Ethical Hacking | #Hashcat #John the Ripper #password cracking

Password Cracking with Hashcat and John: Beginner's Guide

Master password cracking: hash types, dictionary attacks, rule-based cracking, GPU acceleration with Hashcat, and CTF techniques.


Password cracking is a fundamental skill in cybersecurity. When you compromise a system or capture hashes, cracking weak passwords is often the fastest path to privilege escalation or lateral movement. Two tools dominate the field: Hashcat (built for GPU cracking) and John the Ripper (primarily CPU-based, with OpenCL GPU support in the Jumbo build). This guide covers both.

Understanding Password Hashes

Before cracking, understand what you’re working with.

Hash Types

Passwords should never be stored in plaintext. Instead, systems store the output of a hash function: a fixed-length digest derived from the password, ideally combined with a per-user salt and computed with a deliberately slow algorithm.

Common hash types:

Algorithm   Hash length     Example
MD5         32 hex chars    5d41402abc4b2a76b9719d911017c592
SHA-1       40 hex chars    aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
SHA-256     64 hex chars    2c26b46911185131006745033c5f069766ebd2d1d2daae3d7964629058bfa823
bcrypt      60 chars        $2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
argon2      variable        $argon2i$v=19$m=16,t=2,p=1$…

The three hex examples are all digests of the same input, the string "hello". The bcrypt and argon2 strings are not bare digests: they embed the algorithm id, cost parameters and salt alongside the hash, which is why they are longer and why a precomputed table cannot be built for them.

Important: Hashes are one-way; you cannot compute the password from the digest. Cracking means guessing candidate passwords, hashing each one the same way the target system did, and comparing the result. The cost of one guess therefore decides everything: MD5, SHA-1 and NTLM are designed to be fast, while bcrypt, scrypt and argon2 are designed to be slow and memory-hungry precisely to make this loop expensive.

Identifying Hash Type

By format:

  • 32 hex chars → likely MD5 (MD4 and NTLM have the same length)
  • 40 hex chars → likely SHA-1
  • 64 hex chars → likely SHA-256
  • Starts with $1$ → md5crypt
  • Starts with $2a$, $2b$ or $2y$ → bcrypt
  • Starts with $5$ → sha256crypt; $6$ → sha512crypt (classic Linux /etc/shadow)
  • Starts with $y$ → yescrypt (the /etc/shadow default on recent Debian, Ubuntu and Fedora)
  • Starts with $argon2 → argon2

Using hash-identifier (interactive; it prompts for the hash):

hash-identifier
[*] Enter the hash to identify the hash type
[*] Example usage: hash-identifier
Hash: 5d41402abc4b2a76b9719d911017c592

Possible Hashes:
[+] MD5
[+] MD4
[+] Double MD5

hashid does the same non-interactively and, with -m and -j, prints the matching Hashcat mode and John format next to each guess; hashcat 6.2 and later can also guess with hashcat --identify hash.txt:

hashid -m -j 5d41402abc4b2a76b9719d911017c592

Every identifier works from the shape of the string alone, so a list of candidates is the best you will get. Where the hash came from settles the ambiguity: 32 hex chars out of a Windows SAM is NTLM, not MD5.

Using online tools (cautiously):

https://www.tunnelsup.com/hash-analyzer/ identifies hash types in the browser. Never paste hashes from a client engagement into a third-party site: the hash is itself sensitive data, and you have no control over what the site logs.

Installation

Hashcat

Linux (Debian/Ubuntu/Kali):

sudo apt install hashcat

Check which compute devices hashcat can see:

hashcat -I
# Lists every CUDA/OpenCL device: GPUs and, if a CPU OpenCL runtime is installed, the CPU

For NVIDIA cards hashcat needs the proprietary driver, which ships the CUDA runtime it loads; the full nvidia-cuda-toolkit package is not required to run it:

sudo apt install nvidia-driver-XXX   # replace XXX with the current driver version for your card
hashcat -I                           # should now list a CUDA backend device

John the Ripper

Linux:

sudo apt install john

Core vs. Jumbo:

The official "core" release supports only a handful of traditional formats. Jumbo is the community-enhanced build with hundreds of formats plus the helper scripts (unshadow, zip2john, ssh2john, ...). Kali ships Jumbo; on other distributions check the banner john prints (it says "jumbo") or run john --list=formats. To build Jumbo from source:

git clone https://github.com/openwall/john.git
cd john/src
./configure
make -s clean && make -sj4
# Binary and config at ../run/john and ../run/john.conf

Hash Cracking Techniques

1. Dictionary Attack

Try every word in a wordlist against the hash.

Wordlists:

# Kali ships wordlists under /usr/share/wordlists/
ls /usr/share/wordlists/
# Output: rockyou.txt.gz, dirb/, dirbuster/, ...

# rockyou.txt comes gzipped on Kali; decompress it once
sudo gunzip /usr/share/wordlists/rockyou.txt.gz

# rockyou.txt is the usual first choice: ~14 million unique passwords from the 2009 RockYou breach
wc -l /usr/share/wordlists/rockyou.txt
# 14344391 /usr/share/wordlists/rockyou.txt

With John:

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# --format is optional, but a 32-hex hash matches several formats and John only guesses
# john --show hashes.txt prints what has been cracked so far (results are kept in ~/.john/john.pot)

With Hashcat:

hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
# -m 0: MD5 hash type (hashcat --help lists every mode number)
# Cracked results are cached in the potfile (~/.local/share/hashcat/hashcat.potfile); hashcat --show -m 0 hashes.txt prints them

2. Rule-Based Attack

Modify dictionary words using rules (add numbers, uppercase, etc.).

John rules (built-in):

john --wordlist=/usr/share/wordlists/rockyou.txt --rules hashes.txt
# --rules with no argument uses the [List.Rules:Wordlist] section of john.conf

Custom rule example:

John reads rules from named sections of its config file, not from arbitrary files. Add a section to john.conf (Jumbo's john.conf also includes john-local.conf from the same directory if it exists, which is the better place for local additions because it survives upgrades):

[List.Rules:Custom]
# Capitalize first letter and append a digit ([0-9] is a preprocessor range: John expands it to ten rules)
c$[0-9]

# Reverse word
r

# Append exclamation mark
$!

Use the section by name:

john --wordlist=/usr/share/wordlists/rockyou.txt --rules=Custom hashes.txt

Hashcat rules:

Hashcat uses the same rule language but reads it from plain files with -r and has no preprocessor: c$[0-9] has to be written out as ten lines (c$0 through c$9). It ships rule files under /usr/share/hashcat/rules/ (best64.rule is the usual first pick; dive.rule and rockyou-30000.rule are much larger):

hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# OneRuleToRuleThemAll is a popular third-party rule file; it is not shipped with hashcat, download it separately
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt -r OneRuleToRuleThemAll.rule
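To make concrete what the dictionary and rule engines above actually do, here is a small Python cracker. It is an added example, not code from this page or from the John/hashcat projects: it implements a dictionary attack with a subset of the shared rule syntax (including John's [0-9] preprocessor expansion), guesses the algorithm from the digest length as in the identification section, and hashes each candidate once per algorithm so that a whole set of hashes costs about the same as one. The wordlist, rules and target hashes are constructed for the demonstration; one target is the page's MD5 example and one is deliberately unreachable.

```python
import hashlib
import itertools
import re

# Hash type guessed from digest length, as in "Identifying Hash Type".
# 32 hex chars is ambiguous (MD5, MD4, NTLM ...); MD5 is the guess here.
ALG_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def expand_rule(rule):
    """Expand John-style preprocessor ranges: 'c$[0-9]' -> ['c$0', ..., 'c$9'].

    Hashcat has no preprocessor, so a hashcat rule file needs one line per
    expanded rule; this is exactly what the expansion produces.
    """
    literals = re.split(r"\[[^\]]+\]", rule)
    groups = re.findall(r"\[([^\]]+)\]", rule)
    charsets = []
    for group in groups:
        chars, i = [], 0
        while i < len(group):
            if i + 2 < len(group) and group[i + 1] == "-":      # a-z style range
                chars.extend(chr(c) for c in range(ord(group[i]), ord(group[i + 2]) + 1))
                i += 3
            else:
                chars.append(group[i])
                i += 1
        charsets.append(chars)
    return ["".join(lit + ch for lit, ch in zip(literals, combo)) + literals[-1]
            for combo in itertools.product(*charsets)]


def apply_rule(word, rule):
    """Apply one rule in the John/hashcat syntax (a common subset of the operators)."""
    out, i = word, 0
    while i < len(rule):
        op = rule[i]
        if op in ": ":              # ':' is the no-op rule; spaces are ignored
            pass
        elif op == "l":
            out = out.lower()
        elif op == "u":
            out = out.upper()
        elif op == "c":             # capitalise the first character, lowercase the rest
            out = out[:1].upper() + out[1:].lower()
        elif op == "t":             # toggle the case of every character
            out = out.swapcase()
        elif op == "r":
            out = out[::-1]
        elif op == "d":
            out = out + out
        elif op == "f":             # reflect: word followed by its reverse
            out = out + out[::-1]
        elif op in "$^":            # append / prepend the next character
            i += 1
            if i >= len(rule):
                raise ValueError(f"rule {rule!r} ends without a character for {op}")
            out = out + rule[i] if op == "$" else rule[i] + out
        else:
            raise ValueError(f"unsupported rule op {op!r} in {rule!r}")
        i += 1
    return out


def crack(target_hashes, wordlist, rules):
    """Dictionary + rule attack. Returns ({hash: plaintext}, candidates_tried)."""
    remaining = {}                       # algorithm -> set of uncracked hashes
    for h in target_hashes:
        h = h.lower()
        alg = ALG_BY_LEN.get(len(h))
        if alg is None or not re.fullmatch(r"[0-9a-f]+", h):
            raise ValueError(f"unrecognised hash format: {h}")
        remaining.setdefault(alg, set()).add(h)
    expanded = [r for rule in rules for r in expand_rule(rule)]
    found, tried = {}, 0
    for word in wordlist:
        for rule in expanded:
            candidate = apply_rule(word, rule)
            tried += 1
            # One digest per algorithm, then a set lookup: batching hashes is nearly free
            for alg, hashes in remaining.items():
                digest = hashlib.new(alg, candidate.encode()).hexdigest()
                if digest in hashes:
                    found[digest] = candidate
                    hashes.discard(digest)
            if not any(remaining.values()):
                return found, tried
    return found, tried


# Constructed sample data: a tiny wordlist, a few rules and hashes of plausible passwords
WORDLIST = ["hello", "dragon", "sunshine", "baseball"]
RULES = [":", "c$[0-9]", "r", "^!"]
TARGETS = [
    "5d41402abc4b2a76b9719d911017c592",                        # the page's MD5 example
    hashlib.sha1(b"Dragon7").hexdigest(),                       # 'dragon' after rule c$7
    hashlib.sha256(b"!sunshine").hexdigest(),                   # 'sunshine' after rule ^!
    hashlib.md5(b"correct horse battery staple").hexdigest(),   # unreachable: stays uncracked
]

if __name__ == "__main__":
    found, tried = crack(TARGETS, WORDLIST, RULES)
    print(f"{len(found)}/{len(TARGETS)} cracked after {tried} candidates")
    for h, pw in found.items():
        print(f"{h}:{pw}")
```

Real tools do the same loop on a GPU with the candidate generation and hashing fused into one kernel; the structure (expand rules, mangle, hash once, look up against every target of that type) is identical.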

3. Brute Force

Try every combination of a character set. The keyspace grows exponentially with length, so this is only practical for short passwords or a narrow mask.

With John:

john --incremental hashes.txt
# Tries character combinations in an order learned from real passwords; runs until stopped
# john --incremental=Digits hashes.txt restricts it to one of the predefined modes

With Hashcat (exactly 6 lowercase letters):

hashcat -m 0 hashes.txt -a 3 ?l?l?l?l?l?l
# -a 3: mask ("brute force") attack
# ?l: one lowercase letter per position
# add --increment to also try lengths 1 to 6 of the mask

Mask syntax:

Placeholder   Meaning
?l            lowercase (a-z)
?u            uppercase (A-Z)
?d            digit (0-9)
?s            special: space plus the 32 printable ASCII punctuation characters
?a            any of the above (95 characters)
?b            any byte (0x00-0xff)

Any other character in a mask is taken literally, so Pass?d?d?d tries Pass000 through Pass999. Custom charsets are declared with -1 to -4 (for example -1 ?l?d, then ?1 in the mask).
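The brute-force and mask sections above are really a statement about keyspace size. The following Python block, an added example rather than code from the page or from hashcat, parses a hashcat mask into per-position charsets, computes the keyspace and the worst-case time at a given guess rate, and runs a mask attack against one unsalted hash. The target hash and the CPU/GPU rates in the demo are constructed (the rates are the page's rough MD5 figures); the charset definitions follow hashcat's built-ins.

```python
import hashlib
import itertools
import string

# Hashcat's built-in charsets. ?s is space plus the 32 printable ASCII punctuation
# characters (33 total); ?a is the union of the other four (95 characters).
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def parse_mask(mask):
    """Split a hashcat mask into one charset string per position.

    Characters outside a ?x token are literals, and '??' is a literal question mark.
    """
    positions, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a lone '?'")
        key = mask[i + 1]
        if key == "?":
            positions.append("?")
        elif key in CHARSETS:
            positions.append(CHARSETS[key])
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 2
    return positions


def keyspace(mask):
    """Number of candidates the mask produces: the product of the charset sizes."""
    size = 1
    for charset in parse_mask(mask):
        size *= len(charset)
    return size


def seconds_to_exhaust(mask, hashes_per_second):
    """Worst-case time to run the whole mask at a given guess rate."""
    return keyspace(mask) / hashes_per_second


def mask_attack(target_hex, mask, alg="md5"):
    """Try every candidate in the mask against one unsalted hash; return the plaintext or None."""
    target = target_hex.lower()
    for combo in itertools.product(*parse_mask(mask)):
        candidate = "".join(combo)
        if hashlib.new(alg, candidate.encode()).hexdigest() == target:
            return candidate
    return None


# Constructed target: MD5 of a short lowercase+digit password, so the demo finishes instantly
SAMPLE_HASH = hashlib.md5(b"xz9").hexdigest()

if __name__ == "__main__":
    cpu_rate, gpu_rate = 1e6, 2e10   # rough MD5 guess rates for a CPU and a GPU, per the page
    for mask in ("?l?l?l?l?l?l", "?u?l?l?l?l?d?d", "?a?a?a?a?a?a?a?a"):
        size = keyspace(mask)
        print(f"{mask:18} keyspace {size:>22,}  CPU {seconds_to_exhaust(mask, cpu_rate) / 3600:>14,.1f} h"
              f"  GPU {seconds_to_exhaust(mask, gpu_rate):>12,.1f} s")
    print("mask ?l?l?d ->", mask_attack(SAMPLE_HASH, "?l?l?d"))
```

Running it shows why masks matter: six lowercase letters (26^6, about 309 million) are gone in a fraction of a second on a GPU, while eight ?a positions (95^8, about 6.6 x 10^15) take days on the same GPU and centuries on a CPU. A mask that encodes what you know about the password policy (one capital, two trailing digits) cuts the keyspace by orders of magnitude.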

4. Combinator Attack (Hashcat)

Concatenate every word of one list with every word of another:

hashcat -m 0 hashes.txt -a 1 wordlist1.txt wordlist2.txt
# -a 1: combinator (left word + right word)

With a left list of {password, user} and a right list of {2024, admin} it tries password2024, passwordadmin, user2024 and useradmin. The keyspace is |left| x |right|, so keep at least one of the lists small (years, separators, common suffixes).

Practical Examples

Example 1: Crack MD5 Hash

Hash: 5d41402abc4b2a76b9719d911017c592

Step 1: Identify type

hash-identifier <<< "5d41402abc4b2a76b9719d911017c592"
# Result: MD5 (with MD4 and others as alternatives; 32 hex chars is not unique to MD5)

hashid -m -j 5d41402abc4b2a76b9719d911017c592
# Same guess, plus the hashcat mode (0) and John format (raw-md5) to use

Step 2: Create hash file

echo "5d41402abc4b2a76b9719d911017c592" > md5_hash.txt

Step 3: Crack with John

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt md5_hash.txt
# Output: hello            (?)

The password was "hello"; the "(?)" means the hash file carried no username. This is the same digest as in the hash table above. Note that MD5 of "password" is a different value, 5f4dcc3b5aa765d61d8327deb882cf99, so always check the cracked plaintext against the hash rather than assuming.

Example 2: Linux /etc/shadow Cracking

Linux stores password hashes in /etc/shadow, readable only by root. Traditionally these are salted sha512crypt ($6$) hashes; recent Debian, Ubuntu and Fedora releases default to yescrypt ($y$), which Jumbo John supports (check hashcat --help for a matching mode before assuming hashcat does).

Example shadow entry:

user:$6$rounds=656000$abcd1234efgh5678$..........................:18000:0:99999:7:::

Format: username:hash:last-change:min:max:warn:inactive:expire:reserved

Inside the hash field, $6$ is the algorithm id, rounds=656000 the iteration count (5000 when omitted), abcd1234efgh5678 the salt and the remainder the digest. Because of the salt, two users with the same password get different hashes, and every guess has to be hashed once per user.

Convert to John format (root is needed to read /etc/shadow):

sudo unshadow /etc/passwd /etc/shadow > combined.txt

Crack:

john --wordlist=/usr/share/wordlists/rockyou.txt combined.txt
# John recognises sha512crypt from the $6$ prefix

Hashcat equivalent (mode 1800 is sha512crypt; feed it only the hash field):

cut -d: -f2 combined.txt | grep '^\$6\$' > shadow_hashes.txt
hashcat -m 1800 shadow_hashes.txt /usr/share/wordlists/rockyou.txt

Example 3: Windows NTLM Hashes

Windows stores local account passwords in the SAM (and domain accounts in NTDS.dit) as NT hashes: MD4 over the UTF-16LE encoding of the password, with no salt and no iterations. Because there is no salt, identical passwords produce identical hashes, so password reuse across accounts is visible before you crack anything.

Example hash (pwdump format, as produced by secretsdump.py or samdump2):

Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::

Fields: username:RID:LM hash:NT hash:::. The LM value aad3b435b51404eeaad3b435b51404ee is the LM hash of the empty string, meaning LM storage is disabled (the default since Windows Vista). The NT value 8846f7eaee8fb117ad06bdd830b7586c is the NT hash of "password".

Crack NTLM:

# hashcat wants one NT hash per line: extract the fourth field
cut -d: -f4 sam.txt > nt.txt
hashcat -m 1000 nt.txt /usr/share/wordlists/rockyou.txt
# -m 1000: NTLM hash type

# John reads pwdump lines directly
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt sam.txt

GPU Acceleration (Hashcat)

Hashcat is built for GPUs, which for fast unsalted hashes (MD5, SHA-1, NTLM) run orders of magnitude more guesses per second than a CPU.

Check GPU:

hashcat -I
# Shows available devices with their backend (CUDA/OpenCL) and device id

Example: pin hashcat to one device:

hashcat -m 0 hashes.txt rockyou.txt -d 1
# -d 1: use only device 1 as numbered by hashcat -I (by default hashcat uses every device it finds)
# -O selects the faster optimized kernels (caps candidate length at 31 for most modes); -w 3 raises the workload on a dedicated cracking box

Performance comparison (rough, MD5):

CPU (John, one modern core): tens of millions of hashes/second
GPU (single high-end NVIDIA card): tens of billions of hashes/second

That is a gap of three to four orders of magnitude: the difference between days and seconds. The gap narrows sharply for slow hashes: a GPU manages only thousands of bcrypt guesses per second at common cost factors, and argon2 with a large memory parameter is harder still. Hash choice on the defender's side matters more than hardware on the attacker's.

Finding Weak Passwords

Frequency counts from the original 2009 RockYou breach (about 32 million plaintext passwords; rockyou.txt is the deduplicated version) show how concentrated real choices are. Per the widely cited Imperva analysis of that dump, the top ten were:

  1. 123456 (about 290,000 accounts)
  2. 12345
  3. 123456789
  4. password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123

Most user-chosen passwords are weak or predictable. How many of a captured set fall to rockyou.txt plus rules depends on the password policy and on the hash (a fast unsalted hash lets you try vastly more candidates than bcrypt), but on fast hashes from real-world dumps it is common to crack the majority within hours.

Creating Your Own Wordlists

Merge multiple wordlists:

cat rockyou.txt common_passwords.txt custom_words.txt > merged.txt
LC_ALL=C sort -u merged.txt > unique_wordlist.txt
# LC_ALL=C sorts by byte value: much faster, and it copes with the non-UTF-8 lines in rockyou.txt

Generate from target info (OSINT):

  • Company name, variations, years
  • Employee names, usernames
  • Pet names, family names from social media
  • Common terms in industry

Tools for generation:

# Crunch: enumerate combinations
crunch 6 8 abc123 -o wordlist.txt
# Every 6- to 8-character string over the charset 'abc123' (6^6 + 6^7 + 6^8 = 2,006,208 lines)

# Mentalist: GUI wordlist generator (chains of case, leet, prepend and append operations)
# Install from https://github.com/sc0tfree/mentalist as described in its README
mentalist

# CeWL: crawl a website and extract words
cewl https://example.com -m 5 -w wordlist.txt
# -m 5: keep words of at least 5 characters; -d sets crawl depth (default 2); -e also harvests e-mail addresses
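The OSINT list above is what Mentalist and crunch turn into candidates. The following Python block is an added example, not code from this page or from either tool: it takes seed terms (company, city, product) and a few years, builds case and leet variants, joins pairs of seeds, appends years and common suffixes, and then filters the result against a typical "8 characters, three character classes" policy so that candidates the target could not have chosen are never tried. The seeds in the demo are constructed for a hypothetical target.

```python
import itertools

# Leet substitutions for lowercase letters only; keep the map small so the list stays focused
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})

DEFAULT_SUFFIXES = ("", "!", "#", "123")
DEFAULT_SEPARATORS = ("", "_", ".")


def leet(word):
    return word.translate(LEET)


def case_variants(word):
    return {word.lower(), word.capitalize(), word.upper()}


def base_words(seeds, separators=DEFAULT_SEPARATORS):
    """Each seed in three cases plus its leet form, and every ordered pair of seeds joined by a separator."""
    bases = set()
    clean = sorted({s.strip().lower() for s in seeds if s.strip()})
    for seed in clean:
        for variant in case_variants(seed):
            bases.add(variant)
            bases.add(leet(variant))
    for first, second in itertools.permutations(clean, 2):
        for sep in separators:
            bases.add(first + sep + second)
            bases.add(first.capitalize() + sep + second.capitalize())
    return bases


def generate_wordlist(seeds, years, suffixes=DEFAULT_SUFFIXES, separators=DEFAULT_SEPARATORS):
    """Combine base words with years (four- and two-digit) and suffixes; sorted and deduplicated."""
    year_tokens = [""] + [str(y) for y in years] + [str(y)[-2:] for y in years]
    words = set()
    for base in base_words(seeds, separators):
        for year in year_tokens:
            # A separator only makes sense in front of something
            for sep in (separators if year else ("",)):
                for suffix in suffixes:
                    words.add(base + sep + year + suffix)
    return sorted(words)


def meets_policy(word, min_len=8, min_classes=3):
    """True if the candidate could exist under a 'length >= 8, three character classes' policy."""
    classes = sum([
        any(c.islower() for c in word),
        any(c.isupper() for c in word),
        any(c.isdigit() for c in word),
        any(not c.isalnum() for c in word),
    ])
    return len(word) >= min_len and classes >= min_classes


if __name__ == "__main__":
    # Constructed OSINT seeds for a hypothetical target: company name, city, product
    seeds = ["Acme", "Denver", "Skyline"]
    words = generate_wordlist(seeds, years=[2023, 2024])
    policy_words = [w for w in words if meets_policy(w)]
    print(f"{len(words)} candidates, {len(policy_words)} survive the password policy filter")
    print("\n".join(policy_words[:10]))
```

Feed the filtered list to hashcat or John with a rule set on top (the rules handle case toggles and extra suffixes far more cheaply than enumerating them here); the point of the generator is the seed combinations and the policy filter, which no generic wordlist can provide.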

CTF and Practical Labs

TryHackMe hash cracking rooms:

  • “Hash Cracking” room
  • “John the Ripper” room
  • “Hashcat” room

Practice platforms:

  • HackTheBox: challenges that hand you hash dumps to crack
  • OverTheWire: wargames (Bandit for shell basics, Krypton for classical crypto)
  • CTFtime.org: calendar of real CTF competitions

Ethical Considerations

Legal uses:

  • Penetration testing (with authorization)
  • Password recovery (own systems)
  • CTF competitions
  • Security research (test environments)

Illegal uses:

  • Cracking passwords without authorization
  • Accessing accounts you don’t own
  • Password cracking for unauthorized systems

Handling cracked credentials:

If you crack an admin password in an authorized test:

  1. Document the finding (which hash, which wordlist and rules, how long it took)
  2. Report it to the client through the agreed channel; never put plaintext passwords in e-mail or in a shared report, and do not keep the potfile beyond the engagement
  3. Use the credential only within the agreed scope
  4. Recommend fixes: longer passphrases, screening against breached-password lists, MFA, and a slow salted hash (bcrypt, scrypt or argon2) wherever a fast hash was found

Advanced Techniques

Pre-computed Tables (Rainbow Tables)

A rainbow table is a pre-computed time/memory trade-off: chains of hash-then-reduce steps covering a keyspace (say, all 8-character alphanumerics) for one unsalted algorithm, so that a captured hash can be reversed with a lookup plus a short recomputation instead of a full brute force.

Cost: tables for a useful keyspace run to hundreds of gigabytes or terabytes, and each one covers exactly one algorithm and charset. Unsalted hashes such as NTLM were the classic target; with cheap GPUs, on-the-fly cracking has largely displaced them.

Mitigation: salting (a random per-password value stored alongside the hash) means a table would have to be built per salt, which defeats precomputation entirely. Every crypt(3) scheme ($1$, $5$, $6$, $y$), bcrypt and argon2 are salted; raw MD5/SHA-* and NTLM are not.

Multi-GPU and Distributed Cracking

Hashcat uses every device it detects by default; -d only restricts which ones it uses on a single host:

hashcat -m 0 hashes.txt rockyou.txt -d 1,2,3,4
# -d 1,2,3,4: use devices 1 to 4 (as listed by hashcat -I) on this machine

Spreading one job across several machines is not built in. Split the keyspace manually with --skip and --limit (-s and -l, in the candidate counts reported by --keyspace), or use a coordinator such as Hashtopolis that does the splitting and result collection for you.

Optimization Tips

  1. Run rockyou.txt with a rule set (best64 or OneRuleToRuleThemAll) before anything else: the best hit rate per unit of time
  2. Apply rules rather than building huge pre-mangled wordlists: rules are expanded on the GPU at almost no cost
  3. Use a GPU for fast hashes: orders of magnitude faster than a CPU; it buys far less for bcrypt and argon2
  4. Crack all hashes of one type in a single run: each candidate is hashed once and compared against the whole set (for salted hashes every salt costs extra, so prioritise the accounts that matter)
  5. Build target-specific wordlists from OSINT: company name, local sports teams, product names and the current year catch what rockyou misses
  6. Use -O and -w 3 on a dedicated box, and watch hashcat's status line (press s) for the guess rate and ETA

Troubleshooting

Hashcat: "No devices found/left"

# Install or reinstall the GPU driver (NVIDIA: the proprietary driver; AMD: ROCm or the AMDGPU-PRO OpenCL runtime)
sudo apt install nvidia-driver-XXX

# Or fall back to the CPU: install an OpenCL CPU runtime (pocl-opencl-icd on Debian/Ubuntu), then
hashcat -I                                       # note the id of the CPU device
hashcat -m 0 hash.txt rockyou.txt -d <cpu-id>    # device numbering is not fixed; read it from hashcat -I

John won't recognize hash format

# Name the format explicitly (John's names differ from hashcat's modes: raw-md5, not md5)
john --format=raw-md5 hashes.txt

# List all formats
john --list=formats

# For pwdump-style user:rid:lm:nt::: lines use --format=NT; for other user:hash layouts strip the username first

Running out of memory or the GPU driver timing out

# Hashcat: lower the workload profile (1 = low/interactive, 2 = default, 3 = high, 4 = nightmare)
hashcat -m 0 hash.txt rockyou.txt -w 1

# John: memory use scales with the number of loaded hashes and salts more than with the wordlist;
# split huge hash files and crack one format at a time

Conclusion

Password cracking is a fundamental skill. Most captured passwords crack quickly with dictionary attacks and GPU acceleration.

Key takeaways:

  1. Identify the hash type before attempting to crack; let the source of the hash settle any ambiguity
  2. Dictionary attack with rules first: the best return for the time spent
  3. Use a GPU for speed (orders of magnitude faster on fast hashes; much less so on bcrypt and argon2)
  4. Create custom wordlists from OSINT data
  5. Apply rules to expand wordlist coverage
  6. Work ethically: only crack hashes you are authorized to test, and handle the results as the sensitive data they are

Master Hashcat and John, and you’ll be able to crack most weak passwords in minutes. This skill applies directly to CTF competitions, penetration tests, and security forensics.

Fast password cracking separates hobbyists from professionals. Master it.

#wordlists #Kali Linux #CTF #hash #password cracking #John the Ripper #Hashcat