Hashcat

hashcat is the world’s fastest and most advanced password recovery utility, supporting five unique modes of attack for over 300 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking.

Hashcat is best supported on Nvidia GPUs, and it requires the Nvidia CUDA toolkit to be installed as a prerequisite. The CUDA toolkit is available for CentOS, Debian, Fedora, KylinOS, OpenSUSE, RHEL, Rocky, SLES, Ubuntu, WSL-Ubuntu and Windows 10, 11 and 2022 Server. Below are links for Ubuntu, WSL-Ubuntu and Windows; for other versions refer to the Nvidia CUDA toolkit website. For a particular Linux version, choose the maximum CUDA version supported by your Nvidia GPU (compute capability).

Nvidia Toolkit 12.4.1 Linux Download

Ubuntu 20.04
Ubuntu 22.04
WSL Ubuntu 2.0

Ubuntu 22.04 Installation

wget https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-ubuntu2204.pin
sudo mv cuda-ubuntu2204.pin /etc/apt/preferences.d/cuda-repository-pin-600
wget https://developer.download.nvidia.com/compute/cuda/12.4.1/local_installers/cuda-repo-ubuntu2204-12-4-local_12.4.1-550.54.15-1_amd64.deb
sudo dpkg -i cuda-repo-ubuntu2204-12-4-local_12.4.1-550.54.15-1_amd64.deb
sudo cp /var/cuda-repo-ubuntu2204-12-4-local/cuda-*-keyring.gpg /usr/share/keyrings/
sudo apt-get update
sudo apt-get -y install cuda-toolkit-12-4

for more installation procedure refer to

Windows Download

Currently the Nvidia toolkit is officially supported on Windows 10/11/2022 Server. On Windows, even the latest version is compatible with older GPUs such as the Nvidia 1050Ti, so give it a try.

Windows 10/11/2022

Download Linux hashcat + test wallets

git clone https://github.com/CryptoXploit/Hashcat.git

Download Windows hashcat + test wallets

https://github.com/CryptoXploit/Hashcat/archive/refs/heads/main.zip

Program Run (Windows)

Extract the folder to a directory. You can see there is a Test Wallets folder which contains our test wallets. The wallet hashes are in hash.txt and wallethashbtc.txt (Bitcoin Core wallet.dat: the wallet1.dat hash and the wallet1-5 multi-wallet hash files) and in wallethashelectrum.txt (Electrum test wallet hash).

Let's start the tool. First we will try to crack the wallet1.dat hash.

Options

You can check the help file and options using:
C:\Python27\hashcat-win-6.2.6>hashcat.exe -h

The interesting things for us to know are:
-m switch for the hash-type mode
These are the cryptocurrency wallet related hash-type modes:
29600 | Terra Station Wallet (AES256-CBC(PBKDF2($pass))) | Cryptocurrency Wallet
26600 | MetaMask Wallet | Cryptocurrency Wallet
21000 | BitShares v0.x - sha512(sha512_bin(pass)) | Cryptocurrency Wallet
28501 | Bitcoin WIF private key (P2PKH), compressed | Cryptocurrency Wallet
28502 | Bitcoin WIF private key (P2PKH), uncompressed | Cryptocurrency Wallet
28503 | Bitcoin WIF private key (P2WPKH, Bech32), compressed | Cryptocurrency Wallet
28504 | Bitcoin WIF private key (P2WPKH, Bech32), uncompressed | Cryptocurrency Wallet
28505 | Bitcoin WIF private key (P2SH(P2WPKH)), compressed | Cryptocurrency Wallet
28506 | Bitcoin WIF private key (P2SH(P2WPKH)), uncompressed | Cryptocurrency Wallet
11300 | Bitcoin/Litecoin wallet.dat | Cryptocurrency Wallet
16600 | Electrum Wallet (Salt-Type 1-3) | Cryptocurrency Wallet
21700 | Electrum Wallet (Salt-Type 4) | Cryptocurrency Wallet
21800 | Electrum Wallet (Salt-Type 5) | Cryptocurrency Wallet
12700 | Blockchain, My Wallet | Cryptocurrency Wallet
15200 | Blockchain, My Wallet, V2 | Cryptocurrency Wallet
18800 | Blockchain, My Wallet, Second Password (SHA256) | Cryptocurrency Wallet
25500 | Stargazer Stellar Wallet XLM | Cryptocurrency Wallet
16300 | Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256 | Cryptocurrency Wallet
15600 | Ethereum Wallet, PBKDF2-HMAC-SHA256 | Cryptocurrency Wallet
15700 | Ethereum Wallet, SCRYPT | Cryptocurrency Wallet
22500 | MultiBit Classic .key (MD5) | Cryptocurrency Wallet
27700 | MultiBit Classic .wallet (scrypt) | Cryptocurrency Wallet
22700 | MultiBit HD (scrypt) | Cryptocurrency Wallet
28200 | Exodus Desktop Wallet (scrypt) | Cryptocurrency Wallet
-a attack mode
There are several attack modes:
- [ Attack Modes ] -

# | Mode
===+======
0 | Straight
1 | Combination
3 | Brute-force
6 | Hybrid Wordlist + Mask
7 | Hybrid Mask + Wordlist
9 | Association

Character sets for brute force
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz [a-z]
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ [A-Z]
d | 0123456789 [0-9]
h | 0123456789abcdef [0-9a-f]
H | 0123456789ABCDEF [0-9A-F]
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff

-D OpenCL device types. You can use CPU+GPU, a single GPU or multiple GPUs. Choose which device type you want to use: 1 is for CPU, 2 is for GPU, 3 is for FPGA, DSP, Co-Processor.
-w workload profile. You can choose workload profiles 1-4, where 1 is low, 2 is default, 3 is high and 4 is nightmare. They differ in runtime, power consumption and desktop impact; see the help.
-o outfile where the recovered hash is written.

Remember that hashcat reads hashes from a file, whether it holds a single hash or multiple hashes, so we need to supply a hash file.
We will be testing 2 attack modes: brute force and dictionary-based attack.

Hashcat Single Hash Bruteforce Mode

Let's test brute force first:

C:\Python27\hashcat-win-6.2.6>hashcat.exe -m 11300 -a 3 hash.txt ?s?l?l?let -D 2 -w 3 -o FOUND.txt
Here the mask uses ?s for a special character, ?l for lowercase characters and, at the end, the known partial password “et”.

We can see that the key was cracked within seconds. The tool created the file FOUND.txt, and on opening it we can see the cracked hash.

Hashcat Multiple Hashes Bruteforce Mode

Now let's test brute force on 4 different hashes:
C:\Python27\hashcat-win-6.2.6>hashcat.exe -m 11300 -a 3 wallethashbtc.txt -1 ?l?u ?1?l?l?s -S -D 2 -w 3 -o FOUND.txt

The interesting thing in this command is the -1 parameter, which defines a custom charset. Here we are looking for the passphrase “Pas$”. To treat it as completely unknown whether it is “Pas$” or “pas$”, the first position has to be checked against both UPPERCASE and LOWERCASE letters, so we need to check a total of 4640064 combinations for 4 chars. Using the -1 parameter we defined a charset containing both LOWERCASE and UPPERCASE, and then referenced it as ?1 in the first position of the mask.

We can see that it recovered the hash even before 64%. Check FOUND.txt.

Hashcat Single Hash Dictionary Mode

Our next test is a dictionary attack. The wallet password behind the hash is a word chosen from a dictionary, so we supply a dictionary, e.g. rockyou.txt.
C:\Python27\hashcat-win-6.2.6>hashcat.exe -m 11300 -a 0 wallethashbtc.txt rockyou.txt -D 2 -w 3 -o found.txt
Here the attack mode changes to -a 0, which is the dictionary attack.

We can see that the dictionary has 667408 words in total, and in less than 83% it recovered two of the hashes. Check FOUND.txt.

Hashcat Single Hash Electrum Mode

Our last test is based on an Electrum wallet. Remember that there are 5 salt types for Electrum wallets. Also remember that when you extract the Electrum hash using electrum2john, you must remove “electrum_wallet:” from the start of the hash, or else hashcat will throw a signature mismatch error.
16600 | Electrum Wallet (Salt-Type 1-3)
21700 | Electrum Wallet (Salt-Type 4)
21800 | Electrum Wallet (Salt-Type 5)
Our wallethashelectrum.txt contains $electrum$4, which means salt-type 4, so we have to use -m mode 21700.
Let's run the command:
C:\Python27\hashcat-win-6.2.6>hashcat.exe -m 21700 -a 3 wallethashelectrum.txt ?s?l?l?l?lT?d -S -D 2 -w 3 -o FOUND.txt
The mask searches special, lower, lower, lower, lower, T, decimal.

We can see that it generated 150802080 combinations and cracked the hash in some seconds, in less than 0.13%. Let's check FOUND.txt for the recovered password. At the end of the file there is “$ecreT1”. It is the recovered password.
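
The candidate counts quoted for the masks in the brute-force and Electrum tests can be reproduced by multiplying the charset sizes position by position, including the -1 custom charset. The Python below is an added example, not part of the original post or of hashcat; the function names are hypothetical, and reading 4640064 as the ?1?l?l?s keyspace (1160016) counted once for each of the four salted hashes in wallethashbtc.txt is an assumption.

```python
import math
import string

# Built-in charsets from the table above; ?s also contains the space character.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " " + string.punctuation,
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def expand(spec, custom=None):
    """Return one set of characters per position described by `spec`.

    `custom` maps "1".."4" to a charset definition such as "?l?u" (the -1 option).
    """
    custom = custom or {}
    positions, i = [], 0
    while i < len(spec):
        if spec[i] != "?":                 # literal character, e.g. the "et" suffix
            positions.append({spec[i]})
            i += 1
            continue
        key = spec[i + 1:i + 2]            # empty string if the mask ends in "?"
        if key == "?":                     # "??" is a literal question mark
            positions.append({"?"})
        elif key == "b":                   # all 256 byte values
            positions.append(set(range(256)))
        elif key in BUILTIN:
            positions.append(set(BUILTIN[key]))
        elif key in custom:                # union of every charset the definition names
            positions.append(set().union(*expand(custom[key])))
        else:
            raise ValueError(f"unknown or incomplete charset ?{key}")
        i += 2
    return positions


def keyspace(mask, custom=None):
    """Number of candidates the mask generates for a single hash."""
    return math.prod(len(chars) for chars in expand(mask, custom))


if __name__ == "__main__":
    for mask, custom in [("?s?l?l?let", None), ("?1?l?l?s", {"1": "?l?u"}),
                         ("?s?l?l?l?lT?d", None)]:
        print(mask, keyspace(mask, custom))
```

Every literal or known position in a mask contributes a factor of 1, which is why the partially known test passwords above fall to a GPU so quickly.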
