[ Certified Ethical Hacker v10 ] :: [ Module 4 ]

This entry is part 6 of 21 in the series [ Certified Ethical Hacker Training ]

Module 4: System Hacking (Exploitation)

Cracking for Fun and System Penetration

Hash-cracking communities:

Password dictionaries:

Kali supplies you with several wordlists and hash lists in /usr/share/.

John the Ripper

John can use Kali’s built-in wordlists: /usr/share/wordlists/rockyou.txt.gz etc.

“How to crack passwords using john the ripper in kali linux”


1 Create a simple text file with a hashed password (which is “password”):

echo -n password | md5sum | tr -d " -" >> /root/testhash.txt

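Now use the RockYou wordlist to crack the password. John does not decompress the .gz file itself, so pipe the wordlist in with --stdin, then display the cracked result with --show:

zcat /usr/share/wordlists/rockyou.txt.gz | john --format=raw-md5 --stdin /root/testhash.txt
john --format=raw-md5 --show /root/testhash.txt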

2 Follow the steps on this page:


Hashcat requires 4 arguments:

-m or --hash-type (use --help to list hash types; use -m 1000 for Windows NT hashes)
Example hashes: https://hashcat.net/wiki/doku.php?id=example_hashes

-a or --attack-mode (method: dictionary, brute-force; use -a 0 to use a dictionary attack)

[filename|hash] (hashes to crack, e.g. ./hashes/ntlm.txt; you can supply a single hash directly)

[dictionary|mask|directory] (A wordlist, mask or directory containing wordlist(s), e.g. rockyou.txt)

See this really excellent step-by-step example:


Exercise: Dictionary Attack

1 Hashcat doesn’t support compressed lists, so unzip Kali’s supplied RockYou wordlist, /usr/share/wordlists/rockyou.txt.gz:

gunzip /usr/share/wordlists/rockyou.txt.gz

2 Create a folder called hashlists in your home directory. Make a hash file called win.hash inside it:

mkdir -p ./hashlists
touch ./hashlists/win.hash

Go to this page to create some NTLM hashes. Place them in the win.hash file:

3 Now run hashcat to crack the hashes, using the RockYou wordlist:

hashcat -m 1000 -a 0 --force ./hashlists/win.hash /usr/share/wordlists/rockyou.txt

Cracked hashes go into hashcat.potfile in the user’s home directory, in a folder named .hashcat – unless you specify an output file with the -o option (see the next example).

Exercise: Rule Set Permutations

Rule Sets allow permutations like “Airplane1 to Airplane59”.

For deep details see this page:

Rule Set rules are in /usr/share/hashcat/rules/, for example the best64.rule rule list.

3 Use this command to crack the hashes in win.hash:

hashcat -m 1000 -a 0 -o /root/cracked.txt -r /usr/share/hashcat/rules/best64.rule ./hashlists/win.hash /usr/share/wordlists/rockyou.txt

Exercise: Mask Attack

See this explanation straight from the Hashcat people:

And see this page for examples (halfway down the page):

You will need at least these four options for hashcat:

hashcat-binary attack-mode hash-file mask

For instance:

hashcat -a 3 hash.file '?a?a?a'

?d Digit (repeat 5 times for 5 places)

?l lowercase letter

?u uppercase letter

?s special char

?a all character sets

For example, look for all three-character passwords:

hashcat -m 1000 -a 3 ./testhash.txt '?a?a?a'

Up to 7 chars is reasonable, 8 takes days, 9 takes years (on generic hardware).
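To check the length estimates above when setting a password policy, the following added example (not part of the original post) parses a mask built from the five placeholders listed here and computes the worst-case exhaustive-search time. The rate of 10^9 guesses per second is an assumed figure for a fast unsalted hash, and the function names are hypothetical.

```python
# Added example: candidate count and worst-case search time for a mask.
CHARSET_SIZES = {
    "d": 10,  # ?d digits
    "l": 26,  # ?l lowercase letters
    "u": 26,  # ?u uppercase letters
    "s": 33,  # ?s printable ASCII specials, space included
    "a": 95,  # ?a = ?l + ?u + ?d + ?s
}
ASSUMED_RATE = 1_000_000_000  # guesses/second; an assumption, not a benchmark


def mask_keyspace(mask):
    """Number of candidates a mask built from the placeholders above generates."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1  # literal character: exactly one choice
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        code = mask[i + 1]
        if code == "?":
            pass  # '??' is a literal question mark
        elif code in CHARSET_SIZES:
            total *= CHARSET_SIZES[code]
        else:
            raise ValueError(f"unsupported placeholder ?{code}")
        i += 2
    return total


def worst_case_seconds(mask, rate=ASSUMED_RATE):
    """Time to try every candidate at a fixed guess rate."""
    return mask_keyspace(mask) / rate


def humanize(seconds):
    for unit, size in (("years", 31_536_000), ("days", 86_400), ("hours", 3_600)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for length in (7, 8, 9):
        mask = "?a" * length
        print(length, mask_keyspace(mask), humanize(worst_case_seconds(mask)))
    # A known structure shrinks the search: capital, 5 lowercase, 2 digits.
    print(humanize(worst_case_seconds("?u?l?l?l?l?l?d?d")))
```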

4 What would the command be to look for all five-character passwords?

Exercise: Combinator Attacks

Use two wordlists, or the same wordlist twice, and try all possible combinations:

hashcat -m 0 -a 1 ./testhash.txt [wordlist1] [wordlist2]

5 Follow this page step-by-step:

The LinkedIn hashdump and more instructions:

And another good tutorial on masks:
