How to Crack a Password Using Hashcat

Written by morpheuslord | Published 2021/09/01
Tech Story Tags: security | cybersecurity | passwords | password-security | hacking | ethical-hacking | hackers | password | web-monetization

TLDRThe most important of all tools is **hashcat** - a free cross-platform password cracking utility that can crack thousands of passwords in just a few seconds. We also need a cloud server such as **Google Cloud** or **Linode server**. To achieve the most in password cracking, you need to do some OSINT or open-sourced intelligence which is cracking all the information about the target to get the most out of it.via the TL;DR App

Password cracking is a really important topic in ethical hacking. When comes to hackers, the first thing people think of is cracking a great number of passwords, which proves to be true. It may be website dump hashes, data breach hashes, wifi WPA2 hashes, or windows NTLM hashes, etc.

For all these passwords, here are tips on how you can be the most resourceful, accurate, and efficient when cracking a password.

Topics to Cover

  • Tools Required
  • How to Set Up a Cloud Server
  • Password Files
  • OSINT in Password Cracking
  • How to Protect Yourself

Tools required

The most important of all tools is hashcat - a free cross-platform password cracking utility that can crack thousands of passwords in just a few seconds. It is fast and accurate.

The second tool is git - a medium to transfer files from our cloud cracking server to our main hacking machine.

The third tool is hashidentifier.py. It's a python tool that does a great job in identifying the hash we are working with and with all these tools you also need high-speed internet.

These are the tools and programs required to complete this process.

Other than the above software requirements, we also need a cloud server such as Google Cloud or Linode server.

How to Set Up a Cloud Server

You might be asking:

Why do we need a cloud server for password cracking?

Because they tend to be really fast. Due to being mostly command lines, they don't have other background apps running which makes them easier and cost-effective to work with.

Other than that, you can choose the level of CPU, graphics card power, and the amount of storage you want. I would recommend at least medium-sized storage, a powerful CPU, a graphics card, and around 4-8 GB of RAM.

For all that you simply require a cloud worker setting.

Select Create VM example in the dashboard in case you are in Google Cloud or in Linode.

The cost of these VM stands anywhere from $5-10 per year. That's very cheap for a super high power system with great features which comes both in Linode and Google server.

Both server providers provide a $100 credit for a year and this makes it free for you to use for 1 year and then $5 per month after.

The expense of these VM stands somewhere in the range of $5-10 every year. That is exceptionally modest for a very high force framework with incredible provisions which comes both in Linode and Google worker.

Both worker suppliers give a $100 credit to a year and this makes it free for you to use for 1 year, and afterwards $5 for each month after.

Once you have your instance ready, copy-paste the following command.

  • To get an update and upgrade to the latest

Sudo apt update && upgrade

  • Install hashcat, git & python3

Sudo apt install git 
Sudo apt install hashcat 
Sudo apt install python3

Once everything is installed and working well, git clone the following repo for the hash identifier.

Git clone https://github.com/blackploit/hash-identifier

Once git is cloned now you can use this like a password cracking utility. However, there is a catch. You don't have a password file to do that.

Password files

For a password file, there are different options.

If you know the person's personal details and want to crack the password using those details, you can use a cupp program and a python tool. Alternatively, you can use a sequenced password generator that picks out all the password combinations for all types of password crackers.

Installing cupp:

Git clone https://github.com/Mebus/cupp

Code for sequenced password generator:

#python3

import random
import itertools

#+---------------------------------------------------+
#|welcome to a custom synchronised password generator|
#+---------------------------------------------------+
#<===============[Made by Morpheuslord]==============>
#              twitter= @morpheuslord2
#        email= [email protected]

Range_1 = int(input("enter your password range: "))
Range_2 = Range_1 + 1

lower="abcdefghijklmnopqrstuvwxyz"
upper="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
numbers="0123456789"
symbols="!@$%^&*{[()]}<>"

def guess_password(real):
    chars =  lower+upper+numbers+symbols
    attempts = 0
    #enter the range of your password the range your password
    #the range of passwords you want a list of
    for password_length in range(Range_1 , Range _2):
        for guess in itertools.product(chars, repeat=password_length):
            attempts += 1
            guess = ''.join(guess)
            if guess == real:
                return 'password is {}. found in {} guesses.'.format(guess, attempts)
            print(guess)
#enter a random password or enter '>>' with the corresponding
#password length for getting the most possible
#password combination
print(guess_password('>'))
#The password file wont be generated until you use it on windows or linux 
#currospondingly

In the print(guess_password())

You need to enter the > symbols according to your range. If your range is 11, there must be 11 symbols in single quotes in the brackets.

OSINT in password cracking

To achieve the most in password cracking, you need to do some OSINT or open-sourced intelligence which is cracking all the information about the target 🎯 to get the most out of it.

For eg:- If you have a password hash and want to crack it and if you need to check how many password characters there are in the login of the network.

For that, if you have an Android then when you are entering the password input check for the join button.

Once you meet the password length criteria the join button turns green for joining it so using that you can determine the length of the password and it makes things super easy to work with.

There is another scenario for this case if you are cracking a hash and you know the format of the password like a 4 digit letter and 2 digit password and 1 special character then you can use hashcat to do a mask attack which is a Brute force attack with a lot of new features.

How to Protect Yourself

As an average person using the internet for your daily work, you must consider keeping a password with a minimum of 11 characters to 15 characters and never reveal the actual character count to anyone else. Then enable 2-factor authentication and use all the ways you can use to safeguard your account.

In an enterprise environment, this is a big thing as from one employee account you can actually access a lot of data which can affect the company’s privacy and security issues, potentially leading to a huge loss.

Follow Me

Follow my Twitter account for the latest updates

Written by morpheuslord | I am a red team operator, and a security enthusiast I write blogs and articles related to cyber-sec topics.
Published by HackerNoon on 2021/09/01
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy