Hash Cracking

Overview

Hash cracking recovers plaintext passwords from captured hashes by guessing candidates, hashing each one the way the target system did, and comparing the result with the stored hash; nothing is decrypted, so speed depends entirely on the hash algorithm and on guess quality. After extracting hashes from SAM, NTDS.dit, /etc/shadow, Kerberoast/AS-REP responses, or network captures, cracking runs offline on attacker hardware with GPU-accelerated tools (hashcat) or CPU-oriented tools (john) against wordlists and rules. The two main approaches are dictionary attacks (wordlist + rules) and brute-force/mask attacks; hybrid attacks combine the two.

ATT&CK Mapping

  • Tactic: TA0006 - Credential Access
  • Technique: T1110.002 - Brute Force: Password Cracking

Prerequisites

  • Hash file with extracted hashes
  • Wordlists (rockyou.txt, SecLists)
  • hashcat and/or john installed
  • GPU recommended for hashcat (CPU fallback available)

Techniques

Hash Identification

# hashid
# https://github.com/psypanda/hashID
hashid '<hash_value>'
hashid -m '<hash_value>'    # Show hashcat mode

# hash-identifier
hash-identifier
# Paste hash when prompted

# Common hash patterns (shape-based heuristics; where the hash came from settles ambiguous cases)
# $1$salt$hash            = md5crypt (Unix)
# $5$salt$hash            = sha256crypt (Unix)
# $6$salt$hash            = sha512crypt (Unix)
# $y$params$salt$hash     = yescrypt (Unix; the default on current Debian, Ubuntu and Fedora)
# $2a$/$2b$/$2y$cost$hash = bcrypt
# $apr1$salt$hash         = Apache MD5
# 32 hex chars            = MD5 or NTLM (same shape; NTLM if it came from SAM/NTDS)
# 40 hex chars            = SHA1
# LMHash:NTHash           = Windows (from SAM/secretsdump; an LM field of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored)
# $krb5tgs$23$*...        = Kerberoast (etype 23 / RC4; $krb5tgs$17$ and $krb5tgs$18$ are AES tickets and crack far more slowly)
# $krb5asrep$23$...       = AS-REP Roast
# user::domain:challenge:proof:blob = NetNTLMv2

Common Hashcat Modes

Mode   Hash Type
0      MD5
100    SHA1
500    md5crypt (Unix $1$)
1000   NTLM
1600   Apache $apr1$ MD5
1800   sha512crypt (Unix $6$)
3000   LM
3200   bcrypt
5500   NetNTLMv1
5600   NetNTLMv2
7400   sha256crypt (Unix $5$)
13100  Kerberos 5 TGS-REP etype 23 (RC4 Kerberoast)
16500  JWT
18200  Kerberos 5 AS-REP etype 23
19600  Kerberos 5 TGS-REP etype 17 (AES128 Kerberoast)
19700  Kerberos 5 TGS-REP etype 18 (AES256 Kerberoast)
22000  WPA-PBKDF2-PMKID+EAPOL

To confirm a mode and see the exact input format it expects, run hashcat --example-hashes -m <mode>.

Hashcat Usage

# hashcat
# https://hashcat.net/hashcat/

# Basic dictionary attack
hashcat -m <mode> hashes.txt /usr/share/wordlists/rockyou.txt

# With rules (common mutations: capitalize, append numbers, leet speak)
hashcat -m <mode> hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Show cracked results (read back from the potfile; add --username if the input lines carry a name prefix)
hashcat -m <mode> hashes.txt --show

# Force CPU (if no GPU available)
hashcat -m <mode> hashes.txt /usr/share/wordlists/rockyou.txt -D 1

# Brute-force with mask
hashcat -m <mode> hashes.txt -a 3 '?u?l?l?l?l?l?d?d'
# ?l = lowercase, ?u = uppercase, ?d = digit, ?s = special, ?a = all

# Incremental mask attack (1 to 8 characters)
hashcat -m <mode> hashes.txt -a 3 --increment --increment-min 1 --increment-max 8 '?a?a?a?a?a?a?a?a'

# Hybrid: wordlist + mask (append 4 digits to each word)
hashcat -m <mode> hashes.txt -a 6 /usr/share/wordlists/rockyou.txt '?d?d?d?d'

# Resume an interrupted session (all parameters are stored in the .restore file, so no other args are needed;
# a run started with --session <name> is resumed with --session <name> --restore)
hashcat --restore

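The mask and --increment commands above are easy to launch and hard to finish; the following added example (not code from the original page) sizes a mask before it is run. It multiplies hashcat's documented built-in charset sizes (?l and ?u 26, ?d 10, ?s 33, ?a 95, ?h and ?H 16, ?b 256; a literal character counts 1 and "??" is a literal "?"), sums the prefixes that --increment would try, and converts a keyspace and a hash rate into a run time. Custom charsets (-1 ... ?1) are not handled, and the 50 GH/s rate used in the demo is an assumption to be replaced by the output of hashcat -b for the target mode.

```shell
#!/bin/sh
# Added example: keyspace and run-time estimate for a hashcat mask.

# mask_tokens MASK: one position per line, e.g. "?u", "?d", "x", "??"
mask_tokens() {
    m=$1; i=1; len=${#m}
    while [ "$i" -le "$len" ]; do
        c=$(printf '%s' "$m" | cut -c"$i")
        if [ "$c" = '?' ] && [ "$i" -lt "$len" ]; then
            i=$((i + 1))
            printf '?%s\n' "$(printf '%s' "$m" | cut -c"$i")"
        else
            printf '%s\n' "$c"
        fi
        i=$((i + 1))
    done
}

# token_size TOKEN: candidates for one position (hashcat's built-in charsets)
token_size() {
    case "$1" in
        '?l'|'?u')  echo 26 ;;
        '?d')       echo 10 ;;
        '?s')       echo 33 ;;
        '?a')       echo 95 ;;
        '?h'|'?H')  echo 16 ;;
        '?b')       echo 256 ;;
        *)          echo 1 ;;   # literal character, including "??"
    esac
}

# mask_keyspace MASK [N]: candidate count for the mask, or for its first N positions
mask_keyspace() {
    mask_tokens "$1" | {
        n=1; k=0
        while IFS= read -r t; do
            k=$((k + 1))
            if [ -n "$2" ] && [ "$k" -gt "$2" ]; then break; fi
            n=$((n * $(token_size "$t")))
        done
        echo "$n"
    }
}

# increment_keyspace MASK MIN MAX: total work for --increment --increment-min MIN --increment-max MAX
increment_keyspace() {
    total=0; k=$2
    while [ "$k" -le "$3" ]; do
        total=$((total + $(mask_keyspace "$1" "$k")))
        k=$((k + 1))
    done
    echo "$total"
}

# mask_eta KEYSPACE RATE: worst-case time to exhaust KEYSPACE at RATE hashes/second
mask_eta() {
    s=$(( $1 / $2 ))
    printf '%dd %02dh %02dm %02ds\n' $((s / 86400)) $((s % 86400 / 3600)) $((s % 3600 / 60)) $((s % 60))
}

# Worked numbers for the two masks used above. RATE is an assumed 50 GH/s
# (roughly one modern GPU on NTLM); measure the real figure with "hashcat -b -m <mode>".
RATE=50000000000
ks=$(mask_keyspace '?u?l?l?l?l?l?d?d')
echo "?u?l?l?l?l?l?d?d           : $ks candidates, $(mask_eta "$ks" "$RATE")"
ks=$(increment_keyspace '?a?a?a?a?a?a?a?a' 1 8)
echo "?a x 1..8 (--increment)   : $ks candidates, $(mask_eta "$ks" "$RATE")"
```

Note that hashcat's own --keyspace prints an internal work-unit count rather than the candidate total, which is why the total is computed here directly. The numbers also show why masks are chosen, not brute-forced: eight characters of ?a is a little over a day at 50 GH/s for NTLM, but the same mask against bcrypt (mode 3200, hundreds of thousands of guesses per second rather than tens of billions) is a matter of centuries.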
Hashcat rules on Kali:

Rule File                                    Description
/usr/share/hashcat/rules/best64.rule         64 high-yield rules; the usual fast first pass
/usr/share/hashcat/rules/rockyou-30000.rule  Top 30,000 rules derived from rockyou analysis
/usr/share/hashcat/rules/d3ad0ne.rule        Comprehensive rule set
/usr/share/hashcat/rules/dive.rule           Very large rule set for thorough (and slow) runs

Community rule sets not included with Kali (download separately):

  • OneRuleToRuleThemStill.rule (GitHub): a single tuned rule set intended for one thorough pass

John the Ripper Usage

# john
# https://github.com/openwall/john

# Auto-detect hash type (john guesses from shape; raw hex hashes are ambiguous, so prefer an explicit --format)
john hashes.txt

# Specify format
john --format=raw-md5 hashes.txt
john --format=nt hashes.txt
john --format=sha512crypt hashes.txt
john --format=krb5tgs hashes.txt
john --format=netntlmv2 hashes.txt

# With wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# With rules
john --wordlist=/usr/share/wordlists/rockyou.txt --rules=best64 hashes.txt

# Show cracked passwords (read from ~/.john/john.pot)
john --show hashes.txt

# Incremental mode (brute-force)
john --incremental hashes.txt

Practical Cracking Scenarios

Windows NTLM hashes (from SAM/secretsdump):

# Format: Username:RID:LMHash:NTHash:::
# Extract just the NT hashes (deduplicated: many accounts share hashes)
cut -d: -f4 secretsdump_output.txt | sort -u > ntlm_hashes.txt

hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Or keep the account name attached: user:NTHash input with --username
cut -d: -f1,4 secretsdump_output.txt > ntlm_user_hashes.txt
hashcat -m 1000 --username ntlm_user_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
hashcat -m 1000 --username ntlm_user_hashes.txt --show    # user:hash:password

Kerberoast hashes:

# $krb5tgs$23$ (RC4) tickets are mode 13100; AES tickets ($krb5tgs$17$ / $krb5tgs$18$) need 19600 / 19700 and crack far more slowly
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

AS-REP Roast hashes:

hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

Linux /etc/shadow (sha512crypt):

# Use unshadow to combine passwd and shadow (john uses the passwd fields for its rules)
unshadow /etc/passwd /etc/shadow > unshadowed.txt
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

# Or with hashcat: mode 1800 takes only $6$ hashes. Current Debian, Ubuntu and Fedora default
# to yescrypt ($y$), which has no mode in the table above, so check the prefix first.
cut -d: -f2 /etc/shadow | grep '^\$6\$' > shadow_hashes.txt
hashcat -m 1800 shadow_hashes.txt /usr/share/wordlists/rockyou.txt

NetNTLMv2 (from Responder/LLMNR capture):

hashcat -m 5600 netntlmv2_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

Wordlists

Wordlist             Path                                                    Entries
rockyou              /usr/share/wordlists/rockyou.txt                        ~14 million
SecLists passwords   /usr/share/seclists/Passwords/                          Various
SecLists darkweb     /usr/share/seclists/Passwords/darkweb2017-top10000.txt  10,000

On a fresh Kali install rockyou ships compressed; run sudo gunzip /usr/share/wordlists/rockyou.txt.gz once before use.

Custom Wordlist Generation

# cewl — generate wordlist from website
# https://github.com/digininja/CeWL
cewl http://target.com -d 2 -m 5 -w custom_wordlist.txt

# Apply mutations to the base wordlist with hashcat's rule engine alone (no hashes needed)
hashcat --stdout custom_wordlist.txt -r /usr/share/hashcat/rules/best64.rule > mutated_wordlist.txt

Detection Methods

Host-Based Detection

  • Not detectable as such: cracking runs offline on the attacker's hardware and produces no traffic or logs on the target
  • Monitor for the hash extraction that precedes it: LSASS handle access (Sysmon Event ID 10), SAM/SYSTEM hive saves, DCSync replication requests (Event ID 4662 with the DS-Replication-Get-Changes rights), a burst of TGS requests with RC4 encryption (Event ID 4769, ticket encryption type 0x17) for Kerberoasting, and TGT requests for accounts without pre-authentication (Event ID 4768) for AS-REP Roasting
  • Watch for cracked credentials being used afterwards: a service account logging on interactively or from a workstation, or a previously idle account authenticating shortly after a Kerberoast-sized burst of 4769 events

Mitigation Strategies

  • Enforce strong passwords: length matters more than complexity against offline cracking, so require 14+ characters (passphrases) and longer for service accounts; NT hashes are unsalted MD4 and a single GPU tests tens of billions of guesses per second
  • Use bcrypt/scrypt/argon2 where the application chooses the algorithm: slow, memory-hard hashing makes every GPU guess thousands of times more expensive (Active Directory cannot be changed here; see the Kerberos point below)
  • Password blacklists: block common and breached passwords (Azure AD Password Protection, custom dictionaries)
  • Multi-factor authentication: passwords alone should not be sufficient
  • Reduce roastable material: long random passwords or gMSAs for SPN-bearing accounts, AES-only Kerberos encryption types, no accounts with "Do not require Kerberos preauthentication", and LM hash storage disabled
  • Regular password audits: periodically run domain hashes against common wordlists and rules, and flag NT-hash reuse across accounts

References

Official Documentation

  • hashcat: https://hashcat.net/hashcat/
  • John the Ripper: https://github.com/openwall/john
  • hashID: https://github.com/psypanda/hashID
  • CeWL: https://github.com/digininja/CeWL

MITRE ATT&CK

  • T1110.002 - Brute Force: Password Cracking: https://attack.mitre.org/techniques/T1110/002/