Identify types of password hashes and apply various techniques to efficiently determine the plain-text passwords. Most passwords are stored in a hash format, and cracking tools take either brute force or some sort of dictionary (wordlist) as input.

Key Concepts:

  1. Encoding, Encryption and Hashing:
    • Encoding – transform data into an efficient, publicly documented format for processing (e.g., base64, hex, file conversions, etc.); it provides no secrecy.
    • Encryption – transform data into a format that protects its confidentiality, using secret keys that must be protected (e.g., AES, RSA, etc.)
    • Hash – one-way algorithm applied to data (a message) to produce a separate fixed-length value (aka checksum or digest) which is used to verify data integrity.
  2. Password Formats:
    • Plain text (aka cleartext) – data that is transmitted or stored unencrypted ('in the clear').
    • Password hash – approach for storing passwords in the format $id$salt$hash, where the id identifies the hashing algorithm.
    • Salt – random data combined with a password or passphrase before it is hashed, to safeguard the stored password hashes (see Rainbow Table below).
  3. Other Related Concepts:
    • Rainbow Table –  precomputed table for reversing hash functions, usually for cracking password hashes.
    • Dictionary (Wordlist) – Large lists of commonly used words and phrases used as input into a dictionary attack.
    • Linux Passwd & Shadow Files:
      • /etc/passwd – text file containing user account info; an 'x' in the password field means the encrypted (hashed) password is in the shadow file.
      • /etc/shadow – readable only by the root account; contains the user name, hash ID, salt, hashed password and other info.
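The $id$salt$hash layout, the shadow file and the salt/rainbow-table concepts above (and the hash-type identification in step 4 of the cracking steps) as an added worked example; this is not code from the original page. The shadow lines are constructed samples with placeholder hash fields, the hash-id table is limited to the crypt(3) ids and hashcat -m values the author of this example is sure of, and the salted-SHA-256 helper is a toy, not the real crypt algorithm.

```python
import hashlib
import os

# crypt(3) "$id$" prefixes seen in /etc/shadow, with the matching hashcat -m value.
# Assumption: only the ids the author of this example is certain of are listed.
HASH_IDS = {
    "1": ("md5crypt", 500),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
}

def parse_shadow_line(line):
    """Split one /etc/shadow line into user, hash id, salt and hash fields."""
    user, field = line.rstrip("\n").split(":")[:2]
    if not field or field[0] in "*!":
        return {"user": user, "locked": True}          # no usable hash stored
    parts = field.split("$")                           # '', id, [rounds=N], salt, hash
    if len(parts) < 4 or parts[0] != "":
        raise ValueError(f"{user}: not in $id$salt$hash layout")
    hash_id, rest = parts[1], parts[2:]
    rounds = None
    if rest[0].startswith("rounds="):                  # optional cost parameter
        rounds, rest = int(rest[0][len("rounds="):]), rest[1:]
    name, mode = HASH_IDS.get(hash_id, ("unknown", None))
    return {"user": user, "locked": False, "id": hash_id, "algorithm": name,
            "hashcat_mode": mode, "rounds": rounds, "salt": rest[0], "hash": rest[1]}

def salted_sha256(password, salt):
    """Toy salted hash, SHA-256(salt || password), to show what a salt changes."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def rainbow_lookup(digest, wordlist):
    """Precomputed unsalted table: only matches when the stored hash has no salt."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return table.get(digest)

# Constructed sample lines; the hash fields are placeholders, not real crypt output.
SAMPLE_SHADOW = [
    "root:$6$rounds=5000$Ab3dEfGh$PLACEHOLDERHASHroot:19000:0:99999:7:::",
    "alice:$1$saltsalt$PLACEHOLDERHASHalice:19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
]

if __name__ == "__main__":
    for line in SAMPLE_SHADOW:
        print(parse_shadow_line(line))
    words = ["password", "letmein", "123456"]
    print(rainbow_lookup(salted_sha256("letmein", b""), words))           # letmein
    s1, s2 = os.urandom(8), os.urandom(8)
    print(salted_sha256("letmein", s1) != salted_sha256("letmein", s2))    # True
```

Two different salts turn the same password into two different digests, so a single precomputed table cannot serve both; that is the reason the shadow file stores the salt beside the hash.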

Recommended CTF Password Cracking Steps:

  1. CTF password challenges frequently involve hash cracking using Hashcat with special wordlists, masks and/or rules applied.
  2. Read the challenge carefully for clues.
  3. Determine how and where the Password is stored.
    • The hash format is most common.
    • Linux Hash ID, Salt and Hashed Passwords are stored in the /etc/shadow file.
  4. Determine the hash type to set the hash mode in hashcat (e.g., SHA, MD4, MD5, etc.)
  5. Identify any password rules that can be applied to the character set (e.g., length, alpha/numeric characters, upper/lower case, special characters, special words, etc.)
  6. Determine HashCat Attack mode:
    • Dictionary (-a 0)
    • Combination (-a 1)
    • Mask (-a 3)
    • Hybrid (-a 6 and -a 7)
  7. Identify the wordlist needed for Dictionary, Combination and Hybrid modes (e.g., rockyou.txt, etc.)
  8. Store the password hashes in an input file (e.g., [PW_FILE])
  9. Set up and run Hashcat (apply the attack mode, hash ID, input file, wordlist and mask) – see examples below

Recommended CTF Tools
