Key Takeaways

  • Hashcat is the fastest password cracker (GPU-based)
  • Wordlist quality matters more than brute force
  • Rule-based attacks multiply wordlist effectiveness
  • bcrypt/Argon2 are the only secure password hashes

1. Password Cracking Fundamentals

Password cracking is the process of recovering passwords from stored hashes. It's essential for penetration testing (validating password policies), incident response (analyzing breach data), and forensics (accessing encrypted evidence).

Attack Types

2. Understanding Hash Types

# Common hash types and Hashcat modes
# MD5                 -m 0        32 hex chars
# SHA1                -m 100      40 hex chars
# SHA256              -m 1400     64 hex chars
# NTLM                -m 1000     32 hex chars (Windows)
# NetNTLMv2           -m 5600     Challenge-response
# bcrypt              -m 3200     $2a$..., $2b$...
# Argon2              -m 12800    $argon2i$..., $argon2id$...
# Kerberos TGS        -m 13100    $krb5tgs$...
# Kerberos AS-REP     -m 18200    $krb5asrep$...

# Identify hash type
hashid 'e99a18c428cb38d5f260853678922e03'
# or use hash-identifier

3. Hashcat Mastery

Hashcat - GPU Password Cracker

# Basic dictionary attack
hashcat -m 0 hashes.txt wordlist.txt

# With rules (highly recommended!)
hashcat -m 0 hashes.txt wordlist.txt -r rules/best64.rule

# Brute force (mask attack)
hashcat -m 0 hashes.txt -a 3 ?a?a?a?a?a?a  # 6 chars, any

# Mask syntax:
# ?l = lowercase, ?u = uppercase, ?d = digit
# ?s = special, ?a = all, ?b = binary

# Example masks:
hashcat -m 0 hashes.txt -a 3 ?u?l?l?l?l?l?d?d   # Password99
hashcat -m 0 hashes.txt -a 3 Company?d?d?d?d    # Company2024

# Hybrid attack (dictionary + mask)
hashcat -m 0 hashes.txt -a 6 wordlist.txt ?d?d?d?d  # word + 4 digits
hashcat -m 0 hashes.txt -a 7 ?d?d wordlist.txt      # 2 digits + word

# Show cracked passwords
hashcat -m 0 hashes.txt --show

Hashcat Performance Tips

# Optimize for speed
hashcat -O -w 3 -m 0 hashes.txt wordlist.txt
# -O = optimized kernels (faster)
# -w 3 = workload high (all GPU power)

# Benchmark your GPU
hashcat -b

# Example speeds (RTX 4090):
# MD5:      ~160 GH/s
# NTLM:     ~160 GH/s
# bcrypt:   ~180 kH/s (intentionally slow!)
# SHA256:   ~25 GH/s
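The mask syntax and the benchmark figures above are what you need to answer the policy question a pentest report actually has to answer: how long does a given password shape survive against a given hash? A mask's keyspace is the product of its charset sizes (26 for ?l and ?u, 10 for ?d, 33 for ?s, 95 for ?a, 256 for ?b; literals count 1), and worst-case time is keyspace divided by the hash rate. The Python below is an added example, not part of the page or of hashcat, that does that arithmetic for straight and hybrid masks; it assumes the RTX 4090 rates quoted above as order-of-magnitude inputs, so substitute your own `hashcat -b` output.

```python
# Charset sizes of hashcat's built-in mask placeholders (?l ?u ?d ?s ?a ?b).
CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256}

# Benchmark figures quoted on the page for one RTX 4090, in hashes per second.
# Assumption for this example only: re-run `hashcat -b` on your own hardware.
RATES = {"MD5": 160e9, "NTLM": 160e9, "SHA256": 25e9, "bcrypt": 180e3}


def mask_keyspace(mask):
    """Return how many candidates a hashcat mask expands to.

    '?x' multiplies by the size of charset x, '??' is a literal question mark, and any
    other character is a fixed literal (factor 1), e.g. 'Company?d?d?d?d' -> 10_000.
    """
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1  # literal character contributes nothing to the keyspace
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        sel = mask[i + 1]
        if sel == "?":
            pass  # escaped literal '?'
        elif sel in CHARSETS:
            total *= CHARSETS[sel]
        else:
            raise ValueError(f"unknown charset placeholder ?{sel}")
        i += 2
    return total


def hybrid_keyspace(wordlist_size, mask):
    """Keyspace of a hybrid attack (-a 6 / -a 7): every word paired with every mask value."""
    return wordlist_size * mask_keyspace(mask)


def seconds_to_exhaust(keyspace, hashes_per_second):
    """Worst-case time to try every candidate at the given cracking rate."""
    return keyspace / hashes_per_second


def human(seconds):
    """Render a duration at the resolution that matters for a policy discussion."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} s"


def estimate(mask, algorithm, wordlist_size=None):
    """Seconds to exhaust `mask` (or wordlist x mask when wordlist_size is given)
    against one of the benchmarked algorithms."""
    ks = mask_keyspace(mask) if wordlist_size is None else hybrid_keyspace(wordlist_size, mask)
    return seconds_to_exhaust(ks, RATES[algorithm])


if __name__ == "__main__":
    for mask in ("?a?a?a?a?a?a", "?u?l?l?l?l?l?d?d", "Company?d?d?d?d"):
        for algo in ("MD5", "bcrypt"):
            print(f"{mask:18} {algo:7} {mask_keyspace(mask):>16,d} candidates  {human(estimate(mask, algo))}")
```

The same six ?a characters that fall in under five seconds against MD5 take about 47 days against bcrypt at the benchmark cost, which is the whole argument of the "Password Security Defense" section in one number. Note that `?u?l?l?l?l?l?d?d`, the classic "complexity-compliant" shape, is a smaller keyspace than six arbitrary characters: a composition rule that pins which positions hold which class helps the attacker, not the defender.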

4. John the Ripper

# John the Ripper (CPU-based, more formats)
john --wordlist=wordlist.txt hashes.txt

# Auto-detect hash type
john hashes.txt

# Specify format
john --format=raw-md5 hashes.txt
john --format=NT hashes.txt

# With rules
john --wordlist=wordlist.txt --rules=Jumbo hashes.txt

# Show cracked
john --show hashes.txt

# Incremental (brute force)
john --incremental hashes.txt

# Extract hashes from various formats
# Linux shadow file
unshadow /etc/passwd /etc/shadow > hashes.txt

# Windows SAM
samdump2 SYSTEM SAM > hashes.txt

5. Wordlists & Rules

Essential Wordlists

Custom Wordlist Generation

# CeWL - scrape website for words
cewl https://target.com -d 2 -m 5 -w custom.txt

# Cupp - interactive profiler
cupp -i
# Enter target's name, DOB, pet names, etc.

# Crunch - pattern generator
crunch 8 8 -t @@@@2024 -o passwords.txt
# @=lowercase, ,=uppercase, %=numbers, ^=symbols

# Combine and deduplicate
cat wordlist1.txt wordlist2.txt | sort -u > combined.txt

Rule Writing

# Hashcat rules (rules/custom.rule)
:           # Original word
l           # Lowercase
u           # Uppercase
c           # Capitalize
$1          # Append 1
$!          # Append !
^1          # Prepend 1
d           # Duplicate
r           # Reverse
sa@         # Replace a with @
ss$         # Replace s with $

# Example transformations of "password":
# c$1       -> Password1
# c$!       -> Password!
# c$2$0$2$4 -> Password2024
# sa@ss$    -> p@$$word
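Rules are the reason "Wordlist quality matters more than brute force": each rule line turns one word into one more candidate, so a 10-million-word list with 64 rules becomes 640 million guesses at almost no extra cost. The interpreter below is an added example (not hashcat's own engine, and not code from the page) that implements just the functions listed above in Python, reproduces the four sample transformations, and then uses the same machinery defensively: a password-policy check that rejects a candidate if it is a plain dictionary word or any rule mutation of one. `PAGE_RULES` is the page's rule file copied verbatim plus the two combined rules from the example transformations; the wordlist in the test is constructed.

```python
import re


def apply_rule(rule, word):
    """Apply one hashcat-style rule string to `word` and return the candidate.

    Supported functions (the subset listed on the page): ':' no-op, 'l' lowercase,
    'u' uppercase, 'c' capitalize, 'd' duplicate, 'r' reverse, '$X' append X,
    '^X' prepend X, 'sXY' replace every X with Y. Spaces between functions are
    ignored, so 'c$1' and 'c $1' mean the same thing, as they do in hashcat.
    """
    out = word
    i = 0
    while i < len(rule):
        f = rule[i]
        if f in " :":
            i += 1
        elif f == "l":
            out = out.lower()
            i += 1
        elif f == "u":
            out = out.upper()
            i += 1
        elif f == "c":
            out = out[:1].upper() + out[1:].lower()
            i += 1
        elif f == "d":
            out = out + out
            i += 1
        elif f == "r":
            out = out[::-1]
            i += 1
        elif f in "$^":
            if i + 1 >= len(rule):
                raise ValueError(f"'{f}' needs a character argument")
            ch = rule[i + 1]
            out = out + ch if f == "$" else ch + out
            i += 2
        elif f == "s":
            if i + 2 >= len(rule):
                raise ValueError("'s' needs two character arguments")
            out = out.replace(rule[i + 1], rule[i + 2])
            i += 3
        else:
            raise ValueError(f"unsupported rule function {f!r}")
    return out


def load_rules(text):
    """Parse a rule file: one rule per line; blank lines, '#' comment lines and the
    trailing '   # ...' comments used on the page are dropped."""
    rules = []
    for line in text.splitlines():
        line = re.sub(r"\s+#.*$", "", line).strip()
        if line and not line.startswith("#"):
            rules.append(line)
    return rules


def expand(words, rules):
    """Every distinct candidate the rules produce from the wordlist (what hashcat tries)."""
    return {apply_rule(r, w) for w in words for r in rules}


def is_rule_derived(candidate, words, rules):
    """Policy check: True if `candidate` is a dictionary word or a rule mutation of one,
    i.e. something a rule-based attack reaches almost immediately."""
    if candidate in words:
        return True
    return any(apply_rule(r, w) == candidate for w in words for r in rules)


# The page's rule file, plus the two combined rules from its example transformations.
PAGE_RULES = """
:           # Original word
l           # Lowercase
u           # Uppercase
c           # Capitalize
$1          # Append 1
$!          # Append !
^1          # Prepend 1
d           # Duplicate
r           # Reverse
sa@         # Replace a with @
ss$         # Replace s with $
c$2$0$2$4   # Capitalize, append 2024
sa@ss$      # Leet-style substitutions
"""

if __name__ == "__main__":
    rules = load_rules(PAGE_RULES)
    for r in ("c$1", "c$!", "c$2$0$2$4", "sa@ss$"):
        print(f"{r:10} -> {apply_rule(r, 'password')}")
    print(sorted(expand(["password", "summer"], rules)))
```

For a real deployment the policy check should not loop over a multi-million-word list per login attempt; precompute the expanded set (or its hashes) once and look the candidate up, which is the same trade hashcat makes when it keeps rules on the GPU and the wordlist in memory.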

6. Advanced Techniques

Prince Attack (Wordlist Combination)

# Combine words from wordlist
hashcat -m 0 hashes.txt -a 8 wordlist.txt
# "love" + "you" = "loveyou"

Keyboard Walk Detection

# Common patterns: qwerty, 123456, zxcvbn
# Create targeted wordlists for keyboard patterns
kwp basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes.route

7. Online Attack Tools

# Hydra - online password attacks
hydra -l admin -P wordlist.txt ssh://192.168.1.100
hydra -l admin -P wordlist.txt 192.168.1.100 http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
hydra -l admin -P wordlist.txt ftp://192.168.1.100

# Medusa
medusa -h 192.168.1.100 -u admin -P wordlist.txt -M ssh

# Burp Suite Intruder for web apps

8. Password Security Defense

Password Storage Best Practices
  • Use Argon2id (winner of Password Hashing Competition)
  • Or bcrypt with cost factor 12+
  • Never use: MD5, SHA1, SHA256 (unsalted/fast)
  • Unique salt per password (automatic with bcrypt/argon2)
  • Enforce strong passwords: 15+ chars, no common patterns
  • Block breached passwords: Check against HaveIBeenPwned
// PHP - secure password hashing (PASSWORD_ARGON2ID needs PHP 7.3+ built with libargon2)
$hash = password_hash($password, PASSWORD_ARGON2ID);
// Verification: constant-time comparison against the stored hash
if (password_verify($input, $hash)) { /* valid */ }

# Python (argon2-cffi package)
from argon2 import PasswordHasher
from argon2.exceptions import VerifyMismatchError

ph = PasswordHasher()               # Argon2id with the library's default parameters
stored_hash = ph.hash(password)     # salt is generated and embedded automatically
try:
    ph.verify(stored_hash, password)  # raises VerifyMismatchError if invalid
except VerifyMismatchError:
    pass  # reject the login
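"Block breached passwords" is the one item in the list above that most teams get wrong by sending the password, or its full hash, to a third party. The Pwned Passwords range API avoids that with k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, receives every suffix in that range with its breach count, and does the comparison locally. The Python below is an added example of that client-side logic, not code from the page or from HaveIBeenPwned; the endpoint URL is the real one, but `SAMPLE_RESPONSE` is a constructed stand-in for what the API returns for the prefix of SHA-1("password") (the suffix for "password" is the genuine one, the counts and the other lines are made up), so the check runs offline.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    """Pwned Passwords indexes plaintexts by upper-case hex SHA-1. This is a lookup
    key for the breach corpus, not a storage hash; storage stays Argon2id/bcrypt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """k-anonymity split: only the 5-char prefix leaves the host; the 35-char suffix
    is compared locally against everything the API returns for that prefix."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Turn the 'SUFFIX:COUNT' lines the range endpoint returns into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, response_text):
    """Breach count for `password`, given the API response for ITS prefix
    (0 means the suffix was not in that range)."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(response_text).get(suffix, 0)


def fetch_range(prefix, timeout=5):
    """Live lookup (needs network). Sends only the 5-character prefix."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "pwd-policy-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def is_breached(password, response_text=None):
    """Policy gate: True if the password appears in the breach corpus. Pass
    `response_text` (e.g. a cached or test response) to avoid the network call."""
    if response_text is None:
        prefix, _ = split_for_range_query(password)
        response_text = fetch_range(prefix)
    return breach_count(password, response_text) > 0


# Constructed stand-in for GET /range/5BAA6, the prefix of SHA-1("password").
# The suffix on the third line really is SHA-1("password")[5:]; the counts and
# the other suffixes are made up for this example.
SAMPLE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""

if __name__ == "__main__":
    prefix, suffix = split_for_range_query("password")
    print("sends:", prefix, "keeps local:", suffix)
    print("breached:", is_breached("password", SAMPLE_RESPONSE), breach_count("password", SAMPLE_RESPONSE))
```

Two practical notes on wiring this into a registration or password-change flow: treat any non-zero count as a rejection rather than setting a threshold, and make the live lookup fail open only if you have decided that availability outranks the policy, because an outage that silently disables the check is the failure mode you will not notice.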

FAQ

How long does it take to crack a password?
Depends on the hash and complexity. MD5 8-char lowercase: seconds. bcrypt 12-char complex: years to never. Hash algorithm is the key factor.
Is password cracking illegal?
Cracking passwords you're authorized to test (pentests, your own) is legal. Cracking others' passwords without permission is illegal (CFAA, etc.).
