What is Reddit's opinion of hashcat?

From 3.5 billion Reddit comments

> salted and hashed passwords (pretty much useless to hackers)

Kind of misleading, they can be locally bruteforced and reveal your real password (at the time). The longer the password and more different types of characters (numbers, lowercase, uppercase, symbols, etc.) the longer/more computing power it takes to crack.

Not really. Just recently git moved from SHA-1 to SHA-256. This code is probably just brute-forcing with very poor efficiency if it doesn't use a dedicated compiled C module. If you really want to crack some hashed passwords use tools like hashcat. It proved to be quite efficient even on a typical home computer's GPU.

They will probably use a program like hashcat to try to brute force the weaker passwords. Note that this program doesn't work backwards from the hash; it generates password candidates, applies the salt, hashes them, and compares that hash against the known hashes from the database. It will probably be able to crack the weaker passwords (and most user-created passwords are weak).

You're not brute forcing the hash, you're brute forcing passwords. You then hash each generated password until you find one that matches the known hash. See e.g. hashcat.

Again, this is not correct. It's true that hashes are irreversible, but that's not how a brute force password cracker works. It works by generating potential passwords and hashing them, then looking for a matching hash. See e.g. hashcat.

The average user-created password is poor, so these types of programs are usually effective at retrieving passwords.

I've always liked this article though written for the layperson: How I became a password cracker.

It's a decent intro to using Hashcat and password guess generation, doing exactly the operations that you're trying. If you want to dive straight into the deep end, you can use Hashcat's maskprocessor.

Password cracking is most typically done offline. Instead of passing the password to a server, the hashes are attacked using a tool like: https://hashcat.net/hashcat/

It isn't your password being unencrypted. It's is your hash that is attacked.

This is why your help desk guy can't tell you what your forgotten password is. He doesn't know.

There are hashing algorithms that output some random looking string instead of the password itself. PASSWORD becomes PASSHASH.

Hashes are one way. That means there is no way to figure out what PASSWORD is from the characters PASSHASH.

Cracking works by using the same hashing algorithm. I just make a bunch of guesses for passwords and look at the hashes to see if there is a match.

Matching hash means that I found the password.

The application storing the hashes can make things harder for me by using a salt.

In the example above, I have an easy to guess password. I can use a word file of most popular passwords and make millions of guesses per second.

A popular word list is rockyou.txt. Link: https://wiki.skullsecurity.org/Passwords

In fact, I could just pre-hash all of those passwords. Then anyone using those passwords would be easy to pick out when I look at the hashes. This is what a rainbow table is. Pre-hashed word lists.

As the defender, I'm going to select BLUE as my salt. Now instead of PASSWORD, I'm going to hash BLUEPASSWORD. Instead of PASSHASH as an output I get DIFFHASH. This makes my password database a unique snowflake.

TL;DR Server lockouts defeat password guessing, so password hashes are what gets attacked.

You're absolutely correct. I write password permutation scripts using hashcat to try to confirm a password. I have a process running on a LUKS partition right now that has a set of known passwords and an 8-character permutation rules set. The user usually used one of these 23 passwords and usually had numbers and special characters before and after them.

I set the script to permute all ASCII characters before and after these passcodes, with every combination of 1 to 8 characters.

It currently has 5 years and 2 months remaining to exhaust the password combinations.

There are also common password strategies and rule sets, commonly used passwords, and all sorts of attack strategies. If the password is off by one character from any of those, it doesn't work. So... shrug. Sometimes you get lucky, but with any type of strong password you usually don't.

Unless you used uncommon spellings (not real words and not found in any hacker word lists), then the sentence can be composed and tested rather quickly. But with enough words, then it is going to take longer ... how long depends on how many words.

If the dictionary is a good one with ones from many languages ... say 1,493,677,782 words from all languages and books ever printed, and the words had some sort of ranking to determine the ones worth checking first ... like this list https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm ... then it might take a long time.

The problem is that with 81 characters, it is easier to eliminate many words from being checked to meet the length of each test.

I'd imagine that's the the worst way to make something quantum proof.

Instead, I would make the SEED from a secure random generator, then pass it through a BIP39 converter to provide a BIP39 word list as a backup that is easy to read and hard to mess up entering somewhere.

I wonder what the forum at https://hashcat.net/hashcat/ would answer to your question?

