hashcat_utils [hashcat wiki] [Link]

id=hashcat_utils

▪ hashcat
▪ Forums
▪ Wiki
▪ Tools
▪ Events

hashcat-utils

Description

Hashcat-utils are a set of small utilities that are useful in advanced password cracking.

They all are packed into multiple stand-alone binaries.

All of these utils are designed to execute only one specific function.

Since they all work with STDIN and STDOUT you can group them into chains.

hashcat-utils is released [[Link] as open source software under the MIT [[Link]
hashcat/hashcat-utils/blob/master/LICENSE] license.

Current Version

The current version is 1.9.

Download

The programs are available for Linux and Windows on both 32-bit and 64-bit architectures, as well as .app binaries for 64-
bit OSX/macOS. The project is released as MIT-licensed open source software.

hashcat-utils does not have a dedicated homepage, but this download link always has the latest release:

▪ hashcat-utils [[Link]

List of Utilities

Each of them is described in detail in the following sections.

cap2hccapx

Tool used to generate .hccapx files from network capture files (.cap or .pcap) to crack WPA/WPA2 authentications. The
.hccapx files are used as input by the hash type -m 2500 = WPA/WPA2.

The additional options allow you to specify a network name (ESSID) to filter out unwanted networks and to give
cap2hccapx a hint about the name of a network (ESSID) and MAC address of the access point (BSSID) if no beacon was
captured.

Syntax:

$ ./[Link]
usage: ./[Link] [Link] [Link] [filter by essid] [additional network essid:bssid]

cleanup-rules

1 sur 15 11/06/25 14:29

hashcat_utils [hashcat wiki] [Link]

Strips rules from STDIN that are not compatible with a specified platform.

Syntax:

usage: ./[Link] mode

… where mode is 1 = CPU, 2 = GPU.

Example ('<' is a rules directive that only works with legacy CPU hashcat):

$ cat [Link]
l
<3

$ cleanup-rules 1 < [Link]

l
<3

$ cleanup-rules 2 < [Link]

l

combinator

Syntax:

$ ./[Link]
usage: ./[Link] file1 file2

This program is a stand-alone implementation of the Combinator Attack.

Each word from file2 is appended to each word from file1 and then printed to STDOUT.

Since the program is required to rewind the files multiple times it cannot work with STDIN and requires real files.

Another option would be to store all the content from both files in memory. However in hash-cracking we usually work with
huge files, resulting in a requirement that the size of the files we use does matter.

$ cat [Link]
nes
tor

$ combinator [Link] [Link]

nesnes
nestor
tornes
tortor

See Combinator Attack for more examples.

combinator3

Like combinator, but accepts three files as input, producing the combination of all three lists as output.

$ cat [Link]
nes
tor

$ combinator3 [Link] [Link] [Link]

nesnesnes
nesnestor
nestornes
nestortor
tornesnes
tornestor
tortornes
tortortor

2 sur 15 11/06/25 14:29

hashcat_utils [hashcat wiki] [Link]

combinatorX

An expanded combinator tool that can combine up to eight elements, with custom separators between each element, and
with session / restore support and other useful flags.

Note that combinatorX cannot use the same direct file on disk for more than two lists. This is due to how the files are read
from disk at a low level. A workaround for this is to copy the lists to separate files.

Simple example:

$ cat [Link]
the
quick

$ cat [Link]
brown
fox

$ cat [Link]
jumped
over

$ combinatorX -1 [Link] -2 [Link] -3 [Link]

thebrownjumped
thebrownover
thefoxjumped
thefoxover
quickbrownjumped
quickbrownover
quickfoxjumped
quickfoxover

combipow

Produces all “unique combinations” from a short list of inputs.

$ cat wordlist
a
b
c
XYZ
123

$ combipow wordlist
a
b
ab
c
ac
bc
abc
XYZ
aXYZ
bXYZ
abXYZ
cXYZ
acXYZ
bcXYZ
abcXYZ
123
a123
b123
ab123
c123
ac123
bc123
abc123
XYZ123
aXYZ123
bXYZ123
abXYZ123
cXYZ123
acXYZ123
bcXYZ123
abcXYZ123

3 sur 15 11/06/25 14:29

hashcat_utils [hashcat wiki] [Link]

cpu_rules

TBD

ct3_to_ntlm

Syntax:

usage: ./ct3_to_ntlm.bin 8-byte-ct3-in-hex 8-byte-salt-in-hex [24-byte-ESS-in-hex]

There are two different versions for NetNTLMv1 - one with ESS, and one without.

