{"id":307,"date":"2026-04-08T07:46:43","date_gmt":"2026-04-08T05:46:43","guid":{"rendered":"https:\/\/pandack.fr\/?pandack_outil=hashcat"},"modified":"2026-04-08T07:46:43","modified_gmt":"2026-04-08T05:46:43","slug":"hashcat","status":"publish","type":"pandack_outil","link":"https:\/\/pandack.fr\/?pandack_outil=hashcat","title":{"rendered":"hashcat"},"content":{"rendered":"<h2>\ud83d\udccb Tool Sheet: hashcat<\/h2>\n<hr>\n<div class=\"callout callout--danger\">\n<div class=\"callout__title\">Warning: GPU vs VM<\/div>\n<div class=\"callout__content\">\n<p>Hashcat draws its power from the graphics card (<strong>GPU<\/strong>). In a virtual machine (Kali), it will be throttled because it falls back to the processor (CPU). For large volumes, it is recommended to install Hashcat <strong>on your Windows host<\/strong> (if you have an Nvidia\/AMD card) and copy your hash files there.<\/p>\n<\/div>\n<\/div>\n<p><strong>Resources<\/strong>: https:\/\/hashcat.net\/wiki\/doku.php?id=example_hashes<\/p>\n<hr>\n<div class=\"callout callout--info\">\n<div class=\"callout__title\">\ud83c\udfaf Main Objective<\/div>\n<div class=\"callout__content\">\n<p>Crack password hashes exfiltrated during an intrusion. 
Hashcat performs billions of comparisons per second to recover the plaintext password that matches the hash.<\/p>\n<\/div>\n<\/div>\n<hr>\n<div class=\"callout callout--quote\">\n<div class=\"callout__title\">General Syntax<\/div>\n<div class=\"callout__content\">\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\">hashcat -m &lt;CODE_HASH&gt; -a &lt;MODE_ATTAQUE&gt; &lt;FICHIER_HASHS&gt; [WORDLIST] [options]<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<hr>\n<h2>Syntax<\/h2>\n<ul>\n<li>Example for one hash type<\/li>\n<\/ul>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\">hashcat -m 9600 -a 0 [fichierHASH] \/usr\/share\/wordlists\/rockyou.txt --force<\/code><\/pre>\n<\/div>\n<h2>Code Reference (-m)<\/h2>\n<p>Choosing the right code is critical. 
These are the most common in pentesting:<\/p>\n<table>\n<thead>\n<tr>\n<th><strong>Hash Type<\/strong><\/th>\n<th><strong>-m Code<\/strong><\/th>\n<th><strong>Context \/ Origin<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>NTLM<\/strong><\/td>\n<td><code>1000<\/code><\/td>\n<td>Windows (SAM dump, NTDS.dit) &#8211; the standard.<\/td>\n<\/tr>\n<tr>\n<td><strong>NetNTLMv2<\/strong><\/td>\n<td><code>5600<\/code><\/td>\n<td>Windows (captured on the network via <strong>Responder<\/strong>).<\/td>\n<\/tr>\n<tr>\n<td><strong>Kerberoasting<\/strong><\/td>\n<td><code>13100<\/code><\/td>\n<td>Active Directory (TGS ticket via <code>GetUserSPNs<\/code>).<\/td>\n<\/tr>\n<tr>\n<td><strong>AS-REP Roasting<\/strong><\/td>\n<td><code>18200<\/code><\/td>\n<td>Active Directory (no pre-auth, via <code>GetNPUsers<\/code>).<\/td>\n<\/tr>\n<tr>\n<td><strong>MD5<\/strong><\/td>\n<td><code>0<\/code><\/td>\n<td>Legacy CMSs, obsolete web databases.<\/td>\n<\/tr>\n<tr>\n<td><strong>SHA-256<\/strong><\/td>\n<td><code>1400<\/code><\/td>\n<td>Standard Linux\/web databases.<\/td>\n<\/tr>\n<tr>\n<td><strong>sha512crypt<\/strong><\/td>\n<td><code>1800<\/code><\/td>\n<td>Linux (<code>\/etc\/shadow<\/code> file, <code>$6$<\/code>).<\/td>\n<\/tr>\n<tr>\n<td><strong>bcrypt<\/strong><\/td>\n<td><code>3200<\/code><\/td>\n<td>Modern web (<code>$2a$<\/code>, <code>$2y$<\/code>). 
