A Flexible Potfile Parsing Tool
Pronounced "Reg-X" as in Regex eXtractor
Unlike general-purpose tools like grep or ripgrep, RegX offers a more nuanced approach that was developed specifically for parsing hashcat potfiles that contain multiple hash algo's. While this can be done with grep, compiling and testing regular expressions, especially for more complex hashes, can be cumbersome and error prone. See examples below.
- Parse md5 (hex32) hashes:
- grep
egrep '[a-f0-9]{32}' file.txt
- RegX
./regx.bin -f file.txt -m hex32
- grep
- Parse bcrypt hashes:
- grep
egrep '\$2[a-zA-Z]{1}\$[0-9]{2}\$[[:print:]]{53}' file.txt
- RegX
./regx.bin -f file.txt -m 3200
- grep
- Parse Django (PBKDF2-SHA256) hashes:
- grep
egrep 'pbkdf2_sha256\$[0-9]{1,6}\$[[:print:]]{57}' file.txt
- RegX
./regx.bin -f file.txt -m 10000
- grep
- Parse Bitcoin hashes:
- grep
egrep '\$bitcoin\$[0-9]{1,3}\$[a-f0-9]{40,}\$[0-9]{2}\$[a-f0-9]{2,}\$[0-9]{2,}\$[0-9]{1,}\$[0-9]{1,}\$[0-9]{1,}\$[0-9]{1,}' file.txt
- RegX
./regx.bin -f file.txt -m 11300
- grep
As shown in the examples above, RegX's built-in support for popular hashcat algorithms makes parsing hashes seamless.
RegX also supports a wide range of regex patterns compatible with RE2, by using option: -r {regex_pattern}
More info on RE2: https://github.com/google/re2/wiki/Syntax
- Parse all hex 32 hashes (md5, md4, ntlm, etc), both salted and non-salted:
./regx.bin -f file.txt -m hex32
- Parse bcrypt hashes by hashcat mode {-m 3200}:
./regx.bin -f file.txt -m 3200
- Parse bcrypt hashes by algo name {-m bcrypt}:
./regx.bin -f file.txt -m bcrypt
- Parse a custom hex length hash (where {nth} equals length):
./regx.bin -f file.txt -m hex{nth}
- Use custom RE2 regex with -r {regex}:
./regx.bin -f file.txt -r '[a-fA-F0-9]{32}'
- Run
./regx.bin -help
to see a list of all options
- All HEX algos:
-m hex32
covers all HEX32 hashes such as md5, md5, ntlm, etc-m hex40
covers all HEX40 hashes such as sha1, mysql5, ripemd-160, etc- custom hex lengths can be given as well,
-m hex56
would cover sha224 hashes, etc
Mode: | Hashcat Mode: | HEX |
---|---|---|
crc32 | 11500 | hex8 |
crc64 | 28000 | hex16 |
md4 | 900 | hex32 |
md5 | 0 | hex32 |
ntlm | 1000 | hex32 |
ripemd-160 | 6000 | hex40 |
sha1 | 100 | hex40 |
mysql5 | 300 | hex40 |
sha224 | 1300 | hex56 |
sha256 | 1400 | hex64 |
sha384 | 10800 | hex96 |
sha512 | 1700 | hex128 |
metamask | 26600 | |
bitcoin | 11300 | |
pbkdf2sha256 | 10000 | |
bcrypt | 3200 | |
sha512crypt | 1800 | |
md5crypt | 500 | |
phpass | 400 |
- If you want the latest features, compiling from source is the best option since the release version may run several revisions behind the source code.
- This assumes you have Go and Git installed
git clone https://github.com/cyclone-github/regx.git
cd regx
go mod init regx
go mod tidy
go build -ldflags="-s -w" .
- Compile from source code how-to:
- Several antivirus programs on VirusTotal incorrectly detect compiled Go binaries as a false positive. This issue primarily affects the Windows executable binary, but is not limited to it. If this concerns you, I recommend carefully reviewing the source code, then proceed to compile the binary yourself.
- Uploading your compiled binaries to https://virustotal.com and leaving an up-vote or a comment would be helpful as well.