Password Attacks & Hash Cracking
Passwords remain the weakest link in security. Despite decades of security awareness, humans still choose terrible passwords, reuse them everywhere, and store them poorly. Understanding how attackers crack passwords is essential for building better defenses.
81% of breaches involve weak or stolen passwords. The average person reuses passwords across 14 accounts. Password cracking has become industrialized—attackers can test billions of combinations per second.
Common Hash Types
# MD5 (32 hex chars) - Weak, fast to crack
5f4dcc3b5aa765d61d8327deb882cf99
# SHA1 (40 hex chars) - Weak, no salting
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
# SHA256 (64 hex chars) - Stronger, but still fast
5e884898da28047d9d6b084f2b1bf4dfcd83d1e53e84eb8e9e04095e08d8d6e2
# bcrypt - Slow by design, includes salt
$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
# NTLM (Windows) - Fast, no salting
32ed87bdb5fdc5e9cba88547376818d4
# Kerberos TGS (Kerberoasting target)
$krb5tgs$23$*user$realm$spn*$hash...
# sha512crypt (Linux /etc/shadow)
$6$rounds=5000$saltsalt$hash...
# WPA2 handshake (wireless)
Captured in .cap/.hccapx format
Hashcat - GPU-Accelerated Cracking
The world's fastest password cracker. Leverages GPU parallelism to test billions of hashes per second. Essential tool for any red teamer.
Basic Usage
# Dictionary attack on MD5
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
# Common hash modes (-m):
# 0 = MD5
# 100 = SHA1
# 1000 = NTLM
# 1800 = sha512crypt (Linux)
# 3200 = bcrypt
# 5600 = NetNTLMv2
# 13100 = Kerberos TGS
# 22000 = WPA-PBKDF2-PMKID+EAPOL
# Attack modes (-a):
# 0 = Dictionary
# 1 = Combination
# 3 = Brute-force/Mask
# 6 = Dictionary + Mask
# 7 = Mask + Dictionary
# Brute-force with mask (8 char lowercase + digit)
hashcat -m 0 -a 3 hashes.txt ?l?l?l?l?l?l?l?d
# Mask charsets:
# ?l = lowercase (a-z)
# ?u = uppercase (A-Z)
# ?d = digits (0-9)
# ?s = special (!@#$...)
# ?a = all printable
Rule-Based Attacks
# Apply rules to transform wordlist
hashcat -m 0 -a 0 hashes.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule
# Common rules:
# best64.rule - Top 64 most effective rules
# rockyou-30000.rule - Derived from rockyou analysis
# d3ad0ne.rule - Large rule set
# dive.rule - Deep mutations
# Example rule transformations:
# password → Password (capitalize first)
# password → password1 (append digit)
# password → p@ssword (leet speak)
# password → drowssap (reverse)
# password → PASSWORD (uppercase)
# password → password123 (append common suffix)
# Custom rule example (append year + !)
echo 'c $2$0$2$4$!' > custom.rule
hashcat -m 0 -a 0 hashes.txt wordlist.txt -r custom.rule
# password → Password2024!
Combinator Attack
# Combine two wordlists (word1 + word2)
hashcat -m 0 -a 1 hashes.txt wordlist1.txt wordlist2.txt
# wordlist1: love, hate, password
# wordlist2: 123, 2024, you
# Produces: love123, love2024, loveyou, hate123, hate2024...
# Useful for patterns like: [word][number], [name][year]
John the Ripper
Classic password cracker with excellent format support. Better for CPU-based attacks and some niche formats that Hashcat doesn't support.
# Auto-detect hash type and crack
john hashes.txt
# Specify wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# Use specific format
john --format=raw-md5 hashes.txt
john --format=nt hashes.txt
john --format=sha512crypt hashes.txt
# Extract hashes from files
# Linux password file
unshadow /etc/passwd /etc/shadow > unshadowed.txt
john unshadowed.txt
# SSH private keys
ssh2john id_rsa > ssh_hash.txt
john ssh_hash.txt
# Zip files
zip2john protected.zip > zip_hash.txt
john zip_hash.txt
# Show cracked passwords
john --show hashes.txt
# Rules (mangling)
john --wordlist=words.txt --rules hashes.txt
# Incremental (brute force)
john --incremental hashes.txt
Extract hashes from various formats: ssh2john, zip2john, rar2john, pdf2john, keepass2john, and more.
Rainbow Tables
Precomputed hash-to-password lookup tables. Trade storage space for cracking time. Devastating against unsalted hashes.
# Traditional lookup table (huge storage)
5f4dcc3b5aa765d61d8327deb882cf99 → password
098f6bcd4621d373cade4e832627b4f6 → test
...
(Billions of entries, terabytes of storage)
# Rainbow table (clever compression)
# Uses reduction functions to create chains
# Store only chain endpoints
# Regenerate chain on lookup
# Example chain:
password → [hash] → [reduce] → jk8h2l → [hash] → [reduce] → ... → endpoint
# Lookup:
# 1. Hash target, apply reductions until match endpoint
# 2. Regenerate chain from start
# 3. Find password that hashes to target
# Tools:
# rtgen - Generate rainbow tables
# rcrack - Crack using rainbow tables
# Ophcrack - GUI tool with LM/NTLM tables
# Why salts defeat rainbow tables:
# password + "salt123" → completely different hash
# Would need separate rainbow table for every possible salt
# With 16-byte random salt: 2^128 possible tables needed = impossible
Online Password Attacks
Password Spraying
# Problem: Account lockout after N failed attempts
# Solution: Try common passwords across MANY accounts
# Instead of:
# user1: password1, password2, password3... (LOCKED OUT)
# Do:
# user1: Spring2024!
# user2: Spring2024!
# user3: Spring2024!
# (wait for lockout window)
# user1: Summer2024!
# user2: Summer2024!
# ...
# Common spray passwords:
# - Season + Year + ! (Spring2024!, Winter2024!)
# - Company + Year (Acme2024, Acme2024!)
# - Month + Year (January2024!)
# - Welcome + N (Welcome1, Welcome123)
# - Password + N (Password1, Password123!)
# Tools:
# Spray - https://github.com/Greenwolf/Spray
# Ruler - Exchange/O365 spraying
# CredMaster - AWS/Azure/GCP credential testing
# SprayingToolkit - Multi-protocol spraying
CrackMapExec
Swiss army knife for spraying across SMB, WinRM, LDAP, MSSQL, SSH.
crackmapexec smb 10.10.10.0/24 -u users.txt -p 'Spring2024!' --continue-on-success
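From the defender's side, the spraying pattern above (many accounts, each kept under the lockout threshold, from one source in a short window) is exactly what a detection should key on. The following Python is an added example, not part of the original page or of any tool listed here; it assumes a constructed, hypothetical log format of "timestamp source user result" and thresholds chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log; hypothetical format "<ISO timestamp> <src_ip> <user> <FAIL|SUCCESS>".
SAMPLE_LOG = """\
2024-03-04T09:00:01 10.10.10.50 alice FAIL
2024-03-04T09:00:02 10.10.10.50 bob FAIL
2024-03-04T09:00:03 10.10.10.50 carol FAIL
2024-03-04T09:00:04 10.10.10.50 dave FAIL
2024-03-04T09:00:05 10.10.10.50 erin FAIL
2024-03-04T09:00:06 10.10.10.50 frank SUCCESS
2024-03-04T09:00:07 10.10.10.50 grace FAIL
2024-03-04T09:05:00 10.10.10.77 alice FAIL
2024-03-04T09:05:01 10.10.10.77 alice FAIL
2024-03-04T09:05:02 10.10.10.77 alice FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse_events(log_text):
    """Return sorted (timestamp, src_ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return sorted(events)

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag a source that fails against many distinct accounts inside one window while
    staying under the per-account lockout threshold. One account with many failures
    (10.10.10.77 above) is the brute-force pattern and is deliberately not flagged here.
    Returns {src_ip: {"failed_users": [...], "successes": [...]}}."""
    by_src = defaultdict(list)
    for ts, src, user, result in parse_events(log_text):
        by_src[src].append((ts, user, result))
    alerts = {}
    for src, evs in by_src.items():
        for i, (t0, _, _) in enumerate(evs):            # slide the window over each start event
            fails, successes = defaultdict(int), set()
            for ts, user, result in evs[i:]:
                if ts - t0 > window:
                    break
                if result == "FAIL":
                    fails[user] += 1
                else:
                    successes.add(user)
            if len(fails) >= min_users and max(fails.values(), default=0) <= max_per_user:
                alerts[src] = {"failed_users": sorted(fails), "successes": sorted(successes)}
                break
    return alerts
```

The "successes" list is the part worth paging on: an account that authenticated during a spray is the one the attacker now holds.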
Credential Stuffing
# Use leaked credentials from breaches against other sites
# Relies on password reuse
# Workflow:
# 1. Obtain breach database (email:password pairs)
# 2. Target site with same user base (LinkedIn breach → target corp email logins)
# 3. Automate login attempts with credential pairs
# 4. Successful logins = compromised accounts
# Sources for credentials:
# - HaveIBeenPwned (check if exposed)
# - Breach compilation databases
# - Stealer logs from malware
# - Phishing campaign results
# Defenses:
# - Credential screening against known breaches
# - MFA (defeats stuffing even with valid password)
# - Rate limiting + CAPTCHA
# - Device fingerprinting
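The "credential screening against known breaches" defense listed above can be implemented without sending the password anywhere: the Pwned Passwords range API (https://api.pwnedpasswords.com/range/<first 5 SHA-1 hex chars>) returns every known hash suffix for that prefix and the comparison happens locally (k-anonymity). This Python is an added example, not the page's or HIBP's own code; the HTTP fetch is replaced by a constructed stub so it runs offline, and the breach count inside the stub is made up.

```python
import hashlib

def sha1_hex(pw):
    """Uppercase hex SHA-1, the form the range API uses (SHA1("password") is also shown above)."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()

def fake_range_response(prefix):
    """Constructed stand-in for GET /range/<prefix>: the real body is ~800 lines of
    "<35-char suffix>:<count>". Only "password" is "breached" in this stub; count is made up."""
    entries = {sha1_hex("password"): 9_659_365}          # count constructed for the example
    lines = [f"{h[5:]}:{n}" for h, n in entries.items() if h[:5] == prefix]
    lines.append("0" * 35 + ":3")                         # filler suffix, constructed
    return "\r\n".join(lines)

def is_pwned(password, fetch_range=fake_range_response):
    """k-anonymity check: only the first 5 hex chars of the SHA-1 leave the host;
    the remaining 35 are compared locally. Returns the breach count (0 = not found).
    Swap fetch_range for a real HTTP GET of the URL in the lead-in to use it for real."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue                                      # tolerate blank or odd lines
        cand, count = line.split(":", 1)
        if cand.strip() == suffix:
            return int(count)
    return 0

def screen_new_password(password, fetch_range=fake_range_response):
    """Policy hook for a registration or password-change form: reject anything seen in a breach."""
    count = is_pwned(password, fetch_range)
    return (False, f"rejected: seen {count} times in known breaches") if count else (True, "ok")
```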
Custom Wordlist Generation
# CeWL - Generate wordlist from website
cewl https://target.com -d 3 -m 5 -w custom_words.txt
# CUPP - Common User Password Profiler
# Interactive - asks about target (name, DOB, pet, etc.)
cupp -i
# Crunch - Generate wordlists with patterns
# 8 char passwords: 6 lowercase + 2 digits
crunch 8 8 -t @@@@@@%% -o wordlist.txt
# @ = lowercase, ',' = uppercase, % = digit
# Mentalist - GUI wordlist generator
# Chain multiple transformations
# TTPassGen - Generate from patterns
ttpassgen --rule '[?d]{6,8}' wordlist.txt
# Combine with target intelligence:
# - Company name variations
# - Product names
# - Employee names from LinkedIn
# - Office locations
# - Important dates
Efficient Cracking Strategy
Start fast, get quick wins, then go deep.
- Known passwords: Try passwords from same breach/target
- Top 1000 passwords: Quick dictionary run
- Rockyou.txt: ~14 million common passwords
- Rules on rockyou: Mutations of common passwords
- Target-specific wordlist: CeWL + CUPP output
- Larger dictionaries: Hashkiller, SecLists
- Rule combinations: Multiple rule files
- Mask attacks: Common patterns (?u?l?l?l?l?l?d?d)
- Hybrid attacks: Dictionary + mask
- Full brute force: Last resort (time-consuming)
Hardware & Performance
# Fast hashes (GPU-friendly)
MD5: ~164 billion/sec (GH/s)
SHA1: ~50 billion/sec
NTLM: ~165 billion/sec
SHA256: ~22 billion/sec
# Slow hashes (designed to resist cracking)
bcrypt (cost 12): ~184 thousand/sec (KH/s)
scrypt: ~2 million/sec
Argon2: ~500 thousand/sec
# Why slow hashes matter:
# MD5: 8-char password cracked in minutes
# bcrypt: Same password takes months/years
# Cloud cracking options:
# - AWS p3/p4 instances (V100/A100 GPUs)
# - Vast.ai (rent consumer GPUs cheap)
# - Hashtopolis (distributed cracking)
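To turn the mask charsets (?l ?u ?d ?s ?a) and the hash-rate table above into a concrete comparison, the added Python below computes a hashcat mask's keyspace and the time to exhaust it at each listed rate; it is an added example, not hashcat's code. RATES copies the page's figures (single-GPU ballpark, hardware dependent), and the charset sizes are hashcat's built-in ones.

```python
from math import prod

# hashcat built-in charset sizes: ?s is the 33 printable punctuation characters (space
# included), ?a is all 95 printable ASCII characters.
CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

# Candidate rates (hashes per second) taken from the table above; ballpark figures for
# one high-end GPU, so real numbers vary with hardware.
RATES = {"MD5": 164e9, "NTLM": 165e9, "SHA256": 22e9, "bcrypt(12)": 184e3}

def mask_keyspace(mask):
    """Number of candidates a hashcat -a 3 mask generates. '?x' is a built-in charset,
    '??' is a literal '?', and any other character is a literal with one choice."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' in mask")
            c = mask[i + 1]
            if c == "?":
                sizes.append(1)
            elif c in CHARSETS:
                sizes.append(CHARSETS[c])
            else:
                raise ValueError(f"unknown charset ?{c}")
            i += 2
        else:
            sizes.append(1)
            i += 1
    return prod(sizes)

def seconds_to_exhaust(mask, algo):
    """Worst-case time to run the whole mask at the listed rate for that algorithm."""
    return mask_keyspace(mask) / RATES[algo]

def human(seconds):
    for unit, n in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= n:
            return f"{seconds / n:.1f} {unit}"
    return f"{seconds:.2f} seconds"

if __name__ == "__main__":
    # The page's own masks plus a full-printable 8-char mask for comparison.
    for mask in ("?l?l?l?l?l?l?l?d", "?u?l?l?l?l?l?d?d", "?a?a?a?a?a?a?a?a"):
        print(mask, f"{mask_keyspace(mask):,} candidates")
        for algo in RATES:
            print(f"   {algo:11} {human(seconds_to_exhaust(mask, algo))}")
```

The same 8-character mask that MD5 exhausts in under a second takes bcrypt at cost 12 about five days, which is the whole argument for slow hashes in one number.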
Password Attack Tools
John the Ripper - Classic cracker with great format support and *2john extractors.
openwall.com/john
Hydra - Network login cracker: SSH, FTP, HTTP, SMB, and more.
hydra -l admin -P passwords.txt ssh://target
CeWL - Custom wordlist generator by spidering target websites.
cewl -d 3 -m 5 https://target.com
Hashtopolis - Distributed hashcat wrapper for multi-machine cracking.
github.com/hashtopolis