Very slow to crack.<\/td>\n<\/tr>\n<tr>\n<td><strong>WPA\/WPA2<\/strong><\/td>\n<td><code>22000<\/code><\/td>\n<td>WiFi handshakes (Aircrack-ng\/Bettercap).<\/td>\n<\/tr>\n<tr>\n<td><strong>Office 2013+<\/strong><\/td>\n<td><code>9600<\/code><\/td>\n<td>Encrypted Excel\/Word documents.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<div class=\"callout callout--tip\">\n<div class=\"callout__title\">Identifying an unknown code<\/div>\n<div class=\"callout__content\">\n<ul>\n<li><strong>Via the help:<\/strong> <code>hashcat -hh | grep -i &quot;NomDuService&quot;<\/code><\/li>\n<li><strong>Via the wiki:<\/strong> Search for the hash prefix (e.g. <code>$krb5tgs$<\/code>) on <a href=\"https:\/\/hashcat.net\/wiki\/doku.php?id=example_hashes\" target=\"_blank\" rel=\"noopener\">hashcat.net\/wiki<\/a> &amp; <a href=\"https:\/\/hashes.com\/en\/tools\/hash_identifier\" target=\"_blank\" rel=\"noopener\">Hashes.com<\/a><\/li>\n<li><strong>Third-party tool:<\/strong> Use <code>hash-identifier<\/code> or <code>nth<\/code> (Name-That-Hash).<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<h2>Parameters (Flags)<\/h2>\n<table>\n<thead>\n<tr>\n<th><strong>Option (Flag)<\/strong><\/th>\n<th><strong>Description<\/strong><\/th>\n<th><strong>Note \/ Example<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong><code>-m<\/code><\/strong><\/td>\n<td><strong>Hash Type<\/strong>. The numeric code of the hash type.<\/td>\n<td><strong>Required.<\/strong> See the table above.<\/td>\n<\/tr>\n<tr>\n<td><strong><code>-a<\/code><\/strong><\/td>\n<td><strong>Attack Mode<\/strong>. The type of attack.<\/td>\n<td><code>0<\/code> = Dictionary (wordlist).<br \/>\n<code>3<\/code> = Mask (pure brute force).<\/td>\n<\/tr>\n<tr>\n<td><strong><code>-o<\/code><\/strong><\/td>\n<td><strong>Output<\/strong>. 
Output file.<\/td>\n<td>Writes the recovered passwords to a file.<\/td>\n<\/tr>\n<tr>\n<td><strong><code>--show<\/code><\/strong><\/td>\n<td>Displays results <em>already<\/em> found.<\/td>\n<td>Does not rerun the computation.<\/td>\n<\/tr>\n<tr>\n<td><strong><code>-r<\/code><\/strong><\/td>\n<td><strong>Rules<\/strong>. Applies mutation rules.<\/td>\n<td>E.g. <code>best64.rule<\/code> (transforms \u201cpass\u201d into \u201cPass123!\u201d).<\/td>\n<\/tr>\n<tr>\n<td><strong><code>-O<\/code><\/strong><\/td>\n<td><strong>Optimized<\/strong>. Enables the optimized kernel.<\/td>\n<td>Faster, but limits password length.<\/td>\n<\/tr>\n<tr>\n<td><strong><code>--status<\/code><\/strong><\/td>\n<td>Displays a progress bar.<\/td>\n<td>Updated automatically during cracking.<\/td>\n<\/tr>\n<tr>\n<td><strong><code>--force<\/code><\/strong><\/td>\n<td>Ignores warnings (e.g. running in a VM).<\/td>\n<td>Useful if Hashcat refuses to start.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Examples<\/h2>\n<h4>1. Dictionary Attack (NTLM)<\/h4>\n<p>Classic case after a SAM database dump.<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\">hashcat -m 1000 -a 0 hashs.txt \/usr\/share\/wordlists\/rockyou.txt<\/code><\/pre>\n<\/div>\n<h4>2. Kerberoasting Attack (Active Directory)<\/h4>\n<p>Cracks a recovered TGS ticket.<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\">hashcat -m 13100 -a 0 kerberoast.txt \/usr\/share\/wordlists\/rockyou.txt<\/code><\/pre>\n<\/div>\n<h4>3. 
Attack with Rules (Mutation)<\/h4>\n<p>Tries the wordlist plus variations (uppercase, digits, special characters).<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\">hashcat -m 1000 hashs.txt \/usr\/share\/wordlists\/rockyou.txt -r \/usr\/share\/hashcat\/rules\/best64.rule<\/code><\/pre>\n<\/div>\n<h4>4. Displaying Results<\/h4>\n<p>See what was cracked previously.<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\">hashcat -m 1000 hashs.txt --show<\/code><\/pre>\n<\/div>\n<h2>Workflow &amp; Recommendations<\/h2>\n<p>The cracking process should follow an efficiency-first order (from fastest to slowest).<\/p>\n<h4>Step 1: Preparation &amp; Extraction<\/h4>\n<p>Retrieve the hash and clean it. Hashcat only accepts the bare hash, with no username or metadata (with exceptions such as NetNTLMv2).<\/p>\n<ul>\n<li><em>Office document case:<\/em> Extract the hash with <code>office2john.py<\/code> before passing it to Hashcat.<\/li>\n<\/ul>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\">python3 \/usr\/share\/john\/office2john.py fichier.xlsx &gt; hash.txt\n# Clean hash.txt to keep only the string starting with $office$...<\/code><\/pre>\n<\/div>\n<h4>Step 2: Identification<\/h4>\n<p>Determine the exact <code>-m<\/code> code. 
