Password Cracking with Hashcat and John the Ripper: Complete Guide

Password cracking is a fundamental skill in penetration testing and security assessments. This guide covers how to use Hashcat and John the Ripper to crack password hashes, identify hash types, and optimize your cracking approach.

Understanding Password Hashes

Systems store password hashes rather than the plaintext passwords. Hashes recovered during an assessment therefore have to be cracked, by guessing candidates and checking them against the hash, to recover the original passwords.

Common Hash Types

# MD5
5d41402abc4b2a76b9719d911017c592

# SHA1
aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d

# SHA256
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

# NTLM (Windows)
32ed87bdb5fdc5e9cba88547376818d4

# NetNTLMv2
admin::DOMAIN:1122334455667788:aabbccdd...

# bcrypt
$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy

# Linux shadow (SHA512)
$6$rounds=5000$saltsalt$hashhashhashhash...

# MySQL
*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19

Identifying Hash Types

# Using hashid
hashid hash.txt
hashid '5d41402abc4b2a76b9719d911017c592'

# Using hash-identifier
hash-identifier

# Using name-that-hash
nth --text '5d41402abc4b2a76b9719d911017c592'

# Online tools
# hashes.com/en/tools/hash_identifier

Hashcat

Hashcat is a GPU-accelerated password cracker and is generally the fastest option when a GPU is available.

Installation

# Kali Linux
sudo apt install hashcat

# Check GPU support
hashcat -I

Basic Syntax

hashcat -m [hash_type] -a [attack_mode] [hash_file] [wordlist/mask]

# -m : Hash type (see hashcat --help for full list)
# -a : Attack mode (0=dictionary, 1=combination, 3=brute-force/mask, 6=hybrid wordlist+mask, 7=hybrid mask+wordlist)

Common Hash Type Codes

# Hash Mode (-m)
0     MD5
100   SHA1
1400  SHA256
1700  SHA512
1000  NTLM
3000  LM
5500  NetNTLMv1
5600  NetNTLMv2
3200  bcrypt
1800  sha512crypt (Linux)
500   md5crypt (Linux)
13100 Kerberos TGS-REP (Kerberoasting)
18200 Kerberos AS-REP (ASREPRoast)
7500  Kerberos AS-REQ Pre-Auth
22000 WPA-PBKDF2-PMKID+EAPOL
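As an added example (not part of the original guide, nor of hashid, hashcat or john), a POSIX shell helper that classifies the sample hashes shown earlier by prefix and length and prints the hashcat -m code and john --format to use. identify_hash and identify_file are hypothetical names; the MySQL and NetNTLMv2 mappings (-m 300 / mysql-sha1, -m 5600 / netntlmv2) go beyond the code table above.

```shell
#!/bin/sh
# Added helper (not part of hashid, hashcat or john): classify a hash by its
# prefix and length and print the hashcat -m code and john --format to use.
# Bare hex digests are ambiguous (32 hex is MD5 or NTLM), so that case
# reports both and leaves the decision to where the hash came from.
identify_hash() {
  h="$1"
  case "$h" in
    '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt: hashcat -m 3200, john --format=bcrypt" ;;
    '$6$'*)   echo "sha512crypt: hashcat -m 1800, john --format=sha512crypt" ;;
    '$5$'*)   echo "sha256crypt: hashcat -m 7400, john --format=sha256crypt" ;;
    '$1$'*)   echo "md5crypt: hashcat -m 500, john --format=md5crypt" ;;
    '*'*)     echo "MySQL 4.1+: hashcat -m 300, john --format=mysql-sha1" ;;
    *::*:*:*) echo "NetNTLMv2: hashcat -m 5600, john --format=netntlmv2" ;;
    *[!0-9a-fA-F]*) echo "unknown" ;;        # not a bare hex digest either
    *)
      case ${#h} in                          # bare hex: decide by length
        32)  echo "MD5 or NTLM: hashcat -m 0 or -m 1000, john --format=raw-md5 or nt" ;;
        40)  echo "SHA-1: hashcat -m 100, john --format=raw-sha1" ;;
        64)  echo "SHA-256: hashcat -m 1400, john --format=raw-sha256" ;;
        128) echo "SHA-512: hashcat -m 1700, john --format=raw-sha512" ;;
        *)   echo "unknown" ;;
      esac ;;
  esac
}

# Classify every non-empty line read on stdin (one hash per line).
identify_file() {
  while IFS= read -r line || [ -n "$line" ]; do
    if [ -n "$line" ]; then
      printf '%s  ->  %s\n' "$line" "$(identify_hash "$line")"
    fi
  done
}

# Constructed sample input, taken from the hash examples in this guide.
identify_file <<'EOF'
5d41402abc4b2a76b9719d911017c592
aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
admin::DOMAIN:1122334455667788:aabbccdd
EOF
```

Run it as `sh identify.sh` or feed a real file with `identify_file < hashes.txt`; treat the 32-hex result as a prompt to check the source (web app database versus Windows SAM) before picking -m 0 or -m 1000.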

Dictionary Attack

# Basic dictionary attack
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# With rules
hashcat -m 0 -a 0 hashes.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule

# Multiple rules
hashcat -m 0 -a 0 hashes.txt wordlist.txt -r rule1.rule -r rule2.rule

# Show cracked passwords
hashcat -m 0 hashes.txt --show

Brute Force Attack

# Mask attack (brute force)
hashcat -m 0 -a 3 hashes.txt ?a?a?a?a?a?a

# Character sets:
# ?l = lowercase (a-z)
# ?u = uppercase (A-Z)
# ?d = digits (0-9)
# ?s = special characters
# ?a = all characters
# ?b = binary (0x00-0xff)

# Examples
hashcat -m 0 -a 3 hashes.txt ?d?d?d?d?d?d      # 6 digits
hashcat -m 0 -a 3 hashes.txt ?u?l?l?l?l?l?d?d  # Ullllldd pattern
hashcat -m 0 -a 3 hashes.txt Company?d?d?d?d   # Company + 4 digits

# Increment mode (try shorter lengths first)
hashcat -m 0 -a 3 hashes.txt ?a?a?a?a?a?a --increment --increment-min=4
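As an added example, not from the original guide or from hashcat itself, a shell helper that computes the keyspace of the masks above (including the --increment case) and the seconds needed to exhaust it at an assumed hash rate. mask_keyspace and eta_seconds are hypothetical names, and the 10 GH/s and 10 kH/s rates are assumptions chosen to show why a mask that falls in seconds against NTLM takes years against bcrypt.

```shell
#!/bin/sh
# Added helper (not part of hashcat): count the candidates a hashcat mask
# produces, optionally summed over --increment lengths, and estimate run
# time at an assumed rate. Charset sizes are hashcat's built-ins:
# ?l/?u 26, ?d 10, ?s 33, ?a 95, ?b 256; any other character is a literal.
mask_keyspace() {
  m="$1"; min="${2:-0}"; total=1; sum=0; len=0
  while [ -n "$m" ]; do
    c=${m%"${m#?}"}; m=${m#?}            # pop the first character
    if [ "$c" = "?" ]; then
      cls=${m%"${m#?}"}; m=${m#?}        # pop the class letter after "?"
      case "$cls" in
        l|u) n=26 ;;  d) n=10 ;;  s) n=33 ;;  a) n=95 ;;  b) n=256 ;;
        '?') n=1 ;;                      # "??" is a literal question mark
        *) echo "bad mask class: ?$cls" >&2; return 1 ;;
      esac
    else
      n=1                                # literal, e.g. the "Company" prefix
    fi
    total=$((total * n)); len=$((len + 1))
    if [ "$len" -ge "$min" ]; then sum=$((sum + total)); fi
  done
  # With an increment minimum, report the sum over lengths min..full.
  if [ "$min" -gt 0 ]; then echo "$sum"; else echo "$total"; fi
}

# Whole seconds to exhaust KEYSPACE at RATE hashes per second.
eta_seconds() { echo $(( $1 / $2 )); }

# The rates are assumptions for illustration, not benchmark figures.
for mask in '?d?d?d?d?d?d' '?u?l?l?l?l?l?d?d' 'Company?d?d?d?d' '?a?a?a?a?a?a'; do
  k=$(mask_keyspace "$mask")
  printf '%-18s %14s candidates  NTLM@10GH/s: %6ss  bcrypt@10kH/s: %10ss\n' \
    "$mask" "$k" "$(eta_seconds "$k" 10000000000)" "$(eta_seconds "$k" 10000)"
done
printf '?a?a?a?a?a?a --increment --increment-min=4: %s candidates\n' \
  "$(mask_keyspace '?a?a?a?a?a?a' 4)"
```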

Hybrid Attacks

# Wordlist + mask (append)
hashcat -m 0 -a 6 hashes.txt wordlist.txt ?d?d?d

# Mask + wordlist (prepend)
hashcat -m 0 -a 7 hashes.txt ?d?d?d wordlist.txt

Useful Hashcat Options

# Output to file
hashcat -m 0 -a 0 hashes.txt wordlist.txt -o cracked.txt

# Status updates
hashcat -m 0 -a 0 hashes.txt wordlist.txt --status --status-timer=10

# Restore session
hashcat --restore

# Optimized kernels (-O, caps candidate length) with a high workload profile (-w 3)
hashcat -m 0 -a 0 hashes.txt wordlist.txt -O -w 3

# Force CPU (if GPU issues)
hashcat -m 0 -a 0 hashes.txt wordlist.txt -D 1

John the Ripper

John the Ripper (JtR) is a versatile password cracker that works well on CPU and supports many hash formats.

Installation

# Kali Linux (Jumbo version)
sudo apt install john

# Check version
john --version

Basic Usage

# Auto-detect hash type
john hashes.txt

# Specify format
john --format=raw-md5 hashes.txt

# Show cracked passwords
john --show hashes.txt

# List supported formats
john --list=formats

Dictionary Attack

# Wordlist attack
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# With rules
john --wordlist=wordlist.txt --rules hashes.txt

# Specific rule set
john --wordlist=wordlist.txt --rules=best64 hashes.txt

Incremental Mode (Brute Force)

# Default incremental
john --incremental hashes.txt

# Specific character set
john --incremental=digits hashes.txt
john --incremental=lower hashes.txt
john --incremental=alpha hashes.txt

Mask Mode

# Mask attack
john --mask=?d?d?d?d?d?d hashes.txt

# Hybrid mask: ?w is replaced by each word from the wordlist
john --mask=?w?d?d?d?d --wordlist=words.txt hashes.txt

Extracting Hashes

John includes tools to extract hashes from various file formats:

# ZIP files
zip2john protected.zip > zip.hash
john zip.hash

# RAR files
rar2john protected.rar > rar.hash

# PDF files
pdf2john protected.pdf > pdf.hash

# Office documents
office2john document.docx > office.hash

# SSH private keys
ssh2john id_rsa > ssh.hash

# KeePass databases
keepass2john database.kdbx > keepass.hash

# 7z archives
7z2john archive.7z > 7z.hash

# Linux shadow file
unshadow /etc/passwd /etc/shadow > unshadowed.txt
john unshadowed.txt

Cracking Specific Hash Types

Windows NTLM Hashes

# From hashdump output: user:rid:lm:ntlm:::
# Put only the NTLM portion (the fourth colon-separated field) in ntlm.txt

# Hashcat
hashcat -m 1000 -a 0 ntlm.txt rockyou.txt

# John
john --format=nt ntlm.txt --wordlist=rockyou.txt

Linux Shadow Hashes

# SHA512 ($6$)
hashcat -m 1800 -a 0 shadow.txt rockyou.txt
john --format=sha512crypt shadow.txt

# SHA256 ($5$)
hashcat -m 7400 -a 0 shadow.txt rockyou.txt

# MD5 ($1$)
hashcat -m 500 -a 0 shadow.txt rockyou.txt

Kerberos Hashes (Kerberoasting)

# TGS-REP (Kerberoasting)
hashcat -m 13100 -a 0 tgs.txt rockyou.txt

# AS-REP (ASREPRoasting)
hashcat -m 18200 -a 0 asrep.txt rockyou.txt

WPA/WPA2 Handshakes

# Legacy: convert cap to hccapx with cap2hccapx from hashcat-utils (used with the deprecated mode 2500)
cap2hccapx capture.cap capture.hccapx

# Preferred: hcxpcapngtool from hcxtools writes the 22000 format used below
hcxpcapngtool -o hash.hc22000 capture.pcapng

# Crack
hashcat -m 22000 -a 0 hash.hc22000 rockyou.txt

Wordlists and Rules

Popular Wordlists

# RockYou (most common)
/usr/share/wordlists/rockyou.txt

# SecLists
/usr/share/seclists/Passwords/

# Custom wordlists
# CeWL - generate from website
cewl https://target.com -w custom_words.txt

Hashcat Rules

# Built-in rules
/usr/share/hashcat/rules/best64.rule
/usr/share/hashcat/rules/rockyou-30000.rule
/usr/share/hashcat/rules/d3ad0ne.rule
/usr/share/hashcat/rules/dive.rule

# OneRuleToRuleThemAll
# Download from GitHub for comprehensive coverage

Performance Tips

  1. Use GPU: Hashcat with a good GPU is 50-100x faster than CPU
  2. Start with common passwords: Try rockyou.txt before brute force
  3. Use rules: Rules dramatically increase coverage with minimal speed impact
  4. Target weak algorithms first: MD5/NTLM crack faster than bcrypt
  5. Create targeted wordlists: Use CeWL on company websites
  6. Combine approaches: Dictionary, then rules, then hybrid, then brute force

Summary

Password cracking is essential for penetration testers to demonstrate the risk of weak passwords. Hashcat excels with GPU acceleration for fast cracking, while John the Ripper offers flexibility and great format support. Always use these tools ethically and only on systems you have permission to test.

Written by

Window Events
