THC-Hydra

Description

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add.

Platform	Linux
Author	Van Hauser / THC
License	GNU Affero General Public License
URL	https://github.com/vanhauser-thc/thc-hydra

Usage

Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]
 
Options:
  -R        restore a previous aborted/crashed session
  -I        ignore an existing restore file (don't wait 10 seconds)
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -y        disable use of symbols in bruteforce, see above
  -r        use a non-random shuffling method for option -x
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -o FILE   write found login/password pairs to FILE instead of stdout
  -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel per target (default: 16)
  -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
  -w / -W TIME  wait time for a response (32) / between connects per thread (0)
  -c TIME   wait time per login attempt over all threads (enforces -t 1)
  -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
  -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode
  -O        use old SSL v2 and v3
  -K        do not redo failed attempts (good for -M mass scanning)
  -q        do not print messages about connection errors
  -U        service module usage details
  -m OPT    options specific for a module, see -U output for information
  -h        more command line options (COMPLETE HELP)
  server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)
 
Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smb2 smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
 
Hydra is a tool to guess/crack valid login/password pairs.
Licensed under AGPL v3.0. The newest version is always available at;
https://github.com/vanhauser-thc/thc-hydra
Please don't use in military or secret service organizations, or for illegal
purposes. (This is a wish and non-binding - most such people do not care about
laws and ethics anyway - and tell themselves they are one of the good ones.)
These services were not compiled in: afp mongodb ncp oracle sapr3.
 
Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
     % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)
     % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
     % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)
 
Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh

Examples

hydra -L /opt/passwords/facebook-f.last-100.txt -p Winter2022 -m workgroup:\{hiboxy\} x.x.x.x smb2

This will use the usernames in the specified file and spray the specified password against all of them using the hiboxy domain, the specified domain controller, and the smb2 protocol.

sec@slingshot:~$ hydra -L /opt/passwords/facebook-f.last-100.txt -p Winter2022 -m workgroup:{hiboxy} 10.130.10.4 smb2
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-15 20:00:21
[DATA] max 16 tasks per 1 server, overall 16 tasks, 100 login tries (l:100/p:1), ~7 tries per task
[DATA] attacking smb2://10.130.10.4:445/workgroup:{hiboxy}
[445][smb2] host: 10.130.10.4   login: janderson   password: Winter2022
[445][smb2] host: 10.130.10.4   login: alee   password: Winter2022
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-15 20:00:24

hydra -l bgreen -P /opt/passwords/simple.txt x.x.x.x ssh

This will attempt to brute force the bgreen account using the passwords in the provided file over the ssh protocol.

sec@slingshot:~$ hydra -l bgreen -P /opt/passwords/simple.txt 10.130.10.10 ssh
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-15 23:27:13
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 34 login tries (l:1/p:34), ~3 tries per task
[DATA] attacking ssh://10.130.10.10:22/
[22][ssh] host: 10.130.10.10   login: bgreen   password: Password1
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-15 23:27:18

hydra -C /opt/passwords/hiboxy-breach.txt x.x.x.x -m workgroup:\{hiboxy\} smb2

This command will use the user:password pairs in the provided file against the domain controller for the hiboxy domain using the smb2 protocol.

sec@slingshot:~$ hydra -C /opt/passwords/hiboxy-breach.txt 10.130.10.4 -m workgroup:{hiboxy} smb2
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-15 23:33:52
[DATA] max 16 tasks per 1 server, overall 16 tasks, 22 login tries, ~2 tries per task
[DATA] attacking smb2://10.130.10.4:445/workgroup:{hiboxy}
[445][smb2] host: 10.130.10.4   login: bking   password: ThaBoss1
[445][smb2] host: 10.130.10.4   login: jmartin   password: Quincy626
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-15 23:33:53

Blog Posts

pw-inspector

Description

A THC Hydra tool to reduce the password list (based on known password policies, etc.).

Platform	Linux
Author	Van Hauser
License	GNU Affero General Public License
URL	https://github.com/vanhauser-thc/thc-hydra/blob/master/pw-inspector.c

Usage

PW-Inspector v0.2 (c) 2005 by van Hauser / THC vh@thc.org [https://github.com/vanhauser-thc/thc-hydra]
 
Syntax: pw-inspector [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p -s
 
Options:
  -i FILE    file to read passwords from (default: stdin)
  -o FILE    file to write valid passwords to (default: stdout)
  -m MINLEN  minimum length of a valid password
  -M MAXLEN  maximum length of a valid password
  -c MINSETS the minimum number of sets required (default: all given)
Sets:
  -l         lowcase characters (a,b,c,d, etc.)
  -u         upcase characters (A,B,C,D, etc.)
  -n         numbers (1,2,3,4, etc.)
  -p         printable characters (which are not -l/-n/-p, e.g. $,!,/,(,*, etc.)
  -s         special characters - all others not within the sets above
 
PW-Inspector reads passwords in and prints those which meet the requirements.
The return code is the number of valid passwords found, 0 if none was found.
Use for security: check passwords, if 0 is returned, reject password choice.
Use for hacking: trim your dictionary file to the pw requirements of the target.
Usage only allowed for legal purposes.

Examples

Blog Posts

John the Ripper

Description

John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems.

Platform	All
Author	Openwall
License	GPLv3
URL	https://www.openwall.com/john/

Usage

John the Ripper 1.9.0-jumbo-1 OMP [linux-gnu 64-bit x86_64 AVX2 AC]
Copyright (c) 1996-2019 by Solar Designer and others
Homepage: http://www.openwall.com/john/
 
Usage: john [OPTIONS] [PASSWORD-FILES]
--single[=SECTION[,..]]    "single crack" mode, using default or named rules
--single=:rule[,..]        same, using "immediate" rule(s)
--wordlist[=FILE] --stdin  wordlist mode, read words from FILE or stdin
                  --pipe   like --stdin, but bulk reads, and allows rules
--loopback[=FILE]          like --wordlist, but extract words from a .pot file
--dupe-suppression         suppress all dupes in wordlist (and force preload)
--prince[=FILE]            PRINCE mode, read words from FILE
--encoding=NAME            input encoding (eg. UTF-8, ISO-8859-1). See also
                           doc/ENCODINGS and --list=hidden-options.
--rules[=SECTION[,..]]     enable word mangling rules (for wordlist or PRINCE
                           modes), using default or named rules
--rules=:rule[;..]]        same, using "immediate" rule(s)
--rules-stack=SECTION[,..] stacked rules, applied after regular rules or to
                           modes that otherwise don't support rules
--rules-stack=:rule[;..]   same, using "immediate" rule(s)
--incremental[=MODE]       "incremental" mode [using section MODE]
--mask[=MASK]              mask mode using MASK (or default from john.conf)
--markov[=OPTIONS]         "Markov" mode (see doc/MARKOV)
--external=MODE            external mode or word filter
--subsets[=CHARSET]        "subsets" mode (see doc/SUBSETS)
--stdout[=LENGTH]          just output candidate passwords [cut at LENGTH]
--restore[=NAME]           restore an interrupted session [called NAME]
--session=NAME             give a new session the NAME
--status[=NAME]            print status of a session [called NAME]
--make-charset=FILE        make a charset file. It will be overwritten
--show[=left]              show cracked passwords [if =left, then uncracked]
--test[=TIME]              run tests and benchmarks for TIME seconds each
--users=[-]LOGIN|UID[,..]  [do not] load this (these) user(s) only
--groups=[-]GID[,..]       load users [not] of this (these) group(s) only
--shells=[-]SHELL[,..]     load users with[out] this (these) shell(s) only
--salts=[-]COUNT[:MAX]     load salts with[out] COUNT [to MAX] hashes
--costs=[-]C[:M][,...]     load salts with[out] cost value Cn [to Mn]. For
                           tunable cost parameters, see doc/OPTIONS
--save-memory=LEVEL        enable memory saving, at LEVEL 1..3
--node=MIN[-MAX]/TOTAL     this node's number range out of TOTAL count
--fork=N                   fork N processes
--pot=NAME                 pot file to use
--list=WHAT                list capabilities, see --list=help or doc/OPTIONS
--devices=N[,..]           set OpenCL device(s) (see --list=opencl-devices)
--format=NAME              force hash of type NAME. The supported formats can
                           be seen with --list=formats and --list=subformats

Examples

john ~/labs/web01.hashes

This will run john in default mode and try to crack the hashes in the provided file.

