Password Cracking — Hashcat & John
Offline hash cracking, online brute force, wordlist generation.
After every breach you'll dump hashes; before every engagement you'll spray weak passwords. Cracking and password attacks split into "offline against hashes" (Hashcat / John) and "online against services" (Hydra / Medusa / kerbrute / NetExec). For AD-specific cred attacks see Active Directory Pentesting. For wireless handshake cracking see Wi-Fi Pentesting. For storing stolen creds safely see Secrets Management.
Offline GPU cracking
-
★ ★ Hashcat — the GPU king; supports 350+ hash modes (NTLM, NetNTLMv2, WPA, MD5, SHA-2, bcrypt, scrypt, KeePass, MS Office, PDF, Bitcoin wallet …). Free. Runs on AMD / NVIDIA / Apple Silicon Metal.
- Mode cheatsheet:
1000NTLM,5600NetNTLMv2,13100Kerberos TGS-REP,18200Kerberos AS-REP,22000WPA-PBKDF2-PMKID+EAPOL,1800sha512crypt,7500Kerberos TGS,3200bcrypt,13400KeePass. - Attack modes:
-a 0straight wordlist,-a 3mask,-a 6hybrid wordlist+mask,-a 9association. - Rules:
OneRuleToRuleThemAll.rule,dive.rule,clem9669rules pack.
- Mode cheatsheet:
-
★ John the Ripper (jumbo) — older, still excellent; richer for "mixed format / I just want one binary that handles everything." Better at exotic formats (KeePass2, MS Office, ZIP, RAR, GPG keys). Free.
*2johnhelpers (zip2john,office2john,keepass2john,ssh2john,pdf2john).--rules=Jumbo— built-in mangling.
-
hashcat.launcher / HashTopolis — GUI / distributed cracking front-ends.
-
HashTopolis — distributed Hashcat with web UI; coordinate a GPU farm.
Wordlists worth having
- ★ rockyou.txt — the eternal default; ships with Kali.
- ★ SecLists (danielmiessler) — broad collection: passwords, usernames, fuzzing payloads, web content discovery. Free.
- rockyou2024 / breach-compilation — leaked-corpus mega-lists; multi-GB.
- Probable-Wordlists (berzerk0) — frequency-sorted top-N picks.
- HaveIBeenPwned passwords —
Pwned-Passwords-NTLM-ordered-by-countis excellent NTLM list. - Crackstation HumanPasswords — billions of entries.
- CeWL — scrape a website, build a custom wordlist of words used there.
- Crunch — generate masks (
crunch 8 8 abcdef…0123 -t @@@@@@@@). - Maskprocessor (mp64) — Hashcat's mask generator.
- RSMangler — permute / mangle a base wordlist.
- kwprocessor — keyboard-walk wordlists ("qwerty1!").
- PCFG-cracker / OMEN — probabilistic / Markov-model wordlist generators.
Online password attacks
- Hydra (THC) — universal online brute-forcer (SSH, FTP, HTTP basic / form, RDP, SMB, etc.). Free.
- Medusa — alternative; sometimes faster, fewer protocols.
- Patator — modern Python brute-forcer; nicer scripting.
- NetExec --spray — AD password spray over SMB / WinRM / LDAP / Kerberos. Default for AD work; see Active Directory Pentesting.
- Kerbrute — Kerberos pre-auth user enum + spray.
- trevorspray — modern Python sprayer with proxy / FireProx support.
- MSOLSpray / MSOLSprayer — O365 / Entra ID sprayer.
Cred / hash recovery sources
- Mimikatz / DCSync — extract NT hashes from a DC. See Active Directory.
- Impacket secretsdump — pull hashes remotely.
- lsassy / nanodump — modern lsass dump tooling.
- Shadow Copies /
ntdsutil— offline NTDS.dit handling. - Volatility / MemProcFS — pull creds from memory dumps; see Memory Forensics.
Special-format crackers
- jwt-cracker / jwt_tool — HS256 secret recovery.
- bkcrack — known-plaintext PKZIP; classic ZIP files.
- pdfcrack / pdf2john — PDF passwords.
- bitcracker / hashcat 22100 — BitLocker.
- DPAPI — Mimikatz / impacket-dpapi.
- fcrackzip — old-school zip.
Realistic expectations (2026 GPUs)
- NTLM on a modern RTX 4090: ~300 GH/s. 8-character mixed-case alphanumeric in hours.
- bcrypt cost 12: ~3.5 KH/s on the same card. Practically uncrackable beyond 8-char human passwords.
- Argon2id: even slower; trust it for new applications.
- Modern WPA2 (PBKDF2-SHA1, 4096 iters): ~3 MH/s; long passphrases still hold.
Tips that actually matter
- ★ Crack with rules, not pure wordlists. rockyou + OneRuleToRuleThemAll gets 60–80% of breached corp creds.
- Order: dictionary → rules → mask → hybrid. Don't go straight to brute.
- Pot file management. Keep
--potfile-pathso re-runs don't re-crack. - Don't crack what you don't need. Bcrypt at scale is a waste of GPU hours; pivot.
- Defender side: require length not complexity, ban breached passwords (HIBP API), enforce MFA — see Auth and Bot Protection.
Pick this if…
- Default GPU cracker: Hashcat.
- Maximum format coverage / quirky hashes: John the Ripper jumbo.
- Online brute / spray a service: Hydra, NetExec, kerbrute.
- Custom wordlist from a target site: CeWL.
- AD password spraying: NetExec or trevorspray.
- Distributed cracking farm: HashTopolis.