[ Certified Ethical Hacker v10 ] :: [ Chapter 5 cont’d] :: Hash Cracking

This entry is part 9 of 30 in the series [ Certified Ethical Hacker Training ]

Hash Cracking Passwords

Hash-cracking communities:

Password dictionaries:

Kali supplies you with several wordlists and hash lists in /usr/share/.

John the Ripper

John the Ripper is quite old, and still an excellent tool. John can use Kali’s built-in wordlists: /usr/share/wordlists/rockyou.txt.gz etc.

“How to crack passwords using john the ripper in kali linux”


1 Create a simple text file with a hashed password (which is “password”):

echo -n password | md5sum | tr -d " -" >> /root/testhash.txt

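Now use the RockYou wordlist to crack the password. John does not decompress .gz wordlists itself, so stream the list in on stdin, then print the cracked result with --show:

zcat /usr/share/wordlists/rockyou.txt.gz | john --format=raw-md5 --stdin /root/testhash.txt
john --format=raw-md5 --show /root/testhash.txt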

2 Follow the steps on this page:


Brutus is ancient Windows software for cracking passwords. You may get lucky with it today, but really just know the tool for the CEH exam.



“Hydra is a very fast online password cracking tool, which can perform rapid dictionary attacks against more than 50 protocols, including Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases and much more. THC (The Hackers Choice) created Hydra for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.”



Hashcat is the bad daddy of hash cracking. No, I don’t wanna argue about it, just learn to use it and then we’ll talk.

Requires 4 arguments:

-m or --hash-type (use --help to list hash types; use -m 1000 for Windows NT hashes)
Example hashes: https://hashcat.net/wiki/doku.php?id=example_hashes

-a or --attack-mode (method: dictionary, brute-force; use -a 0 to use a dictionary attack)

[filename|hash] (hashes to crack, e.g. ./hashes/ntlm.txt; you can supply a single hash directly)

[dictionary|mask|directory] (A wordlist, mask or directory containing wordlist(s), e.g. rockyou.txt)

See this really excellent step-by-step example:


Exercise: Dictionary Attack

1 Hashcat doesn’t support compressed lists, so unzip Kali’s supplied RockYou wordlist, /usr/share/wordlists/rockyou.txt.gz:

gunzip /usr/share/wordlists/rockyou.txt.gz

2 Create a folder called hashlists in your home directory. Make a hash file called win.hash inside it:

mkdir -p ./hashlists && touch ./hashlists/win.hash

Go to this page to create some NTLM hashes. Place them in the win.hash file:

3 Now run hashcat to crack the hashes, using the RockYou wordlist:

hashcat -m 1000 -a 0 --force ./hashlists/win.hash /usr/share/wordlists/rockyou.txt

Cracked hashes go into hashcat.potfile in the user’s home directory, in a folder named .hashcat – unless you specify an output file with the -o option (see the next example).

Exercise: Rule Set Permutations

Rule Sets allow permutations like “Airplane1 to Airplane59”.

For deep details see this page:

Rule Set rules are in /usr/share/hashcat/rules/, for example the best64.rule rule list.

3 Use this command to crack the hashes in win.hash:

hashcat -m 1000 -a 0 -o /root/cracked.txt -r /usr/share/hashcat/rules/best64.rule ./hashlists/win.hash /usr/share/wordlists/rockyou.txt

Exercise: Mask Attack

See this explanation straight from the Hashcat people:

And see this page for examples (halfway down the page):

You will need at least these four options for hashcat:

hashcat-binary attack-mode hash-file mask

For instance:

hashcat -a 3 hash.file ?a?a?a

?d Digit (repeat 5 times for 5 places)

?l lowercase letter

?u uppercase letter

?s special char

?a all character sets

For example, look for all three-character passwords:

hashcat -m 1000 -a 3 ./testhash.txt ?a?a?a

Up to 7 chars is reasonable, 8 takes days, 9 takes years (on generic hardware).
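The arithmetic behind those time estimates, as an added example (not from the original page or from the Hashcat project): it counts the candidates a mask generates and how long exhausting them takes, which is also why each extra character in a password policy matters so much. The function names are this example's own, and the rate of 1,000,000,000 guesses per second is an assumed figure, not a benchmark.

```python
# Added example: keyspace size and exhaustion time for a hashcat-style mask.
# Sizes of the built-in charsets listed above (?s includes the space character).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

ASSUMED_RATE = 1_000_000_000  # guesses per second; an assumption, not measured


def mask_keyspace(mask: str) -> int:
    """Return the number of candidates the mask generates."""
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("mask ends with a dangling '?'")
            code = mask[i + 1]
            if code == "?":
                pass  # '??' is a literal question mark: one choice
            elif code in CHARSET_SIZES:
                total *= CHARSET_SIZES[code]
            else:
                raise ValueError(f"charset ?{code} is not handled in this example")
            i += 2
        else:
            i += 1  # literal character: one choice for this position
    return total


def seconds_to_exhaust(mask: str, rate: int = ASSUMED_RATE) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return mask_keyspace(mask) / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = (("years", 31_536_000), ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for length in (3, 7, 8, 9):
        mask = "?a" * length
        print(f"{length} chars: {mask_keyspace(mask):>22,} candidates, "
              f"{humanize(seconds_to_exhaust(mask))} at {ASSUMED_RATE:,}/s")
```

Each added ?a position multiplies the work by 95, so the jump from hours to days to years comes from length alone; a faster rig only shifts the whole scale by a constant factor.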

4 What would the command be to look for all five-character passwords?

Exercise: Combinator Attacks

Use two wordlists, or the same wordlist twice, and try all possible combinations:

hashcat -m 0 -a 1 ./testhash.txt [wordlist1] [wordlist2]

5 Follow this page step-by-step:

The LinkedIn hashdump and more instructions:

And another good tutorial on masks: