You are here: Home » Password Attacks » oclHashcat

oclHashcat

Hashcat and oclHashcat were merged into one program – hashcat. Information below is not actual and saved only for legacy support.

oclHashcat Description

oclHashcat is a GPGPU-based multi-hash cracker using a brute-force attack (implemented as mask attack), combinator attack, dictionary attack, hybrid attack, mask attack, and rule-based attack.

This GPU cracker is a fusioned version of oclHashcat-plus and oclHashcat-lite, both very well-known suites at that time, but now deprecated. There also existed a now very old oclHashcat GPU cracker that was replaced w/ plus and lite, which - as said - were then merged into oclHashcat 1.00 again.

oclHashcat, starting with version 2.00, is released as open source software under the MIT license

Features:

  • Worlds fastest password cracker
  • Worlds first and only GPGPU based rule engine
  • Free
  • Open-Source
  • Multi-GPU (up to 128 gpus)
  • Multi-Hash (up to 100 million hashes)
  • Multi-OS (Linux & Windows native binaries)
  • Multi-Platform (OpenCL & CUDA support)
  • Multi-Algo (see below)
  • Low resource utilization, you can still watch movies or play games while cracking
  • Focuses highly iterated modern hashes
  • Focuses dictionary based attacks
  • Supports distributed cracking
  • Supports pause / resume while cracking
  • Supports sessions
  • Supports restore
  • Supports reading words from file
  • Supports reading words from stdin
  • Supports hex-salt
  • Supports hex-charset
  • Built-in benchmarking system
  • Integrated thermal watchdog
  • 150+ Algorithms implemented with performance in mind
  • … and much more

Homepage: http://hashcat.net/oclhashcat/

Author: atom

License: MIT

oclHashcat Help

Usage: oclHashcat [options]... hash|hashfile|hccapfile [dictionary|mask|directory]...
=======
Options
=======

* General:

  -m,  --hash-type=NUM               Hash-type, see references below
  -a,  --attack-mode=NUM             Attack-mode, see references below
  -V,  --version                     Print version
  -h,  --help                        Print help
       --quiet                       Suppress output

* Benchmark:

  -b,  --benchmark                   Run benchmark
       --benchmark-mode=NUM          Benchmark-mode, see references below

* Misc:

       --hex-charset                 Assume charset is given in hex
       --hex-salt                    Assume salt is given in hex
       --hex-wordlist                Assume words in wordlist is given in hex
       --force                       Ignore warnings
       --status                      Enable automatic update of the status-screen
       --status-timer=NUM            Seconds between status-screen update
       --status-automat              Display the status view in a machine readable format
       --loopback                    Add new plains to induct directory
       --weak-hash-threshold=NUM     Threshold when to stop checking for weak hashes, default is 100 salts

* Markov:

       --markov-hcstat=FILE          Specify hcstat file to use, default is hashcat.hcstat
       --markov-disable              Disables markov-chains, emulates classic brute-force
       --markov-classic              Enables classic markov-chains, no per-position enhancement
  -t,  --markov-threshold=NUM        Threshold when to stop accepting new markov-chains

* Session:

       --runtime=NUM                 Abort session after NUM seconds of runtime
       --session=STR                 Define specific session name
       --restore                     Restore session from --session
       --restore-disable             Do not write restore file

* Files:

  -o,  --outfile=FILE                Define outfile for recovered hash
       --outfile-format=NUM          Define outfile-format for recovered hash, see references below
       --outfile-autohex-disable     Disable the use of $HEX[] in output plains
       --outfile-check-timer=NUM     Seconds between outfile checks
  -p,  --separator=CHAR              Separator char for hashlists and outfile
       --show                        Show cracked passwords only
       --left                        Show un-cracked passwords only
       --username                    Enable ignoring of usernames in hashfile (recommended: also use --show)
       --remove                      Enable remove of hash once it is cracked
       --remove-timer=NUM            Update input hash file each NUM seconds
       --potfile-disable             Do not write potfile
       --debug-mode=NUM              Defines the debug mode (hybrid only by using rules), see references below
       --debug-file=FILE             Output file for debugging rules (see also --debug-mode)
       --induction-dir=FOLDER        Specify induction directory to use, default is $session.induct
       --outfile-check-dir=FOLDER    Specify the outfile directory which should be monitored, default is $session.outfiles
       --logfile-disable             Disable the logfile
       --truecrypt-keyfiles=FILE     Keyfiles used, seperate with comma

