hashcat commands for RACF passwords
by Jim
First of all I recommend finding out the password rules in place, this may help.
Then start here for the initial steps. You then have two options to get the hashes into the hashcat format of $racf$*QWERTY1*5AA70358A9C369E0 rather than the John the Ripper format of QWERTY1:$racf$*QWERTY1*5AA70358A9C369E0:
- After running racf2john, use a regex Find/Replace in Notepad++/BBEdit etc. of ^[^:]+: and replace with nothing (or use grep and sed from a terminal if you prefer).
- If running Windows, use Nigel Pentland's racfsnow which, as well as cracking passwords, will also write the hashes out in both hashcat and John the Ripper format.
Install hashcat and a dictionary file. If MIXEDCASE is not enabled on the system in question then for added cracking speed I would recommend an all uppercase dictionary with words no longer than 8 characters. I suggest starting with one of the dictionaries from here which have already been edited to convert the contents to uppercase and remove words longer than 8 characters etc.
The below assumes basic knowledge of hashcat as well as having copied my racf.rule file to the rules subdirectory of hashcat. The command format below is for macOS/Unix; for Windows substitute ./hashcat with hashcat64.exe and swap any / characters for a \.
These examples are ordered from quickest to slowest.
Basic dictionary attack
./hashcat -m 8500 hashes.txt dictionary.txt
Dictionary with rule
./hashcat -m 8500 hashes.txt -r rules/racf.rule dictionary.txt
Hybrid attack - uses dictionary and appends 3 numerics - adjust the number of numerics as you see fit
./hashcat -m 8500 hashes.txt -a 6 dictionary.txt ?d?d?d
Mask attack for 8 character passwords using uppercase, digits and national characters
./hashcat -m 8500 hashes.txt -a 3 -1 ?u?d@#£ ?1?1?1?1?1?1?1?1
replace @#£ with your own national characters as appropriate, e.g. $ for £, § for @ etc.
For an incremental version that cycles through lengths from e.g. 6 characters up to 8, add --increment --increment-min=6
OA43999 version of the above:
./hashcat -m 8500 hashes.txt -a 3 -1 ?u?d#£@.<+|&!*-%_>?:=' ?1?1?1?1?1?1?1?1
Print any cracked passwords to a file
./hashcat -m 8500 hashes.txt --show --outfile=cracked.txt
If running on a Unix-based OS, or using WSL or cmder on Windows, I would recommend pulling out the cracked passwords, removing duplicates and then creating a new dictionary file. This file can then be moved between hashcat/John the Ripper and should help speed up any future cracking attempts.
cut -d: -f 2- hashcat.pot | sort -u > cracked.dic
cat cracked.dic dictionary.txt > combined.txt
cut -d: -f 2- combined.txt | sort -u > dictionary.txt
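As an added example (not part of Jim's post or of hashcat), a small Python script that reads the -m 8500 entries of hashcat.pot the way the cut/sort pipeline above does and turns them into the summary a RACF administrator needs when reviewing the password rules: which accounts were recovered, the length distribution, and how many passwords used only uppercase and digits or included national characters. The sample pot lines, user IDs, hashes and passwords are constructed.

```python
import re
from collections import Counter

# Constructed sample hashcat.pot lines for -m 8500 ($racf$*USER*HASH:password);
# users, hashes and passwords are made up. The repeated IBMUSER line is the
# kind of duplicate the sort -u step above removes.
SAMPLE_POT = """\
$racf$*IBMUSER*5AA70358A9C369E0:QWERTY1
$racf$*JSMITH*0123456789ABCDEF:SUMMER23
$racf$*AUDIT01*FEDCBA9876543210:P@SSW0RD
$racf$*IBMUSER*5AA70358A9C369E0:QWERTY1
"""

# RACF user IDs are 1-8 characters; the hash is 16 hex digits.
POT_RE = re.compile(r'^\$racf\$\*([^*]{1,8})\*([0-9A-Fa-f]{16}):(.*)$')
NATIONAL = set('@#$')  # national characters as used in the masks above

def parse_pot(text):
    """Map user ID -> recovered password from -m 8500 hashcat.pot lines;
    lines from other hash modes or malformed lines are skipped."""
    found = {}
    for line in text.splitlines():
        m = POT_RE.match(line)
        if m:
            found[m.group(1)] = m.group(3)
    return found

def classify(password):
    """Character classes a password draws on, grouped as in the masks above."""
    classes = set()
    for ch in password:
        if ch.isdigit(): classes.add('digit')
        elif ch.isupper(): classes.add('upper')
        elif ch.islower(): classes.add('lower')
        elif ch in NATIONAL: classes.add('national')
        else: classes.add('other')
    return classes

def summarize(found):
    """Summary for the RACF admins: accounts recovered, password length
    distribution, and how many passwords the simpler masks above cover."""
    pwds = list(found.values())
    return {
        'accounts': len(found),
        'lengths': dict(Counter(len(p) for p in pwds)),
        'upper_digit_only': sum(classify(p) <= {'upper', 'digit'} for p in pwds),
        'with_national': sum('national' in classify(p) for p in pwds),
    }

print(summarize(parse_pot(SAMPLE_POT)))
```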