Several attack modes of hashcat

2024-12-24 12:15:01

There are multiple attack modes for hashcat, check the full help with the parameter –help, you can see the "Attack Modes" table, as shown below:

#	Mode
0	Straight
1	Combination
3	Brute-force
6	Hybrid Wordlist + Mask
7	Hybrid Mask + Wordlist

1.Straight

This attack pattern is also known as "Dictionary Attack". Nothing to say, just given a dictionary, hashcat will read the contents of the dictionary line by line, calculate the hash value of each row, and compare it to the target hash value.

Example:

  hashcat -a 0 -m 400 example400.hash example.dict

2.Combination

Baidu told me that Combination is a noun that means: "Combination; Complex; password combinations; Pantyhose". This attack mode is as simple as combining the contents of two password dictionaries. Using this attack pattern requires no more and no less, no less, two password dictionaries to be specified. Suppose we have two password dictionaries dict1.txt and a dict2.txt that have the following contents:

  hunting
  kitty
  rainbow

and

  paris
  rock

then command:

  hashcat -m 0 -a 1 hash.txt dict1.txt dict2.txt

The dictionary that actually tried was:

  huntingparis
  huntingrock
  kittyparis
  kittyrock
  rainbowparis
  rainbowrock

The words in the dict1.txt are on the left, and the words in the dict2.txt are on the right, a total of 3×2=6.

The parameters associated with this model are:

  -j, --rule-left
  -k, --rule-right

The rule after -j acts on the left, and the rule after -k acts on the right, if you add the parameter -j '$-', then the dictionary you actually try is:

  hunting-paris
  hunting-rock
  kitty-paris
  kitty-rock
  rain-bowparis
  rain-bowrock

Add the argument -j '^!', and the dictionary you actually try is:

  !huntingparis
  !huntingrock
  !kittyparis
  !kittyrock
  !rainbowparis
  !rainbowrock

Add the -k '^>' argument and the dictionary you actually try is:

  hunting>paris
  hunting>rock
  kitty>paris
  kitty>rock
  rain>bowparis
  rain>bowrock

What are these rules? "$" and "^" are used in a similar way to regular expressions, so are they regular? Actually, no, the rules of hashcat are implemented by themselves, which is another big piece of content, see Rule-based Attack for details

3.Brute-force

Try a wide variety of combinations of given character sets. According to the official hashcat wiki, this method has become obsolete and has been replaced by Mask-Attack in all directions, so no research is done.

4.Mask Attack

This is a relatively new attack method, as shown below:

  hashcat -a 3 -m 0 md5.hash ?l?l?l?l?l

While the "Attack Modes" table shows that -a 3 corresponds to Brute-force, in reality, -a 3 uses Mask Attack. Mask Attack can be seen as an advanced Brute-force.

The -m parameter is used to specify the type of the hash function, and the md5.hash file stores the value of md5. The key is the last string "?l?l?l?l?l", which is called a mask.

A mask is a string of placeholders. "?l" is a placeholder, where "?" It is a keyword used to modify the "l" after it, and "?l" together represent a set of characters, in addition to "?l", it can also have "?u", "?d", "?h", "? H, ?s, ?a, and ?b, the following table shows the set of characters.

?	Charset
l	abcdefghijklmnopqrstuvwxyz
u	ABCDEFGHIJKLMNOPQRSTUVWXYZ
d	0123456789
h	0123456789abcdef
H	0123456789ABCDEF
s	! “#$%&'()*+,-./:; <=>?@[\]^_`~{\|}
a	?l?u?d?s
b	0x00 – 0xff

In this way, we understand that "?l?l?l?l?l" is actually equivalent to a cipher dictionary:

aaaaa
aaaab
...
zzzzz

In the same way, "?l?u?d" is equivalent to a cipher dictionary:

  aA0
  aA1
  ...
  bA0
  ...
  zZ9

The character sets in the table above are built-in to hashcat, and we can also specify the character sets ourselves:

  --custom-charset1=字符集合1
  --custom-charset2=字符集合2
  --custom-charset3=字符集合3
  --custom-charset4=字符集合4

The parameter –custom-charsetN can be abbreviated to -N, e.g. –custom-charset1 can be abbreviated to -1. The set of characters specified with -N is represented in the mask with the placeholder "? N", for example:

  -1 abc123 ?1?1?1

It is equivalent to a password dictionary:

  aaa
  aab
  ...
  aa3
  ...
  333

-N can be followed by a .hcchr file that stores a collection of characters, in addition to a string representing a collection of characters. hashcat comes with a number of .hcchr files, in the charsets/ directory of the installation package.