* Resources:

  -c,  --segment-size=NUM            Size in MB to cache from the wordfile
       --bitmap-min=NUM              Minimum number of bits allowed for bitmaps
       --bitmap-max=NUM              Maximum number of bits allowed for bitmaps
       --cpu-affinity=STR            Locks to CPU devices, seperate with comma
       --gpu-async                   Use non-blocking async calls (NV only)
  -d,  --gpu-devices=STR             Devices to use, separate with comma
  -w,  --workload-profile=NUM        Enable a specific workload profile, see references below
  -n,  --gpu-accel=NUM               Workload tuning: 1, 8, 40, 80, 160
  -u,  --gpu-loops=NUM               Workload fine-tuning: 8 - 1024
       --gpu-temp-disable            Disable temperature and fanspeed readings and triggers
       --gpu-temp-abort=NUM          Abort session if GPU temperature reaches NUM degrees celsius
       --gpu-temp-retain=NUM         Try to retain GPU temperature at NUM degrees celsius (AMD only)
       --powertune-enable            Enable automatic power tuning option (AMD OverDrive 6 only)
       --scrypt-tmto=NUM             Manually override automatically calculated TMTO value for scrypt

* Distributed:

  -s,  --skip=NUM                    Skip number of words
  -l,  --limit=NUM                   Limit number of words
       --keyspace                    Show keyspace base:mod values and quit

* Rules:

  -j,  --rule-left=RULE              Single rule applied to each word from left dict
  -k,  --rule-right=RULE             Single rule applied to each word from right dict
  -r,  --rules-file=FILE             Rules-file, multi use: -r 1.rule -r 2.rule
  -g,  --generate-rules=NUM          Generate NUM random rules
       --generate-rules-func-min=NUM Force NUM functions per random rule min
       --generate-rules-func-max=NUM Force NUM functions per random rule max
       --generate-rules-seed=NUM     Force RNG seed to NUM

* Custom charsets:

  -1,  --custom-charset1=CS          User-defined charsets
  -2,  --custom-charset2=CS          Example:
  -3,  --custom-charset3=CS          --custom-charset1=?dabcdef : sets charset ?1 to 0123456789abcdef
  -4,  --custom-charset4=CS          -2 mycharset.hcchr : sets charset ?2 to chars contained in file

* Increment:

  -i,  --increment                   Enable increment mode
       --increment-min=NUM           Start incrementing at NUM
       --increment-max=NUM           Stop incrementing at NUM

==========
References
==========

* Workload Profile:

    1 = Reduced performance profile (low latency desktop)
    2 = Default performance profile
    3 = Tuned   performance profile (high latency desktop)

* Benchmark Settings:

    0 = Manual Tuning
    1 = Performance Tuning, default

* Outfile Formats:

    1 = hash[:salt]
    2 = plain
    3 = hash[:salt]:plain
    4 = hex_plain
    5 = hash[:salt]:hex_plain
    6 = plain:hex_plain
    7 = hash[:salt]:plain:hex_plain
    8 = crackpos
    9 = hash[:salt]:crackpos
   10 = plain:crackpos
   11 = hash[:salt]:plain:crackpos
   12 = hex_plain:crackpos
   13 = hash[:salt]:hex_plain:crackpos
   14 = plain:hex_plain:crackpos
   15 = hash[:salt]:plain:hex_plain:crackpos