msf6 exploit(windows/smb/psexec) > john labs/web01.hashes
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "LM-opencl"
Use the "--format=LM-opencl" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT-opencl"
Use the "--format=NT-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Using default target encoding: CP850
Loaded 38 password hashes with no different salts (LM [DES 256/256 AVX2])
Warning: poor OpenMP scalability for this hash type, consider --fork=2
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 78 candidates buffered for the current salt, minimum 512 needed for performance.
Proceeding with wordlist:/usr/local/share/john/password.lst, rules:Wordlist
                 (dmckenzie)
                 (ckhan)
                 (phorne)
                 (egeorge)
                 (pmartin)
                 (scook)
                 (kkennedy)
                 (srichardson)
                 (dbryant)
                 (sbates)
                 (cgentry)
                 (khansen)
                 (abates)
                 (nramos)
                 (dwilliams)
                 (rduarte)
                 (ksutton)
                 (kcooper)
                 (hhopkins)
                 (jrivera)
                 (vcollins)
                 (mmiller)
                 (awalker)
                 (tandersen)
                 (lstout)
                 (mlara)
                 (wrobinson)
                 (rgray)
                 (aparker)
                 (slopez)
                 (antivirus)
                 (SROCAdmin)
                 (WDAGUtilityAccount)
                 (DefaultAccount)
                 (Guest)
                 (Administrator)
Proceeding with incremental:LM_ASCII
MIMIGOT          (vberry:1)
KNENZ2G          (vberry:2)
38g 0:00:00:02 DONE 3/3 (2022-03-17 01:29) 15.01g/s 40495Kp/s 40495Kc/s 48036KC/s KNEIRS8..KNENZ2G
Warning: passwords printed above might be partial
Use the "--show --format=LM" options to display all of the cracked passwords reliably
Session completed

john ~/labs/web01.hashes –show

This command will show which passwords have already been cracked in the given file.

sec560@slingshot:~$ sudo john labs/web01.hashes --show
Administrator::500:aad3b435b51404eeaad3b435b51404ee:1ef98de8555541f1579f98084f32875b:::
Guest::501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount::503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount::504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::
SROCAdmin::1008:aad3b435b51404eeaad3b435b51404ee:2e920723943f81ec0af0fd735f737fef:::
antivirus::1009:aad3b435b51404eeaad3b435b51404ee:47f0ca5913c6e70090d7b686afb9e13e:::
slopez::1010:aad3b435b51404eeaad3b435b51404ee:87e968ead530264915a4b295c57c37d5:::
aparker::1011:aad3b435b51404eeaad3b435b51404ee:9b5684b030226a1203e4e7b718a3f9df:::
rgray::1012:aad3b435b51404eeaad3b435b51404ee:23d26a03aa7102abce4805d88e568a78:::
wrobinson::1013:aad3b435b51404eeaad3b435b51404ee:5deaec4b57b859c25cdd0513fb7bc750:::
mlara::1014:aad3b435b51404eeaad3b435b51404ee:d8d9eee954da5f2d42fe72f862fa493f:::
lstout::1015:aad3b435b51404eeaad3b435b51404ee:ca3f0e9ce3188b0602742da2976d6773:::
tandersen::1016:aad3b435b51404eeaad3b435b51404ee:bf459116e5854e34031997be8e13596d:::
awalker::1017:aad3b435b51404eeaad3b435b51404ee:fe1f27a2561b61511588b0d24e333a7c:::
mmiller::1018:aad3b435b51404eeaad3b435b51404ee:7a1f1fd59eb2b97041c74748ea6a68f8:::
vcollins::1019:aad3b435b51404eeaad3b435b51404ee:5bd9b7b6fce76d3aabfebee9debaa932:::
jrivera::1020:aad3b435b51404eeaad3b435b51404ee:baa90a3ad89d359009ce5425063dff3e:::
hhopkins::1021:aad3b435b51404eeaad3b435b51404ee:92929561b2758f409df2b4a24a59c6f4:::
kcooper::1022:aad3b435b51404eeaad3b435b51404ee:5ae44bf0a1e24c0b1ec96708f30e7b84:::
ksutton::1023:aad3b435b51404eeaad3b435b51404ee:a6051a02b7a2bfb4cd0e2c1a9cb4a694:::
rduarte::1024:aad3b435b51404eeaad3b435b51404ee:7ce56170c73f9582fa348db88de2c192:::
dwilliams::1025:aad3b435b51404eeaad3b435b51404ee:c6fd7d8bb36d8862c1b978896a6bec51:::
nramos::1026:aad3b435b51404eeaad3b435b51404ee:0f46bafd2c4acdac0003a1ff4da92625:::
abates::1027:aad3b435b51404eeaad3b435b51404ee:62a56ba1b94193d7f553b895bca28292:::
khansen::1028:aad3b435b51404eeaad3b435b51404ee:fc9fdcdbf09c5be4928287e4ad847dd7:::
vberry:MIMIGOTKNENZ2G:1029:97abc432e5e8e8a03b9ce0ab2b8f2634:d99438ebb5f67b113dab1f907e26979b:::
cgentry::1030:aad3b435b51404eeaad3b435b51404ee:059db5a4061f5a2cb5053e753f9664b4:::
sbates::1031:aad3b435b51404eeaad3b435b51404ee:4f8bfa5d78d7a6398915c9657cd49769:::
dbryant::1032:aad3b435b51404eeaad3b435b51404ee:858bf9272facf23b3593f609e5b64c06:::
srichardson::1033:aad3b435b51404eeaad3b435b51404ee:819dc07ca50e1729d72214e8e9ee8f3a:::
kkennedy::1034:aad3b435b51404eeaad3b435b51404ee:7c3acf216ef4ec061b9330e0ad103c35:::
scook::1035:aad3b435b51404eeaad3b435b51404ee:2d474458480f9aa524ba3ebb1f3f9e6e:::
pmartin::1036:aad3b435b51404eeaad3b435b51404ee:98f9db311936bea281e9a65f45dd1f62:::
egeorge::1037:aad3b435b51404eeaad3b435b51404ee:f482c3342543f49df31a5a240a0558cf:::
phorne::1038:aad3b435b51404eeaad3b435b51404ee:b9a04517b70e549f8b2e4153ee8f4107:::
ckhan::1039:aad3b435b51404eeaad3b435b51404ee:aff059fe35c553548f56db9c85b2d90c:::
dmckenzie::1040:aad3b435b51404eeaad3b435b51404ee:50a173c77e22c87c419cacb5e0629b52:::
 
38 password hashes cracked, 0 left

john –format=nt –wordlist=/opt/passwords/rockyou.txt ~/labs/web01.hashes

The following is the output when you run john with a wordlist.

sec560@slingshot:~$ sudo john --format=nt --wordlist=/opt/passwords/rockyou.txt ~/labs/web01.hashes
Using default input encoding: UTF-8
Loaded 36 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Remaining 35 password hashes with no different salts
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
Warrior07        (vcollins)
Tibbetts3        (slopez)
Patrique2238     (wrobinson)
Packardbell350   (mlara)
Oozle11          (aparker)
KAMTPS20!!tim    (rgray)
Chirmol01        (awalker)
BHLMSTz2         (mmiller)
Angels100%       (tandersen)
2soWht!a         (lstout)
10g 0:00:00:00 DONE (2022-03-17 01:46) 10.30g/s 14787Kp/s 14787Kc/s 475458KC/s  Ttwwl789..*7¡Vamos!
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed

zip2john file.zip

This will produce a crackable hash from an encrypted zip file and store it in a file named backup.hashes.

└─$ zip2john ./backup.zip > ./backup.hashes
ver 2.0 efh 5455 efh 7875 backup.zip/index.php PKZIP Encr: TS_chk, cmplen=1201, decmplen=2594, crc=3A41AE06 ts=5722 cs=5722 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/style.css PKZIP Encr: TS_chk, cmplen=986, decmplen=3274, crc=1B1CCD6A ts=989A cs=989a type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

john –format=Raw-MD5 –wordlist=./wordlist8.txt ./passhash.txt

This command will attempt to crack a raw MD5 password hash using the wordlist.

└─$ john --format=Raw-MD5 --wordlist=./wordlist8.txt ./passhash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
qwerty789        (?)    
1g 0:00:00:00 DONE (2022-03-27 14:12) 50.00g/s 1891Kp/s 1891Kc/s 1891KC/s snapdragon..play2win
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

Blog Posts

hashcat

Description

World’s fastest password cracker

Platform	All
Author	Jens Steube
License	MIT
URL	https://hashcat.net/hashcat/

Usage

hashcat (v6.2.4) starting in help mode
 
Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...
 
