Exam objective: 4.3 Brute force, dictionary, mask, password spraying — offline tools hashcat and John the Ripper.
In this lab you will identify, crack, and report hashes using hashcat (GPU-friendly) and John the Ripper (CPU-flexible).
Save a sample bank to hashes.txt:
5f4dcc3b5aa765d61d8327deb882cf99
$1$abc$VxMaa11ZGc.K0jchnLrcv1
$2y$10$ZJL0DvDIIfo7AjwONJqGSeKBtFM5Lh6JdK9gQAB7l2Xm.D8YxNyKO
aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
hashid -m hashes.txt
# or
hash-identifierYou'll see: MD5, MD5(Unix), bcrypt, NTLM.
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt-m 0MD5.-a 0straight (dictionary).
Common modes:
| Mode | Hash |
|---|---|
| 0 | MD5 |
| 100 | SHA-1 |
| 1000 | NTLM |
| 1800 | sha512crypt ( |
| 3200 | bcrypt ( |
| 5600 | NetNTLMv2 |
| 13100 | Kerberos TGS (krb5tgs |
| 18200 | Kerberos AS-REP (krb5asrep |
Apply mangling rules to a base wordlist:
hashcat -m 0 -a 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rulebest64.rule adds digits, capitalises, leet-speaks. Stronger: dive.rule, rockyou-30000.rule.
When you know the policy ("8 chars min, uppercase + digit"):
hashcat -m 1000 -a 3 ntlm.txt '?u?l?l?l?l?l?d?d'Charsets: ?l lower, ?u upper, ?d digit, ?s symbol, ?a all.
hashcat -m 0 -a 6 hashes.txt rockyou.txt '?d?d?d?d'
# wordlist + 4 digits suffix (e.g. Password2026)john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --show --format=NT hashes.txtJohn auto-identifies many formats. Run incremental mode:
john --incremental hashes.txtJohn excels at uncommon formats (ZIP, RAR, GPG, KeePass) via *2john helpers:
zip2john /tmp/file.zip > zip.hash
john --wordlist=rockyou.txt zip.hashAlways report:
- Hash type and source (where you got it).
- Cracked plain text — redact in the report unless client requests full disclosure.
- Speed achieved — gives mitigation context (a 9-char bcrypt password at 50 H/s on a 4090 is not the same risk as MD5).
- Recommendation: migrate to bcrypt/Argon2id, enforce MFA, deploy breached-password screening.
- How to identify a hash with
hashid/hash-identifier. - The four hashcat attack modes (straight, brute, hybrid).
- John the Ripper for unusual formats (
zip2john,rar2john,keepass2john). - How to write up cracked-credential findings safely.