* Debug mode output formats (for hybrid mode only, by using rules):

    1 = save finding rule
    2 = save original word
    3 = save original word and finding rule
    4 = save original word, finding rule and modified plain

* Built-in charsets:

   ?l = abcdefghijklmnopqrstuvwxyz
   ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
   ?d = 0123456789
   ?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
   ?a = ?l?u?d?s
   ?b = 0x00 - 0xff

* Attack modes:

    0 = Straight
    1 = Combination
    3 = Brute-force
    6 = Hybrid dict + mask
    7 = Hybrid mask + dict

* Hash types:

[[ Roll-your-own: Raw Hashes ]]

    900 = MD4
      0 = MD5
   5100 = Half MD5
    100 = SHA1
  10800 = SHA-384
   1400 = SHA-256
   1700 = SHA-512
   5000 = SHA-3(Keccak)
  10100 = SipHash
   6000 = RipeMD160
   6100 = Whirlpool
   6900 = GOST R 34.11-94
  11700 = GOST R 34.11-2012 (Streebog) 256-bit
  11800 = GOST R 34.11-2012 (Streebog) 512-bit

[[ Roll-your-own: Iterated and / or Salted Hashes ]]

     10 = md5($pass.$salt)
     20 = md5($salt.$pass)
     30 = md5(unicode($pass).$salt)
     40 = md5($salt.unicode($pass))
   3800 = md5($salt.$pass.$salt)
   3710 = md5($salt.md5($pass))
   2600 = md5(md5($pass)
   4300 = md5(strtoupper(md5($pass)))
   4400 = md5(sha1($pass))
    110 = sha1($pass.$salt)
    120 = sha1($salt.$pass)
    130 = sha1(unicode($pass).$salt)
    140 = sha1($salt.unicode($pass))
   4500 = sha1(sha1($pass)
   4700 = sha1(md5($pass))
   4900 = sha1($salt.$pass.$salt)
   1410 = sha256($pass.$salt)
   1420 = sha256($salt.$pass)
   1430 = sha256(unicode($pass).$salt)
   1440 = sha256($salt.unicode($pass))
   1710 = sha512($pass.$salt)
   1720 = sha512($salt.$pass)
   1730 = sha512(unicode($pass).$salt)
   1740 = sha512($salt.unicode($pass))

[[ Roll-your-own: Authenticated Hashes ]]

     50 = HMAC-MD5 (key = $pass)
     60 = HMAC-MD5 (key = $salt)
    150 = HMAC-SHA1 (key = $pass)
    160 = HMAC-SHA1 (key = $salt)
   1450 = HMAC-SHA256 (key = $pass)
   1460 = HMAC-SHA256 (key = $salt)
   1750 = HMAC-SHA512 (key = $pass)
   1760 = HMAC-SHA512 (key = $salt)

[[ Generic KDF ]]

    400 = phpass
   8900 = scrypt
  11900 = PBKDF2-HMAC-MD5
  12000 = PBKDF2-HMAC-SHA1
  10900 = PBKDF2-HMAC-SHA256
  12100 = PBKDF2-HMAC-SHA512

[[ Network protocols, Challenge-Response ]]

     23 = Skype
   2500 = WPA/WPA2
   4800 = iSCSI CHAP authentication, MD5(Chap)
   5300 = IKE-PSK MD5
   5400 = IKE-PSK SHA1
   5500 = NetNTLMv1
   5500 = NetNTLMv1 + ESS
   5600 = NetNTLMv2
   7300 = IPMI2 RAKP HMAC-SHA1
   7500 = Kerberos 5 AS-REQ Pre-Auth etype 23
   8300 = DNSSEC (NSEC3)
  10200 = Cram MD5
  11100 = PostgreSQL Challenge-Response Authentication (MD5)
  11200 = MySQL Challenge-Response Authentication (SHA1)
  11400 = SIP digest authentication (MD5)

