Today we are releasing hate_crack to unleash the power of hashcat to the community. Unless you’re deeply into hash cracking, you most likely aren’t aware of the several different attack modes built into hashcat, such as:

• Mask Attack
• Fingerprint Attack
• Combinator Attack
• Hybrid Attack

Martin Bos covered several of these attacks in a previous post, describing his methodology for cracking the LinkedIn hash dump of 2012. If you don’t know Martin (formerly known as pure_hate), he is a long-standing member of Team Hashcat, has competed in several hash cracking contests, and has an unhealthy obsession with cracking hashes. The sharing of his methodology inspired the creation of this script, so that our team could up their hash cracking game. To get started, the first thing you will need is the latest version of hashcat. Follow the included build instructions or use your Google powers to get it running on your host Operating System. Next, you will need some wordlists to work with. For demonstration purposes, I used the lists provided in SecLists. Finally, download the latest version of hate_crack.

# git clone https://github.com/trustedsec/hate_crack.git

Inevitably, there are going to be duplicate words across whatever wordlists you choose to use, so deduplication is a good optimization step for your wordlists. Also, hashcat works much more efficiently if you separate your wordlists by password length. Luckily, the hashcat team has included several utilities to assist with these tasks. Included in the hate_crack repository is “wordlist_optimizer.py”, which is simply a wrapper script for these utilities. To create your own optimized wordlists, create a list of file names for your wordlists:

# ls -rt -d -1 $PWD/{*,.*} >../wordlists.txt
/Passwords/SecLists/Passwords/rockyou.txt
/Passwords/SecLists/Passwords/adobe100.txt
/Passwords/SecLists/Passwords/UserPassJay.txt
/Passwords/SecLists/Passwords/Sucuri_Top_Wordpress_Passwords.txt
/Passwords/SecLists/Passwords/SplashData-2015.txt
/Passwords/SecLists/Passwords/MostPopularLetterPasses.txt
/Passwords/SecLists/Passwords/KeyboardCombinations.txt
/Passwords/SecLists/Passwords/Basic_Spanish_List.txt
/Passwords/SecLists/Passwords/Ashley_Madison.txt
/Passwords/SecLists/Passwords/500-worst-passwords.txt
/Passwords/SecLists/Passwords/1337speak.txt
…

Next, point “wordlist_optimizer.py” to your “wordlists.txt” and give it the directory that you would like to save to your optimized wordlists.

# python wordlist_optimizer.py
usage: python wordlist_optimizer.py input file list output directory

# python wordlist_optimizer.py wordlists.txt ../optimized_wordlists

After you’ve got your optimized wordlists created, you’re almost ready to start cracking hashes. The last step is to modify “hate_crack/config.json” to point to your hashcat binaries, utilities, and wordlists:

{
  "hcatPath": "/Passwords/hashcat",
  "hcatBin": "hashcat",
  "hcatTuning": "--force",
  "hcatWordlists": "/Passwords/wordlists",
  "hcatOptimizedWordlists": "/Passwords/optimized_wordlists",
  "_comment": "Change extension to .bin for Linux and .app for OSX",
  "hcatExpanderBin": "expander.app",
  "hcatCombinatorBin": "combinator.app",
  "hcatPrinceBin": "pp64.app"
}

Make sure that “rockyou.txt” is in your “hcatWordlists” directory. Several of the hate_crack modules rely on it. Now, get your crack on! Before I leave you, be sure to check out hash-mode 1000 (NTLM). If you input an Active Directory dump in PWDUMP format and choose mode 1000, hate_crack will detect the format, split the LM/NT hashes out, crack them, and put them back together for you. Hack the Planet! You can download hate_crack from the TrustedSec GitHub page and is now open to the public.