I would use HashCat in order to crack a captured handshake, as it comes with Kali Linux. Use a mask attack (-a 3) and specifiy your charset (?d?d?u?d?d?d?d?d). Hashcat: https://hashcat.net/hashcat/ All options: https://hashcat.net/wiki/doku.php?id=hashcat Mask Attak Wiki: https://hashcat.net/wiki/doku.php?id=mask_attack

If you can't remember the password used to encrypt it you can always try cracking it with hashcat. The process may not be successful depending on your hardware's power and how complex your password was.

https://hashcat.net/hashcat/

https://docs.neo.org/docs/en-us/basic/concept/wallets.html#db3-files

Seems like your .db3 file has the private key encrypted with your password that you had set.

You might be able to brute your password with https://hashcat.net/hashcat/ using AES Crypt (SHA256) and Mask Attack / Hybrid attack with all your known passwords that you could have possibly used or use a commonly used password .txt file

While it's no surprise that LE/intel make use of Hashcat it's still nice to see it confirmed.

Hashcat was created by Jens Steube about a decade ago and is still (very) actively maintained; its support for 270+ algorithms is unparalleled. It can be used 'crack password hashes' -- those hashes presumably having been obtained during pentesting or red teaming, or in LE/intel context perhaps via hacking, forensic extraction, or database acquisition (e.g. leaked or privately traded databases that contain password hashes).

Notably, Hashcat also supports password-protected archives (.zip/.rar/.7z/...), encrypted disk volumes (LUKS, FileVault, BitLocker, TrueCrypt, VeraCrypt, ...) and various application-specific formats (e.g. DBMS-specific algorithms and Telegram Desktop/Mobile PINs).

Generally speaking, the effectiveness of a brute-force attack against a given secret will inherently depend on:

• the size and randomness of the secret: the longer & the more random/unpredictable, the more secure it is against brute-force attacks.
• the efficiency of the algorithm that produced it: the more effort it takes to generate a single output, the more effort it takes to find an input that match a known output. E.g. MD5 is extremely fast, while PBKDF2 is designed specifically to slow down brute-force attacks.
• the hardware that runs the attack: the amount and type of memory and processing units (GPU/CPU/APU) and overall hardware design determine the maximum performance (i.e., maximum number of attempts per second).
• picking the right combination of dictionaries and permutations / rule sets (luck may play a role).

Some fun, off memory (could be typo's):

1)

~$ airmon-ng check kill ~$ airmon-ng start wlan0 ~$ airodump-ng wlan0mon

2) Wait till AP's populate then ctrl-c that airodump-ng terminal

3) filter by preference based on previous broad capture:

~$ airodump-ng --bssid <bssid> -c <channel> -w <filename> wlan0mon (Leave this running)

4) new terminal

~$ aireplay-ng -b <bssid> - d <essid> -0 5(0 for Infinite)

Wait for the deauth and that handshake capture in the top right of the airodump-ng terminal.

Now it's time to crack that bad boy (Use Hashcat - formerly OCLHashcat - for hardware accelerated cracking). Use windows (I know) for the best GPU driver / CUDA support.

1) convert pcap to hccapx

Using Hashcat_Utils -> in CMD: cd into hashcat-5.1.0

:/> cap2hccapx.exe input.pcap output.hccapx

2) Crack: (Use appropriate binary for x64 vs x86)

Dictionary Attack:

:/> Hashcat64.exe -m 2500 -a 0 capture.hccapx wordlist.txt

Mask (#0-#9)(8- 10 char) (Very common default wifi keys):

:/> Hashcat64.exe -m 2500 -a 3 ?d?d?d?d?d?d?d?d?d?d --increment capture.hccapx

Mask (8 char, capital first letter, rest lower case):

:/> Hashcat64.exe -m 2500 -a 3 ?u?l?l?l?l?l?l?l

Mask's are very powerful, learn more about them here: https://hashcat.net/wiki/doku.php?id=mask_attack

If all goes well you're in. (This is POC, i claim no responsibility for what you do with this information)

Pce

That's correct. If you're using python you can use itertools to quickly get all permutations of the given type. You can also use hashcat to crack hashes.

https://hashcat.net/hashcat is the tool you are looking for, see mask_attacks (it is one of the most sophisticated open source tool for dictionary and bruteforce attacks). Unfortunately they don't added support for ethereum presale wallets yet, but you can track the progress here https://github.com/hashcat/hashcat/issues/1279

Hashcat is a program that can crack passwords

One tutorial video https://www.youtube.com/watch?v=ZuhtaCgY0wc

Also has support for cracking bitcoin wallets, I wish you good luck, hopefully you didn't pick a strong password for once

Hashcat. But if you want to find a solution before all mankind or even the universe comes to an end you'll need at least roughly an idea what has been hashed (ie. length of input, charset, salted y/n etc.).