- [ Options ] -
 
 Options Short / Long           | Type | Description                                          | Example
================================+======+======================================================+=======================
 -m, --hash-type                | Num  | Hash-type, references below (otherwise autodetect)   | -m 1000
 -a, --attack-mode              | Num  | Attack-mode, see references below                    | -a 3
 -V, --version                  |      | Print version                                        |
 -h, --help                     |      | Print help                                           |
     --quiet                    |      | Suppress output                                      |
     --hex-charset              |      | Assume charset is given in hex                       |
     --hex-salt                 |      | Assume salt is given in hex                          |
     --hex-wordlist             |      | Assume words in wordlist are given in hex            |
     --force                    |      | Ignore warnings                                      |
     --deprecated-check-disable |      | Enable deprecated plugins                            |
     --status                   |      | Enable automatic update of the status screen         |
     --status-json              |      | Enable JSON format for status output                 |
     --status-timer             | Num  | Sets seconds between status screen updates to X      | --status-timer=1
     --stdin-timeout-abort      | Num  | Abort if there is no input from stdin for X seconds  | --stdin-timeout-abort=300
     --machine-readable         |      | Display the status view in a machine-readable format |
     --keep-guessing            |      | Keep guessing the hash after it has been cracked     |
     --self-test-disable        |      | Disable self-test functionality on startup           |
     --loopback                 |      | Add new plains to induct directory                   |
     --markov-hcstat2           | File | Specify hcstat2 file to use                          | --markov-hcstat2=my.hcstat2
     --markov-disable           |      | Disables markov-chains, emulates classic brute-force |
     --markov-classic           |      | Enables classic markov-chains, no per-position       |
 -t, --markov-threshold         | Num  | Threshold X when to stop accepting new markov-chains | -t 50
     --runtime                  | Num  | Abort session after X seconds of runtime             | --runtime=10
     --session                  | Str  | Define specific session name                         | --session=mysession
     --restore                  |      | Restore session from --session                       |
     --restore-disable          |      | Do not write restore file                            |
     --restore-file-path        | File | Specific path to restore file                        | --restore-file-path=x.restore
 -o, --outfile                  | File | Define outfile for recovered hash                    | -o outfile.txt
     --outfile-format           | Str  | Outfile format to use, separated with commas         | --outfile-format=1,3
     --outfile-autohex-disable  |      | Disable the use of $HEX[] in output plains           |
     --outfile-check-timer      | Num  | Sets seconds between outfile checks to X             | --outfile-check=30
     --wordlist-autohex-disable |      | Disable the conversion of $HEX[] from the wordlist   |
 -p, --separator                | Char | Separator char for hashlists and outfile             | -p :
     --stdout                   |      | Do not crack a hash, instead print candidates only   |
     --show                     |      | Compare hashlist with potfile; show cracked hashes   |
     --left                     |      | Compare hashlist with potfile; show uncracked hashes |
     --username                 |      | Enable ignoring of usernames in hashfile             |
     --remove                   |      | Enable removal of hashes once they are cracked       |
     --remove-timer             | Num  | Update input hash file each X seconds                | --remove-timer=30
     --potfile-disable          |      | Do not write potfile                                 |
     --potfile-path             | File | Specific path to potfile                             | --potfile-path=my.pot
     --encoding-from            | Code | Force internal wordlist encoding from X              | --encoding-from=iso-8859-15
     --encoding-to              | Code | Force internal wordlist encoding to X                | --encoding-to=utf-32le
     --debug-mode               | Num  | Defines the debug mode (hybrid only by using rules)  | --debug-mode=4
     --debug-file               | File | Output file for debugging rules                      | --debug-file=good.log
     --induction-dir            | Dir  | Specify the induction directory to use for loopback  | --induction=inducts
     --outfile-check-dir        | Dir  | Specify the outfile directory to monitor for plains  | --outfile-check-dir=x
     --logfile-disable          |      | Disable the logfile                                  |
     --hccapx-message-pair      | Num  | Load only message pairs from hccapx matching X       | --hccapx-message-pair=2
     --nonce-error-corrections  | Num  | The BF size range to replace AP's nonce last bytes   | --nonce-error-corrections=16
     --keyboard-layout-mapping  | File | Keyboard layout mapping table for special hash-modes | --keyb=german.hckmap
     --truecrypt-keyfiles       | File | Keyfiles to use, separated with commas               | --truecrypt-keyf=x.png
     --veracrypt-keyfiles       | File | Keyfiles to use, separated with commas               | --veracrypt-keyf=x.txt
     --veracrypt-pim-start      | Num  | VeraCrypt personal iterations multiplier start       | --veracrypt-pim-start=450
     --veracrypt-pim-stop       | Num  | VeraCrypt personal iterations multiplier stop        | --veracrypt-pim-stop=500
 -b, --benchmark                |      | Run benchmark of selected hash-modes                 |
     --benchmark-all            |      | Run benchmark of all hash-modes (requires -b)        |
     --speed-only               |      | Return expected speed of the attack, then quit       |
     --progress-only            |      | Return ideal progress step size and time to process  |
 -c, --segment-size             | Num  | Sets size in MB to cache from the wordfile to X      | -c 32
     --bitmap-min               | Num  | Sets minimum bits allowed for bitmaps to X           | --bitmap-min=24
     --bitmap-max               | Num  | Sets maximum bits allowed for bitmaps to X           | --bitmap-max=24
     --cpu-affinity             | Str  | Locks to CPU devices, separated with commas          | --cpu-affinity=1,2,3
     --hook-threads             | Num  | Sets number of threads for a hook (per compute unit) | --hook-threads=8
     --hash-info                |      | Show information for each hash-mode                  |
     --example-hashes           |      | Alias of --hash-info                                 |
     --backend-ignore-cuda      |      | Do not try to open CUDA interface on startup         |
     --backend-ignore-opencl    |      | Do not try to open OpenCL interface on startup       |
 -I, --backend-info             |      | Show info about detected backend API devices         | -I
 -d, --backend-devices          | Str  | Backend devices to use, separated with commas        | -d 1
 -D, --opencl-device-types      | Str  | OpenCL device-types to use, separated with commas    | -D 1
 -O, --optimized-kernel-enable  |      | Enable optimized kernels (limits password length)    |
 -M, --multiply-accel-disable   |      | Disable multiply kernel-accel with processor count   |
 -w, --workload-profile         | Num  | Enable a specific workload profile, see pool below   | -w 3
 -n, --kernel-accel             | Num  | Manual workload tuning, set outerloop step size to X | -n 64
 -u, --kernel-loops             | Num  | Manual workload tuning, set innerloop step size to X | -u 256
 -T, --kernel-threads           | Num  | Manual workload tuning, set thread count to X        | -T 64
     --backend-vector-width     | Num  | Manually override backend vector-width to X          | --backend-vector=4
     --spin-damp                | Num  | Use CPU for device synchronization, in percent       | --spin-damp=10
     --hwmon-disable            |      | Disable temperature and fanspeed reads and triggers  |
     --hwmon-temp-abort         | Num  | Abort if temperature reaches X degrees Celsius       | --hwmon-temp-abort=100
     --scrypt-tmto              | Num  | Manually override TMTO value for scrypt to X         | --scrypt-tmto=3
 -s, --skip                     | Num  | Skip X words from the start                          | -s 1000000
 -l, --limit                    | Num  | Limit X words from the start + skipped words         | -l 1000000
     --keyspace                 |      | Show keyspace base:mod values and quit               |
 -j, --rule-left                | Rule | Single rule applied to each word from left wordlist  | -j 'c'
 -k, --rule-right               | Rule | Single rule applied to each word from right wordlist | -k '^-'
 -r, --rules-file               | File | Multiple rules applied to each word from wordlists   | -r rules/best64.rule
 -g, --generate-rules           | Num  | Generate X random rules                              | -g 10000
     --generate-rules-func-min  | Num  | Force min X functions per rule                       |
     --generate-rules-func-max  | Num  | Force max X functions per rule                       |
     --generate-rules-func-sel  | Str  | Pool of rule operators valid for random rule engine  | --generate-rules-func-sel=ioTlc
     --generate-rules-seed      | Num  | Force RNG seed set to X                              |
 -1, --custom-charset1          | CS   | User-defined charset ?1                              | -1 ?l?d?u
 -2, --custom-charset2          | CS   | User-defined charset ?2                              | -2 ?l?d?s
 -3, --custom-charset3          | CS   | User-defined charset ?3                              |
 -4, --custom-charset4          | CS   | User-defined charset ?4                              |
     --identify                 |      | Shows all supported algorithms for input hashes      | --identify my.hash
 -i, --increment                |      | Enable mask increment mode                           |
     --increment-min            | Num  | Start mask incrementing at X                         | --increment-min=4
     --increment-max            | Num  | Stop mask incrementing at X                          | --increment-max=8
 -S, --slow-candidates          |      | Enable slower (but advanced) candidate generators    |
     --brain-server             |      | Enable brain server                                  |
     --brain-server-timer       | Num  | Update the brain server dump each X seconds (min:60) | --brain-server-timer=300
 -z, --brain-client             |      | Enable brain client, activates -S                    |
     --brain-client-features    | Num  | Define brain client features, see below              | --brain-client-features=3
     --brain-host               | Str  | Brain server host (IP or domain)                     | --brain-host=127.0.0.1
     --brain-port               | Port | Brain server port                                    | --brain-port=13743
     --brain-password           | Str  | Brain server authentication password                 | --brain-password=bZfhCvGUSjRq
     --brain-session            | Hex  | Overrides automatically calculated brain session     | --brain-session=0x2ae611db
     --brain-session-whitelist  | Hex  | Allow given sessions only, separated with commas     | --brain-session-whitelist=0x2ae611db
 
