Hashcat examples

Rule based attack

Use a wordlist and best64 rules to try and crack a wordpress hash. Using rockyou.txt as an example.

-m Specifies the hash type

hashcat -m 400 wordpress.hash -r rules/best64.rule wordlist/rockyou.txt

wordpress.hash is a text file that contains the password hash. You can list multiple hashes in the file

Example contents of file

bob@localhost:~$ cat wordpress.hash 
$P$BeJ2ZWVgSx/rR8ifcTFyjq1ouCCWwu0
bob@localhost:~$

Brute force

Attempt every 8 numeric combination for a WPA2 key.

hashcat -m 2500 -a3 capture.hccapx ?d?d?d?d?d?d?d?d

Hashcat built in Charsets

You can swap out the ?d from the above command with any of the built in character sets below.

  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
  d | 0123456789
  h | 0123456789abcdef
  H | 0123456789ABCDEF
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff

More information
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
Rule based attacks are recommended
https://hashcat.net/wiki/doku.php?id=rule_based_attack

Generate Password list using Crunch

Install crunch and then generate a word list with the following command. The 8 8 tells crunch to generate combinations that have a minimum and maximum length of 8. All the numbers from 1-0 tells crunch to use these characters, -o writes to output file.

Change options if desired.

crunch 8 8 1234567890 -o 8numberchars.lst

Further reading. https://tools.kali.org/password-attacks/crunch

Hydra – SSH Example

Hydra is a network login cracker. You’ll need a password list and username(s) to get started.

Install Hydra

sudo apt-get install -y hydra 

Launch against device
Change the IP address to the target IP
Change ubnt to target Username
Change password.lst to your password list file

SSH Example

hydra -l ubnt -P password.lst 192.168.1.20 ssh

Run hydra -h to get the full help.

Alfred@localhost:~$ hydra -h
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
 Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]
 Options:
   -R        restore a previous aborted/crashed session
   -I        ignore an existing restore file (don't wait 10 seconds)
   -S        perform an SSL connect
   -s PORT   if the service is on a different default port, define it here
   -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
   -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
   -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
   -y        disable use of symbols in bruteforce, see above
   -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
   -u        loop around users, not passwords (effective! implied with -x)
   -C FILE   colon separated "login:pass" format, instead of -L/-P options
   -M FILE   list of servers to attack, one entry per line, ':' to specify port
   -o FILE   write found login/password pairs to FILE instead of stdout
   -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
   -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
   -t TASKS  run TASKS number of connects in parallel per target (default: 16)
   -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
   -w / -W TIME  wait time for a response (32) / between connects per thread (0)
   -c TIME   wait time per login attempt over all threads (enforces -t 1)
   -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
   -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode 
   -O        use old SSL v2 and v3
   -q        do not print messages about connection errors
   -U        service module usage details
   -h        more command line options (COMPLETE HELP)
   server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
   service   the service to crack (see below for supported protocols)
   OPT       some service modules support additional input (-U for module help)
 Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
 Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
 v3.0. The newest version is always available at http://www.thc.org/thc-hydra
 Don't use in military or secret service organizations, or for illegal purposes.
 These services were not compiled in: afp ncp oracle sapr3.
 Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
 E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
      % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)
      % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
      % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)
 Examples:
   hydra -l user -P passlist.txt ftp://192.168.0.1
   hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
   hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
   hydra -l admin -p password ftp://[192.168.0.0/24]/
   hydra -L logins.txt -P pws.txt -M targets.txt ssh