House cat to Hashcat

by Jason Downey, Security Consultant

 

The Basics 

Password cracking is a key tool in every penetration tester’s toolbox and is something blue teamers should do on a regular basis to ensure there are no weak passwords in their environment. Seeing as how password hashes are a core piece of several different kinds of authentication technologies, cracking hashes won’t stop working anytime soon. 

Hashcat is the number-one tool used to perform password cracking attacks and is way more customizable than I think most people realize. Especially for those of us in consulting pentesting where everything is on a time-limit, being able to utilize Hashcat more efficiently could be the difference in moving to the next step in the kill chain or being stuck on the network unauthenticated.  

When we first start using Hashcat we all pretty much use the same basics. We load up the rockyou wordlist and throw in one of the built-in rules like Best64 or OneRuleToRuleThemAll and let it rip. While this will be successful from time to time, it should not be the only step you take in your path to cracking passwords. I want to share with you all some tips and tricks that I have learned to make my password cracking more effective in less time.

 

Start With Simple 

There is no reason to throw a 15GB wordlist with a bunch of rules first unless you’re headed off to bed for the night. Instead, start with some very frequently used passwords with a good ruleset and try to get that low hanging fruit first. There are a few commonly known password schemas that we see across environments again and again. The SeasonYear! schema, dictionary words that end basic patterns such as 1! or !1, sports related passwords such as GoPackers, or iterations of the company name like RedSiege123!. Take the time to build a basic root wordlist and start there. For a quick and dirty example checkout weakpasswords.net by @nyxgeek. It auto updates every day to cover the current season year as well as a few common iterations of the word Password.  

You can build some really cool and functional wordlists using a tool like CeWL – https://github.com/digininja/CeWL to crawl your target’s website, by using Census data to build lists of common names, using crunch  – https://github.com/jim3ma/crunch to generate different combinations of characters, or just grabbing known password lists from SecLists – https://github.com/danielmiessler/SecLists or weakpass.com.  

Now keep in mind, while those tools and some of those premade password lists can be pretty thorough, they are often bloated and/or filled with old password combinations, making the password cracking process inefficient. But for those that are getting started they can make for a great starting point for building your own wordlist. One thing to keep in mind, is your wordlist should ONLY contain root words. There is no need to have Hugs, Hugs1, Hugs12, and Hugs123, etc. in your wordlist. It is much more efficient to have just those root words in your list and use some of the techniques we cover later. 

 

Wear The Mask 

Hashcat has a functionality called masking where instead of pre-creating a wordlist or doing a pure bruteforce attack, you can specify combinations of characters you want to use. This is wildly useful if you have found a way to enumerate your target’s password policy or have already cracked other passwords and seen similar password types. Here are the built-in masking character sets in Hashcat: 

 

•   ?l = abcdefghijklmnopqrstuvwxyz 
•   ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ 
•   ?d = 0123456789
•   ?h = 0123456789abcdef 
•   ?H = 0123456789ABCDEF 
•   ?s = «space»!”#$%&'()*+,-./:;<=>?@[\]^_`{|}~  
•   ?a = ?l?u?d?s 
•   ?b = 0x00 – 0xff 

 

As an example, if we know our target’s password policy is a minimum of eight characters, requires an uppercase letter, and requires a number, we can specify a mask which will match their password policy and build common password combinations. Using the chart above we can specify ?u?l?l?l?d?d?d?d. This mask will only use uppercase letters for the first character, lowercase letters for characters 2 – 4, and digits for characters 5 – 8. This will match four letter words with four digits to match the current year or potential birth years. AKA passwords like Hugs2023 or Hack1986. You can add a ?s mask on the end and run another round and cover passwords like Hugs2023! and Hugs2023$.  

 

Play By The Rules 

To be honest, I find building rules in Hashcat to be 1/3 math, 1/3 alchemy, and 1/3 dark magic, but all I know is I start using rules and I get results. Rule files are stored in the rules subdirectory within your Hashcat folder and luckily there are some great examples included with the default Hashcat installation. A few of my personal favorites are best64, d3ad0ne, and  T0XIC_3_rule. While these do a pretty good job of covering a lot of the basics, knowing how to make custom rules can lead to some pretty cool results once a pattern or trend is identified. Hashcat rules are very powerful, and I would advise you to look over the whole list of rules here https://hashcat.net/wiki/doku.php?id=rule_based_attack.  

 

When designing custom rules, remember that our human brain wants us to make something that is quick and easy to remember, but also something that we feel won’t be easy for an attacker to guess. As an example, we all know Password1 is a bad password. But what about Password11drowssaP as our password? It is eighteen characters, contains multiple numbers and multiple uppercase letters, and for a regular user, is something that will be easy to remember. However, while it might meet the criteria of a good password by traditional standards, a good ruleset would crack that in a heartbeat. The rule function f duplicates any given word pattern and reflects it back at the end of the word. So, our Previous Hugs2023! would be Hugs2023!!3292sguH. Or we can use rules to duplicate the last letter three times with the Z3 rule function. This is useful when folks are forced to change passwords every so often and there is nothing in place to compare it to their previous passwords. If my original password was RedSiege123, the Z3 function would use RedSiege123333, which means if I had been using the password for a year and was forced to change it every 90 days, this would get cracked. There are way too many cool combinations to cover so be sure to play around with a few and see what works best for you! 

 

Here is a quick example of how a sample rule file might look: 

:
$2023
r
f
Z5
c $1986

This rule file will begin with the : function and run the wordlist as is, append 2023 to the end of every word, reverse every word, reflect the word and append it to the end, repeat the last character in each word five times, and lastly it will capitalize the first letter and append 1986 to the end. Different rules can be combined to make your password cracking as targeted as you want it to be, don’t sleep on this functionality! 

 

Closing Out 

These techniques will help you level up your Hashcat game and get more passwords cracked with less cycles. A little bit of preparation building out these techniques now will save you hours and hours of cracking time in the future, especially if you can share useful mask combinations or rulesets with your respective teams.  Happy Cracking!

 

About Security Consultant Jason Downey:

Jason Downey has over ten years of professional experience in IT and information security ranging in a variety of roles in network security roles with additional experience in systems administration. Jason has spoken in front of various audiences ranging from youth initiatives to major security conferences, while creating informational content on SiegeCasts and forward-facing marketing channels. Jason excels at a variety of penetration testing tactics and is well known for his vishing and social engineering expertise.

Certifications:
GPEN, GCIH, CCNA R&S, CCNA Security, CEH, CHFI

Connect on Twitter