# Password Cracking Using Hashcat

## Errors on Hashcat

If you are running Hashcat on an AMD GPU, as I do, you might get errors about the ***AMD HIP SDK.***

For this, install the [**AMD HIP SDK**](https://www.amd.com/en/developer/resources/rocm-hub/hip-sdk.html).

**The Hashcat beta builds also work well with it:** [**https://hashcat.net/beta/**](https://hashcat.net/beta/)

***

For fast lookup, I have listed the hash modes most commonly seen in AD environments below.

| Mode  | Hash                                | Description                                                                                   |
| ----- | ----------------------------------- | --------------------------------------------------------------------------------------------- |
| 1000  | NTLM                                | Extremely common; the NT hash stored in the SAM / NTDS.dit and used for domain authentication |
| 1100  | MsCache                             | Domain cached credentials (DCC), old version                                                  |
| 2100  | MsCache v2                          | Domain cached credentials (DCC2), new version, Vista and later                                |
| 3000  | LM                                  | Obsolete and rarely enabled anymore, but still the first half of a dumped LM:NT line          |
| 5500  | NetNTLMv1 / NetNTLMv1+ESS           | NTLM challenge/response captured on the network, old and weak version                         |
| 5600  | NetNTLMv2                           | NTLM challenge/response captured on the network, current version                              |
| 7500  | Kerberos 5 AS-REQ Pre-Auth etype 23 | AS-REQ is the initial user authentication request of Kerberos (pre-auth timestamp, RC4)       |
| 13100 | Kerberos 5 TGS-REP etype 23         | TGS-REP is the reply of the Ticket Granting Server to the previous request (Kerberoasting)    |

#### Dictionary attack

Here is a very basic dictionary attack using the well-known [***rockyou***](https://www.kali.org/tools/wordlists/) wordlist. Without an `-a` flag hashcat defaults to attack mode 0 (straight), which tries every wordlist entry exactly as written.

```
hashcat.exe -m 5600 ntlmv2-hash.txt rockyou.txt -o cracked-hash.txt
```

The limitation, as with every wordlist attack, is that **if the password you are trying to crack is not in the list, you won't be able to crack it**. That leads us to the next type of attack, the rule-based attack.

#### Rules-based attack

Run the [***rockyou***](https://gitlab.com/kalilinux/packages/wordlists) wordlist with the [***OneRuletoRuleThemAllStill***](https://gist.github.com/smhuda/350b23cefcbdfa3d83e97e8dcb9e1efd) ruleset. Each rule mangles every wordlist entry (case changes, appended digits and years, character substitutions and so on), so the number of candidates is the wordlist size multiplied by the rule count.

{% code overflow="wrap" %}

```
hashcat.exe -m 5600 -r OneRuletoRuleThemAllStill.rule ntlmv2-hash.txt rockyou.txt -o cracked-hash.txt
```

{% endcode %}

You are free to experiment with both lists and rules in this part. Only the sky is the limit (or your GPU, or your tolerance for hot computer smell).
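
The two commands above are really one procedure: a cheap dictionary pass first, then the far more expensive rule pass on whatever is left, and finally matching the cracked plaintexts back to accounts. Here is that procedure as a script, an added example that is not from the page. The file names, the `HASHCAT` variable (set it to `hashcat.exe` on Windows) and the sample outfile at the bottom are assumptions; the sample is constructed and contains no real credentials.

```shell
#!/bin/sh
# Added example, not from the original page: dictionary pass, then rule pass,
# then map cracked NetNTLMv2 plaintexts back to usernames. File names and the
# sample outfile below are assumptions / constructed data.
set -eu

HASHCAT="${HASHCAT:-hashcat}"     # hashcat.exe on Windows
MODE=5600                         # NetNTLMv2, as in the page's examples
HASHES=ntlmv2-hash.txt
WORDLIST=rockyou.txt
RULES=OneRuletoRuleThemAllStill.rule
OUT=cracked-hash.txt

# hashcat's exit code says how the pass ended: 0 all cracked, 1 keyspace
# exhausted with hashes left, 2 aborted by the user; anything else is an error.
pass_status() {
  case "$1" in
    0) echo cracked ;;
    1) echo exhausted ;;
    2) echo aborted ;;
    *) echo error ;;
  esac
}

# Run one pass with the given extra arguments. "exhausted" is normal after
# pass 1 and is exactly why pass 2 exists.
run_pass() {
  echo "[*] $HASHCAT -m $MODE -a 0 $HASHES $WORDLIST -o $OUT $*"
  rc=0
  "$HASHCAT" -m "$MODE" -a 0 "$HASHES" "$WORDLIST" -o "$OUT" "$@" || rc=$?
  status=$(pass_status "$rc")
  echo "[*] pass finished: $status (exit $rc)"
  [ "$status" != error ]
}

# Outfile lines are <hash>:<plaintext>. A NetNTLMv2 hash has six colon-separated
# fields (user::domain:serverchallenge:ntproofstr:blob), so the plaintext starts
# at field 7; later fields are rejoined in case the password itself contains ':'.
cracked_users() {
  awk -F: 'NF >= 7 {
    pw = $7
    for (i = 8; i <= NF; i++) pw = pw ":" $i
    print $1 ":" pw
  }' "$1"
}

main() {
  # Pass 1: plain wordlist. Every crack is written to the potfile, so pass 2
  # skips those hashes automatically and only spends GPU time on the leftovers.
  run_pass
  # Pass 2: same wordlist, every entry expanded by every rule.
  run_pass -r "$RULES"
  echo "[*] cracked accounts (user:password):"
  cracked_users "$OUT"
}

if [ -f "$HASHES" ]; then
  main
else
  # No capture on disk: demonstrate the parser on a constructed outfile instead.
  sample=$(mktemp)
  printf '%s\n' \
    'jdoe::CORP:1122334455667788:0123456789abcdef0123456789abcdef:0101c0ffee:Summer2024!' \
    'svc_sql::CORP:8877665544332211:fedcba9876543210fedcba9876543210:0101c0ffee:pa:ss:word' \
    > "$sample"
  cracked_users "$sample"
  rm -f "$sample"
fi
```

Because hashcat records every crack in its potfile, running the rule pass against the same hash file does not redo the dictionary work; it only iterates over hashes that are still open. The parser splits on the hash's own field count rather than on the last colon, so a password like `pa:ss:word` survives intact.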