[[ Forums, CMS, E-Commerce, Frameworks, Middleware, Wiki, Management ]]

    121 = SMF (Simple Machines Forum)
    400 = phpBB3
   2611 = vBulletin < v3.8.5
   2711 = vBulletin > v3.8.5
   2811 = MyBB
   2811 = IPB (Invison Power Board)
   8400 = WBB3 (Woltlab Burning Board)
     11 = Joomla < 2.5.18
    400 = Joomla > 2.5.18
    400 = WordPress
   2612 = PHPS
   7900 = Drupal7
     21 = osCommerce
     21 = xt:Commerce
  11000 = PrestaShop
    124 = Django (SHA-1)
  10000 = Django (PBKDF2-SHA256)
   3711 = Mediawiki B type
   7600 = Redmine

[[ Database Server ]]

     12 = PostgreSQL
    131 = MSSQL(2000)
    132 = MSSQL(2005)
   1731 = MSSQL(2012)
   1731 = MSSQL(2014)
    200 = MySQL323
    300 = MySQL4.1/MySQL5
   3100 = Oracle H: Type (Oracle 7+)
    112 = Oracle S: Type (Oracle 11+)
  12300 = Oracle T: Type (Oracle 12+)
   8000 = Sybase ASE

[[ HTTP, SMTP, LDAP Server]]

    141 = EPiServer 6.x < v4
   1441 = EPiServer 6.x > v4
   1600 = Apache $apr1$
  12600 = ColdFusion 10+
   1421 = hMailServer
    101 = nsldap, SHA-1(Base64), Netscape LDAP SHA
    111 = nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
   1711 = SSHA-512(Base64), LDAP {SSHA512}

[[ Checksums ]]

  11500 = CRC32

[[ Operating-Systems ]]

   3000 = LM
   1000 = NTLM
   1100 = Domain Cached Credentials (DCC), MS Cache
   2100 = Domain Cached Credentials 2 (DCC2), MS Cache 2
  12800 = MS-AzureSync PBKDF2-HMAC-SHA256
   1500 = descrypt, DES(Unix), Traditional DES
  12400 = BSDiCrypt, Extended DES
    500 = md5crypt $1$, MD5(Unix)
   3200 = bcrypt $2*$, Blowfish(Unix)
   7400 = sha256crypt $5$, SHA256(Unix)
   1800 = sha512crypt $6$, SHA512(Unix)
    122 = OSX v10.4
    122 = OSX v10.5
    122 = OSX v10.6
   1722 = OSX v10.7
   7100 = OSX v10.8
   7100 = OSX v10.9
   7100 = OSX v10.10
   6300 = AIX {smd5}
   6700 = AIX {ssha1}
   6400 = AIX {ssha256}
   6500 = AIX {ssha512}
   2400 = Cisco-PIX
   2410 = Cisco-ASA
    500 = Cisco-IOS $1$
   5700 = Cisco-IOS $4$
   9200 = Cisco-IOS $8$
   9300 = Cisco-IOS $9$
     22 = Juniper Netscreen/SSG (ScreenOS)
    501 = Juniper IVE
   5800 = Android PIN
   8100 = Citrix Netscaler
   8500 = RACF
   7200 = GRUB 2
   9900 = Radmin2

[[ Enterprise Application Software (EAS) ]]

   7700 = SAP CODVN B (BCODE)
   7800 = SAP CODVN F/G (PASSCODE)
  10300 = SAP CODVN H (PWDSALTEDHASH) iSSHA-1
   8600 = Lotus Notes/Domino 5
   8700 = Lotus Notes/Domino 6
   9100 = Lotus Notes/Domino 8
    133 = PeopleSoft

[[ Archives ]]

  11600 = 7-Zip
  12500 = RAR3-hp

[[ Full-Disk encryptions (FDE) ]]

