Identify and crack password hashes with hashcat and John the Ripper — hash identification, attack modes, rules, masks, and wordlist strategy for authorized engagements.
Before cracking, determine the algorithm — the mode flag is everything. Look at length, character set, and prefixes ($2b$ = bcrypt, $6$ = sha512crypt, $krb5tgs$ = Kerberoast). Use the Hash Identifier to get the matching hashcat -m / john format.
hashid -m '5f4dcc3b5aa765d61d8327deb882cf99'
hashcat --identify hashes.txt
Straight wordlist (-a 0) is the default and most productive. Combinator (-a 1), brute-force/mask (-a 3), and hybrid (-a 6/7) cover the rest. Start with a good wordlist before burning GPU cycles on masks.
hashcat -m 0 -a 0 hashes.txt rockyou.txt
hashcat -m 1000 -a 0 ntlm.txt rockyou.txt # NTLM
Rules mutate each candidate (append digits, capitalize, leetspeak). best64 and OneRuleToRuleThemAll dramatically expand coverage from a base wordlist without a bigger file.
hashcat -m 0 -a 0 hashes.txt rockyou.txt -r rules/best64.rule
john --wordlist=rockyou.txt --rules=Jumbo hashes.txt
When you know the structure (e.g. 8 chars ending in 4 digits), a mask is far faster than blind brute force. ?l lower, ?u upper, ?d digit, ?s symbol, ?a all.
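hashcat -m 0 -a 3 hashes.txt '?u?l?l?l?l?d?d?d?d' # 1 upper, 4 lower, 4 digits
hashcat -m 0 -a 3 hashes.txt -1 '?l?d' '?1?1?1?1?1?1' # custom charset 1 = lower + digit; quoted so the shell does not glob the ?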
Tickets harvested from Active Directory crack offline. Kerberoast TGS-REP is mode 13100; AS-REP is 18200. Feed the harvested $krb5tgs$ / $krb5asrep$ strings straight in.
hashcat -m 13100 -a 0 kerberoast.txt rockyou.txt -r rules/best64.rule
hashcat -m 18200 -a 0 asrep.txt rockyou.txt
Show cracked passwords with --show, quantify weak-password prevalence, and report patterns (season+year, company name) plus remediation: long passphrases, banned-password lists, and slow hashes (bcrypt/argon2) over fast ones (MD5/NTLM).
hashcat -m 0 hashes.txt --show
john --show hashes.txt
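The reporting step above, sketched as an added example (not part of the original page): it turns `--show` output into aggregate pattern counts for the findings report without reproducing any plaintext. It assumes unsalted `hash:plain` lines (such as modes 0 and 1000); the organisation name "acme", the 12-character length threshold, and all sample lines are constructed for illustration.

```python
import re
from collections import Counter

SEASON_YEAR = re.compile(r"(spring|summer|autumn|fall|winter)\W*(19|20)?\d{2}", re.I)
WORD_DIGITS = re.compile(r"^[A-Za-z]+\d{1,4}\W?$")
HEX_PLAIN = re.compile(r"^\$HEX\[([0-9a-fA-F]*)\]$")

def parse_show(text):
    """Yield plaintexts from unsalted `hash:plain` lines (split on first colon)."""
    for line in text.splitlines():
        digest, sep, plain = line.partition(":")
        if not sep or not digest:
            continue  # blank or malformed line
        m = HEX_PLAIN.match(plain)
        if m:  # hashcat hex-encodes plaintexts it cannot print safely
            plain = bytes.fromhex(m.group(1)).decode("utf-8", "replace")
        yield plain

def summarize(show_text, total_hashes, company, min_len=12):
    """Aggregate pattern counts only; plaintexts never appear in the result."""
    patterns, cracked = Counter(), 0
    for plain in parse_show(show_text):
        cracked += 1
        if SEASON_YEAR.search(plain):
            patterns["season_year"] += 1
        if company.lower() in plain.lower():
            patterns["company_name"] += 1
        if WORD_DIGITS.match(plain):
            patterns["word_plus_digits"] += 1
        if len(plain) < min_len:
            patterns["shorter_than_min_len"] += 1
    pct = round(100 * cracked / total_hashes, 1) if total_hashes else 0.0
    return {"cracked": cracked, "cracked_pct": pct, "patterns": dict(patterns)}

# Constructed sample: placeholder digests, invented plaintexts, "acme" as the org name.
SAMPLE = "\n".join([
    "00000000000000000000000000000001:Summer2023",
    "00000000000000000000000000000002:Acme123!",
    "00000000000000000000000000000003:winter19",
    "00000000000000000000000000000004:$HEX[70613a7373]",  # decodes to "pa:ss"
    "00000000000000000000000000000005:correct horse battery staple",
])

if __name__ == "__main__":
    print(summarize(SAMPLE, total_hashes=20, company="acme"))
```

Pass the total number of hashes in scope as `total_hashes` so the cracked percentage reflects prevalence across all accounts, not just the cracked ones.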