password::cracking cheatsheet

tool hashcat · john wordlists · rules
01 Strategy First
Correct order
1. identify hash type correctly
2. use fastest targeted attack first
3. reuse cracked passwords to build better candidates
4. save potfiles / restore points
5. only brute-force when masks are justified

Bad workflow:
- giant brute force with no model
- random monster wordlists first
Attack ladder
Hashcat
straight → rules → combinator → hybrid → mask

John
single → wordlist+rules → incremental

Use masks when:
- structure is known
- policy is constrained
- previous cracks reveal a pattern
Identify correctly
hashid hash.txt
hashcat --example-hashes
john --list=formats | head

Never rely on length alone when formats collide.
02 Hashcat Deep Dive
Core attack modes
-a 0  straight / dictionary
-a 1  combinator
-a 3  mask / brute force
-a 6  wordlist + mask
-a 7  mask + wordlist
-r    rules
--increment  variable-length masks
High-value examples
hashcat -m 1000 -a 0 hashes rockyou.txt
hashcat -m 1000 -a 0 hashes rockyou.txt -r rules/best64.rule
hashcat -m 1000 -a 3 hashes '?u?l?l?l?l?d?d'
hashcat -m 1000 -a 6 hashes words.txt '?d?d'
hashcat -m 1000 -a 7 hashes '?u?l?l?l' words.txt
Custom charsets / masks
# quote masks and charsets so the shell does not glob ? or expand !
-1 '?l?d'
-2 '_-!@'
hashcat -a 3 hashes -1 '?l?d' '?1?1?1?1?1?1'

Model from policy:
first upper + 5 lowers + 2 digits
→ ?u?l?l?l?l?l?d?d
03 John the Ripper Deep Dive
Best modes
john hashes.txt
john --single hashes.txt
john --wordlist=rockyou.txt --rules hashes.txt
john --incremental hashes.txt
john --show hashes.txt
Format helpers
zip2john file.zip > hash.txt
rar2john file.rar > hash.txt
7z2john.pl file.7z > hash.txt
ssh2john.py id_rsa > hash.txt
pdf2john.pl file.pdf > hash.txt
office2john.py doc.docx > hash.txt
When John shines
- easy helper tools for containers/files
- single mode using account metadata
- CPU-friendly workflows
- weird or older formats
- quick exploratory cracking
04 Specific Wordlists and Candidate Generation
Target-driven lists
cewl   # scrape website words
CUPP   # person/company-oriented lists

Use:
- company names
- product names
- seasons / years
- slogans
- staff naming patterns
- leaked internal vocabulary
Pattern-driven tools
PACK             # analyze cracked passwords, generate masks/rules
maskprocessor    # fast mask word generation
princeprocessor  # word chaining / passphrase candidates
crunch           # exhaustive lists when search space is narrow
Mutation helpers
best64.rule
dive.rule
OneRuleToRuleThemAll
Pantagrule   # larger, breach-derived rule sets

Start small and smart before huge rule explosions.
05 Practical Recipes
Corporate target
cewl https://target.example -d 2 -m 5 -w site.txt
cat site.txt years.txt seasons.txt company.txt | sort -u > base.txt
hashcat -a 0 hashes base.txt -r rules/best64.rule
Known structure
Password policy:
- 8 chars
- first upper
- last 2 digits

hashcat -a 3 hashes '?u?l?l?l?l?l?d?d'
Reuse cracked output
john --show hashes.txt
hashcat --show hashes.txt

Then:
- study recurring masks
- feed to PACK
- derive focused masks
- rerun targeted attacks
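
Added example (not part of the original cheatsheet, and not PACK's code): for a password-audit report, it reduces recovered passwords to their mask structure as in "study recurring masks" and computes the keyspace of a policy mask as in "Model from policy", showing how small a policy-shaped search space is. The function names and the SAMPLE list are hypothetical and constructed for illustration.

```python
import math
import string
from collections import Counter

# hashcat's built-in mask charsets; ?a is the union of ?l ?u ?d ?s (95 chars).
BUILTIN = {"l": set(string.ascii_lowercase), "u": set(string.ascii_uppercase),
           "d": set(string.digits), "s": set(" " + string.punctuation),
           "b": set(map(chr, range(256)))}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]

def positions(mask, custom=None):
    """Yield the set of candidate characters for each position of a mask."""
    custom, i = custom or {}, 0
    while i < len(mask):
        key = mask[i + 1] if mask[i] == "?" and i + 1 < len(mask) else None
        if key in BUILTIN:
            yield BUILTIN[key]
        elif key in custom:  # -1..-4 charsets are themselves written in mask syntax
            yield set().union(*positions(custom[key]))
        elif key == "?":     # ?? is a literal question mark
            yield {"?"}
        elif key is not None:
            raise ValueError(f"unknown placeholder ?{key}")
        else:
            yield {mask[i]}  # literal character
        i += 2 if key is not None else 1

def keyspace(mask, custom=None):
    """Number of candidates a mask generates: product of per-position sizes."""
    return math.prod(len(cs) for cs in positions(mask, custom))

def mask_of(password):
    """Structure of one password, byte by byte (non-ASCII bytes become ?b)."""
    classes = [(k, BUILTIN[k]) for k in "luds"]
    return "".join(
        "?" + next((k for k, cs in classes if chr(b) in cs), "b")
        for b in password.encode("utf-8"))

def structure_report(passwords):
    """(mask, count, keyspace) per structure, most common first."""
    counts = Counter(mask_of(p) for p in passwords)
    return [(m, n, keyspace(m)) for m, n in counts.most_common()]

# Constructed sample standing in for recovered audit passwords (not real data).
SAMPLE = ["Summer24", "Winter23", "Acmeco19", "acme2024!", "Password1"]

if __name__ == "__main__":
    for mask, n, size in structure_report(SAMPLE):
        print(f"{n:>3}  {mask:<22} {size:,}")
```

Comparing `keyspace('?u?l?l?l?l?l?d?d')` with `keyspace('?a' * 8)` puts a number on how much a predictable structure shrinks an 8-character password space.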