I'd recommend searching all available hash databanks first before even trying hashcat. Usually the solutions for those games are quite simple and therefore chances are good the hash is already in a db like

John The Ripper. It's just a password bruteforcing tool. There's also HashCat and less commonly used Cain and Abel

They just take long strings known as "hashes" (which are created from passwords using special algorithms) and go through loads of guesses to try and match a password to the hash in order to guess what the password is.

Hope that makes sense!

I'm so glad you liked our CTF! I love seeing people participate and enjoy the challenges. Cracking passwords can be fiddly, but it's rewarding when done well. We want to demonstrate the importance of password security, good hashing algorithms, and keeping these things safe! These hashes are so easy you can probably write your own cracker in python or something, but if you want to do it for real check out https://hashcat.net/hashcat/

Yup! There’s this program called Hashcat that’s relatively easy to use, it takes a list of hashes, then you can decide to use a wordlist, combinations of characters, or a mix of a wordlist and characters, to attempt to crack the hashes. https://hashcat.net/hashcat/
Edit: An example would be hashcat -a 3 hashes.txt ?l?l?l?l?l?l?l?l - that would crack all hashes that are from aaaaaaaa to zzzzzzzz

Ok first, what kind of wallet is it? If it's an online wallet don't even think about it, if it's an offline wallet you might have a chance. But it makes a huge difference if it's 10 or 6 chars. To bruteforce a 10 char password with upper- and lowercase, digits and symbols it can take up 20 years, with a ultra high end pc, no joke. If you still consider doing it, i would recommend an approach with a pre-generated wordlist. Take a look at mentalist and hashcat, it's not that hard, you probably can do it yourself.

Not sure if your GPU is supported but I use hashcat since I use it regularly for my work. It's a quick way to benchmark and test new GPUs.

https://hashcat.net/hashcat/

just run

hashcat -b

Caveat - it's a very specific tool for calculating hashes so it probably will not simulate certain GPU functions like shaders.

Use zip2john and rar2john to extract the hashes (both are part of john), and then john (CPU) or hashcat (GPU → faster) to crack it.

1. /r/linuxquestions
2. No SHA1 "database" has been released. In fact, no such database exists. The attacks that have been released in the past few days have nothing to do with breaking an existing hash.
3. Use hashcat and a big password list. There's no way to brute force it in realistic amounts of time.

You can't decrypt cryptographic hashes, you crack them. Hash functions are one way functions, meaning they can't be reversed. This means the only way to "reverse" a password hash is to guess the password. The more you know about the origins of the hash the easier it may be to do. In general a good approach is to use hashcat with a wordlist in combination with rules.

I was gonna type something up explaining it but I found a post on reddit sort of explaining what you'd do.

But the TL;DR is use Hashcat to iterate through different possible combinations of salts (essentially a password) to bruteforce the hash to get a valid answer. That is, even if he used a salt and not just straight sha1 with no salt.

Heres an example of a sha1 hash >1cdb4c4e3f5c7dbb4c1f1052a85d1f4b6675c75f

and the hash value of that is

>ExampleSha1Hash

https://www.reddit.com/r/HowToHack/comments/83ofgm/use_hashcat_to_decrypt_sha1_wordlist/

The article is nonsense of course, if you want to brute force passwords you'd use hashcat. The only thing I think might be interesting here is what if hashcat doesn't support the algorithm you need to crack?

How do you write Java code that can use the GPU for the cracking work?

If you have the hash of the password you could try a rainbow table or https://hashcat.net/hashcat/.
Not sure if it's worth it to go trough all this trouble. Especially if you know the password has a length of greater than 10 characters.

Rainbow tables are just precomputed hashes that you can load into a database, setup an index on quickly query. The thing is you need to have the hash, and know what kind of algorithm was used to generate it. So if you are trying to gain access to an online account you lost access to this isn't going to help you.

Here are some rainbow tables you can download, be warned they can be very, very large. You can also check out hashcat, if you know enough of the password, it really is only 8 characters, and you have access to somewhat decent hardware it may be faster to use that than the rainbow table route.

Hashcat (https://hashcat.net/hashcat/) is a prominent tool to brute force passwords. Unfortunately I think it is specific to certain file types, and unless you know that you used no capital letters or special keys you are out of luck.