Placeholder "??" The set of characters represented is "?" Itself. In addition, the rest of the characters, when used as placeholders, represent the characters themselves, such as "?lwerner?d", which is equivalent to a cipher dictionary:

  awerner0
  awerner1
  ...
  zwerner9

With the above knowledge, it is easy to understand mask. A mask consists of several placeholders, each of which is a collection of characters, and a mask is a combination of the sets of placeholder characters. The number of placeholders is equal to the length of the password. What are the advantages of such a design compared to simply giving a set of characters and password length?

Let's say we know that someone's password has 7 digits, the first digit is an uppercase letter, the next 3 digits are lowercase letters, and the last 3 digits are numbers. If it is a traditional brute force attack, it requires the character set a-z, A-Z, and 0-9, a total of 62 characters, and a maximum of 62^7=3 521 614 606 208 attempts, which is trillion-level. The password described by mask is "\u\l\l\l\d\d\d", which is easy to calculate, with a total of (26^4)×(10^3)=456 976 000 possibilities, which is at the level of 100 million, which is 4 orders of magnitude less than the previous method.

Taking a step back, even if we don't know the distribution of passwords, it is easy to simulate the effect of traditional brute force cracking with a mask.

Now the question is how many placeholders are dead when the mask is fixed, and what if we don't know the length of the password. If the password is only 3 digits, and we have 4 placeholders, we can't solve it, wouldn't it be a loss. Do you want to start with 1 and write all the masks of all lengths? That's a lot of trouble.

There are two workarounds, one is to use a mask file, write multiple masks in one file, and then specify this file in the command line. Note that the mask file needs to end with .hcmask.

For example, the content of test.hcmask is:

  ?l
  ?l?l
  ?l?l?l
  ?l?l?l?l

Use the file with the following command:

  hashcat -m 0 -a 3 --show md5.hash test.hcmask

Another workaround is to add the parameter –increment, which tells hashcat to try with a placeholder as we gave the mask, then two, three, until we give the given length. For example, we write the placeholder "abc" for this and then calculate the md5 value for the following string:

  a:0cc175b9c0f1b6a831c399e269772661
  b:92eb5ffee6ae2fec3ad71c777531578f
  c:4a8a08f09d37b73795649038408b5f33
  ab:187ef4436122d1cc2f40dc2b92f0eba0
  ac:e2075474294983e013ee4dd2201c7a73
  ba:07159c47ee1b19ae4fb9c40d480856c4
  bc:5360af35bde9ebd8f01f492dc059593c
  ca:5435c69ed3bcc5b2e4d580e393e373d3
  cb:d0d7fdb6977b26929fb68c6083c0b439
  abc:900150983cd24fb0d6963f7d28e17f72
  abc:900150983cd24fb0d6963f7d28e17f72
  bac:79ec16df80b57696a03bb364410061f3
  bca:b64eab8ce39e013604e243089c687e4f
  cba:3944b025c9ca7eec3154b44666ae04a0
  cab:16ecfd64586ec6c1ab212762c2c38a90

":" is the original string to be used to calculate the hash value, and ":" is followed by the calculated hasn value. Save the above in the file md5.hash and run the following command:

  hashcat -m 0 -a 3 --show --username md5.hash abc

Add the parameter –username because we have the original string in front of each hash value, if we don't add this parameter, hashcat will show that the correct hash value was not found, add this parameter, hashcat will think that the string before the hash value is the username of the hash value, so that the hash value can be loaded smoothly.