A mistake here makes cracking impossible.<\/p>\n<h4>Step 3: Attack Strategy (Execution Order)<\/h4>\n<ol>\n<li><strong>Fast Attack (plain wordlist)<\/strong><\/li>\n<\/ol>\n<p>    &#8211; Use <code>rockyou.txt<\/code>. This cracks trivial or default passwords.<br \/>\n    &#8211; <em>Estimated time:<\/em> a few seconds\/minutes.<\/p>\n<ol start=\"2\">\n<li><strong>Medium Attack (Wordlist + Rules)<\/strong><\/li>\n<\/ol>\n<p>    &#8211; Add <code>-r ...\/rules\/best64.rule<\/code>. This finds variations such as \u201cSoleil2023!\u201d.<br \/>\n    &#8211; <em>Estimated time:<\/em> 10 to 30 minutes.<\/p>\n<ol start=\"3\">\n<li><strong>Heavy Attack (Mask \/ Brute Force)<\/strong><\/li>\n<\/ol>\n<p>    &#8211; Mode <code>-a 3<\/code>. Use as a last resort for short passwords (7-8 characters).<br \/>\n    &#8211; <em>Estimated time:<\/em> hours or days.<\/p>\n<h4>Step 4: Post-Cracking<\/h4>\n<p>Once the password is displayed (e.g. <code>Password123!<\/code>), use it immediately to attempt a login via <code>nxc smb<\/code> or <code>evil-winrm<\/code>.<\/p>\n<h2>Hashcat (OLD)<\/h2>\n<h3>Hash Type<\/h3>\n<p>Look up the hash type (e.g. Kerberos).<\/p>\n<p>In Hashcat, retrieve the code for the hash in question:<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\">hashcat --help | grep -i &quot;Kerberos&quot;<\/code><\/pre>\n<\/div>\n<p>At this point, pick the correct code for our hash.<\/p>\n<div class=\"callout callout--info\">\n<div 
class=\"callout__title\">The NTH (Name-That-Hash) command can also be used to identify the hash type<\/div>\n<div class=\"callout__content\"><\/div>\n<\/div>\n<h3>HASH PASS<\/h3>\n<p>Run the command to crack the password hash:<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\">hashcat -m CODE SELECTFICHIER \/usr\/share\/wordlists\/rockyou.txt --force<\/code><\/pre>\n<\/div>\n<p>Example:<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\">hashcat -m 13100 kerberoast_hash.txt \/usr\/share\/wordlists\/rockyou.txt --force<\/code><\/pre>\n<\/div>\n<p>After the run, there are two possible outcomes:<\/p>\n<ul>\n<li>Cracked: password found<\/li>\n<li>Exhausted: password not found<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The fastest and most complete password-cracking tool, accelerated by the 
GPU.<\/p>\n","protected":false},"template":"","meta":{"footnotes":""},"phase_pentest":[26],"categorie_fonctionnelle":[],"port_numero":[19],"protocole":[189],"tag_outil":[65,190],"class_list":["post-307","pandack_outil","type-pandack_outil","status-publish","hentry","phase_pentest-exploitation","port_numero-n-a","protocole-n-a","tag_outil-bruteforce","tag_outil-cracking"],"_links":{"self":[{"href":"https:\/\/pandack.fr\/index.php?rest_route=\/wp\/v2\/pandack_outil\/307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pandack.fr\/index.php?rest_route=\/wp\/v2\/pandack_outil"}],"about":[{"href":"https:\/\/pandack.fr\/index.php?rest_route=\/wp\/v2\/types\/pandack_outil"}],"version-history":[{"count":0,"href":"https:\/\/pandack.fr\/index.php?rest_route=\/wp\/v2\/pandack_outil\/307\/revisions"}],"wp:attachment":[{"href":"https:\/\/pandack.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=307"}],"wp:term":[{"taxonomy":"phase_pentest","embeddable":true,"href":"https:\/\/pandack.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fphase_pentest&post=307"},{"taxonomy":"categorie_fonctionnelle","embeddable":true,"href":"https:\/\/pandack.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategorie_fonctionnelle&post=307"},{"taxonomy":"port_numero","embeddable":true,"href":"https:\/\/pandack.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fport_numero&post=307"},{"taxonomy":"protocole","embeddable":true,"href":"https:\/\/pandack.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fprotocole&post=307"},{"taxonomy":"tag_outil","embeddable":true,"href":"https:\/\/pandack.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftag_outil&post=307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}