Identify types of password hashes and apply various techniques to efficiently determine plain text passwords.  Most passwords are stored in a hash format and the cracking tools can use brute-force or some sort of dictionary (wordlist) as input.

Key Concepts:

  1. Encoding, Encryption and Hashing:
    • Encoding – transpose data into an efficient publicly available format for processing (e.g., base64, hex, file conversions, etc.)
    • Encryption – transpose data into a format for confidentiality using secret keys that must be protected (e.g., AES, RSA, etc.)
    • Hash – one-way encryption algorithm performed on data (message) to produce a separate hash number (aka checksum) which is used to verify data integrity.
  2. Password Formats:
    • plain Text (aka cleartext) – data that is transmitted or stored unencrypted (‘in the clear’).
    • Password hash – approach for storing passwords in the format $id$salt$hash where the id is the hashing algorithm.
    • Salt – random data added to hashed data, passwords or passphrases to safeguard passwords in plain text storage.
  3. Other Related Concepts:
    • Rainbow Table –  precomputed table for reversing hash functions, usually for cracking password hashes.
    • Dictionary (Wordlist) – Large lists of commonly used words and phrases used as input into a dictionary attack.
    • Linux Passwd & Shadow Files:
      • /etc/passwd‘ – text file containing user account info, including an ‘x’ if a encrypted password is in the shadow file.
      • /etc/shadow” – is readable only by the root account and contains user name, hash ID, salt, hashed password and other info.

/etc/passwd format

Recommended CTF Password Cracking Steps:

  1. CFT PW challenges frequently involve Hash cracking using Hashcat with special wordlists, masks and/or rules applied.
  2. Read the challenge carefully for clues.
  3. Determine how and where the Password is stored.
    • The hash format is most common.
    • Linux Hash ID, Salt and Hashed Passwords are stored in the /etc/shadow file.
  4. Determine the Hash type to set the Hash mode in hashcat (e.g., SHA, MD4, MD5, etc)
  5. Identify any PW rules – that can be applied to the character set (e.g., length, alpha/numeric characters , upper/lower case, special characters, special words, etc.)
  6. Determine HashCat Attack mode:
    • Dictionary (-a 0)
    • Combination (-a 1)
    • Mask (-a 3)
    • Hybrid (-a 6 and -a 7)
  7. Identify Wordlist needed for Dictionary , Combination and Hybrid mode) e.g., rockyou.txt, etc)
  8. Store passwords in an input file (e.g., [PW_FILE]
  9. Setup and Run Hashcat (apply attack mode, hash id, input file, word list & mask)   – see examples below

Hashcat Parameter Examples

Recommended CTF Tools


  • /usr/share/dirb/wordlists
  • /usr/share/dirbuster/wordlists
  • dnsmap.txt -> /usr/share/dnsmap/wordlist_TLAs.txt
  • fasttrack.txt -> /usr/share/set/src/fasttrack/wordlist.txt
  • fern-wifi -> /usr/share/fern-wifi-cracker/extras/wordlists
  • metasploit -> /usr/share/metasploit-framework/data/wordlists
  • nmap.lst -> /usr/share/nmap/nselib/data/passwords.lst
  • sqlmap.txt -> /usr/share/sqlmap/txt/wordlist.txt
  • wfuzz -> /usr/share/wfuzz/wordlist
  • hascat ->  /usr/share/wordlists/rockyou.txt



  1. Password Cracking by Nikita Zaitsev
  2. Cracking Salted Hashes pdf –
  3. Youtube: Passwords & hash functions (Simply Explained) (7:27)
  4. Youtube:  NCL Summer Live – Cracking Password Hashes – Aug 19 2021 (01:06:27)  
  5. Youtube: Brute Force Attacks – CompTIA Network+ N10-007 – 4.4 (02:03)
  6. Why do you need to Salt and Hash passwords? by Phillip Brown
  7. Youtube:  COMPTIA SECURITY+ SY0-501 TRAINING COURSE (section 6.1 – Cryptography)
  8. Youtube: Passwords: Am i a joke to you? #JohntheRipper (44:27)
  9. Password cracking with John the Ripper on Linux
  10. Challenge Examples and Example Wordlists