If you don't have an ESS:

NETNTLM_bs_fmt_plug.c: {"$NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233", "cory21"},

You can use it like this:

./ct3_to_ntlm.bin C4A70D3BEBD70233 1122334455667788

51ad

If you have ESS:

./ct3_to_ntlm.bin 7D01513435B36DCA 1122334455667788

1FA1B9C4ED8E570200000000000000000000000000000000
34d5

Forum discussion here [[Link]

cutb

This program (new in hashcat-utils-0.6) is designed to cut up a wordlist (read from STDIN) to be used in Combinator attack.
Suppose you notice that passwords in a particular dump tend to have a common padding length at the beginning or end of
the plaintext, this program will cut the specific prefix or suffix length off the existing words in a list and pass it to STDOUT.

Syntax:

$ ./[Link]
usage: ./[Link] offset [length] < infile > outfile

Example wordlist file:

$ cat wordlist
apple1234
theman
fastcars

Example positive offset and fixed length (first 4 characters):

$ ./[Link] 0 4 < wordlist

appl
them
fast

Example positive offset, no length (returns remaining characters in string):

$ ./[Link] 4 < wordlist

e1234
an
cars

Example negative offset (last 4 characters in string):

4 sur 15 11/06/25 14:29

hashcat_utils [hashcat wiki] [Link]

$ ./[Link] -4 < wordlist

1234
eman
cars

Example negative offset, fixed length:

$ ./[Link] -5 3 < wordlist

e12
hem
tca

Suggested uses:

1. Combinator attack (-a 1)

2. Hybrid attack (-a 6 or -a 7)

Remember to run sort -u on the output before using it in an attack!

deskey_to_ntlm

TBD

Syntax:

usage: ./deskey_to_ntlm.pl 8-byte-key-in-hex

Forum announcement and discussion here [[Link]

expander

This program has no parameters to configure.

Each word going into STDIN is parsed and split into all its single chars, mutated and reconstructed and then sent to
STDOUT.

There are a couple of reconstructions generating all possible patterns of the input word by applying the following iterations:

▪ All possible lengths of the patterns within a maximum of 4 (defined in LEN_MAX macro, which you can increase in
the source).
▪ All possible offsets of the word.
▪ Shifting the word to the right until a full cycle.
▪ Shifting the word to the left until a full cycle.

Important: make sure you unique the output afterwards.

Example:

$ echo pass1 | ./[Link] | sort -u

1
1p
1pas
a
as
ass
ass1
p
pa
pas
pass
s
s1
s1p
s1pa
ss
ss1
ss1p

5 sur 15 11/06/25 14:29

hashcat_utils [hashcat wiki] [Link]

This program is the heart of the Fingerprint Attack.

export_potfile

Attempt to extract plaintexts from potfile records containing mixed hash types. Operates on stdin. Assumes last colon-
separated string is the plaintext and that any plaintexts containing colons are HEX-encoded.

gate

Each wordlist going into STDIN is parsed and split into equal sections and then passed to STDOUT based on the amount
you specify. The reason for splitting is to distribute the workload that gets generated.

For example if you have an i7 CPU and want to use your dictionary with a program that is unable to handle multiple cores,
you can use gate to split your dictionary into multiple smaller pieces and then run that program in multiple instances.

Syntax:

$ ./[Link]
usage: ./[Link] mod offset < infile > outfile

The two important parameters are “mod” and “offset”.

▪ The mod value is the number of times you want to split your dictionary.
▪ The offset value is which section of the split is getting that feed.

Here is an example input dictionary:

$ cat numbers
1
2
3
4
5
6
7
8
9
10
11
12
13
14

We want to split a dictionary into two equal dictionaries:

$ ./[Link] 2 1 < numbers

2
4
6
8
10
12
14

$ ./[Link] 2 0 < numbers

1
3
5
7
9
11
13

generate-rules

Stand-alone utility to generate random rules.

6 sur 15 11/06/25 14:29

hashcat_utils [hashcat wiki] [Link]

Usage: ./[Link] number [seed]

This command generates 10 random rules, using “42” as a seed:

./[Link] 10 42
$ $} z3
*61 t
l
o2*
L2
*6B *98 D1
x0A f x32
s^L
s[5 s'#
swU }

hcstatgen

A tool used to generate .hcstat files for use with older hashcat's –markov-hcstat parameter, and with the
statsprocessor.

NOTE: The output generated by hcstatgen is no longer supported by current hashcat and does not support longer
passwords (up to length 256). Use hcstat2gen instead.

