Hashcat is a command-line utility that finds unknown passwords from their known hashes.
First, we need to precisely define the "finding a password" problem. Let's assume we have a hash obtained by processing an unknown password with the "phpass" algorithm.
The password hash is stored in the in.hash file and the hash is:
We're going to assume that we know the password mask. It is:
That means that the password consists of 3 alphanumeric characters.
Now we can try to find the password, matching the given hash and mask, by calling:
./hashcat -a 3 -m 400 in.hash ?a?a?a
The parameters are:
-a 3 - use a brute-force attack. There are 5 other types of attacks.
-m 400 - password is hashed with the phpass algorithm. There are 320 other algorithms supported by Hashcat.
in.hash - name of a file containing the hashed password
?a?a?a - mask to use
As a result of the above call, the hashcat.potfile will be created with the following content:
pas is the password which had been unknown to us and was just retrieved by hashcat.
To showcase how a similar problem can be resolved faster, we created the Golem version of Hashcat. It uses the computing power of many providers at the same time. Parallelized password recovery can be much quicker - instead of days or months, this Golem version is likely to solve the problem in hours.
How to make Hashcat work in parallel? The answer is quite simple: the keyspace concept. We can ask the tool to tell us what the size of the possibility space (keyspace) is for the given mask and algorithm:
hashcat --keyspace -a 3 ?a?a?a -m 400
As a result, we will receive an answer in the standard output. In our case it is
Now we can divide the 0..9025 space into separate fragments. Assuming we want to allow our app to use up to 3 separate workers (which means up to 3 providers), those parts would be:
To process only the part of the whole 0..9025 space, we use the
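./hashcat -a 3 -m 400 in.hash --skip 3009 --limit 3008 ?a?a?a
The above call will process the 3009..6016 part. Hashcat counts --limit from the --skip offset, so its value is the number of keyspace entries to process (3008 here), not the end position. If there is any result in that range it will be written to the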
provide each running Docker container with in.hash file (the same for all fragments)
hashcat with proper --limit values in each Docker container
hashcat.potfile from each Docker container to the requestor
check if any of the resultant potfiles contains a password. If yes, present it to the user.
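The fragment plan and the final potfile check described above, written out as an added Python example (it is not the Golem project's code). The function names, the placeholder hash and the sample potfile texts are constructed for illustration; the plan works for any keyspace size and worker count and treats --limit as a count of entries after --skip.

```python
def plan_fragments(keyspace, workers):
    """Split keyspace entries 0..keyspace-1 into contiguous (skip, limit) pairs.

    limit is the NUMBER of entries after skip, which is how hashcat reads --limit.
    """
    base, extra = divmod(keyspace, workers)
    plan, skip = [], 0
    for i in range(workers):
        limit = base + (1 if i < extra else 0)  # spread the remainder
        if limit:                               # more workers than entries
            plan.append((skip, limit))
        skip += limit
    return plan


def hashcat_argv(skip, limit, mask="?a?a?a", mode=400, hash_file="in.hash"):
    """Command line for one container, same options as the call on this page."""
    return ["./hashcat", "-a", "3", "-m", str(mode), hash_file,
            "--skip", str(skip), "--limit", str(limit), mask]


def decode_plain(plain):
    """hashcat stores plains it cannot print safely as $HEX[<hex bytes>]."""
    if plain.startswith("$HEX[") and plain.endswith("]"):
        return bytes.fromhex(plain[5:-1]).decode("utf-8", "replace")
    return plain


def find_password(potfiles, wanted_hash):
    """potfiles: one potfile text per container; lines are <hash>:<plain>."""
    for text in potfiles:
        for line in text.splitlines():
            found_hash, sep, plain = line.rpartition(":")
            if sep and found_hash == wanted_hash:
                return decode_plain(plain)
    return None


# Constructed sample data: a placeholder, not a real phpass hash.
SAMPLE_HASH = "$P$PLACEHOLDER-HASH-NOT-REAL"
SAMPLE_POTFILES = ["", SAMPLE_HASH + ":pas", ""]  # only fragment 2 had a hit

if __name__ == "__main__":
    for skip, limit in plan_fragments(9025, 3):
        print(" ".join(hashcat_argv(skip, limit)))
    print("recovered:", find_password(SAMPLE_POTFILES, SAMPLE_HASH))
```

The fragments never overlap and their limits always sum to the keyspace, so no candidate is skipped or tested twice.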