
Hashcat & John the Ripper Cheatsheet

Mar 01, 2025
4 min read
lawbyte

Password cracking turns captured hashes into credentials. Hashcat uses GPU acceleration for speed; John the Ripper is flexible and cross-platform. Both are essential in the toolkit.

Hash Identification

# hashid — lists candidate hash types for one hash string. Keep the value in
# single quotes: prefixes such as $1$, $6$ or $krb5tgs$ (see the reference
# below) would otherwise be expanded by the shell before hashid sees them.
hashid 'HASH_VALUE'
hashid -m 'HASH_VALUE' # include hashcat mode number
# hash-identifier (interactive)
hash-identifier
# paste hash, it guesses the type — the guess is not authoritative: NTLM and
# raw MD5 are both 32 hex chars (reference below), so pick -m from context

# Common formats reference:
# MD5 32 hex chars (raw); a $1$ prefix is md5crypt (see -m 500 below), not raw MD5
# SHA-1 40 hex chars
# SHA-256 64 hex chars
# bcrypt $2a$ $2b$ $2y$
# NTLM 32 hex chars (like MD5 but from Windows)
# NetNTLMv2 User::Domain:Challenge:Hash:Blob
# Kerberos 5 $krb5tgs$23$ (RC4) or $krb5tgs$17$ (AES128) or $krb5tgs$18$ (AES256)
# AS-REP $krb5asrep$23$
# SHA-512 crypt $6$
# WPA PMKID or 22000 format

Hashcat — Attack Modes

# Modes overview
# -a 0: Wordlist (dictionary)
# -a 1: Combinator (word1+word2)
# -a 3: Mask (brute force with pattern)
# -a 6: Hybrid (wordlist + mask)
# -a 7: Hybrid (mask + wordlist)

Mode 0 — Dictionary Attack

# Generic form: -m is the hash-type number (see "Common Hash Types" below); the
# wordlist(s) listed after hashes.txt supply the candidates. -m 0 in the
# examples below means raw MD5.
hashcat -a 0 -m HASH_TYPE hashes.txt wordlist.txt

# With rules — the rule file transforms every candidate (rule syntax under "Rules" below)
hashcat -a 0 -m 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
hashcat -a 0 -m 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/d3ad0ne.rule

# Multiple wordlists
hashcat -a 0 -m 0 hashes.txt wordlist1.txt wordlist2.txt

# Show cracked — --show only prints hash:plaintext pairs recorded by earlier
# runs; it does no cracking, so the wordlist argument is not used here
hashcat -a 0 -m 0 hashes.txt rockyou.txt --show

Mode 3 — Mask (Brute Force)

# Charset symbols:
# ?l = lowercase (a-z)
# ?u = uppercase (A-Z)
# ?d = digit (0-9)
# ?s = special (!@#$...)
# ?a = all printable
# ?b = all bytes

# Each ?x symbol is one character position, so a mask fixes the length; the
# keyspace is the product of the charset sizes per position and grows fast
# with ?a. Masks are unquoted below; quote them if a file in the current
# directory could match the ? glob.
# 8 char password: upper + lower + digit
hashcat -a 3 -m 0 hashes.txt ?u?l?l?l?l?l?l?d

# Exactly 8 digits
hashcat -a 3 -m 0 hashes.txt ?d?d?d?d?d?d?d?d

# Pattern: Capital + 6 lower + 2 digits (9 characters)
hashcat -a 3 -m 0 hashes.txt ?u?l?l?l?l?l?l?d?d

# Custom charset: -1 defines ?1 as lowercase+digit, the mask then uses ?1 eight times
hashcat -a 3 -m 0 hashes.txt -1 ?l?d ?1?1?1?1?1?1?1?1

# Increment (try all lengths 1..8): --increment walks from --increment-min up
# to the full mask length
hashcat -a 3 -m 0 hashes.txt ?a?a?a?a?a?a?a?a --increment --increment-min 1

Mode 1 — Combinator

# Combine two wordlists: each left word followed by each right word (word1word2)
hashcat -a 1 -m 0 hashes.txt wordlist1.txt wordlist2.txt

# With rules on each side: -j applies 'c' (capitalize) to the left word, -k
# applies '$!' (append "!") to the right word — rule letters under "Rules" below
hashcat -a 1 -m 0 hashes.txt wordlist1.txt wordlist2.txt -j 'c' -k '$!'

Mode 6 / 7 — Hybrid

# Wordlist + mask (append digits): each word followed by every 4-digit sequence
hashcat -a 6 -m 0 hashes.txt rockyou.txt ?d?d?d?d

# Mask + wordlist (prepend digits): every 4-digit sequence followed by each word
hashcat -a 7 -m 0 hashes.txt ?d?d?d?d rockyou.txt

Common Hash Types (-m values)

# Windows / Active Directory
-m 1000 # NTLM
-m 3000 # LM
-m 5600 # NetNTLMv2
-m 5500 # NetNTLMv1
-m 13100 # Kerberos 5 TGS (Kerberoasting) RC4
-m 19600 # Kerberos 5 TGS AES128
-m 19700 # Kerberos 5 TGS AES256
-m 18200 # Kerberos 5 AS-REP (AS-REP Roasting)

# Unix
-m 500 # MD5crypt ($1$)
-m 1800 # sha512crypt ($6$)
-m 3200 # bcrypt ($2*)
-m 7400 # sha256crypt ($5$)

# Web / databases
-m 0 # MD5
-m 100 # SHA1
-m 1400 # SHA256
-m 1700 # SHA512
-m 400 # phpass ($P$) — WordPress, Joomla
-m 3711 # Mediawiki
-m 12 # PostgreSQL MD5

# WPA / WiFi
-m 22000 # WPA-PBKDF2-PMKID+EAPOL (newer)
-m 2500 # WPA/WPA2 (legacy)
-m 16800 # WPA-PMKID-PBKDF2

Rules

# Built-in rule files (usually in /usr/share/hashcat/rules/)
best64.rule # 64 most effective rules
d3ad0ne.rule # community rules
dive.rule # very large ruleset
rockyou-30000.rule # derived from rockyou patterns
toggles5.rule # case toggles
leetspeak.rule # l33t speak transforms

# Create custom rule
# Rules operate on password candidates
# c = capitalize first letter
# l = lowercase all
# u = uppercase all
# r = reverse
# d = duplicate (passpass)
# $ = append char (e.g., $1 appends "1")
# ^ = prepend char (e.g., ^! prepends "!")
# [ = delete first char
# ] = delete last char
# sa@ = substitute a→@ (l33t)
# so0 = substitute o→0

# Example rule file content:
cat custom.rule
c # password → Password (capitalize first letter)
c$1 # Password1
c$123 # Password123
c$! # Password!
c$2024 # Password2024

# Apply the custom rule file above to every candidate read from wordlist.txt
hashcat -a 0 -m 0 hashes.txt wordlist.txt -r custom.rule

Wordlists

# Decompress the bundled rockyou wordlist (it ships as rockyou.txt.gz; this is
# an extraction, not a download)
gzip -d /usr/share/wordlists/rockyou.txt.gz

# Best wordlist collections
# SecLists: /usr/share/seclists/Passwords/
# Kaonashi: https://github.com/kaonashi-passwords/Kaonashi (filtered rockyou)
# hk_hlm_founds: https://github.com/danielmiessler/SecLists

# CeWL — generate wordlist from target website: -d spider depth, -m minimum
# word length, -w output file; --with-numbers also keeps words containing digits
cewl https://target.com -d 2 -m 5 -w cewl.txt
cewl https://target.com -d 3 --with-numbers -w cewl_nums.txt

# Username/password combos from breach data
# dehashed.com, haveibeenpwned.com (for research)

# Mentalist (GUI wordlist generator)
# https://github.com/sc0tfree/mentalist

John the Ripper

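# Basic wordlist attack — format is guessed from the hash lines when --format is omitted
john hashes.txt --wordlist=rockyou.txt

# With format specified — names as printed by --list=formats below
john hashes.txt --format=NT --wordlist=rockyou.txt
john hashes.txt --format=sha512crypt --wordlist=rockyou.txt
john hashes.txt --format=bcrypt --wordlist=rockyou.txt

# Auto-detect format (identical to the basic form above)
john hashes.txt --wordlist=rockyou.txt

# Show cracked — prints results already recorded by earlier runs; no cracking
john hashes.txt --show

# List formats
john --list=formats
john --list=formats | grep -i ntlm

# Rules — --rules=All and --rules=Jumbo select named rule sets
john hashes.txt --wordlist=rockyou.txt --rules
john hashes.txt --wordlist=rockyou.txt --rules=All
john hashes.txt --wordlist=rockyou.txt --rules=Jumbo

# Incremental (brute force) — =Alpha / =Digits restrict the character set
john hashes.txt --incremental
john hashes.txt --incremental=Alpha
john hashes.txt --incremental=Digits

# Restore interrupted session
john --restore

# Candidates from stdin: --stdin feeds candidate *words*, not hashes, so the
# hash file is still a required argument. The original `cat hashes.txt | john
# --stdin` piped the hashes as candidates and gave john no hash file; redirect
# the candidate list (or pipe it from a generator) instead.
john --stdin --format=NT hashes.txt < candidates.txt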

John Format Examples

# The --format names below are the ones john accepts; list them with
# john --list=formats (above). Equivalent hashcat -m values are under
# "Common Hash Types".
# NTLM (hashcat -m 1000)
john ntlm.txt --format=NT --wordlist=rockyou.txt

# NetNTLMv2 (hashcat -m 5600)
john netntlmv2.txt --format=netntlmv2 --wordlist=rockyou.txt

# bcrypt (hashcat -m 3200)
john bcrypt.txt --format=bcrypt --wordlist=rockyou.txt

# Kerberoast — TGS tickets (hashcat -m 13100 / 19600 / 19700 by encryption type)
john kerberoast.txt --format=krb5tgs --wordlist=rockyou.txt

# AS-REP (hashcat -m 18200)
john asreproast.txt --format=krb5asrep --wordlist=rockyou.txt

Format Converters (john helper scripts)

# Located in /usr/share/john/ or john's run/ folder
# Each *2john helper prints a john-format line to stdout; redirect it into a
# .hash file and pass that file to john. The .hash files carry the credential
# material of the source file, so store and dispose of them as carefully as
# the originals.

# Convert SAM/SYSTEM dump to john format (argument order as shown: SYSTEM hive, then SAM)
samdump2 SYSTEM SAM > hashes.txt
john hashes.txt --format=NT --wordlist=rockyou.txt

# /etc/shadow — unshadow merges passwd and shadow into one passwd-style file;
# this needs read access to /etc/shadow, which is normally privileged
unshadow /etc/passwd /etc/shadow > shadow.txt
john shadow.txt --wordlist=rockyou.txt

# SSH private key (only a passphrase-protected key yields a hash)
ssh2john id_rsa > id_rsa.hash
john id_rsa.hash --wordlist=rockyou.txt

# Zip/7z/RAR password — one helper per archive type, same john invocation
zip2john archive.zip > zip.hash
7z2john archive.7z > 7z.hash
rar2john archive.rar > rar.hash
john zip.hash --wordlist=rockyou.txt

# Office document password
office2john document.docx > office.hash
john office.hash --wordlist=rockyou.txt

# PDF password
pdf2john document.pdf > pdf.hash
john pdf.hash --wordlist=rockyou.txt

# KeePass database
keepass2john database.kdbx > keepass.hash
john keepass.hash --wordlist=rockyou.txt

# Bitcoin wallet
bitcoin2john wallet.dat > wallet.hash
john wallet.hash --wordlist=rockyou.txt

Practical Workflows

# 1. Kerberoasting crack pipeline
# GetUserSPNs writes the requested tickets to kerberoast.txt; -m 13100 is the
# RC4 ($krb5tgs$23$) variant — AES tickets use 19600/19700, see "Common Hash
# Types". A bare "best64.rule" presumably resolves relative to the current
# directory; the full rules path is shown under "Rules".
impacket-GetUserSPNs domain.local/user:pass -dc-ip DC_IP -request -outputfile kerberoast.txt
hashcat -a 0 -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt
hashcat -a 0 -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt -r best64.rule

# 2. NTDS.dit crack (DCSync)
# secretsdump gives: user:rid:LM:NT:::
# field 4 of that layout is the NT hash; the cut drops the usernames, so a
# cracked value cannot be tied back to an account from ntlm_hashes.txt alone
cut -d: -f4 ntds.dit.output > ntlm_hashes.txt
hashcat -a 0 -m 1000 ntlm_hashes.txt rockyou.txt
hashcat -a 0 -m 1000 ntlm_hashes.txt rockyou.txt -r d3ad0ne.rule

# 3. NetNTLMv2 from Responder
hashcat -a 0 -m 5600 netntlmv2.txt rockyou.txt
hashcat -a 0 -m 5600 netntlmv2.txt rockyou.txt -r best64.rule

# 4. Linux shadow
# NOTE(review): -m 1800 expects bare $6$ hashes, one per line; the passwd-style
# user:hash:... lines that unshadow produces above are not that layout — check
# the file contents before running
hashcat -a 0 -m 1800 shadow.txt rockyou.txt # SHA-512 (sha512crypt, $6$)

# 5. WordPress — phpass ($P$, -m 400) as listed above, not raw MD5 (-m 0)
hashcat -a 0 -m 400 wordpress.txt rockyou.txt

# Performance tips
hashcat -a 0 -m 1000 hashes.txt rockyou.txt -O # optimized kernels (caps the maximum candidate length on many modes)
hashcat -a 0 -m 1000 hashes.txt rockyou.txt -w 3 # workload profile (1=low, 4=max)
hashcat --benchmark -m 1000 # test GPU speed for one hash type
