12. Password Cracking & Identity
Shattering the Hash
When an attacker exfiltrates a database or dumps the /etc/shadow file on a Linux system, they don't receive plaintext passwords—they receive hashes. Password cracking is the process of reversing or guessing those hashes offline to reveal the original credentials. Understanding this process is essential for defenders who need to test their own password policies and for understanding the real-world impact of a database breach.
This is offline work—no network connection to the target is required after the hash dump. The attacker can run cracking tools at home on their own hardware indefinitely, making any rate limiting, account lockout, or MFA completely irrelevant. The only defenses that matter are the strength of the original passwords and the quality of the hashing algorithm used to store them.
🔎 What Hash Cracking Actually Is
A cryptographic hash is a one-way function—you cannot mathematically reverse SHA-256(password) to get "password." So how does cracking work? Through educated guessing at scale:
- Start with a candidate password (e.g., "password123")
- Hash it with the same algorithm used to store the target hash (SHA-256, MD5, bcrypt)
- Compare the result to the stolen hash
- If they match: password cracked. If not: try the next candidate.
That's it. The "magic" of password cracking is pure computational power—testing billions of candidates per second until one matches. With a modern GPU running Hashcat, you can test 100+ billion MD5 hashes per second. SHA-256 is slower at around 10 billion per second. bcrypt at cost factor 10: approximately 20,000 per second. That difference—5 million times slower—is why algorithm choice is critical.
🔨 Cracking Methodologies
Dictionary Attacks — The First Strike
A dictionary attack uses a wordlist of candidate passwords. The cracking tool hashes each word in the list and compares it to the target hash. If a match is found, the password is revealed.
Why they're so effective: Humans are terrible at creating truly random passwords. Given no constraints, most people choose words from dictionaries, proper names, keyboard patterns, or simple combinations. Studies of leaked password databases consistently show that the top 10,000 passwords cover 30–40% of all user accounts in any given breach.
Key wordlists:
- rockyou.txt: 14 million real-world passwords leaked from the RockYou breach in 2009. The most commonly used wordlist. Available in Kali at
/usr/share/wordlists/rockyou.txt.gz. - SecLists: A comprehensive collection of wordlists maintained by Daniel Miessler. Includes password lists, usernames, URLs, and fuzzing payloads. Essential for pentesting.
- Custom wordlists (CeWL): Crawl a target's website and extract words to build a custom wordlist. Employees frequently use company names, product names, and internal jargon in passwords.
cewl https://target.com -d 2 -m 5 > company_wordlist.txt
Rule-Based Attacks — Supercharging Dictionaries
Most users take a simple word and apply predictable transformations: capitalize the first letter, add a number at the end, replace letters with symbols. Rule-based attacks apply these transformations programmatically to every word in a wordlist, without needing to pre-generate all variations.
Common Hashcat rules:
- Capitalize first letter:
c→ "password" → "Password" - Append numbers 0-9:
$1→ "password" → "password1" - Toggle case:
t→ "password" → "pAsSwOrD" - Reverse word:
r→ "password" → "drowssap" - Leet speak substitution:
sa@→ "password" → "p@ssword"
hashcat -a 0 -r /usr/share/hashcat/rules/best64.rule hashes.txt rockyou.txt applies 64 of the most effective rules to every word in rockyou.txt—generating and testing hundreds of millions of variations automatically.
Brute-Force Attacks — When All Else Fails
Brute force tries every possible combination of characters systematically. It's guaranteed to succeed eventually but may take an impractical amount of time for complex passwords.
Realistic timelines (Hashcat, RTX 4090 GPU, MD5):
- All lowercase 6-char: ~0.001 seconds
- Lowercase + digits 8-char: ~2 seconds
- Full ASCII 8-char: ~30 minutes
- Full ASCII 10-char: ~6 years
- Full ASCII 12-char: ~thousands of years
Brute force is practical for short passwords and weak hashing algorithms (MD5). Against bcrypt or Argon2, even 6-character passwords become infeasible to brute force within a reasonable timeframe because each test takes 100-10,000x longer.
hashcat -a 3 hashes.txt ?l?l?l?l?l?l?d?d — Brute-force 6 lowercase + 2 digits (e.g., "password12")
Rainbow Table Attacks — Pre-Computed Lookups
Rainbow tables are massive pre-computed lookup databases mapping every possible hash back to its plaintext. Instead of computing the hash at crack time, the attacker simply looks up the hash in the table—an instant lookup regardless of password complexity.