- [ Hash modes ] -
 
      # | Name                                                | Category
  ======+=====================================================+======================================
    900 | MD4                                                 | Raw Hash
      0 | MD5                                                 | Raw Hash
    100 | SHA1                                                | Raw Hash
   1300 | SHA2-224                                            | Raw Hash
   1400 | SHA2-256                                            | Raw Hash
  10800 | SHA2-384                                            | Raw Hash
   1700 | SHA2-512                                            | Raw Hash
  17300 | SHA3-224                                            | Raw Hash
  17400 | SHA3-256                                            | Raw Hash
  17500 | SHA3-384                                            | Raw Hash
  17600 | SHA3-512                                            | Raw Hash
   6000 | RIPEMD-160                                          | Raw Hash
    600 | BLAKE2b-512                                         | Raw Hash
  11700 | GOST R 34.11-2012 (Streebog) 256-bit, big-endian    | Raw Hash
  11800 | GOST R 34.11-2012 (Streebog) 512-bit, big-endian    | Raw Hash
   6900 | GOST R 34.11-94                                     | Raw Hash
   5100 | Half MD5                                            | Raw Hash
  17700 | Keccak-224                                          | Raw Hash
  17800 | Keccak-256                                          | Raw Hash
  17900 | Keccak-384                                          | Raw Hash
  18000 | Keccak-512                                          | Raw Hash
   6100 | Whirlpool                                           | Raw Hash
  10100 | SipHash                                             | Raw Hash
     70 | md5(utf16le($pass))                                 | Raw Hash
    170 | sha1(utf16le($pass))                                | Raw Hash
   1470 | sha256(utf16le($pass))                              | Raw Hash
  10870 | sha384(utf16le($pass))                              | Raw Hash
   1770 | sha512(utf16le($pass))                              | Raw Hash
     10 | md5($pass.$salt)                                    | Raw Hash, Salted and/or Iterated
     20 | md5($salt.$pass)                                    | Raw Hash, Salted and/or Iterated
   3800 | md5($salt.$pass.$salt)                              | Raw Hash, Salted and/or Iterated
   3710 | md5($salt.md5($pass))                               | Raw Hash, Salted and/or Iterated
   4110 | md5($salt.md5($pass.$salt))                         | Raw Hash, Salted and/or Iterated
   4010 | md5($salt.md5($salt.$pass))                         | Raw Hash, Salted and/or Iterated
  21300 | md5($salt.sha1($salt.$pass))                        | Raw Hash, Salted and/or Iterated
     40 | md5($salt.utf16le($pass))                           | Raw Hash, Salted and/or Iterated
   2600 | md5(md5($pass))                                     | Raw Hash, Salted and/or Iterated
   3910 | md5(md5($pass).md5($salt))                          | Raw Hash, Salted and/or Iterated
   3500 | md5(md5(md5($pass)))                                | Raw Hash, Salted and/or Iterated
   4400 | md5(sha1($pass))                                    | Raw Hash, Salted and/or Iterated
  20900 | md5(sha1($pass).md5($pass).sha1($pass))             | Raw Hash, Salted and/or Iterated
  21200 | md5(sha1($salt).md5($pass))                         | Raw Hash, Salted and/or Iterated
   4300 | md5(strtoupper(md5($pass)))                         | Raw Hash, Salted and/or Iterated
     30 | md5(utf16le($pass).$salt)                           | Raw Hash, Salted and/or Iterated
    110 | sha1($pass.$salt)                                   | Raw Hash, Salted and/or Iterated
    120 | sha1($salt.$pass)                                   | Raw Hash, Salted and/or Iterated
   4900 | sha1($salt.$pass.$salt)                             | Raw Hash, Salted and/or Iterated
   4520 | sha1($salt.sha1($pass))                             | Raw Hash, Salted and/or Iterated
  24300 | sha1($salt.sha1($pass.$salt))                       | Raw Hash, Salted and/or Iterated
    140 | sha1($salt.utf16le($pass))                          | Raw Hash, Salted and/or Iterated
  19300 | sha1($salt1.$pass.$salt2)                           | Raw Hash, Salted and/or Iterated
  14400 | sha1(CX)                                            | Raw Hash, Salted and/or Iterated
   4700 | sha1(md5($pass))                                    | Raw Hash, Salted and/or Iterated
   4710 | sha1(md5($pass).$salt)                              | Raw Hash, Salted and/or Iterated
  21100 | sha1(md5($pass.$salt))                              | Raw Hash, Salted and/or Iterated
  18500 | sha1(md5(md5($pass)))                               | Raw Hash, Salted and/or Iterated
   4500 | sha1(sha1($pass))                                   | Raw Hash, Salted and/or Iterated
   4510 | sha1(sha1($pass).$salt)                             | Raw Hash, Salted and/or Iterated
   5000 | sha1(sha1($salt.$pass.$salt))                       | Raw Hash, Salted and/or Iterated
    130 | sha1(utf16le($pass).$salt)                          | Raw Hash, Salted and/or Iterated
   1410 | sha256($pass.$salt)                                 | Raw Hash, Salted and/or Iterated
   1420 | sha256($salt.$pass)                                 | Raw Hash, Salted and/or Iterated
  22300 | sha256($salt.$pass.$salt)                           | Raw Hash, Salted and/or Iterated
  20720 | sha256($salt.sha256($pass))                         | Raw Hash, Salted and/or Iterated
   1440 | sha256($salt.utf16le($pass))                        | Raw Hash, Salted and/or Iterated
  20800 | sha256(md5($pass))                                  | Raw Hash, Salted and/or Iterated
  20710 | sha256(sha256($pass).$salt)                         | Raw Hash, Salted and/or Iterated
  21400 | sha256(sha256_bin($pass))                           | Raw Hash, Salted and/or Iterated
   1430 | sha256(utf16le($pass).$salt)                        | Raw Hash, Salted and/or Iterated
  10810 | sha384($pass.$salt)                                 | Raw Hash, Salted and/or Iterated
  10820 | sha384($salt.$pass)                                 | Raw Hash, Salted and/or Iterated
  10840 | sha384($salt.utf16le($pass))                        | Raw Hash, Salted and/or Iterated
  10830 | sha384(utf16le($pass).$salt)                        | Raw Hash, Salted and/or Iterated
   1710 | sha512($pass.$salt)                                 | Raw Hash, Salted and/or Iterated
   1720 | sha512($salt.$pass)                                 | Raw Hash, Salted and/or Iterated
   1740 | sha512($salt.utf16le($pass))                        | Raw Hash, Salted and/or Iterated
   1730 | sha512(utf16le($pass).$salt)                        | Raw Hash, Salted and/or Iterated
     50 | HMAC-MD5 (key = $pass)                              | Raw Hash, Authenticated
     60 | HMAC-MD5 (key = $salt)                              | Raw Hash, Authenticated
    150 | HMAC-SHA1 (key = $pass)                             | Raw Hash, Authenticated
    160 | HMAC-SHA1 (key = $salt)                             | Raw Hash, Authenticated
   1450 | HMAC-SHA256 (key = $pass)                           | Raw Hash, Authenticated
   1460 | HMAC-SHA256 (key = $salt)                           | Raw Hash, Authenticated
   1750 | HMAC-SHA512 (key = $pass)                           | Raw Hash, Authenticated
   1760 | HMAC-SHA512 (key = $salt)                           | Raw Hash, Authenticated
  11750 | HMAC-Streebog-256 (key = $pass), big-endian         | Raw Hash, Authenticated
  11760 | HMAC-Streebog-256 (key = $salt), big-endian         | Raw Hash, Authenticated
  11850 | HMAC-Streebog-512 (key = $pass), big-endian         | Raw Hash, Authenticated
  11860 | HMAC-Streebog-512 (key = $salt), big-endian         | Raw Hash, Authenticated
  11500 | CRC32                                               | Raw Checksum
  18700 | Java Object hashCode()                              | Raw Checksum
  25700 | MurmurHash                                          | Raw Checksum
  14100 | 3DES (PT = $salt, key = $pass)                      | Raw Cipher, Known-Plaintext attack
  14000 | DES (PT = $salt, key = $pass)                       | Raw Cipher, Known-Plaintext attack
  26401 | AES-128-ECB NOKDF (PT = $salt, key = $pass)         | Raw Cipher, Known-Plaintext attack
  26402 | AES-192-ECB NOKDF (PT = $salt, key = $pass)         | Raw Cipher, Known-Plaintext attack
  26403 | AES-256-ECB NOKDF (PT = $salt, key = $pass)         | Raw Cipher, Known-Plaintext attack
  15400 | ChaCha20                                            | Raw Cipher, Known-Plaintext attack
  14500 | Linux Kernel Crypto API (2.4)                       | Raw Cipher, Known-Plaintext attack
  14900 | Skip32 (PT = $salt, key = $pass)                    | Raw Cipher, Known-Plaintext attack
  11900 | PBKDF2-HMAC-MD5                                     | Generic KDF
  12000 | PBKDF2-HMAC-SHA1                                    | Generic KDF
  10900 | PBKDF2-HMAC-SHA256                                  | Generic KDF
  12100 | PBKDF2-HMAC-SHA512                                  | Generic KDF
   8900 | scrypt                                              | Generic KDF
    400 | phpass                                              | Generic KDF
  16100 | TACACS+                                             | Network Protocols
  11400 | SIP digest authentication (MD5)                     | Network Protocols
   5300 | IKE-PSK MD5                                         | Network Protocols
   5400 | IKE-PSK SHA1                                        | Network Protocols
  25100 | SNMPv3 HMAC-MD5-96                                  | Network Protocols
  25000 | SNMPv3 HMAC-MD5-96/HMAC-SHA1-96                     | Network Protocols
  25200 | SNMPv3 HMAC-SHA1-96                                 | Network Protocols
  26700 | SNMPv3 HMAC-SHA224-128                              | Network Protocols
  26800 | SNMPv3 HMAC-SHA256-192                              | Network Protocols
  26900 | SNMPv3 HMAC-SHA384-256                              | Network Protocols
  27300 | SNMPv3 HMAC-SHA512-384                              | Network Protocols
   2500 | WPA-EAPOL-PBKDF2                                    | Network Protocols
   2501 | WPA-EAPOL-PMK                                       | Network Protocols
  22000 | WPA-PBKDF2-PMKID+EAPOL                              | Network Protocols
  22001 | WPA-PMK-PMKID+EAPOL                                 | Network Protocols
  16800 | WPA-PMKID-PBKDF2                                    | Network Protocols
  16801 | WPA-PMKID-PMK                                       | Network Protocols
   7300 | IPMI2 RAKP HMAC-SHA1                                | Network Protocols
  10200 | CRAM-MD5                                            | Network Protocols
  16500 | JWT (JSON Web Token)                                | Network Protocols
  19600 | Kerberos 5, etype 17, TGS-REP                       | Network Protocols
