You've dumped some password hashes. How do you crack them?
Short answer
First identify the hash format (hashid or context), then run hashcat or John with the correct mode against a wordlist like rockyou, applying rules to mutate candidates. Use the right format flag (NTLM, sha512crypt, NetNTLMv2, etc.) so the tool hashes guesses the same way the target did.
Hashes turn up everywhere on the exam — /etc/shadow, the Windows SAM, web app databases, config files, captured NetNTLMv2 from a Responder session. Cracking them is a deterministic process, not guesswork, and the first step is the one people skip.
Identify the hash
You cannot crack what you cannot classify. Use the context (Linux $6$ prefix means sha512crypt; a 32-hex string from the SAM is likely NTLM) and tools like hashid or an online hash identifier to narrow the format. The format dictates the exact mode flag you give the cracker — get it wrong and every guess is hashed differently from the target, so nothing matches.
Pick the tool and mode
- hashcat is GPU-accelerated and fastest; you pass a numeric mode (
-m 1000NTLM,-m 1800sha512crypt,-m 5600NetNTLMv2) and an attack mode (-a 0for wordlist). - John the Ripper auto-detects many formats and is convenient on CPU-only boxes;
unshadowmerges passwd and shadow first.
Drive it with wordlists and rules
The standard dictionary attack runs rockyou.txt. Add a rule set (hashcat's best64 or John's --rules) to mutate each word — appending years, capitalising, leetspeak — which catches the overwhelming majority of human passwords without resorting to slow pure brute force.
Crack or relay?
Slow hashes (sha512crypt, bcrypt) may not crack in exam time, so weigh alternatives. A captured NetNTLMv2 hash, for instance, often pays off faster relayed to another host than cracked, since it is deliberately slow to attack offline. (For the SAM/NTLM extract-then-crack flow specifically, see extracting and cracking the NTLM with hashcat.)
What interviewers look for
The disciplined order — classify the hash, set the correct mode, then wordlist-plus-rules — and knowing when slow hashes or relaying change the plan. "I'd just decrypt it" reveals a misunderstanding of how hashes work.
Likely follow-ups
- Why must you select the correct hash mode before cracking?
- When would you crack offline versus relay a captured NetNTLMv2 hash?