For MD5 unsalted hashes, rainbow tables covering all 8-character passwords (upper, lower, digits, symbols) are readily available for download and turn hours of cracking into milliseconds.
Why salting destroys rainbow tables: A salt is a unique random string added to each password before hashing. SHA-256(salt + password) instead of SHA-256(password). A rainbow table is built for a specific hash function with no salt. Salts add a unique variable to every hash—to use rainbow tables against salted hashes, you'd need a separate table for every possible salt value, which is computationally infeasible. Salting is why modern databases that use proper password storage are immune to rainbow table attacks.
Pass-the-Hash (PTH) — No Cracking Required
In Windows environments using NTLM authentication, the password hash itself is used directly for authentication—the protocol doesn't require the plaintext password. If an attacker dumps an NTLM hash from a compromised machine's memory using Mimikatz or hashdump, they can present that hash directly to authentication services and log in as that user. No cracking required. The hash IS the credential.
The Attack:
- Compromise a Windows machine (any method)
- Dump LSASS memory or the SAM database:
sekurlsa::logonpasswordsin Mimikatz - Extract NTLM hash: e.g.,
aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c - Pass the hash using Impacket:
python psexec.py -hashes aad3b...586c Administrator@10.0.0.1 - Authenticate as Administrator on the target system without ever knowing the password.
Why PTH is critical: In Active Directory environments with shared local administrator passwords (before LAPS was implemented), a single NTLM hash dump enables lateral movement to every machine in the organization sharing that credential. One compromised machine becomes every machine.
Defense against PTH: Microsoft's Local Administrator Password Solution (LAPS) generates unique, random local admin passwords per machine—eliminating the shared password problem. Windows Defender Credential Guard prevents NTLM hashes from being extracted from LSASS memory. Disabling NTLM and requiring Kerberos authentication further limits PTH attacks.
🛠️ The Cracker's Toolkit: John the Ripper and Hashcat
John the Ripper (John):
One of the oldest and most reliable password crackers. Excellent for quick, automated cracking tasks on CPU hardware. John automatically detects hash types and applies intelligent wordlists and rules without complex configuration:
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt— Basic dictionary attackjohn hashes.txt --format=sha256crypt --wordlist=rockyou.txt— Specify hash format explicitlyjohn hashes.txt --rules --wordlist=rockyou.txt— Apply built-in mangling rulesjohn --show hashes.txt— Display all cracked passwordsunshadow /etc/passwd /etc/shadow > combined.txt && john combined.txt— Crack Linux shadow file hashes
Hashcat — The Speed King:
Hashcat leverages GPU compute power to test billions of hashes per second—dramatically faster than CPU-based crackers for most hash types. It is the professional standard for serious cracking work:
hashcat -m 0 hashes.txt rockyou.txt— MD5 dictionary attack (-m 0 = MD5)hashcat -m 1000 hashes.txt rockyou.txt— NTLM dictionary attack (-m 1000 = NTLM)hashcat -m 1800 hashes.txt rockyou.txt— SHA-512crypt (Linux shadow) attackhashcat -m 3200 hashes.txt rockyou.txt— bcrypt attack (very slow, computationally expensive)hashcat -m 0 -a 3 hashes.txt ?u?l?l?l?d?d?d?d— Brute force: 1 uppercase + 3 lowercase + 4 digitshashcat -m 0 -a 6 hashes.txt rockyou.txt ?d?d?d?d— Hybrid: dictionary word + 4 digits (e.g., password2024)hashcat --show hashes.txt— Display cracked results from the potfile
Common Hashcat Hash Mode Numbers:
| Mode | Algorithm | Speed (RTX 4090) |
|---|---|---|
| 0 | MD5 | ~164 billion/sec |
| 100 | SHA1 | ~60 billion/sec |
| 1400 | SHA-256 | ~24 billion/sec |
| 1000 | NTLM | ~340 billion/sec |
| 1800 | SHA-512crypt (Linux) | ~2 million/sec |
| 3200 | bcrypt | ~200,000/sec |
| 13722 | Argon2id | ~2,000/sec |
This table illustrates exactly why algorithm choice matters. NTLM cracks at 340 billion attempts per second. Argon2id: 2,000. The same 8-character password that cracks in milliseconds against NTLM would take 170 million times longer against Argon2id.
