Hashcat password cracker goes open source

The password recovery tool, used by penetration testers worldwide, is now available under an open source license.

The Hashcat password recovery tool and cracker is now available to developers under an open source license, and the news has sent the GitHub community into meltdown.


Hashcat and oclHashcat are popular tools used by penetration testers and security experts for advanced password recovery and cracking. The tools run on both CPUs and GPUs and are available across multiple platforms.

On December 4, Jens 'Atom' Steube, maker of the tool, announced the opening of the Hashcat code to the open source community through an MD5 hash posted to Twitter, which cracks to "hashcat open source".


In a forum post, Atom said that while there have been many discussions in the past about the tool becoming open source, there were a number of challenges to overcome. The tool is used by many penetration testers and forensic scientists who implement their own GPU kernels. To protect the details of their work, Atom has created an open interface with generic hashing that can be combined with a researcher's particular strain of code.

An MIT license, which allows for the integration of Hashcat into many Linux distributions -- such as Ubuntu -- has been chosen, and a Kali Linux package is in the works as a future release.

Atom writes:

"After the switch to open source it will be much easier to integrate external libraries. Indeed, it was barely possible before due to license problems. A few crypto libraries have very restrictive licences, and some of them don't allow the integration of their code within binary files or only with very special prerequisites.

At this point, hashcat/oclHashcat do not need any external libraries, but sometimes even just the parsing of the hash itself is very complicated and often even more challenging than the GPU kernel itself. GPG is a good example of this, it probably could be added easily if hashcat/oclHashcat were open source."

An interesting snippet for Mac users is that while there is currently no native support for Hashcat on the OS X operating system -- due to Apple restrictions on offline kernel compiling -- going open source will allow developers to compile kernels using Apple protocols which remove the red tape. Hence, OS X support for oclHashcat is now possible.

Atom also used the announcement to assure users he is not leaving the project anytime soon.

The code for both Hashcat and the oclHashcat variant is now available on code repository website GitHub, where the announcement caused some serious excitement and the topic trended for some time.

The news comes alongside the latest release of Hashcat, version 2.0, which has been updated with a variety of bug fixes and new algorithms.

"We plan to eventually combine hashcat and oclHashcat into one single project, called 'hashcat,'" Atom says. "Basically, the idea is to let the current oclHashcat code (where - yes, you did guess it correctly - we put most of the development focus) be the basis for the "merge" and in this way integrate hashcat into oclHashcat and rename the resulting cracker into just "hashcat".

This will be an important but also very demanding/difficult change and won't happen too soon (but maybe with united forces, now that we did go open source, it could happen within a reasonable amount of time)."

Atom has previously worked with Kaspersky Lab, supporting the firm's research into the Gauss malware by creating oclGaussCrack, as well as assisting in cracking the EquationGroup's protocols.
