Password Cracking
Brute Force & Cracking cheatsheet — Login brute-force, password cracking, and hashcat/john usage.
Overview
Password cracking involves recovering plaintext passwords from their hashed representations using tools like Hashcat and John the Ripper. Successful cracking depends on the quality of the wordlists, rule-based mutation, and an understanding of the target's password policy.
Password cracking is a critical post-exploitation technique for credential recovery and lateral movement.
Key Commands & Payloads
The following Hashcat and John the Ripper commands are commonly used for password cracking:
hashcat -m 1000 -a 0 hashes.txt rockyou.txt
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r rules/best64.rule
hashcat -m 13100 -a 0 kerberoast.txt wordlist.txt
hashcat -m 18200 -a 0 asrep.txt wordlist.txt
hashcat -m 1000 -a 3 hashes.txt ?a?a?a?a?a?a?a?a (brute-force)
hashcat -m 1000 -a 6 hashes.txt wordlist.txt ?d?d?d (hybrid)
john --wordlist=rockyou.txt hashes.txt
john --wordlist=rockyou.txt --rules hashes.txt
john --show cracked.txt
john --incremental hashes.txt
Tools & Techniques
Recommended tools for Password Cracking:
- Hashcat: GPU-accelerated password cracking
- John the Ripper: CPU-based password cracking
- Online databases: hashes.org, crackstation.net
- Wordlists: rockyou.txt, SecLists, Have I Been Pwned
- Rule-based attacks: best64.rule, OneRuleToRuleThemAll
- Mask attacks: brute-force with known password patterns
Prevention & Mitigation
Security recommendations to prevent Password Cracking:
- Enforce strong password policies (length > 12 chars, complexity)
- Use multi-factor authentication (MFA) everywhere
- Use modern hashing algorithms with salt (bcrypt, scrypt, Argon2)
- Implement account lockout after failed attempts
- Use password managers to generate random passwords
- Regularly audit password strength with cracking tools
- Implement passphrases instead of complex passwords
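The password-policy recommendation above can be enforced when a password is set. This is an added example, not part of the original cheatsheet: it rejects passwords that reduce to a blocklisted word once the suffix and substitution mutations used by rule-based and hybrid attacks are undone. The blocklist, the substitution table and the function names are constructed for illustration.

```python
import re

# Constructed sample blocklist; a real deployment would load a
# breached-password list instead.
BLOCKLIST = {"password", "summer", "welcome", "dragon", "letmein"}

# Reverse the character substitutions that cracking rule sets commonly apply.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 13  # the page recommends length > 12 characters


def base_words(password):
    """Return the stems a wordlist, rule or hybrid attack could start from."""
    lowered = password.lower()
    stems = {lowered}
    # Hybrid attack (wordlist + ?d?d?d style mask): drop trailing
    # digits and symbols to recover the underlying word.
    stems.add(re.sub(r"[\d\W_]+$", "", lowered))
    # Rule-style mutation: undo leetspeak on every stem collected so far.
    stems |= {s.translate(LEET) for s in list(stems)}
    return stems


def check_password(password):
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if base_words(password) & BLOCKLIST:
        reasons.append("derived from a blocklisted word")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: the first meets length and complexity
    # rules yet still reduces to a dictionary word.
    for candidate in ("P@ssw0rd2024!", "Summer2024",
                      "correct horse battery staple"):
        print(repr(candidate), check_password(candidate) or "accepted")
```

The check only covers suffix and substitution mutations; prefixes, doubled words and other rules would need their own normalisation steps.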