How to Crack MD5 Hashes Using hashcat

In this tutorial we will show you how to create a list of MD5 password hashes and crack them using hashcat.

We will perform a dictionary attack using the rockyou wordlist on a Kali Linux box.

Creating a list of MD5 hashes to crack

To create a list of MD5 hashes, we can use of md5sum command.

The full command we want to use is:

echo -n "Password1" | md5sum | tr -d " -" >> hashes

Here we are piping a password to md5sum so a hash is produced. Unnecessary output is then stripped and it is stored in a file in a file called "hashes".

"echo -n 'Password1'" is used to print the phrase "Password1". The -n portion removes the new line added to the end of "Password1". This is important as we don't want the new line characters to be hashed with our password.

The part “tr –d ‘ -‘ “ removes any characters that are a space or hyphen from the output like so:

Before:

# echo -n "Password1" | md5sum
2ac9cb7dc02b3c0083eb70898e549b63  -

After:

# echo -n "Password1" | md5sum | tr -d " -"
2ac9cb7dc02b3c0083eb70898e549b63

For demonstration purposes, we'll create multiple MD5 hashes containing different strength passwords and output them to a file called hashes:

echo -n "Password1" | md5sum | tr -d " -" >> hashes
echo -n "HELLO" | md5sum | tr -d " -" >> hashes
echo -n "MYSECRET" | md5sum | tr -d " -" >> hashes
echo -n "Test1234" | md5sum | tr -d " -" >> hashes
echo -n "P455w0rd" | md5sum | tr -d " -" >> hashes
echo -n "GuessMe3" | md5sum | tr -d " -" >> hashes
echo -n "S3CuReP455Word" | md5sum | tr -d " -" >> hashes
echo -n "HighlyUnlik3lyToB3Cr4ck3d…" | md5sum | tr -d " -" >> hashes

Once you have run these commands will look something like this:

# cat hashes
2ac9cb7dc02b3c0083eb70898e549b63
eb61eead90e3b899c6bcbe27ac581660
958152288f2d2303ae045cffc43a02cd
2c9341ca4cf3d87b9e4eb905d6a3ec45
75b71aa6842e450f12aca00fdf54c51d
98bffa1e0b3872aa0813b0a62a2003ab
b5af0b804ff7238bce48adef1e0c213f
5a53193b4cca4ccdabf3ccb1fa514162

If you already have a list of words then the following bash script can be used to automate the MD5 generation, reading each line in a file, then generating a file off the resulting hashes. Replace 'wordlist' with the file path of your word list.

for i in $(cat wordlist); do echo -n "$i"| md5sum | tr -d " -" >> hashes; done

If you do not have md5sum on your machine, you can copy and paste the hashes above and save it in a file called "hashes". If you want to hash different passwords than the ones above and you don't have md5sum installed, you can use MD5 generators online such as this one by Sunny Walker.

Running hashcat to Crack MD5 Hashes

Now we can start using hashcat with the rockyou wordlist to crack the MD5 hashes. The rockyou wordlist comes pre-installed with Kali. If you are not using Kali you can use another wordlist, or download it from here.

The command to start our dictionary attack on the hashes is:

hashcat –m 0 hashes /usr/share/wordlists/rockyou.txt
Argument Function
-m 0 Tells hashcat which mode to use. 0 is MD5.
Hashes Our file containing the our MD5 password hashes.
/usr/share/wordlists/rockyou.txt Points hashcat to the wordlist containing the passwords to hash and compare.

When you run the command, you should get an output like below:

# hashcat -m 0 hashes /usr/share/wordlists/rockyou.txt

Initializing hashcat v2.00 with 2 threads and 32mb segment-size...

Added hashes from file hashes: 8 (1 salts)


2ac9cb7dc02b3c0083eb70898e549b63:Password1  

eb61eead90e3b899c6bcbe27ac581660:HELLO      

958152288f2d2303ae045cffc43a02cd:MYSECRET   

75b71aa6842e450f12aca00fdf54c51d:P455w0rd   

2c9341ca4cf3d87b9e4eb905d6a3ec45:Test1234   

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>


Input.Mode: Dict (/usr/share/wordlists/rockyou.txt)

Index.....: 1/5 (segment), 3627099 (words), 33550339 (bytes)

Recovered.: 5/8 hashes, 0/1 salts

Speed/sec.: 9.90M plains, 9.90M words

Progress..: 3627099/3627099 (100.00%)

Running...: --:--:--:--

Estimated.: --:--:--:--




[s]tatus [p]ause [r]esume [b]ypass [q]uit =>


Input.Mode: Dict (/usr/share/wordlists/rockyou.txt)

Index.....: 2/5 (segment), 3351795 (words), 33550340 (bytes)

Recovered.: 5/8 hashes, 0/1 salts

Speed/sec.: 16.43M plains, 16.43M words

Progress..: 3351795/3351795 (100.00%)

Running...: 00:00:00:01

Estimated.: --:--:--:--


...

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>


Input.Mode: Dict (/usr/share/wordlists/rockyou.txt)

Index.....: 5/5 (segment), 553095 (words), 5720149 (bytes)

Recovered.: 5/8 hashes, 0/1 salts

Speed/sec.: 9.23M plains, 9.23M words

Progress..: 553095/553095 (100.00%)

Running...: --:--:--:--

Estimated.: --:--:--:--



Started: Thu Jul 14 05:37:50 2016           

Stopped: Thu Jul 14 05:37:53 2016

Towards the top of the output you can see the hashes that were cracked side-by-side with the plaintext password and hash.

From the output we can determine the following passwords we hashed were not in the rockyou wordlist:

  • GuessMe3
  • S3CuReP455Word
  • HighlyUnlik3lyToB3Cr4ck3d

Unless told otherwise, any hash that hashcat cracks will be stored in a hashcat.pot file. This will be created in directory where you ran hashcat.

The contents of your "hashcat.pot" file from this tutorial should look like the following:

#cat hashcat.pot
2ac9cb7dc02b3c0083eb70898e549b63:Password1
eb61eead90e3b899c6bcbe27ac581660:HELLO
958152288f2d2303ae045cffc43a02cd:MYSECRET
75b71aa6842e450f12aca00fdf54c51d:P455w0rd
2c9341ca4cf3d87b9e4eb905d6a3ec45:Test1234

Summary

This has been a basic tutorial on how to crack MD5 hashes using hashcat. We've MD5 hashed passwords and using hashcat, cracked five out of the total eight. The attack technique that we used within hashcat was a dictionary attack with the rockyou wordlist.

Author image

William Hurer-Mackay

Will is a Computer Networks Engineering graduate of the University of Northampton who is undertaking 4ARMED's Security Tester internship programme aimed at bringing new recruits into the cyber security sector.

Related Blog Articles