Introduction
Password cracking is an offline process where you attempt to recover plaintext from captured hashes or protected files. In penetration tests, weak or reused passwords are common, so success usually comes from smart wordlists and realistic mutations rather than raw brute force. Hashcat is the main tool for this workflow because it supports many algorithms and scales well on GPUs.
Hashing, Salting, and Encryption
Hashing turns input into a fixed-length digest and is designed to be one-way, so cracking depends on guessing candidates and comparing their hashes. Slow password hashes like PBKDF2 or bcrypt increase cost, while fast hashes like MD5 or SHA1 remain common in legacy systems and breach dumps, and salting reduces rainbow table value without preventing offline attacks. Encryption is reversible with a key and appears in data-at-rest or transport use cases, so it is a different problem from password hashing. The list below summarizes common encryption families, and the commands that follow show how salting changes a digest.
- Symmetric: AES, DES, 3DES, Blowfish
- Asymmetric: RSA, ECDSA, Diffie-Hellman
echo -n "p@ssw0rd" | md5sum
echo -n "p@ssw0rd123456" | md5sum
Hash Identification and Tooling
Correct identification is critical because Hashcat modes are strict and a mismatch wastes time. Prefixes and separators often reveal the algorithm, and hashid gives a best-effort guess, but context helps narrow candidates. When the guess is noisy, hashcat --example-hashes is a fast way to confirm the exact mode, and the prefix list below covers the most common Unix formats.
$1$ : MD5
$2a$ : Blowfish
$2y$ : Blowfish (8-bit safe)
$5$ : SHA256
$6$ : SHA512
hashid '$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f' -m
hashid hashes.txt
hashcat --example-hashes | less
Hashcat Workflow
Hashcat commands always combine an attack mode (-a), a hash mode (-m), and a source such as a wordlist or mask. The official release is recommended because it stays current with kernels and mode updates, and hashcat -h is enough to confirm syntax. Avoid --force because it disables safety checks that protect accuracy and stability.
Core Modes and Quick Benchmarks
Hashcat modes map to how candidates are generated, and you can benchmark a mode to estimate run time before you commit. Straight (0) and combination (1) are the fastest, while mask (3) and hybrid (6 and 7) become expensive as keyspace grows. Benchmarking with -b gives a quick baseline for your hardware and selected hash type, and the list below covers the most common modes.
0: Straight (wordlist)1: Combination3: Brute force (mask)6: Wordlist + mask (hybrid suffix)7: Mask + wordlist (hybrid prefix)
hashcat -b -m 0
Dictionary, Combination, and Hybrid Attacks
Dictionary attacks use a wordlist and succeed quickly when users pick common passwords, while combination and hybrid attacks model how people join words and add predictable affixes. Use --stdout to preview combinations and keep keyspace manageable, and press s during a run to check progress. These modes are efficient when the environment favors words plus small policy-driven changes.
hashcat -a 0 -m 1400 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -a 1 --stdout wordlist1 wordlist2
hashcat -a 1 -m 0 hashes.txt wordlist1 wordlist2
hashcat -a 6 -m 0 hashes.txt /usr/share/wordlists/rockyou.txt '?d?s'
hashcat -a 7 -m 0 hashes.txt -1 01 '20?1?d' /usr/share/wordlists/rockyou.txt
Mask Attacks
Mask attacks generate candidates that fit a known pattern, which is ideal when you know length or format from policy or leaks. Hashcat uses placeholders such as ?l for lowercase and ?d for digits, and you can define custom sets with -1 to limit search. If length is uncertain, --increment grows the mask gradually without rewriting it, and the table below covers the placeholders you will use most.
| Placeholder | Meaning |
|---|---|
?l | lowercase letters (a-z) |
?u | uppercase letters (A-Z) |
?d | digits (0-9) |
?s | symbols |
?a | ?l?u?d?s |
hashcat -a 3 -m 0 hashes.txt -1 01 'ILFREIGHT?l?l?l?l?l20?1?d'
Wordlists and Rules
Wordlists and rules are where most real-world wins come from because they model how users actually create passwords. Public lists give coverage, but the best results come from adding organization-specific terms, usernames, and years. Rules expand a small list into realistic variants without storing them all on disk.
Custom Wordlists
Custom wordlists are built from target context such as company names, project terms, or personal data gathered via OSINT. Baseline lists like CrackStation and SecLists are good starting points, but tools like Crunch, CUPP, KWP, Princeprocessor, and CeWL let you generate focused candidates. Hashcat also stores cracked passwords in a potfile, which is useful to seed new lists and find password reuse, and the links below are solid starting points.
