
Cracking Passwords with Hashcat Medium
This module covers the fundamentals of password cracking using the Hashcat tool.
Created by mrb3n
Co-Authors: ippsec, MinatoTW
Summary
This module introduces the fundamentals of password cracking, with a focus on using Hashcat
effectively. During security assessments, we often run into times when we need to perform offline password cracking for everything from the password hash of a password-protected document to password hashes in a database dump retrieved from a SQL Injection attack or a variety of different hash types retrieved during the course of a penetration test of an Active Directory environment. Cracking a password hash may be necessary for furthering access during an assessment or demonstrating to a client that their password policy needs to be enhanced by cracking password hashes and reporting on metrics such as password complexity and password re-use. In this module, we will cover:
- An intro to password cracking
- An overview of
Hashcat
-
Hashcat
attack types - Cracking common hashes
- Creating custom wordlists
- Using
Hashcat
rule sets - Using
Hashcat
masks
This module is broken down into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts introduced in each section. You can do this in the Pwnbox provided in the interactive sections or your own virtual machine.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
The module is classified as "Medium" but assumes a working knowledge of the Linux command line and an understanding of information security fundamentals.
A firm grasp of the following modules can be considered prerequisites for successful completion of this module:
- Introduction to Networking
- Linux Fundamentals
Sections
- Intro to Password Cracking
- Hashing vs. Encryption
- Identifying Hashes
- Hashcat Overview
- Dictionary Attack
- Combination Attack
- Mask Attack
- Hybrid Mode
- Creating Custom Wordlists
- Working with Rules
- Cracking Common Hashes
- Cracking Miscellaneous Files & Hashes
- Cracking Wireless (WPA/WPA2) Handshakes with Hashcat
- Skills Assessment - Hashcat
Relevant Paths
This module progresses you towards the following Paths

Medium 91 Sections
Cubes Required: 470
In this path, modules cover the basic tools needed to be successful in network and web application penetration testing. This is not an exhaustive listing of all tools (both open source and commercial) available to us as security practitioners but covers tried and true tools that we find ourselves using on every technical assessment that we perform. Learning how to use the basic toolset is essential, as many different tools are used in penetration testing. We need to understand which of them to use for the various situations we will come across.