Password Hashing with Hashcat

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search


This article briefly describes how you can hash any accessed user credentials on a student matriculation website to crack passwords using the advanced password recovery tool named Hashcat. A User or admin within the course of this project - a teacher who supervises small coaching or tuition might utilize this student registration.

Additional Features

  • Login / Logout
  • Registration
  • Change Password
  • Add New Student
  • Delete Student
  • View Student Details
  • Edit Student Data
  • Export Student Data in Excel file
  • View short student data


Hashcat GPU Driver requirements:

  • AMD GPUs on Linux require "RadeonOpenCompute (ROCm)" Software Platform (3.1 or later)
  • AMD GPUs on Windows require "AMD Radeon Adrenalin 2020 Edition" (20.2.2 or later)
  • Intel CPUs require "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
  • NVIDIA GPUs require "NVIDIA Driver" (440.64 or later) and "CUDA Toolkit" (9.0 or later)

Software Requirements:

  • XAMPP Server
  • LAMP Server

An outline of the technology is as follows

  • Front end: HTML, CSS, JavaScript
  • HTML: HTML is used to create and save web document. E.g. Notepad/Notepad++
  • CSS : (Cascading Style Sheets) Create attractive Layout
  • Bootstrap : responsive design mobile freindly site
  • JavaScript: it is a programming language, commonly use with web browsers.
  • Back end: PHP, MySQL
  • PHP: Hypertext Preprocessor (PHP) is a technology that allows software developers to create dynamically generated web pages, in HTML, XML, or other document types, as per client request. PHP is open-source software.
  • MySQL: MySql is a database, widely used for accessing querying, updating, and managing data in databases.
  • script that is pre-configured with naive, emperically-tested, "good enough" parameters/attack types. Run hashcat attacks using ./ to hash the passwords.
Important: Continue with the next section, depending on whether the GPU requirements are fullfilled.
Note: Hashcat ships with OpenCL and runs on available GPU hardware automatically when available!

Download and extract the Hashcat binaries on the test device.

Deployment only accepts three arguments. The expression of all arguments uses unix environment variables. The following command displays the predetermined default values for each of the environment variables that can be customized by

 HASH_FILE=/examples0.hash POT_FILE=hashcat.pot HASH_TYPE=0 ./ 
  • HASH_FILE is a text file with one hash per line. These are the password hashes to be cracked.
  • POT_FILE is the name of the output file that hashcat will write cracked password hashes to.
  • HASH_TYPE is the hash-type code. It describes the type of hash to be cracked. 0 is md5.

  • LIGHT/ DICTIONARY ATTACK - begin with a very simple and naive dictionary attack. This is blazing fast and it cracks ~20% of hashes
 "$HASHCAT" -m "$HASH_TYPE" -a 0 "$HASH_FILE" dicts/rockyou.txt --potfile-path "$POT_FILE"
  • DICTIONARY ATTACK WITH RULES - now lets move on to a rule based attack, d3ad0ne.rule is a great one to start with
 "$HASHCAT" -m "$HASH_TYPE" -a 0 "$HASH_FILE" dicts/rockyou.txt -r hashcat/rules/d3ad0ne.rule --potfile-path "$POT_FILE"
  • Rockyou is good and well-known leaked password file, and not too slow
 "$HASHCAT" -m "$HASH_TYPE" -a 0 "$HASH_FILE" dicts/rockyou.txt -r hashcat/rules/rockyou-30000.rule --potfile-path "$POT_FILE"
  • MEDIUM- dive is an excellent rule file, but it takes a bit longer to run, so we will run it after d3ad0ne and rockyou
 "$HASHCAT" -m "$HASH_TYPE" -a 0 "$HASH_FILE" dicts/rockyou.txt -r hashcat/rules/dive.rule --potfile-path "$POT_FILE"
 "$HASHCAT" -m "$HASH_TYPE" -a 3 "$HASH_FILE" hashcat/masks/rockyou-1-60.hcmask --potfile-path "$POT_FILE"
  • COMBINATION ATTACK- this one can take 12+ hours, don't use it by default
 "$HASHCAT" -m "$HASH_TYPE" -a 1 "$HASH_FILE" dicts/rockyou.txt dicts/rockyou.txt --potfile-path "POT_FILE"


Hashcat is a very powerful tool. If hashcat can crack them, so can an attacker. Cracking stolen password hashes to take active steps throughout a network or to provide admin user rights is a common task for penetration testers on engagement.

Prevention Methods

Note: However, these techniques won't ensure website security, but what counts is that they will greatly increase security and make it less appealing to attackers than it was previously.
  • Using HTTPS, a protocol that enables secure communication over your computer network and guarantees that no outsiders will be able to tap into your material, is the ideal approach to add a security socket layer (SSL) to your website.
  • In contrast to other attacks (like a SQL Injection), an XSS, or cross-site scripting, attack is intended to target users of a service or server rather than the program or server itself--> Using an advanced SDL, or security development lifecycle, in your Web application will be the strongest defense against an XSS attack. Simply said, an SDL's goal is to reduce the amount of coding errors in your program.Require users to enter their credentials again in order to access specific website pages. The user must enter their login credentials again even if they have a cookie that automatically logs them into your site. This will significantly lower the likelihood of an XSS attack.


Betül Aras


DISCLAIMER: This software is for educational purposes only. This software should not be used for illegal activity. The author is not responsible for its use.