Naive Hashcat
Crack password hashes without the fuss. Naive hashcat is a plug-and-play script that is pre-configured with naive, emperically-tested, "good enough" parameters/attack types. Run hashcat attacks using ./naive-hashcat.sh without having to know what is going on "under the hood".
DISCLAIMER: This software is for educational purposes only. This software should not be used for illegal activity. The author is not responsible for its use. Don't be a dick.
Getting started
git clone https://github.com/brannondorsey/naive-hashcat
cd naive-hashcat
# if you are on MacOS/OSX, run this. If on linux or windows, skip...
./build-hashcat-osx.sh
# download the 134MB rockyou dictionary file
curl -L -o dicts/rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
# cracks md5 hashes in hashcat-3.6.0/example0.hash by default
./naive-hashcat.sh
What it do?
./naive-hashcat.sh assumes that you have hashed passwords that you would like to know the plaintext equivalent of. Likely, you've come across a text file that contains leaked accounts/emails/usernames matched with a cryptographic hash of a corresponding password. Esentially something that looks like:
neli_dayanti@yahoo.co.id:01e870ebb01160f881ffaa6764acd01f
hastomoanggi@gmail.com:f15a413c1835014679a286ee84a212d4
yogipandu86@gmail.com:e4fdf3291654751def4e6816fddce608
fadlilamegy1@gmail.com:8ebd79c9b13240ab3767a64b4faae7be
ridho6kr@gmail.com:33816712db4f3913ee967469fe7ee982
yogaardamanta17@gmail.com:3e46fb7125915cdf34df21342004f82f
yogahadikusuma@gmail.com:bf0e20a03a01ae215deb9b36e173cd9a
(⬆⬆⬆ not real hashes btw, don't get any ideas...)
If you don't have such a file, pastebin.com is a popular text paste site that black-hat hackers 💙 love 💙 posting leaked account credentials to. And lucky 4 u, they have a trending feature that makes "interesting content" bubble to the top. If you can't find leaked creds atm, I've written a tool that archives trending pastes each hour.
Once you've got some hashes, save them to a file with one hash per line. For example, hashes.txt:
01e870ebb01160f881ffaa6764acd01f
f15a413c1835014679a286ee84a212d4
e4fdf3291654751def4e6816fddce608
8ebd79c9b13240ab3767a64b4faae7be
33816712db4f3913ee967469fe7ee982
3e46fb7125915cdf34df21342004f82f
bf0e20a03a01ae215deb9b36e173cd9a
To crack your hashes, pass this file as HASH_FILE=hashes.txt to the command below.
Usage
naive-hashcat.sh takes, at most, three parameters. All parameters are expressed using unix environment variables. The command below shows the default values set for each of the configurable environment variables that naive-hashcat.sh uses:
HASH_FILE=hashcat-3.6.0/examples0.hash POT_FILE=hashcat.pot HASH_TYPE=0 ./naive-hashcat.sh
HASH_FILE is a text file with one hash per line. These are the password hashes to be cracked.
POT_FILE is the name of the output file that hashcat will write cracked password hashes to.
HASH_TYPE is the hash-type code. It describes the type of hash to be cracked. 0 is md5. See the Hash types section below for a full list of hash type codes.
What naive-hashcat does
naive-hashcat.sh includes a small variety of dictionary, combination, rule-based, and mask (brute-force) attacks. If that sounds overwhelming, don't worry about it! The point of naive hashcat is that you don't have to know how it works. In this case, ignorance is bliss! In fact, I barely know what I'm doing here. The attacks I chose for naive-hashcat.sh are very naive, one-size-kinda-fits-all solutions. If you are having trouble cracking your hashes, I suggest checking out the awesome hashcat wiki, and using the hashcat tool directly.
At the time of this writing, naive-hashcat cracks ~60% of the hashes in examples0.hash.
Ok, I think its working... what do I do now?
So you've run ./naive-hashcat.sh on your HASH_FILE, and you see some passwords printing to the screen. These hash:password pairs are saved to the POT_FILE (hashcat.pot by default). Now you need to match the hashes from the original file you... um... found (the with lines like neli_dayanti@yahoo.co.id:01e870ebb01160f881ffaa6764acd01f) to the hash:password pairs in your pot file.
Run python match-creds.py --accounts original_file.txt --potfile hashcat.pot > creds.txt to do just that! This tool matches usernames/emails in original_file.txt with their corresponding cracked passwords in hashcat.pot and prints username:password:
neli_dayanti@yahoo.co.id:Password1
hastomoanggi@gmail.com:Qwerty1234
yogipandu86@gmail.com:PleaseForHeavenSakeUseAPasswordManager
Congratulations, you just hacked the private passwords/account information of many poor souls. And because everyone still uses the same password for everything you likely have the "master" password to tons of accounts.
And remember
- use a password manager
- don't pwn people
- don't go to jail
🏴 Happy hacking ☠
P.S. ./naive-hashcat.sh can take anywhere from a few minutes to a few hours to terminate depending on your hardware. It will constantly stream results to the POT_FILE, and you are free to use the contents of that file for further processing with match-creds.py before cracking is finished.
GPU Cracking
Hashcat ships with OpenCL and runs on available GPU hardware automatically when available.
Hash types
Below is a list of hash-type codes supported by hashcat. If you don't know the type of hash you have, you can use hashid to try and identify it. Include the appropriate hash-type using the HASH_TYPE environment variable.
# | Name | Category
======+==================================================+======================================
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
5100 | Half MD5 | Raw Hash
100 | SHA1 | Raw Hash
1300 | SHA-224 | Raw Hash
1400 | SHA-256 | Raw Hash
10800 | SHA-384 | Raw Hash
1700 | SHA-512 | Raw Hash
5000 | SHA-3 (Keccak) | Raw Hash
600 | BLAKE2b-512 | Raw Hash
10100 | SipHash | Raw Hash
6000 | RIPEMD-160 | Raw Hash
6100 | Whirlpool | Raw Hash
6900 | GOST R 34.11-94 | Raw Hash
11700 | GOST R 34.11-2012 (Streebog) 256-bit | Raw Hash
11800 | GOST R 34.11-2012 (Streebog) 512-bit | Raw Hash
10 | md5($pass.$salt) | Raw Hash, Salted and/or Iterated
20 | md5($salt.$pass) | Raw Hash, Salted and/or Iterated
30 | md5(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated
40 | md5($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated
3800 | md5($salt.$pass.$salt) | Raw Hash, Salted and/or Iterated
3710 | md5($salt.md5($pass)) | Raw Hash, Salted and/or Iterated
4010 | md5($salt.md5($salt.$pass)) | Raw Hash, Salted and/or Iterated
4110 | md5($salt.md5($pass.$salt)) | Raw Hash, Salted and/or Iterated
2600 | md5(md5($pass)) | Raw Hash, Salted and/or Iterated
3910 | md5(md5($pass).md5($salt)) | Raw Hash, Salted and/or Iterated
4300 | md5(strtoupper(md5($pass))) | Raw Hash, Salted and/or Iterated
4400 | md5(sha1($pass)) | Raw Hash, Salted and/or Iterated
110 | sha1($pass.$salt) | Raw Hash, Salted and/or Iterated
120 | sha1($salt.$pass) | Raw Hash, Salted and/or Iterated
130 | sha1(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated
140 | sha1($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated
4500 | sha1(sha1($pass)) | Raw Hash, Salted and/or Iterated
4520 | sha1($salt.sha1($pass)) | Raw Hash, Salted and/or Iterated
4700 | sha1(md5($pass)) | Raw Hash, Salted and/or Iterated
4900 | sha1($salt.$pass.$salt) | Raw Hash, Salted and/or Iterated
14400 | sha1(CX) | Raw Hash, Salted and/or Iterated
1410 | sha256($pass.$salt) | Raw Hash, Salted and/or Iterated
1420 | sha256($salt.$pass) | Raw Hash, Salted and/or Iterated
1430 | sha256(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated
1440 | sha256($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated
1710 | sha512($pass.$salt) | Raw Hash, Salted and/or Iterated
1720 | sha512($salt.$pass) | Raw Hash, Salted and/or Iterated
1730 | sha512(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated
1740 | sha512($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated
50 | HMAC-MD5 (key = $pass) | Raw Hash, Authenticated
60 | HMAC-MD5 (key = $salt) | Raw Hash, Authenticated
150 | HMAC-SHA1 (key = $pass) | Raw Hash, Authenticated
160 | HMAC-SHA1 (key = $salt) | Raw Hash, Authenticated
1450 | HMAC-SHA256 (key = $pass) | Raw Hash, Authenticated
1460 | HMAC-SHA256 (key = $salt) | Raw Hash, Authenticated
1750 | HMAC-SHA512 (key = $pass) | Raw Hash, Authenticated
1760 | HMAC-SHA512 (key = $salt) | Raw Hash, Authenticated
14000 | DES (PT = $salt, key = $pass) | Raw Cipher, Known-Plaintext attack
14100 | 3DES (PT = $salt, key = $pass) | Raw Cipher, Known-Plaintext attack
14900 | Skip32 (PT = $salt, key = $pass) | Raw Cipher, Known-Plaintext attack
15400 | ChaCha20 | Raw Cipher, Known-Plaintext attack
400 | phpass | Generic KDF
8900 | scrypt | Generic KDF
11900 | PBKDF2-HMAC-MD5 | Generic KDF
12000 | PBKDF2-HMAC-SHA1 | Generic KDF
10900 | PBKDF2-HMAC-SHA256 | Generic KDF
12100 | PBKDF2-HMAC-SHA512 | Generic KDF
23 | Skype | Network Protocols
2500 | WPA/WPA2 | Network Protocols
4800 | iSCSI CHAP authentication, MD5(CHAP) | Network Protocols
5300 | IKE-PSK MD5 | Network Protoc