Tooling

Password Cracking — Hashcat & John

Offline hash cracking, online brute force, wordlist generation.

After every breach you'll dump hashes; before every engagement you'll spray weak passwords. Cracking and password attacks split into "offline against hashes" (Hashcat / John) and "online against services" (Hydra / Medusa / kerbrute / NetExec). For AD-specific cred attacks see Active Directory Pentesting. For wireless handshake cracking see Wi-Fi Pentesting. For storing stolen creds safely see Secrets Management.

Offline GPU cracking

  • ★ ★ Hashcat — the GPU king; supports 350+ hash modes (NTLM, NetNTLMv2, WPA, MD5, SHA-2, bcrypt, scrypt, KeePass, MS Office, PDF, Bitcoin wallet …). Free. Runs on AMD / NVIDIA / Apple Silicon Metal.

    • Mode cheatsheet: 1000 NTLM, 5600 NetNTLMv2, 13100 Kerberos TGS-REP, 18200 Kerberos AS-REP, 22000 WPA-PBKDF2-PMKID+EAPOL, 1800 sha512crypt, 7500 Kerberos TGS, 3200 bcrypt, 13400 KeePass.
    • Attack modes: -a 0 straight wordlist, -a 3 mask, -a 6 hybrid wordlist+mask, -a 9 association.
    • Rules: OneRuleToRuleThemAll.rule, dive.rule, clem9669 rules pack.
  • John the Ripper (jumbo) — older, still excellent; richer for "mixed format / I just want one binary that handles everything." Better at exotic formats (KeePass2, MS Office, ZIP, RAR, GPG keys). Free.

    • *2john helpers (zip2john, office2john, keepass2john, ssh2john, pdf2john).
    • --rules=Jumbo — built-in mangling.
  • hashcat.launcher / HashTopolis — GUI / distributed cracking front-ends.

  • HashTopolis — distributed Hashcat with web UI; coordinate a GPU farm.

Wordlists worth having

  • rockyou.txt — the eternal default; ships with Kali.
  • SecLists (danielmiessler) — broad collection: passwords, usernames, fuzzing payloads, web content discovery. Free.
  • rockyou2024 / breach-compilation — leaked-corpus mega-lists; multi-GB.
  • Probable-Wordlists (berzerk0) — frequency-sorted top-N picks.
  • HaveIBeenPwned passwordsPwned-Passwords-NTLM-ordered-by-count is excellent NTLM list.
  • Crackstation HumanPasswords — billions of entries.
  • CeWL — scrape a website, build a custom wordlist of words used there.
  • Crunch — generate masks (crunch 8 8 abcdef…0123 -t @@@@@@@@).
  • Maskprocessor (mp64) — Hashcat's mask generator.
  • RSMangler — permute / mangle a base wordlist.
  • kwprocessor — keyboard-walk wordlists ("qwerty1!").
  • PCFG-cracker / OMEN — probabilistic / Markov-model wordlist generators.

Online password attacks

  • Hydra (THC) — universal online brute-forcer (SSH, FTP, HTTP basic / form, RDP, SMB, etc.). Free.
  • Medusa — alternative; sometimes faster, fewer protocols.
  • Patator — modern Python brute-forcer; nicer scripting.
  • NetExec --spray — AD password spray over SMB / WinRM / LDAP / Kerberos. Default for AD work; see Active Directory Pentesting.
  • Kerbrute — Kerberos pre-auth user enum + spray.
  • trevorspray — modern Python sprayer with proxy / FireProx support.
  • MSOLSpray / MSOLSprayer — O365 / Entra ID sprayer.

Cred / hash recovery sources

  • Mimikatz / DCSync — extract NT hashes from a DC. See Active Directory.
  • Impacket secretsdump — pull hashes remotely.
  • lsassy / nanodump — modern lsass dump tooling.
  • Shadow Copies / ntdsutil — offline NTDS.dit handling.
  • Volatility / MemProcFS — pull creds from memory dumps; see Memory Forensics.

Special-format crackers

  • jwt-cracker / jwt_tool — HS256 secret recovery.
  • bkcrack — known-plaintext PKZIP; classic ZIP files.
  • pdfcrack / pdf2john — PDF passwords.
  • bitcracker / hashcat 22100 — BitLocker.
  • DPAPI — Mimikatz / impacket-dpapi.
  • fcrackzip — old-school zip.

Realistic expectations (2026 GPUs)

  • NTLM on a modern RTX 4090: ~300 GH/s. 8-character mixed-case alphanumeric in hours.
  • bcrypt cost 12: ~3.5 KH/s on the same card. Practically uncrackable beyond 8-char human passwords.
  • Argon2id: even slower; trust it for new applications.
  • Modern WPA2 (PBKDF2-SHA1, 4096 iters): ~3 MH/s; long passphrases still hold.

Tips that actually matter

  • Crack with rules, not pure wordlists. rockyou + OneRuleToRuleThemAll gets 60–80% of breached corp creds.
  • Order: dictionary → rules → mask → hybrid. Don't go straight to brute.
  • Pot file management. Keep --potfile-path so re-runs don't re-crack.
  • Don't crack what you don't need. Bcrypt at scale is a waste of GPU hours; pivot.
  • Defender side: require length not complexity, ban breached passwords (HIBP API), enforce MFA — see Auth and Bot Protection.

Pick this if…

  • Default GPU cracker: Hashcat.
  • Maximum format coverage / quirky hashes: John the Ripper jumbo.
  • Online brute / spray a service: Hydra, NetExec, kerbrute.
  • Custom wordlist from a target site: CeWL.
  • AD password spraying: NetExec or trevorspray.
  • Distributed cracking farm: HashTopolis.

On this page