- https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm
- https://github.com/danielmiessler/SecLists
crunch 17 17 -t ILFREIGHT201%@@@@ -o wordlist
python3 cupp.py -i
kwp -s 1 basechars/full.base keymaps/en-us.keymap routes/2-to-10-max-3-direction-changes.route
./pp64.bin -o wordlist.txt < words
cewl -d 5 -m 8 -e http://inlanefreight.com/blog -w wordlist.txt
cut -d: -f 2- ~/.hashcat/hashcat.potfile
Rules and Mutations
Rules apply transformations such as capitalization, l33t substitutions, and suffixes, which mirrors how users evolve passwords. A simple rule file can encode year suffixes and common substitutions, and you can preview the output with --stdout. Rule-based attacks often outperform raw masks when the base word is likely, and the functions below are a good starter set.
c: capitalize the first lettersXy: substitute X with y (for exampleso0replacesowith0)$X: append a character X
echo 'c so0 si1 se3 ss5 sa@ $2 $0 $1 $9' > rule.txt
hashcat -r rule.txt test.txt --stdout
hashcat -a 0 -m 100 hashes.txt /usr/share/wordlists/rockyou.txt -r rule.txt
hashcat -a 0 -m 100 hashes.txt /usr/share/wordlists/rockyou.txt -g 1000
Cracking Common Hashes
Different environments produce different hash types, so context drives your attack plan. Database leaks are usually fast hashes, Linux systems use SHA512crypt by default, and Active Directory introduces NTLM and NetNTLMv2. Start with straight or rule-based attacks, then escalate to hybrids if the keyspace is still realistic.
Databases and Linux Shadow
Database dumps commonly include MD5, SHA1, or bcrypt hashes, depending on application age. Fast hashes crack quickly with large wordlists, while bcrypt is slow and rewards focused lists and rules. Linux stores hashes in /etc/shadow, where $6$ indicates SHA512crypt.
hashcat -m 100 sha1_hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 1800 nix_hashes.txt /usr/share/wordlists/rockyou.txt
Active Directory Hashes
Active Directory engagements often yield NTLM or NetNTLMv2 through dumps or capture tools like Responder. NTLM is fast and frequently cracks with common lists, while NetNTLMv2 is slower but still feasible with targeted attacks. Cleartext passwords are valuable for lateral movement and password spraying, so cracking is worth the effort even when pass-the-hash is possible.
hashcat -a 0 -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -a 0 -m 5600 netntlmv2_hashes.txt /usr/share/wordlists/rockyou.txt
Cracking Protected Files
Protected files require an extraction step before Hashcat can attack them. The John utilities (office2john, zip2john, keepass2john, pdf2john) convert files into hash formats that Hashcat understands. Once extracted, the process is the same: pick the correct mode and apply your targeted lists.
Office, ZIP, KeePass, and PDF
Office documents use different modes by version, with 9600 covering Office 2013, while ZIP and 7z archives use modes like 17200 and 11600. KeePass databases use mode 13400 and are high-value targets because they often store privileged credentials, and PDFs vary by Acrobat version with 10500 covering Acrobat 5-8. These hashes can be slow, so start with strong, context-driven lists before attempting large keyspaces.
python office2john.py document.docx > office_hashes.txt
hashcat -m 9600 office_hashes.txt /usr/share/wordlists/rockyou.txt
zip2john /path/to/archive.zip > zip_hashes.txt
hashcat -a 0 -m 17200 zip_hashes.txt /usr/share/wordlists/rockyou.txt
python keepass2john.py Master.kdbx > keepass_hashes.txt
hashcat -a 0 -m 13400 keepass_hashes.txt /usr/share/wordlists/rockyou.txt
python pdf2john.py inventory.pdf | awk -F":" '{ print $2 }' > pdf_hashes.txt
hashcat -a 0 -m 10500 pdf_hashes.txt /usr/share/wordlists/rockyou.txt
Wireless Cracking Basics
Wireless cracking becomes an offline problem once you capture handshake material, which is why it still matters in assessments. WPA and WPA2 handshakes prove knowledge of the key without sending it, so you must convert captures into a crackable format, and 22000 is the recommended modern format. Targeted wordlists are critical because the keyspace is the same as the pre-shared key policy.
./cap2hccapx.bin capture.cap handshake.hccapx
hashcat -a 0 -m 2500 --deprecated-check-disable handshake.hccapx /usr/share/wordlists/rockyou.txt
hcxpcapngtool capture.cap -o handshake.hc22000
hashcat -a 0 -m 22000 handshake.hc22000 /usr/share/wordlists/rockyou.txt
Operational Tips and Alternative Tools
Efficient cracking depends on workflow: use sessions so you can pause and resume, and rely on the potfile to avoid re-cracking known hashes. --show quickly lists recovered passwords and helps you pivot during a live assessment, while -O and -w tune performance. John the Ripper is a good fallback for quick tests or when GPU support is limited.
hashcat -O -w 3 -a 0 -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat --session lab1 --restore
hashcat --show -m 0 hashes.txt
john -w=/usr/share/wordlists/rockyou.txt hashes.txt
Reference
This article is based on my personal study notes from the Information Security Foundations track.
Full repository: https://github.com/lameiro0x/pentesting-path-htb