Information collection under Linux (using the hashcat tool)

Keywords: Linux

Tool: hashcat
Prepare a dictionary first. Merge the wordlists you have collected, then deduplicate and sort them; sort -u does both in one pass (several input files can be listed).

Use under Linux

sort -u file.txt > password.lst

1. Usage

hashcat [options] <hash | hashfile | hccapxfile> [dictionary | mask | directory]...

A hccapx file is a converted wireless capture (WPA/WPA2 handshake); its hash type is -m 2500 (WPA/WPA2). Recent hashcat releases have replaced it with the hc22000 format and -m 22000, but everything else below is unchanged.
--help shows the full help text.
2. Options
(1) Basic options

-m, --hash-type=NUM        Hash type. NUM is the numeric id listed in the help output. If -m is omitted it defaults to 0 (MD5); for example -m 1800 is sha512crypt, the Linux /etc/shadow format.
-a, --attack-mode=NUM      Attack mode: -a 0 dictionary (straight), -a 1 combinator, -a 3 mask (brute-force); -a 6 and -a 7 are the hybrid dictionary+mask and mask+dictionary modes (full table in the reference below).
-V, --version              Version information
-h, --help                 Help information
--quiet                    Quiet mode, suppress output

(2) Benchmarking

-b, --benchmark            Benchmark the cracking speed of this machine (per hash type) and show hardware information

(3) Miscellaneous

--hex-salt                 Assume the salt is given in hex
--hex-charset              Assume the charset is given in hex
--runtime=NUM              Abort the session after NUM seconds of runtime
--status                   Enable automatic update of the status screen
--status-timer=NUM         Seconds between status-screen updates
--status-automat           Display the status view in a machine-readable format (--machine-readable in newer releases)
--session=NAME             Name the session; used together with --restore to resume a job that was interrupted (see the session example in section 6 below)

(4) Files

-o, --outfile=FILE         Output file for recovered (cracked) hashes
--outfile-format=NUM       Output format for that file, see the reference below
--outfile-autohex-disable  Disable the $HEX[...] encoding of plaintexts in the output
-p, --separator=CHAR       Separator character for the hash list and the output file
--show                     Show only cracked hashes (looked up in the potfile)
--left                     Show only uncracked hashes
--username                 Ignore the user name in the hash file (lines of the form user:hash), so a copied /etc/shadow can be cracked without trimming it first
--remove                   Remove hashes from the hash file once they are cracked; useful when hashes are read from a file, so cracked ones do not have to be stripped by hand
--stdout                   Do not crack; print the generated candidates (dictionary, rules, mask) to stdout
--potfile-disable          Do not write the potfile
--debug-mode=NUM           Debug mode (only meaningful when rules are used), see the reference below
--debug-file=FILE          Output file for rule debugging (see debug mode)
-e, --salt-file=FILE       File with a list of salts (hashcat-legacy, the old CPU-only version)
--logfile-disable          Disable the logfile

(5) Resources

-c, --segment-size=NUM     Size in MB of the dictionary cache
-n, --threads=NUM          Number of threads
-s, --skip=NUM             Skip the first NUM words/candidates of the keyspace (--words-skip in hashcat-legacy)
-l, --limit=NUM            Limit to NUM words/candidates (--words-limit in hashcat-legacy); with -s this splits one job across several machines

(6) Rules

-r, --rules-file=FILE      Use a rule file, e.g. -r 1.rule (may be given more than once)
-g, --generate-rules=NUM   Generate NUM random rules
--generate-rules-func-min=NUM  Minimum number of functions per random rule
--generate-rules-func-max=NUM  Maximum number of functions per random rule
--generate-rules-seed=NUM  Force the RNG seed to NUM

(7) Custom character sets

-1, --custom-charset1=CS   User-defined character set ?1
-2, --custom-charset2=CS   User-defined character set ?2
-3, --custom-charset3=CS   User-defined character set ?3
-4, --custom-charset4=CS   User-defined character set ?4

CS is a string of literal characters and/or built-in charset tokens, for example:
  --custom-charset1=?dabcdef   sets ?1 to 0123456789abcdef
  -2 mycharset.hcchr           sets ?2 to the characters contained in the file mycharset.hcchr

(8) Attack-mode options
Toggle-case attack (hashcat-legacy only; with current hashcat use the toggle rule files in rules/):

--toggle-min=NUM           Minimum number of letters toggled per word
--toggle-max=NUM           Maximum number of letters toggled per word

Mask attack:

--increment                Enable increment mode (try masks of growing length)
--increment-min=NUM        Start at mask length NUM
--increment-max=NUM        Stop at mask length NUM

Permutation attack (hashcat-legacy only):

--perm-min=NUM             Filter out words shorter than NUM
--perm-max=NUM             Filter out words longer than NUM

Table-lookup attack (hashcat-legacy only):

-t, --table-file=FILE      Table file
--table-min=NUM            Minimum word length in the dictionary
--table-max=NUM            Maximum word length in the dictionary

PRINCE attack:

--pw-min=NUM               Only output candidates of length at least NUM
--pw-max=NUM               Only output candidates of length at most NUM
--elem-cnt-min=NUM         Minimum number of elements per chain
--elem-cnt-max=NUM         Maximum number of elements per chain
--wl-dist-len              Calculate the output length distribution from the wordlist
--wl-max=NUM               Load only NUM words from the wordlist; 0 disables the limit
--case-permute             Also emit each word with the case of its first letter permuted

(9) Reference
Output file formats (--outfile-format):

1 = hash[:salt]
2 = plain
3 = hash[:salt]:plain
4 = hex_plain
5 = hash[:salt]:hex_plain
6 = plain:hex_plain
7 = hash[:salt]:plain:hex_plain
8 = crackpos
9 = hash[:salt]:crackpos
10 = plain:crackpos
11 = hash[:salt]:plain:crackpos
12 = hex_plain:crackpos
13 = hash[:salt]:hex_plain:crackpos
14 = plain:hex_plain:crackpos
15 = hash[:salt]:plain:hex_plain:crackpos

Debug mode output (--debug-mode, only with rules):

1 = save the matching rule
2 = save the original word
3 = save the original word and the matching rule
4 = save the original word, the matching rule and the modified plain

Built-in character sets:

?l = abcdefghijklmnopqrstuvwxyz                lowercase letters
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ                uppercase letters
?d = 0123456789                                digits
?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~         special characters (33 of them, including the space)
?a = ?l?u?d?s                                  all of the above (95 characters)
?b = 0x00 - 0xff                               all 256 byte values

Attack modes (-a):

0 = Straight (dictionary)
1 = Combination (two dictionaries combined)
2 = Toggle-Case (case conversion)
3 = Brute-force (mask)
4 = Permutation
5 = Table-Lookup
6 = Hybrid dictionary + mask
7 = Hybrid mask + dictionary
8 = PRINCE

Modes 2, 4, 5 and 8 exist only in hashcat-legacy (the old CPU-only version). hashcat 3.0 and later, which merged the CPU and GPU versions, supports 0, 1, 3, 6 and 7 (plus 9, association, from 6.0); the toggle and PRINCE attacks are done there with rule files and princeprocessor respectively.

3. Cracking principle: easy before difficult
(1) Try the collected public dictionaries first
(2) Then 1 to 8 digits
(3) Then 1 to 8 lowercase letters
(4) Then 1 to 8 uppercase letters
(5) Finally 1 to 8 characters of mixed case + digits + special characters
Each step costs far more than the one before it, because the keyspace grows exponentially with both the charset size and the length, so the cheap attacks go first.
3.1 Cracking rules
(1) Dictionary attack

-a 0 password.lst

(2) 1 to 8 digits, mask attack with increment

-a 3 --increment --increment-min 1 --increment-max 8 ?d?d?d?d?d?d?d?d -O

?d stands for a digit; it can be replaced by ?l (lowercase letters), ?u (uppercase letters), ?s (special characters) or ?a (upper and lower case, digits and special characters). -O enables the optimized kernels, which are faster but limit the maximum password length; it is optional.
(3) Fixed-length 8-digit mask

-a 3 ?d?d?d?d?d?d?d?d

The same form works for uppercase, lowercase, special characters and so on, with one token per character of the password.
(4) Custom character sets
Passwords made of digits only or letters only are relatively rare today; according to analyses of leaked password sets, about 90% of personal passwords combine letters and digits, and a custom charset lets you brute-force exactly that mix. Hashcat supports four user-defined charsets, -1 to -4. For example, -2 ?l?d defines ?2 as lowercase letters plus digits, and an 8-character mixed lowercase/digit password is then attacked with:

hashcat -a 3 -2 ?l?d <hash or hash file> ?2?2?2?2?2?2?2?2

For example, an 8-character lowercase-plus-digit Discuz password:

hashcat -m 2611 -a 3 -2 ?l?d dz.hash ?2?2?2?2?2?2?2?2

(5) Dictionary + mask (hybrid)
Hashcat can also combine a dictionary with brute force by appending or prepending a mask to every dictionary word. Appending a few digits to a word is very common, for example three digits after the word; that is attack mode 6:

-a 6 (Hybrid dict + mask)

To put the mask in front of the word, use attack mode 7 (-a 7 = Hybrid mask + dict). Cracking dictionary word plus three digits:

hashcat -a 6 ffe1cb31eb084cd7a8dd1228c23617c8 password.lst ?d?d?d

If the password behind ffe1cb31eb084cd7a8dd1228c23617c8 is password123, password.lst only needs to contain password; the mask ?d?d?d supplies the 123.
(6) Mask + dictionary (hybrid)

hashcat -a 7 ffe1cb31eb084cd7a8dd1228c23617c8 ?d?d?d password.lst

If the password is 123password, password.lst again only needs to contain password. Note that for -a 7 the mask comes before the dictionary on the command line.
(7) Toggle-case attack on the words of password.lst (hashcat-legacy only; with current hashcat the same effect is obtained with -a 0 -r rules/toggles1.rule):

hashcat -a 2 ffe1cb31eb084cd7a8dd1228c23617c8 password.lst

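The ordering above follows from the size of each keyspace. As an added example that is not part of the original post, the Python script below expands hashcat masks (the built-in ?l ?u ?d ?s ?a ?b tokens, literal characters, ?? for a literal question mark, and the -1 to -4 custom charsets) into their keyspace, including --increment ranges, and turns that into a worst-case runtime at a hash rate you would read off hashcat -b. The 1e9 H/s figure in the demo is a constructed placeholder, not a benchmark from the post.

```python
import math

# hashcat's built-in charsets; ?s has 33 characters and includes the space
BUILTIN = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
    "b": "".join(chr(i) for i in range(256)),
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def expand_charset(spec, custom=None):
    """Expand a charset spec such as '?l?d' or '?dabcdef' into the set of characters it denotes.

    '?x' refers to a built-in or custom charset, '??' is a literal '?', anything else is a
    literal. Duplicates collapse, so '?dabcdef' has 16 characters as in the post's example."""
    custom = custom or {}
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.add("?")
            elif key in BUILTIN:
                chars.update(BUILTIN[key])
            elif key in custom:
                chars.update(custom[key])
            else:
                raise ValueError(f"unknown charset ?{key} in {spec!r}")
            i += 2
        else:
            chars.add(spec[i])
            i += 1
    return frozenset(chars)


def build_custom(defs):
    """defs maps '1'..'4' to the -1..-4 specs; a later custom set may reuse an earlier ?N."""
    custom = {}
    for key in "1234":
        if key in defs:
            custom[key] = expand_charset(defs[key], custom)
    return custom


def position_sizes(mask, custom_defs=None):
    """Number of possible characters at each position of the mask."""
    custom = build_custom(custom_defs or {})
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            sizes.append(len(expand_charset(mask[i:i + 2], custom)))
            i += 2
        else:
            sizes.append(1)  # literal character
            i += 1
    return sizes


def keyspace(mask, custom_defs=None, increment=None):
    """Candidates hashcat will try for the mask.

    increment=(lo, hi) mirrors --increment --increment-min lo --increment-max hi:
    every prefix of the mask from length lo to hi is tried in turn."""
    sizes = position_sizes(mask, custom_defs)
    if increment is None:
        return math.prod(sizes)
    lo, hi = increment
    hi = min(hi, len(sizes))
    return sum(math.prod(sizes[:n]) for n in range(lo, hi + 1))


def estimate_seconds(mask, rate_per_second, custom_defs=None, increment=None):
    """Worst-case time for the whole keyspace at the rate reported by hashcat -b."""
    return keyspace(mask, custom_defs, increment) / rate_per_second


def crack_plan(rate_per_second):
    """The post's 'easy before difficult' steps (2)-(5), each with keyspace and worst-case seconds."""
    steps = [("1-8 digits", "?d" * 8), ("1-8 lowercase", "?l" * 8),
             ("1-8 uppercase", "?u" * 8), ("1-8 mixed ?a", "?a" * 8)]
    return [(name, keyspace(m, increment=(1, 8)),
             estimate_seconds(m, rate_per_second, increment=(1, 8))) for name, m in steps]


if __name__ == "__main__":
    rate = 1e9  # constructed placeholder: take the real figure for your -m from hashcat -b
    for name, size, secs in crack_plan(rate):
        print(f"{name:16} {size:22,d} candidates  ~{secs / 3600:10.1f} h")
    print("8 x ?2 with -2 ?l?d:", f"{keyspace('?2' * 8, {'2': '?l?d'}):,}")
```

Keyspace alone decides feasibility: at 1e9 H/s the 1-8 ?a run is roughly 1,900 hours, which is why the post puts it last, while the 8-character -2 ?l?d run is 36^8, about 2.8e12 candidates or 47 minutes at the same rate.
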
4. Obtaining and preparing password hashes
4.2 Linux hashes

cat /etc/shadow > myshadow.txt

(reading /etc/shadow requires root). Tidy up myshadow.txt so that only the hash field (the second colon-separated field) remains, one per line; accounts whose field is *, ! or !! have no password to crack.
You can also keep the user name in front of the hash (user:hash); then add --username when cracking.
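
As an added example (not from the original post), the following Python script does the tidying described above for a copied /etc/shadow: it drops accounts with no password, maps the crypt(3) prefix to the hashcat modes used in section 5 ($6$ 1800, $5$ 7400, $1$ 500, $2*$ 3200), deduplicates like sort -u, and writes one hash file per mode in the user:hash form that --username expects. The shadow lines are constructed samples with placeholder hash bodies, not real hashes; the include_locked switch is this script's own addition for accounts locked with passwd -l, which keep their hash behind a leading !.

```python
# hashcat modes for the crypt(3) prefixes covered in section 5; yescrypt ($y$), the default
# on recent Debian and Fedora, is deliberately absent because it is not in this post's table
CRYPT_MODES = {"$6$": 1800, "$5$": 7400, "$1$": 500, "$2a$": 3200, "$2b$": 3200, "$2y$": 3200}


def hash_mode(field):
    """hashcat -m value for a shadow hash field, or None if the prefix is not in CRYPT_MODES."""
    for prefix, mode in CRYPT_MODES.items():
        if field.startswith(prefix):
            return mode
    return None


def parse_shadow_line(line, include_locked=False):
    """Return (user, hash) for one /etc/shadow line, or None when there is nothing to crack.

    '*', '!' and '!!' mean no password at all; 'passwd -l' locks an account by prefixing '!'
    to an otherwise valid hash, which include_locked=True recovers."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 2:
        return None
    user, field = parts[0], parts[1]
    if field in ("", "*", "!", "!!"):
        return None
    if field.startswith("!"):
        if not include_locked:
            return None
        field = field.lstrip("!")
    return user, field


def prepare_hashfiles(shadow_lines, keep_username=True, include_locked=False):
    """Group crackable hashes by hashcat mode, deduplicated and sorted (like sort -u).

    With keep_username the lines are 'user:hash' and need --username on the hashcat
    command line; otherwise they are bare hashes."""
    groups = {}
    for line in shadow_lines:
        rec = parse_shadow_line(line, include_locked)
        if rec is None:
            continue
        user, field = rec
        mode = hash_mode(field)
        if mode is None:
            continue
        groups.setdefault(mode, set()).add(f"{user}:{field}" if keep_username else field)
    return {mode: sorted(entries) for mode, entries in groups.items()}


def write_hashfiles(groups, prefix="shadow"):
    """Write one file per mode, e.g. shadow-1800.txt, and return the file names."""
    names = []
    for mode, entries in groups.items():
        name = f"{prefix}-{mode}.txt"
        with open(name, "w") as fh:
            fh.write("\n".join(entries) + "\n")
        names.append(name)
    return names


# constructed sample: the hash bodies are placeholders, not real crypt(3) output
SAMPLE_SHADOW = """\
root:$6$Q1rx9sLt$cOnStRuCtEdShA512cRyPtBoDy/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789aBcDeFgHiJkLmNoPqRsTuVwXyZ:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$5$Ab3dE9xY$cOnStRuCtEdShA256cRyPtBoDy0123456789abcdefghijklmnopq:19000:0:99999:7:::
bob:!$1$zX9qW1eR$cOnStRuCtEdMd5cRyPt00:19000:0:99999:7:::
carol:$2y$10$cOnStRuCtEdBcRyPtSaLt22cOnStRuCtEdBcRyPtHaSh0123456789012:19000:0:99999:7:::
dave:!!:19000:0:99999:7:::
eve:$y$j9T$cOnStRuCtEdYeScRyPt$cOnStRuCtEdYeScRyPtBoDy:19000:0:99999:7:::
alice:$5$Ab3dE9xY$cOnStRuCtEdShA256cRyPtBoDy0123456789abcdefghijklmnopq:19000:0:99999:7:::
"""

if __name__ == "__main__":
    groups = prepare_hashfiles(SAMPLE_SHADOW.splitlines(), include_locked=True)
    for name in write_hashfiles(groups):
        print("wrote", name)  # then e.g.: hashcat -m 1800 --username shadow-1800.txt password.lst
```

Keeping one mode per file matters because hashcat takes a single -m per run; mixing $6$ and $1$ lines in one file makes it reject the ones that do not match the mode.
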
4.3 Other hash types
Generally one hash type is kept per file. Some hashes are salted, and then the complete value (hash plus salt) is required. For example, the password value in a Discuz! forum is:


The first part looks like an MD5 digest and the second part is the salt. The stored value is actually md5(md5(password).salt) (hashcat mode 2611, given as hash:salt), so without the salt it cannot be cracked: attacking the first part as a plain MD5 will not find the password.

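To make the salt point concrete, here is an added Python example (not code from the original post) that builds hashcat mode-2611 input lines from (username, hash, salt) rows such as a Discuz members table would give you, and checks a wordlist against them the way hashcat would: once with the salt, and once pretending the first half is a plain MD5. The sample passwords, salts and user names are constructed for the demo.

```python
import hashlib


def discuz_hash(password, salt):
    """Discuz!/UCenter password hash: md5(md5(password) + salt), hashcat mode 2611."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def rows_to_hashfile(rows, keep_username=False):
    """Turn (username, password_hash, salt) rows into hashcat input lines.

    Mode 2611 expects 'hash:salt'; with keep_username the line is 'user:hash:salt'
    and the hashcat command then needs --username."""
    lines = []
    for user, pw_hash, salt in rows:
        line = f"{pw_hash}:{salt}"
        lines.append(f"{user}:{line}" if keep_username else line)
    return lines


def try_candidates(hash_line, candidates, salted=True):
    """Return the first candidate matching a 'hash:salt' line, or None.

    salted=False mimics the mistake of attacking the first half as a plain MD5 (-m 0):
    the salt is ignored, so the right password is never recognised."""
    pw_hash, salt = hash_line.split(":", 1)
    for cand in candidates:
        if salted:
            digest = discuz_hash(cand, salt)
        else:
            digest = hashlib.md5(cand.encode("utf-8")).hexdigest()
        if digest == pw_hash:
            return cand
    return None


# constructed sample rows (user, hash, salt); the hashes are computed here from known passwords
SAMPLE_ROWS = [
    ("admin", discuz_hash("summer2021", "ab12cd"), "ab12cd"),
    ("guest", discuz_hash("qwerty", "9z8y7x"), "9z8y7x"),
]
SAMPLE_DICT = ["123456", "password", "qwerty", "summer2021"]

if __name__ == "__main__":
    for line in rows_to_hashfile(SAMPLE_ROWS):
        print(line, "->", try_candidates(line, SAMPLE_DICT),
              "| as plain md5:", try_candidates(line, SAMPLE_DICT, salted=False))
```

The same wordlist finds both passwords with the salt and neither without it, which is the whole reason the salt column has to be exported together with the hash.
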
5. Cracking the hashes
5.1 Cracking different hash types
(1) Linux sha512crypt, $6$, SHA512 (Unix):

hashcat -m 1800 sha512linux.txt p.txt

(2) Linux sha256crypt, $5$, SHA256 (Unix):

hashcat -m 7400 sha256linux.txt p.txt

(3) Linux md5crypt, $1$, MD5 (Unix), also used by Cisco IOS $1$ (MD5):

hashcat -m 500 linuxmd5.txt p.txt

(4) Linux bcrypt, $2*$, Blowfish (Unix):

hashcat -m 3200 linuxmd5.txt p.txt

Note: cracked hashes are printed as soon as they are found. While a job runs, press s to show the status, p to pause, r to resume, b to bypass the current dictionary or mask, and q to quit.
6. Cracking summary and tips
6.1 Optimized kernels for GPU cracking
When cracking on a GPU, add -O to use the optimized kernels. They are considerably faster, but they cap the candidate password length (for many hash types at 31 characters or fewer), so longer passwords are silently skipped; hashcat prints the applicable limits when the job starts.
6.2 Brute-forcing a single MD5 value
(1) 9 digits

hashcat -a 3 d98d28ca88f9966cb3aaefebbfc8196f ?d?d?d?d?d?d?d?d?d

A bare hash can be passed on the command line instead of a file. --force is not needed for this: it only suppresses hashcat's warnings (for example about unsupported drivers), and should be avoided because the conditions it hides can lead to wrong or missing results.
(2) 9 lowercase letters

hashcat -a 3 d98d28ca88f9966cb3aaefebbfc8196f ?l?l?l?l?l?l?l?l?l

6.3 Cracking a salted Discuz password
(1) Digits
7 digits, the whole keyspace done in 7 seconds:

hashcat -a 3 -m 2611 ffe1cb31eb084cd7a8dd1228c23617c8:f56463 ?d?d?d?d?d?d?d

8 digits, done in 9 seconds:

hashcat -a 3 -m 2611 ffe1cb31eb084cd7a8dd1228c23617c8:f56463 ?d?d?d?d?d?d?d?d

9 digits, done in 9 seconds:

hashcat -a 3 -m 2611 ffe1cb31eb084cd7a8dd1228c23617c8:f56463 ?d?d?d?d?d?d?d?d?d

6.4 Letters
(1) 6 lowercase letters

hashcat -a 3 -m 2611 ffe1cb31eb084cd7a8dd1228c23617c8:f56463 ?l?l?l?l?l?l

(2) 7 lowercase letters

hashcat -a 3 -m 2611 ffe1cb31eb084cd7a8dd1228c23617c8:f56463 ?l?l?l?l?l?l?l

(3) 8 lowercase letters

hashcat -a 3 -m 2611 ffe1cb31eb084cd7a8dd1228c23617c8:f56463 ?l?l?l?l?l?l?l?l

The full 8-letter keyspace takes about 9 minutes.
(4) 9 lowercase letters

hashcat -a 3 -m 2611 ffe1cb31eb084cd7a8dd1228c23617c8:f56463 ?l?l?l?l?l?l?l?l?l -O

6.5 Letters plus digits
(1) 7 characters of digits and lowercase letters

hashcat -a 3 -m 2611 -2 ?d?l ffe1cb31eb084cd7a8dd1228c23617c8:f56463 ?2?2?2?2?2?2?2

(2) 7 uppercase letters

hashcat -a 3 -m 2611 ffe1cb31eb084cd7a8dd1228c23617c8:f56463 ?u?u?u?u?u?u?u

(3) 6 to 8 lowercase letters

hashcat -a 3 -m 2611 ffe1cb31eb084cd7a8dd1228c23617c8:f56463 --increment --increment-min 6 --increment-max 8 ?l?l?l?l?l?l?l?l

6.6 Custom charsets
(1) 6 characters of mixed digits and lowercase letters

hashcat -a 3 -m 2611 -2 ?d?l ffe1cb31eb084cd7a8dd1228c23617c8:f56463 ?2?2?2?2?2?2 -O

(2) 7 characters of mixed digits and lowercase letters, done in 4 minutes 16 seconds

hashcat -a 3 -m 2611 -2 ?d?l ffe1cb31eb084cd7a8dd1228c23617c8:f56463 ?2?2?2?2?2?2?2 -O

(3) 8 characters of mixed digits and lowercase letters

hashcat -a 3 -m 2611 -2 ?d?l ffe1cb31eb084cd7a8dd1228c23617c8:f56463 ?2?2?2?2?2?2?2?2 -O

6.7 Dictionary mode

hashcat -a 0 -m 2611 ffe1cb31eb084cd7a8dd1228c23617c8:f56463 password.lst

Crack MySQL4.1/MySQL5 hashes (-m 300) with every dictionary in the dictionaries folder, removing cracked hashes from the input file and writing the results to mysql-cracked.txt:

hashcat -m 300 mysqlhashes.txt --remove -o mysql-cracked.txt ../dictionaries/*

6.8 Saving a session and resuming cracking
(1) Crack with a mask file (one mask per line, tried in order) under a named session

hashcat -m 2611 -a 3 --session mydz dz.hash masks/rockyou-7-2592000.hcmask

(2) Resume the session

hashcat --session mydz --restore

6.9 Mask files

The .hcmask mask files ship with hashcat in the masks directory, for example D:\PentestBox\hashcat-4.1.0\masks; a mask file is passed in place of the mask, as in the session example above.

6.10 Cracking with a rule file

hashcat -m 300 mysqlhashes.txt --remove -o mysql-cracked.txt ../dictionaries/* -r rules/best64.rule
hashcat -m 2611 -a 0 dz.hash password.lst -r rules/best64.rule -O

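Rules are the part of hashcat most worth understanding, so here is an added Python example (not hashcat's code; SAMPLE_RULES is a constructed file in the style of best64.rule, not that file's actual contents) that implements the most common rule functions and expands a wordlist through a rule file. It shows what hashcat --stdout -r would feed into the cracker for the commands above. The supported subset is listed in the docstring; any other function raises ValueError rather than silently passing the word through.

```python
POSITIONS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # hashcat position arguments: 0-9, then A=10 .. Z=35


def apply_rule(word, rule):
    """Apply one hashcat-style rule line to a word and return the mangled candidate.

    Supported functions: ':' 'l' 'u' 'c' 'C' 't' 'r' 'd' 'f' '{' '}' '[' ']' and the
    argument-taking '$X' '^X' 'sXY' '@X' 'DN' 'TN' 'ZN' 'zN' 'pN'. Spaces between
    functions are ignored, as in hashcat's rule files; anything else raises ValueError."""
    w, i = word, 0
    while i < len(rule):
        f = rule[i]
        i += 1
        if f == " " or f == ":":
            continue
        if f == "l":
            w = w.lower()
        elif f == "u":
            w = w.upper()
        elif f == "c":
            w = w[:1].upper() + w[1:].lower()
        elif f == "C":
            w = w[:1].lower() + w[1:].upper()
        elif f == "t":
            w = w.swapcase()
        elif f == "r":
            w = w[::-1]
        elif f == "d":
            w = w + w
        elif f == "f":
            w = w + w[::-1]
        elif f == "{":
            w = w[1:] + w[:1]
        elif f == "}":
            w = w[-1:] + w[:-1]
        elif f == "[":
            w = w[1:]
        elif f == "]":
            w = w[:-1]
        elif f in "$^@DTZzp":
            arg = rule[i]
            i += 1
            if f == "$":
                w = w + arg
            elif f == "^":
                w = arg + w
            elif f == "@":
                w = w.replace(arg, "")
            else:
                n = POSITIONS.index(arg)
                if f == "D":
                    w = w[:n] + w[n + 1:]
                elif f == "T" and n < len(w):
                    w = w[:n] + w[n].swapcase() + w[n + 1:]
                elif f == "Z":
                    w = w + w[-1:] * n
                elif f == "z":
                    w = w[:1] * n + w
                elif f == "p":
                    w = w * (n + 1)
        elif f == "s":
            w = w.replace(rule[i], rule[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported rule function {f!r} in rule {rule!r}")
    return w


def load_rules(text):
    """Parse rule-file text: one rule per line, '#' comments and blank lines skipped.

    Lines are not stripped, because '$ ' (append a space) is a valid rule."""
    return [line for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def expand(words, rules):
    """Every word under every rule, deduplicated in first-seen order (what --stdout -r prints)."""
    seen, out = set(), []
    for word in words:
        for rule in rules:
            cand = apply_rule(word, rule)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


# constructed rule file in the style of best64.rule (not the real file's contents)
SAMPLE_RULES = """\
# no-op, case and reversal
:
u
c
r
T0
# appends and substitutions
$1 $2 $3
c $1
sa4 so0
se3
Z1
"""

if __name__ == "__main__":
    for cand in expand(["password", "summer"], load_rules(SAMPLE_RULES)):
        print(cand)
```

Each rule line is one candidate per word, so a 64-line rule file multiplies a dictionary by at most 64; that is why -r is so much cheaper than a mask of comparable reach, and why hashcat's --stdout is the right way to sanity-check a rule file before a long run.
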
Posted by leetee on Thu, 14 Oct 2021 17:26:02 -0700