Password Cracking with Hashcat and John the Ripper: A Complete Guide
Password cracking is a core competency for penetration testers. Whether you've dumped NTLM hashes from a domain controller or captured NetNTLMv2 handshakes over the wire, turning those hashes into plaintext passwords can unlock entire networks. This guide covers the complete cracking workflow.
Step 1: Hash Identification
[Figure: Hashcat cracking speed by hash type (RTX 4090, MH/s); chart not reproduced in this text version]
| Hash Type | Hashcat Mode (-m) | John Format | Example Length | Common Use |
|---|---|---|---|---|
| MD5 | 0 | raw-md5 | 32 chars | Legacy apps, CTF |
| SHA-1 | 100 | raw-sha1 | 40 chars | Legacy apps |
| SHA-256 | 1400 | raw-sha256 | 64 chars | APIs, tokens |
| NTLM | 1000 | nt | 32 chars | Windows AD, SMB |
| NetNTLMv2 | 5600 | netntlmv2 | Variable | Responder captures |
| bcrypt | 3200 | bcrypt | 60 chars | Modern web apps |
| SHA-512crypt | 1800 | sha512crypt | 106 chars | Linux /etc/shadow |
| Kerberoast (RC4) | 13100 | krb5tgs | Variable | AD attacks |
| AS-REP (RC4) | 18200 | krb5asrep | Variable | AD attacks |
Before cracking, identify the hash type. Using the wrong mode wastes hours:
# hashid — identifies multiple possible hash types
hashid '$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW'
# [+] Blowfish(OpenBSD) [Hashcat Mode: 3200]
# name-that-hash — more modern, better output
nth --text "5f4dcc3b5aa765d61d8327deb882cf99"
# Most Likely: MD5, HC: 0
# hash-identifier (classic tool)
hash-identifier
# (paste hash at prompt)
# Manual identification cheatsheet:
# 32 chars hex = MD5 (0) or NTLM (1000)
# 40 chars hex = SHA-1 (100)
# 64 chars hex = SHA-256 (1400)
# $1$ = MD5crypt (500)
# $2a$/$2b$ = bcrypt (3200)
# $6$ = SHA-512crypt (1800)
# $y$ = yescrypt (no dedicated hashcat mode; 15700 is scrypt, not yescrypt. Crack yescrypt with John the Ripper instead)
# NTLM = 32 hex chars from Windows SAM/LSASS
# NetNTLMv2 = username::domain:challenge:response format
# Kerberos 5 TGS = $krb5tgs$23$ prefix
# AS-REP = $krb5asrep$23$ prefix
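The cheatsheet above is the kind of lookup a practitioner ends up scripting when triaging a dump. The following is an added example, not code from the original guide or from hashid/nth: a small classifier that encodes exactly those prefix and length rules and returns candidate (label, hashcat mode) pairs. The sample hashes in the demo are either the two taken from the page or constructed shapes labelled as such; none are real credentials.

```python
import re

# Added example (not part of the original guide): a classifier that encodes
# the manual identification cheatsheet. identify_hash() returns candidate
# (label, hashcat_mode) pairs, most likely first; mode is None where hashcat
# has no dedicated mode. Sample hashes in __main__ are constructed test
# values or the page's own examples, not real credentials.

# Prefix-tagged formats (modular-crypt and Kerberos styles).
PREFIX_RULES = [
    ("$1$", "MD5crypt", 500),
    ("$2a$", "bcrypt", 3200),
    ("$2b$", "bcrypt", 3200),
    ("$2y$", "bcrypt", 3200),
    ("$6$", "SHA-512crypt", 1800),
    ("$y$", "yescrypt", None),
    ("$krb5tgs$23$", "Kerberos 5 TGS-REP (RC4)", 13100),
    ("$krb5asrep$23$", "Kerberos 5 AS-REP (RC4)", 18200),
]

# Bare hex digests are ambiguous by length alone: 32 hex chars is MD5 or NTLM,
# and only the source (web app vs. Windows SAM/LSASS) settles which.
HEX_LENGTH_RULES = {
    32: [("MD5", 0), ("NTLM", 1000)],
    40: [("SHA-1", 100)],
    64: [("SHA-256", 1400)],
}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# user::domain:server_challenge(16 hex):NTProofStr(32 hex):blob(hex)
NETNTLMV2_RE = re.compile(
    r"^[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$"
)


def identify_hash(value):
    """Return a list of (label, hashcat_mode) candidates for one hash string."""
    h = value.strip()
    for prefix, label, mode in PREFIX_RULES:
        if h.startswith(prefix):
            return [(label, mode)]
    if NETNTLMV2_RE.match(h):
        return [("NetNTLMv2", 5600)]
    if HEX_RE.match(h):
        return list(HEX_LENGTH_RULES.get(len(h), []))
    return []


def hashcat_modes(value):
    """Only the usable -m values, in preference order (empty if none apply)."""
    return [mode for _, mode in identify_hash(value) if mode is not None]


if __name__ == "__main__":
    samples = [
        "5f4dcc3b5aa765d61d8327deb882cf99",                       # MD5 sample from the page
        "$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",  # bcrypt sample from the page
        "$6$saltsalt$" + "A" * 86,                                # constructed SHA-512crypt shape
        "alice::CORP:1122334455667788:" + "ab" * 16 + ":0101000000000000",  # constructed NetNTLMv2 shape
        "$y$j9T$abc$def",                                         # constructed yescrypt shape
        "not-a-hash",
    ]
    for s in samples:
        print(f"{s[:40]:<42} -> {identify_hash(s) or 'unknown'}")
```

The ambiguity it preserves is the important part: a 32-hex string gets two candidates on purpose, because picking MD5 for an NTLM dump (or the reverse) is exactly the mistake the page warns wastes hours.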
Hashcat Attack Modes
Hashcat supports six attack modes. Understanding when to use each is the difference between cracking in minutes and cracking never:
Mode 0: Straight (Dictionary)
# Try every word in a wordlist directly
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
# With rules (mutates each word: capitalize, append numbers, etc.)
hashcat -m 1000 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Multiple rule files
hashcat -m 1000 hashes.txt rockyou.txt -r rules/best64.rule -r rules/toggles5.rule
Mode 1: Combination
# Concatenates every word from list1 with every word from list2
hashcat -m 1000 -a 1 hashes.txt wordlist1.txt wordlist2.txt
# "password" + "123" = "password123"
# Useful for corporate password patterns
Mode 3: Brute-Force (Mask)
# 8-char pattern: one uppercase, five lowercase, two digits (-a 3 selects mask mode)
hashcat -m 1000 hashes.txt -a 3 ?u?l?l?l?l?l?d?d
# Mask characters:
# ?u = uppercase (A-Z)
# ?l = lowercase (a-z)
# ?d = digit (0-9)
# ?s = special (!@#...)
# ?a = all printable
# ?b = all bytes (0x00-0xFF)
# Common corporate password pattern: Capital + 6 lower + 2 digits
hashcat -m 1000 hashes.txt -a 3 ?u?l?l?l?l?l?l?d?d
Mode 6: Hybrid (Wordlist + Mask)
# Wordlist word + suffix mask: "password!1", "dragon2025"
hashcat -m 1000 hashes.txt -a 6 rockyou.txt ?d?d?d?d
# Mode 7: Prefix mask + Wordlist
hashcat -m 1000 hashes.txt -a 7 ?d?d?d?d rockyou.txt
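What separates "minutes" from "never" in the mask section is plain arithmetic: the keyspace is the product of the per-position charset sizes, and the time to exhaust it is that product divided by the rate for the hash type. The block below is an added example, not code from the original guide or from hashcat; it computes the keyspace of any hashcat-style mask (built-in charsets plus literal characters, `??` for a literal question mark) and the worst-case time at the rough rates the page quotes in its GPU vs CPU section. Those rates are the page's order-of-magnitude figures, not benchmarks; treating NTLM as cracking at MD5-like speed is an assumption made here.

```python
# Added example (not from the original guide): keyspace and exhaust-time
# arithmetic for hashcat masks. Charset sizes follow hashcat's built-in sets;
# RATES are the rough figures quoted in the page's GPU vs CPU section.
# Treating NTLM as comparable to MD5 in speed is an assumption of this example.

CHARSET_SIZE = {
    "?u": 26,   # A-Z
    "?l": 26,   # a-z
    "?d": 10,   # 0-9
    "?s": 33,   # hashcat's printable specials set
    "?a": 95,   # all printable ASCII (?l?u?d?s)
    "?b": 256,  # all byte values 0x00-0xFF
}

# Candidates per second, as quoted on the page (order-of-magnitude only).
RATES = {
    "MD5/NTLM on GPU": 50e9,
    "MD5/NTLM on CPU": 500e6,
    "bcrypt on GPU": 20e3,
    "bcrypt on CPU": 2e3,
}


def mask_keyspace(mask):
    """Number of candidates a mask expands to. Literal characters count as one
    option each; '??' is a literal question mark, as in hashcat."""
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1            # literal character, one option
            continue
        token = mask[i:i + 2]
        if token == "??":
            pass              # literal '?'
        elif token in CHARSET_SIZE:
            total *= CHARSET_SIZE[token]
        else:
            raise ValueError(f"unknown or dangling charset token {token!r} in {mask!r}")
        i += 2
    return total


def seconds_to_exhaust(mask, rate_per_second):
    """Worst-case time to try every candidate of the mask at the given rate."""
    return mask_keyspace(mask) / rate_per_second


def human_duration(seconds):
    """Render seconds using the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("h", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} s"


if __name__ == "__main__":
    for mask in ("?u?l?l?l?l?l?d?d", "?u?l?l?l?l?l?l?d?d", "?a?a?a?a?a?a?a?a"):
        print(f"{mask}: {mask_keyspace(mask):,} candidates")
        for label, rate in RATES.items():
            print(f"  {label:<18} {human_duration(seconds_to_exhaust(mask, rate))}")
```

Running it makes the page's bcrypt remark concrete: the "corporate pattern" mask falls in under a second against an NTLM dump but takes weeks against bcrypt at the quoted rate, which is the argument for slow hashes and for password policies that do not reduce to one predictable mask.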
Critical Hash Modes for Pentesters
# NTLM (Windows local accounts, pass-the-hash source)
hashcat -m 1000 ntlm_hashes.txt rockyou.txt
# NetNTLMv2 (captured with Responder over the network)
hashcat -m 5600 netntlmv2.txt rockyou.txt -r rules/best64.rule
# Kerberoast (TGS tickets from Active Directory)
hashcat -m 13100 kerberoast_hashes.txt rockyou.txt -r rules/d3ad0ne.rule
# AS-REP Roasting (accounts with PreAuth disabled)
hashcat -m 18200 asrep_hashes.txt rockyou.txt
# bcrypt (web app hashes — very slow, use targeted wordlists)
hashcat -m 3200 bcrypt_hashes.txt targeted_passwords.txt
# SHA-512crypt (Linux /etc/shadow)
hashcat -m 1800 shadow_hashes.txt rockyou.txt
# MD5crypt (older Linux systems)
hashcat -m 500 md5crypt_hashes.txt rockyou.txt
# WPA2 (wireless assessment). Mode 22000 takes .hc22000 files produced by hcxpcapngtool, not the older .hccapx format of mode 2500
hashcat -m 22000 capture.hc22000 rockyou.txt
John the Ripper
John excels at automatic format detection and cracking /etc/shadow and various application formats:
# Auto-detect format and crack
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
# Specify format explicitly
john --format=NT hashes.txt --wordlist=rockyou.txt
john --format=sha512crypt shadow.txt --wordlist=rockyou.txt
# List supported formats
john --list=formats | grep -i bcrypt
# Resume interrupted session
john --restore
# Show cracked passwords
john --show hashes.txt
# Generate rules-based wordlist with John's mangling
john --wordlist=rockyou.txt --rules --stdout > mangled.txt
Wordlists and Rules Strategy
# Essential wordlists (in order of usefulness):
# 1. rockyou.txt (14M passwords — always first)
# 2. SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt
# 3. HashesOrg database dumps (domain-specific)
# 4. CrackStation wordlist (1.5B words)
# Essential rule files:
# best64.rule — 64 common mutations (fastest)
# d3ad0ne.rule — 34K rules (comprehensive)
# dive.rule — 99K rules (extreme, slow)
# OneRuleToRuleThemAll.rule — community favorite
# Build targeted wordlists with CUPP (Common User Passwords Profiler)
python3 cupp.py -i # interactive mode, asks about the target
# Or with cewl (website scraper):
cewl https://target.com -d 3 -m 6 -w custom_wordlist.txt
GPU vs CPU and Performance Tuning
# Check GPU is being used
hashcat -I # shows detected OpenCL devices
# GPU cracking is orders of magnitude faster:
# MD5: ~50 billion/sec (GPU) vs 500M/sec (CPU)
# bcrypt: ~20K/sec (GPU) vs 2K/sec (CPU)
# Performance flags
hashcat -m 1000 hashes.txt rockyou.txt -w 3 # workload profile: 1=low, 4=nightmare
--opencl-device-types 2 # GPU only
--gpu-temp-abort 90 # abort if GPU hits 90°C
# For bcrypt and other slow hashes the GPU speed-up over CPU is far smaller than for fast hashes, so CPU-only runs are sometimes used.
# -D 1 selects CPU devices; --force only suppresses driver/device warnings and does not itself choose a device
hashcat -m 3200 hashes.txt rockyou.txt --force -D 1
Use the Hash Cracking Tool to identify your hash type and generate the correct Hashcat command instantly. When cracking Active Directory Kerberoast or AS-REP hashes, the Active Directory Generator produces the full attack chain from ticket extraction to cracking.
Custom Rule Creation
# Hashcat rule syntax
# l = lowercase all
# u = uppercase all
# c = capitalize first letter
# $X = append character X
# ^X = prepend character X
# sXY = substitute character X with Y
# Example: "password" -> "P@ssw0rd!"
# Rule: c sa@ so0 $!
# c (capitalize first letter, lowercase the rest): Password
# sa@ (replace every a with @): P@ssword
# so0 (replace every o with 0): P@ssw0rd
# $! (append !): P@ssw0rd!
# Save to myrule.rule:
c sa@ so0 $!
hashcat -m 1000 hashes.txt rockyou.txt -r myrule.rule
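Reading a rule and predicting its output by hand is error-prone; a substitution like `s4@` silently does nothing to a word that contains no `4`. The block below is an added example, not the guide's own code and not hashcat's parser: a reference interpreter for exactly the six functions listed above (plus hashcat's `:` no-op), so you can dry-run a rule line against a word and see the candidates it actually yields before spending GPU time. It assumes space-separated functions as in the example rule; hashcat's real parser accepts many more functions and spacing variants, which are out of scope here.

```python
# Added example (not from the original guide, not hashcat's own parser): a
# reference interpreter for the rule functions described above. Functions are
# taken space-separated, so a function whose argument is a space (e.g. "$ ")
# is not representable here; hashcat itself handles that case.


def apply_rule(rule, word):
    """Apply one rule line (space-separated functions) to a single word."""
    for func in rule.split():
        op, arg = func[0], func[1:]
        if func == ":":                       # no-op: pass the word through unchanged
            pass
        elif func == "l":                     # lowercase all
            word = word.lower()
        elif func == "u":                     # uppercase all
            word = word.upper()
        elif func == "c":                     # capitalize first letter, lowercase the rest
            word = word[:1].upper() + word[1:].lower()
        elif op == "$" and len(arg) == 1:     # append character
            word = word + arg
        elif op == "^" and len(arg) == 1:     # prepend character
            word = arg + word
        elif op == "s" and len(arg) == 2:     # replace every X with Y
            word = word.replace(arg[0], arg[1])
        else:
            raise ValueError(f"unsupported rule function {func!r}")
    return word


def expand_wordlist(rules_text, words):
    """Apply every rule line to every word, as hashcat -r does. Blank lines and
    '#' comment lines in the rule text are skipped; duplicates are dropped while
    preserving first-seen order."""
    rule_lines = [
        line.strip() for line in rules_text.splitlines()
        if line.strip() and not line.strip().startswith("#")
    ]
    seen, out = set(), []
    for word in words:
        for rule in rule_lines:
            candidate = apply_rule(rule, word)
            if candidate not in seen:
                seen.add(candidate)
                out.append(candidate)
    return out


if __name__ == "__main__":
    # Constructed rule file and wordlist for the demo.
    demo_rules = "# leet-style mangling\n:\nc $1\nc sa@ so0 $!\n"
    for candidate in expand_wordlist(demo_rules, ["password", "Password"]):
        print(candidate)
```

For the real thing, `hashcat --stdout -r myrule.rule wordlist.txt` performs the same dry run with hashcat's own parser. The same interpreter is what a password-policy filter applies in reverse: if a proposed password is reachable from a dictionary word through a handful of these mutations, it is a dictionary word in disguise.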