Hashrat is a 'C' program that generates hashes with the md5, sha1, sha256, sha512, whirlpool, jh-244, jh256, jh-384 and jh-512 hash functions, and also the HMAC versions of those functions. It can output in 'traditional' format (same as md5sum and shasum and the like), or its own format. Hashes can be output in octal, decimal, hexadecimal, uppercase hexadecimal or base64. It supports directory recursion, storing hashes in extended filesystem attributes, hashing entire devices, generating a hash for an entire directory, finding duplicate files, and searching for files matching a specified hash. It has a 'CGI' mode that can be used as a web-page to lookup hashes.


Hashrat is made available under the Gnu Public License version 3, and comes with no warranties or guarentees.


Cryptographic hashes are algorithms that produce an output string that's a kind of 'fingerprint' of a given input. They're highly unlikely to produce the same string for any two inputs. While there must be other inputs in existance that share a hash with your chosen input, the likelyhood of ever finding those inputs is vanishingly small. Thus, the 'fingerprints' produced by a cryptographic hash can be considered unique, and used to identify a document or other input.

1) Password Generator

I mostly use hashrat for generating passwords. I already have a number of simple passwords/passphrases that I can remember, and when generating a password for a website I combine the website name with the password, then I hash the whole lot. Including the website name means that the resulting hash will be unique to the website. So, for example:

sh-4.2# /usr/bin/hashrat -64 -sha1 -lines

produces a different string to

sh-4.2# /usr/bin/hashrat -64 -sha1 -lines

This output string can then be used as a password for the website. Obviously this system only works in environments that support cut-and-paste. However, in order to ensure my passwords are unique to me, and won't be the same as anyone else who is using hashrat and entering, I add a 'pin number' to the end of the input string, so now I've got:

Obviously, you shouldn't use 'password' as your password or '12345' as your pin. But using this method I can generate a unique, strong password for any website I visit, leveraging existing passwords that I can easily remember. If the website is hacked, and their password database stolen, it's highly unlikely that a strong password like these hashes will ever be broken. For the crackers, there's an early payoff through checking for passwords that are common names or dictionary words, and there's much less value to trying to brute-force complex, passwords like these. Even if they do, they only have a password that is a unique string for the given site, not a password that might be usable at other websites I frequent. Hashrat also has a 'cgi mode' where it can be run as a cgi program and thus used through a web-browser.

2) File integrity checker

Hashrat can be used to detect changes to a list of files. First hashrat is run in 'hashing mode', generating the list, then it's run in 'checking mode' checking whether the hashes of the files have changed (which would mean the files themselves must have been altered).

3) Find duplicate files

Hashrat can be run in a mode where it searches for duplicate files, (files containing the same data) and outputs a list of duplicates found.

4) Find file matching a hash

Hashrat can take a list of files on stdin, or and output any files found that match this list. Alternatively it can upload such lists to a memcached server, and then multiple hashrats on multiple systems can check against those entries in the memcached server. File/Hash lists can be in hashrat format, 'traditional' md5sum format, bsdsum format, or Open IOC files (from which hashes will be extracted if present).