
Password Cracking

Hashcat for the Win

Cracking Passwords

This workshop utilizes knowledge about Linux, Windows and computer hardware. Participants will need a system they have administrative control over to install and run various software and virtual machines in order to learn how to effectively crack Windows passwords.

Go to Part 2

Cracking Terminology

The Old Ways: Rainbowtables


Rainbow tables such as Project Rainbowcrack and Free Rainbow Tables require terabytes of fast storage to read from. They are useless against salted passwords, because every salt value would need its own table. A table is also specific to one hash type, character set and length range, so new tables have to be generated for every hash type you meet. They are slow to generate and cannot meet the demands of modern password cracking, where being dynamic, agile, flexible and scalable is key. NTLM is unsalted, so tables for it do exist, but a GPU computes NTLM so quickly that the lookup buys very little over just hashing candidates. Rainbow tables are static and rigid; to this end, they are mentioned here only as a history lesson, and nothing more.

Hashcat Overview

Hashcat is a powerful GPU-accelerated password cracker (it also runs on CPUs, just more slowly). It is free, open source and available on most operating systems. It is agile, scalable and actively maintained. The Hashcat Wiki is highly recommended to keep open as a reference for this workshop.

You should install the latest version of hashcat on your system or virtual machine.

For full GPU performance, make sure your video driver is also up to date, since hashcat uses the compute runtime (OpenCL, CUDA or similar) that ships with the driver. Hashcat can attack a large number of hash types (see the hash modes list in the wiki); each type is selected by its mode number. For this workshop, we will focus on NTLM, which is hash mode 1000.

How NTLM Works

NTLM follows a very basic process: the password is encoded as UTF-16LE and hashed once with MD4. There is no salt and no iteration, so the same password always produces the same 16-byte (32 hex character) hash on every machine, and a modern GPU can test billions of candidates per second against it.

This process can be seen in action on CyberChef (encode the password as UTF-16LE, then apply MD4). The value CyberChef produces is exactly what Mimikatz pulls from a Windows 11 computer for an account using that password.
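To make the process concrete, here is an added example written for this page (it is not part of the workshop, of hashcat or of Mimikatz). It builds an NTLM hash from scratch in Python, with MD4 written out per RFC 1320 over the UTF-16LE password and checked against the well-known value for "password", and then runs the simplest form of the straight wordlist attack used in the labs below. The wordlist is a constructed stand-in for the first lines of 2020-200_most_used_passwords.txt.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data):
    """MD4 digest per RFC 1320, written out so the three rounds are visible.
    (hashlib's 'md4' depends on an OpenSSL legacy provider, so it is not relied on here.)"""
    msg = bytearray(data) + b"\x80"           # padding: 0x80, then zeros ...
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)   # ... then the bit length, little-endian

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0x00000000),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                aa = _rotl((aa + fn(bb, cc, dd) + x[idx] + k) & MASK32, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc   # rotate registers: the next step updates the old D
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def ntlm(password):
    """NTLM hash: MD4 over the UTF-16LE encoding of the password. No salt, no iterations."""
    return md4(password.encode("utf-16le")).hex()


def crack_ntlm(targets, wordlist):
    """Straight attack (hashcat -a 0): hash each candidate once and look it up against every
    target at the same time. Because NTLM is unsalted, 10,000 targets cost no more than one."""
    wanted = {t.lower() for t in targets}
    found = {}
    for line in wordlist:
        word = line.rstrip("\r\n")
        digest = ntlm(word)
        if digest in wanted and digest not in found:
            found[digest] = word
            if len(found) == len(wanted):
                break
    return found


# Constructed stand-in for the first few lines of 2020-200_most_used_passwords.txt.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "monkey", "dragon"]

if __name__ == "__main__":
    assert ntlm("password") == "8846f7eaee8fb117ad06bdd830b7586c"   # well-known NTLM test value
    targets = [ntlm("monkey"), ntlm("dragon"), ntlm("not-in-list")]
    for digest, plain in crack_ntlm(targets, SAMPLE_WORDLIST).items():
        print(digest + ":" + plain)   # same hash:plain layout hashcat prints and stores in its potfile
```

Everything hashcat adds on top of this loop is about generating better candidates faster (rules, masks, PRINCE) and doing the MD4 on a GPU; the hash itself offers no resistance.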

Cracking Passwords

For this lab, please download 2020-200_most_used_passwords.txt from this link.

This is the basic layout of how we will use hashcat from the command line. Most of the command is the same regardless of OS: the hash mode, the attack mode, the file containing the hash and the wordlist. Crack the following password using that example command:

Hash 1

Submit your answer

When you successfully crack a password, you will notice a couple of things: hashcat prints the hash and the recovered plaintext separated by a colon, the status line changes to Cracked, and the result is written to the potfile, so running the same hash again later will not crack it a second time but simply report it from the potfile.

Hash 2

Submit your answer

Hash 3

Submit your answer

Adding Variables

Wordlists can only take you so far, since a text file cannot account for the mutations people apply to a base word. Hashcat can add characters that do not exist in the wordlist (this workshop calls them variables) to help find the hash.

The following hash has one extra digit at the end. Use variables to solve:

Hash 4

Submit your answer

The following hash has four extra characters at the end. Use variables to solve:

Hash 5

Submit your answer

Cracking hash 5 may produce an odd answer that is not human readable: when a plaintext contains characters hashcat cannot print safely, it shows the bytes in hexadecimal wrapped as $HEX[...]. You will need to convert the hexadecimal result to see what the password is.

Take the hex string from inside the brackets and convert it in CyberChef with the From Hex operation.

The following hash has four extra characters at the beginning. Use variables to solve:

Hash 6

Submit your answer

Useful Links


Rule-based Attack

As written in the wiki, this is a complicated attack mode with a wide variety of modifications, making it flexible, accurate and efficient. A rule is a line of one or more functions that hashcat applies to every word in the wordlist before hashing it. A simple rule is "$1", which appends a digit and turns password into password1. The wiki lists the full set of rule functions with examples.

Generating Rules with maskprocessor

Download and compile (or extract a release of) maskprocessor from GitHub.


With the software ready for use, run the following command that will make a 3 digit rule file:

./mp64.bin -o append_3_digits.rule '$?d $?d $?d'

This rule file contains one rule for every combination, from $0 $0 $0 through $9 $9 $9, so every word in the wordlist is tried with each of the 1000 possible three-digit suffixes. Combine the rule file we just created with the wordlist to find the following password:

Hash 7

Submit your answer

In the same wiki page, there is a section on generating rules on the fly: hashcat creates random rules itself at run time instead of reading them from a file.

Use this part of the wiki to find the following password; you may need to play with various numbers of generated rules to get the right answer. Don't give up right away!

Hash 8

Submit your answer


Mask Attack

Mask attacks are a more specific version of brute force: instead of trying every character in every position, we define the candidate keyspace per position, which makes cracking far more efficient. A mask is a simple string of placeholders, each a question mark followed by a letter naming a built-in character set: ?l lowercase letters, ?u uppercase letters, ?d digits, ?s special characters, ?a all of those together and ?b all byte values. Up to four custom character sets can also be defined. So ?l?l?l?l covers every four-letter lowercase word.

The following hash can be cracked with a mask only; you don't need the wordlist. This password contains 4 lowercase letters:

Hash 9

Submit your answer

The following password has 3 digits and lowercase letters; there is no need for the wordlist.

Hash 10

Submit your answer

The following password has 7 uppercase letters and 1 digit (though not in that order); it is a word from the wordlist, but you don't need the wordlist to solve.

Hash 11

Submit your answer
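The following added example, written for this page and not taken from hashcat or maskprocessor, shows in Python what the rule and mask sections above describe: a small interpreter for the hashcat rule functions used in this workshop, the maskprocessor-style expansion of a rule template such as '$?d $?d $?d' into a rule file, mask expansion with hashcat's built-in character sets and custom sets, and the set of masks needed for Hash 11, where the single digit can sit in any of the eight positions. It generates candidates only (what hashcat's --stdout mode prints); hashing them is left to hashcat. The function names and the restriction to a subset of rule functions are choices made for this example.

```python
import itertools

# hashcat's built-in character sets (?l ?u ?d ?s ?a); ?b (all byte values) is omitted here.
CHARSETS = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def apply_rule(word, rule):
    """Apply one rule line to a word. Only the functions used in this workshop are
    implemented (:, l, u, c, C, t, r, d, $X, ^X, sXY, [, ], {, }). Functions are split on
    whitespace, so '$ ' (append a space) is not supported by this toy parser."""
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":":
            pass                                   # no-op: pass the word through unchanged
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()   # capitalize first, lower the rest
        elif op == "C":
            word = word[:1].lower() + word[1:].upper()
        elif op == "t":
            word = word.swapcase()
        elif op == "r":
            word = word[::-1]
        elif op == "d":
            word = word * 2
        elif op == "$" and len(arg) == 1:
            word = word + arg                      # append one character
        elif op == "^" and len(arg) == 1:
            word = arg + word                      # prepend one character
        elif op == "s" and len(arg) == 2:
            word = word.replace(arg[0], arg[1])    # substitute all X with Y
        elif op == "[":
            word = word[1:]
        elif op == "]":
            word = word[:-1]
        elif op == "{":
            word = word[1:] + word[:1]
        elif op == "}":
            word = word[-1:] + word[:-1]
        else:
            raise ValueError("unsupported rule function: %r" % fn)
    return word


def expand_mask(mask, custom=None):
    """Yield every string a mask describes. ?l ?u ?d ?s ?a are the built-in sets, ?1..?4 come
    from `custom` (hashcat's -1 .. -4 options), ?? is a literal '?', any other character is
    fixed. Applied to a rule template such as '$?d $?d $?d' this is what maskprocessor does."""
    custom = custom or {}
    pieces, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            pieces.append("?" if key == "?" else custom.get(key) or CHARSETS[key])
            i += 2
        else:
            pieces.append(mask[i])
            i += 1
    for combo in itertools.product(*pieces):
        yield "".join(combo)


def candidates(words, rules=(":",), mask=None):
    """What `hashcat --stdout` would emit: each word through each rule (-a 0 -r) and, if a mask
    is given, the mask appended to every result (hybrid wordlist + mask, -a 6)."""
    for word in words:
        for rule in rules:
            base = apply_rule(word, rule)
            if mask is None:
                yield base
            else:
                for tail in expand_mask(mask):
                    yield base + tail


def masks_with_one(base_class, extra_class, length):
    """Masks for 'length-1 characters of base_class plus exactly one of extra_class in an
    unknown position' (Hash 11: 7 uppercase letters and 1 digit). One mask per line in a
    .hcmask file lets hashcat run them in turn."""
    return ["".join("?" + (extra_class if j == i else base_class) for j in range(length))
            for i in range(length)]


if __name__ == "__main__":
    rules = list(expand_mask("$?d $?d $?d"))       # the 1000-line file mp64 wrote above
    print(rules[0], "...", rules[-1], len(rules))
    print(list(candidates(["monkey"], rules=["c $1", "u"])))
    print(list(candidates(["monkey"], mask="?d")))
    print("\n".join(masks_with_one("u", "d", 8)))
```

Running the candidate stream through the NTLM function instead of printing it turns this into a complete (slow, CPU-only) cracker; the point of hashcat is doing exactly this at GPU speed.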

Hashcat ships with some built-in rules and masks for you to use. Find them in the rules and masks folders of the hashcat installation.

TrustedSec's hate_crack repository on GitHub has some masks that you can use as well.

Advanced Attack: PRINCE

PRINCE (PRobability INfinite Chained Elements) takes one input wordlist and builds "chains" of combined words automatically. It is simple to use and requires no monitoring by the operator, no extensions and no syntax knowledge. The tool effectively builds its own wordlist, hybrid, keyboard-walk/passphrase and brute-force candidates for you. Download princeprocessor from GitHub; the linked forum thread is also useful for understanding PRINCE. As with the prior tool, you will need to compile it or extract a release to run it.

NOTE FOR MAC USERS: the linked GitHub issue explains what you need to do in order to get the tool working on macOS.

If you run princeprocessor against the wordlist we have been using in this workshop, what is the result? Look at the candidates it prints.

Having seen what results from sending a wordlist into princeprocessor, we will do that again, but this time pipe its output into hashcat in place of a wordlist to solve the following hash:
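To show what "chains of combined words" means, here is an added example written for this page; it is not princeprocessor's code and simplifies its algorithm. PRINCE buckets the wordlist by element length, enumerates every chain of element lengths that sums to a wanted password length, and emits every combination of words for that chain. The real tool additionally orders chains by estimated probability and handles wordlists far larger than memory; the length and element-count limits below mirror its options in spirit, and the wordlist is a constructed stand-in.

```python
import itertools
from collections import defaultdict


def prince_chains(elements, pw_min=8, pw_max=16, elem_min=1, elem_max=4):
    """Yield candidates built by chaining 1..elem_max wordlist elements so that the total
    length is within [pw_min, pw_max]. Ordered by password length, then element count."""
    by_len = defaultdict(list)
    for elem in dict.fromkeys(elements):       # de-duplicate, keep wordlist order
        if elem:
            by_len[len(elem)].append(elem)
    lengths = sorted(by_len)

    def length_chains(target, count):
        """All tuples of `count` element lengths (from the buckets we have) summing to target."""
        if count == 0:
            if target == 0:
                yield ()
            return
        for first in lengths:
            # lengths are ascending: once even the shortest remainder cannot fit, stop
            if first + (count - 1) * lengths[0] > target:
                break
            for rest in length_chains(target - first, count - 1):
                yield (first,) + rest

    for pw_len in range(pw_min, pw_max + 1):
        for count in range(elem_min, elem_max + 1):
            for chain in length_chains(pw_len, count):
                for combo in itertools.product(*(by_len[n] for n in chain)):
                    yield "".join(combo)


# Constructed mini wordlist standing in for the workshop list.
SAMPLE_WORDS = ["pass", "word", "123", "monkey"]

if __name__ == "__main__":
    for cand in prince_chains(SAMPLE_WORDS, pw_min=7, pw_max=8, elem_min=2, elem_max=2):
        print(cand)    # lines like these are what gets piped into hashcat as stdin
```

Note how "password" appears as the chain pass + word even though it was never in the list; that is the whole value of PRINCE against passphrases and compound words.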

Hash 12

Submit your answer

Use the same command, but change the wordlist to use Permutations/1337speak.txt instead to solve the following hash:

Hash 13

Submit your answer

Password Analysis

Historical Tips

20-60-20 Rule

The 20-60-20 rule describes how most password sets sort by cracking difficulty: a small share falls quickly, a large middle takes steady effort, and a small share at the end resists, in roughly those proportions.

Cracking Methodology

  1. Extract hashes: Pull hashes from target, identify hashing function
  2. Format hashes: Prepare hashes for your tool’s preferred method
  3. Evaluate hash strength: If slow hash, you need to be more selective of dictionaries and attacks used; if fast, be more liberal with attack strategy
  4. Calculate cracking rig capabilities: Baseline your rig to better assess its capabilities against a specific hash
  5. Formulate plan: Create an attack plan based on known/unknown knowledge
  6. Analyze passwords: Analyze results for any clues/patterns from cracked hashes to aid the success in the remaining
  7. Custom attacks: Leverage the new knowledge to fine tune the attack to the target user’s behavior or preferences
  8. Advanced attacks: Use more advanced tools to dig deeper
  9. Repeat until solved

Basic Cracking Playbook

  1. Custom wordlist: Compile your known plain text passwords into a custom wordlist file
  2. Custom wordlist + rules: Run your custom wordlist with permutation rules for variations
  3. Dictionary/wordlist: Look for common passwords and leaked passwords in a well-known list
  4. Dictionary/Wordlist + rules: Add permutation rules to your dictionary looking for subtle changes
  5. Custom wordlist + rules: Add any newly discovered passwords to custom wordlist and add permutation rules
  6. Mask: Use hashcat’s masks to search keyspace for common password lengths and patterns
  7. Hybrid Dictionary + Mask: Look for larger variations of common words/known passwords by appending/prepending masks to those candidates
  8. Custom wordlist + rules: Add any newly discovered passwords back to custom wordlist and add permutation rules, looking for subtle variations
  9. Combo: Individually combine dictionary password candidates together to form new candidates
  10. Custom hybrid attack: Add any newly discovered passwords back to custom wordlist
  11. Custom mask attack: Custom mask attacks based on currently cracked passwords
  12. Brute force: When all else fails; be selective on how large a keyspace your rig can adequately brute-force. Above 8 chars is harder due to hardware limitations and password entropy/complexity


Potfile

The potfile stores the passwords hashcat has found. The default potfile does not differentiate between hash types; it stores every cracked hash in the order it was found, as the hash followed by a colon and the plaintext. Hashcat has an option to point the potfile at a path of your choosing, so you can, for example, keep all the SHA1 results in one potfile and all the NTLM results in another.
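The added example below, written for this page rather than taken from hashcat, reads a potfile the way the playbook above needs it read: it unwraps the $HEX[...] plaintexts discussed under hash 5, groups entries by digest length (which is as far as a potfile line lets you tell hash types apart, and exactly why NTLM and MD5, both 32 hex characters, deserve separate potfiles), lists which target hashes are still uncracked, and feeds every recovered plaintext back out as the custom wordlist of playbook steps 1, 5 and 8. The sample potfile is constructed: the first two hashes are the real NTLM and SHA1 of "password", the third is computed in the code as the MD5 of a plaintext containing a non-printable byte.

```python
import hashlib
import re

# One potfile line is "<hash>:<plain>"; plains hashcat cannot print as-is are stored as $HEX[..].
POT_LINE = re.compile(r"^([0-9a-fA-F]+):(.*)$")
HEX_PLAIN = re.compile(r"^\$HEX\[([0-9a-fA-F]*)\]$")

# Assumption for this example: only these raw, unsalted families appear. NTLM and MD5 both
# produce 32 hex characters, so a potfile line alone cannot tell them apart.
DIGEST_FAMILIES = {32: "MD5/NTLM", 40: "SHA1", 64: "SHA256"}


def decode_plain(field):
    """Turn the potfile plaintext field into bytes, unwrapping $HEX[...] where present."""
    m = HEX_PLAIN.match(field)
    return bytes.fromhex(m.group(1)) if m else field.encode("utf-8")


def parse_potfile(lines):
    """Return {hash: plaintext_bytes} for every well-formed line, hash lower-cased."""
    cracked = {}
    for line in lines:
        m = POT_LINE.match(line.rstrip("\r\n"))
        if m:
            cracked[m.group(1).lower()] = decode_plain(m.group(2))
    return cracked


def split_by_family(cracked):
    """Group entries by digest length: the closest one can get to per-type potfiles after
    the fact. The clean fix is a separate potfile per hash mode while cracking."""
    groups = {}
    for h, plain in cracked.items():
        groups.setdefault(DIGEST_FAMILIES.get(len(h), "unknown"), {})[h] = plain
    return groups


def left_to_crack(hashes, cracked):
    """Target hashes not in the potfile yet (what hashcat's --left option reports)."""
    return [h for h in hashes if h.lower() not in cracked]


def custom_wordlist(cracked):
    """Playbook steps 1, 5 and 8: feed every recovered plaintext back as a wordlist.
    Returned as bytes so non-UTF-8 plains survive; write it with open(path, 'wb')."""
    return list(dict.fromkeys(cracked.values()))


SAMPLE_MD5 = hashlib.md5(b"pass\x80word").hexdigest()   # plain with a non-printable byte

# Constructed sample potfile, including one malformed line that must be ignored.
SAMPLE_POTFILE = [
    "8846f7eaee8fb117ad06bdd830b7586c:password",             # NTLM of "password"
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8:password",     # SHA1 of "password"
    SAMPLE_MD5 + ":$HEX[7061737380776f7264]",                # MD5 of b"pass\x80word"
    "this is not a potfile line",
]

if __name__ == "__main__":
    cracked = parse_potfile(SAMPLE_POTFILE)
    for family, entries in split_by_family(cracked).items():
        print(family, len(entries))
    print(left_to_crack(["8846F7EAEE8FB117AD06BDD830B7586C",
                         "31d6cfe0d16ae931b73c59d7e0c089c0"], cracked))
    print(custom_wordlist(cracked))
```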

Distributed Cracking Software

Cracking Challenges:

Submit your answers at this link. Use the hints at the bottom of each section to help you if you get stuck.

Challenge Number | NTLM Hash
Set 1, Hint 1

Challenges 1-3 are based on one of the words from the first wordlist we used in the workshop.

Set 1, Hint 2

Challenges 1-3 are permutations on the word "monkey".

Set 2, Hint 1

Challenges 4-6 are combinations of common words and a single digit.

Set 2, Hint 2

Challenges 4-6 should be quickly solvable with a wordlist and appending a mask digit.

Set 3, Hint 1

Challenges 7-9 are phone numbers.

Set 4, Hint 1

Challenges 10-12 are short phrases.

Set 4, Hint 2

Challenges 10-12 are breakfast food related.

Set 4, Hint 3

Challenges 10-12: one password has a special character and another has a digit. Between all three, there are only two capital letters.

Set 5, Hint 1

Challenges 13-15 are used by system/network administrators.

Set 5, Hint 2

Challenges 13-15 all contain the lowercase word "admin".

Set 5, Hint 3

Challenges 13-15 all have the word "admin" and contain digits. Only one has a special character.

Set 6, Hint 1

Challenges 16-18 are all iPhone-related passwords.

Set 6, Hint 2

Challenges 16-18 are passwords that express how the user feels about the iPhone.

Set 6, Hint 3

Challenges 16-18 are passphrases with digits and no special characters.

Set 7, Hint 1

Challenges 19-21 are three-word passphrases.

Set 8, Hint 1

Challenges 22-24 are all laptop-related.

Set 9, Hint 1

Challenges 25-27 are all dojo-related.

Part 2

Use this tool to get the 7zip password.