  19800 | Kerberos 5, etype 17, Pre-Auth                      | Network Protocols
  19700 | Kerberos 5, etype 18, TGS-REP                       | Network Protocols
  19900 | Kerberos 5, etype 18, Pre-Auth                      | Network Protocols
   7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth               | Network Protocols
  13100 | Kerberos 5, etype 23, TGS-REP                       | Network Protocols
  18200 | Kerberos 5, etype 23, AS-REP                        | Network Protocols
   5500 | NetNTLMv1 / NetNTLMv1+ESS                           | Network Protocols
  27000 | NetNTLMv1 / NetNTLMv1+ESS (NT)                      | Network Protocols
   5600 | NetNTLMv2                                           | Network Protocols
  27100 | NetNTLMv2 (NT)                                      | Network Protocols
   4800 | iSCSI CHAP authentication, MD5(CHAP)                | Network Protocols
   8500 | RACF                                                | Operating System
   6300 | AIX {smd5}                                          | Operating System
   6700 | AIX {ssha1}                                         | Operating System
   6400 | AIX {ssha256}                                       | Operating System
   6500 | AIX {ssha512}                                       | Operating System
   3000 | LM                                                  | Operating System
  19000 | QNX /etc/shadow (MD5)                               | Operating System
  19100 | QNX /etc/shadow (SHA256)                            | Operating System
  19200 | QNX /etc/shadow (SHA512)                            | Operating System
  15300 | DPAPI masterkey file v1                             | Operating System
  15900 | DPAPI masterkey file v2                             | Operating System
   7200 | GRUB 2                                              | Operating System
  12800 | MS-AzureSync PBKDF2-HMAC-SHA256                     | Operating System
  12400 | BSDi Crypt, Extended DES                            | Operating System
   1000 | NTLM                                                | Operating System
   9900 | Radmin2                                             | Operating System
   5800 | Samsung Android Password/PIN                        | Operating System
  13800 | Windows Phone 8+ PIN/password                       | Operating System
   2410 | Cisco-ASA MD5                                       | Operating System
   9200 | Cisco-IOS $8$ (PBKDF2-SHA256)                       | Operating System
   9300 | Cisco-IOS $9$ (scrypt)                              | Operating System
   5700 | Cisco-IOS type 4 (SHA256)                           | Operating System
   2400 | Cisco-PIX MD5                                       | Operating System
   8100 | Citrix NetScaler (SHA1)                             | Operating System
  22200 | Citrix NetScaler (SHA512)                           | Operating System
   1100 | Domain Cached Credentials (DCC), MS Cache           | Operating System
   2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2      | Operating System
   7000 | FortiGate (FortiOS)                                 | Operating System
  26300 | FortiGate256 (FortiOS256)                           | Operating System
    125 | ArubaOS                                             | Operating System
    501 | Juniper IVE                                         | Operating System
     22 | Juniper NetScreen/SSG (ScreenOS)                    | Operating System
  15100 | Juniper/NetBSD sha1crypt                            | Operating System
  26500 | iPhone passcode (UID key + System Keybag)           | Operating System
    122 | macOS v10.4, macOS v10.5, macOS v10.6               | Operating System
   1722 | macOS v10.7                                         | Operating System
   7100 | macOS v10.8+ (PBKDF2-SHA512)                        | Operating System
   3200 | bcrypt $2*$, Blowfish (Unix)                        | Operating System
    500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)           | Operating System
   1500 | descrypt, DES (Unix), Traditional DES               | Operating System
   7400 | sha256crypt $5$, SHA256 (Unix)                      | Operating System
   1800 | sha512crypt $6$, SHA512 (Unix)                      | Operating System
  24600 | SQLCipher                                           | Database Server
    131 | MSSQL (2000)                                        | Database Server
    132 | MSSQL (2005)                                        | Database Server
   1731 | MSSQL (2012, 2014)                                  | Database Server
  24100 | MongoDB ServerKey SCRAM-SHA-1                       | Database Server
  24200 | MongoDB ServerKey SCRAM-SHA-256                     | Database Server
     12 | PostgreSQL                                          | Database Server
  11100 | PostgreSQL CRAM (MD5)                               | Database Server
   3100 | Oracle H: Type (Oracle 7+)                          | Database Server
    112 | Oracle S: Type (Oracle 11+)                         | Database Server
  12300 | Oracle T: Type (Oracle 12+)                         | Database Server
   7401 | MySQL $A$ (sha256crypt)                             | Database Server
  11200 | MySQL CRAM (SHA1)                                   | Database Server
    200 | MySQL323                                            | Database Server
    300 | MySQL4.1/MySQL5                                     | Database Server
   8000 | Sybase ASE                                          | Database Server
   8300 | DNSSEC (NSEC3)                                      | FTP, HTTP, SMTP, LDAP Server
  25900 | KNX IP Secure - Device Authentication Code          | FTP, HTTP, SMTP, LDAP Server
  16400 | CRAM-MD5 Dovecot                                    | FTP, HTTP, SMTP, LDAP Server
   1411 | SSHA-256(Base64), LDAP {SSHA256}                    | FTP, HTTP, SMTP, LDAP Server
   1711 | SSHA-512(Base64), LDAP {SSHA512}                    | FTP, HTTP, SMTP, LDAP Server
  24900 | Dahua Authentication MD5                            | FTP, HTTP, SMTP, LDAP Server
  10901 | RedHat 389-DS LDAP (PBKDF2-HMAC-SHA256)             | FTP, HTTP, SMTP, LDAP Server
  15000 | FileZilla Server >= 0.9.55                          | FTP, HTTP, SMTP, LDAP Server
  12600 | ColdFusion 10+                                      | FTP, HTTP, SMTP, LDAP Server
   1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR)               | FTP, HTTP, SMTP, LDAP Server
    141 | Episerver 6.x < .NET 4                              | FTP, HTTP, SMTP, LDAP Server
   1441 | Episerver 6.x >= .NET 4                             | FTP, HTTP, SMTP, LDAP Server
   1421 | hMailServer                                         | FTP, HTTP, SMTP, LDAP Server
    101 | nsldap, SHA-1(Base64), Netscape LDAP SHA            | FTP, HTTP, SMTP, LDAP Server
    111 | nsldaps, SSHA-1(Base64), Netscape LDAP SSHA         | FTP, HTTP, SMTP, LDAP Server
   7700 | SAP CODVN B (BCODE)                                 | Enterprise Application Software (EAS)
   7701 | SAP CODVN B (BCODE) from RFC_READ_TABLE             | Enterprise Application Software (EAS)
   7800 | SAP CODVN F/G (PASSCODE)                            | Enterprise Application Software (EAS)
   7801 | SAP CODVN F/G (PASSCODE) from RFC_READ_TABLE        | Enterprise Application Software (EAS)
  10300 | SAP CODVN H (PWDSALTEDHASH) iSSHA-1                 | Enterprise Application Software (EAS)
    133 | PeopleSoft                                          | Enterprise Application Software (EAS)
  13500 | PeopleSoft PS_TOKEN                                 | Enterprise Application Software (EAS)
  21500 | SolarWinds Orion                                    | Enterprise Application Software (EAS)
  21501 | SolarWinds Orion v2                                 | Enterprise Application Software (EAS)
     24 | SolarWinds Serv-U                                   | Enterprise Application Software (EAS)
   8600 | Lotus Notes/Domino 5                                | Enterprise Application Software (EAS)
   8700 | Lotus Notes/Domino 6                                | Enterprise Application Software (EAS)
   9100 | Lotus Notes/Domino 8                                | Enterprise Application Software (EAS)
  26200 | OpenEdge Progress Encode                            | Enterprise Application Software (EAS)
  20600 | Oracle Transportation Management (SHA256)           | Enterprise Application Software (EAS)
   4711 | Huawei sha1(md5($pass).$salt)                       | Enterprise Application Software (EAS)
  20711 | AuthMe sha256                                       | Enterprise Application Software (EAS)
  22400 | AES Crypt (SHA256)                                  | Full-Disk Encryption (FDE)
  27400 | VMware VMX (PBKDF2-HMAC-SHA1 + AES-256-CBC)         | Full-Disk Encryption (FDE)
  14600 | LUKS                                                | Full-Disk Encryption (FDE)
  13711 | VeraCrypt RIPEMD160 + XTS 512 bit                   | Full-Disk Encryption (FDE)
  13712 | VeraCrypt RIPEMD160 + XTS 1024 bit                  | Full-Disk Encryption (FDE)
  13713 | VeraCrypt RIPEMD160 + XTS 1536 bit                  | Full-Disk Encryption (FDE)
  13741 | VeraCrypt RIPEMD160 + XTS 512 bit + boot-mode       | Full-Disk Encryption (FDE)
  13742 | VeraCrypt RIPEMD160 + XTS 1024 bit + boot-mode      | Full-Disk Encryption (FDE)
  13743 | VeraCrypt RIPEMD160 + XTS 1536 bit + boot-mode      | Full-Disk Encryption (FDE)
  13751 | VeraCrypt SHA256 + XTS 512 bit                      | Full-Disk Encryption (FDE)
  13752 | VeraCrypt SHA256 + XTS 1024 bit                     | Full-Disk Encryption (FDE)
  13753 | VeraCrypt SHA256 + XTS 1536 bit                     | Full-Disk Encryption (FDE)
  13761 | VeraCrypt SHA256 + XTS 512 bit + boot-mode          | Full-Disk Encryption (FDE)
  13762 | VeraCrypt SHA256 + XTS 1024 bit + boot-mode         | Full-Disk Encryption (FDE)
  13763 | VeraCrypt SHA256 + XTS 1536 bit + boot-mode         | Full-Disk Encryption (FDE)
  13721 | VeraCrypt SHA512 + XTS 512 bit                      | Full-Disk Encryption (FDE)
  13722 | VeraCrypt SHA512 + XTS 1024 bit                     | Full-Disk Encryption (FDE)
  13723 | VeraCrypt SHA512 + XTS 1536 bit                     | Full-Disk Encryption (FDE)
  13771 | VeraCrypt Streebog-512 + XTS 512 bit                | Full-Disk Encryption (FDE)
  13772 | VeraCrypt Streebog-512 + XTS 1024 bit               | Full-Disk Encryption (FDE)
  13773 | VeraCrypt Streebog-512 + XTS 1536 bit               | Full-Disk Encryption (FDE)
  13781 | VeraCrypt Streebog-512 + XTS 512 bit + boot-mode    | Full-Disk Encryption (FDE)
  13782 | VeraCrypt Streebog-512 + XTS 1024 bit + boot-mode   | Full-Disk Encryption (FDE)
  13783 | VeraCrypt Streebog-512 + XTS 1536 bit + boot-mode   | Full-Disk Encryption (FDE)
  13731 | VeraCrypt Whirlpool + XTS 512 bit                   | Full-Disk Encryption (FDE)
  13732 | VeraCrypt Whirlpool + XTS 1024 bit                  | Full-Disk Encryption (FDE)
  13733 | VeraCrypt Whirlpool + XTS 1536 bit                  | Full-Disk Encryption (FDE)
  23900 | BestCrypt v3 Volume Encryption                      | Full-Disk Encryption (FDE)