🔐 Identity Security: Beyond Passwords
Even perfectly cracked-resistant passwords are not enough. Modern identity security requires multiple layers:
Multi-Factor Authentication (MFA):
- Something you know: Password
- Something you have: Hardware token (YubiKey), authenticator app (TOTP/HOTP), SMS code
- Something you are: Biometrics (fingerprint, facial recognition)
MFA makes stolen passwords alone insufficient for authentication. An attacker with your NTLM hash cannot satisfy an MFA requirement. This is why enabling MFA—especially for privileged accounts, email, and VPN access—is the single highest-impact security improvement most organizations can make.
MFA Bypasses (Know These):
- MFA Fatigue (Push Bombing): Attacker has the password and triggers dozens of MFA push notifications to the victim's phone until the victim accidentally (or frustratedly) approves one. Microsoft reported this as one of the most common attack patterns against M365 accounts. Mitigation: use number-matching MFA that requires typing a displayed code, not just approve/deny.
- SIM Swapping: Attacker socially engineers a mobile carrier into transferring the victim's phone number to the attacker's SIM. SMS MFA codes now go to the attacker. Mitigation: use authenticator apps or hardware tokens instead of SMS MFA.
- Adversary-in-the-Middle (AiTM) Phishing: The phishing site acts as a real-time proxy between victim and legitimate service—capturing the session cookie after MFA is completed. Evilginx2 and Modlishka automate this. Mitigation: hardware security keys (FIDO2/WebAuthn) bind authentication to the specific domain and are immune to AiTM phishing.
Password Manager Adoption:
Password reuse is the primary reason stolen credentials from one breach enable access to other services (credential stuffing). Password managers (1Password, Bitwarden, KeePass) generate and store unique, random, strong passwords for every site—eliminating both password reuse and weak password selection. Every security professional should be using one and recommending them to users.
Privileged Access Management (PAM):
Enterprise environments require special controls for privileged accounts (domain admins, root, service accounts):
- Just-in-time (JIT) access: Privilege is granted only for the specific time window when it's needed, then revoked.
- Session recording: All privileged sessions are recorded and stored for audit and forensic purposes.
- Credential vaulting: Privileged passwords are stored in a PAM vault, rotated automatically, and never known to the administrators who use them—they check out credentials through the vault.
🧪 Lab Mission: Hash Cracking Challenge
Complete each task, documenting your commands and results:
- Identify the hash type for each of the following (use hashid or hash-identifier):
5f4dcc3b5aa765d61d8327deb882cf99,$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy,$6$salt$hash... - Crack the MD5 hash using John:
john md5_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 - Crack the same hash with Hashcat:
hashcat -m 0 md5_hash.txt rockyou.txt. Compare speeds. - Apply rules to crack a more complex hash:
hashcat -m 0 hash.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule - Attempt a hybrid attack:
hashcat -m 0 -a 6 hash.txt rockyou.txt ?d?d?d?d - If you have a Linux shadow file (from a lab VM), use
unshadowto combine passwd and shadow, then crack with John. - Explore Pass-the-Hash: Using a lab Windows VM, use Mimikatz to dump the NTLM hash, then use Impacket's psexec.py with the hash to authenticate without the password.
Analysis Questions: How does changing from MD5 to bcrypt affect your cracking speed? If a user's password is "Summer2024!" — would rockyou.txt alone crack it? What about with best64.rule applied? What does this tell you about the effectiveness of password complexity requirements vs. password length?
✅ Module 12 Summary
- Password cracking works by testing candidates against stolen hashes offline—network controls, lockouts, and MFA provide zero protection against offline cracking.
- The four main methodologies: Dictionary (wordlist), Rule-based (transformed wordlist), Brute-force (all combinations), and Hybrid (wordlist + patterns). Start with dictionary+rules before brute-force.
- Pass-the-Hash bypasses the need to crack at all in NTLM environments. Dump the hash, use the hash. Defend with LAPS and Credential Guard.
- Hashcat (GPU) is dramatically faster than John (CPU) for most hash types. Algorithm choice is the dominant factor: NTLM cracks at 340B/sec; Argon2id at ~2K/sec.
- MFA is the highest-impact identity security control available. Deploy it universally, especially on email, VPN, and privileged accounts. Prefer hardware keys (FIDO2) over SMS codes.
Knowledge Check
Ready to test your understanding of 12. Password Cracking & Identity?