Hash Identification and Cracking: From Type Detection to Cracked Plaintext
Password hash cracking is a core post-exploitation skill. After dumping a SAM database, extracting hashes from a database, or capturing NTLMv2 hashes from a Responder session, you need to efficiently recover plaintext passwords. This guide covers everything from identifying an unknown hash type to choosing the right attack strategy for cracking it.
Common Hash Formats
[Chart: Hash Cracking Speed by Type — RTX 4090 (simplified, MH/s). Lower bar = harder to crack = better for password storage. bcrypt and Argon2 are intentionally slow.]
Hash Type Identification Reference
| Hash Type | Length (chars) | Hashcat -m | John --format | Example |
|---|---|---|---|---|
| MD5 | 32 | 0 | raw-md5 | 5f4dcc3b5aa765d61d8327deb882cf99 |
| SHA-1 | 40 | 100 | raw-sha1 | aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d |
| SHA-256 | 64 | 1400 | raw-sha256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| NTLM | 32 | 1000 | nt | b4b9b02e6f09a9bd760f388b67351e2b |
| NetNTLMv2 | Variable | 5600 | netntlmv2 | user::DOMAIN:challenge:hash |
| bcrypt | 60 | 3200 | bcrypt | $2a$12$...60chars... |
| SHA-512crypt | 106 | 1800 | sha512crypt | $6$salt$...86chars... |
| Kerberos TGS (RC4) | Variable | 13100 | krb5tgs | $krb5tgs$23$... |
| PBKDF2-SHA256 | Variable | 10900 | PBKDF2-HMACSHA256 | pbkdf2_sha256$260000$... |
Identifying the hash type is the first step. Key characteristics:
| Hash Type | Length (chars) | Example / Prefix | Hashcat Mode |
|---|---|---|---|
| MD5 | 32 | 5f4dcc3b5aa765d61d8327deb882cf99 | 0 |
| SHA-1 | 40 | 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 | 100 |
| SHA-256 | 64 | 5e884898da28047151d0e56f8dc629277... | 1400 |
| SHA-512 | 128 | b109f3bbbc244eb82441917ed06d618b... | 1700 |
| bcrypt | 60 | $2a$12$... or $2b$12$... | 3200 |
| NTLM | 32 | 8846f7eaee8fb117ad06bdd830b7586c | 1000 |
| NetNTLMv1 | variable | user::domain:challenge:hash:hash | 5500 |
| NetNTLMv2 | variable | user::domain:challenge:hash:blob | 5600 |
| Kerberos RC4 (TGS) | variable | $krb5tgs$23$*... | 13100 |
| AS-REP (AS-REP Roast) | variable | $krb5asrep$23$... | 18200 |
| sha512crypt ($6$) | variable | $6$salt$... | 1800 |
| Argon2 | variable | $argon2id$v=19$... | argon2 |
Identifying Hashes by Characteristics
By Length and Character Set
- 32 hex chars — likely MD5 or NTLM (identical format, different contexts)
- 40 hex chars — likely SHA-1
- 64 hex chars — likely SHA-256
- 128 hex chars — likely SHA-512
- 60 chars starting with $2a$, $2b$, or $2y$ — bcrypt
- Variable length with $6$ prefix — sha512crypt (Linux /etc/shadow)
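The length, character-set and prefix heuristics above are easy to encode. The following Python is an added example for this guide, not code from hashid or Name That Hash: it returns every plausible candidate with the hashcat mode from the tables, and deliberately reports both MD5 and NTLM for a bare 32-hex string because the format alone cannot separate them. The sample hashes it runs on are the page's own examples plus constructed bcrypt, sha512crypt and NetNTLMv2 strings of the right shape (not real digests).

```python
import re
from typing import List, Tuple

HEX = re.compile(r"^[0-9a-fA-F]+$")

# Unsalted hex digests, keyed by length in hex characters -> (type, hashcat mode).
HEX_LENGTHS = {
    32: [("MD5", "0"), ("NTLM", "1000")],   # same format, different context
    40: [("SHA-1", "100")],
    64: [("SHA-256", "1400")],
    128: [("SHA-512", "1700")],
}

# Prefixed / structured formats: (pattern, type, hashcat mode). Argon2 has no
# numeric mode in the table above, so it is reported the same way here.
PREFIXED = [
    (re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "bcrypt", "3200"),
    (re.compile(r"^\$6\$(rounds=\d+\$)?[^$]*\$[./A-Za-z0-9]{86}$"), "sha512crypt", "1800"),
    (re.compile(r"^\$argon2(id|i|d)\$v=\d+\$"), "Argon2", "argon2"),
    (re.compile(r"^pbkdf2_sha256\$\d+\$"), "PBKDF2-SHA256 (Django)", "10900"),
    (re.compile(r"^\$krb5tgs\$23\$"), "Kerberos TGS-REP (RC4)", "13100"),
    (re.compile(r"^\$krb5asrep\$23\$"), "Kerberos AS-REP (RC4)", "18200"),
    # user::DOMAIN:server-challenge(16 hex):NT-proof(32 hex):blob(hex)
    (re.compile(r"^[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$"),
     "NetNTLMv2", "5600"),
    # user::DOMAIN:LM-response(48 hex):NT-response(48 hex):challenge(16 hex)
    (re.compile(r"^[^:]+::[^:]*:[0-9a-fA-F]{48}:[0-9a-fA-F]{48}:[0-9a-fA-F]{16}$"),
     "NetNTLMv1", "5500"),
]


def identify(hash_str: str) -> List[Tuple[str, str]]:
    """Return all plausible (type, hashcat mode) candidates for one hash string."""
    h = hash_str.strip()
    for pattern, name, mode in PREFIXED:
        if pattern.match(h):
            return [(name, mode)]
    if HEX.match(h):
        return list(HEX_LENGTHS.get(len(h), []))
    return []


# Constructed sample inputs: page examples plus shape-correct placeholders.
SAMPLES = [
    "5f4dcc3b5aa765d61d8327deb882cf99",                  # MD5 or NTLM
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",          # SHA-1
    "$2a$12$" + "a" * 22 + "B" * 31,                     # bcrypt shape (constructed)
    "$6$salt$" + "x" * 86,                               # sha512crypt shape (constructed)
    "user::DOMAIN:" + "0" * 16 + ":" + "1" * 32 + ":" + "2" * 40,  # NetNTLMv2 shape
    "$krb5tgs$23$*svc$CORP.LOCAL$http/web*$" + "ab" * 8 + "$" + "cd" * 16,
    "not a hash",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s[:40]:<42} -> {identify(s) or 'unknown'}")
```

When a hex hash could be either MD5 or NTLM, the output lists both so you can run -m 0 and -m 1000 against the same file rather than guessing.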
Automated Identification Tools
# hashid — identifies by pattern
hashid '5f4dcc3b5aa765d61d8327deb882cf99'
hashid -m '5f4dcc3b5aa765d61d8327deb882cf99' # include hashcat mode numbers
# hash-identifier (older but widely installed)
hash-identifier
# Name That Hash (more modern, color output)
nth --text '5f4dcc3b5aa765d61d8327deb882cf99'
NTLM vs MD5 Disambiguation
NTLM and MD5 both produce 32 hex characters, so the string alone cannot tell them apart. Context determines which it is: a SAM or NTDS.dit dump → NTLM; a web application database → probably MD5. When the source is unknown, run both modes (-m 0 and -m 1000) against the same hash file in parallel.
Hashcat: Core Syntax and Attack Modes
# Basic syntax
hashcat -m <mode> -a <attack> <hashfile> <wordlist/mask> [options]
# Attack modes
-a 0 # Dictionary attack (wordlist)
-a 1 # Combinator attack (combine two wordlists)
-a 3 # Brute force / mask attack
-a 6 # Hybrid: wordlist + mask
-a 7 # Hybrid: mask + wordlist
# Useful options
--status # print status every 10 seconds
--status-timer=5 # print status every 5 seconds
-O # enable optimized kernels (faster, limits password length)
--show # show cracked hashes after the run
-o cracked.txt # output file for cracked hashes
--username # input file has "username:hash" format
Effective Wordlists
- rockyou.txt — 14 million passwords from the 2009 RockYou breach. Available on Kali at /usr/share/wordlists/rockyou.txt.gz.
- SecLists Passwords — /usr/share/seclists/Passwords/ contains dozens of targeted lists: common corporate passwords, keyboard walks, leaked databases.
- weakpass — weakpass.com offers curated large wordlists optimized for different hash types.
- Custom wordlists — generate from target website content with CeWL:
cewl -d 3 -m 6 https://example.com -w custom.txt
Hashcat Rules
Rules transform wordlist entries to generate variants without expanding the wordlist file size. Rules are one of the most effective cracking tools available:
# Apply rules to a wordlist attack
hashcat -m 1000 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Stack multiple rule files
hashcat -m 1000 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/toggles1.rule
# Key rule files by effectiveness:
# best64.rule — 64 high-value transformations (capitalize, append digits/symbols)
# d3ad0ne.rule — 34,000 rules, excellent for real-world passwords
# OneRuleToRuleThemAll.rule — community-curated, very effective
# dive.rule — 100,000+ rules, slow but thorough
Common Rule Syntax
: # do nothing (pass through)
c # capitalize first letter
u # uppercase all
l # lowercase all
r # reverse
$1 # append "1"
$! # append "!"
^1 # prepend "1"
sa@ # substitute 'a' with '@'
se3 # substitute 'e' with '3'
so0 # substitute 'o' with '0'
D3 # delete character at position 3 (positions are 0-indexed, so this removes the fourth character)
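Seeing rules executed makes it clear how little a "password123!" pattern adds over the base word. The interpreter below is an added example written for this guide, not hashcat's rule engine: it implements exactly the rule functions listed above (pass-through, c, u, l, r, $X, ^X, sXY, DN), ignores the spaces hashcat allows between functions, and drops a candidate when a rule cannot apply (DN beyond the end of the word). The wordlist and rules in the usage are constructed, and the candidate counter shows the deduplicated number of guesses a wordlist × rule set actually produces, which is what you would quote when assessing a password policy.

```python
from typing import Iterable, Optional, Set


def _pos(ch: str) -> int:
    """Rule positions are 0-indexed and written 0-9 then A-Z (A=10 ... Z=35)."""
    if ch.isdigit():
        return int(ch)
    return ord(ch.upper()) - ord("A") + 10


def _take(rule: str, i: int, n: int = 1):
    """Read n argument characters at offset i, failing on a truncated rule."""
    if i + n > len(rule):
        raise ValueError(f"rule {rule!r} ends in the middle of a function")
    return rule[i:i + n], i + n


def apply_rule(word: str, rule: str) -> Optional[str]:
    """Apply one rule line to a word; None means the rule rejects this word."""
    w, i = word, 0
    while i < len(rule):
        fn, i = rule[i], i + 1
        if fn == " ":                       # separators between functions
            continue
        if fn == ":":                       # pass-through
            continue
        if fn == "l":
            w = w.lower()
        elif fn == "u":
            w = w.upper()
        elif fn == "c":                     # capitalize first, lowercase rest
            w = w[:1].upper() + w[1:].lower()
        elif fn == "r":
            w = w[::-1]
        elif fn == "$":                     # append
            arg, i = _take(rule, i)
            w = w + arg
        elif fn == "^":                     # prepend
            arg, i = _take(rule, i)
            w = arg + w
        elif fn == "s":                     # substitute every X with Y
            arg, i = _take(rule, i, 2)
            w = w.replace(arg[0], arg[1])
        elif fn == "D":                     # delete character at 0-indexed position
            arg, i = _take(rule, i)
            n = _pos(arg)
            if n >= len(w):
                return None                 # nothing at that position: no candidate
            w = w[:n] + w[n + 1:]
        else:
            raise ValueError(f"unsupported rule function {fn!r} in {rule!r}")
    return w


def candidates(words: Iterable[str], rules: Iterable[str]) -> Set[str]:
    """Distinct guesses generated by every word under every rule."""
    out: Set[str] = set()
    rules = list(rules)
    for word in words:
        for rule in rules:
            cand = apply_rule(word, rule)
            if cand is not None:
                out.add(cand)
    return out


if __name__ == "__main__":
    words = ["password", "summer", "welcome"]                 # constructed wordlist
    rules = [":", "c", "c $1", "c $2 $0 $2 $4", "c $!", "sa@ se3 so0", "r", "^1", "D3"]
    for cand in sorted(candidates(words, rules)):
        print(cand)
```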
Brute Force with Character Masks
Masks define the character set for each position in the password. Use when you know the password policy:
# Mask charset placeholders
?l # lowercase a-z
?u # uppercase A-Z
?d # digits 0-9
?s # special !@#$%...
?a # all printable ASCII (?l?u?d?s combined)
# Examples
# 8-char all-lowercase brute force
hashcat -m 0 hashes.txt -a 3 ?l?l?l?l?l?l?l?l
# Corporate password policy: 1 upper + 6 lower + 2 digits (common pattern)
hashcat -m 1000 hashes.txt -a 3 ?u?l?l?l?l?l?l?d?d
# Incremental length brute force (--increment)
hashcat -m 1000 hashes.txt -a 3 ?a?a?a?a?a?a?a?a --increment --increment-min=5
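How long a mask attack takes is just keyspace divided by hash rate, and a password policy is only as strong as that number at realistic GPU speeds. The Python below is an added example for this guide, not hashcat code: it parses the placeholders listed above (plus literal characters and ?? for a literal question mark), computes the keyspace of a mask, sums the lengths covered by --increment --increment-min, and converts that to time at a rate you supply. The rate in the usage is a constructed assumption; take the real figure from hashcat --benchmark on your own hardware.

```python
import math
from typing import List, Optional

# Size of each hashcat charset placeholder used above.
CHARSETS = {
    "l": 26,   # a-z
    "u": 26,   # A-Z
    "d": 10,   # 0-9
    "s": 33,   # space plus the 32 printable ASCII specials
    "a": 95,   # ?l?u?d?s combined (all printable ASCII)
}


def mask_positions(mask: str) -> List[int]:
    """Charset size per position. '??' is a literal '?', any other char is literal."""
    sizes: List[int] = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)                     # fixed character, e.g. "Summer?d?d"
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        tag = mask[i + 1]
        if tag == "?":
            sizes.append(1)                     # literal question mark
        elif tag in CHARSETS:
            sizes.append(CHARSETS[tag])
        else:
            raise ValueError(f"unknown charset ?{tag}")
        i += 2
    return sizes


def keyspace(mask: str, increment_min: Optional[int] = None) -> int:
    """Candidates for a mask. With increment_min set, sum every prefix length from
    increment_min to the full mask length, as --increment --increment-min=N does."""
    sizes = mask_positions(mask)
    if increment_min is None:
        return math.prod(sizes)
    return sum(math.prod(sizes[:n]) for n in range(increment_min, len(sizes) + 1))


def seconds_to_exhaust(space: int, rate_per_second: float) -> float:
    """Worst-case time to try every candidate at a given hashes/second."""
    return space / rate_per_second


def human(seconds: float) -> str:
    """Compact duration string for reporting (1.5m, 3.2h, 12.0d, 4.1y)."""
    for unit, size in (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("m", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f}{unit}"
    return f"{seconds:.1f}s"


if __name__ == "__main__":
    ASSUMED_RATE = 100e9          # constructed: 100 GH/s, stand-in for a fast-hash benchmark
    for mask, inc in [("?l?l?l?l?l?l?l?l", None),
                      ("?u?l?l?l?l?l?l?d?d", None),
                      ("Summer?d?d?d?d", None),
                      ("?a?a?a?a?a?a?a?a", 5)]:
        space = keyspace(mask, inc)
        print(f"{mask:<22} increment-min={inc!s:<5} keyspace={space:>22,} "
              f"time@{ASSUMED_RATE:.0e}H/s={human(seconds_to_exhaust(space, ASSUMED_RATE))}")
```

The policy mask ?u?l?l?l?l?l?l?d?d is roughly 8 × 10^11 candidates, a small fraction of the 95^8 full-ASCII space, which is why a known policy turns an infeasible brute force into a routine one; the same arithmetic, run against your own benchmark numbers, tells you which policies actually hold up.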
John the Ripper
John is better at some formats that hashcat handles awkwardly, and has automatic format detection:
# Auto-detect format and run default rules
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# Specific format
john --format=netntlmv2 --wordlist=rockyou.txt hashes.txt
# Show cracked hashes
john --show hashes.txt
# Format flags for common types:
# --format=NT NTLM
# --format=md5crypt Linux MD5 ($1$)
# --format=sha512crypt Linux SHA512 ($6$)
# --format=krb5tgs Kerberoast TGS
# --format=krb5asrep AS-REP Roast
GPU Rental for Expensive Hashes
bcrypt, Argon2, and sha512crypt with high work factors are extremely slow to crack locally. GPU rental services like vast.ai or Lambda Labs offer RTX 4090s by the hour, making a previously impractical crack feasible for a few dollars.
For MD5, SHA-1, and NTLM, online services like CrackStation and Hashes.com have rainbow tables covering billions of common passwords — submit first to avoid wasting cracking time on already-known hashes.
Putting It Together: NTLM Cracking Workflow
# 1. Dump NTLM hashes from a compromised Windows host
secretsdump.py -just-dc-ntlm domain/user:pass@dc-ip
# 2. Check online services first (fastest)
# Submit to https://hashes.com/en/decrypt/hash
# 3. Dictionary + best64 rules (fastest local approach)
hashcat -m 1000 ntlm-hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule -O
# 4. Dictionary + d3ad0ne rules (broader coverage)
hashcat -m 1000 ntlm-hashes.txt rockyou.txt -r /usr/share/hashcat/rules/d3ad0ne.rule -O
# 5. Targeted mask (if password policy is known)
hashcat -m 1000 ntlm-hashes.txt -a 3 ?u?l?l?l?l?l?d?d?s
# 6. Show results
hashcat -m 1000 ntlm-hashes.txt --show
Document cracked credentials and their impact in the Pentest Findings Documenter and score them with the CVSS Calculator. Weak or reused passwords from NTLM cracking typically support High or Critical findings depending on the account's privilege level.