Skip to content

Latest commit

 

History

History
123 lines (84 loc) · 2.83 KB

File metadata and controls

123 lines (84 loc) · 2.83 KB

Lab 24 — Offline Hash Cracking with hashcat and John

Exam objective: 4.3 Brute force, dictionary, mask, password spraying — offline tools hashcat and John the Ripper.

In this lab you will identify, crack, and report hashes using hashcat (GPU-friendly) and John the Ripper (CPU-flexible).


Step 1 — Identify the hash

Save a sample bank to hashes.txt:

5f4dcc3b5aa765d61d8327deb882cf99
$1$abc$VxMaa11ZGc.K0jchnLrcv1
$2y$10$ZJL0DvDIIfo7AjwONJqGSeKBtFM5Lh6JdK9gQAB7l2Xm.D8YxNyKO
aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
hashid -m hashes.txt
# or
hash-identifier

You'll see: MD5, MD5(Unix), bcrypt, NTLM.


Step 2 — Dictionary attack with hashcat

hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
  • -m 0 MD5.
  • -a 0 straight (dictionary).

Common modes:

Mode Hash
0 MD5
100 SHA-1
1000 NTLM
1800 sha512crypt ($6$)
3200 bcrypt ($2*$)
5600 NetNTLMv2
13100 Kerberos TGS (krb5tgs $23$)
18200 Kerberos AS-REP (krb5asrep $23$)

Step 3 — Rule-based attack

Apply mangling rules to a base wordlist:

hashcat -m 0 -a 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

best64.rule adds digits, capitalises, leet-speaks. Stronger: dive.rule, rockyou-30000.rule.


Step 4 — Mask attack (targeted brute force)

When you know the policy ("8 chars min, uppercase + digit"):

hashcat -m 1000 -a 3 ntlm.txt '?u?l?l?l?l?l?d?d'

Charsets: ?l lower, ?u upper, ?d digit, ?s symbol, ?a all.


Step 5 — Hybrid attack (dict + mask)

hashcat -m 0 -a 6 hashes.txt rockyou.txt '?d?d?d?d'
# wordlist + 4 digits suffix (e.g. Password2026)

Step 6 — John the Ripper

john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --show --format=NT hashes.txt

John auto-identifies many formats. Run incremental mode:

john --incremental hashes.txt

John excels at uncommon formats (ZIP, RAR, GPG, KeePass) via *2john helpers:

zip2john /tmp/file.zip > zip.hash
john --wordlist=rockyou.txt zip.hash

Step 7 — Reporting

Always report:

  • Hash type and source (where you got it).
  • Cracked plain textredact in the report unless client requests full disclosure.
  • Speed achieved — gives mitigation context (a 9-char bcrypt password at 50 H/s on a 4090 is not the same risk as MD5).
  • Recommendation: migrate to bcrypt/Argon2id, enforce MFA, deploy breached-password screening.

What you learned

  • How to identify a hash with hashid / hash-identifier.
  • The four hashcat attack modes (straight, brute, hybrid).
  • John the Ripper for unusual formats (zip2john, rar2john, keepass2john).
  • How to write up cracked-credential findings safely.