# Password Cracking Modes
The hashcat and John modes you actually need for the hashes you meet on engagements, plus the convert-to-hash tools. Each command is its own copy block.
## Identify the hash first

hashid:

```
hashid '<hash>'
```

name-that-hash:

```
nth --text '<hash>'
```
## hashcat modes you reach for

| Mode | Hash |
|---|---|
| 0 | MD5 |
| 100 | SHA1 |
| 1000 | NTLM (Windows local / dumped) |
| 5600 | NetNTLMv2 (Responder capture) |
| 13100 | Kerberoast (TGS-REP, RC4) |
| 18200 | AS-REP roast |
| 1800 | sha512crypt $6$ (Linux /etc/shadow) |
| 500 | md5crypt $1$ |
| 3200 | bcrypt $2*$ |
| 13400 | KeePass |
| 22921 | RSA/OpenSSH private key |
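As an added example (not part of the original cheat sheet), a small Python triage script that maps hash lines to the modes in the table above and splits a mixed dump into one group per mode, since hashcat takes a single -m per run. The sample hashes are constructed placeholders; the format prefixes are the tags hashcat and the John convert tools use for these modes, and a bare 32-hex value is reported as both MD5 and NTLM because nothing in the string distinguishes them.

```python
import re

# Added example (not from the original cheat sheet): map hash lines to the hashcat
# modes in the table and split a mixed dump per mode (hashcat takes one -m per run).
PREFIXES = [                      # leading tag as emitted by hashcat/John tooling
    ("$6$", [1800]),              # sha512crypt (/etc/shadow)
    ("$1$", [500]),               # md5crypt
    ("$krb5tgs$23$", [13100]),    # Kerberoast, RC4 TGS-REP
    ("$krb5asrep$23$", [18200]),  # AS-REP roast
    ("$keepass$*", [13400]),      # keepass2john output
    ("$sshng$", [22921]),         # ssh2john output; the table lists the $6$ cipher id
]
BCRYPT = re.compile(r"^\$2[abxy]?\$\d\d\$")
# Responder line: USER::DOMAIN:serverchallenge(16 hex):NTProofStr(32 hex):blob
NETNTLMV2 = re.compile(r"^[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$")
RAW_HEX = re.compile(r"^[0-9a-fA-F]+$")

def identify_modes(line):
    """Candidate hashcat modes for one hash line, [] if unrecognised. A bare
    32-hex value is ambiguous (MD5 or NTLM): both come back, the dump source decides."""
    h = line.strip()
    for prefix, modes in PREFIXES:
        if h.startswith(prefix):
            return list(modes)
    if BCRYPT.match(h):
        return [3200]
    if NETNTLMV2.match(h):
        return [5600]
    if RAW_HEX.match(h):
        return {32: [0, 1000], 40: [100]}.get(len(h), [])
    return []

def split_by_mode(lines):
    """Group non-empty lines by candidate-mode tuple, one group per hashcat run."""
    groups = {}
    for line in lines:
        if line.strip():
            key = tuple(identify_modes(line)) or ("unknown",)
            groups.setdefault(key, []).append(line.strip())
    return groups

# Constructed sample dump (placeholder values, not real credentials).
SAMPLE = [
    "admin::CORP:1122334455667788:" + "ab" * 16 + ":0101000000000000aa",
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/db01*$" + "cd" * 16 + "$" + "ef" * 8,
    "$6$saltsalt$" + "Z" * 20,
    "aabbccdd" * 4,
]
```

Feed a real dump through split_by_mode and write each group to its own file; the ("unknown",) group is what hashid or nth still has to look at by hand.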
## hashcat

NetNTLMv2:

```
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
```

NTLM with a rule:

```
hashcat -m 1000 hash.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
```

Kerberoast:

```
hashcat -m 13100 hash.txt rockyou.txt
```
## John the Ripper

With a format:

```
john --format=netntlmv2 hash.txt --wordlist=rockyou.txt
```

Auto-detect:

```
john hash.txt --wordlist=rockyou.txt
```

Show cracked:

```
john --show hash.txt
```
## Convert things into crackable hashes

SSH key:

```
ssh2john id_rsa > hash
```

KeePass database:

```
keepass2john file.kdbx > hash
```

Zip:

```
zip2john file.zip > hash
```

Office document:

```
office2john file.docx > hash
```
NetNTLMv2 (5600) and Kerberoast (13100) are the two you will run most in AD. Always try best64.rule before moving on to bigger wordlists.