Hash Cracking Tutorial: Crack Passwords With Hashcat and John (2026)


You have just dumped /etc/shadow from a Linux target or pulled NTLM hashes from a domain controller during a penetration testing engagement. The hashes are sitting in a text file, and the clock is ticking on your assessment window. Hash cracking is how you turn those strings into plaintext credentials that prove real impact to your client. It is also one of the most satisfying parts of any pentest. Practice each technique hands-on in HackerDNA's Password Cracking course as you read. For the bigger picture, see our complete penetration testing guide.

This tutorial walks through hash identification, cracking with Hashcat 6.2.6 and John the Ripper 1.9.0-jumbo-1, attack modes (dictionary, rule-based, mask), wordlist selection, and GPU benchmarks on current hardware. Every command is copy-paste ready. No filler, no theory without practice.

TL;DR: Hash cracking recovers plaintext passwords from their hashed representations using dictionary, brute-force, or rule-based attacks. Hashcat is the fastest option for GPU-equipped machines, while John the Ripper works well on CPUs and excels at format detection. Start with rockyou.txt and basic rules before attempting more targeted attacks.

What Is Hash Cracking?

Hash cracking is the process of recovering plaintext passwords from their cryptographic hash values using techniques like dictionary attacks, brute force, and rule-based mutations. During penetration tests, cracked credentials reveal password reuse, enable lateral movement, and expose weak password policies.

Hashing is a one-way function. You cannot reverse a SHA-256 hash mathematically. But you can hash millions of candidate passwords and compare the output to your target hash. When there is a match, you have the plaintext. That is all hash cracking really is: a massive comparison game where speed wins.

The most common hash types you will encounter:

  • MD5 - 32 hexadecimal characters. Still common in leaked databases and older PHP applications despite being cryptographically broken since 2004.
  • SHA-1 - 40 hex characters. Deprecated for certificates but still shows up in legacy systems and some database dumps.
  • SHA-256 - 64 hex characters. Stronger, but unsalted SHA-256 is still crackable at high speed.
  • bcrypt - Starts with $2b$ prefix. The gold standard for password storage. Cost factor makes it deliberately slow to crack.
  • NTLM - 32 hex characters, used in Windows Active Directory environments. Fast to crack because there is no salting.

In practice, the hash type determines your entire approach. An unsalted MD5 cracks in seconds on a modern GPU. A bcrypt hash with cost factor 12 could take weeks for a single password. Knowing what you are up against before you start saves hours of wasted compute time.

Practice this now: Crack SHA1 Hash - identify and crack SHA-1 hashes in a browser-based lab. No setup required.

How to Identify Hash Types

Before you fire up any cracking tool, you need to know what algorithm produced the hash. Running Hashcat with the wrong mode number wastes time and gives you zero results.

The quickest method is length-based identification. Count the characters:

  • 32 hex characters: likely MD5 or NTLM
  • 40 hex characters: likely SHA-1
  • 64 hex characters: likely SHA-256

For automated identification, Kali Linux ships with two tools. hashid is the more reliable one:

$ hashid 5f4dcc3b5aa765d61d8327deb882cf99
Analyzing '5f4dcc3b5aa765d61d8327deb882cf99'
[+] MD2
[+] MD5
[+] MD4
[+] NTLM

It returns multiple possibilities ranked by likelihood. MD5 and NTLM both produce 32-character hex strings, so context matters. If you pulled the hash from a Windows SAM file or NTDS.dit, it is NTLM. If it came from a MySQL database, it is probably MD5.

Unix shadow file hashes are easier to identify because they include a prefix:

  • $1$ - MD5crypt (ancient, still found on older systems)
  • $5$ - SHA-256crypt
  • $6$ - SHA-512crypt (default on most modern Linux distributions)
  • $2b$ - bcrypt

Once you have identified the algorithm, map it to a Hashcat mode number. The ones you will use most often:

  • -m 0 - MD5
  • -m 100 - SHA-1
  • -m 1000 - NTLM
  • -m 1800 - SHA-512crypt (Linux shadow files)
  • -m 3200 - bcrypt
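
The identification rules above (crypt prefix first, then hex length, then context to split MD5 from NTLM) are mechanical enough to script. The following Python is an added example, not part of this tutorial and not the code of hashid or Hashcat. It goes slightly beyond the list above: it also recognises the older $2a$ and $2y$ bcrypt prefixes and maps the md5crypt, sha256crypt and raw SHA-256 formats to their real Hashcat modes (500, 7400 and 1400). The `source` hint values "windows" and "mysql" are a convention invented for this example.

```python
import re
from typing import Dict, List, Optional

# Hashcat mode numbers. The first five are the ones listed above; 500, 7400
# and 1400 are the real hashcat modes for md5crypt, sha256crypt and raw SHA-256.
HASHCAT_MODES: Dict[str, int] = {
    "MD5": 0, "SHA-1": 100, "NTLM": 1000, "SHA-512crypt": 1800, "bcrypt": 3200,
    "MD5crypt": 500, "SHA-256crypt": 7400, "SHA-256": 1400,
}

# Unix crypt(3) prefixes. $2a$/$2y$ are older bcrypt variants, added here
# beyond the tutorial's list.
CRYPT_PREFIXES: Dict[str, str] = {
    "$1$": "MD5crypt", "$5$": "SHA-256crypt", "$6$": "SHA-512crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
}

# Raw hex digest lengths. 32 characters is ambiguous (MD5 vs NTLM).
HEX_LENGTHS: Dict[int, List[str]] = {32: ["MD5", "NTLM"], 40: ["SHA-1"], 64: ["SHA-256"]}

HEX_RE = re.compile(r"^[0-9a-f]+$")


def identify(hash_value: str, source: Optional[str] = None) -> List[str]:
    """Return candidate algorithm names, most likely first.

    `source` is an optional hint about where the hash came from (an assumption
    of this example): "windows" for SAM/NTDS.dit dumps, anything else (e.g.
    "mysql") favours MD5 for a 32-character hex string."""
    h = hash_value.strip()
    for prefix, name in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return [name]                       # prefix is unambiguous
    low = h.lower()
    if HEX_RE.match(low) and len(low) in HEX_LENGTHS:
        cands = list(HEX_LENGTHS[len(low)])
        if len(low) == 32 and source:
            # Context decides between MD5 and NTLM; put the likely one first.
            preferred = "NTLM" if source.lower() == "windows" else "MD5"
            cands.sort(key=lambda name: name != preferred)
        return cands
    return []                                   # unknown / not a bare hash


def hashcat_mode(hash_value: str, source: Optional[str] = None) -> Optional[int]:
    """Map a hash to the Hashcat -m number of its most likely algorithm."""
    cands = identify(hash_value, source)
    return HASHCAT_MODES[cands[0]] if cands else None


if __name__ == "__main__":
    # Constructed samples: the MD5 of "password" from the hashid example above,
    # and synthetic crypt-style strings with placeholder salt/hash bodies.
    samples = [
        ("5f4dcc3b5aa765d61d8327deb882cf99", "mysql"),
        ("5f4dcc3b5aa765d61d8327deb882cf99", "windows"),
        ("$6$examplesalt$" + "A" * 86, None),
        ("$2b$12$" + "x" * 53, None),
    ]
    for value, src in samples:
        print(f"{value[:20]:22s} source={src!s:8s} -> {identify(value, src)} -m {hashcat_mode(value, src)}")
```

Run it on a line from a real dump and the printed `-m` value is what goes into the Hashcat command; when the result is a two-element list, the hash came from a source the script cannot see, so supply the hint or check the file it was pulled from.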

Hash Cracking With Hashcat

Hashcat 6.2.6 is the tool you reach for when speed matters. It runs on GPUs, supports over 350 hash modes, and has the best rule engine available. If you have a dedicated GPU, Hashcat should be your primary cracking tool.

Dictionary Attack

A straight dictionary attack is always your first move. You are comparing every word in a wordlist against your target hashes:

hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

The flags break down simply. -m 0 sets the hash mode to MD5. -a 0 selects straight mode, which means dictionary-only with no mutations. hashes.txt contains your target hashes, one per line. The last argument is your wordlist.

Against a batch of unsalted MD5 hashes, this finishes in under a minute on any modern GPU. You will typically crack 20-40% of hashes in a dump with just rockyou.txt and no rules. Weak passwords like "password123" and "summer2024" fall immediately.

Hashcat saves cracked results to a potfile (~/.local/share/hashcat/hashcat.potfile by default). If you run the same hashes again, it skips already-cracked ones. You can view cracked results any time with hashcat --show -m 0 hashes.txt. This is useful when you want to generate a final report without re-running the full attack.

Rule-Based Attacks

Rules are where Hashcat really pulls ahead. Each rule mutates every word in your wordlist: toggling case, appending numbers, substituting letters for leet speak equivalents, reversing strings. A single wordlist entry like "password" becomes "Password", "password1", "p@ssword", "PASSWORD123", and hundreds of other variations.

hashcat -m 0 -a 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

The -r flag loads a rule file. Hashcat ships with several, but two cover the vast majority of real-world password patterns.

Skip writing custom rules until you have exhausted best64.rule and dive.rule. Those two cover roughly 80% of real-world password mutations that users actually create. Custom rules make sense for targeted attacks against a specific organization's password policy, but most pentesters never need them.

Mask Attacks

When you know the password policy, mask attacks let you target a specific pattern:

hashcat -m 0 -a 3 hashes.txt ?u?l?l?l?l?d?d?d

This mask tries every combination matching the pattern: one uppercase letter, four lowercase letters, three digits. That covers passwords like "Admin001" or "Sales789".

The charset placeholders:

  • ?l - lowercase (a-z)
  • ?u - uppercase (A-Z)
  • ?d - digit (0-9)
  • ?s - special characters
  • ?a - all of the above

Mask attacks are most effective when you have intelligence about the target's password policy. If the company requires "minimum 8 characters, at least one uppercase and one number," you can build a mask that matches exactly that policy and skip billions of impossible candidates.

On an RTX 4090, Hashcat cracks MD5 at roughly 164 billion hashes per second. NTLM runs at about 100 billion. bcrypt with cost factor 10 drops to around 184,000 hashes per second. These numbers explain why hash algorithm selection matters so much on the defensive side. The difference between MD5 and bcrypt is not incremental. It is six orders of magnitude.
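
The keyspace arithmetic behind those statements is worth seeing once. The Python below is an added example, not part of this tutorial and not Hashcat's code: it computes how many candidates a mask enumerates (using Hashcat's built-in charset sizes, with ?s being 33 characters and ?a all 95 printable ASCII characters), estimates the time to exhaust it at the RTX 4090 rates quoted above, and compares the policy-shaped mask with a full eight-character ?a mask. The rates are the figures from the paragraph above, treated here as constants; the `human()` formatting is this example's own.

```python
from typing import Dict, Optional

# Built-in hashcat charsets and their sizes (?s = 33 specials, ?a = 26+26+10+33).
CHARSET_SIZES: Dict[str, int] = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

# Benchmark figures quoted above for an RTX 4090, in hashes per second.
RATES: Dict[str, float] = {"MD5": 164e9, "NTLM": 100e9, "bcrypt cost 10": 184e3}


def mask_keyspace(mask: str, custom: Optional[Dict[str, int]] = None) -> int:
    """Number of candidates a mask enumerates.

    `custom` maps a custom charset digit ("1" for ?1, as defined with -1)
    to the size of that charset. Literal characters contribute one choice."""
    sizes = dict(CHARSET_SIZES)
    if custom:
        sizes.update(custom)
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            tag = mask[i + 1]
            if tag == "?":                 # "??" is a literal question mark
                pass
            elif tag in sizes:
                total *= sizes[tag]
            else:
                raise ValueError(f"unknown charset ?{tag}")
            i += 2
        else:                              # literal character
            i += 1
    return total


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` hashes per second."""
    return keyspace / rate


def human(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.3f} seconds"


def compare(mask: str) -> Dict[str, float]:
    """Exhaustion time for one mask under each quoted hash rate."""
    ks = mask_keyspace(mask)
    return {algo: seconds_to_exhaust(ks, rate) for algo, rate in RATES.items()}


if __name__ == "__main__":
    policy = "?u?l?l?l?l?d?d?d"           # the mask from the example above
    full = "?a" * 8                        # every printable 8-character string
    print(f"policy mask {policy}: {mask_keyspace(policy):,} candidates")
    print(f"full ?a x8 mask: {mask_keyspace(full):,} candidates")
    print(f"policy mask is {mask_keyspace(full) // mask_keyspace(policy):,}x smaller")
    for label, mask in (("policy", policy), ("full", full)):
        for algo, secs in compare(mask).items():
            print(f"  {label:6s} {algo:15s} {human(secs)}")
```

Two things fall out of the numbers. The policy mask is roughly half a million times smaller than the full printable keyspace, which is the "billions of impossible candidates" the mask skips. And the same 11.9 billion candidates take a fraction of a second as MD5 but most of a day as bcrypt at cost 10, which is the defensive argument for slow password hashes in one line of arithmetic.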

Hash Cracking With John the Ripper

John the Ripper 1.9.0-jumbo-1 takes a different approach. It is CPU-friendly, auto-detects hash types, and shines in situations where Hashcat feels clunky.

Basic usage could not be simpler:

john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

John detects the hash format automatically. No mode numbers to look up. If auto-detection picks the wrong format, you can override it with --format=Raw-MD5 or whatever matches your hash. When it finishes, view the results:

john --show hashes.txt

Where John really earns its place on every pentester's machine is the *2john family of scripts. These extract crackable hashes from encrypted files:

pdf2john document.pdf > pdf_hash.txt
zip2john archive.zip > zip_hash.txt
ssh2john id_rsa > ssh_hash.txt
keepass2john database.kdbx > kp_hash.txt

Hashcat cannot do this natively. You would need separate tools to extract the hash first, then feed it to Hashcat. John handles it all in one workflow.

During a recent engagement, a client stored KeePass databases on a shared network drive with no additional access controls. Running keepass2john followed by a dictionary attack cracked two master passwords in under ten minutes. Those databases contained domain admin credentials. Without John's extraction scripts, that attack chain would have required a separate tool for each file type.

John is the better choice when you have a mix of hash formats or need to crack non-password hashes from encrypted files. For raw GPU speed on a single hash type, Hashcat wins every time. Most experienced pentesters keep both installed and reach for whichever fits the job. There is no reason to pick sides.

Choosing the Right Wordlist and Attack Strategy

If you have read our Gobuster wordlist guide, you know that wordlist quality matters more than size. A 50 GB wordlist full of random strings cracks fewer passwords than a curated 500 MB list of real leaked passwords.

The essential wordlists:

  • rockyou.txt - 14 million passwords from the 2009 RockYou breach. Ships with Kali. This is your default starting point for every engagement.
  • SecLists Passwords directory - the SecLists repository on GitHub contains dozens of specialized wordlists sorted by source, language, and pattern.
  • CeWL - generates target-specific wordlists by scraping a company's website. Picks up product names, employee names, and jargon that generic wordlists miss.

For a structured approach, work through attacks in this order:

  1. Dictionary attack with rockyou.txt
  2. Dictionary + rules (best64.rule first, then dive.rule)
  3. Mask attack if password policy is known
  4. Combinator attack for passphrase-style passwords
  5. Targeted wordlist from CeWL + rules

In practice, steps 1 and 2 crack about 70-80% of the hashes in a typical engagement. If you are still stuck after rule-based attacks, the remaining passwords are usually strong enough that brute force is not realistic within a reasonable timeframe. At that point, move on to other attack vectors. Spending three days trying to brute-force a 16-character random password is time you could spend finding a different path to the same objective.

Legal and Ethical Considerations

Critical reminder: Only crack hashes that you have explicit written authorization to test. Unauthorized access to computer systems is a criminal offense under laws like the CFAA (US), Computer Misuse Act (UK), and similar legislation worldwide.

Authorized penetration testing engagements and CTF competitions are the only appropriate contexts for cracking password hashes. Your scope of work document should explicitly mention password cracking as an approved activity. If it does not, get written confirmation before proceeding.

For safe practice, stick to purpose-built environments: HackerDNA labs, VulnHub machines, Hack The Box, or CTF platforms. These systems exist specifically for learning offensive techniques and carry no legal risk. Building a local lab with VirtualBox or Docker also works well for experimenting with different hash types and attack modes.

If you discover cracked passwords during an authorized test, handle them carefully. Report them through proper channels defined in your engagement agreement. Never retain copies of cracked credentials after the engagement ends, and never use them outside the agreed scope. Your client trusted you with access to their most sensitive data. Treat that trust seriously.

Password data from real breaches (beyond well-known training sets like rockyou.txt) should not be downloaded or stored. Using stolen credential databases, even for "research," creates legal exposure that is not worth the risk. The OWASP Password Storage Cheat Sheet provides good guidance on the defensive side if clients ask how to protect against the techniques you demonstrated.

Start Cracking Hashes Today

Hash cracking is a skill that improves with repetition. Each engagement teaches you something about how real users create passwords, and that experience makes your next attack faster and more targeted.

The workflow is straightforward: identify the hash type, choose your tool (Hashcat for GPU speed, John for format flexibility), select the right wordlist, and work through attack modes from simple to complex. Most hashes fall to a dictionary attack with good rules. The ones that survive are usually strong enough that you are better off finding a different path to your objective.

One more thing: document your cracking results carefully. Record which passwords were cracked, what attack mode broke them, and how long it took. This data goes into your report and gives the client concrete evidence of their password policy weaknesses. A table showing that 73% of domain passwords were cracked in under four hours speaks louder than any policy recommendation.

Put these techniques to work in HackerDNA's Shadow Cracker lab, where you extract and crack real password hashes from a Linux system. Then work through the full Password Cracking course for guided lessons covering every attack mode. Start with HackerDNA's free tier, no credit card required.

HackerDNA Team

Written by the HackerDNA team - cybersecurity professionals building hands-on hacking labs and educational content to help you develop real-world security skills.
