Password Cracking

Sep 18, 2025

TODAY’S TOPIC — PASSWORD CRACKING!

What is a hash?

  • Deterministic function: same input → same output every time.
  • One-way: designed to make inversion computationally difficult (but not impossible for weak hashes or weak passwords).

What is a salt?

  • Random data unique to each password, combined with the password before hashing.
  • Prevents attackers from using precomputed lookup tables or quickly identifying repeated passwords across accounts.
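Added worked example (not code from the talk) showing both properties above. Unsalted MD5 lets an attacker crack every account with a single precomputed lookup table and spot accounts that share a password without cracking anything; a per-user salt makes the table worthless and forces one fresh hash computation per (salt, candidate) pair. The accounts and the wordlist are constructed for the example, and MD5 is used only because it is the fast, unsalted case these notes discuss.

```python
from __future__ import annotations

import hashlib
import os

# Constructed sample accounts, two of which share a password (example data, not from the talk).
ACCOUNTS = {"alice": "Summer2024", "bob": "Summer2024", "carol": "correct horse"}

# Tiny constructed "leak" wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "Summer2024", "letmein"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def store_unsalted(password: str) -> str:
    """Legacy storage: hash(password) with no salt. Deterministic, so identical
    passwords produce identical hashes across accounts."""
    return md5_hex(password.encode())


def store_salted(password: str, salt: bytes | None = None) -> tuple[str, str]:
    """Per-password random salt prepended before hashing. Returns (salt_hex, hash_hex);
    the salt is stored next to the hash, it is not a secret."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex(), md5_hex(salt + password.encode())


def build_lookup_table(words) -> dict[str, str]:
    """Precomputed table hash -> plaintext (a rainbow table's simple cousin).
    Computed once, reused against every unsalted hash ever seen."""
    return {store_unsalted(w): w for w in words}


def crack_unsalted(hashes: dict[str, str], table: dict[str, str]) -> dict[str, str]:
    """One dictionary lookup per account; no hashing at attack time."""
    return {user: table[h] for user, h in hashes.items() if h in table}


def duplicate_passwords(hashes: dict[str, str]) -> list[list[str]]:
    """Unsalted hashes leak which accounts share a password, even before any are cracked."""
    groups: dict[str, list[str]] = {}
    for user, h in hashes.items():
        groups.setdefault(h, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


def crack_salted(records: dict[str, tuple[str, str]], words) -> tuple[dict[str, str], int]:
    """With salts the table is useless: every (salt, word) pair has to be hashed afresh.
    Returns (cracked passwords, number of hash computations spent)."""
    cracked, work = {}, 0
    for user, (salt_hex, target) in records.items():
        salt = bytes.fromhex(salt_hex)
        for w in words:
            work += 1
            if md5_hex(salt + w.encode()) == target:
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    unsalted = {u: store_unsalted(p) for u, p in ACCOUNTS.items()}
    table = build_lookup_table(WORDLIST)
    print("unsalted, via table:", crack_unsalted(unsalted, table))
    print("accounts sharing a password:", duplicate_passwords(unsalted))
    salted = {u: store_salted(p) for u, p in ACCOUNTS.items()}
    print("salted, via recomputation:", crack_salted(salted, WORDLIST))
```

The salt does not need to be secret, only unique per password: a table built against one salt is useless against the next, so the attacker is pushed back to hashing every candidate for every account.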

Common hash types mentioned

  • MD5, SHA-1, NTLM: older, unsalted, general-purpose hashes that are cheap to compute (NTLM is MD4 over the UTF-16LE password), so a GPU can test billions of candidates per second. Useful for learning/CTFs, but not recommended for storing passwords in other contexts.

Rulefiles

  • Rulefiles define transformations applied to dictionary candidates (e.g., append numbers, replace letters).
  • Wordlist size and rulefile size trade off: a very large wordlist with a small rulefile, or a small wordlist with a large rulefile, can cover a similar space. You usually want a happy medium chosen for the target.
  • Performance: candidates = wordlist_size × rule_count, so run time scales linearly with the number of rules (for a fast hash, doubling the rules roughly doubles the run).

Wordlists

  • Collections of candidate passwords aggregated from leaks/breaches (e.g., rockyou.txt). Useful for detecting weak or commonly-used passwords.

Piping / streaming

  • Advanced workflows use stdin/stdout piping to stream candidates into Hashcat, e.g. hashcat --stdout rockyou.txt -r best64.rule | hashcat -m 0 -a 0 hashes.txt (with no wordlist argument, -a 0 reads candidates from stdin). Caveat: every candidate then crosses the pipe one at a time, which is far slower than letting Hashcat apply the rules on the GPU itself; use it when the generator is something Hashcat cannot do natively.

Attack modes (Hashcat)

  • -a flag selects attack mode: 0 = straight/dictionary, 1 = combinator, 3 = brute-force/mask, 6 = hybrid wordlist + mask, 7 = hybrid mask + wordlist.
  • Most common: dictionary attack + rulefile applied.

Performance / Exhaustion

  • Time ≈ wordlist_size × rule_count × cost_of_hash_algorithm (very simplified).
  • Status: Exhausted in Hashcat means the entire space defined by the wordlist + rulefile has been tested. It does not mean the remaining hashes are uncrackable, only that they are not reachable from that wordlist with those rules; the next step is a different wordlist, more rules, or another attack mode.
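Added worked example (not code from the talk or from the Hashcat project) that ties the Rulefiles, Attack modes and Performance/Exhaustion notes together: a small interpreter for a subset of Hashcat's rule syntax, a dictionary + rules attack over the resulting keyspace, and the Exhausted status once every word × rule combination has been tried. The wordlist, rule lines and target plaintexts are constructed for the example; the rules are written in Hashcat rule syntax in the style of best64 but are not a copy of it, and only MD5 (-m 0) and SHA-1 (-m 100) are wired in.

```python
from __future__ import annotations
import hashlib

# Constructed wordlist standing in for rockyou.txt (example data, not from the talk).
WORDLIST = ["password", "summer", "letmein", "dragon", "qwerty"]

# Constructed rule lines in Hashcat rule syntax (best64-style, not a copy of best64).
RULES = [
    ":",              # no-op: try the word unchanged
    "l",              # lowercase
    "u",              # uppercase
    "c",              # capitalize first letter, lowercase the rest
    "r",              # reverse
    "d",              # duplicate
    "$1 $2 $3",       # append '123'
    "c $1 $2 $3",     # Capitalize and append '123'
    "^!",             # prepend '!'
    "sa@ so0",        # replace all 'a' with '@', then all 'o' with '0'
    "c $2 $0 $2 $4",  # Capitalize and append '2024'
]

# Functions without arguments, and the argument count of $X (append), ^X (prepend), sXY (replace).
SINGLE = {
    ":": lambda w: w,
    "l": str.lower,
    "u": str.upper,
    "c": lambda w: w[:1].upper() + w[1:].lower(),
    "r": lambda w: w[::-1],
    "d": lambda w: w * 2,
}
ARGC = {"$": 1, "^": 1, "s": 2}


def parse_rule(rule: str) -> list[tuple[str, str]]:
    """Split a rule line into (function, args) pairs. Whitespace between functions is
    skipped, but argument characters are literal, so '$ ' still appends a space."""
    ops, i = [], 0
    while i < len(rule):
        fn = rule[i]
        if fn.isspace():
            i += 1
            continue
        if fn not in SINGLE and fn not in ARGC:
            raise ValueError(f"unsupported rule function {fn!r} in {rule!r}")
        n = ARGC.get(fn, 0)
        args = rule[i + 1 : i + 1 + n]
        if len(args) != n:
            raise ValueError(f"missing argument for {fn!r} in {rule!r}")
        ops.append((fn, args))
        i += 1 + n
    return ops


def apply_rule(rule: str, word: str) -> str:
    """Apply one rule line to one dictionary word, functions left to right."""
    for fn, args in parse_rule(rule):
        if fn in SINGLE:
            word = SINGLE[fn](word)
        elif fn == "$":
            word += args
        elif fn == "^":
            word = args + word
        else:  # "s": replace every occurrence of args[0] with args[1]
            word = word.replace(args[0], args[1])
    return word


def candidates(words, rules):
    """The full keyspace of a dictionary + rules attack: len(words) * len(rules) candidates."""
    for w in words:
        for r in rules:
            yield apply_rule(r, w)


HASH_MODES = {0: hashlib.md5, 100: hashlib.sha1}  # Hashcat -m numbers for MD5 and SHA-1


def hash_hex(text: str, mode: int = 0) -> str:
    return HASH_MODES[mode](text.encode()).hexdigest()


def crack(targets: set[str], words, rules, mode: int = 0) -> tuple[dict[str, str], str, int]:
    """Dictionary + rules attack (Hashcat -a 0 with -r) against a set of hex digests.
    Returns (cracked digest -> plaintext, status, candidates tested). 'Exhausted' means the
    whole keyspace was tested; the rest are unreachable from these words and rules, not uncrackable."""
    remaining, found, tested = set(targets), {}, 0
    for cand in candidates(words, rules):
        tested += 1
        digest = hash_hex(cand, mode)
        if digest in remaining:
            found[digest] = cand
            remaining.remove(digest)
            if not remaining:
                return found, "Cracked", tested
    return found, "Exhausted", tested


def run_demo() -> tuple[dict[str, str], str, int]:
    """Constructed targets, hashed here from known plaintexts so the run is self-checking.
    Four are reachable from WORDLIST + RULES; the passphrase is not, so the run exhausts."""
    plaintexts = ["Password123", "p@ssw0rd", "nogard", "Summer2024", "correct horse battery"]
    return crack({hash_hex(p) for p in plaintexts}, WORDLIST, RULES)


if __name__ == "__main__":
    print(run_demo())
```

The equivalent Hashcat run is hashcat -m 0 -a 0 hashes.txt rockyou.txt -r rules/best64.rule; Hashcat applies the rules on the GPU, and its Status line reads Exhausted as soon as the last word × rule combination has been tested without every hash falling.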

Demo (notes)

  • Wordlist used: rockyou.txt (common demonstration dataset).
  • Rulefile used: best64 (simple, commonly-used rulefile).
  • Approach shown: dictionary (rockyou) + best64 rules. The same tradeoff applies: a very large wordlist with a small rulefile, or a small wordlist with a large rulefile; aim for a middle ground based on the target and the time available.

tldr

  • Hashes are deterministic cryptographic functions that map an input (password) to a fixed-size output. They don't store the plaintext, and they are designed to be one-way.
  • Good cryptographic hash functions are collision-resistant: finding two different inputs that produce the same output is infeasible.
  • Salt = a per-password random value appended or prepended to the password before hashing. Salts prevent effective use of precomputed tables (rainbow tables) and make identical passwords produce different hashes.
  • Old hash algorithms (e.g., MD5, SHA-1, NTLM) are fast and unsalted, so they are quick to crack; they are commonly seen in CTFs or legacy contexts.
  • Modern password hashing schemes (e.g., bcrypt, scrypt, Argon2) are salted and deliberately slow or memory-hard, so each guess costs orders of magnitude more and the same wordlist + rules run takes far longer.
  • Hashcat basics: use -a to set the attack mode, most often dictionary + rulefile (-a 0 with -r). Performance scales with wordlist size × rule count × hash cost.