Syntax:

usage: ./[Link] [Link] < infile

Nothing much else to say here. Each outfile will be exactly 32.1MB in size.

See also hcstat2gen.

hcstat2gen

A tool for generating custom Markov statistics, for use (after LZMA compression) with hashcat's --markov-hcstat
(soon to be --markov-hcstat2) parameter.

hcstat2gen is like its predecessor hcstatgen, but updated [[Link]

c59432a760852bcfbda50a5790d5cb8976d3fce2] in sync with hashcat 4.0 to support a maximum password length up to 256
(and also added a filetype header).

To conserve space, hashcat now expects hcstat2 files to be compressed as LZMA. If the file is not compressed, you will
see a “Could not uncompress data” error.

Syntax:

usage: ./[Link] outfile < dictionary

Common usage example:

./[Link] hcstat2_output_raw.bin </path/to/[Link]

lzma --compress --format=raw --stdout -9e hcstat2_output_raw.bin > output.hcstat2

If your lzma does not support –stdout, try:

lzma --compress --format=raw hcstat2_output_raw.bin --suffix=hcstat2

Each raw outfile should be about 132MB in size (with variable size after compression).

Note that this newer format is not yet supported by statsprocessor.

See also hcstatgen.

7 sur 15 11/06/25 14:29

hashcat_utils [hashcat wiki] [Link]

keyspace

Calculates keyspace in a hashcat-aware manner.

./[Link], keyspace utility for hashcat

Usage: ./[Link] [options] mask

=======
Options
=======

-m, --hash-type=NUM Hash-type

--hex-charset Assume charset is given in hex
--markov-hcstat=FILE Specify hcstat file to use, default is [Link]
-t, --markov-threshold=NUM Threshold for markov-chains
-1, --custom-charset1=CS User-defined charsets
-2, --custom-charset2=CS Examples:
-3, --custom-charset3=CS --custom-charset3=?dabcdef : sets charset ?3 to 0123456789abcdef
-4, --custom-charset4=CS --custom-charset4=?l?u : sets charset ?4 to all lower and upper case letters
-h, --help Print help

len

Each word going into STDIN is parsed for its length and passed to STDOUT if it matches a specified word-length range.

Syntax:

usage: ./[Link] min max < infile > outfile

Here is an example input dictionary:

$ cat dict
1
123
test
pass
hello
world

We want only these words that have the length 2, 3 or 4:

$ ./[Link] 2 4 < dict

123
test
pass

mli2

Merges two lists.

Like rli2, the two lists must be sorted (in LC_ALL=C order).

Syntax:

Usage: ./[Link] infile mergefile

Example:

$ cat [Link]
123
1234
999
aceofspades
cards
password
veryfast

$ cat [Link]

8 sur 15 11/06/25 14:29

hashcat_utils [hashcat wiki] [Link]

123
1234
999
extra

$ mli2 [Link] [Link]

123
1234
999
aceofspades
cards
extra
password
veryfast

If you use mli2 on unsorted lists, you will get unmerged results.

If you use mli2 on sorted but non-uniq'd lists, you will get sorted but non-uniq'd results.

morph

Basically morph generates insertion rules for the most frequent chains of characters from the dictionary that you provide
and that, per position.

Syntax:

usage: ./[Link] dictionary depth width pos_min pos_max

- Dictionary = Wordlist used for frequency analysis.

- Depth = Determines what “top” chains that you want. For example 10 would give you the top 10 (in fact, it seems to start
with value 0 so that 10 would give the top 11).

- Width = Max length of the chain. With 3 for example, you will get up to 3 rules per line for the most frequent 3 letter
chains.

- pos_min = Minimum position where the insertion rule will be generated. For example 5 would mean that it will make rule
to insert the string only from position 5 and up.

-pos_max = Maximum position where the insertion rule will be generated. For example 10 would mean that it will make rule
to insert the string so that it's end finishes at a maximum of position 10.

permute

This program is a stand-alone implementation of the Permutation Attack.

It has no parameters to configure.

Each word going into STDIN is parsed and run through “The Countdown QuickPerm Algorithm” by Phillip Paul Fuchs (see:
[Link] [[Link] (Internet Archive [[Link]
[Link]/])

See Permutation Attack for examples.

permute_exist

TBD

Syntax:

Usage: ./permute_exist.bin word < infile > outfile

prepare

9 sur 15 11/06/25 14:29

hashcat_utils [hashcat wiki] [Link]

This program is made as an dictionary optimizer for the Permutation Attack.

Due to the nature of the permutation algorithm itself, the input words “BCA” and “CAB” would produce exactly the same
password candidates.