  16700 | FileVault 2                                         | Full-Disk Encryption (FDE)
  27500 | VirtualBox (PBKDF2-HMAC-SHA256 & AES-128-XTS)       | Full-Disk Encryption (FDE)
  27600 | VirtualBox (PBKDF2-HMAC-SHA256 & AES-256-XTS)       | Full-Disk Encryption (FDE)
  20011 | DiskCryptor SHA512 + XTS 512 bit                    | Full-Disk Encryption (FDE)
  20012 | DiskCryptor SHA512 + XTS 1024 bit                   | Full-Disk Encryption (FDE)
  20013 | DiskCryptor SHA512 + XTS 1536 bit                   | Full-Disk Encryption (FDE)
  22100 | BitLocker                                           | Full-Disk Encryption (FDE)
  12900 | Android FDE (Samsung DEK)                           | Full-Disk Encryption (FDE)
   8800 | Android FDE <= 4.3                                  | Full-Disk Encryption (FDE)
  18300 | Apple File System (APFS)                            | Full-Disk Encryption (FDE)
   6211 | TrueCrypt RIPEMD160 + XTS 512 bit                   | Full-Disk Encryption (FDE)
   6212 | TrueCrypt RIPEMD160 + XTS 1024 bit                  | Full-Disk Encryption (FDE)
   6213 | TrueCrypt RIPEMD160 + XTS 1536 bit                  | Full-Disk Encryption (FDE)
   6241 | TrueCrypt RIPEMD160 + XTS 512 bit + boot-mode       | Full-Disk Encryption (FDE)
   6242 | TrueCrypt RIPEMD160 + XTS 1024 bit + boot-mode      | Full-Disk Encryption (FDE)
   6243 | TrueCrypt RIPEMD160 + XTS 1536 bit + boot-mode      | Full-Disk Encryption (FDE)
   6221 | TrueCrypt SHA512 + XTS 512 bit                      | Full-Disk Encryption (FDE)
   6222 | TrueCrypt SHA512 + XTS 1024 bit                     | Full-Disk Encryption (FDE)
   6223 | TrueCrypt SHA512 + XTS 1536 bit                     | Full-Disk Encryption (FDE)
   6231 | TrueCrypt Whirlpool + XTS 512 bit                   | Full-Disk Encryption (FDE)
   6232 | TrueCrypt Whirlpool + XTS 1024 bit                  | Full-Disk Encryption (FDE)
   6233 | TrueCrypt Whirlpool + XTS 1536 bit                  | Full-Disk Encryption (FDE)
  12200 | eCryptfs                                            | Full-Disk Encryption (FDE)
  10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4)                       | Documents
  10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1          | Documents
  10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2          | Documents
  10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8)                       | Documents
  25400 | PDF 1.4 - 1.6 (Acrobat 5 - 8) - edit password       | Documents
  10600 | PDF 1.7 Level 3 (Acrobat 9)                         | Documents
  10700 | PDF 1.7 Level 8 (Acrobat 10 - 11)                   | Documents
   9400 | MS Office 2007                                      | Documents
   9500 | MS Office 2010                                      | Documents
   9600 | MS Office 2013                                      | Documents
  25300 | MS Office 2016 - SheetProtection                    | Documents
   9700 | MS Office <= 2003 $0/$1, MD5 + RC4                  | Documents
   9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1     | Documents
   9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2     | Documents
   9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1       | Documents
   9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2       | Documents
   9800 | MS Office <= 2003 $3/$4, SHA1 + RC4                 | Documents
  18400 | Open Document Format (ODF) 1.2 (SHA-256, AES)       | Documents
  18600 | Open Document Format (ODF) 1.1 (SHA-1, Blowfish)    | Documents
  16200 | Apple Secure Notes                                  | Documents
  23300 | Apple iWork                                         | Documents
   6600 | 1Password, agilekeychain                            | Password Managers
   8200 | 1Password, cloudkeychain                            | Password Managers
   9000 | Password Safe v2                                    | Password Managers
   5200 | Password Safe v3                                    | Password Managers
   6800 | LastPass + LastPass sniffed                         | Password Managers
  13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES)         | Password Managers
  23400 | Bitwarden                                           | Password Managers
  16900 | Ansible Vault                                       | Password Managers
  26000 | Mozilla key3.db                                     | Password Managers
  26100 | Mozilla key4.db                                     | Password Managers
  23100 | Apple Keychain                                      | Password Managers
  11600 | 7-Zip                                               | Archives
  12500 | RAR3-hp                                             | Archives
  23800 | RAR3-p (Compressed)                                 | Archives
  23700 | RAR3-p (Uncompressed)                               | Archives
  13000 | RAR5                                                | Archives
  17220 | PKZIP (Compressed Multi-File)                       | Archives
  17200 | PKZIP (Compressed)                                  | Archives
  17225 | PKZIP (Mixed Multi-File)                            | Archives
  17230 | PKZIP (Mixed Multi-File Checksum-Only)              | Archives
  17210 | PKZIP (Uncompressed)                                | Archives
  20500 | PKZIP Master Key                                    | Archives
  20510 | PKZIP Master Key (6 byte optimization)              | Archives
  23001 | SecureZIP AES-128                                   | Archives
  23002 | SecureZIP AES-192                                   | Archives
  23003 | SecureZIP AES-256                                   | Archives
  13600 | WinZip                                              | Archives
  18900 | Android Backup                                      | Archives
  24700 | Stuffit5                                            | Archives
  13200 | AxCrypt 1                                           | Archives
  13300 | AxCrypt 1 in-memory SHA1                            | Archives
  23500 | AxCrypt 2 AES-128                                   | Archives
  23600 | AxCrypt 2 AES-256                                   | Archives
  14700 | iTunes backup < 10.0                                | Archives
  14800 | iTunes backup >= 10.0                               | Archives
   8400 | WBB3 (Woltlab Burning Board)                        | Forums, CMS, E-Commerce
   2612 | PHPS                                                | Forums, CMS, E-Commerce
    121 | SMF (Simple Machines Forum) > v1.1                  | Forums, CMS, E-Commerce
   3711 | MediaWiki B type                                    | Forums, CMS, E-Commerce
   4521 | Redmine                                             | Forums, CMS, E-Commerce
  24800 | Umbraco HMAC-SHA1                                   | Forums, CMS, E-Commerce
     11 | Joomla < 2.5.18                                     | Forums, CMS, E-Commerce
  13900 | OpenCart                                            | Forums, CMS, E-Commerce
  11000 | PrestaShop                                          | Forums, CMS, E-Commerce
  16000 | Tripcode                                            | Forums, CMS, E-Commerce
   7900 | Drupal7                                             | Forums, CMS, E-Commerce
   4522 | PunBB                                               | Forums, CMS, E-Commerce
   2811 | MyBB 1.2+, IPB2+ (Invision Power Board)             | Forums, CMS, E-Commerce
   2611 | vBulletin < v3.8.5                                  | Forums, CMS, E-Commerce
   2711 | vBulletin >= v3.8.5                                 | Forums, CMS, E-Commerce
  25600 | bcrypt(md5($pass)) / bcryptmd5                      | Forums, CMS, E-Commerce
  25800 | bcrypt(sha1($pass)) / bcryptsha1                    | Forums, CMS, E-Commerce
     21 | osCommerce, xt:Commerce                             | Forums, CMS, E-Commerce
  18100 | TOTP (HMAC-SHA1)                                    | One-Time Passwords
   2000 | STDOUT                                              | Plaintext
  99999 | Plaintext                                           | Plaintext
  21600 | Web2py pbkdf2-sha512                                | Framework
  10000 | Django (PBKDF2-SHA256)                              | Framework
    124 | Django (SHA-1)                                      | Framework
  12001 | Atlassian (PBKDF2-HMAC-SHA1)                        | Framework
  19500 | Ruby on Rails Restful-Authentication                | Framework
  27200 | Ruby on Rails Restful Auth (one round, no sitekey)  | Framework
  20200 | Python passlib pbkdf2-sha512                        | Framework
  20300 | Python passlib pbkdf2-sha256                        | Framework
  20400 | Python passlib pbkdf2-sha1                          | Framework
  24410 | PKCS#8 Private Keys (PBKDF2-HMAC-SHA1 + 3DES/AES)   | Private Key
  24420 | PKCS#8 Private Keys (PBKDF2-HMAC-SHA256 + 3DES/AES) | Private Key
  15500 | JKS Java Key Store Private Keys (SHA1)              | Private Key
  22911 | RSA/DSA/EC/OpenSSH Private Keys ($0$)               | Private Key
  22921 | RSA/DSA/EC/OpenSSH Private Keys ($6$)               | Private Key
  22931 | RSA/DSA/EC/OpenSSH Private Keys ($1, $3$)           | Private Key
  22941 | RSA/DSA/EC/OpenSSH Private Keys ($4$)               | Private Key
  22951 | RSA/DSA/EC/OpenSSH Private Keys ($5$)               | Private Key
  23200 | XMPP SCRAM PBKDF2-SHA1                              | Instant Messaging Service
  22600 | Telegram Desktop < v2.1.14 (PBKDF2-HMAC-SHA1)       | Instant Messaging Service
  24500 | Telegram Desktop >= v2.1.14 (PBKDF2-HMAC-SHA512)    | Instant Messaging Service
  22301 | Telegram Mobile App Passcode (SHA256)               | Instant Messaging Service
     23 | Skype                                               | Instant Messaging Service
  26600 | MetaMask Wallet                                     | Cryptocurrency Wallet
  21000 | BitShares v0.x - sha512(sha512_bin(pass))           | Cryptocurrency Wallet
  11300 | Bitcoin/Litecoin wallet.dat                         | Cryptocurrency Wallet
  16600 | Electrum Wallet (Salt-Type 1-3)                     | Cryptocurrency Wallet
  21700 | Electrum Wallet (Salt-Type 4)                       | Cryptocurrency Wallet
  21800 | Electrum Wallet (Salt-Type 5)                       | Cryptocurrency Wallet
  12700 | Blockchain, My Wallet                               | Cryptocurrency Wallet
  15200 | Blockchain, My Wallet, V2                           | Cryptocurrency Wallet
  18800 | Blockchain, My Wallet, Second Password (SHA256)     | Cryptocurrency Wallet
  25500 | Stargazer Stellar Wallet XLM                        | Cryptocurrency Wallet
  16300 | Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256        | Cryptocurrency Wallet
  15600 | Ethereum Wallet, PBKDF2-HMAC-SHA256                 | Cryptocurrency Wallet
  15700 | Ethereum Wallet, SCRYPT                             | Cryptocurrency Wallet
  22500 | MultiBit Classic .key (MD5)                         | Cryptocurrency Wallet
  22700 | MultiBit HD (scrypt)                                | Cryptocurrency Wallet
 
