Brute force advanced password recovery with HashCat

Hashcat is a free brute force attack tool (aka password cracker) to perform security audits on database password hashes or recover forgotten passwords, it is available for Linux and Windows, unlike the better known command line only dictionary attack tool John The Ripper, HashCat comes with an interface (aka GUI, Graphical User Interface). After downloading Hashcat you will need a password list (aka wordlist), you can download one from OpenWall. A common approach to recover a forgotten password is to try and guess it using dictionary words, the time to crack the password is linked to its length in bits, the most difficult to crack passwords will have been made up using a lump of special characters, punctuation signs and capital/small letters.

Brute force tool HashCat

Brute force tool HashCat

HashCat is not only a dictionary attack tool, it can use precomputed hashes, using a pre-computed dictionary made up of hashes saves time when cracking passwords because the the words have already been converted into hashing algorithms which is how passwords are stored. This kind of brute force attack can be slowed down when cryptography uses a technique to force all password entries to be recomputed at each try, in cryptography this is called salt.

The more you know about the the password constitution the quicker it will be to crack it, HashCat lets you specify password length, you will also want to determine the hash mode, encryption software use different hashing algorithms for password storage, the algorithm used is normally found within the software technical specifications. Computer graphic cards with a processor (Graphics Processing Unit, GPU) can notably speed up password cracking efforts, HashCat takes advantage of them being able to use up to 16 GPUs. Finding out a hard to guess password out of a hashing algorithm is not easy with just a single desktop computer, when the opponent has access to supercomputers or botnets, if the passwords is weak, a couple of days might be all one needs.

Visit Hashcat homepage

Leave a Reply