Ethical Hacking
Password Cracking
Passwords protect almost everything. When a hash leaks — from a database breach, a misconfigured service, or a captured authentication exchange — password cracking turns that hash back into plaintext. This lesson covers how it works and how professionals do it legally in an engagement.
Hashes, not passwords
Systems rarely store your actual password. They store a hash — the output of a one-way mathematical function that converts your password into a fixed-length string. When you log in, the system hashes what you typed and compares it to what is stored. If they match, you are in.
The word "one-way" is important. You cannot mathematically reverse a hash to recover the original password. What you can do is compute hashes of candidate passwords and compare them to the target hash until you find a match. That is password cracking — not decryption, not reversing a hash, but educated guessing at enormous speed.
Modern GPUs can compute billions of hashes per second. A 6-character lowercase password in MD5 can be cracked in under a second on consumer hardware. The only thing standing between a leaked hash and a cracked password is the length and complexity of the original password — and whether the system used a strong hashing algorithm to begin with.
Hash types — identifying what you are dealing with
Before cracking a hash, you need to know what algorithm produced it. Different algorithms produce different output lengths and formats. Getting this wrong means your cracking tool spends hours computing the wrong hash type and finds nothing.
| Algorithm | Length | Example hash | Strength |
|---|---|---|---|
| MD5 | 32 chars | 5f4dcc3b5aa765d61d8327deb882cf99 | Weak |
| SHA-1 | 40 chars | 5baa61e4c9b93f3f0682250b6cf8331b... | Weak |
| SHA-256 | 64 chars | 5e884898da28047151d0e56f8dc62927... | Medium |
| bcrypt | 60 chars | $2a$12$R9h/cIPz0gi.URNNX3kh2O... | Strong |
| Argon2 | Variable | $argon2id$v=19$m=65536,t=2... | Very strong |
| NTLM | 32 chars | 8846f7eaee8fb117ad06bdd830b7586c | Weak |
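The table above identifies formats by length and prefix, which is exactly what tools like hashid do before any cracking starts. The following is an added example, not code from the lesson or from hashid, that encodes those shapes as patterns and maps them to the hashcat mode numbers quoted later in this lesson (SHA-1's mode 100 is added; Argon2 is left without one). The bcrypt, Argon2 and sha512crypt sample strings are shape-only placeholders built here, not hashes of any real password; the MD5 sample is the table's own.

```python
import hashlib
import re

# Shape-based hash identification. Patterns cover the lesson's table plus
# the sha512crypt format found in modern /etc/shadow files.
FORMATS = [
    # name, full-string pattern, hashcat mode (None if not listed here), strength
    ("bcrypt",      r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$",                        3200, "Strong"),
    ("Argon2",      r"^\$argon2(id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[^$]+\$[^$]+$",   None, "Very strong"),
    ("sha512crypt", r"^\$6\$(rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$", 1800, "Strong"),
    ("MD5",         r"^[0-9a-fA-F]{32}$",                                             0,    "Weak"),
    ("NTLM",        r"^[0-9a-fA-F]{32}$",                                             1000, "Weak"),
    ("SHA-1",       r"^[0-9a-fA-F]{40}$",                                             100,  "Weak"),
    ("SHA-256",     r"^[0-9a-fA-F]{64}$",                                             1400, "Medium"),
]
COMPILED = [(n, re.compile(p), m, s) for n, p, m, s in FORMATS]


def identify(hash_string):
    """Return (name, hashcat_mode, strength) for every format whose shape matches.

    A bare 32-hex digest is reported as both MD5 and NTLM on purpose: the
    string alone cannot tell them apart, only knowing where it came from can.
    """
    h = hash_string.strip()
    return [(name, mode, strength) for name, pat, mode, strength in COMPILED if pat.match(h)]


def hashcat_modes(hash_string):
    """Mode numbers to try, in order, for `hashcat -m`."""
    return [mode for _, mode, _ in identify(hash_string) if mode is not None]


# Constructed samples. The MD5 value is the lesson's own (md5 of "password");
# SHA-1/SHA-256 are computed here; the salted-format strings are placeholders
# with the right shape, not real hashes of anything.
SAMPLES = {
    "md5":         "5f4dcc3b5aa765d61d8327deb882cf99",
    "sha1":        hashlib.sha1(b"example").hexdigest(),
    "sha256":      hashlib.sha256(b"example").hexdigest(),
    "bcrypt":      "$2a$12$R9h/cIPz0gi.URNNX3kh2O" + "x" * 31,
    "argon2":      "$argon2id$v=19$m=65536,t=2,p=1$c2FsdHNhbHQ$" + "A" * 43,
    "sha512crypt": "$6$rounds=5000$saltsalt$" + "A" * 86,
    "unknown":     "not-a-hash",
}

if __name__ == "__main__":
    for label, h in SAMPLES.items():
        print(f"{label:12s} -> {identify(h) or 'no match'}")
```

The ambiguity on 32-hex strings is the practical lesson: a shape check narrows the field, but the source of the hash (a Windows SAM dump versus a web application's users table) is what settles MD5 against NTLM, and picking the wrong one wastes the whole run.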
bcrypt and Argon2 are deliberately slow algorithms — they are designed to take significantly longer to compute, which multiplies the time needed to crack them. A hash that takes 0.001ms to compute in MD5 takes 100ms in bcrypt. That difference means billions of guesses per second for MD5 becomes ten thousand per second for bcrypt. Password storage algorithm choice matters enormously.
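To make the cost gap described above measurable, here is an added example that is not part of the lesson or of either cracking tool. It times unsalted MD5 against a deliberately slow, salted scheme. Python's standard-library PBKDF2-HMAC-SHA256 stands in for bcrypt and Argon2 (an assumption made so the example needs no third-party package); the 100,000-iteration count is a constructed parameter, and the measured rates depend on the machine it runs on.

```python
import hashlib
import hmac
import os
import time

# Constructed work factor for the slow scheme. Higher means each guess costs more.
ITERATIONS = 100_000


def fast_store(password):
    """The weak scheme from the table: unsalted MD5. Same input, same output, every user."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_store(password, salt=None):
    """A slow, salted scheme. Salt and digest are stored together, as bcrypt/Argon2 strings do."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def slow_verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def guesses_per_second(hash_fn, n_guesses):
    """Time n_guesses candidate hashes and convert to a rate."""
    start = time.perf_counter()
    for i in range(n_guesses):
        hash_fn(f"candidate{i}")
    return n_guesses / (time.perf_counter() - start)


def slowdown_factor(fast_guesses=20_000, slow_guesses=5):
    """How many times fewer guesses per second the slow scheme permits on this machine."""
    salt = os.urandom(16)
    fast = guesses_per_second(fast_store, fast_guesses)
    slow = guesses_per_second(lambda p: slow_store(p, salt), slow_guesses)
    return fast / slow


def salting_demo(password):
    """Same password, two salts: two unrelated stored values, both of which verify."""
    a, b = slow_store(password), slow_store(password)
    return a != b and slow_verify(password, a) and slow_verify(password, b) and not slow_verify(password + "x", a)


if __name__ == "__main__":
    print("md5 of 'password':", fast_store("password"))
    print("slow scheme is ~%.0fx fewer guesses/s" % slowdown_factor())
    print("salting demo:", salting_demo("Password1!"))
```

Two things fall out of running it. The slow scheme cuts guess throughput by several orders of magnitude, which is the bcrypt/Argon2 argument in numbers. And because every user gets a different salt, one wordlist pass no longer covers every account at once: each hash has to be attacked separately, whereas with unsalted MD5 every user who chose "password" shares the table's 5f4dcc3b... value.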
Three cracking approaches — and when each is right
Dictionary attack
Most effective for real passwords.
Takes a wordlist of common passwords and hashes each one until a match is found. Works well because people are predictable — most real-world passwords are dictionary words, names, or simple patterns. The rockyou.txt wordlist alone — 14 million entries from a real breach — cracks a surprising proportion of MD5 hashes found in the wild.
Rule-based attack
Best for complex password policies.
Applies transformation rules to wordlist entries — capitalise the first letter, append a number, substitute @ for a, add an exclamation mark at the end. People who follow password complexity rules tend to apply them predictably. "Password1!" is a rule-based mutation of "password" that millions of people actually use.
Brute force
Last resort — time consuming.
Tries every possible character combination up to a specified length. Guaranteed to find the password eventually, but the time required grows exponentially with length. 8 characters of lowercase letters: manageable. 12 characters mixing upper, lower, digits, symbols: years on consumer hardware. Use for short PINs and known short passwords only.
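The three approaches at toy scale, as an added example that is not code from the lesson, John or hashcat. The six-entry wordlist stands in for rockyou.txt, the handful of mutation rules stands in for a rules file like best64.rule, and the brute-force keyspace arithmetic uses the 14.28 GH/s MD5 figure quoted in this lesson's hashcat output. The targets are built inside the block from constructed passwords so it runs offline.

```python
import hashlib
import itertools
import string


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "football"]


def dictionary_attack(target, wordlist):
    """Hash each word once and compare; stop at the first match."""
    for word in wordlist:
        if md5_hex(word) == target:
            return word
    return None


def mutate(word):
    """A few rules of the kind the lesson lists: capitalise, substitute @ for a, append suffixes."""
    cap = word.capitalize()
    leet = word.replace("a", "@")
    for base in (word, cap, leet, leet.capitalize()):
        yield base
        for suffix in ("1", "123", "!", "1!", "2024"):
            yield base + suffix


def rule_attack(target, wordlist):
    """Dictionary attack over every mutation of every word."""
    for word in wordlist:
        for candidate in mutate(word):
            if md5_hex(candidate) == target:
                return candidate
    return None


def brute_force(target, alphabet, max_len):
    """Exhaust every string up to max_len over alphabet. Only sane for tiny keyspaces."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if md5_hex(candidate) == target:
                return candidate
    return None


def keyspace(alphabet_size, length):
    """Number of candidates brute force must cover: grows exponentially in length."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, rate=14_284_400_000):
    """Worst-case time at a given hash rate; default is the lesson's RTX 3070 MD5 figure."""
    return keyspace(alphabet_size, length) / rate


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(md5_hex("qwerty"), WORDLIST))
    print("rules:     ", rule_attack(md5_hex("Password1!"), WORDLIST))
    print("brute PIN: ", brute_force(md5_hex("0419"), string.digits, 4))
    print("26^8 lowercase, seconds:", round(seconds_to_exhaust(26, 8), 1))
    print("95^12 full charset, years:", round(seconds_to_exhaust(95, 12) / (365 * 86400)))
```

The keyspace numbers make the "last resort" label concrete: eight lowercase letters fall in about fifteen seconds at that rate, while twelve characters over the full printable set take over a million years, which is why no one brute-forces the fourth hash in the John run below before trying rules first.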
Cracking with John the Ripper
John the Ripper — universally called just "John" — is one of the oldest and most versatile password cracking tools. It auto-detects hash types, supports hundreds of formats, and has an intelligent cracking mode that combines dictionary and rule-based attacks automatically. It is the tool most pen testers reach for first because it just works with minimal configuration.
The scenario: You are on an internal engagement. You found the /etc/shadow file on a Linux server through a misconfiguration — it was readable by your low-privilege user. You copied the hashes to your Kali machine and now need to crack them to identify which accounts use weak passwords. The client has authorised credential testing as part of the engagement scope.
```bash
# First — identify what hash format we are dealing with
# hash-identifier reads a hash and tells you the most likely algorithm
# Knowing the format lets John use the correct cracking mode
hash-identifier

# Alternatively, use the hashid tool for more detailed format analysis
# -m flag tells hashid to also output the hashcat mode number (useful later)
hashid -m '$6$rounds=5000$example$hashedvalue...'

# Run John with a dictionary attack using the rockyou wordlist
# --wordlist points to our dictionary file — rockyou.txt has 14 million entries
# --format=sha512crypt tells John the exact hash format to use
# (sha512crypt is the format used in modern /etc/shadow files)
# hashes.txt contains the hashes we extracted from the target system
john --wordlist=/usr/share/wordlists/rockyou.txt \
     --format=sha512crypt \
     hashes.txt

# Show cracked passwords after the run completes
# --show displays all passwords John has cracked so far
# John stores cracked results in ~/.john/john.pot between sessions
john --show hashes.txt
```
```text
Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (sha512crypt [SHA512 256/256 AVX2 4x])
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
msfadmin         (msfadmin)
password         (user)
123456           (service)
3g 0:00:00:08 DONE (2024-11-12 09:34) 0.3759g/s 1284p/s
Session completed.

--- john --show ---
msfadmin:msfadmin:1001:1001:,,,:/home/msfadmin:/bin/bash
user:password:1002:1002:,,,:/home/user:/bin/bash
service:123456:1003:1003:,,,:/home/service:/bin/bash

3 password hashes cracked, 1 left.
```
Breaking it down:
The msfadmin account's password is identical to its username. This is the weakest possible credential pattern — it would be the first guess in any manual brute-force attempt. On a real engagement this goes into the report as a critical finding: predictable credentials on a privileged account.
Three of four hashes cracked from the rockyou.txt wordlist in under ten seconds. The one remaining hash likely belongs to an account with a stronger password — it survived the dictionary attack. The next step for that one would be a rule-based attack layering common transformations on top of the wordlist, then potentially a targeted brute force if the account is high-value enough to justify the time.
John writes all cracked passwords to ~/.john/john.pot between sessions. This means if you stop and restart a cracking session, John picks up where it left off rather than starting again from scratch. Always check john.pot before re-running a crack — your results may already be there from a previous session.
Cracking with hashcat — GPU power
John runs on the CPU. Hashcat runs on the GPU — and the difference in speed is dramatic. A modern gaming GPU can compute hundreds of billions of MD5 hashes per second. For hash types that are computationally cheap like MD5 and NTLM, hashcat is the tool of choice. For slow hashes like bcrypt, the speed advantage shrinks considerably because the algorithm itself is the bottleneck.
Hashcat identifies hash types by number rather than name — a hashcat mode. MD5 is mode 0. NTLM is mode 1000. SHA-256 is mode 1400. The hashid tool with the -m flag tells you the right mode number to use.
```bash
# Hashcat dictionary attack against an MD5 hash
# All operations run on GPU for maximum speed
# -m 0 specifies hash mode — 0 is MD5
# other common modes: 1000 = NTLM, 1800 = sha512crypt, 3200 = bcrypt
# -a 0 specifies attack mode — 0 is dictionary (wordlist) attack
# other attack modes: 1 = combination, 3 = brute force mask, 6 = hybrid
# hashes.txt contains the MD5 hashes to crack, one per line
# rockyou.txt is the wordlist — tried against each hash in sequence
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# Rule-based attack — applies transformation rules to each wordlist entry
# -r points to a rules file — best64.rule applies 64 common password mutations
# (capitalise, append numbers, substitute letters, add symbols etc.)
# Catches passwords like Password1, p@ssword, password! that plain wordlists miss
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt \
        -r /usr/share/hashcat/rules/best64.rule

# Show cracked results after the run
# --show reads from hashcat's potfile (~/.hashcat/hashcat.potfile)
hashcat -m 0 hashes.txt --show
```
```text
hashcat (v6.2.6) starting...

OpenCL API (OpenCL 3.0) - Platform #1 [NVIDIA]
* Device #1: NVIDIA GeForce RTX 3070, 7680/8191 MiB, 46MCU

Hashes: 3 digests; 3 unique digests, 1 unique salts
Speed: 14284.4 MH/s (14 billion hashes/second)

5f4dcc3b5aa765d61d8327deb882cf99:password
e10adc3949ba59abbe56e057f20f883e:123456
d8578edf8458ce06fbc5bb76a58c5ca4:qwerty

Session..........: hashcat
Status...........: Cracked
Recovered........: 3/3 (100.00%)
Time.Started.....: Mon Nov 12 09:41:22 2024
Time.Estimated...: 0 secs

--- --show output ---
5f4dcc3b5aa765d61d8327deb882cf99:password
e10adc3949ba59abbe56e057f20f883e:123456
d8578edf8458ce06fbc5bb76a58c5ca4:qwerty
```
Breaking it down:
An RTX 3070 computing 14 billion MD5 hashes every second. The entire rockyou.txt wordlist of 14 million entries runs in about one millisecond. This is why MD5 password storage is considered categorically broken — any MD5-hashed password that appears in a common wordlist is cracked before the tool has fully started. This speed is also why length matters far more than complexity for passwords stored in MD5.
Hashcat displays results as hash:plaintext pairs. This is the format the potfile stores them in. When you need to match a cracked password back to an account, you cross-reference the hash in the output against the hash you extracted from the system. The hash is the unique identifier that connects the cracked password to the account it belongs to.
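The cross-referencing step described above is where cracked hashes turn into report findings. The following is an added example, not part of the lesson or of hashcat, that joins a potfile (hash:plaintext lines, the three from the output above plus one constructed) against a constructed user:hash export, flags the password-equals-username pattern the John section called critical, and surfaces password reuse, which unsalted hashes make visible because identical hashes mean identical passwords. All account names are hypothetical.

```python
import hashlib


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


# Constructed potfile. The first three lines are the lesson's hashcat output;
# the fourth is built here to exercise the username-as-password check.
POTFILE = """\
5f4dcc3b5aa765d61d8327deb882cf99:password
e10adc3949ba59abbe56e057f20f883e:123456
d8578edf8458ce06fbc5bb76a58c5ca4:qwerty
""" + md5_hex("svc_backup") + ":svc_backup\n"

# Constructed user:hash export from a hypothetical application database.
# 'dave' carries a placeholder digest that no potfile entry matches.
ACCOUNTS = """\
alice:5f4dcc3b5aa765d61d8327deb882cf99
bob:e10adc3949ba59abbe56e057f20f883e
carol:d8578edf8458ce06fbc5bb76a58c5ca4
erin:5f4dcc3b5aa765d61d8327deb882cf99
svc_backup:""" + md5_hex("svc_backup") + """
dave:0123456789abcdef0123456789abcdef
"""


def parse_potfile(text):
    """One hash:plaintext per line. Split on the first ':' only; plaintexts may contain colons."""
    cracked = {}
    for line in text.splitlines():
        if line.strip():
            h, _, plain = line.partition(":")
            cracked[h.lower()] = plain
    return cracked


def parse_accounts(text):
    """user:hash lines, hash lower-cased so it joins cleanly against the potfile."""
    accounts = {}
    for line in text.splitlines():
        if line.strip():
            user, _, h = line.partition(":")
            accounts[user] = h.lower()
    return accounts


def build_report(accounts_text, potfile_text):
    """Return (user, plaintext_or_None, finding) per account; the hash is the join key."""
    cracked = parse_potfile(potfile_text)
    findings = []
    for user, h in parse_accounts(accounts_text).items():
        if h not in cracked:
            findings.append((user, None, "not cracked"))
        elif cracked[h].lower() == user.lower():
            findings.append((user, cracked[h], "critical: password equals username"))
        else:
            findings.append((user, cracked[h], "high: password in common wordlist"))
    return findings


def shared_passwords(accounts_text):
    """Groups of users with the same hash, hence the same password, without cracking anything."""
    by_hash = {}
    for user, h in parse_accounts(accounts_text).items():
        by_hash.setdefault(h, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    for user, plain, finding in build_report(ACCOUNTS, POTFILE):
        print(f"{user:12s} {str(plain):12s} {finding}")
    print("reuse:", shared_passwords(ACCOUNTS))
```

The reuse check is worth noting separately: it needs no cracking at all, only the observation that an unsalted scheme gives identical users identical hashes. That is itself a finding about the storage scheme, independent of how weak any individual password turns out to be.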
Wordlists — the quality of your list determines the quality of your results
The wordlist is the most important variable in a dictionary attack. A bad wordlist against a weak password produces nothing. A good wordlist against a strong password also produces nothing. The art is matching the wordlist to the target context — what kind of organisation is this, what are their password policies, what language do they operate in, are there any clues from the OSINT phase?
| File | Entries | Best used for |
|---|---|---|
| /usr/share/wordlists/rockyou.txt | 14.3M | First pass on any hash — covers the vast majority of common password patterns |
| /usr/share/wordlists/fasttrack.txt | 222 | Quick check for the most trivially weak passwords — default creds, company names, seasons |
| /usr/share/seclists/Passwords/ | Varies | Specialised lists — leaked databases, service-specific defaults, language-specific wordlists |
| Custom list (built from OSINT) | Custom | Target-specific — company name, product names, city, sports team, employee names gathered during recon |
The custom list line in that table is worth expanding on. During recon you gathered the company name, location, product names, and sometimes employee names. A surprising number of people use their company name, the city they work in, or the name of their organisation's primary product as the base of their password. Building a short targeted wordlist from OSINT data — 50 to 100 entries — and running it first takes thirty seconds and occasionally cracks something that rockyou.txt would never touch.
Teacher's Note: Password cracking in this course runs against hashes you have legitimately obtained during an authorised engagement — either from the /etc/shadow file via a misconfiguration, a database dump, or a captured network authentication exchange. Cracking hashes you found without authorisation, or attempting to crack hashes of accounts outside your engagement scope, is a criminal offence regardless of the technique used.