Cyber El

Cybersec tools

Uploaded by

Dinesh Guduru

RV College of Engineering®

(Autonomous Institution Affiliated to VTU, Belagavi)

Experiential Learning Report

Cracking password hashes using hashcat and crunch

Submitted by:

Guduru Dinesh (1RV22CD020)

K.M.S Siddharth (1RV22CD024)

Saksham Singh (1RV22CD050)

Submitted to Dr. Mohana
(Department of Computer Science and Engineering)

Department of Computer Science and Engineering

Contents

1. Introduction
2. Literature Review
3. Objectives
4. Theoretical background
5. Methodology
6. Implementation and Result
7. Conclusion
8. Resources

INTRODUCTION
In today's world, the importance of password security cannot be overstated. With our growing reliance on online services, protecting information has become a top priority. However, even the strongest and most carefully constructed passwords can be vulnerable to malicious hacking techniques, especially password cracking.

This is where specialised tools like Hashcat and Crunch come into play. They provide the means to decipher and exploit hashed passwords with ease, highlighting the urgency of addressing this issue.

Why password hash cracking is crucial:

1. Safeguarding Personal Data: Passwords act as a line of defence for sensitive information. If these passwords are compromised, it can lead to unauthorised access to emails, financial records, or social media accounts. This puts individuals at risk of identity theft and privacy breaches.

2. Protecting Corporate Security: In the business world, strong password security is crucial for safeguarding assets and confidential information. Breaches in password security can have consequences such as data leaks or financial losses.

3. Ensuring Network Security: Weak or compromised passwords provide hackers with entry points into computer networks and internal systems. This can lead to data breaches, service disruptions, and significant financial damages.

4. The Threat of Credential Stuffing Attacks: Password cracking plays a role in credential stuffing attacks, where hackers reuse compromised login credentials on multiple websites and services. This can result in a domino effect, compromising accounts across platforms.

5. Weak Passwords: Many individuals still employ weak, easily guessable passwords, making them susceptible to brute force and dictionary attacks. Educating users about password security and using tools like Hashcat and Crunch can reveal the flaws in their password choices.

6. Hashed Passwords: Modern security practices store passwords as cryptographic hashes rather than plaintext. However, the original passwords can still be recovered from these hashes if attackers have access to the hashed values, making the cracking of hashes a central concern in cybersecurity.

7. Password Policy Evaluation: By analysing password hashes and cracking them, security professionals can assess the effectiveness of password policies within organisations. This evaluation can lead to improvements in security practices.

OBJECTIVES
1. Understanding Password Cracking Techniques:

● To provide a comprehensive understanding of the various password cracking techniques, including dictionary attacks, brute force attacks, and rule-based attacks.

● To explain the underlying principles of these techniques and how they exploit weaknesses in password security.

2. Evaluating the Effectiveness of Hashcat and Crunch:

● To assess the capabilities of Hashcat and Crunch as specialised password cracking tools.

● To analyse their features, capabilities, and limitations in different password cracking scenarios.

3. Assessing the Security Implications of Weak Passwords:

● To investigate the security implications of weak and easily guessable passwords.

4. Recommending Best Practices for Password Management:

● To identify and recommend best practices for individuals and organisations in password creation and management.

5. Evaluating Hash Algorithms and Salting:

● To understand the significance of salting in password storage and its effectiveness in thwarting password cracking attempts.

LITERATURE REVIEW
● Scholars have extensively analysed various password hashing algorithms, such as MD5, SHA-1, SHA-256, and bcrypt, to understand their vulnerabilities and security implications. These studies highlight the importance of selecting strong algorithms for password storage.

● The development and use of password cracking tools have been a subject of interest in both academic and practical contexts. Researchers have explored the capabilities of tools like Hashcat, which offers multiple modes for cracking hashed passwords, including dictionary attacks, brute force attacks, and rule-based attacks.

● Tools like Crunch have garnered attention for their role in generating custom wordlists tailored to specific password cracking scenarios. Researchers have documented their experiences and findings regarding the efficient use of Crunch for wordlist generation.

● Studies have focused on the security implications of weak and easily guessable passwords. The research reveals the risks associated with weak passwords and emphasises the need for strong, complex password policies.

● The practice of salting passwords before hashing them has been a significant research area. Scholars have investigated how salting enhances password security and its effectiveness in preventing password cracking attempts.

PASSWORD HASHING

Hashing is the process of converting an alphanumeric string into a fixed-size string by using a hash function. A hash function is a mathematical function that takes in the input string and generates another alphanumeric string.

The length of a hash is always a constant, irrespective of the length of the input. For example, if we use the MD5 algorithm and hash two strings like “Password123” and “HelloWorld1234”, the final hash will have a fixed length.

Here is the MD5 hash for “Password123”.

If we use the input string as “HelloWorld1234”, this will be the result:

A related operation is encoding. A popular encoding algorithm is base64. Here is how the same “Password123” will look if we encode it with base64:

So what is the difference between hashing and encoding? When we encode a string, it can be easily decoded to get the source string. But if we hash a string, we can never get to the source string (maybe with quantum computers, but that's another topic for discussion).

When we sign up for a website, they will hash our password before saving it. When we try to log in again, the same hashing algorithm is used to generate a hash for our input. It is then compared with the original hash saved in the database.

This approach is also what gives rise to hashing attacks. A simple way to attack hashes is to keep a list of common passwords together with their hashes. This list is called a rainbow table.

There are several reasons why someone might want to crack hashed passwords. One of the most common reasons is for malicious purposes, such as stealing sensitive information or gaining unauthorised access to a system.

In some cases, hackers will use brute force attacks or dictionary attacks to crack weak passwords and gain access to user accounts. Another reason why someone might want to crack hashed passwords is for ethical hacking purposes, such as testing the security of a system or application.

HASHCAT
Hashcat is a powerful password cracking tool that is widely used in the
cybersecurity industry. It is designed to crack encrypted passwords using
a variety of techniques, including brute force attacks and dictionary
attacks.

Hashcat can also be used to crack hashes from multiple types of algorithms, making it one of the most versatile password cracking tools available.

Tool Link: https://github.com/hashcat/hashcat

Versatility of Hashcat:

1. Wide Range of Supported Algorithms: Hashcat boasts support for an extensive array of hashing algorithms. These include widely-used algorithms like MD5, SHA-1, and SHA-256, as well as more secure and modern algorithms like bcrypt and Argon2. This versatility allows security professionals and researchers to test the security of various systems and applications that employ different hashing methods.

2. Multiple Attack Modes: Hashcat offers various attack modes, making it adaptable to different scenarios. The key attack modes include dictionary attacks, brute force attacks, rule-based attacks, and hybrid attacks. Each mode is designed to tackle specific password challenges efficiently. For example, dictionary attacks use wordlists or custom dictionaries to crack passwords, while brute force attacks systematically try every possible combination.

3. Combinator Attack: Hashcat's "combinator" attack mode allows it to combine multiple wordlists, increasing its versatility in handling complex password challenges. This feature is particularly useful when users concatenate multiple words or phrases to create passwords.

4. Performance and Parallel Processing: Hashcat is designed to leverage the computational power of modern GPUs and CPUs. It can efficiently utilise multiple cores and processors, making it highly effective in cracking hashes at scale.

5. Regular Updates: Hashcat is actively maintained and updated by its developers, ensuring compatibility with the latest hashing algorithms and hardware advancements. This commitment to ongoing development enhances its versatility and effectiveness.

Notable features of Hashcat include:

● Fully open source.
● Support for more than 200 hashing algorithms.
● Support for Windows, Linux, and Mac.
● Support for cracking multiple hashes in parallel.
● Built-in benchmarking system.

Hashcat's ability to support a wide range of hashing algorithms and attack modes, coupled with its performance optimizations and active community, makes it an indispensable tool for security professionals, penetration testers, and researchers seeking to assess and enhance password security across diverse systems and applications. Its versatility makes it a valuable asset in the field of cybersecurity.

WORDLIST
Wordlists are essential tools in the field of password cracking. These
lists consist of words, phrases, or combinations of characters that
attackers or security professionals use to guess passwords during the
cracking process. Wordlists serve a critical role in several ways:

● Dictionary Attacks: Wordlists are primarily used in dictionary attacks, where the attacker systematically tests each word or phrase in the list against hashed passwords. If a password matches any entry in the wordlist, it is considered cracked.

● Customization: Users can create custom wordlists tailored to specific target scenarios. These lists may include commonly used passwords, personal information related to the target, or words specific to the application or organisation being assessed.

● Variety: Wordlists encompass a wide range of words and phrases, including common dictionary words, slang, keyboard patterns, and common substitutions (e.g., "P@ssw0rd" for "Password"). This variety ensures that a broad spectrum of password possibilities is tested.

● Rainbow Tables: Wordlists are essential in the creation of rainbow tables, which are precomputed tables used to crack hashes more quickly. Rainbow tables store pairs of plaintext and corresponding hash values for efficient password recovery.

Wordlists are both a foundational and adaptable component in password cracking, enabling security professionals to assess and strengthen password security by identifying weak or easily guessable passwords. Whether used for ethical hacking, penetration testing, or security research, wordlists play a crucial role in evaluating and enhancing password security.

A popular password wordlist is rockyou.txt. It contains a list of commonly used passwords and is popular among pen testers.

Crunch
Crunch is a powerful command-line tool used in the world of password
cracking. It allows users to create custom wordlists that can be used to
crack even the most complex passwords. Essentially, crunch takes a set
of user-defined parameters and generates a list of possible passwords
based on those parameters.

With crunch, users can create wordlists tailored specifically to the target
they are trying to crack, increasing their chances of success.

Tool Link: https://www.kali.org/tools/crunch/

Key Features:

● Customization: Crunch allows users to specify various parameters, including character sets, minimum and maximum word lengths, and character permutations. This high degree of customization ensures that wordlists generated by Crunch can target specific password patterns or policies.

● Character Sets: Users can define character sets, such as lowercase letters, uppercase letters, digits, and special symbols, to include in the wordlist. This flexibility accommodates the diversity of characters found in passwords.

● Pattern Generation: Crunch generates wordlists systematically, covering all possible combinations within the specified criteria. This includes generating words with incremental lengths, combining character sets, and applying permutations based on the defined rules.

● Combinator Mode: The "combinator" mode is a standout feature of Crunch, enabling the combination of multiple wordlists into a single, larger wordlist. This capability is useful for targeting complex password creation patterns.

Combining hashcat and crunch
Combining Hashcat and Crunch forms a dynamic synergy in the realm of
password security assessment. Hashcat, a robust password cracking
tool, joins forces with Crunch, a versatile wordlist generator, to enhance
the efficiency and effectiveness of password recovery efforts.

How It Works:

1. Wordlist Generation: Crunch, with its customization options, creates wordlists tailored to specific password scenarios. Users define character sets, word lengths, and other parameters to generate wordlist files.

2. Hashcat Integration: Hashcat, on the other hand, is a specialized tool designed for hashing algorithm attacks. It supports various hash types, including MD5, SHA-1, SHA-256, bcrypt, and more.

3. Combining Wordlists and Hashcat: By combining Crunch-generated wordlists with Hashcat, security professionals can perform targeted dictionary attacks, rule-based attacks, or brute force attacks on hashed passwords. Hashcat leverages the customised wordlists to crack passwords efficiently.

Advantages:

1. Enhanced Targeting: The combination enables security experts to target specific password patterns, policies, and complexities by generating tailored wordlists, ultimately increasing the chances of successful password recovery.

2. Efficiency: Crunch's wordlist generation ensures a focused approach, reducing the time and computational resources required for password cracking attempts. This combination is particularly efficient when dealing with known patterns.

Implementation and Working

Crunch:

Where min and max are numbers

Crunch can generate a wordlist depending on our parameters. Crunch's output can
be transmitted to the screen, a file, or another program.

The following parameters are required:

min-len

The min-len is the minimum length string which we wish crunch to start at. This
option is essential even for parameters which will not use the value.

max-len

It is the maximum length string which we need crunch to end at. Even though the
value will not be used, this option is essential.

charset string

We can specify character sets for crunch to use on the command line, and if we leave it blank, crunch will use the default character sets. The order should be lowercase characters, uppercase characters, numbers, and then symbols. If we do not follow this order, we will not get the desired output. We have to specify either the values for each character type or a plus sign.

Create Custom Wordlist using Crunch:

We have to follow the following steps in order to create a custom wordlist:

Step 1: In order to create a custom wordlist, first we have to start Kali Linux, open the terminal, and then type crunch to check whether crunch is installed and whether it is the most current version.

Step 2: We will use the man command to view the crunch manual and the options available.

Step 3: Crunch has the following fundamental syntax:

○ min = The minimum password length.
○ max = The maximum password length.
○ characterset = The character set to be used in generating the passwords.
○ -t <pattern> = The specified pattern of the generated passwords. This word generates passwords with lengths of up to 11 characters (7 variable, 4 fixed), all ending in 0728.
○ -o <outputfile> = The file to which we wish our wordlist to be written.

Step 4: We can use the following command if we know the target's password is 8
characters long and ends with 1 & 2:

Generate Wordlist with Specific Pattern:
Crunch offers the -t option to generate a wordlist using a particular pattern based on our requirement.

With the help of the -t option, we can generate 4 kinds of patterns, as specified below:

○ Lowercase alphabets: With the help of @, we can generate the pattern of lowercase alphabets.
○ Uppercase alphabets: With the help of , (a comma), we can generate the pattern of uppercase letters.
○ Numeric character: With the help of %, we can generate the pattern of numeric characters.
○ Special character symbol: With the help of ^, we can generate the pattern of a special character symbol.

In order to generate a wordlist that includes 6 numeric characters on the right side of
the string "preeti" for example, preeti123456, we have to execute the following
command.

Here -t denotes the % pattern which is used to edit 3 numeric characters.
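
As an added example (not part of the original report or of crunch itself), the Python code below counts how many candidates a -t pattern or a min/max/charset range produces and how large the resulting wordlist file is, which is the search space a password policy has to withstand. It assumes crunch's default sets for the placeholders (26 letters for @ and for the comma, 10 digits for %, 33 symbols for ^); the function names and the guess rate are hypothetical.

```python
# Added example: size of the candidate space a crunch run covers.
# Alphabet sizes assume crunch's default sets for the -t placeholders;
# 33 symbols (including space) is an assumption about the default symbol set.
PLACEHOLDER_SIZES = {"@": 26, ",": 26, "%": 10, "^": 33}


def pattern_keyspace(pattern):
    """Return (candidates, file_bytes) for a crunch -t pattern.

    Any character that is not a placeholder is a fixed literal.
    """
    candidates = 1
    for ch in pattern:
        candidates *= PLACEHOLDER_SIZES.get(ch, 1)
    # Each line of the wordlist is the candidate plus a newline.
    return candidates, candidates * (len(pattern) + 1)


def range_keyspace(min_len, max_len, charset):
    """Return (candidates, file_bytes) for a min/max/charset run."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= min_len <= max_len")
    alphabet = len(set(charset))
    if alphabet == 0:
        raise ValueError("charset must not be empty")
    candidates = file_bytes = 0
    for length in range(min_len, max_len + 1):
        count = alphabet ** length
        candidates += count
        file_bytes += count * (length + 1)
    return candidates, file_bytes


def time_to_exhaust(candidates, guesses_per_second):
    """Seconds needed to try every candidate at a given guess rate."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return candidates / guesses_per_second


def format_duration(seconds):
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    ASSUMED_RATE = 1e9  # hypothetical guesses per second, not a benchmark
    for pattern in ("preeti%%%%%%", "@@@@@@@0728", "@@@@@@@@@@@"):
        n, size = pattern_keyspace(pattern)
        eta = format_duration(time_to_exhaust(n, ASSUMED_RATE))
        print(f"{pattern:<14} {n:>22,} candidates {size:>24,} bytes  {eta}")
    full = range_keyspace(8, 8, "abcdefghijklmnopqrstuvwxyz0123456789")
    print("8 chars, a-z0-9:", f"{full[0]:,}", "candidates")
```

A known suffix or prefix removes those positions from the search entirely, which is why predictable structure in a password weakens it far more than its length suggests.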

HASHCAT:

Website used to generate hashes: https://www.browserling.com/tools/all-hashes

Let’s create two hashes: an MD5 hash and a SHA1 hash for the string “Password123”.

We are using a weak password to help you understand how easy it is to crack these passwords.

Here are the generated hashes for the input strings:

We can store these hashes under the names md5.txt and sha1.txt to use them when working with Hashcat.

To crack a password using Hashcat, here is the general syntax:

We have used two flags, -m and -a. The -m flag is used to specify the hash type and the -a flag is to specify the attack mode.

A few popular hashes and their codes:

Attack Modes:

Let’s crack our md5 hash first. We will crack this hash using the
Dictionary mode. This is a simple attack where we provide a list of words
(RockYou) from which Hashcat will generate and compare hashes.

We can specify the hash mode as “md5” using the value 0. But Hashcat
can also identify the hash type automatically for common hash
algorithms.

For the attack mode, we will be using the dictionary mode (0) using the
flag -a. Here is the full command:

Now let’s crack our SHA hash. The hash mode value for SHA1 is 100.
Here is the command:

Dictionary attack (-a 0):

As we saw in our example above, a dictionary attack is performed by using a wordlist. A dictionary attack is also the default option in Hashcat. The better the wordlist is, the greater the chances of cracking the password.

Combinator attack (-a 1):

The combinator attack will try different combinations of words from our wordlist. For example, if our wordlist contains the words “pass”, “123”, and “hello”, Hashcat will generate the following wordlist.

Defending against hashcat
● The first and obvious step is to set strong passwords. The stronger the password is, the harder it is to crack it. You can check if your password has been exposed on the internet at https://haveibeenpwned.com/.

● A more effective way is to add salts to password hashes.
○ A salt is an additional string added to the existing password so the hash generated is different from the normal hash of a string.
○ For example, if a string “sdf909” is added to a password “Password123”, Rainbow table attacks will immediately fail since they don't have hashes with the salt added to them.

● To crack a salted password, the attacker should know both the hash and salt values. This makes it harder to crack hashes using methods such as Rainbow tables.

● We can further strengthen salting by using dynamic salts instead of static salts. We can write a function that generates a salt value for every string, making it exponentially harder to crack a salted password.
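
The hashing, encoding and salting points made in this report can be checked with the following added example (not from the original report). It builds a small precomputed table of unsalted MD5 hashes, shows that the table resolves an unsalted hash of “Password123” but not the “sdf909”-salted one, and stores passwords with a per-user random salt using PBKDF2, a deliberately slow function that the report does not cover. The word list is constructed, and the function names and iteration count are choices made for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample of common passwords (stand-in for a real wordlist).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "Password123", "letmein"]
STATIC_SALT = "sdf909"       # the static salt used as an example in the text
PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256


def md5_hex(text):
    """Fast, unsalted hash: always 32 hex characters, whatever the input."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def base64_roundtrip(text):
    """Encoding is reversible: decode(encode(x)) gives x back."""
    encoded = base64.b64encode(text.encode("utf-8"))
    return base64.b64decode(encoded).decode("utf-8")


def build_lookup(words):
    """Precompute hash -> password for a list of candidate passwords."""
    return {md5_hex(word): word for word in words}


def lookup(table, stored_hash):
    """Return the password for a stored hash, or None if it is not in the table."""
    return table.get(stored_hash)


def hash_password(password, salt=None):
    """Dynamic salt: a fresh random 16-byte salt per stored password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Login check: recompute with the stored salt, compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    table = build_lookup(COMMON_PASSWORDS)
    unsalted = md5_hex("Password123")
    salted = md5_hex(STATIC_SALT + "Password123")
    print("hash lengths:", len(unsalted), len(md5_hex("HelloWorld1234")))
    print("base64 decodes back to:", base64_roundtrip("Password123"))
    print("table vs unsalted hash:", lookup(table, unsalted))
    print("table vs salted hash:  ", lookup(table, salted))
    # A static salt still gives two users with the same password the same hash.
    print("static salt, same hash:", salted == md5_hex(STATIC_SALT + "Password123"))
    # A per-user salt gives every stored record a different value.
    salt_a, hash_a = hash_password("Password123")
    salt_b, hash_b = hash_password("Password123")
    print("per-user salt, same hash:", hash_a == hash_b)
    print("login succeeds:", verify_password("Password123", salt_a, hash_a))
```

The salt is stored next to the hash and is not secret; its job is to make each stored record unique so that precomputed tables cannot be reused across users.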

The most important thing to remember about hacking is that no one wants to do more work than they have to do. For example, calculating rainbow tables is a lot of work. If there's an easier way to get your password, that's probably what a nefarious actor will try first (like phishing!).

That means that enabling basic cyber security best practices is probably the easiest way to prevent getting hacked. In fact, Microsoft recently reported that just enabling 2FA will end up blocking 99.9% of automated attacks.

Conclusion
In the ever-evolving landscape of cybersecurity, password security
remains a paramount concern. The combination of Hashcat and Crunch
emerges as a formidable duo, offering a robust solution for password
cracking and security assessment. This synergy leverages the strengths
of both tools to enhance the efficiency and effectiveness of password
recovery efforts.

Hashcat, with its support for multiple hashing algorithms and attack
modes, provides the means to crack a diverse range of hashed
passwords. Crunch, on the other hand, empowers security experts to
create tailored wordlists, enabling a targeted and precise approach to
password cracking.

Together, these tools address the challenges posed by password security, allowing for the evaluation of password strength, resilience, and adherence to security policies. Whether used in penetration testing, security audits, or research, the combination of Hashcat and Crunch offers a potent means of enhancing password security and fortifying defences against unauthorised access.

As the cybersecurity landscape continues to evolve, the collaboration between Hashcat and Crunch remains a valuable asset in the arsenal of ethical hackers, security professionals, and researchers dedicated to safeguarding digital assets and fortifying the barriers against password-based vulnerabilities.

Remember, your password is the first line of defence against cyber attacks and it is up to you to protect your personal information and online identity.

Resources
Here are some resources to help you learn more about password
cracking and password security:

- OWASP Password Storage Cheat Sheet: A comprehensive guide on how to securely store passwords.

- Hashcat Wiki: The official wiki of the popular password cracking tool, hashcat.

- John the Ripper Wiki: The official wiki of another popular password cracking tool, John the Ripper.

- Password Cracking Competition: An annual competition that tests password cracking skills.

- NIST Password Guidelines: Guidelines from the National Institute of Standards and Technology on creating strong passwords.

- Have I Been Pwned: A website that allows you to check if your email address has been involved in a data breach.
