Hashcat

Resources

• Hash Modes:

Password Cracking

General Usage: hashcat -m [mode] [hashfile] [wordlist]

hashcat -m 0 hashfile.txt /usr/share/wordlists/rockyou.txt

NTLMv2 Hash

One of the ways you can obtain NTLMv2 hashes is by doing LLMNR Poisoning attack using Responder.

hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt

NTLM Hash

NTLM hashes can be obtained by dumping the contents of the SAM file.

For the hashes, you can use either the local SAM hash or the NT hash.

Dissecting local SAM Hash

An example of a local SAM Hash is Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::

• Administrator - User ID (Username)

• 500 - Relative Identified

• aad3b435b51404eeaad3b435b51404ee - LM Hash

• 7facdc498ed1680c4fd1448319a8c04f - NT Hash

hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt

Domain Cached Credentials (DCC)

DCC Hashes can be obtained by running secretsdump on a target machine.

DCC Hash Example: $DCC2$10240#Administrator#ddd300826b277e2e0fd47ca01b2f4904

hashcat -m 2100 hashes.txt /usr/share/wordlists/rockyou.txt

Kerberos Hash (KRB5)

Kerberos Hashes can be obtained by performing Kerberoasting attack.

hashcat -m 13100 krb.txt /usr/share/wordlists/rockyou.txt