- [ Brain Client Features ] -
 
  # | Features
 ===+========
  1 | Send hashed passwords
  2 | Send attack positions
  3 | Send hashed passwords and attack positions
 
- [ Outfile Formats ] -
 
  # | Format
 ===+========
  1 | hash[:salt]
  2 | plain
  3 | hex_plain
  4 | crack_pos
  5 | timestamp absolute
  6 | timestamp relative
 
- [ Rule Debugging Modes ] -
 
  # | Format
 ===+========
  1 | Finding-Rule
  2 | Original-Word
  3 | Original-Word:Finding-Rule
  4 | Original-Word:Finding-Rule:Processed-Word
 
- [ Attack Modes ] -
 
  # | Mode
 ===+======
  0 | Straight
  1 | Combination
  3 | Brute-force
  6 | Hybrid Wordlist + Mask
  7 | Hybrid Mask + Wordlist
  9 | Association
 
- [ Built-in Charsets ] -
 
  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz [a-z]
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ [A-Z]
  d | 0123456789                 [0-9]
  h | 0123456789abcdef           [0-9a-f]
  H | 0123456789ABCDEF           [0-9A-F]
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff
 
- [ OpenCL Device Types ] -
 
  # | Device Type
 ===+=============
  1 | CPU
  2 | GPU
  3 | FPGA, DSP, Co-Processor
 
- [ Workload Profiles ] -
 
  # | Performance | Runtime | Power Consumption | Desktop Impact
 ===+=============+=========+===================+=================
  1 | Low         |   2 ms  | Low               | Minimal
  2 | Default     |  12 ms  | Economic          | Noticeable
  3 | High        |  96 ms  | High              | Unresponsive
  4 | Nightmare   | 480 ms  | Insane            | Headless
 
- [ License ] -
 
  hashcat is licensed under the MIT license
  Copyright and license terms are listed in docs/license.txt
 
- [ Basic Examples ] -
 
  Attack-          | Hash- |
  Mode             | Type  | Example command
 ==================+=======+==================================================================
  Wordlist         | $P$   | hashcat -a 0 -m 400 example400.hash example.dict
  Wordlist + Rules | MD5   | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
  Brute-Force      | MD5   | hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a
  Combinator       | MD5   | hashcat -a 1 -m 0 example0.hash example.dict example.dict
  Association      | $1$   | hashcat -a 9 -m 500 example500.hash 1word.dict -r rules/best64.rule
 
If you still have no idea what just happened, try the following pages:
 
* https://hashcat.net/wiki/#howtos_videos_papers_articles_etc_in_the_wild
* https://hashcat.net/faq/
 
If you think you need help by a real human come to the hashcat Discord:
 
* https://discord.gg/HFS523HGBT

Examples

hashcat -w 3 -a 0 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt

This will run hashcat with a workload profile of 3 (second highest) with an attack mode of 0 (as is) against the specified hash file using the provided dictionary.

sec@slingshot:~$ hashcat -w 3 -a 0 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt
hashcat (v6.2.4) starting
 
* Device #1: Outdated POCL OpenCL driver detected!
 
