Indispensable for pen testers, the Hashcat tool also makes it possible to check the strength of passwords. But how does this password cracker work?
In the world of cybersecurity, some tools are essential, and Hashcat is one of them. Our colleagues from IDG tell us a little more about this solution.
What is Hashcat?
Hashcat is a password cracker known for its efficiency. It is widely used by pen testers and system administrators, but it is also popular with cyber criminals and cyber spies. Password cracking is different from trying to guess a website login password, which usually allows only a limited number of tries before the account is locked. An attacker who gets into a system where passwords are stored as hashes will often try to crack those hashes to recover the passwords.
Passwords are no longer stored in clear text (in any case, they should not be). Instead, they are transformed with a one-way function called “hashing”. Turning a password like “Password1” into a hash is very fast. But what can be done with that hash? Reversing the hash function by brute force to recover the password is computationally hard: it would take almost as long as the heat death of the universe, and, fortunately or unfortunately depending on one’s point of view, none of us is likely to live that long. There are, however, several ways to get from a hash back to the original password without resorting to a brute force attack that is unlikely to succeed. That is where Hashcat comes in. How? It turns out that humans are so predictable in their password choices that Hashcat can often recover a password.
In addition to the obvious criminal and espionage uses, cracking passwords is legitimate in several situations. For example, a system administrator may want to check the strength of user passwords preemptively: if Hashcat can crack them, a potential attacker can too. Authorized pen testers frequently crack hashes of stolen passwords in order to move laterally within a network or to escalate privileges to administrator level. Since pen testers work under contract and report the weaknesses they find so that their customers can fix them, this use of Hashcat is perfectly legitimate. In fact, the real advantage of this tool is that it is used as much by illegal attackers as by legitimate defenders. So the best way to prevent an attacker from using Hashcat against a network is to test one’s own defenses to make sure that such an attack cannot succeed.
How Hashcat works
In its most basic usage, Hashcat guesses a password, hashes it, and compares the resulting hash to the hash it is trying to crack. If the hashes match, the password has been found; otherwise it guesses again. Not every attack is a brute force attack: Hashcat also offers dictionary attacks, combinator attacks, mask attacks and rule-based attacks. It can also harness the power of GPUs for brute force attacks, if you have the hardware and the time.
Some examples of using Hashcat
– Dictionary attack
Since humans tend to use very bad passwords, a dictionary attack is the most obvious one to try first. It is often based on the word list rockyou.txt, which contains more than 14 million passwords sorted by frequency of use. At the top of the list are common passwords like “123456”, “12345”, “123456789”, “password”, “iloveyou”, “princess”, “1234567” and “rockyou”. Further down come less common ones like “xCvBnM”, “ie168”, “abygurl69”, “a6_123” and “*7¡Vamos!”. There are many other free password lists on the Internet, some targeting specific languages, and Hashcat lets you choose which word list to use. In France, for example, the Richelieu project provides health facility security teams with a list of the most common passwords for assessing their exposure. The list, released under a CC BY 4.0 license and available on GitHub, contains the 20,000 most used French passwords.
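The guess-hash-compare loop described above, driven by a frequency-ordered word list, as an added example written for this page (it is not Hashcat’s code and not from the original article). It assumes unsalted SHA-256 hashes; the word list and the target hashes are constructed for the example, the list standing in for the top of rockyou.txt:

```python
import hashlib

# Constructed for this example: a short frequency-ordered word list standing in
# for the top of rockyou.txt (the real file has more than 14 million lines).
WORDLIST = ["123456", "12345", "123456789", "password", "iloveyou",
            "princess", "1234567", "rockyou", "Bananas1", "qwerty"]

def sha256_hex(candidate: str) -> str:
    """Hash a candidate the same way the stored hashes were produced
    (assumption: unsalted SHA-256; a real store may use a salted or slow hash)."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()

# Constructed target hashes, as an auditor would export them from a password
# store: two users with list passwords and one with a passphrase the list lacks.
TARGETS = {
    "alice": sha256_hex("iloveyou"),
    "bob": sha256_hex("Bananas1"),
    "carol": sha256_hex("correct horse battery staple"),
}

def dictionary_attack(targets: dict, wordlist: list) -> tuple:
    """The guess -> hash -> compare loop, driven by a word list.

    Each candidate is hashed once and looked up against every remaining target
    hash, so auditing many unsalted hashes costs little more than auditing one.
    Returns (cracked, attempts): cracked maps user -> recovered password,
    attempts is the number of candidates that had to be hashed.
    """
    remaining = {}                      # hash -> users who share it
    for user, digest in targets.items():
        remaining.setdefault(digest, []).append(user)
    cracked = {}
    attempts = 0
    for word in wordlist:               # most frequent passwords first
        attempts += 1
        for user in remaining.pop(sha256_hex(word), []):
            cracked[user] = word
        if not remaining:               # everything cracked: stop early
            break
    return cracked, attempts

if __name__ == "__main__":
    found, n = dictionary_attack(TARGETS, WORDLIST)
    print(f"hashed {n} candidates; cracked {found}; "
          f"still uncracked: {sorted(set(TARGETS) - set(found))}")
```

The ordering of the list is what makes the attack cheap: “iloveyou” falls at the fifth guess, while the passphrase never falls because it is not in the list. Hashing each candidate once and matching it against every target only works when the hashes are unsalted; with a per-user salt every candidate must be re-hashed per user, which is one reason salted, slow hashes are the recommended way to store passwords.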
– Combinator attack
Another observation: passwords are often made of two words stuck together, and Hashcat exploits this habit in so-called combinator attacks. Hashcat takes two word lists (also called “dictionaries”) and creates a new list in which each word of the first is combined with every word of the second.
Here is an example from the Hashcat documentation based on the combination of two dictionaries:
Hashcat then combines each word of the first list with every word of the second, and tests the following passwords:
The tool can also add punctuation such as hyphens (-), exclamation marks (!) and other special characters to produce a final list with passwords like “yellow car!”, “Vélobleu!”, etc.
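A combinator generator, added here as an example for the attack mode described above (it is not Hashcat’s code and not from the original article). The two word lists are constructed for the example; the separator and suffix arguments are a simplification standing in for Hashcat’s -j/-k options, which apply a rule to the left or right word:

```python
from itertools import product

# Constructed word lists for this example (not the ones from the Hashcat docs).
LEFT = ["yellow", "green", "blue"]
RIGHT = ["car", "bike"]

def combinator(left, right, separators=("",), suffixes=("",), both_orders=False):
    """Yield every word of `left` joined with every word of `right`.

    With the defaults this is the plain combinator: len(left) * len(right)
    candidates. `separators` and `suffixes` model the small tweaks the page
    mentions (a hyphen between the words, an exclamation mark at the end);
    hashcat itself expresses those as rules applied to the left/right words.
    The real combinator keeps the list order fixed, so "carblue" needs a second
    run with the lists swapped; both_orders=True does that swap for you.
    """
    pairs = list(product(left, right))
    if both_orders:
        pairs += list(product(right, left))
    for a, b in pairs:
        for sep in separators:
            for suf in suffixes:
                yield f"{a}{sep}{b}{suf}"

def keyspace(left, right, separators=("",), suffixes=("",), both_orders=False):
    """Number of candidates combinator() will yield, without generating them."""
    return (len(left) * len(right) * len(separators) * len(suffixes)
            * (2 if both_orders else 1))

if __name__ == "__main__":
    print(list(combinator(LEFT, RIGHT)))
    print(keyspace(LEFT, RIGHT, separators=("", "-"), suffixes=("", "!")),
          "candidates with separators and suffixes")
```

Three words by two give six candidates; adding one optional separator and one optional suffix multiplies that by four. The keyspace function is the useful part for a defender: it tells you, before running anything, how many guesses a given pair of lists represents at a known hashing rate.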
– Mask attack
Many users build their passwords following a particular pattern. For example, a capital letter followed by six letters and a digit at the end is a fairly common format for older passwords like “Bananas1”. Instead of trying every possible password, Hashcat lets you search only the passwords that follow this format, which greatly reduces the number of guesses, provided, of course, that the target password really is in this format.
The Hashcat documentation explains why a mask attack is often orders of magnitude faster than a brute force attack:
– In a traditional brute force attack, the character set must contain all uppercase letters, all lowercase letters and all digits (the so-called “mixalpha-numeric” set). If the password has 9 characters, the search must iterate over 62^9 (13,537,086,546,263,552) combinations. At a cracking speed of 100M/s, it would take more than four years to complete.
– A mask attack exploits human habits and the way people think about passwords. The password above follows a simple but common pattern: a name followed by a year. The attack can also be configured to try capital letters only in the first position, because a capital letter in second or third position is very rare. In short, a mask attack reduces the keyspace to 52 * 26 * 26 * 26 * 26 * 10 * 10 * 10 * 10 (237,627,520,000) combinations. At the same cracking speed of 100M/s, it takes only 40 minutes.
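A mask keyspace calculator that reproduces the two figures above, added here as an example (it is not Hashcat’s code and not from the original article). It uses Hashcat’s documented built-in charsets ?l, ?u, ?d, ?s and ?a, and custom charsets in the style of Hashcat’s -1 to -4 options; the 52-character first position of the mask is written as a custom charset ?1 = ?l?u:

```python
import math
from itertools import product

# Hashcat's built-in charsets, as documented on hashcat.net (?a is their union).
BUILTIN = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]

def expand_charset(spec, custom):
    """Expand a charset spec such as '?l?u' or 'abc?d' into its distinct characters.
    `custom` maps a digit ('1'..'4', like hashcat's -1..-4) to another spec."""
    chars, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.append("?")
            elif key in BUILTIN:
                chars.extend(BUILTIN[key])
            elif key in custom:
                chars.extend(expand_charset(custom[key], custom))
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            chars.append(spec[i])
            i += 1
    return "".join(dict.fromkeys(chars))   # dedupe, keep order

def mask_positions(mask, custom=None):
    """Split a mask into one charset per password position ('?u?l?d' -> 3 positions)."""
    custom = custom or {}
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            positions.append(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            positions.append(mask[i])       # literal character: one choice
            i += 1
    return positions

def keyspace(mask, custom=None):
    """Number of candidates the mask describes: product of the charset sizes."""
    return math.prod(len(p) for p in mask_positions(mask, custom))

def time_to_exhaust(mask, rate_per_second, custom=None):
    """Seconds needed to try every candidate at the given hashing rate."""
    return keyspace(mask, custom) / rate_per_second

def candidates(mask, custom=None):
    """Generate the candidates themselves (only sensible for small keyspaces)."""
    for combo in product(*mask_positions(mask, custom)):
        yield "".join(combo)

if __name__ == "__main__":
    RATE = 100_000_000                        # 100M hashes per second, as on the page
    brute = "?1" * 9                          # 9 positions of mixalpha-numeric
    years = time_to_exhaust(brute, RATE, {"1": "?l?u?d"}) / 31_557_600
    print(keyspace(brute, {"1": "?l?u?d"}), "combinations,", round(years, 2), "years")
    pattern = "?1?l?l?l?l?d?d?d?d"            # upper-or-lower, 4 lower, 4 digits
    minutes = time_to_exhaust(pattern, RATE, {"1": "?l?u"}) / 60
    print(keyspace(pattern, {"1": "?l?u"}), "combinations,", round(minutes, 1), "minutes")
```

Run as-is, it prints the 13,537,086,546,263,552 combinations (about 4.3 years) for the full nine-character alphanumeric search and the 237,627,520,000 combinations (about 39.6 minutes) for the mask, matching the figures from the Hashcat documentation quoted above. The same calculator is a quick way to estimate how long a given password policy holds up against a known cracking rate.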
– Rules-based attack
If the easier options fail and you have a clear idea of how the target builds their passwords, Hashcat offers a rule-based attack, using a syntax close to a programming language in which you specify the kind of passwords to test. “Rule-based attack is one of the most complex modes of attack,” says the Hashcat website. “A rule-based attack is like using a programming language to generate passwords. It involves functions to modify, cut or extend the sequences of words and conditional operators to skip some, etc. From this point of view, a rule-based attack is the most flexible, precise and effective of attacks.” While getting started with Hashcat is easy, learning the syntax of Hashcat rules quickly becomes difficult.
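A small interpreter for a subset of Hashcat’s rule functions, added here as an example of what the rule syntax does to a word (it is not Hashcat’s engine and not from the original article). The function letters follow Hashcat’s documented rule language; the sample rules and words are constructed for the example, and conditional skip operators are left out:

```python
# Constructed sample rules, written with hashcat's rule-function letters.
RULES = [
    ":",              # the word unchanged
    "c $1",           # Capitalize, append "1"                -> Password1
    "sa@ so0 $!",     # leetspeak substitutions, append "!"   -> p@ssw0rd!
    "u $2 $0 $2 $4",  # uppercase, append a year
    "r",              # reversed
    "d",              # doubled
]

def apply_rule(word: str, rule: str) -> str:
    """Apply one hashcat-style rule line to a word (subset of hashcat's functions).

      :  no-op        l  lowercase    u  uppercase    c  capitalize
      t  toggle case  r  reverse      d  duplicate    [  delete first
      ]  delete last  $X append X     ^X prepend X    sXY replace X with Y
    As in hashcat rule files, functions may be separated by spaces.
    """
    i = 0
    while i < len(rule):
        f = rule[i]
        if f == " ":
            i += 1
            continue
        args = 2 if f == "s" else 1 if f in "$^" else 0
        if i + args >= len(rule):
            raise ValueError(f"rule {rule!r}: function {f!r} is missing an argument")
        if f == ":":
            pass
        elif f == "l":
            word = word.lower()
        elif f == "u":
            word = word.upper()
        elif f == "c":
            word = word[:1].upper() + word[1:].lower()
        elif f == "t":
            word = word.swapcase()
        elif f == "r":
            word = word[::-1]
        elif f == "d":
            word = word * 2
        elif f == "[":
            word = word[1:]
        elif f == "]":
            word = word[:-1]
        elif f == "$":
            word = word + rule[i + 1]
        elif f == "^":
            word = rule[i + 1] + word
        elif f == "s":
            word = word.replace(rule[i + 1], rule[i + 2])
        else:
            raise ValueError(f"rule {rule!r}: unsupported function {f!r}")
        i += 1 + args
    return word

def expand(words, rules):
    """Every word through every rule, duplicates removed: this is the candidate
    stream a rule-based attack feeds into the hash-and-compare loop."""
    seen = dict.fromkeys(apply_rule(w, r) for w in words for r in rules)
    return list(seen)

if __name__ == "__main__":
    for candidate in expand(["password", "summer"], RULES):
        print(candidate)
```

With two base words and six rules the attack tries twelve candidates, among them “Password1”, “p@ssw0rd!” and “SUMMER2024”. This is the point the Hashcat site makes: the rules are a small program that turns a dictionary of plain words into the variations people actually type, and a policy that only demands a capital, a digit and a symbol does little against them.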
– Brute force attack
Finally, if all else fails, there is nothing left to do but pray that Hashcat’s brute force attack succeeds before our Sun becomes a nova and engulfs the Earth. But you never know: you might get lucky!