So you want to be a password cracker, huh? Let us show you how it's done. In this post you will learn how to crack passwords with a hashcat dictionary attack.

First things first.

A few things are required for Hashcat to begin cracking in dictionary mode:

  • Hash(es) to crack
  • Hash id for given hash(es)
  • A dictionary

What is the dictionary attack mode? We simply hash every entry in a text file, one by one, and check whether the result equals the hash we want to crack. If it does, we did it!

Grab the hashtype

The first step is to check what kind of hash we are dealing with, because we do not always know the hashing algorithm used. Why is it so important?

Hashcat requires the -m (--hash-type) parameter to begin cracking. Hash types are represented by numbers. For example, NTLM has the id 1000 (-m 1000).

So, how to get the hash type of a given hash? We can use special tools for that purpose. We can visit online sites such as:

  • https://www.tunnelsup.com/hash-analyzer
  • https://hashes.com/en/tools/hash_identifier
  • https://md5hashing.net/hash_type_checker

or use command-line tools such as:


All the above tools give one or more possible hashing algorithm names, and with that name we can look up the hash-type id for hashcat.

We need to remember that in some cases these tools rely only on the hash length to determine the type. The hash ABAF3912CA4ABADF8823CEC34B785BC8 (32 hex characters) could be MD5 just as well as NTLM.


Hash analyzer output (image): NTLM HASH: ABAF3912CA4ABADF8823CEC34B785BC8 - [AlphaPwners]

Haiti output (image)

HashID output (image)

Most of the time we use haiti, but you can grab any tool that does the job.

Sometimes we know the type of a hash based on its origin. Despite having the same length as MD5, a hash grabbed from a Windows SAM would be an NTLM hash.

Anything else?

Another method of determining a hash type is using the hashcat list of example hashes. We can list them from the command line with the simple command hashcat --example-hashes or visit https://hashcat.net/wiki/doku.php?id=example_hashes

Most of the time, we just need to copy the beginning of the hash and search/grep in the hashcat example_hashes page.

According to example_hashes:

the hash $2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6 would be mode 3200, bcrypt $2*$, Blowfish (Unix).

the hash $office$*2007*20*128*16*411a51284e0d0200b131a89a5cc*1[...]81cde would be mode 9400, MS Office 2007.

the hash $krb5asrep$23$administrator@company.local:36246105349[...]60e94 would be mode 18200, Kerberos 5, etype 23, AS-REP.
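To make the "copy the beginning of the hash and grep example_hashes" step concrete, here is a small identifier that does the same prefix lookup in code. It is an added example, not part of the original post or of hashcat: the prefixes and mode ids 3200, 9400, 18200, 0 and 1000 come from the entries quoted above, while the SHA1 (100) and SHA2-256 (1400) length entries are taken from hashcat's own mode table. The `origin="sam"` hint is a made-up parameter that encodes the "we know where the hash came from" rule for the MD5/NTLM ambiguity.

```python
import re

# Signature prefixes from the example_hashes entries quoted in the post, mapped to the
# hashcat -m id. Longer, more specific prefixes are listed first so they win.
PREFIX_MODES = [
    (r"\$krb5asrep\$23\$", 18200, "Kerberos 5, etype 23, AS-REP"),
    (r"\$office\$\*2007\*", 9400, "MS Office 2007"),
    (r"\$2[aby]\$", 3200, "bcrypt $2*$, Blowfish (Unix)"),
]

# Plain hex digests carry no signature, so only their length is available,
# and a given length may map to several algorithms (32 hex chars: MD5 or NTLM).
HEX_LENGTH_MODES = {
    32: [(0, "MD5"), (1000, "NTLM")],
    40: [(100, "SHA1")],          # from hashcat's mode table, not from the post
    64: [(1400, "SHA2-256")],     # from hashcat's mode table, not from the post
}


def identify(hash_value, origin=None):
    """Return a list of (mode, name) candidates for one hash string.

    `origin` is a hypothetical hint for where the hash was obtained; "sam"
    (a Windows SAM dump) resolves the MD5/NTLM length ambiguity to NTLM.
    An empty list means nothing matched.
    """
    h = hash_value.strip()
    for pattern, mode, name in PREFIX_MODES:
        if re.match(pattern, h):
            return [(mode, name)]            # signature prefix is unambiguous
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        if origin == "sam" and len(h) == 32:
            return [(1000, "NTLM")]
        return list(HEX_LENGTH_MODES.get(len(h), []))
    return []


def identify_many(hashes, origin=None):
    """Identify a batch of hashes; returns {hash: [(mode, name), ...]}."""
    return {h: identify(h, origin) for h in hashes}


if __name__ == "__main__":
    for h, cands in identify_many([
        "$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6",
        "ABAF3912CA4ABADF8823CEC34B785BC8",
    ]).items():
        print(h[:20], "->", cands or "unknown")
```

When the identifier returns more than one candidate, the practical move is what the post describes: use the hash's origin to pick, or run hashcat with each candidate id and see which one cracks.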

Let's crack some hashes!

The hash in the example below can be cracked using the popular rockyou.txt dictionary. It's also our first choice on any CTF/HackTheBox/TryHackMe/whatever where hash cracking or bruteforcing is involved.

You can download it, for example, from here: https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/wordlists/rockyou.txt.gz

Let's crack this beauty:


The hash algorithm is MD5, and in hashcat the proper id for MD5 is 0.

Hashcat supports many attacks such as:

  • Dictionary attack
  • Mask attack (kind of bruteforce)
  • Combinatory attack
  • Rule-based attack
  • Toggle-case attack

In this post, only the dictionary attack is used. Feel free to check the next posts on hash cracking to learn about the other methods.

To use the dictionary attack, the -a (attack mode) option must be provided with the value 0.

To start cracking, we use

{{< code language="bash" title="Hashcat dictionary attack" id="1" expand="Show" collapse="Hide" isCollapsed="false" >}}

hashcat -m 0 -a 0 '0a909ffe7be1ffe2ec130aa243a64c26' 'rockyou.txt.gz' -O

{{< /code >}}

Command explanation:

-m 0 -> hash type id (in this case MD5)
-a 0 -> attack mode (in this case Dictionary attack, mode number 0)
0a909ffe7be1ffe2ec130aa243a64c26 -> the hash to crack
rockyou.txt.gz -> dictionary file (can be compressed)
-O -> enable optimized kernels (limits password & salt length in exchange for speed)

Hashcat output (images). Gotcha!

To show previously cracked hashes in hashcat, the --show switch can be used.

{{< code language="bash" title="Show cracked hashes" id="2" expand="Show" collapse="Hide" isCollapsed="false" >}}

hashcat '0a909ffe7be1ffe2ec130aa243a64c26' --show

{{< /code >}}

When a password is cracked, hashcat saves its plaintext value in hashcat.potfile, in the format hash:password. Depending on the system and on how hashcat was configured or installed, the location of this file may differ, e.g.

Kali Linux: ~/.local/share/hashcat/hashcat.potfile

Ubuntu system: ~/.local/share/hashcat/hashcat.potfile

If we cannot find the .potfile then just call the command:

{{< code language="bash" title="Locate hashcat.potfile" id="2" expand="Show" collapse="Hide" isCollapsed="false" >}}

find / -name hashcat.potfile

{{< /code >}}


More hashes, more fun.

Hashcat, of course, supports cracking many hashes at once. Just replace the hash we want to crack with the name of a file containing the hashes. The file should contain only hashes of one algorithm, one hash per line, like this:


[DOWNLOAD] unshade-hash-b1.txt - hashes to crack.

{{< code language="bash" title="cracking many hashes" id="3" expand="Show" collapse="Hide" isCollapsed="false" >}}

hashcat -m 0 -a 0 unshade-hash-b1.txt 'rockyou.txt.gz' -O

{{< /code >}}
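To show what the dictionary attack explained at the start of the post and the multi-hash run above actually do under the hood, here is a toy cracker in Python. It is an added example, not part of the original post and not hashcat's code: it hashes every line of a (plain or gzipped) wordlist, compares the digest against a hash file with one hash per line, and records hits in hashcat's hash:password potfile layout, with a --show equivalent on top. Only mode 0 (MD5) comes from the post; mode 100 (SHA1) is taken from hashcat's mode table. The wordlist, hashes and file names in `demo()` are constructed for the example, and NTLM is left out because the MD4 it needs is not available in every Python build.

```python
import gzip
import hashlib
import os
import tempfile

# hashcat mode id -> digest function over the raw candidate bytes.
MODES = {
    0: lambda pw: hashlib.md5(pw).hexdigest(),    # MD5 (mode 0, as in the post)
    100: lambda pw: hashlib.sha1(pw).hexdigest(),  # SHA1 (mode 100, from hashcat's table)
}


def open_wordlist(path):
    """Open a plain or gzip-compressed wordlist; hashcat accepts both."""
    opener = gzip.open if path.endswith(".gz") else open
    return opener(path, "rb")


def load_hashes(path):
    """Read one hash per line, lower-cased, skipping blank lines (all must be one algorithm)."""
    with open(path, "r", encoding="utf-8") as fh:
        return {line.strip().lower() for line in fh if line.strip()}


def dictionary_attack(hash_file, wordlist, mode=0):
    """Hash every wordlist entry with the algorithm for `mode` and compare.

    Returns {hash: password} for every target hash found in the wordlist;
    hashes whose password is not in the list simply stay absent.
    """
    digest = MODES[mode]
    targets = load_hashes(hash_file)
    cracked = {}
    with open_wordlist(wordlist) as fh:
        for raw in fh:
            candidate = raw.rstrip(b"\r\n")
            h = digest(candidate)
            if h in targets and h not in cracked:
                cracked[h] = candidate.decode("utf-8", "replace")
                if len(cracked) == len(targets):
                    break  # everything cracked, stop reading the list
    return cracked


def write_potfile(cracked, path):
    """Append results in the potfile layout hashcat uses: hash:password, one per line."""
    with open(path, "a", encoding="utf-8") as fh:
        for h, pw in cracked.items():
            fh.write(f"{h}:{pw}\n")


def show_potfile(path, wanted=None):
    """Equivalent of --show: entries from the potfile, optionally limited to `wanted` hashes."""
    found = {}
    with open(path, "r", encoding="utf-8") as fh:
        for line in fh:
            h, _, pw = line.rstrip("\n").partition(":")
            if h and (wanted is None or h in wanted):
                found[h] = pw
    return found


def demo():
    """Constructed end-to-end run in a temp dir: a tiny gzipped wordlist and three MD5
    hashes, one of which is deliberately not in the list."""
    tmp = tempfile.mkdtemp()
    wordlist = os.path.join(tmp, "mini-wordlist.txt.gz")
    hash_file = os.path.join(tmp, "hashes.txt")
    potfile = os.path.join(tmp, "hashcat.potfile")
    with gzip.open(wordlist, "wb") as fh:
        fh.write(b"123456\npassword\niloveyou\nprincess\n")
    with open(hash_file, "w", encoding="utf-8") as fh:
        for word in (b"password", b"iloveyou", b"not-in-the-wordlist"):
            fh.write(hashlib.md5(word).hexdigest() + "\n")
    cracked = dictionary_attack(hash_file, wordlist, mode=0)
    write_potfile(cracked, potfile)
    return cracked, show_potfile(potfile)


if __name__ == "__main__":
    for h, pw in demo()[0].items():
        print(f"{h}:{pw}")
```

The loop is the whole idea of attack mode 0: the cost is one hash computation per wordlist entry per algorithm, which is why a fast unsalted hash like MD5 falls to rockyou.txt in seconds, while a deliberately slow one like bcrypt (mode 3200) makes the same loop orders of magnitude more expensive.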
