
# Password Cracking Cheatsheet

Straight-up cheatsheet for CTFs. Challenges often start easy and progress to harder ones, so this is a cheatsheet of the likely stages.

## Online Resources

RockYou passwords for LM, MD5, SHA1 and SHA256 hashes are most easily looked up here, so you don't have to run them through john or hashcat when the cracking has already been done for you.

## Simple Hashcat Mask

```bash
# -m 0: MD5; -a 6: hybrid attack, each wordlist entry followed by the mask
hashcat -m 0 -a 6 pass2.txt knownBeginningWord.txt "?d?d?d?d"
```
This takes the known beginning of the password and tries every candidate with 4 digits appended to it.

## Simple Wordlists

```bash
john --wordlist=pokemon.txt --format=Raw-MD5 hashes.txt
# cracked hashes are recorded in the pot file
cat ~/.john/john.pot
```

## Ophcrack 
Rainbow tables are necessary for some Windows NTLM password hashes if they aren't on the ntlm.pw website. This can require downloading the correct rainbow tables into the `/usr/share/ophcrack/table/<nameofrainbowtable>/` directory and then loading them into Ophcrack. Once done, you can load each hash individually and run the hashes against the rainbow table.

Ophcrack is preinstalled in Kali. 
Rainbow tables are downloadable from [here](https://ophcrack.sourceforge.io/tables.php)

## Custom Wordlists for MD5 Hashes
```bash
# Episode titles as the wordlist, digits appended via the mask (hybrid mode -a 6).
# Note: every '?' in a mask must be followed by a charset letter (?d, ?l, ...);
# the bare trailing '?' as written here is a mask syntax error, so complete it
# (for example "?d?d?d" for three appended digits).
hashcat -m 0 -a 6 pass6SVU.txt law-and-order-svu-episode-titles.txt "?d?d?"
```

## Specific Hash Type - PDF

When given an encrypted PDF, we need to find its password. First, run `file` to get the basic details, including the PDF version.

```bash
file encrypted.pdf
```
It returned 1.7 for the version, so now we look up which hash type that corresponds to:
```bash
hashcat --example-hashes | grep -i 'pdf 1.7' -B 8 -A 7
```
Looks like we're going with 10600 or 10700.

But we don't have the hash for the pdf yet. To retrieve that, we can use:

```bash
pdf2john encrypted.pdf > pdfhash.txt
```
This gives us our hash, though you will need to remove the filename from the beginning of the output so that the line starts with the actual hash, looking something like this:
```
$pdf$5*6*256*-1028*1*16*1dffd5f4a85d4a2a9b632fe8b2cf400d*127*aa3f91765a570bef95ca28fc879f038707f53a4c30ae3fde2ab5a516e62f269b16028aa82b4146ad88e738376693c1f800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000*127*842c2b4513ea81921e9965c51dc0c9747ce97fb9e1b576b92a899b9a8ddd8c35fe7a4ca4e85b45a484b805ad6d0b84cd00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000*32*f2f6780f8510d8d74afa92b7ceaef61049e5b1b8120fb6fcdebc4aedc7098d3b*32*42a11c5982292ed8b495dac13ea095d0067f5de287304a11ce3085c54a86b547
```
Now this saved hash can be run through hashcat:
```bash
hashcat -m 10700 pdfhash.txt rockyou.txt
```
For whatever reason, running this on macOS threw an error, but running on Kali did not. If it doesn't seem to be working, use Kali.

To view the password:

```bash
hashcat pdfhash.txt -m 10700 --show
```
The cracking can also be done through john once you have the hash (the hash will be recognized as a PDF hash, so you do not need to specify the format):
```bash
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --show hash.txt
```

## Cracking `$y$` yescrypt

Cracking yescrypt can be done from a Kali Linux box. If you're given the /etc/shadow file, save the user's entry (minus the leading `username:` field) and then run it through john like so:

```bash
john --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt yescrypthash.txt
```
The yescrypthash.txt would look something like this:
```
$y$j9T$/WzixhAsn8sdXhCquYzh01$KZlio78LilItobsx/17ecFf1e2SbsduhP1sZEWuHrL4
```
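Both the PDF and the yescrypt steps above involve hand-editing a line before feeding it to a cracker. As an added example (not part of the original cheatsheet), this small Python helper strips the `filename:` prefix from pdf2john output, picks the hashcat `-m` value from the `$pdf$V*R` fields instead of guessing between 10600 and 10700, and pulls just the `$y$` hash field for one user out of a shadow file. The sample inputs are constructed; the 10400/10500 rows in the mode table are an assumption taken from `hashcat --example-hashes`.

```python
import re

# Constructed sample inputs (hex fields shortened; not from a real target).
SAMPLE_PDF2JOHN = "encrypted.pdf:$pdf$5*6*256*-1028*1*16*1dffd5f4a85d4a2a*127*aa3f*127*842c*32*f2f6*32*42a1"
SAMPLE_SHADOW = (
    "root:*:19000:0:99999:7:::\n"
    "ctfuser:$y$j9T$/WzixhAsn8sdXhCquYzh01$KZlio78LilItobsx/17ecFf1e2SbsduhP1sZEWuHrL4:19000:0:99999:7:::\n"
)

# hashcat -m value keyed on the leading $pdf$V*R fields. 10600/10700 are the
# page's two candidates for PDF 1.7 (R=5 vs R=6); the 10400/10500 rows are an
# assumption taken from hashcat --example-hashes and should be confirmed there.
PDF_MODES = {(1, 2): 10400, (2, 3): 10500, (5, 5): 10600, (5, 6): 10700}


def strip_pdf2john_prefix(line: str) -> str:
    """pdf2john prints 'file.pdf:$pdf$...'; hashcat wants the line to start at $pdf$."""
    m = re.search(r"\$pdf\$[^:\s]+", line)
    if not m:
        raise ValueError("no $pdf$ hash found in line")
    return m.group(0)


def pdf_hashcat_mode(pdf_hash: str) -> int:
    """Read V and R from '$pdf$V*R*bits*...' and map them to a -m value."""
    m = re.match(r"\$pdf\$(\d+)\*(\d+)\*(\d+)\*", pdf_hash)
    if not m:
        raise ValueError("not a $pdf$ hash")
    key = (int(m.group(1)), int(m.group(2)))
    if key not in PDF_MODES:
        raise ValueError(f"unknown PDF V/R {key}; check hashcat --example-hashes")
    return PDF_MODES[key]


def shadow_hash_for(shadow_text: str, user: str) -> str:
    """Return only the hash field of a user's shadow line (the entry minus 'user:')."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            if not fields[1].startswith("$y$"):
                raise ValueError(f"{user} is not a yescrypt ($y$) entry")
            return fields[1]
    raise KeyError(f"{user} not present in shadow data")


if __name__ == "__main__":
    h = strip_pdf2john_prefix(SAMPLE_PDF2JOHN)
    print(h, "-> hashcat -m", pdf_hashcat_mode(h))   # -> 10700
    print(shadow_hash_for(SAMPLE_SHADOW, "ctfuser"))  # -> the $y$ line for yescrypthash.txt
```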