[00:00:00,820] Welcome to part six of this module. This video is going to be an overview of the basic operations of hashcat. Hashcat is a password recovery tool that comes prepackaged with Kali Linux, so when you lose your plaintext password but somehow still have the encrypted hash, you can recover your credentials. Right. More commonly, hashcat is used to crack encrypted passwords, which are typically pulled in bulk off databases. There is also a version which can be run in a Windows environment. Hashcat will attempt to convert encrypted hashes into plaintext passwords, and in some cases usernames, using a variety of methods. While there are many such tools out there that do this, hashcat is arguably one of the best. Hashcat is located under Applications, Password Attacks, hashcat. Hashcat can also be loaded from the terminal window by typing hashcat. I'm going to include -h for help.

[00:01:12,130] If you've been following along with these videos in order, you may have heard me say more than once that a particular tool might be a class unto itself were I to cover every possible option and use case example. This is very true with hashcat. Just glancing at the help file can give you some idea of the sheer range of options and approaches you can take to cracking encrypted hashes. And this puts me in a difficult position as a teacher.
[00:01:43,600] The objective of this class is to teach penetration testing and ethical hacking. It is outside of the scope of this presentation to cover the complicated science that is involved with this tool. It is not humanly possible to encapsulate in one video every different type of hashing algorithm and salting technique, or to show every different use case example and approach that one could take to cracking with this tool. So the goal here is not to give you enough knowledge of hashcat that you can quit your day job and go work for the National Security Agency or signals intelligence. The goal is to give you enough of an understanding to use hashcat in your own penetration tests to crack passwords. Fortunately, it is very possible to use this tool with just a surface understanding and achieve excellent results. And it's my hope that by the end of this tutorial you will grasp the fundamentals well enough that anything not covered will be easy for you to research and implement on your own.

[00:02:52,910] All right, so we'll be using the command line version of hashcat that comes with Kali, as well as hash-identifier to check out what kind of hashes we'll be up against cracking. We will also be using some word lists for this process.
[00:03:08,060] If you weren't sure what those are or how to find them or create them, please see the two prior videos in this module, CeWL and crunch, as these subjects are discussed at length. So to start out with, I'm currently in the Desktop directory, and it contains the hashes that we'll be trying to crack and a word list that I've assembled. To show you how I created these hashes, we're going to pull up a simple web page. There are many different web pages that would serve and will generate a hash for demonstration; this web page generates MD5 hashes. You can see from the list that I've already generated several, which have gone into the hashes file. So just to give an example, I type password for twenty four thirty eight and click the button. It'll take a moment, and there we go. It generated an MD5 hash for us. Now I've taken these hashes and I've placed them into two files on the Desktop.

[00:04:29,570] So having made some basic passwords, we can go ahead and try to crack the hashes associated with them. Now remember that if you do this on your own, if you're following along with this process, it's important that when you copy-paste the hash you don't leave any spaces in the text file. I'll open this one to show you what I'm talking about. Each hash will need to be on its own individual line.
[00:04:56,320] You can't combine them or separate them out with colons or anything like that; hashcat will not recognize that. So this is one hash, another hash, and so forth; you get the idea. And I'm actually going to open up the individual hash and I'm going to copy it, because now it's time to show off hash-identifier. This has come up in prior modules, so I'm not going to do a lengthy explanation of what this is. We will paste in the hash, scroll up, and we can see that it is almost certainly an MD5. Of course we know it's an MD5, but if we didn't know, this would give us the most likely possible hash types that this hash could be. Knowing which hashing algorithm or encryption algorithm we're up against will save us a tremendous amount of time as we go about cracking. This can seem useless at first glance, but if you try to crack a hash without knowing the correct type, hashcat can sometimes handle this, but it'll try to go through all of them, and that will exponentially add on to the amount of time your process will take. So now that we've done that, we know that it's MD5. We're going to Ctrl+C to get out of that.

[00:06:49,840] Now we need to bring up hashcat, and we need the password list in order to make this work. We'll also be using the rules lists that hashcat has inside.
[00:07:04,990] Let's go ahead and type in the command hashcat --help to give us a list of all the basic switches and flags. This is just to give you an idea of the options available. A couple of switches that we'll be focused on will be the -m switch, which denotes the hash type, as well as -a, which sets the attack mode. Note that the hash types are listed here, zero for MD5, and the switches right up here, -m and -a. So for example -m 0 would be the hash type mode MD5, and the attack type -a and then a number signifies the method. We aren't going to be worrying about some of the more advanced options listed below, such as for example salting our password hashes. This is really advanced material and outside the scope of this tutorial, but I do encourage you to study it on your own if you have an interest. The next option that we're going to be using is -r, which is the rules file. We'll see how to find rules files in a moment.

[00:08:32,370] Here are the attack modes. The first is straight, which means it doesn't change anything in the word list. It goes word for word, case for case, from what your password file actually says. In other words, if someone had a password of Qwerty with a capital letter and you don't have it in your list with a capital Q, even if you have the word qwerty in your word list you won't be successful.
[00:09:01,230] A combination attack, on the other hand, is going to change it up a bit, meaning it will go ahead and use capital letters, put numbers together with words, reverse them, mash them all together, and see what is the best fit. The hash types that we saw listed above give the switches for each particular type of hash. We know already from hash-identifier that our target is MD5, so we'll be using zero. If another result came back, for example MySQL, we'd then go ahead and use 200. This is why knowing the type of hash is a major time saver. So to get started we need the actual rules files.

[00:09:44,410] These are going to be stored in /usr/share/hashcat/rules (cd /usr/share/hashcat/rules). Oh, I'm sorry. My typing just gets worse and worse. Okay. Here we go. Once we issue our ls command we can see that there are several files in this rules directory, all with the .rule file extension. There's quite a bit in here, such as the unix-ninja-leetspeak rule, which is suited for people who like to spell letters using numbers, 3 equals E and that sort of thing. There is a combinator rule, which is what we're going to be using in this example. The beautiful thing about the combinator rule is that it allows us to use case sensitive, not case sensitive, and to randomize things a bit. Depending on which ruleset you use,
[00:10:45,940] it's going to take either more or less time to crack the hash. I recommend looking up each one of these rule sets online and reading about what they do and seeing their pros and cons. For example, best64 would be for cracking usernames and passwords salted with a base64. So if you found those you could potentially crack them a little faster. Remember also that you can always cat them out, such as for example cat best64.rule. If you're interested and you have the coding skills, it is possible to create your own custom rule sets; the hashcat web site has excellent documentation to get you started. You may also be able to find and download other rule sets created by enthusiastic users for specific use case scenarios. At any rate.

[00:11:51,910] Keep in mind as well that when cracking password hashes there are a few factors that are going to influence how fast the process is going to be. Hashcat works off your graphics processing unit, not your CPU, so the better your graphics card, the faster you're going to be able to crack passwords. It also depends upon the complexity of the password and the strength of your password list. I mentioned in the prior modules that bigger is not always better. Having a massive list may actually take far longer than a smaller one more tailored to your target. And finally, it depends on which encryption algorithm you're going against.
[00:12:36,760] All of these factors combine to dictate the time that it is going to take to crack a password successfully. And you may not get all of them; extremely strong passwords are going to be so resistant to this sort of approach, just in terms of how long it would take you, that they aren't worth the investment. This isn't a fault or limitation of hashcat. It's just the simple reality. Even if you have a 100 petabyte word list, it's not going to be worth decades of your time to crack a 40 or more character long password that is all random characters; even nation states with unlimited resources and supercomputers are often simply unable to do this. At any rate.

[00:13:24,040] The command is going to look like this. So we type hashcat -m for what type of algorithm we're using. We know that it's MD5, so we put zero from the list above. Then -a for the attack mode, which is going to be straight. Scroll up if needed, but its number is zero. So we enter zero, and we put in the directory where our password hashes actually reside, which in my case is on the Desktop. After that is the directory of our password list, and since I'm using a custom one it will be in the root Desktop directory.
[00:14:07,860] You can use any list that you wish. After the path for the word list we'll give it the -r directive, which allows us to select our rule set. So we give it the directory. You remember that we're going to be using the combinator rule for this first test, so everything should be good. We press Enter. I should have added that if you run into an OpenCL problem you may need to use the --force command at the end of the string.

[00:14:42,200] I also want to mention, because I mentioned it in the prior modules, that if you ever want to combine your password lists into one, it's worth using a tool like a de-duper to take out any duplicate passwords and numbers. This would remove any redundant entries, such as the word password being included multiple times, and it will streamline the process for hashcat a lot more. Another thing to keep in mind is that whenever you use word lists you should be using lists that are in a language appropriate to your target. If you're trying to crack a set of passwords obtained from a German database, for example, you'll probably want to use a word list containing German words rather than English so as to increase your chances. This holds true any time you're attacking something region specific.
[00:15:34,730] Finally, if for some reason you're lacking word lists, and I don't know why you would be since you're using Kali, which comes with excellent default lists and tools to create them at your fingertips, you can always download word lists online. For more information about this and how to create them, please see the prior videos in this module, such as CeWL and crunch.

[00:15:56,390] All right, so as you can see hashcat successfully cracked five of the six passwords. I did a bit of time manipulation through the magic of video editing and tweaking my password file to make sure that this process would be quick for recording. But keep in mind it will take considerable time to crack complex hashes. As you can see, hashcat cracked five of the six passwords, which is pretty good for the first try. You might be wondering what went wrong with the sixth, and it could be a lot of things. Perhaps the word list used was not strong enough, in which case we might try again with a stronger word list. This will of course take longer, as hashcat will have more words to throw at the hash, but it's more likely to yield a result. It could also be that the combinator rule set that we used didn't work. In any case, hashcat will write all of our results into what is called the hashcat.pot file, which we'll show off after the next example when we have all of our passwords. All right.
[00:17:07,970] So next up, let's take a look at using brute force mode. This mode requires masks rather than a dictionary or word list. As a brief overview, a mask is basically you telling the brute force mode what kind of characters you want to use and how long you believe the password is. For example, if we wanted to brute force a password that we had reason to believe was a seven digit ZIP code, we'd use ?d seven times in a row. ?l would specify lowercase letters, ?u uppercase, ?s special characters, and ?a all character sets. For example, we could use ?d seven times, with each one representing a single digit. You can also make custom character sets, although explaining this would be well outside of the scope of this tutorial.

[00:18:26,500] So this time we're going to select attack mode 3, and we're going to give it the second hash file, which in my case is on the Desktop. We're going to be using ?a to specify all character sets. Our goal is to crack a second file containing hashes that we believe to be strings of letters, numbers and characters. We'll start out using just three. Then we'll move up to 4. There is a third password containing five characters, but I may skip it if this old computer can't handle it.
[00:19:03,390] Keep in mind this process takes exponentially longer the more characters you try to crack. A 3 character password will fall remarkably fast, but a 10 or more character password might take months or even years to crack. And that is assuming you've got exceedingly good hardware; that certainly isn't going to happen in this VirtualBox environment on this old work laptop. Huh. The OpenCL error I was talking about, again a fault of this old computer. We're going to use --force and we'll try this again.

[00:19:43,900] So to do this we'll run hashcat, and once again we're specifying -m for MD5. Keep in mind if your hash were some other type you'd need to specify the appropriate number; NTLM for example would be -m 1000. Then we specify -a and select attack mode 3. We specify the hash path and then ?a three times. Now you will see me use the --force command again. And the reason for that is, well, frankly, OpenCL and Kali Linux don't play well together. Again, this is an old laptop as I said, and if I tried running a command without forcing it, hashcat just spits out that error and throws up its hands. If you run into this problem you'll also need to use --force, but realistically this is a strong indication that you need better hardware for cracking complex passwords.
[00:20:49,220] Also keep in mind that just because hashcat and Kali seem to hate each other with a passion, the program is still available for other operating systems that handle OpenCL a lot better. You can even use Windows if you really need to. OK. We can see that it cracked the first of the three passwords; it didn't take long at all.

[00:21:12,680] Next we'll try the 4 character password that I know is in the file. So to do this we're going to add another ?a. So now we're attacking four characters using the all character set. And again this may take some time, so I will make a small edit to this recording. Or maybe not; let's actually just give it a minute. I think this might finish quickly. Status. Huh. All right. It's still checking, but the password has fallen, recorded right here. So our secret password fell quite quickly. It was all numbers. The third will not be successful, as it is a five character long password and we told hashcat to only check for four characters. I could add a fifth ?a and try to crack the final one, but I think you get the idea of how this works. Now I mentioned earlier that hashcat stores cracked passwords in a pot file unless you specify otherwise.
[00:22:24,630] I should also mention that this pot file has a different file extension and is located in different places depending on which version of hashcat you're running. I just about pulled my hair out looking for hashcat.pot, but for this current version it is in fact the hashcat.pot file, so it is located in ~/.hashcat (cd ~/.hashcat). The file is created the first time you crack a hash and will be added to forever after. If we cat the file, we can see the passwords hashcat has cracked. I actually removed the file between demonstrations, so the first set of plaintext passwords that you saw me crack are not contained here. The reason is that once hashcat cracks a particular file and ends the session, it doesn't always want to start again if passwords related to the file are already stored in the pot file. If you wish to crack a file a second time, or if you find you're having difficulty in starting hashcat against a target that has already been mostly cracked, I recommend you back up the hashcat.pot file somewhere else and then delete it out of this directory. That should fix the issue.

[00:23:55,610] Keep in mind also that while using masks, lesser passwords may still fall to hashcat even when trying to crack greater ones.
[00:24:04,670] What I mean by this is if you specify six characters for all character sets, passwords less than six characters long can still be attacked, as long as you go ahead and increment your attack by using the -i switch. In other words, if you specify six characters but use -i, hashcat will start with all single characters, then all combinations of two, then all combinations of three, and so on until it reaches the total number. And this will take a lot longer, but you'll cast a much wider net, so to say. So for example, if we added another two ?a's and then we add the -i, this is what it would look like. But again this will be very slow, particularly on a virtual machine like this one. So I'm not going to do it, but you get the idea.

[00:25:10,530] Now we can typically increment up to seven characters using commodity hardware and a fast hashing algorithm. Obviously, having hashcat running on an operating system that it is installed to on a dedicated partition, using 100 percent of the system resources, really is a requirement. Doing it in VirtualBox like this just for demonstration purposes is one thing, but you're really not going to get anywhere unless you have full system resources at your disposal. But after about seven characters things start to get dicey even for the hardware machines.
[00:25:51,330] Eight characters is possible, but cracking them will usually take days or even weeks. Nine characters is also possible, but only if you have specialty hardware; anything greater than nine is usually the realm of three letter agencies operated by nation states. But it certainly isn't impossible if you have the resources and patience. Just keep in mind that the cracking process may be measured in years.

[00:26:20,070] In any case, this has been a basic introduction to the workings of hashcat. Don't be discouraged if it doesn't work right away for you on Kali. A lot of people have a hard time with it. Play around with the different attack modes and practice cracking a few simple hashes in MD5 and perhaps one other format. Once you've done this for yourself, you'll see that, well, hashcat has a thousand and one approaches to the science of cracking. It really is just as straightforward as all the other tools that seem to model themselves in their structure imitating hashcat. In any case, and this always kind of goes without saying but has to be said anyway: never attempt to use this tool or any other tool presented in this class against any target that you do not personally own or have written permission to penetration test, or you could be breaking the law. I hope you enjoyed this tutorial and I hope that hashcat works very well for you. Thank you.
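As an added example (not code from the video or from hashcat itself), here is a small Python model of three points made in the talk: the one-hash-per-line file layout that hashcat expects, why a straight (-a 0) attack is case-for-case and what a rule function such as capitalise changes, and how a mask's (-a 3) keyspace grows with length and with -i. The word list, rules and hashes are constructed for the demonstration; only raw MD5 (-m 0) is modelled.

```python
"""Toy model of the hashcat behaviours the video describes: the one-hash-per-line
file layout, a straight (-a 0) attack with a few rule functions, and the keyspace
of a mask (-a 3) with and without increment (-i). Added example, not hashcat code."""
import hashlib
import re

MASK_CLASSES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}  # ?l ?u ?d ?s ?a sizes
MD5_LINE = re.compile(r"^[0-9a-fA-F]{32}$")  # a raw -m 0 line is 32 hex digits, nothing else


def md5_hex(plaintext):
    return hashlib.md5(plaintext.encode()).hexdigest()


def load_hash_file(text):
    """One bare MD5 per line, no stray spaces, no 'user:hash' colons (as the
    video insists). Returns (accepted_hashes, [(lineno, bad_line), ...])."""
    hashes, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue  # blank lines are harmless
        if MD5_LINE.match(raw):  # deliberately no .strip(): spaces get rejected
            hashes.append(raw.lower())
        else:
            rejected.append((lineno, raw))
    return hashes, rejected


def apply_rule(rule, word):
    """Subset of hashcat rule functions: ':' no-op, 'l' lower, 'u' upper,
    'c' capitalise, 'r' reverse, '$X' append X. Anything else is ignored."""
    out, i = word, 0
    while i < len(rule):
        fn = rule[i]
        if fn == "l":
            out = out.lower()
        elif fn == "u":
            out = out.upper()
        elif fn == "c":
            out = out[:1].upper() + out[1:].lower()
        elif fn == "r":
            out = out[::-1]
        elif fn == "$" and i + 1 < len(rule):
            out, i = out + rule[i + 1], i + 1
        i += 1
    return out


def straight_attack(hashes, wordlist, rules=(":",)):
    """-a 0: hash each word (after each rule) and compare. With the default
    no-op rule it is case-for-case, so 'qwerty' never matches a 'Qwerty' hash.
    Returns {hash: plaintext}, the pairs hashcat would append to its pot file."""
    targets, found = set(hashes), {}
    for word in wordlist:
        for rule in rules:
            candidate = apply_rule(rule, word)
            digest = md5_hex(candidate)
            if digest in targets and digest not in found:
                found[digest] = candidate
    return found


def mask_keyspace(mask, increment=False):
    """Candidates generated by a mask: '?x' is a class, '??' a literal '?',
    any other character a fixed literal. increment=True models -i, which
    tries every length from 1 to len(mask), so per-length products are summed."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            sizes.append(1 if mask[i + 1] == "?" else MASK_CLASSES[mask[i + 1]])
            i += 2
        else:
            sizes.append(1)
            i += 1
    lengths = range(1, len(sizes) + 1) if increment else [len(sizes)]
    total = 0
    for n in lengths:
        product = 1
        for size in sizes[:n]:
            product *= size
        total += product
    return total


# Constructed sample input (not from the video): three demo hashes one per line,
# plus a deliberately malformed 'user:hash' line that the loader must reject.
SAMPLE_HASH_FILE = "\n".join([md5_hex("Qwerty"), md5_hex("password1"),
                              "admin:" + md5_hex("letmein"), md5_hex("letmein")]) + "\n"
WORDLIST = ["qwerty", "password", "admin"]  # constructed toy word list
RULES = [":", "c", "$1"]                     # no-op, capitalise, append '1'

if __name__ == "__main__":
    hashes, rejected = load_hash_file(SAMPLE_HASH_FILE)
    print(rejected, straight_attack(hashes, WORDLIST), straight_attack(hashes, WORDLIST, RULES))
    for mask, inc in [("?d" * 7, False), ("?a" * 3, False), ("?a" * 4, True)]:
        print(f"{mask} {'-i' if inc else ''}: {mask_keyspace(mask, inc):,} candidates")
```

Without rules the straight attack finds nothing, because the list has qwerty but the hash is of Qwerty; with the c and $1 rules two of the three hashes fall, and the keyspace numbers show why three ?a positions are quick while -i over four is already two orders of magnitude larger.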