The popular password cracking tool Hashcat is not an open source software, the announcement was first made on December 4 on Twitter via an MD5 hash that posted the following message:
“hashcat open source”
@hashcat “hashcat open source” 🙂 Thanks for the good news! I fully expected this, hence cracked with a focused 10-line wordlist.
— Solar Designer (@solardiz) 4 Dicembre 2015
The main Hashcat developer, Jens ‘atom’ Steube, has later published a post on the Hashcat official forum to announce the availability of the source code for both Hashcat and oclHashcat software.
Hashcat is the a fast and advanced GPGPU-based password recovery utility, meanwhile oclHashcat is the respective GPU-based version.
Why Does Hashcat go Open Source?
Steube, who is a strong supporter of open source software, decided to release the software to allow software and security experts to review the code and improve it, for example integrating external libraries.
The software is under the MIT license to allow an easy integration or packaging for the most common Linux distributions.
“Actually, I am a big fan of open source software, and I’ve always held the idea of eventually going open source at some point in the future. The difficult questions were when would we be ready to do so, and when would be the best time to do it.” states the post.
Up until now, Hashcat is not supported on OS X because Apple does not allow “offline” compiling of kernel code. Now that the Hashcat project goes open source, users will be able to compile the GPU kernels and use oclHashcat also on OS X.
“Currently there is no native support for OSX. The main reason for this is that Apple does not support “offline” compiling of the kernel code. Technically, the missing piece is what AMD allows through CL_CONTEXT_OFFLINE_DEVICES_AMD in its OpenCL runtime. This would allow the compilation of GPU kernels for devices which are not currently attached to the development system. With an open source project, you can easily compile the kernels using the Apple OpenCL Runtime “just in time”, also known as JIT, and hence lift that restriction. This means that support for oclHashcat on OSX would be possible for the first time.” Steube explains.
“One of the main [password cracking tool] user-groups are penetration-testers. Their job is to evaluate the security in given areas including evaluation of password security. Also forensic-examiners use these tools in order to gain access to required evidence. These cases and tasks are often highly sensitive and apply to strict rules,” explained Marco Preuss. “OpenSource offers the possibility of developing customized extensions without leaking any potential sensitive information to external developers of such tools. This applies if different hash-algorithms are required to be audited while pentesting or specific requirements are set in forensic cases e.g. criminal evidence collection for an upcoming lawsuit.”
Steube will continue to support the Hashcat project
“No way I’d do that! I’ll stay here, providing the same effort as before,” the developer said.
Every but could be submitted to the development team, along with new features.
(Security Affairs – Hashcat project, hacking)