HASH CRACK Password Cracking Manual

Share this…

wrote-password-cracking-manual. Password cracking has always been this niche activity during a routine pentest. You collect some hashes, fire up John The Ripper or Hashcat, and use default settings with rules and some lame dictionary you pulled off the internet and hit <enter>. You recover a fair amount of the passwords but fail to make any real breakthroughs. After digging through forums and blog posts looking for tool usage, password analysis, and examples you apply some new trick only to forget it by the next pentest. After falling victim to this vicious cycle I decided to write a password cracking manual, HASH CRACK.

hash crack password cracking manual

Inspired by the Red Team Field Manual (RTFM) and its concise format, I set about researching and compiling the most common tools and their usage. Broken into sections to help the beginner and advanced security professional assist in their usage and understanding of the hash cracking process. Stripped of all the fluff and cuts right to the point with a simple sentence or two about each command and corresponding example usage.

The core tools covered in this manual are John The Ripper (JTR) and Hashcat since they are both absolutely amazing software with a robust community. So a convenient cheat sheet for each tool is included towards the front of the manual for easy reference.

Cracking cheat sheets hashcrack

Also included is a chapter called “Common Hash Examples” which lists the 25 most frequent hash types encountered during a pentest with examples in Hashcat and JTR. No nonsense and straight to the point to aid a security professional on the spot.

common hash types hashcrack

Chapter Topics Covered

Required Software

Core Hash Cracking Knowledge

Cracking Methodology

Cheat Sheets

-John The Ripper


Extract Hashes

-System Hash Extraction (Windows, *Nix, and Mac)

-PCAP Hash Extraction

-Database Hash Extraction

-Misc Hash Extraction (Documents, browser, etc…)

Common Hash Examples

-MD5, NTLM, NTLMv2, LM, MD5crypt, SHA1, SHA256, bcrypt, PDF 1.4 – 1.6 (Acrobat 5-8), Microsoft OFFICE 2013, RAR3-HP, Winzip, 7zip, Bitcoin/Litecoin, MAC OSX v10.5-v10.6, MySQL 4.1-5+, Postgres, MSSQL(2012)-MSSQL(2014), Oracle 11g, Cisco TYPE 4 5 8 9, WPA PSK / WPA2 PSK

Password Analysis

Dictionary / Wordlist

-Online resources

-Wordlist creation

Rules & Masks

Foreign Character Sets

-(UTF8) Arabic, Bengali, Chinese, Japanese, Russian

-Hashcat and JTR built-in charsets


-PRINCE attack





-Online Resources

-John The Ripper Menu

-Hashcat Menu

-Hash Cracking Benchmarks (table)

-Hash Cracking Speed (table)

mask cheat sheet hashcrack
foreign character hashcrack

A few of the tools/resources covered in the HASH CRACK manual are Hashcat, John The RIpper, PACK (Password Analysis and Cracking Kit), PIPAL, PassPat, Creddump, Mimkatz, Pcredz, Aircrack-ng, Weakpass, Crackstation, and more. Updates and additions to the manual are planned for future chapters and sections based on customer feedback and geared towards assisting the network security professional.

Give Back To The Cracking Community

I highly encourage you DONATE to the dedicated contributing members of the cracking community and in that same vein a portion of the proceeds from the sale of this manual will be given to the various projects and researchers. So in the future when you see a donate button, click and give what you can.

Lastly, if you are a developer of one of the tools or online resources covered in the manual reach out to me on twitter @netmux and I’ll mail you a free copy. Because without you and your contributions to the community we would be stuck hacking together some pathetic piece of code, praying to eek out 100 c/s against MD4.