Password Cracking Using Hashcat

Errors on Hashcat

If you are running Hashcat on AMD based GPU like me you might get errors about AMD HIP SDK.

For this, we can install AMD HIP SDK

Also, Hashcat Beta works well with this --> https://hashcat.net/beta/

For fast lookup I have added the most commonly seen ones in AD environments below

ModeHashDescription

1000

NTLM

Extremely common, used for general domain authentication

1100

MsCache

Domain cached credentials, old version

2100

MsCache v2

Domain cached credentials, new version

3000

LM

Old, rarely used anymore (still a part of NTLM)

5500

NetNTLMv1 / NetNTLMv1+ESS

NTLM for authentication over the network

5600

NetNTLMv2

NTLM for authentication over the network

7500

Kerberos 5 AS-REQ Pre-Auth etype 23

AS_REQ is the initial user authentication request of Kerberoas

13100

Kerberos 5 TGS-REP etype 23

TGS_REP is the reply of the Ticket Granting Server to the previous request

Dictionary attack

Here is a very basic dictionary attack using the world famous rockyou wordlist.

hashcat.exe -m 5600ntlmv2-hash.txt rockyou.txt -o cracked-hash.txt

The limitation here is as with all wordlist attacks the fact that if the password you are trying to crack is not in the list; you won't be able to crack it. This leads us to the next type of attack, a rule-based attack.

Rules-based attack

Run rockyou Wordlist with the OneRuletoRuleThemAllStill ruleset.

hashcat.exe -m 5600 -r OneRuletoRuleThemAllStill.rule ntlmvs-hash.txt rockyou.txt -o cracked-hash.txt

You are free to experiment with both lists and rules in this part. Only the sky is the limit (or your GPU / tolerance for hot computer smell)

PreviousRemote Access SheetNextCalculate IP Addresses from CIDR

Last updated