Available in hashcat's latest GitHub, and coming soon in the next hashcat release ... a couple of nice-to-haves that improve quality of life for power users.
By me:
Kernel.Feature...: Pure Kernel (password length 0-8 bytes)
By chick3nman (at my request, true keyspace instead of hashcat's workload-related "keyspace"):
--total-candidates
By matrix (at my request, JSON):
$ hashcat -II --machine-readable
New Open-Source Tool Spotlight 
Hashcat supports over 300 optimized hashing algorithms and runs on CPUs, GPUs, and accelerators across Linux, Windows, and macOS. Five attack modes make it a versatile password recovery tool. #hashcat #passwordsecurity
Project link on #GitHub 
https://github.com/hashcat/hashcat
#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity
— 
P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 
70000 | argon2id [Bridged: reference implementation + tunings] | Raw Hash
hashcat's latest pre-release (GitHub bleeding edge, or hashcat.net/beta) now has ...
Argon2 support! 
https://github.com/hashcat/hashcat/commit/96e3b6581df894b77722ac9c048519444bacd901
https://github.com/hashcat/hashcat/commit/d9918d7e44020a526aa7bdc0e364f9c159a0c324
Read the commit comments for more on the interesting architectural enhancements involved.
Benchmarks:
NVIDIA Driver Version: 575.51.03
CUDA Version: 12.9
$ hashcat --version
v6.2.6-1075-gd9918d7e4
GPU (2x 4090s), CUDA 3.0:
$ hashcat -b -m 34000
[...]
* Hash-Mode 34000 (Argon2) [Iterations: 12]
[...]
Speed.#01........: 1720 H/s (104.11ms) @ Accel:360 Loops:6 Thr:32 Vec:1
Speed.#02........: 1718 H/s (104.28ms) @ Accel:360 Loops:6 Thr:32 Vec:1
Speed.#*.........: 3438 H/s
Same GPUs, OpenCL:
$ hashcat -b -m 34000 --backend-ignore-cuda
[...]
Speed.#02........: 1724 H/s (104.21ms) @ Accel:360 Loops:6 Thr:32 Vec:1
Speed.#03........: 1721 H/s (104.38ms) @ Accel:360 Loops:6 Thr:32 Vec:1
Speed.#*.........: 3445 H/s
CPU (EPYC 7642 48C/96T 2.3GHz, Intel OpenCL 2.1 (Linux)) :
$ hashcat -b -D 1 -m 34000
[...]
Speed.#03........: 38 H/s (629.80ms) @ Accel:96 Loops:3 Thr:32 Vec:8
(Apple Metal test: deferred, throwing some errors for me, will update when working)
And high praise from atom for the PR:
https://github.com/hashcat/hashcat/pull/4284
This is an amazing contribution.
100 Stars from my side for this.
Many thanks to Pelle & Ewald from the NFI and thanks to Ondrej Mosnáček for creating the original warp-based GPU implementation!!
Following my Security Fest talk yesterday I've released Hashcatalyst, a wrapper that helps automate non-distributed workflows by chaining multiple attacks with no downtime.
Well, this cracking attack is going to take 5.5 days on 2x 4090s.
Top #hashcat tip:
Want per-position duplication in your rules to leverage your GPU?
It's not available in a single op, but you can emulate it by incrementally duplicating the first N chars, and then incrementally deleting the position and frequency of the redundant characters
After seeing yescrypt hashes appear in CMIYC a while back, I started developing a yescrypt cracker in pure Go. Since then, yescrypt has become the default /etc/shadow hash for many popular linux distros such as Debian, Ubuntu, RHEL, Fedora, and Arch (to name a few), but hash cracking support for this algo has been limited to JtR -- until now.
Here's a sneak peek of the yescrypt_cracker POC:
The hashcat.net site is down -- side effect of maintenance by hosting provider. Being worked.
Current release can be downloaded from GitHub:
https://github.com/hashcat/hashcat/releases/tag/v6.2.6
Convenience Wayback links to popular wiki pages:
Rules:
https://web.archive.org/web/20250211234251/https://hashcat.net/wiki/doku.php?id=rule_based_attack
Example hashes:
https://web.archive.org/web/20250216060927/https://hashcat.net/wiki/doku.php?id=example_hashes
FAQ
Nvidia RTX 5090 hashcat benchmarks.
@CCC : aus dem Artikel:
"Ein einfacher Satz wie „IchLiebeEsGegenFaschistenZuDemonstrieren!“ ist sicherer als „Mb2.r5oHf-0t“.
Lange Sätze sind leicht zu merken und zu tippen, aber schwer zu knacken."
Das ist FALSCH.
Wenn einmal in einem "Dictionary" (Worterbuch), wie z.b. "Rockyou" [1] macht die länge nichts aus.
[1] Z.b. https://dekisoft.com/rockyou-txt-gz-password-list-download/
Am sichersten braucht man eine Password Manager mit einem random generierties Passwort für jedem Account.
