Hashcat, the fastest Password Cracking utility is now Open Source

Hashcat, the popular password recovery tool has been released as open source under the MIT license. You can contribute to it.


The popular password cracking tool Hashcat is not an open source software, the announcement was first made on December 4 on Twitter via an MD5 hash that posted the following message:

"hashcat open source"
@hashcat "hashcat open source" :-) Thanks for the good news! I fully expected this, hence cracked with a focused 10-line wordlist.

— Solar Designer (@solardiz) 4 Dicembre 2015

The source code for both utilities Hashcat and oclHashcat is now available on the GitHub repository.

The main Hashcat developer, Jens 'atom' Steube, has later published a post on the Hashcat official forum to announce the availability of the source code for both Hashcat and oclHashcat software.

Hashcat is the a fast and advanced GPGPU-based password recovery utility, meanwhile oclHashcat is the respective GPU-based version.

hashcat ntlm

Why Does Hashcat go Open Source?

Steube, who is a strong supporter of open source software, decided to release the software to allow software and security experts to review the code and improve it, for example integrating external libraries.

The software is under the MIT license to allow an easy integration or packaging for the most common Linux distributions.

"Actually, I am a big fan of open source software, and I've always held the idea of eventually going open source at some point in the future. The difficult questions were when would we be ready to do so, and when would be the best time to do it." states the post.

Up until now, Hashcat is not supported on OS X because Apple does not allow "offline" compiling of kernel code. Now that the Hashcat project goes open source, users will be able to compile the GPU kernels and use oclHashcat also on OS X.

"Currently there is no native support for OSX. The main reason for this is that Apple does not support "offline" compiling of the kernel code. Technically, the missing piece is what AMD allows through CL_CONTEXT_OFFLINE_DEVICES_AMD in its OpenCL runtime. This would allow the compilation of GPU kernels for devices which are not currently attached to the development system. With an open source project, you can easily compile the kernels using the Apple OpenCL Runtime "just in time", also known as JIT, and hence lift that restriction. This means that support for oclHashcat on OSX would be possible for the first time." Steube explains.

Steube in the past worked with the experts at Kaspersky Lab, assisting them in cracking hashes related to the Gauss malware and the Equation group.

Experts at Kaspersky Lab published a blog post early this week to explain the benefits of password cracking tools going open source.

"One of the main [password cracking tool] user-groups are penetration-testers. Their job is to evaluate the security in given areas including evaluation of password security. Also forensic-examiners use these tools in order to gain access to required evidence. These cases and tasks are often highly sensitive and apply to strict rules," explained Marco Preuss. "OpenSource offers the possibility of developing customized extensions without leaking any potential sensitive information to external developers of such tools. This applies if different hash-algorithms are required to be audited while pentesting or specific requirements are set in forensic cases e.g. criminal evidence collection for an upcoming lawsuit."

Steube will continue to support the Hashcat project

"No way I'd do that! I'll stay here, providing the same effort as before," the developer said.

Every but could be submitted to the development team, along with new features.