   62XY = TrueCrypt 5.0+
     X  = 1 = PBKDF2-HMAC-RipeMD160
     X  = 2 = PBKDF2-HMAC-SHA512
     X  = 3 = PBKDF2-HMAC-Whirlpool
     X  = 4 = PBKDF2-HMAC-RipeMD160 + boot-mode
      Y = 1 = XTS  512 bit (Ciphers: AES or Serpent or Twofish)
      Y = 2 = XTS 1024 bit (Ciphers: AES or Serpent or Twofish or AES-Twofish or Serpent-AES or Twofish-Serpent)
      Y = 3 = XTS 1536 bit (Ciphers: All)
   8800 = Android FDE < v4.3
  12200 = eCryptfs

[[ Documents ]]

   9700 = MS Office <= 2003 MD5 + RC4, oldoffice$0, oldoffice$1
   9710 = MS Office <= 2003 MD5 + RC4, collider-mode #1
   9720 = MS Office <= 2003 MD5 + RC4, collider-mode #2
   9800 = MS Office <= 2003 SHA1 + RC4, oldoffice$3, oldoffice$4
   9810 = MS Office <= 2003 SHA1 + RC4, collider-mode #1
   9820 = MS Office <= 2003 SHA1 + RC4, collider-mode #2
   9400 = MS Office 2007
   9500 = MS Office 2010
   9600 = MS Office 2013
  10400 = PDF 1.1 - 1.3 (Acrobat 2 - 4)
  10410 = PDF 1.1 - 1.3 (Acrobat 2 - 4) + collider-mode #1
  10420 = PDF 1.1 - 1.3 (Acrobat 2 - 4) + collider-mode #2
  10500 = PDF 1.4 - 1.6 (Acrobat 5 - 8)
  10600 = PDF 1.7 Level 3 (Acrobat 9)
  10700 = PDF 1.7 Level 8 (Acrobat 10 - 11)

[[ Password Managers ]]

   9000 = Password Safe v2
   5200 = Password Safe v3
   6800 = Lastpass
   6600 = 1Password, agilekeychain
   8200 = 1Password, cloudkeychain
  11300 = Bitcoin/Litecoin wallet.dat
  12700 = Blockchain, My Wallet

oclHashcat Usage Example

oclHashcat accepts the WPA/WPA2 hashes in it's own “hccap” file. Assuming you already captured a 4-way handshake using airodump-ng, Wireshark or tcpdump, the next step will be converting the .cap file to a format oclHashcat will understand.

1. Run it through “wpaclean”.

2. Convert it with “aircrack-ng” using the -J option

Example working code for wpaclean.

wpaclean <out.cap> <in.cap>

Please note that the wpaclean options are the wrong way round. <out.cap> <in.cap> instead of <in.cap> <out.cap> which may cause some confusion.

Example working code aircrack .cap conversion to .hccap

aircrack-ng <out.cap> -J <out.hccap>

Note the -J is a capitol J not lower case j.

3.1 Dictionary attack

Grab some wordlist, like Rockyou.

Put it into oclHashcat folder.

Rename your converted capture file “capture.hccap”.

oclhashcat -m 2500 capture.hccap rockyou.txt

3.2 Brute-Force Attack

Rename your converted capture file “capture.hccap”.

oclhashcat -m 2500 -a3 capture.hccap ?d?d?d?d?d?d?d?d

This will pipe len8 digits only to oclHashcat, replace the ?d as needed.

How to install oclHashcat

GPU Driver requirements:

  • NV users require ForceWare 346.59 or later
  • AMD users require Catalyst 15.7 or later

Installation on Kali 2.0

AMD users & NV users

sudo apt-get install oclhashcat

Installation on BlackArch

AMD users

sudo pacman -Ss oclhashcat

NV users

sudo pacman -Ss cudahashcat

oclHashcat Screenshots

oclhashcat

oclHashcat Tutorials

Coming soon…

Related tools