🎯 Lab Objectives

  • Identify hash types from their format and length
  • Perform dictionary attacks using rockyou.txt and custom wordlists
  • Use John the Ripper for versatile offline cracking
  • Use Hashcat with GPU acceleration for high-speed cracking
  • Apply rules to mutate wordlists (capitalise, add numbers, leet speak)
  • Run mask attacks for known-pattern passwords
  • Crack Linux shadow file hashes and Windows NTLM hashes

Hash Theory

A hash is a one-way function — you can compute a hash from a password, but there is no practical way to compute the password back from the hash. Password cracking works around this by hashing guesses (with the same algorithm, and the same salt if the format carries one) and comparing each result to the target hash until one matches.

Hash type       Length          Example prefix   Speed (GPU)
MD5             32 hex chars    5f4dcc3b5...     Very fast (GH/s)
SHA-1           40 hex chars    5baa61e4c...     Fast
SHA-256         64 hex chars    5e884898d...     Moderate
NTLM            32 hex chars    (no prefix)      Very fast
bcrypt          60 chars        $2a$ / $2b$      Very slow (by design)
SHA-512 crypt   ~100 chars      $6$              Slow

Step 1 — Identifying Hash Types

Use hashid and hash-identifier to fingerprint unknown hashes

# Install hashid if not present
pip3 install hashid

# Identify a single hash
hashid '5f4dcc3b5aa765d61d8327deb882cf99'

# Output:
Analyzing '5f4dcc3b5aa765d61d8327deb882cf99'
[+] MD2
[+] MD5
[+] MD4

# Identify with Hashcat mode number
hashid -m '5f4dcc3b5aa765d61d8327deb882cf99'

# Also works from a file of hashes
hashid -m hashes.txt

# Recognise common prefixes manually:
# $1$  = MD5crypt
# $2a$ = bcrypt
# $5$  = SHA-256crypt
# $6$  = SHA-512crypt (Linux shadow)
# $NT$ = NTLM (John the Ripper's prefix for NT hashes)
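The prefix-and-length reasoning hashid applies can be written down in a few lines. The following Python helper is an added example, not part of hashid or of this lab; the hashcat mode numbers it returns are hashcat's own `-m` values for those algorithms (500, 900, 1400, 1700 and 7400 are not mentioned elsewhere in this lab). Like hashid, it can only report structural candidates: an unsalted 32-hex string is MD5, NTLM or MD4, and only the source of the hash tells you which.

```python
import re

# Candidate (algorithm, hashcat -m mode) lists for raw hex digests, keyed by length.
HEX_BY_LENGTH = {
    32: [("MD5", 0), ("NTLM", 1000), ("MD4", 900)],
    40: [("SHA-1", 100)],
    64: [("SHA-256", 1400)],
    128: [("SHA-512", 1700)],
}

# Modular-crypt prefixes as used in /etc/shadow and by bcrypt.
CRYPT_PREFIXES = [
    ("$1$", "md5crypt", 500),
    ("$2a$", "bcrypt", 3200),
    ("$2b$", "bcrypt", 3200),
    ("$2y$", "bcrypt", 3200),
    ("$5$", "sha256crypt", 7400),
    ("$6$", "sha512crypt", 1800),
]

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def identify_hash(h):
    """Return a list of (algorithm, hashcat_mode) candidates for one hash string.

    Matching is purely structural (prefix, then length), so an unsalted 32-hex
    value is reported as MD5 *and* NTLM *and* MD4; context disambiguates.
    Unknown shapes return an empty list.
    """
    h = h.strip()
    for prefix, name, mode in CRYPT_PREFIXES:
        if h.startswith(prefix):
            return [(name, mode)]
    # John the Ripper's own marker for NT hashes: $NT$ followed by 32 hex chars.
    if h.startswith("$NT$") and len(h) == 36 and HEX_RE.match(h[4:]):
        return [("NTLM", 1000)]
    if HEX_RE.match(h):
        return list(HEX_BY_LENGTH.get(len(h), []))
    return []


def identify_lines(lines):
    """Identify every non-empty line of a hash file; returns {hash: candidates}."""
    return {ln.strip(): identify_hash(ln) for ln in lines if ln.strip()}


if __name__ == "__main__":
    # Sample inputs: the MD5 / SHA-1 / SHA-256 digests of "password" (the
    # values behind the prefixes in the table above) plus two constructed ones.
    samples = [
        "5f4dcc3b5aa765d61d8327deb882cf99",
        "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
        "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8",
        "$6$constructedsalt$constructedhash",      # constructed, not a real hash
        "$2b$12$" + "x" * 53,                      # constructed bcrypt-shaped value
    ]
    for h, cands in identify_lines(samples).items():
        print(h[:20] + "...", cands)
```

Feed it the same file you would give `hashid -m hashes.txt`: `identify_lines(open("hashes.txt"))` returns one candidate list per line, which you can then map straight onto `hashcat -m`.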

Step 2 — Setting Up Wordlists

Locate and prepare the rockyou.txt wordlist

# rockyou.txt ships with Kali — may be compressed
ls /usr/share/wordlists/

# Decompress if needed
sudo gunzip /usr/share/wordlists/rockyou.txt.gz

# Count lines (14 million passwords)
wc -l /usr/share/wordlists/rockyou.txt

# Other useful wordlists
ls /usr/share/wordlists/dirbuster/
ls /usr/share/seclists/   # install: sudo apt install seclists

# Create a custom wordlist for a target
cewl https://targetsite.com -d 3 -m 5 -w custom.txt

Step 3 — John the Ripper

Crack hashes with John — versatile and auto-detects hash types

# Create a test hash file
echo "5f4dcc3b5aa765d61d8327deb882cf99" > hashes.txt   # MD5 of "password"

# Auto-detect and crack with rockyou
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

# Force a specific format
john hashes.txt --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt

# Show cracked passwords
john hashes.txt --show

# Run incremental brute force (slow but thorough)
john hashes.txt --incremental

# Resume an interrupted session
john --restore

# Useful format names
# raw-md5, raw-sha1, raw-sha256, bcrypt, nt, sha512crypt
john --list=formats | grep -i md5

Step 4 — Hashcat Basics

GPU-accelerated cracking with Hashcat

# Hashcat attack modes:
# 0 = Dictionary   3 = Brute-force/Mask
# 1 = Combination  6 = Wordlist + Mask
# 7 = Mask + Wordlist

# MD5 dictionary attack (-m 0 = MD5, -a 0 = dictionary)
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# SHA-1 (-m 100)
hashcat -m 100 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# NTLM (-m 1000)
hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# bcrypt (-m 3200) — slow, be patient
hashcat -m 3200 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# SHA-512crypt Linux (-m 1800)
hashcat -m 1800 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# Show results after cracking
hashcat -m 0 hashes.txt --show

# Benchmark your hardware
hashcat -b

Step 5 โ€” Rule-Based Attacks

Rules transform wordlist entries on the fly: capitalise, append numbers, substitute characters (l33t speak). Each rule multiplies the number of candidates tried per word, so coverage grows dramatically without a larger wordlist.

# Apply built-in best64 rules (hashcat)
hashcat -m 0 -a 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# OneRuleToRuleThemAll — popular community rule
hashcat -m 0 -a 0 hashes.txt rockyou.txt -r OneRule.rule

# Stack multiple rules
hashcat -m 0 -a 0 hashes.txt rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule \
  -r /usr/share/hashcat/rules/toggles1.rule

# John with rules
john hashes.txt --wordlist=rockyou.txt --rules=KoreLogic
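To make concrete what Steps 3 to 5 do inside hashcat and John, here is an added Python example (not code from either tool or from this lab) that runs a plain dictionary attack over MD5 or SHA-1 targets and applies a small, hypothetical subset of hashcat's rule syntax to each word first. The rule functions implemented (`:`, `l`, `u`, `c`, `t`, `r`, `d`, `$X`, `^X`, `sXY`, `[`, `]`) follow hashcat's documented meanings; the wordlist and target hashes are constructed inline.

```python
import hashlib


def md5_hex(s):
    """Hex MD5 of a UTF-8 string (hashcat -m 0)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def sha1_hex(s):
    """Hex SHA-1 of a UTF-8 string (hashcat -m 100)."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


# hashcat -m numbers used in this lab mapped to the digest function.
ALGORITHMS = {0: md5_hex, 100: sha1_hex}


def apply_rule(word, rule):
    """Apply one hashcat-style rule line (space-separated functions) to a word.

    Subset implemented: ':' no-op, 'l' lowercase, 'u' uppercase,
    'c' capitalise first letter and lowercase the rest, 't' toggle case,
    'r' reverse, 'd' duplicate, '$X' append X, '^X' prepend X,
    'sXY' replace every X with Y, '[' delete first char, ']' delete last char.
    """
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":":
            pass
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "t":
            word = word.swapcase()
        elif op == "r":
            word = word[::-1]
        elif op == "d":
            word = word * 2
        elif op == "$":
            word = word + arg
        elif op == "^":
            word = arg + word
        elif op == "s" and len(arg) == 2:
            word = word.replace(arg[0], arg[1])
        elif op == "[":
            word = word[1:]
        elif op == "]":
            word = word[:-1]
        else:
            raise ValueError(f"unsupported rule function: {fn!r}")
    return word


def crack(targets, wordlist, rules=(":",), mode=0):
    """Dictionary attack with rules; returns {hash: plaintext} for every target found.

    `targets` are hex digests, `wordlist` any iterable of words, `rules` a list of
    rule lines. The default identity rule is a plain dictionary attack (-a 0 without -r).
    """
    digest = ALGORITHMS[mode]
    remaining = {t.strip().lower() for t in targets}
    found = {}
    for word in wordlist:
        word = word.rstrip("\r\n")
        for rule in rules:
            candidate = apply_rule(word, rule)
            h = digest(candidate)
            if h in remaining:
                found[h] = candidate
                remaining.discard(h)
                if not remaining:
                    return found
    return found


if __name__ == "__main__":
    # Constructed mini wordlist and a rule file in the spirit of best64.rule.
    words = ["letmein", "summer", "password"]
    rules = [":", "c", "c $1", "c sa@ so0 $1", "u $2 $0 $2 $4"]
    targets = [md5_hex("password"), md5_hex("P@ssw0rd1"), md5_hex("SUMMER2024")]
    print(crack(targets, words, rules))
```

With a real wordlist, iterate the file lazily and open it as `open(path, encoding="latin-1")`: rockyou.txt contains lines that are not valid UTF-8 and would otherwise raise a decoding error part-way through.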

Step 6 — Mask Attacks (Brute-Force with Pattern)

When you know the password policy (e.g., 8 chars, uppercase + lowercase + digit), use masks to target only that space.

# Mask charset placeholders:
# ?l = lowercase (a-z)
# ?u = uppercase (A-Z)
# ?d = digit (0-9)
# ?s = special (!@#$...)
# ?a = all of the above

# 8-char all-lowercase brute force
hashcat -m 0 -a 3 hashes.txt ?l?l?l?l?l?l?l?l

# Pattern: Capital + 5 lowercase + 2 digits (Password01 style)
hashcat -m 0 -a 3 hashes.txt ?u?l?l?l?l?l?d?d

# 6-char any character
hashcat -m 0 -a 3 hashes.txt ?a?a?a?a?a?a

# Custom charset: only digits 0-9 (PIN codes)
hashcat -m 0 -a 3 hashes.txt -1 ?d ?1?1?1?1?1?1
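The value of a mask is that its keyspace is knowable in advance, so you can decide whether an attack is feasible before launching it. The following added Python example (not hashcat code) resolves a mask, including `-1`..`-4` custom charsets, into per-position charsets, computes the keyspace and the worst-case time at a given hash rate, and can enumerate small masks; the placeholder charsets match hashcat's built-in definitions (`?s` is the 33 printable ASCII punctuation characters plus space, so `?a` has 95 characters).

```python
import itertools
import string

# Built-in charsets as hashcat defines them for the placeholders listed above.
BUILTIN_CHARSETS = {
    "l": string.ascii_lowercase,                     # 26
    "u": string.ascii_uppercase,                     # 26
    "d": string.digits,                              # 10
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",        # 33
}
BUILTIN_CHARSETS["a"] = (BUILTIN_CHARSETS["l"] + BUILTIN_CHARSETS["u"]
                         + BUILTIN_CHARSETS["d"] + BUILTIN_CHARSETS["s"])  # 95


def resolve_mask(mask, custom=None):
    """Turn a mask such as '?u?l?l?d?d' into a list of per-position charsets.

    `custom` maps '1'..'4' to their definitions (the -1 .. -4 options), which may
    themselves use built-in placeholders, e.g. {'1': '?dabc'}. Literal characters
    in the mask stand for themselves and '??' is a literal question mark.
    """
    custom = custom or {}

    def expand(spec):
        out, i = [], 0
        while i < len(spec):
            if spec[i] == "?" and i + 1 < len(spec):
                key = spec[i + 1]
                if key == "?":
                    out.append("?")
                elif key in BUILTIN_CHARSETS:
                    out.append(BUILTIN_CHARSETS[key])
                elif key in custom:
                    # A custom charset is the union of everything in its definition.
                    out.append("".join(dict.fromkeys("".join(expand(custom[key])))))
                else:
                    raise ValueError(f"unknown placeholder ?{key}")
                i += 2
            else:
                out.append(spec[i])
                i += 1
        return out

    return expand(mask)


def keyspace(mask, custom=None):
    """Number of candidates the mask produces (product of the per-position sizes)."""
    n = 1
    for cs in resolve_mask(mask, custom):
        n *= len(cs)
    return n


def seconds_at_rate(mask, hashes_per_second, custom=None):
    """Worst-case seconds to exhaust the mask at a given speed (1e9 = 1 GH/s)."""
    return keyspace(mask, custom) / hashes_per_second


def candidates(mask, custom=None):
    """Generate every candidate string; only sensible for small keyspaces."""
    for combo in itertools.product(*resolve_mask(mask, custom)):
        yield "".join(combo)


if __name__ == "__main__":
    # The four masks from the examples above, at an assumed 10 GH/s MD5 rate.
    for m, cs in [("?l?l?l?l?l?l?l?l", None), ("?u?l?l?l?l?l?d?d", None),
                  ("?a?a?a?a?a?a", None), ("?1?1?1?1?1?1", {"1": "?d"})]:
        print(f"{m:20} keyspace={keyspace(m, cs):>15,}  "
              f"worst case {seconds_at_rate(m, cs and None or 1e10, cs):.1f} s")
```

Use `hashcat -b` (Step 4) to get the real rate for your hardware and hash mode, then plug it into `seconds_at_rate`; for a policy review the same numbers tell you how long a given password pattern survives against a known attacker budget.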

Step 7 — Cracking /etc/shadow

Unshadow and crack Linux password hashes

# After getting /etc/passwd and /etc/shadow from a target:

# Combine them (John requires this format)
unshadow /etc/passwd /etc/shadow > unshadowed.txt

# Crack with John
john unshadowed.txt --wordlist=/usr/share/wordlists/rockyou.txt

# For Hashcat — extract just the hashes
# SHA-512crypt ($6$) is mode 1800
grep '$6$' /etc/shadow | cut -d: -f2 > sha512_hashes.txt
hashcat -m 1800 sha512_hashes.txt /usr/share/wordlists/rockyou.txt

Step 8 — Windows NTLM Hashes

Crack hashes dumped from Windows SAM database or domain controller

# NTLM hashes from secretsdump or Meterpreter hashdump look like:
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# The NTLM hash is the last 32-char section before :::

# Extract and crack with Hashcat (-m 1000 = NTLM)
hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt

# Check if hash is blank password (no cracking needed)
# aad3b435b51404eeaad3b435b51404ee = LM empty hash
# 31d6cfe0d16ae931b73c59d7e0c089c0 = NTLM empty hash (blank password!)

# Pass-the-Hash (use hash without cracking it!)
# With CrackMapExec:
crackmapexec smb 10.10.10.1 -u Administrator -H 31d6cfe0d16ae931b73c59d7e0c089c0
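Before any cracking run in Steps 7 and 8, the dump itself already answers several questions: which accounts have no password hash to crack (locked or `*`/`!` entries in shadow), which Windows accounts have a blank password (the empty NT hash quoted above), which still store an LM hash, and which accounts share the same NT hash (identical passwords). The following added Python example (not part of this lab, secretsdump, hashcat or John) parses both formats and reports those findings, and emits the de-duplicated NT hash list that `hashcat -m 1000` expects. Both sample dumps are constructed; the non-empty hash values in them are made-up placeholders, not real hashes.

```python
from collections import defaultdict

LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password (quoted above)
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password (quoted above)

# Constructed sample in secretsdump / hashdump format: user:rid:lm:nt:::
# The 0011.../ffee.../0123... values are placeholders, not real hashes.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
legacy:1003:0123456789abcdef0123456789abcdef:ffeeddccbbaa99887766554433221100:::
"""

# Constructed sample /etc/shadow: user:hash:lastchg:min:max:warn:inactive:expire:
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhashvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
oldbox:$1$constructedsalt$constructedhash:19000:0:99999:7:::
"""


def parse_pwdump(text):
    """Yield (user, rid, lm, nt) from pwdump-format lines; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if len(lm) == 32 and len(nt) == 32:
            yield user, rid, lm, nt


def audit_pwdump(text):
    """Findings worth reporting from a SAM/NTDS dump before any cracking starts."""
    findings = {"blank_password": [], "lm_hash_present": [],
                "shared_nt_hash": {}, "nt_hashes_to_crack": []}
    by_nt = defaultdict(list)
    for user, _rid, lm, nt in parse_pwdump(text):
        if nt == NT_EMPTY:
            findings["blank_password"].append(user)      # nothing to crack, as noted above
            continue
        if lm != LM_EMPTY:
            findings["lm_hash_present"].append(user)     # LM storage still enabled for this account
        by_nt[nt].append(user)
    findings["shared_nt_hash"] = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    findings["nt_hashes_to_crack"] = sorted(by_nt)       # one unique hash per line for hashcat -m 1000
    return findings


def parse_shadow(text):
    """Return {user: hash} for accounts that actually carry a password hash.

    A field of '*', '!' or '!!' marks a locked or passwordless account; there is
    nothing to crack for it, so unshadow output for it is noise.
    """
    result = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, field = parts[0], parts[1]
        if field and field[0] not in "*!":
            result[user] = field
    return result


def shadow_algorithms(text):
    """Map each crackable account to its crypt prefix: '$6$' sha512crypt, '$1$' md5crypt, ..."""
    out = {}
    for user, h in parse_shadow(text).items():
        out[user] = h[:h.find("$", 1) + 1] if h.startswith("$") else "descrypt"
    return out


if __name__ == "__main__":
    print(audit_pwdump(SAMPLE_PWDUMP))
    print(shadow_algorithms(SAMPLE_SHADOW))
```

On a real engagement the `$1$` account above is the finding: md5crypt is fast to attack and should not still be in a shadow file, and `shadow_algorithms` spots it without cracking anything. The `nt_hashes_to_crack` list written one per line replaces the `grep`/`cut` step for the Windows case.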

📋 Password Cracking Cheat Sheet

Task                  Command
Identify hash         hashid -m '<hash>'
John wordlist         john hash.txt --wordlist=rockyou.txt
John show cracked     john hash.txt --show
Hashcat MD5 dict      hashcat -m 0 -a 0 hash.txt rockyou.txt
Hashcat NTLM          hashcat -m 1000 -a 0 hash.txt rockyou.txt
Hashcat bcrypt        hashcat -m 3200 -a 0 hash.txt rockyou.txt
Hashcat SHA-512crypt  hashcat -m 1800 -a 0 hash.txt rockyou.txt
With rules            hashcat -m 0 -a 0 hash.txt wl.txt -r best64.rule
Mask attack           hashcat -m 0 -a 3 hash.txt ?u?l?l?l?d?d
Unshadow Linux        unshadow passwd shadow > out.txt
✅ Lab Complete! You can now crack most common hash types. Next, learn Wireshark to capture credentials from network traffic.