How to Use Hashcat in Kali Linux

How to Use Hashcat in Kali Linux


2 min read

Hashcat is an advanced password-cracking tool that can help ethical hackers and security researchers recover lost or forgotten passwords by cracking password hashes. Kali Linux has hashcat pre-installed, making it easy to get started with password cracking.

In this beginner's guide, we will walk through the basics of using hashcat on Kali Linux, covering:

Installing and Setting Up Hashcat

  • Hashcat comes pre-installed on Kali Linux, so no need to install it separately.

  • Run hashcat from the terminal to verify it is working. You should see the hashcat help output.

  • For faster performance, install CUDA if you have a compatible Nvidia GPU:

      apt install cuda

Preparing a Password Hash File

  • Gather password hashes from your allowed penetration testing scope.

  • Save hashes in a simple text file, one hash per line.

  • Popular formats: MD5, SHA1, SHA256, SHA512, NTLM, etc.

  • Use sample hashes for testing if no real ones are available.

Selecting a Wordlist for Dictionary Attack

  • Hashcat works by making educated guesses using a dictionary file or "wordlist".

  • Kali includes many useful wordlists at /usr/share/wordlists.

  • Use rockyou.txt as a common starting point. It has millions of real leaked passwords.

Running the Hashcat Attack

Basic hashcat command structure:

hashcat -m [hash mode] -a [attack mode] [hash file] [wordlist]

For example, to crack MD5 hashes with rockyou.txt:

hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

That will run a straight dictionary attack, trying every word in the wordlist.

Interpreting and Using Cracked Hashes

  • Hashcat shows cracked hashes in real-time. Yay!

  • Export full output using -o cracked.txt argument for later review.

  • Change attack modes and add rules/masks for smarter guessing.

  • Use cracked hashes to infiltrate systems and demonstrate security risk!

And that's the basics of using the powerful hashcat password cracker on Kali Linux! Now you can test password strength and identify weak credentials that need updating.

Remember to only use hashcat against systems you have explicit permission to test. Password cracking can help improve security, but be ethical!