To get an impression of the strenght of your possible passwords, check https://howsecureismypassword.net/.

Good luck.

disclaimer: I'm a total layman and don't have a computer science background.

Would you be willing to do a hashcat benchmark on RVII for me? Get the binary from https://hashcat.net/hashcat/ unpack, run the hashcat64.exe binary with -b parameter and copy and paste the output here? Thanks!

Would you be willing to do a hashcat benchmark on RVII for me? Get the binary from https://hashcat.net/hashcat/ unpack, run the hashcat64.exe binary with -b parameter and copy and paste the output here? Thanks!

I don't really use file encryption myself, so I can't really help you with recommendations. Windows comes along with Bitlocker, which from what I can tell is a very decent encryption tool. I use LastPass as a password manager, and that comes along with encryption options for data. I've heard about DiskCryptor and VeraCrypt being good, but I have absolutely no experience with them.

Honestly though, the best way to encrypt things on a hard drive is to just lock it up in a cupboard. Unless you are sharing the hard drives with a bunch of people you don't want accessing your files, then you don't need to use encryption. You are just creating problems for your future self.

I heard that hashcat is a good program to break down rar and 7zip encryptions. There are several of them though, a quick google search should give you some decent recommendations.

Consider adding a keyfile to drastically hamper a bruteforce session by someone using Hashcat to crack your container. Do not keep the keyfile anywhere near the container as this could be used alongside the bruteforce session. If you are paranoid about quantum computers cracking the container, just increase your keysize. Do not use dictionary words (this excludes using a so called diceware passphrase).

https://hashcat.net/hashcat/

forums i use are hashkiller and insidepro, i normally post a hash for 1$ or 2$ depending on the hash, sometimes people post in bulk if they need them.

Afaik cracking the hashes isn't illegal as long as you aren't aware of what they are being used for, so the less you know the better.

I recommend taking bitcoin as well.

I'm not mining. I'm attempting to bruteforce an ethereum wallet that is encrypted with scrypt. Currently Hashcat https://hashcat.net/hashcat/ does this using CPU only without the huge memory requirements that GPUS would need( 320GB per GPU), but the hashrate is very slow (25H/s on a 16 core Xeon workstation). I figured I could use FPGA to increase the core count / performance significantly.

Thanks for the reply

>Any specific preferences for that? Is the software CUDA (nVidia GPUs preferred) or OpenCL (works with both, but better with AMD GPUs)?

I use Hashcat link, looks like it uses OpenCL and they ditched CUDA in Jan 2016.

> Yes. But SLI specifically, as in 2 same GPUs connected with a bridge - wont do a lot for you. RTS games and EVE are not too GPU dependent. And for CUDA/OpenCL, you dont have to use the same GPUs and connect them with a bridge.

Noted thanks

SHA-512 is a very fast hashing algorithm (and not an encryption algorithm), and as such is not well suited to storing passwords. Hashcat can do hundreds of millions of SHA-512 hashes per second, so if a password is common it will be broken in less then a second.

So: MD5/SHA etc. are shit for storing passwords. You want to use slow algorithms, not fast. SHA-512 isn't designed to be hard to brute-force.

Slow (better) hashing algorithms like BCrypt, PBKDF2, SCrypt, etc. can be configured to take much longer to compute. An average computer might only be able to compute 100 to 200 hashes a second.

I won't be letting NSA know since they've probable been aware of what I wrote for a many years already.

When it comes to password security, you want to protect every password, even the weak ones. If someone has a 6-character mixed-case alphanumeric password, you still want to keep it from being found out.

The attacker already knows the algorithm, and if they have the password hash, they probably also have the salt. So now they just need to run different password combinations through SHA256, and compare it with the password hash they are trying to crack. If the hashes match, they have found the password. This can be relatively trivial for weak passwords.

For example, a 6-character mixed-case alphanumeric ([a-zA-Z0-9]) character set has 56,800,235,584 combinations. The GPU in my desktop can brute force this for salted SHA256 in 31 seconds (1,700,000,000 attempts/sec). Contrast that with salted bcrypt (12 iterations), which will take 30 years (60 attempts/sec).

The problem isn't that SHA256 is vulnerable (no known vulnerabilities at full 64 rounds), it's that SHA256 is fast. When it comes to password hashing, fast is bad. This is why key-stretching algorithms like bcrypt, scrypt, and argon2 were invented.

Sub note: for both tests, the GPU utilization was at 97%, which means the GPU hashing code I tested with is very efficient.