Watch out complex passwords, there's a new combinator tool in town.
Vavaldi just released Targinator, a feature-rich wordlist combinator that combines a wordlist with target hints in all possible positions, plus supports applying hashcat-style rules to either or both wordlists being combined.
https://forum.hashpwn.net/post/652
#hashcracking #combinator #hashcat #infosec #vavaldi #flagg #cyclone #hashpwn
Following my Security Fest talk yesterday I've released Hashcatalyst, a wrapper that helps automate non-distributed workflows by chaining multiple attacks with no downtime.
Well, this cracking attack is going to take 5.5 days on 2x 4090s.
🐈⬛ Hashcat – A Practical Guide to Password Auditing
Hashcat is a powerful GPU-accelerated password recovery tool used by security professionals to test the strength of passwords in authorized environments.
🧠 What Hashcat is used for:
• Auditing password hashes (e.g., from Windows, Linux, web apps)
• Testing password policies and complexity
• Identifying weak or reused credentials in simulated lab setups
🔐 Key Features:
• Supports a wide variety of hash types (MD5, SHA1, NTLM, bcrypt, etc.)
• Multiple attack modes: dictionary, brute-force, mask, hybrid, rule-based
• Highly customizable and efficient with GPU acceleration
• Works well for red teamers and defenders validating password hygiene
🎯 When to use it:
• During penetration tests (with permission)
• In password policy assessments
• For internal security audits and training exercises
Disclaimer: This guide is for educational and ethical use only. Only audit password hashes on systems you own or have explicit authorization to test.
#Hashcat #CyberSecurity #PasswordAuditing #EthicalHacking #InfoSec #EducationOnly #RedTeamTools #CredentialSecurity #GPUCracking #SecurityAssessment
Top #hashcat tip:
Want per-position duplication in your rules to leverage your GPU?
It's not available in a single op, but you can emulate it by incrementally duplicating the first N chars, and then incrementally deleting the position and frequency of the redundant characters
New version of #hashgen published.
Changelog:
v1.1.0; 2025-03-19
added modes: #base58, #argon2id, #bcrypt w/custom cost factor
https://forum.hashpwn.net/post/89
#hashgenerator #hashcracking #hashcat #hashpwn #cyclone #golang
So I want to make a script that generates a whole slew of generic NTLMv2 hashes for me to try to crack with Hashcat.
I'm doing NTLMv2 because it's actually relavent to my job right now and seems to be the only one I can't find a python script for.
Any recs for how I can do this?
Installing the official Nvidia CUDA-toolkit on linux distros can be a pain. Here's a script that automates this so you can get back to cracking hashes.
https://forum.hashpwn.net/post/451
#nvidia #cuda #cudatoolkit #hashpwn #hashcracking #cyclone #hashcat
After seeing yescrypt hashes appear in CMIYC a while back, I started developing a yescrypt cracker in pure Go. Since then, yescrypt has become the default /etc/shadow hash for many popular linux distros such as Debian, Ubuntu, RHEL, Fedora, and Arch (to name a few), but hash cracking support for this algo has been limited to JtR -- until now.
Here's a sneak peek of the yescrypt_cracker POC:
https://forum.hashpwn.net/post/446
#yescrypt #hashcracking #cyclone #hashpwn #hashcat #cmiyc #jtr #johntheripper #golang
Good breakdown from Elcomsoft on 5090 relevance to password cracking.
tl;dr better in theory, not yet in practice (perf/$). Not yet sure if driver or hashcat improvements could eventually take better advantage of new hardware features, though.
https://blog.elcomsoft.com/2025/02/nvidia-blackwell-is-out-should-you-upgrade/
The hashcat.net site is down -- side effect of maintenance by hosting provider. Being worked.
[Edit: back up a week later]
Current release (GitHub): https://github.com/hashcat/hashcat/releases/tag/v6.2.6
Convenience Wayback links:
Main page:
https://web.archive.org/web/20250211000850/hashcat.net/hashcat/
Rules:
https://web.archive.org/web/20250211234251/https://hashcat.net/wiki/doku.php?id=rule_based_attack
Example hashes :
https://web.archive.org/web/20250216060927/https://hashcat.net/wiki/doku.php?id=example_hashes
Recent beta:
https://web.archive.org/web/20250130114639/https://hashcat.net/beta/
Did you know that Gitea uses pbkdf2 hashes, but they have to be converted for hashcat to crack them?
Hashcat's own unix-ninja has written a tool for that!
https://www.unix-ninja.com/p/cracking_giteas_pbkdf2_password_hashes
Great coverage by Jan Doskočil of NSEC3 hash enumeration, and cracking with hashcat. Also good info about the limits of making that harder (some resolvers cap the work factor they will resolve!)
https://infosec.exchange/@jpmens@mastodon.social/114019491327504188
Via @jpmens
#sydbox 3.32.0 is released! We now officially support #GPU access for #ROCm and #nVIDIA! See the release mail here: https://is.gd/kN1rUt and here is a profile auto-generated by #pandora for #hashcat accessing an #nVIDIA #GPU using #cuda libraries: https://dpaste.com/6DQ97T2DM #exherbo #linux #security
Łamanie haseł szybsze o 35%. Wyniki najnowszej karty NVIDIA RTX 5090.
Właśnie pojawił się benchmark pokazujący szybkość najnowszego flagowca od NVIDII – RTX 5090 FE. Całość oczywiście w kontekście flagowego ;) narzędzia do odzyskiwania/łamania haseł – hashcata. Przykładowe porównania z RTX 4090: Zapewne jeszcze czekają nas aktualizacje sterowników, co wpłynie na szybkość działania hashcata. Czy te szybkości wpływają na obecne rekomendacje...
#WBiegu #5090 #Awareness #Hashcat #Hasła #Nvidia
https://sekurak.pl/lamanie-hasel-szybsze-o-35-wyniki-najnowszej-karty-nvidia-rtx-5090/
Nvidia RTX 5090 hashcat benchmarks.
Updated source code of phantom_extractor has been released which now supports hashcat modes 30010, 26650 and 26651.
https://forum.hashpwn.net/post/75
#phantom #wallet #crypto #hashpwn #cyclone #hashcracking #recovery #hashcat
Do we have any updated #password cracking benchmarks with #Hashcat on the new NVIDIA RTX 5000-series GPUs?
Ping: @tychotithonus
1236 emails envoyés à autant d’utilisateurisses dont j’ai pu casser le mot de passe lors d’un audit.
Si tout se passe bien, demain j’aurais de la lecture.
🚀 New Release: crackmon v0.2.0
Details: Hashcat wrapper for bypassing current session if crack rate falls below threshold.
