Context: Both John the Ripper and Hashcat read hashes from a file — not from the command line directly. Before cracking, you must place each hash into a text file. This activity walks through saving hashes extracted from different sources.
Key takeaway: Use > to create/overwrite a file and >> to append. Always cat the file to verify before cracking. One hash per line. Misformatted files are the #1 cause of "no hashes loaded" errors.
Activity 2: Identifying Hash Types
Context: Both tools require you to specify the hash type. If you specify the wrong type, you get zero results, so you must identify the algorithm before cracking. This activity covers visual identification, CLI tools, and online resources.
| Pattern | Likely Algorithm | John Format | Hashcat Mode |
|---|---|---|---|
| 32 hex characters | MD5 | raw-md5 | -m 0 |
| 40 hex characters | SHA-1 | raw-sha1 | -m 100 |
| 64 hex characters | SHA-256 | raw-sha256 | -m 1400 |
| Starts with $6$ | SHA-512 (Linux) | sha512crypt | -m 1800 |
| Starts with $2b$ or $2a$ | bcrypt | bcrypt | -m 3200 |
| 32 hex characters (from SAM) | NTLM | nt | -m 1000 |
Key takeaway: When in doubt, use hashid or hash-identifier to narrow down the algorithm. Always cross-reference with John's --list=formats and Hashcat's example hashes wiki page to confirm the exact format string or mode number.
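An added example (not part of the original lab): a Python check that applies the pattern table above and the one-hash-per-line rule from Activity 1 to a hash file before it is handed to John or Hashcat. The function names, the problem strings, and the exact sha512crypt and bcrypt field lengths are assumptions of this example, and the sample input is constructed.

```python
import re

# Patterns from the Activity 2 table: (regex, [(algorithm, John format, Hashcat mode)]).
# A bare 32-hex string is ambiguous (MD5 or NTLM); only the source of the hash decides.
HEX, B64 = "[0-9a-fA-F]", "[./0-9A-Za-z]"
SIGNATURES = [
    (re.compile(HEX + "{32}"), [("MD5", "raw-md5", 0), ("NTLM", "nt", 1000)]),
    (re.compile(HEX + "{40}"), [("SHA-1", "raw-sha1", 100)]),
    (re.compile(HEX + "{64}"), [("SHA-256", "raw-sha256", 1400)]),
    (re.compile(r"\$6\$(rounds=\d+\$)?" + B64 + r"{1,16}\$" + B64 + "{86}"),
     [("SHA-512 (Linux)", "sha512crypt", 1800)]),
    (re.compile(r"\$2[ab]\$\d{2}\$" + B64 + "{53}"), [("bcrypt", "bcrypt", 3200)]),
]

def classify(value):
    """Return the candidate (algorithm, john_format, hashcat_mode) tuples."""
    for pattern, candidates in SIGNATURES:
        if pattern.fullmatch(value):
            return candidates
    return []

def lint_hash_file(text):
    """Check hash-file contents; return (line_no, problem) pairs, line 0 = whole file."""
    problems, seen = [], set()
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()                      # a single trailing newline is normal
    for no, raw in enumerate(lines, 1):
        if raw.endswith("\r"):
            problems.append((no, "CRLF line ending"))
        value = raw.strip()
        if value != raw.rstrip("\r"):
            problems.append((no, "leading or trailing whitespace"))
        candidates = classify(value)
        if candidates:
            seen.add(candidates[0][2])   # keyed on the first candidate's mode
        else:
            problems.append((no, "unrecognized or mangled hash" if value else "blank line"))
    if len(seen) > 1:                    # each run takes a single format / -m mode
        problems.append((0, "mixed hash types in one file"))
    return problems

# Constructed sample: the Activity 5 hash, then what is left of it after bash
# expands the $ sequences inside double quotes (echo "$2b$12$..." > file).
SAMPLE = "$2b$12$LJ3m4ys3Lg2VBe5E4J9wYOVMknGaGOF/nZAHkm.vElRiCeFXGn2dq\nb2/nZAHkm.vElRiCeFXGn2dq\n"

if __name__ == "__main__":
    print(lint_hash_file(SAMPLE))
```

Writing crypt-style hashes with single quotes (echo '$2b$12$...' > file) avoids the shell expansion that produces the second sample line.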
Activity 3: Cracking with John the Ripper
Scenario: You extracted two NTLM hashes from a Windows SAM database during a forensic investigation. Your task: use John the Ripper with a wordlist and rules to recover the plaintext passwords. The hashes are already saved in ntlm_hashes.txt.
Key takeaway: John auto-detects many formats but specifying --format is faster and avoids misidentification. The --rules flag applies mutations (capitalize, append digits, leet-speak) to every wordlist entry, dramatically expanding coverage. Use --show to display cracked results at any time.
Activity 4: Cracking with Hashcat
Scenario: You recovered a Linux /etc/shadow file during a server compromise investigation. It contains SHA-512 password hashes. Use Hashcat's GPU acceleration to crack them. The hashes are already saved in shadow_hashes.txt.
Key takeaway: Hashcat requires the -m mode number (no auto-detect). Use -a 0 for dictionary, -a 3 for mask/brute-force. The -r flag loads rule files for mutations. Use --show after cracking to display results. SHA-512 crypt is deliberately slow — even GPU acceleration takes time on hardened hashes.
Activity 5: Full Cracking Workflow
Scenario: During a breach investigation, you recovered a database dump containing user credentials. The passwords are hashed, but you don't know the algorithm. Walk through the complete workflow: save the hash, identify it, try John for quick triage, then Hashcat for GPU power. The hash is: $2b$12$LJ3m4ys3Lg2VBe5E4J9wYOVMknGaGOF/nZAHkm.vElRiCeFXGn2dq
Important: bcrypt is deliberately slow — it is designed to resist GPU attacks. A cost factor of 12 means 2¹² = 4,096 iterations per guess. Even a high-end GPU can only test a few thousand bcrypt hashes per second, compared to billions of NTLM per second. This is why modern applications should use bcrypt, scrypt, or Argon2 instead of fast hashes like MD5 or SHA-1.