This OpenCL driver may fail kernel compilation or produce false negatives.
You can use --force to override, but do not report related errors.
 
OpenCL API (OpenCL 1.2 pocl 1.1 None+Asserts, LLVM 6.0.0, SPIR, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
===========================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, skipped
 
OpenCL API (OpenCL 1.2 LINUX) - Platform #2 [Intel(R) Corporation]
==================================================================
* Device #2: Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, 1940/3944 MB (493 MB allocatable), 2MCU
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 37 digests; 36 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
 
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
 
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
 
Host memory required for this attack: 0 MB
 
Dictionary cache hit:
* Filename..: /opt/passwords/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
 
31d6cfe0d16ae931b73c59d7e0c089c0:                        
5bd9b7b6fce76d3aabfebee9debaa932:Warrior07               
87e968ead530264915a4b295c57c37d5:Tibbetts3               
5deaec4b57b859c25cdd0513fb7bc750:Patrique2238            
d8d9eee954da5f2d42fe72f862fa493f:Packardbell350          
9b5684b030226a1203e4e7b718a3f9df:Oozle11                 
23d26a03aa7102abce4805d88e568a78:KAMTPS20!!tim           
fe1f27a2561b61511588b0d24e333a7c:Chirmol01               
7a1f1fd59eb2b97041c74748ea6a68f8:BHLMSTz2                
bf459116e5854e34031997be8e13596d:Angels100%              
ca3f0e9ce3188b0602742da2976d6773:2soWht!a                
Approaching final keyspace - workload adjusted.          
 
                                                           
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1000 (NTLM)
Hash.Target......: /home/sec560/labs/web01.hashes
Time.Started.....: Thu Mar 17 02:07:12 2022 (11 secs)
Time.Estimated...: Thu Mar 17 02:07:23 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/opt/passwords/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:  1243.6 kH/s (0.03ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 11/36 (30.56%) Digests
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#2....: $HEX[0861365f313233] -> $HEX[042a0337c2a156616d6f732103]
 
Started: Thu Mar 17 02:07:00 2022
Stopped: Thu Mar 17 02:07:24 2022

hashcat -w 3 -a 0 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt -r /usr/local/share/doc/hashcat/rules/best64.rule

This is similar to the above command except it uses the permutation rule best64.rule to check permutations of the provided word list.

sec@slingshot:~$ hashcat -w 3 -a 0 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt -r /usr/local/share/doc/hashcat/rules/best64.rule
hashcat (v6.2.4) starting
 
* Device #1: Outdated POCL OpenCL driver detected!
 
This OpenCL driver may fail kernel compilation or produce false negatives.
You can use --force to override, but do not report related errors.
 
OpenCL API (OpenCL 1.2 pocl 1.1 None+Asserts, LLVM 6.0.0, SPIR, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
===========================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, skipped
 
OpenCL API (OpenCL 1.2 LINUX) - Platform #2 [Intel(R) Corporation]
==================================================================
* Device #2: Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, 1940/3944 MB (493 MB allocatable), 2MCU
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 37 digests; 36 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77
 
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
 
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
 
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
 
INFO: Removed 11 hashes found as potfile entries or as empty hashes.
 
Host memory required for this attack: 0 MB
 
Dictionary cache hit:
* Filename..: /opt/passwords/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 1104517568
 
5ae44bf0a1e24c0b1ec96708f30e7b84:Smitten77               
92929561b2758f409df2b4a24a59c6f4:Alphabet23              
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit =>
 
Approaching final keyspace - workload adjusted.          
 
                                                           
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1000 (NTLM)
Hash.Target......: /home/sec560/labs/web01.hashes
Time.Started.....: Thu Mar 17 02:14:29 2022 (2 mins, 14 secs)
Time.Estimated...: Thu Mar 17 02:16:43 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/opt/passwords/rockyou.txt)
Guess.Mod........: Rules (/usr/local/share/doc/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:  8011.9 kH/s (1.14ms) @ Accel:256 Loops:77 Thr:1 Vec:8
Recovered........: 13/36 (36.11%) Digests
Progress.........: 1104517568/1104517568 (100.00%)
Rejected.........: 0/1104517568 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-77 Iteration:0-77
Candidate.Engine.: Device Generator
Candidates.#2....: $HEX[0861365f313233] -> $HEX[04a156616d6f]
 
Started: Thu Mar 17 02:14:28 2022
Stopped: Thu Mar 17 02:16:45 2022

hashcat -w 3 -a 6 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt ?d?d

This is similar to the above commands except it uses attack mode 6 which is masking, and instead of specifying predefined permutation rules, it uses a custom mask at the end of the command.

sec@slingshot:~$ hashcat -w 3 -a 6 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt ?d?d
hashcat (v6.2.4) starting
 
* Device #1: Outdated POCL OpenCL driver detected!
 
This OpenCL driver may fail kernel compilation or produce false negatives.
You can use --force to override, but do not report related errors.
 
OpenCL API (OpenCL 1.2 pocl 1.1 None+Asserts, LLVM 6.0.0, SPIR, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
===========================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, skipped
 
OpenCL API (OpenCL 1.2 LINUX) - Platform #2 [Intel(R) Corporation]
==================================================================
* Device #2: Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, 1940/3944 MB (493 MB allocatable), 2MCU
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 37 digests; 36 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
 
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
 
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
 
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
 
INFO: Removed 13 hashes found as potfile entries or as empty hashes.
 
Host memory required for this attack: 0 MB
 
Dictionary cache hit:
* Filename..: /opt/passwords/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 1434438400
 
7ce56170c73f9582fa348db88de2c192:Gathering81             
Approaching final keyspace - workload adjusted.          
 
                                                           
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1000 (NTLM)
Hash.Target......: /home/sec560/labs/web01.hashes
Time.Started.....: Thu Mar 17 02:20:46 2022 (1 min, 9 secs)
Time.Estimated...: Thu Mar 17 02:21:55 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/opt/passwords/rockyou.txt), Left Side
Guess.Mod........: Mask (?d?d) [2], Right Side
Guess.Queue.Base.: 1/1 (100.00%)
Guess.Queue.Mod..: 1/1 (100.00%)
Speed.#2.........: 20964.9 kH/s (0.55ms) @ Accel:256 Loops:100 Thr:1 Vec:8
Recovered........: 14/36 (38.89%) Digests
Progress.........: 1434438400/1434438400 (100.00%)
Rejected.........: 0/1434438400 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-100 Iteration:0-100
Candidate.Engine.: Device Generator
Candidates.#2....: $HEX[0861365f3132333132] -> $HEX[042a0337c2a156616d6f7321033638]
 
Started: Thu Mar 17 02:20:34 2022
Stopped: Thu Mar 17 02:21:55 2022

hashcat -m 1000 –username –show –outfile-format 2 labs/web01.hashes

This command will show all the NT hashes that we’ve cracked so far for the provided hash file.

sec@slingshot:~$ hashcat -m 1000 --username --show --outfile-format 2 labs/web01.hashes
Guest:
DefaultAccount:
slopez:Tibbetts3
aparker:Oozle11
rgray:KAMTPS20!!tim
wrobinson:Patrique2238
mlara:Packardbell350
lstout:2soWht!a
tandersen:Angels100%
awalker:Chirmol01
mmiller:BHLMSTz2
vcollins:Warrior07
hhopkins:Alphabet23
kcooper:Smitten77
rduarte:Gathering81

hashcat -m 13100 -a 6 /tmp/tickets /opt/passwords/passwords.txt ?d?d?d?d

This will attempt to crack a kerberos service ticket hash using the password list and appending 4 digits to the end.

Blog Posts

Tag: password cracking