I recently realized that there are very few hashcat tutorials that go beyond “here’s how to figure out your hash type” or “here is the rockyou password list & maybe one rule.” So I’m stepping away from Psudohash for just a moment (don’t worry, I’ll continue that series) to delve more deeply into how to crack difficult passwords.
Understanding the risk of weak passwords is essential to safeguarding an organization, which makes cracking weak but complex passwords an essential skill for penetration testers and security professionals. Many guides do a great job introducing dictionary attacks using password cracking tools such as hashcat or johntheripper. However, knowing where to go when those first few dictionary attacks do not work can leave you feeling exhausted.
While dictionary attacks and basic rulesets are effective for common passwords, more complex scenarios require mastering the basics and tailoring your approach to match your target.
Rockyou Didn’t Work, What Now?
1. Try Different Attack Types
There really is no alternative to learning the various attacks available in hashcat. Start by reading and understanding at least the attack modes listed in the help menu:
Don’t want to waste time? Run hashcat -a 3 -m [mode] [hash-input] before you start, and a great default attack will run while you read this article.
If you need additional resources about what each attack type is, the hashcat website is a great resource to learn about each type of attack and when you may want to use it. The summary and additional details they provide are:
-
- Dictionary attack – Trying all words in a list; also called “straight” mode (attack mode 0, -a 0)
-
- Combinator attack – Concatenating words from multiple wordlists (-a 1)
-
- Brute-force attack and Mask attack – Trying all characters from given charsets, per position (-a 3)
-
- Hybrid attack – Combining wordlists+masks (-a 6) and masks+wordlists (-a 7); can also be done with rules
-
- Association attack – Use a username, a filename, a hint, or any other pieces of information that could have had an influence in the password generation to attack one specific hash (-a 9)
Each attack type offers unique strengths, and being familiar with different attack types is essential for moving beyond the basics.
2. Optimize Hardware for Password Cracking
To maximize your password-cracking efficiency, you need to optimize your hardware. There is no alternative to a powerful GPU.
If you lack access to a modern GPU, cloud platforms like Amazon or Linode offer rental options. For budget-conscious users, services like Vast.ai provide cost-effective solutions, though I recommend sticking to their datacenter offerings for security reasons. A high-end GPU can drastically reduce cracking time from days to hours.
Once you are using at least one modern GPU, ensure you get the most out of it by using the correct flags in hashcat. You typically want to use -O the optimization flag in hashcat. Additionally, experiment with the -w 2 or -w 3 flags to increase resources available to hashcat.
3. Get a Better Wordlist
While prebuilt wordlists like rockyou.txt are a good starting point, they often lack organization-specific or complex patterns. Upgrading to more comprehensive or targeted wordlists can significantly improve your success rate.
Explore specialized wordlists such as Weakpass, which offers industry-specific and language-specific collections. Seclists, a popular GitHub repository, provides a wide range of security-related lists, including passwords and usernames. Additionally, projects like kaonashi may provide a natural step up from standard wordlists like rockyou.txt.
4. Hashcat Rules – Multiple Rules and Custom Rule Creation
Using multiple rules at the same time is a great way to add complexity to existing attacks. Hashcat will apply rule one, then apply rule two to each word in your dictionary. I would recommend using one smaller rule file and one larger rule file or two medium sized files, as it is easy to run out of memory when combining rules. However, starting is as simple as applying the -r argument twice:
hashcat -m [mode] -a 0 [hashes] [wordlist] -r [rule-file-1] -r [rule-file-2]For instance, if, during an internal network penetration test you have discovered passwords at MegaCorp frequently use Mega as a prefix, add rules to your custom rule file that account for variations of this pattern. Combine these with other rulesets to maximize your chances of success.
You may have notice that yubaba64.rule ends with appending the number 2011. We have a future blog post on this planned, but it would also be wise to add the current year to your rule file, by following the same formula: $2 $0 $2 $5.
If you do create a custom rule file, remember each file should contain a blank rule ( : ) to ensure it works when two rule files are applied simultaneously:
5. Targeted Mask Attacks
Do not let this guide be a substitute for learning how to make your own custom mask, but, in short, a mask attack allows for trying every possible combination of predefined and custom character sets.
Mask attacks are most effective when aligned with the target’s password policy and common structures. Begin by studying the target’s password requirements, such as the inclusion of uppercase letters, digits, or special characters.
Prioritize masks that reflect the target’s environment. For example, if the policy mandates 8 characters with at least one uppercase letter, one digit, and one special character, a mask like ?u?l?l?l?l?l?d?s might prove effective.
Spending an extra 10 to 20 minutes to correctly configure a mask file pays off the first time you skip a mask without any valid candidates. Consider if you were to blindly use kaonashi mask in an environment that does not require a special character. None of the first ten masks will have any potentially valid passwords:
6. Custom Wordlist Generation
Creating tailored wordlists can be a critical step in cracking passwords specific to your target environment. Tools like CeWL, which I hear Jason Taylor has a blog on coming up soon, allow you to scrape company websites for relevant keywords. Alternatively, tools like Psudohash can generate wordlists incorporating organization-specific terms and common permutations.
Incorporate OSINT (Open-Source Intelligence) such as employee names, locations, and industry jargon. Combine these with common password patterns, like adding 2024 or !@#. For example, targeting a company named TechCorp might yield wordlist entries such as TechCorp2024, Admin@TechCorp, and TechCorpNYC.
7. Stop Trying to Crack the Wrong Target
Even once you become experienced cracking passwords, it is good to cycle back through and check for obvious gotchas or items that you missed. For example, if you’ve captured an NTLM hash but are still cracking a DCC hash for the same target, switch to the NTLM hash, as it is quicker to crack. Similarly, if you’ve captured dozens of hashes but only need the domain administrator’s password, remove all other hashes to streamline your efforts.
Take the time to preprocess your data using tools like sed or awk to remove invalid candidates. For instance, if the target enforces a 12-character minimum, eliminate all masks shorter than 12 characters or ensure your rules include special characters where necessary. This may feel slow and clunky, but it often saves time in the long run.
8. Be Patient and Communicate
Literally and figuratively, cracking passwords takes time, skill, and resources. Password generators are extremely tough to beat, and even with 14×4090 RTX GPUs guessing every possible combination, it may not be feasible in the timebox of an assessment.
If, after a solid effort, it becomes apparent that it is very unlikely the password will be cracked during the assessment it is okay to ask your client if they would like to see what could happen if it were cracked. Some clients would like to know what might happen in the event the hash could be cracked in a timeframe just longer than the engagement window. Other clients may not, and that is alright as well. Communication is key for the best possible outcome.
And Finally…
Please check back for our next posts in this series and our other How To series.
