Cracking Passwords with John the Ripper and Hashcat
Red Teaming

Jan 2, 2025
AlphaSploit Team

Introduction

Password cracking is a core skill in penetration testing and security assessments: a recovered plaintext proves impact, unlocks lateral movement, and shows which password policies actually hold up. This guide covers the two standard tools, John the Ripper and Hashcat, from basic wordlist attacks through rules, masks and GPU tuning.

Understanding Password Hashing

Before diving into cracking, it's essential to understand how passwords are stored. Systems keep a hash of the password rather than the password itself, and a cracker simply hashes candidates and compares. What decides how fast that goes is not the cryptographic strength of the algorithm but how cheap one guess is, and whether a per-user salt forces every hash to be attacked separately:

  • MD5: 128-bit, one cheap operation per guess and usually unsalted; a modern GPU tests billions of candidates per second
  • SHA-1: deprecated as a cryptographic hash (practical collisions), and no better than MD5 for password storage
  • SHA-256/512: cryptographically sound, but still fast general-purpose hashes; unsalted and uniterated they fall to the same dictionary and mask attacks, only somewhat slower per guess
  • bcrypt/scrypt (likewise Argon2 and PBKDF2): purpose-built password hashes with a per-user salt and a tunable work factor, so each guess costs thousands of times more and a cracked hash tells you about one account only
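To see why the algorithm matters, here is an added Python illustration; it is not code from this article, from John or from Hashcat. It hashes a constructed pair of users who share a password with unsalted MD5 and with salted PBKDF2, and measures how many guesses per second each allows on the CPU. The usernames, passwords and wordlist are made up for the example.

```python
import hashlib
import os
import time

# Constructed sample data: two users who chose the same password, and a
# tiny wordlist. None of it comes from the article.
USERS = {"alice": "Summer2024", "bob": "Summer2024"}
WORDLIST = ["123456", "password", "summer", "Summer2024", "letmein"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 as many legacy web apps store it (hashcat -m 0, john raw-md5)."""
    return hashlib.md5(password.encode()).hexdigest()


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 (hashcat -m 1400): cryptographically sound, but still
    one cheap operation per guess."""
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated KDF: every guess costs `iterations` HMAC evaluations,
    and a different salt per user means each hash is attacked on its own."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def candidates_per_second(hash_fn, words, min_seconds: float = 0.05) -> float:
    """Guesses per second that hash_fn sustains on this CPU. Loops over the
    wordlist until min_seconds have elapsed so fast hashes get a fair sample."""
    count = 0
    start = time.perf_counter()
    while True:
        for w in words:
            hash_fn(w)
            count += 1
        elapsed = time.perf_counter() - start
        if elapsed >= min_seconds:
            return count / elapsed


def compare_storage(users):
    """Hash the sample users both ways. Unsalted: identical passwords give
    identical digests, so one crack reveals every user sharing it. Salted:
    the same password yields a different string per user."""
    unsalted = {user: md5_hex(pw) for user, pw in users.items()}
    salted = {}
    for user, pw in users.items():
        salt = os.urandom(16)  # per-user random salt, stored next to the hash
        salted[user] = salt.hex() + "$" + pbkdf2_hex(pw, salt)
    return unsalted, salted


def speed_ratio(words) -> float:
    """How many times more guesses per second MD5 allows than PBKDF2."""
    fast = candidates_per_second(md5_hex, words)
    slow = candidates_per_second(lambda w: pbkdf2_hex(w, b"fixed-salt"), words,
                                 min_seconds=0.2)
    return fast / slow


if __name__ == "__main__":
    unsalted, salted = compare_storage(USERS)
    print("unsalted MD5:", unsalted)
    print("salted PBKDF2:", salted)
    print(f"MD5 guesses are roughly {speed_ratio(WORDLIST):,.0f}x faster than PBKDF2 guesses")
```

Run it and the unsalted column shows alice and bob with the same digest, so cracking one account cracks both; the PBKDF2 column differs per user and the guess rate drops by several orders of magnitude. Hashcat's GPU figures are far larger in absolute terms, but the ratio between the two columns is what decides whether a mask attack against a given hash type is feasible.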

John the Ripper

John the Ripper is a fast password cracker that supports numerous hash types and attack modes.

Basic Usage

# Simple wordlist attack
john --wordlist=rockyou.txt hashes.txt

# Show cracked passwords
john --show hashes.txt

# Force a specific format (John autodetects and warns when several formats match the same hash shape; --list=formats shows the names)
john --format=raw-md5 --wordlist=rockyou.txt hashes.txt

Advanced Techniques

# Incremental mode (brute force over a character set, ordered by character frequency; runs until stopped or the length limit is reached)
john --incremental hashes.txt

# Rule-based attack (uses the default [List.Rules:Wordlist] section of john.conf)
john --wordlist=rockyou.txt --rules hashes.txt

# Custom rules: "custom" names a [List.Rules:custom] section you add to john.conf
john --wordlist=wordlist.txt --rules=custom hashes.txt

Hashcat

Hashcat is a GPU-accelerated password recovery tool. On fast hashes such as MD5 and NTLM a single modern GPU tests tens of billions of candidates per second, which is what makes large mask and rule attacks practical.

Hash Types

Identify the hash type before you start. hashid or hash-identifier give a first guess from the shape of the hash, and hashcat --example-hashes prints one sample per mode number so you can match the exact format. A bare 32-hex-character string can be MD5, NTLM or several others, so let the source (web app database, SAM, /etc/shadow) decide where the tools cannot:

# MD5
hashcat -m 0 -a 0 hash.txt wordlist.txt

# SHA-256
hashcat -m 1400 -a 0 hash.txt wordlist.txt

# NTLM
hashcat -m 1000 -a 0 hash.txt wordlist.txt

Attack Modes

Dictionary Attack (-a 0)

hashcat -m 0 -a 0 hash.txt rockyou.txt

Combination Attack (-a 1)

hashcat -m 0 -a 1 hash.txt wordlist1.txt wordlist2.txt

Brute-Force Attack (-a 3)

Masks use one placeholder per position: ?l lowercase, ?u uppercase, ?d digit, ?s special, ?a all printable ASCII. Work out the keyspace before you start; eight lowercase characters is 26^8 (about 2.1e11) candidates, cheap for MD5 but hopeless for bcrypt. Add --increment to try every length up to the mask length.

# 8 character lowercase
hashcat -m 0 -a 3 hash.txt ?l?l?l?l?l?l?l?l

# Mixed mask: one capital, four lowercase, three digits (the classic "Summer123" shape)
hashcat -m 0 -a 3 hash.txt ?u?l?l?l?l?d?d?d

Hybrid Attack (-a 6/-a 7)

# Wordlist + mask (each word followed by three digits: password123)
hashcat -m 0 -a 6 hash.txt wordlist.txt ?d?d?d

# Mask + wordlist (three digits in front of each word: 123password)
hashcat -m 0 -a 7 hash.txt ?d?d?d wordlist.txt

Rule-Based Attacks

Rules transform wordlist entries to generate password candidates:

# Use built-in rules
hashcat -m 0 -a 0 hash.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule

# Common rule transformations, in hashcat rule syntax (one rule per line of a .rule file)
# c            capitalize the first letter, lowercase the rest
# $1$2$3       append "123"
# sa4se3so0    replace letters with numbers (l33t speak)
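The attack modes above and the rule transformations just listed both come down to candidate generation followed by hash-and-compare. The following added Python example (not from the article and not hashcat's own code) implements a toy version of that loop against a constructed set of unsalted MD5 targets: a subset of hashcat's rule syntax (:, l, u, c, $X, ^X, sXY) for -a 0 -r, and a mask expander with keyspace calculation for -a 3. The wordlist, rules and target passwords are made up for the demonstration.

```python
import hashlib
import itertools

# hashcat's built-in mask charsets (?a, all printable ASCII, left out for brevity)
MASK_CHARSETS = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}

# Constructed sample data: wordlist, rules and three unsalted MD5 targets
# (digests of "Summer2024", "p4ssw0rd", "ab12"). The attack functions only
# ever see the digests in TARGETS.
WORDLIST = ["summer", "password", "letmein", "welcome"]
RULES = [":", "c", "$1", "$1$2$3", "c$2$0$2$4", "sa4se3si1so0"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


TARGETS = {md5_hex(p) for p in ("Summer2024", "p4ssw0rd", "ab12")}


def apply_rule(word: str, rule: str) -> str:
    """Apply one hashcat-style rule line, operators left to right. Subset:
    ':' no-op, 'l' lowercase, 'u' uppercase, 'c' capitalize, '$X' append X,
    '^X' prepend X, 'sXY' replace every X with Y."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op == ":":
            pass
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "$":
            i += 1
            word += rule[i]
        elif op == "^":
            i += 1
            word = rule[i] + word
        elif op == "s":
            word = word.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"unsupported rule op {op!r} in {rule!r}")
        i += 1
    return word


def dictionary_attack(targets, words, rules):
    """hashcat -a 0 -r: hash every (word, rule) candidate, return hash -> plaintext."""
    remaining, cracked = set(targets), {}
    for word in words:
        for rule in rules:
            candidate = apply_rule(word, rule)
            h = md5_hex(candidate)
            if h in remaining:
                cracked[h] = candidate
                remaining.discard(h)
    return cracked


def parse_mask(mask: str):
    """'?u?l?l?d?d' or 'admin?d?d?d' -> per-position charsets. ?x is a
    placeholder, any other character is a literal."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            positions.append(MASK_CHARSETS[mask[i + 1]])
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def mask_keyspace(mask: str) -> int:
    """Number of candidates the mask produces; check it before running -a 3."""
    n = 1
    for charset in parse_mask(mask):
        n *= len(charset)
    return n


def mask_attack(targets, mask: str):
    """hashcat -a 3: walk the whole keyspace of the mask, return hash -> plaintext."""
    remaining, cracked = set(targets), {}
    for combo in itertools.product(*parse_mask(mask)):
        if not remaining:
            break
        candidate = "".join(combo)
        h = md5_hex(candidate)
        if h in remaining:
            cracked[h] = candidate
            remaining.discard(h)
    return cracked


if __name__ == "__main__":
    found = dictionary_attack(TARGETS, WORDLIST, RULES)
    print("dictionary + rules:", found)
    print("keyspace of ?l?l?d?d:", mask_keyspace("?l?l?d?d"))
    print("mask attack on the rest:", mask_attack(TARGETS - set(found), "?l?l?d?d"))
```

The dictionary pass recovers Summer2024 (summer with c$2$0$2$4) and p4ssw0rd (password with the l33t rule) from four words and six rules, while ab12 survives because no rule produces it; the ?l?l?d?d mask then finds it by walking all 67,600 candidates. The keyspace function is the arithmetic you should do before typing a mask into hashcat, since each extra ?a position multiplies the runtime by 95.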

GPU Optimization

# Check available devices
hashcat -I

# Use specific GPU
hashcat -m 0 -a 0 -d 1 hash.txt wordlist.txt

# Workload tuning (-w 1 to 4; 3 is high performance, 4 starves everything else on the box, so reserve it for dedicated cracking hardware)
hashcat -m 0 -a 0 -w 3 hash.txt wordlist.txt

Practical Examples

Cracking Linux Shadow Hashes

# Combine passwd and shadow so John also sees usernames and GECOS data (its single mode builds candidates from them)
unshadow passwd shadow > unshadowed.txt

# Crack with John (it picks the crypt variant from the prefix: $6$ sha512crypt, $1$ md5crypt, $y$ yescrypt)
john --wordlist=rockyou.txt unshadowed.txt

# Crack with Hashcat: it expects only the hash field, or user:hash together with --username; $6$ is sha512crypt (-m 1800), $1$ md5crypt (-m 500)
grep '\$6\$' shadow | cut -d: -f1,2 > sha512.txt
hashcat -m 1800 -a 0 --username sha512.txt rockyou.txt

Check the prefix before choosing a tool: recent Debian and Ubuntu releases default to yescrypt ($y$), which John's jumbo build handles but for which hashcat has no mode.

Cracking Windows NTLM Hashes

# Using Hashcat: the NT hash is field 4 of a pwdump line (user:rid:lmhash:nthash:::), so cut it out or keep user:nthash and pass --username
hashcat -m 1000 -a 0 ntlm.txt rockyou.txt

# Using John: it reads pwdump lines as they are
john --format=NT ntlm.txt --wordlist=rockyou.txt
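Why NTLM cracks so fast: the NT hash is a single MD4 over the UTF-16LE encoding of the password, with no salt and no iterations. The added Python example below (not from the article, John or hashcat) implements MD4 from RFC 1320, derives NT hashes from it, parses a constructed pwdump-style dump and groups accounts that share a hash, which is password reuse you can report before cracking anything. The usernames and RIDs are invented; the NT hashes are the well-known values for "password" and for the empty string.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320): three rounds of 16 steps per 512-bit block. Rotating
    the operands (a, b, c, d) = (d, a, b, c) after every step reproduces the
    ABCD/DABC/CDAB/BCDA pattern of the specification."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"          # padding: 0x80, zeros, 64-bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: words in order
            a = _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: columns of the 4x4 word matrix
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: bit-reversed word order
            a = _rotl((a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def ntlm(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, no salt, no iterations."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed pwdump-style dump (user:rid:lmhash:nthash:::). The LM field is
# the empty-LM marker, the NT hashes are those of "password" and "". Not a real dump.
PWDUMP = """\
alice:1104:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_legacy:1106:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_pwdump(text: str) -> dict:
    """Map user -> NT hash (field 4), the value -m 1000 / --format=NT work on."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4:
            users[parts[0]] = parts[3].lower()
    return users


def shared_hashes(users: dict) -> dict:
    """Group users by identical NT hash. With no salt, identical hashes mean
    identical passwords, so one crack covers the whole group."""
    groups = {}
    for user, h in users.items():
        groups.setdefault(h, []).append(user)
    return {h: names for h, names in groups.items() if len(names) > 1}


def check_candidate(users: dict, candidate: str) -> list:
    """Return every user whose stored NT hash matches one candidate password."""
    h = ntlm(candidate)
    return [u for u, stored in users.items() if stored == h]


if __name__ == "__main__":
    users = parse_pwdump(PWDUMP)
    print("password reuse groups:", shared_hashes(users))
    print("users with 'password':", check_candidate(users, "password"))
    print("users with an empty password:", check_candidate(users, ""))
```

Because every step in ntlm() is a handful of 32-bit additions and rotations with no salt, a GPU can run it tens of billions of times per second, and the same candidate hash is compared against every account in the dump at once. The shared_hashes() report is worth producing on any domain dump before cracking starts: accounts sharing a hash share a password, whether or not you ever learn what it is.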

Cracking ZIP/RAR Archives

# Extract hash from ZIP (zip2john and rar2john ship with John's jumbo build)
zip2john protected.zip > zip.hash

# Crack with John
john zip.hash --wordlist=rockyou.txt

# Extract hash from RAR
rar2john protected.rar > rar.hash
john rar.hash --wordlist=rockyou.txt

# The same hashes work in Hashcat once the filename prefix and trailing fields from *2john are stripped; pick the mode by variant: WinZip AES -m 13600, legacy PKZIP -m 17200, RAR3-hp -m 12500, RAR5 -m 13000

Creating Custom Wordlists

# Using CeWL (website spider)
cewl https://target.com -w custom.txt

# Using crunch (pattern generator): @ = lowercase, , = uppercase, % = digit, ^ = symbol; this emits admin plus three lowercase letters (26^3 = 17,576 lines)
crunch 8 8 -t admin@@@ > passwords.txt

# Combine wordlists
cat wordlist1.txt wordlist2.txt | sort -u > combined.txt

Best Practices

  • Start with Dictionary Attacks: most passwords are weak and fall to a wordlist plus rules within minutes; keep masks and brute force for what is left
  • Use Rules: best64 or John's default rules multiply a wordlist's coverage far more cheaply than a bigger wordlist does
  • Monitor Progress: hashcat --status prints periodic status lines (pressing s in an interactive run shows the same), and john --status reports on a saved session
  • Save Sessions: hashcat --session NAME and john --session NAME let you resume an interrupted crack with --restore
  • Benchmark First: hashcat -b -m MODE and john --test report the hash rate, so you can size a job before starting it

Performance Tips

  • Keep wordlists on fast local storage; for slow hashes the disk hardly matters, but a rule-less dictionary run against a fast hash can become I/O bound
  • Enable GPU acceleration when available; for bcrypt, scrypt and other memory-hard hashes the gain over CPU is far smaller than for MD5 or NTLM
  • Use optimized rule sets like best64.rule before the large ones (dive.rule, d3ad0ne.rule) that multiply runtime
  • Antivirus/EDR on the cracking box may quarantine hashcat binaries, OpenCL kernels or hash dumps; exclude the working directory rather than switching protection off
  • Use the potfile (hashcat.potfile, john.pot) to avoid re-cracking known passwords; hashcat --show and john --show print what is already cracked

Legal and Ethical Considerations

Only crack passwords you have explicit permission to test. Unauthorized password cracking is illegal in most jurisdictions. Always:

  • Get written authorization
  • Work within scope of engagement
  • Document all activities
  • Secure recovered credentials
  • Report findings responsibly

Conclusion

Password cracking is a fundamental skill for security professionals. Mastering John the Ripper and Hashcat gives you powerful tools for security assessments. Remember to always use these tools ethically and legally.

Practice on intentionally vulnerable systems like HackTheBox, TryHackMe, or your own lab environment before attempting real-world assessments.

#password cracking#john the ripper#hashcat#bruteforce