$ echo BCA | ./[Link]

BCA
CBA
ABC
BAC
CAB
ACB

$ echo CAB | ./[Link]

CAB
ACB
BCA
CBA
ABC
BAC

The best way to sort out these “dupes” is to reconstruct the input word reordered by the ASCII value of each char of the
word:

Input:

1. B ⇒ 0x42
2. C ⇒ 0x43
3. A ⇒ 0x41

Output: ABC

Input:

1. C ⇒ 0x43
2. A ⇒ 0x41
3. B ⇒ 0x42

Output: ABC

Now we can safely sort -u afterwards:

$ wc -l [Link]
14344391 [Link]

$ ./[Link] < [Link] | sort -u > [Link]

$ wc -l [Link]
9375751 [Link]

Sorted out 4968640 words (34.6%) which would produce dupes in permutation attack.

remaining

Syntax:

use: ./[Link] wordlist_base.txt wordlist_search.txt

This program takes 2 wordlists:

▪ A wordlist (search): Each word is matched against the other wordlist. Don't make this too big, it's cached in
memory.
▪ A wordlist (base): Prints what remains after above word was “subtracted”. This is something like [Link] or
better

There's high chances to create duplicates, you need to sort -u the result yourself.

10 sur 15 11/06/25 14:29

hashcat_utils [hashcat wiki] [Link]

Result is ideal for using in -a 1 combinator attack mode. You may want to do two attacks:

▪ one for having the result on the left

▪ one for having the result on the right

Example:

Content wordlist (base):

isajack3935
jackysch_5131
HBjackas5
mom1jackhopes

Content wordlist (search):

jack
jacky

… produces candidates:

isa
3935
ysch_5131
HB
as5
mom1
hopes
sch_5131

req

req has been replaced by req-include and req-exclude, below.

req-exclude

Like req-include, but it excludes words that match specific criteria.

req-include

Each word going into STDIN is parsed and passed to STDOUT if it matches an specified password group criteria.

Sometimes you know that some password must include a lower-case char, a upper-case char and a digit to pass a specific
password policy.

That means checking passwords that do not match this policy will definitely not result in a cracked password. So we should
skip it.

This program is not very complex and it cannot fully match all the common password policy criteria, but it does provide a
little help.

The following password groups are defined:

Name Item Chars

LOWER 1 abcdefghijklmnoprstuvwxyz

UPPER 2 ABCDEFGHIJKLMNOPRSTUVWXYZ

DIGIT 4 0123465789

SYMBOL 8 0x20 to 0x7e NOT IN lower, upper, digit

OTHER 16 All others, not matching the above

To configure a password group out of the single entries you just add the item numbers of all the single entries together.

11 sur 15 11/06/25 14:29

hashcat_utils [hashcat wiki] [Link]

For example if you want to pass to STDOUT only the words that match at least one lower and at least one digit, you would
just lookup the table and search for “lower”, which is “1” and then “digit”, which is “4” and add them together so it makes “5”.

$ echo hello | ./[Link] 5

$ echo hello1 | ./[Link] 5
hello1
$ echo Hello1 | ./[Link] 5
Hello1

rli

rli compares a single file against another file(s) and removes all duplicates:

rli
usage: rli infile outfile removefiles...

Let's say we have two files [Link]:

password
123
cards
999
aceofspades
1234
veryfast

And [Link]:

123
999
1234

If we run the following command:

rli [Link] OUT_FiLE.txt [Link]

OUT_FiLE.txt will have:

password
cards
aceofspades
veryfast

It also supports multiple files: [Link] has “password” in it, we run:

rli [Link] OUT_FiLE.txt [Link] [Link]

OUT_FiLE.txt:

cards
aceofspades
veryfast

rli can be very useful to clean your dicts and to have one unique set of dictionaries.

But the dictionary size cannot exceed host memory size. Read rli2 below for large files.

rli2

Unlike rli, rli2 is not limited. But it requires infile and removefile to be sorted (in LC_ALL=C order) and uniqued
before, otherwise it won't work as it should.

For example using [Link] and [Link] files from above, if we run:

12 sur 15 11/06/25 14:29

hashcat_utils [hashcat wiki] [Link]

rli2 [Link] [Link]

This will output:

password
123
cards
999
aceofspades
1234
veryfast

No change. But if we sort and unique [Link] and [Link] as:

sort [Link] > [Link]

sort [Link] > [Link]

And running:

rli2 [Link] [Link]

Will do it accurately:

aceofspades
cards
password
veryfast

Note that rli2 can't do multiple files. And if you haven't already notice, rli2 outputs to STDOUT not a file. You can always
pipe to a file to work-around that.

rules_optimize

TBD

seprule

TBD

splitlen

This program is designed to be a dictionary optimizer for the now-deprecated oclHashcat.