The result is that only one hash is solved:

  900150983cd24fb0d6963f7d28e17f72:abc

Now add the parameter –increment and run it again:

  hashcat -m 0 -a 3 --show --increment --username md5.hash abc

This time, two more hashes were solved:

  0cc175b9c0f1b6a831c399e269772661:a
  187ef4436122d1cc2f40dc2b92f0eba0:ab

As you can see, –increment comes into play. But at the same time, we also know that with this parameter, hashcat will only try A, Ab and ABC in order, and will not arrange and combine placeholders in order, trying all kinds of possibilities.

5.Hybrid Attack

Hybrid Attack is similar to Combinator Attack, Combinator Attack is a combination of two dictionaries, and Hybrid Attack is a hybridization of a dictionary and a mask, and the two are similar.

Let's say we already have a dictionary example.dict that looks like this:

  hello
  werner

then command:

  hashcat -m 0 -a 6 md5.hash example.dict ?d?d

Equivalent to simply using a dictionary:

  hello00
  hello01
  ...
  hello99
  werner00
  werner01
  ...
  werener99

then command:

  hashcat -m 0 -a 7 md5.hash ?d? dexample.dict

Equivalent to simply using a dictionary:

  00hello
  01hello
  ...
  99hello
  00werner
  01werner
  ...
  99werener

Previous:How to use hashcat software to explode various hashes

Next:Hashcat usage method and technical sharing

Latest article

How to Filter Duplicate Content from 2T Dictionary Large Text

2025-03-17 12:01:01

2.66T dictionary has a high success rate in cracking passwords

2025-03-17 11:37:54

easily remove ppt password and enjoy unhindered use of ppt!

2025-02-18 21:34:05

ppt password removal has tricks to make work more efficient!

2025-02-18 21:34:05

handle ppt password removal and start an easy office journey!

2025-02-18 21:34:05

ppt password removal: simple and easytofollow operation guide!

2025-02-18 21:34:05

blocked by ppt password? learn to remove and move forward easily!

2025-02-18 21:34:05

removing ppt password is extremely simple. these methods are very practical!

2025-02-18 21:34:05

looking for methods to remove ppt password? here they are all!

2025-02-18 21:34:05

easily learn ppt password removal and break through password restrictions!

2025-02-18 21:34:05

Popular tags

PDF (16)

Download (14)

hashcat (9)

dictionary (6)

Excel (3)

Excle (2)

RAR (1)

iSumsoftRARPasswordRefixer (1)

PPT (1)

Word (1)

Experience sharing (1)

zip (1)

Access (1)

ppt (1)

hash (1)

cuda (1)

GPU (1)

tutorial (1)

Free Rar Password_unlocke (1)

zip (1)

excel (1)

rar (1)

word (1)

Any ZIP Password Recovery (1)

office (1)

Hashcat (1)

Hash (1)

brute force (1)

Decryption speed (1)

Word (1)

7Z (1)

ZIP (1)

RAR (1)

teaching (1)

gpu (1)

Sticky posts

Can you unlock the file's opening password 100%?

2024-04-01 14:55:50

Decrypted files exceed the maximum system support and cannot be uploaded. How to handle this?

2024-04-01 21:10:02

What is the difference between retrieving an open password and removing protection or editing permissions?

2024-04-08 21:16:39

How long does it take for the document password online recovery platform to produce results?

2024-04-10 07:50:27

What kind of graphics card should I choose to build a professional PDF XLS DOC password cracking device?

2024-04-15 11:22:56

Cracking Dictionary400W commonly used password download, weak password cracking dictionary download

2024-05-15 15:13:45

Download cracked password dictionary (large collection 3GB), download a collection of cracked dictionaries

2024-05-15 15:38:57

What is brute force cracking? What are the methods of violent cra

2024-06-13 11:52:11

What should I do if decryption fails and cannot be cracked?

2024-08-10 09:38:45

How to choose the price for online cracking?

2025-01-23 22:09:05

Several attack modes of hashcat

2024-12-24 12:15:01

There are multiple attack modes for hashcat, check the full help with the parameter –help, you can see the "Attack Modes" table, as shown below:

1.Straight

2.Combination

3.Brute-force

4.Mask Attack

5.Hybrid Attack

Latest article

Popular tags

Sticky posts

設置語言