Cracking Passwords

1) Check Crackstation

It will be able to crack very simple hashes.

2) Identify Hash Type (and Salt)

Note: This requires Python.

You can install it like so:

$ pip install hashid


$ python -m hashid [OPTIONS] [HASH]

None of the options are necessary so I won’t write them out. Plus, they’re on the GitHub page.

Note: Careful because it doesn’t seem to identify salts very well even if it seems sure.

A small comment: Only the last tool was able to successfully identify an NTLM hash correctly. Remember to use some common sense when dealing with hashes. If you get hashes that are from a Windows machine, you can narrow down your search for example.

What is a salt?

Adding some data to the input of a hash function to guarantee a unique output. This helps to avoid hash collisions and slows down hackers who are brute-forcing credentials.

If we see a database with duplicate hashes, we know that there are no salts. A lot of duplicate hashes could signal that default passwords are still being used.

Salts are useless if they’re not HIDDEN.

3a) John

Crack simple password hashes (WITH NO SALT).



The HASH FILE follows the following syntax:





Results can be found in /home/USER/.john/john.pot.

Important Options

  • --wordlist= (Specify the wordlist you’re going to use in a dictionary attack.)
  • --list=formats | grep [HASH TYPE] (Search for the hash type you need for the format option.)
  • --format=[HASH TYPE] (The hash type you want.)

Note: John typically can identify the hash function but if it doesn’t do so correctly, now you know how to specify it!

3b) Hashcat

Crack password hashes (the best tool for this).



The HASH FILE follows the syntax decribed in the example hashes page mentioned in the Hash Types section.

When the results appear, check status. If it says cracked, the password has been cracked. If it says, exhausted, then it did everything you told it to do and could not crack it. Cracked passwords are shown at the bottom as “Candidates”.

Important Options

Hash Types (-m)

Attack Modes (-a)

  • Dictionary = -a 0
  • Combinator = -a 1
  • Brute-force/Mask = -a 3
  • Hybrid = -a 6 or -a 7

Mask Attacks

A more specific brute-force attack. You need to know certain things about the password like length, etc.

A placeholder can consist of a variable which is indicated by the ? (question mark symbol) followed by one of the built-in charset variable names (l, u, d, s, a), or one of the custom ones (1, 2, 3, 4). A ? (question mark symbol) itself is written as two question mark symbols (??).

Built-in charsets

  • ?l = abcdefghijklmnopqrstuvwxyz
  • ?d = 0123456789
  • ?h = 0123456789abcdef
  • ?H = 0123456789ABCDEF
  • ?s = «space»!”#$%&'()*+,-./:;<=>?@[]^_`{|}~
  • ?a = ?l?u?d?s
  • ?b = 0x00 – 0xff

3c) Hydra

Hydra is best for cracking login credentials (not hashes). Things like SSH, FTP, web pages, etc.




Against SSH (or any other protocol with a login):


Against a web page:


Important Options

  • -L (Supply multiple usernames (like in a wordlist) or use -l to supply one username.)
  • -P (Path to dictionary attack wordlist or use -p to supply one password.)

This will be updated accordingly with what I learn.