Note: this optimization is no longer needed by modern hashcat.

oclHashcat has a very specific way of loading dictionaries, unlike CPU hashcat. The best way to organize your dictionaries
for use with oclHashcat is to sort each word in your dictionary by its length into specific files, into a specific directory, and
then to run oclHashcat in directory mode.

Syntax:

$ ./[Link]
usage: ./[Link] outdir < infile

All you need to do is to create a new directory, for example “ldicts”.

$ mkdir ldicts
$ ./[Link] ldicts < [Link]

Results in:

$ ls -l ldicts/
total 129460

13 sur 15 11/06/25 14:29

hashcat_utils [hashcat wiki] [Link]

-rw-r--r-- 1 root root 90 Oct 12 15:54 01

-rw-r--r-- 1 root root 1005 Oct 12 15:54 02
-rw-r--r-- 1 root root 9844 Oct 12 15:54 03
-rw-r--r-- 1 root root 89495 Oct 12 15:54 04
-rw-r--r-- 1 root root 1555014 Oct 12 15:54 05
-rw-r--r-- 1 root root 13634586 Oct 12 15:54 06
-rw-r--r-- 1 root root 20050168 Oct 12 15:54 07
-rw-r--r-- 1 root root 26694333 Oct 12 15:54 08
-rw-r--r-- 1 root root 21910390 Oct 12 15:54 09
-rw-r--r-- 1 root root 22150645 Oct 12 15:54 10
-rw-r--r-- 1 root root 10392420 Oct 12 15:54 11
-rw-r--r-- 1 root root 7219550 Oct 12 15:54 12
-rw-r--r-- 1 root root 5098436 Oct 12 15:54 13
-rw-r--r-- 1 root root 3727905 Oct 12 15:54 14
-rw-r--r-- 1 root root 0 Oct 12 15:54 15

NOTE: splitlen does not append, it overwrites the files in the outdir. Thats why you should use empty directories.

strip-bsn

Strips all \0 bytes from stdin.

strip-bsr

Strips all \r bytes from stdin.

tmesis

tmesis will take a wordlist and produce insertion rules that would insert each word of the wordlist to preset positions.

For example, the word ‘password’ will create insertion rules that would insert ‘password’ from position 0 to position F (15),
and will mutate the string ‘123456’ as follows:

password123456
1password23456
12password3456
123password456
1234password56
12345password6
123456password

Hints:

* Use tmesis to create rules to attack hashlists that came from the source. Run initial analysis on the cracked passwords,
collect the top 10-20 words that appear on the passwords, and use tmesis to generate rules from them.

* Use tmesis generated rules in combination with [Link].

* tmesis does not handle multibyte unicode characters as single characters, but rather as individual bytes. This means that
it can be used to insert multibyte characters as well.

tmesis-dynamic

Syntax:

Usage: ./[Link] substring [Link] [Link]

tmesis-dynamic will take 2 wordlists and produces a new one, using a user-defined substring as a “key”.

Each word of wordlist 1 which matches that user-defined substring substitutes that substring with each word of wordlist 2.

For example, these wordlists:

14 sur 15 11/06/25 14:29

hashcat_utils [hashcat wiki] [Link]

$ cat [Link]
isajack3935
jackysch_5131
HBjackas5
mom1jackhopes

$ cat [Link]
123456
password
jill
hashcat

… produce the following candidates when supplied with the key “jack”:

$ ./[Link] jack [Link] [Link]

isa1234563935
isapassword3935
isajill3935
isahashcat3935
123456ysch_5131
passwordysch_5131
jillysch_5131
hashcatysch_5131
HB123456as5
HBpasswordas5
HBjillas5
HBhashcatas5
mom1123456hopes
mom1passwordhopes
mom1jillhopes
mom1hashcathopes

topmorph

TBD

Syntax:

Usage: ./[Link] dictionary depth width pos_min pos_max

Limitations

Some programs from hashcat-utils have a minimum and maximum allowed word-length range (like in “len” example).

E.g. see splitlen.c:

#define LEN_MIN 1
#define LEN_MAX 64

You can change them and then recompile the hashcat-utils. However we usually do not need plain words of greater length
in password cracking.

Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain [http://
[Link]/licenses/publicdomain/]

15 sur 15 11/06/25 14:29