Password Cracking Methodology#
A repeatable cracking pipeline for the operator. Install the tooling, understand the core concepts, then move through the cracking playbook step by step.
Tooling#
Install on a Windows or Unix host.
Hashcat (v5.1 or newer)
John the Ripper (v1.8.0 Jumbo)
PACK (Password Analysis and Cracking Toolkit) v0.0.4
hashcat-utils (v1.9)
Command structure#
hashcat/john, the binary names.#type, hash type (John abbreviation or Hashcat number).hash.txt, target hashes.dict.txt, dictionary / wordlist.rule.txt, permutation rules.passwords.txt, cracked results.outfile.txt, generic output.
Hash format examples.
Core cracking knowledge#
Encoding, hashing, encrypting.
Encoding transforms data into a publicly known scheme.
Hashing is one-way cryptography, nearly impossible to reverse.
Encrypting is reversible with a key.
CPU vs GPU.
CPU, 2 to 72 cores, sequential serial processing.
GPU, thousands of cores with thousands of threads, parallel.
Cracking time.
keyspace = charset ^ length # ?a?a?a?a = 95^4 = 81,450,625
hashrate = function / hardware power # bcrypt on GTX1080 = 13094 H/s
crack_time = keyspace / hashrate # 81,450,625 / 13094 = 6,220 seconds
Salts and iterations.
Salt, random data added as input to a one-way function.
Iterations, number of times the algorithm is run.
Hash identification, no foolproof method exists. Use clues
($6$ sha512crypt). The best approach is to know where the hash was
extracted and identify the function for that software.
Attacks#
Dictionary / wordlist, precompiled words, phrases, common strings to match a password.
Brute force, every possible combination of a character set up to a given length.
Rule, generate permutations against a wordlist by modifying, trimming, extending, expanding, combining, or skipping.
Mask, targeted brute force using placeholders for character positions (
?a?a?a?l?d?d).Hybrid, dictionary plus mask placeholders (
dict.txt ?d?d?d).
Cracking rig#
From a basic laptop to a 64-GPU cluster, this is the hardware on which password attacks run. Benchmark first, then plan attacks based on the rig’s capabilities.
Do not assume forum results transfer; success depends on tuning to the target hash.
Dictionary and brute force together are not the end of an attack plan. True mastery is the analysis of patterns, behaviors, and policies that recovers the last 20%.
Methodology#
Extract hashes, pull from target, identify the hash function, format the output.
Format hashes, match the tool’s preferred layout (Hashcat takes
<user>:<hash>or plain<hash>per line).Evaluate hash strength, use a slow vs fast hash table to plan how liberal to be with dictionaries and attacks.
Calculate rig capabilities, benchmark.
$ john --test $ hashcat -b
Formulate plan, work the playbook below.
Analyze passwords, after cracking a sufficient slice analyze the results for clues and patterns.
Custom attacks, build mask attacks or rules to fit target behavior.
Advanced attacks, Princeprocessor, custom Markov chains, maskprocessor, custom dictionary attacks.
Repeat, return to step 4, tweak, grind.
Cracking playbook#
Assume the hashes are raw MD5 (fast hash) and some plaintext user passwords were captured. Where plaintext was not captured, skip to the dictionary attacks.
# 1. Custom wordlist
$ hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt
# 2. Custom wordlist + rules
$ hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt -r best64.rule --loopback
# 3. Dictionary
$ hashcat -a 0 -m 0 -w 4 hash.txt dict.txt
# 4. Dictionary + rules
$ hashcat -a 0 -m 0 -w 4 hash.txt dict.txt -r best64.rule --loopback
# 5. Custom wordlist + rules (cycle in new cracks)
$ awk -F ":" '{print $2}' hashcat.potfile >> custom_list.txt
$ hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt -r dive.rule --loopback
# 6. Mask (search for common lengths and patterns from RockYou)
$ hashcat -a 3 -m 0 -w 4 hash.txt rockyou-1-60.hcmask
# 7. Hybrid dictionary + mask
$ hashcat -a 6 -m 0 -w 4 hash.txt dict.txt rockyou-1-60.hcmask
$ hashcat -a 7 -m 0 -w 4 hash.txt rockyou-1-60.hcmask dict.txt
# 8. Custom wordlist + rules (round 2)
$ awk -F ":" '{print $2}' hashcat.potfile >> custom_list.txt
$ hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt -r dive.rule --loopback
# 9. Combo
$ hashcat -a 1 -m 0 -w 4 hash.txt dict.txt dict.txt
# 10. Custom hybrid attack
$ awk -F ":" '{print $2}' hashcat.potfile >> custom_list.txt
$ hashcat -a 6 -m 0 -w 4 hash.txt custom_list.txt rockyou-1-60.hcmask
$ hashcat -a 7 -m 0 -w 4 hash.txt rockyou-1-60.hcmask custom_list.txt
# 11. Custom mask attack
$ hashcat -a 3 -m 0 -w 4 hash.txt custom_masks.hcmask
# 12. Brute force (when all else fails; usually pointless above 8 chars)
$ hashcat -a 3 -m 0 -w 4 hash.txt -i ?a?a?a?a?a?a?a?a