Cheat sheet — Password & Credential Attacks¶
Companion to Module 09 — Password & Credential Attacks · CC BY 4.0 — print it, pin it, share it.
Last reviewed: 2026-07
Only crack hashes you obtained from systems you own or have explicit written permission to test.
Identify the hash first¶
hashid '$2b$12$...' # guess the hash type
# or feed a file: hashid -m hashes.txt (-m prints the hashcat mode)
hashcat --example-hashes | less # canonical example for every mode (confirm the format)
Common hashcat modes: 0 MD5 · 100 SHA1 · 1000 NTLM · 1800 sha512crypt ($6$) · 3200 bcrypt ($2*$) · 5600 NetNTLMv2 · 13100 Kerberoast (TGS).
Hashcat — attack modes (progressively smarter guessing)¶
# -a 0 dictionary (straight wordlist)
hashcat -m 1000 -a 0 hashes.txt rockyou.txt
# -a 0 + rules (mutate words: Password -> P@ssw0rd!)
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r rules/best64.rule
# -a 3 mask / brute force (known structure) — ?l lower ?u upper ?d digit ?s special ?a all
hashcat -m 0 -a 3 hashes.txt '?u?l?l?l?l?d?d?d'
# -a 6 hybrid: wordlist + mask appended
hashcat -m 0 -a 6 hashes.txt rockyou.txt '?d?d?d'
Hashcat — running and managing¶
hashcat -m 1000 -a 0 hashes.txt rockyou.txt --force # ignore benign warnings
hashcat -m 1000 hashes.txt rockyou.txt -O -w 3 # -O optimized kernel, -w tune workload
hashcat -m 1000 hashes.txt --show # print already-cracked pairs
hashcat --restore # resume an interrupted session
hashcat -b # benchmark your GPU
# status keys while running: s = status, p = pause, q = quit
John the Ripper — quick and format-flexible¶
john --list=formats | less # supported hash formats
john --format=nt hashes.txt --wordlist=rockyou.txt --rules
john hashes.txt # auto-detect + default modes
john --show hashes.txt # display cracked passwords
# turn app files into crackable hashes with the *2john helpers:
zip2john secret.zip > zip.hash
ssh2john id_rsa > key.hash
Capturing credentials (not just cracking)¶
# spraying: ONE password across MANY users (avoids lockout that per-user brute force triggers)
# e.g. with crackmapexec — one attempt per account, then move on:
crackmapexec smb 10.0.0.0/24 -u users.txt -p 'Winter2026!' --continue-on-success
Gotchas worth remembering¶
- Security is cost-per-guess. MD5/NTLM fall at billions/sec on a GPU — a dumped database is effectively plaintext within hours. bcrypt/argon2 are designed to make each guess thousands of times costlier, so the same dump is infeasible. The hash type, not the wordlist, decides whether you win.
- Reuse beats cracking. The dominant real-world vector isn't GPU horsepower — it's credentials from one breach sprayed everywhere else. Check breach data and try spraying before you burn hours on a slow hash.
- Spray, don't brute-force, against live services. Many passwords against one account locks it and alerts the SOC; one password across many accounts stays under lockout thresholds. Watch the policy.
- Confirm the hash type before you spend GPU-hours.
hashidguesses and is often wrong (e.g.$2a$bcrypt vs a truncated SHA); the wrong-mcracks nothing while looking busy. Verify against--example-hashes. - Rules are the highest-leverage knob.
best64.ruleover a good wordlist finds far more than a longer wordlist alone — most real passwords are a dictionary word plus a predictable mutation.
Comments
Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).