years -- we can't tell.
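The post builds the test list with md5sum and then has you strip the trailing ' -' by hand, and reads test.list.out to see what was recovered. The following script is an added example (not part of the original post) that does both steps without manual editing: it writes bare hex digests, and it joins your submitted hashes against a hashcat hash:plain output file so you can see which of your own hashes were cracked and which were not. The file names and the sample output text are constructed for the example; the digests are the four from the post's test.list.

```python
import hashlib
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed test words: the same four the post uses.
TEST_WORDS = ["city", "n00b", "123654", "Chicago"]


def md5_hex(word: str) -> str:
    """Hex MD5 of the word alone, i.e. what 'echo -n word | md5sum' prints
    before the two spaces and the '-' that mark stdin as the input."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def hash_list(words: List[str]) -> List[str]:
    """One bare hex digest per word, in the order given."""
    return [md5_hex(w) for w in words]


def write_hash_list(words: List[str], path: str) -> List[str]:
    """Write the digests one per line, so no manual cleanup is needed."""
    lines = hash_list(words)
    Path(path).write_text("\n".join(lines) + "\n", encoding="utf-8")
    return lines


def parse_outfile(text: str) -> Dict[str, str]:
    """Parse hashcat's hash:plain output lines into {hash: plaintext}."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        # Split on the first ':' only; the plaintext may itself contain ':'.
        digest, plain = line.split(":", 1)
        found[digest.lower()] = plain
    return found


def crack_report(hashes: List[str], outfile_text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (cracked, uncracked) for the hashes you submitted.

    cracked maps digest -> plaintext; uncracked keeps the submission order."""
    found = parse_outfile(outfile_text)
    cracked = {h.lower(): found[h.lower()] for h in hashes if h.lower() in found}
    uncracked = [h for h in hashes if h.lower() not in found]
    return cracked, uncracked


# Constructed sample: the four digests from the post's test.list and the
# three lines test.list.out contained after the plain-wordlist run.
SAMPLE_HASHES = [
    "4ed5d2eaed1a1fadcc41ad1d58ed603e",
    "16e029226d8960b2d7cba16cab5f7044",
    "733d7be2196ff70efaf6913fc8bdcabf",
    "9cfa1e69f507d007a516eb3e9f5074e2",
]
SAMPLE_OUT = """\
733d7be2196ff70efaf6913fc8bdcabf:123654
9cfa1e69f507d007a516eb3e9f5074e2:Chicago
4ed5d2eaed1a1fadcc41ad1d58ed603e:city
"""

if __name__ == "__main__":
    # Writes a clean test.list next to this script (constructed path).
    write_hash_list(TEST_WORDS, "test.list")
    cracked, uncracked = crack_report(SAMPLE_HASHES, SAMPLE_OUT)
    for h, p in cracked.items():
        print(f"{h}  {p}")
    for h in uncracked:
        print(f"{h}  <not cracked>")
```

Run it in the directory where you want test.list to appear; the report part reads the embedded sample, so to check a real run pass the contents of test.list.out to crack_report instead of SAMPLE_OUT. The "not cracked" list is the useful output for a defender: those are the hashes your wordlist and rules did not reach in the time you gave them.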
If you want to compare with John the Ripper you could do e.g.
mpirun -n 6 run/./john test.list --wordlist=rockyoutxt --format=raw-md5
to do list-based cracking and
mpirun -n 6 run/./john test.list --format=raw-md5
for brute-force.
John the Ripper works well for Windows passwords as well (might write about that in another post).
Linux passwords
To crack actual Linux user passwords, you'll need to access /etc/shadow, and only root should be able to do that. Looking at /etc/shadow we have for example
guest:$6$MyySaltt$eZXKl12CRRPZW1O/wKpodIB76f46NNVQ3o2Pyvh3m0QeHaW20WthUCkeLCZSPS6o9lks8g4Ua8v6OqbIXZw4r.:12567:0:88888:3:::
I've made up the entry above (the hash was generated with mkpasswd -m sha-512 -S MyySaltt, i.e. it is salted with MyySaltt). Anyway, copy the hash, e.g.
$6$MyySaltt$eZXKl12CRRPZW1O/wKpodIB76f46NNVQ3o2Pyvh3m0QeHaW20WthUCkeLCZSPS6o9lks8g4Ua8v6OqbIXZw4r.
to a file, e.g. nutest.list
Do
man crypt
The $6$ means that it's a SHA-512 hashed password:
ID | Method
---------------------------------------------------------
1  | MD5
2a | Blowfish (not in mainline glibc; added in some Linux distributions)
5  | SHA-256 (since glibc 2.7)
6  | SHA-512 (since glibc 2.7)
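To see how the $id$salt$hash format from man crypt and the shadow fields fit together, here is an added example (not from the post) that parses a shadow line, splits the crypt(3) string into method id, optional rounds, salt and digest, names the method from the table above, and reports the things an administrator auditing /etc/shadow wants flagged: empty password fields, locked accounts, MD5-crypt hashes and passwords that never expire. The sample line is the post's made-up guest entry; the hashcat mode numbers other than 1800 (the one the post uses) are hashcat's documented mode numbers for the other crypt(3) schemes, and the audit rules are this example's own choices.

```python
from dataclasses import dataclass
from typing import List, Optional

# crypt(3) ID -> method, as listed in "man crypt".
CRYPT_METHODS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}

# hashcat -m mode numbers: 1800 (sha512crypt) is the one the post uses; the
# rest are hashcat's documented modes for md5crypt, bcrypt and sha256crypt.
HASHCAT_MODES = {"1": 500, "2a": 3200, "5": 7400, "6": 1800}


@dataclass
class CryptHash:
    method_id: str
    salt: str
    digest: str
    rounds: Optional[int] = None

    @property
    def method(self) -> str:
        return CRYPT_METHODS.get(self.method_id, "unknown")


def parse_crypt(field: str) -> Optional[CryptHash]:
    """Split '$id$[rounds=N$]salt$digest'. Returns None for empty or
    locked fields ('!' or '*' prefixed), which hold no usable hash."""
    if not field or field.startswith(("!", "*")):
        return None
    parts = field.split("$")
    # A modular-crypt string starts with '$', so parts[0] is the empty string.
    if len(parts) < 4 or parts[0] != "":
        return None
    method_id, rest = parts[1], parts[2:]
    if method_id.startswith("2"):
        # bcrypt: $2a$<cost>$<22-char salt><31-char digest>, no '$' between them.
        cost, blob = rest[0], rest[1]
        return CryptHash(method_id, blob[:22], blob[22:], int(cost))
    rounds = None
    if rest[0].startswith("rounds=") and len(rest) >= 3:
        rounds = int(rest[0][len("rounds="):])
        rest = rest[1:]
    if len(rest) < 2:
        return None
    return CryptHash(method_id, rest[0], rest[1], rounds)


@dataclass
class ShadowEntry:
    user: str
    crypt: Optional[CryptHash]
    raw_hash: str
    last_change: int  # days since 1970-01-01
    min_days: int
    max_days: int
    warn_days: int


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one /etc/shadow line (nine colon-separated fields)."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}")

    def num(s: str) -> int:
        return int(s) if s else -1  # empty aging field -> -1 (unset)

    return ShadowEntry(f[0], parse_crypt(f[1]), f[1],
                       num(f[2]), num(f[3]), num(f[4]), num(f[5]))


def audit(entry: ShadowEntry) -> List[str]:
    """Findings a defender cares about for one account."""
    findings: List[str] = []
    if entry.crypt is None:
        if entry.raw_hash == "":
            findings.append("empty password field: login without a password")
        else:
            findings.append("account locked (no usable hash)")
        return findings
    if entry.crypt.method_id == "1":
        findings.append("MD5-crypt: far cheaper to attack than SHA-512 crypt")
    elif entry.crypt.method == "unknown":
        findings.append(f"unrecognised crypt id ${entry.crypt.method_id}$")
    if entry.max_days < 0 or entry.max_days >= 99999:
        findings.append("password never expires")
    return findings


# Constructed sample: the post's made-up guest entry.
SAMPLE_SHADOW_LINE = (
    "guest:$6$MyySaltt$eZXKl12CRRPZW1O/wKpodIB76f46NNVQ3o2Pyvh3m0QeHaW20"
    "WthUCkeLCZSPS6o9lks8g4Ua8v6OqbIXZw4r.:12567:0:88888:3:::"
)

if __name__ == "__main__":
    e = parse_shadow_line(SAMPLE_SHADOW_LINE)
    assert e.crypt is not None
    print(e.user, e.crypt.method, "salt=" + e.crypt.salt,
          "hashcat -m", HASHCAT_MODES[e.crypt.method_id], audit(e) or "ok")
```

Run against a real file with `for line in open("/etc/shadow")` as root; the audit output is the inventory you want before anyone bothers running a cracker, because an MD5-crypt or empty entry is a finding on its own.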
Now run hashcat:
hashcat-cli64.bin -n 6 -m 1800 nutest.list rockyoutxt -r /opt/hashcat/hashcat-0.44/rules/best64.rule
where 1800 means SHA-512 (do hashcat --help to see what code to use) and 6 is the number of threads (six-core CPU). You should be able to easily crack this one...