Mehr info (Englisch): https://infosec.exchange/@ErikvanStraten/113022180851761038; mit Android Screenshot: https://infosec.exchange/@ErikvanStraten/113549056619471557.
Passkeys sind leider noch ungeignet: https://infosec.exchange/@ErikvanStraten/113832302818012852.
Password "cracking" mit hashcat und NVidia Video-Karte: https://gist.github.com/ZephrFish/b849331aafa015ddd7786ca20ce718d7.
Edit 17:25: beispiele aus RockYou2021.txt (~90MB) in https://infosec.exchange/@ErikvanStraten/113923644127405769.
(Verzeihe Fälle-Fehler, ein Holländer hier).
For folks (kindly) reporting that the hashcat.net cert has expired - apologies, and it's been escalated (no ETA yet, though)
Da ich mich derzeit damit beschäftige,
Hat jemand eine step by step Anleitung wie man bei #linux #mint die Hardwarebeschleunigung für #amd #RadeonRX7000 karten in #handbrake aktiviert bekommt?
Irgendwas scheine ich falsch zu machen. In ffmpeg läuft es, hashcat sieht und nutzt sie auch. Aber Handbrake und alpaca weigern sich..
Nutze bei beiden die flatpak Version...
Team #Hashcat is pleased to present our much anticipated write-up for this year's #CrackMeIfYouCan contest at #Defcon32
Essential Cybersecurity Tools for Hacking and Ethical Hacking
#BurpSuite #Hashcat #Metasploit
#Nmap #OWASPZAP #SQLmap #Wireshark #SnoopGod #SnoopGodLinux https://snoopgod.com/2024/05/30/essential-cybersecurity-tools-for-hacking-and-ethical-hacking/
I was wondering if there is already #GPU #accelerated #bruteforcers for hash-to-curve
https://datatracker.ietf.org/doc/rfc9380/ out there?
and going beyond just "simple" h2c, 2hashdh prf H(pwd, H2c(pwd)^k) seems to be popular, might as well also inquire about their support. #opaque is one case where this is being used.
does anyone know?
philsmd has released a new Windows binary for 7z2hashcat (which extracts hashes from password-protected 7Zip files, so they can be cracked). This release fixes a bug that could sometimes prevent the fool from extracting hashes from multi-file 7z archives.
.@blacktraffic Great question!
Here are some reasons why #RainbowTables are obsolete for #password #cracking:
In any given password database, 92-98% of the passwords are going to be created by highly predictable humans (as opposed to being randomly generated.) Because of this, modern password cracking is heavily optimized for exploiting the human element of password creation, concentrating on probabilistc methods that achieve the largest plaintext yield in the least amount of time. As such, modern password cracking tools and techniques have evolved to become highly dynamic, requiring agility, flexibility, and scalability.
This is evident when looking at how #Hashcat has evolved over the last decade. Hashcat used to be heavily optimized for raw speed, but today it is optimized for maximum flexibilty (plus, lite, and cpu merged into a single code base, dropped the 15-character limit, introduced pure kernels, brain, and slow candidate mode, etc.) This need for dynamicity is also why we largely still use GPUs today, rather than having moved on to devices with potentially higher throughput, such as FPGAs or even ASICs.
With this in mind, it's rather easy to see that rainbow tables are the antithesis of modern password cracking. Rainbow tables are static, rigid, and not at all scalable. They directly compete with unordered incremental brute force, which in the context of modern password cracking, is largely viewed a last resort and generally only useful for finding randonly-generated passwords (although, can also be useful in identifying new patterns that rules and hybrid attacks failed to crack.) They also do not scale. If you have a handful of hashes, rainbow tables will likely be faster than brute forcing on GPU. But if you are working with even a modestly large hash set, rainbow tables will be slower than just performing brute force on GPU, even if you are using GPU rainbow tables.
Overall, rainbow tables are an optimization for an edge case: cracking a small amount of hashes of an algorithm for which we have tables, within the length and character sets for which we have tables, that fall within that 2-8% of hashes that we cannot crack with probabilistic methods. And even then, most people who are #security conscious enough to use use random passwords aren't going to make them only 8 or 9 characters long, so the percentage of those passwords that will actually be found in your tables will be much lower.
The questions you have to ask yourself: is that worth the disk space and the bandwidth to download and store rainbow tables, and do you really care about that 2-8%, keeping in mind that only a small percentage of that is going to fall within the tables you have? If the answer is "yes", then continue to use rainbow tables. However, the for the vast majority of us, the answer for the past 11 years has been a resounding "no." And that's why rainbow tables are, by and large, a relic of a bygone era.
With that said, rainbow tables do still have some utility outside of #passwords. For instance, cracking DES or A5/1 #encryption. There's also the cousin of rainbow tables, lossy hash tables (LHTs), which have some utility as well for things like old Microsoft Office and Adobe Acrobat encryption keys.
Read it here:
