What is Hashcat?
Hashcat is the world's fastest password recovery engine, based on GPU processing. Unlike other tools that use the processor (CPU), Hashcat leverages the thousands of cores in a GPU to test millions of combinations per second. In Bug Bounty, it is used to validate the impact of Information Disclosure (e.g., access to databases, backups, or .env files).
Why is it necessary?
- Speed: Cracks simple algorithms (MD5, SHA1) at speeds of Gigahashes per second.
- Versatility: Supports over 300 hash types (MD5, BCrypt, WPA2, MS Office files, etc.).
- Scalability: Allows highly customized attacks using rules and masks.
Installation and Configuration
Hashcat comes pre-installed on Kali Linux and Parrot OS, but to achieve maximum performance, proprietary drivers must be installed (NVIDIA/AMD) to enable OpenCL or CUDA.
Linux (Debian/Ubuntu)
sudo apt update
sudo apt install hashcat -y
Hardware Verification
It is vital to check that Hashcat detects your GPU; otherwise, it will use the CPU and be extremely slow:
hashcat -I
Basic Mode (Walkthrough)
To crack a hash, you need three things: the hash, the algorithm type, and a wordlist.
Basic Syntax
hashcat -m [Algorithm_ID] -a [Attack_Type] [Hash_File] [Wordlist]
Real example (MD5): If you have an MD5 hash in hash.txt and want to use the famous rockyou.txt wordlist:
hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Essential Parameters
Attack Strategies for Quick Bounties
1. "Smart" Wordlists + Rules
Don't waste time with pure rockyou.txt. Employees often use the company name + the year.
# Applying the 'OneRuleToRuleThemAll' rule to mutate passwords based on the target name
hashcat -m 0 hash.txt -a 0 company_names.txt -r /usr/share/hashcat/rules/OneRuleToRuleThemAll.rule
2. The Power of Rules (Mental Pipelining)
In Bug Bounty, users often use variations of common passwords. Instead of a giant wordlist, use a small one and apply rules. The best64.rule applies common mutations (initial capital, adding "123" at the end, etc.).
hashcat -m 0 -a 0 hash.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
3. Hardware Optimization Mode
To keep your hunting laptop from exploding:
- -w 1: Low (you can continue browsing).
- -w 3: High (dedicates almost all GPU to cracking).
- -O: Optimizes kernels (indispensable for gaining speed).
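To show what strategies 1 and 2 above actually do, here is an added Python example (not code from this article or from the hashcat project): a toy engine for a handful of hashcat rule functions (`:`, `l`, `u`, `c`, `t`, `r`, `d`, `$X`, `^X`) run over a constructed two-word "company" wordlist against constructed MD5 hashes of test passwords. It goes one step beyond the text by generating the "company name + year" pattern as rule lines instead of hand-writing them. The wordlist, rule list, test passwords and hashes are all constructed in the block; the defender's point is that a password built from a public word plus a predictable suffix falls within 30 candidates, whatever the hash rate.

```python
import hashlib


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line written in hashcat's rule syntax to a word.
    Only a small subset of hashcat's rule functions is implemented here
    (the ones this example needs); functions may be space-separated."""
    out, i = word, 0
    while i < len(rule):
        fn = rule[i]
        if fn == " " or fn == ":":
            pass                       # separator / no-op: keep the word as-is
        elif fn == "l":
            out = out.lower()
        elif fn == "u":
            out = out.upper()
        elif fn == "c":                # capitalize first letter, lowercase rest
            out = out[:1].upper() + out[1:].lower()
        elif fn == "t":
            out = out.swapcase()
        elif fn == "r":
            out = out[::-1]
        elif fn == "d":
            out = out + out
        elif fn in "$^":               # $X appends X, ^X prepends X
            i += 1
            if i == len(rule):
                raise ValueError(f"{rule!r}: {fn} needs a character")
            out = out + rule[i] if fn == "$" else rule[i] + out
        else:
            raise ValueError(f"unsupported rule function {fn!r} in {rule!r}")
        i += 1
    return out


def year_rules(first: int, last: int, prefix: str = "c"):
    """Build 'capitalize + append year' rules, e.g. 'c $2 $0 $2 $4'."""
    return [" ".join([prefix] + [f"${ch}" for ch in str(y)])
            for y in range(first, last + 1)]


def crack(hash_lines, wordlist, rules, algo="md5"):
    """Dictionary attack (-a 0) with rules (-r): every word x every rule.
    Returns ({hash: plaintext}, number_of_candidates_tried)."""
    targets = {h.strip().lower() for h in hash_lines if h.strip()}
    found, tried = {}, 0
    for word in wordlist:
        for rule in rules:
            candidate = apply_rule(word, rule)
            tried += 1
            digest = hashlib.new(algo, candidate.encode()).hexdigest()
            if digest in targets and digest not in found:
                found[digest] = candidate
    return found, tried


# Constructed demo data: a two-word "company" wordlist, rule lines in hashcat
# syntax (a few of the patterns best64.rule contains plus generated year
# rules) and MD5 hashes of test passwords standing in for hash.txt.
COMPANY_WORDS = ["acme", "acmecorp"]
RULES = [":", "l", "u", "c", "r", "d", "$!", "c $!", "c $1 $2 $3"] + year_rules(2020, 2025)
TEST_PASSWORDS = ["Acme2024", "Acmecorp!", "ACME", "Acme-2024"]  # last one is out of reach
HASH_FILE = [hashlib.md5(p.encode()).hexdigest() for p in TEST_PASSWORDS]


def demo():
    """Run the constructed wordlist x rules against the constructed hashes."""
    return crack(HASH_FILE, COMPANY_WORDS, RULES)


if __name__ == "__main__":
    found, tried = demo()
    print(f"{tried} candidates, {len(found)}/{len(HASH_FILE)} cracked")
    for digest, plain in found.items():
        print(f"{digest}:{plain}")
```

Run as a script it prints the recovered pairs as `hash:plaintext`, the same shape hashcat writes to its potfile. The real `-r` engine supports many more functions and runs the mutations on the GPU; this block only reproduces the semantics, so you can reason about which of your own users' passwords a rule file reaches.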
Quick Mode Reference
| Target | Mode (-m) | Discovery Context |
| ----------------- | ------------ | ------------------------------- |
| Bcrypt / Django | 3200 / 10000 | Modern databases (Web Apps). |
| JWT (HMAC-SHA256) | 16500 | Misconfigured session tokens. |
| WPA2 | 22000 | Physical/WiFi security testing. |
| MSSQL 2012+ | 17300 | Exposed internal DBs. |
| VNC | 3000 | Misconfigured remote access. |
Real Exploitation Scenarios
- Leaked Git Config: You find an old commit with an admin hash. You use Hashcat to obtain the plain password and achieve an Account Takeover (ATO).
- Insecure Direct Object Reference (IDOR): You download another user's backup containing their password hash. By cracking it, you demonstrate critical impact to the triager.
- JWT Secret Brute Force: If a JSON Web Token secret is weak, Hashcat can find it in seconds, allowing you to forge tokens for any user.
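A check worth running before picking a `-m` value from the Quick Mode Reference above, as an added Python example (not the article's or hashcat's code): it guesses candidate hashcat modes from a hash line's format, using the modes the table lists plus the raw MD5/SHA1/SHA-256 modes from the walkthrough, flags `user:hash` lines that need hashcat's `--username` switch, and sorts a hash file into lines the chosen mode will accept versus lines hashcat would reject. A 32-hex line is reported as ambiguous (MD5, NTLM or MD4). The sample hash file is constructed in the block (two MD5s computed inline, a bcrypt-format string, a constructed HS256 token and a junk line). The JWT check also covers the third scenario above: only HMAC (`HS*`) tokens have a secret for mode 16500 to recover, so a token signed with an asymmetric algorithm is not a candidate.

```python
import base64
import hashlib
import json
import re


def _hex(n: int):
    """Matcher for a line of exactly n hex characters."""
    return re.compile(rf"^[0-9a-f]{{{n}}}$", re.IGNORECASE).match


def _is_jwt(s: str) -> bool:
    """hashcat -m 16500 takes the whole header.payload.signature token; only
    HMAC (HS*) algorithms have a shared secret to recover, so anything else
    (e.g. RS256) is reported as not a candidate."""
    parts = s.split(".")
    if len(parts) != 3:
        return False
    try:
        raw = base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4))
        header = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(header, dict) and str(header.get("alg", "")).startswith("HS")


# (label, matcher, candidate -m values): the modes from the table above plus
# the raw MD5/SHA1/SHA-256 modes; the bcrypt/Django/WPA patterns are format
# checks written for this example.
FORMATS = [
    ("bcrypt", re.compile(r"^\$2[abxy]?\$\d{2}\$[./A-Za-z0-9]{53}$").match, [3200]),
    ("Django PBKDF2-SHA256",
     re.compile(r"^pbkdf2_sha256\$\d+\$[^$]+\$[A-Za-z0-9+/=]+$").match, [10000]),
    ("JWT (HS256/384/512)", _is_jwt, [16500]),
    ("WPA (22000 hash line)", re.compile(r"^WPA\*0[12]\*").match, [22000]),
    ("raw 32 hex: MD5, NTLM or MD4 (ambiguous)", _hex(32), [0, 1000, 900]),
    ("raw 40 hex: SHA1", _hex(40), [100]),
    ("raw 64 hex: SHA2-256", _hex(64), [1400]),
]


def guess_modes(line: str):
    """Return [(label, [modes]), ...] for every format the line matches."""
    s = line.strip()
    return [(label, modes) for label, match, modes in FORMATS if match(s)]


def check_hash_file(lines, mode: int):
    """Sort a hash file's lines before running `hashcat -m <mode>` on it:
    hashcat aborts on a line it cannot parse for the chosen mode."""
    report = {"ok": [], "wrong_mode": [], "needs_username": [], "unknown": []}
    for line in lines:
        s = line.strip()
        if not s:
            continue
        guesses = guess_modes(s)
        if not guesses and ":" in s:
            # 'user:hash' dumps are accepted only with hashcat's --username switch
            if guess_modes(s.split(":", 1)[1]):
                report["needs_username"].append(s)
                continue
        if not guesses:
            report["unknown"].append(s)
        elif any(mode in modes for _, modes in guesses):
            report["ok"].append(s)
        else:
            report["wrong_mode"].append(s)
    return report


def _demo_jwt() -> str:
    """Constructed HS256-style token; the signature is a placeholder string."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'HS256', 'typ': 'JWT'})}.{b64({'sub': 'demo'})}.c2lnbmF0dXJl"


DEMO_JWT = _demo_jwt()

# Constructed stand-in for hash.txt: two MD5s computed here, one bcrypt-format
# string (illustrative only), the constructed JWT and one junk line.
SAMPLE_HASH_FILE = [
    hashlib.md5(b"Acme2024").hexdigest(),
    "admin:" + hashlib.md5(b"changeme").hexdigest(),
    "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    DEMO_JWT,
    "not-a-hash",
]

if __name__ == "__main__":
    for line in SAMPLE_HASH_FILE:
        print(line[:40], "->", guess_modes(line) or "no match")
    print(check_hash_file(SAMPLE_HASH_FILE, mode=0))
```

For an ambiguous 32-hex line the function returns several candidate modes on purpose: where the hash came from (the table's "Discovery Context" column) decides which one to try first, and a wrong guess costs a full run.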
Scope Limitation: Many programs prohibit cracking hashes of other real users. Always read the program rules. If you find a hash, report it as "Information Disclosure" and ask if you can attempt to crack it to demonstrate "Account Takeover" impact.
Support Me ☕
If you found this useful, I would appreciate it if you would follow me and support the content.