HackTheBox Academy - Password Attacks

Updated 25-05-2026
#htb #hackthebox #academy #note

This module is designed to help you understand and learn the basic concepts of different password attacks.

Password Cracking Techniques

John

  • Single crack mode is a rule-based cracking technique that generates password candidates based on the victim’s username, home directory name, and GECOS values (full name, room number, phone number, etc.)
  • Wordlist mode is used to crack passwords with a dictionary attack, meaning it attempts all passwords in a supplied wordlist against the password hash
  • Incremental mode generates candidate passwords based on a statistical model (Markov chains); it is designed to test all character combinations defined by a specific character set
  • 2john tools can be used to crack files
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# single crack mode
john --single passwd

# wordlist mode
john --wordlist=<wordlist_file> <hash_file>

# incremental mode
john --incremental <hash_file>
# customize incremental mode
grep '# Incremental modes' -A 100 /etc/john/john.conf

# identify hash format
hashid -j 193069ceb0461e1d40d216e32c79c704

# --format to set format of target hash
john --format=afs [...] <hash_file>

# cracking files using 2john tools
<tool> <file_to_crack> > file.hash
pdf2john
ssh2john

# see all 2john tools
locate *2john*

Hashcat

  • hashcat website hosts a comprehensive list of example hashes
  •  hashID can be used to quickly identify the hashcat hash type
  • Hashcat has many different attack mode, including dictionarymaskcombinator, and association
    • Dictionary attack (-a 0) is where user provides password hashes and a wordlist as input, and Hashcat tests each word in the list as a potential password
    • Mask attack (-a 3) is a type of brute-force attack in which the keyspace is explicitly defined by the user
  • if wordlist alone is not enough to crack a password hash, we can use rules; rules files can be found at /usr/share/hashcat/rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
hashcat -a 0 -m 0 <hashes> [wordlist, rule, mask, ...]

# hash types
hashcat --help

# identify hash type using hashid
hashid -m '$1$FNr44XZC$wQxY6HHLrgrGX0e1195k.1'

# dictionary attack
hashcat -a 0 -m 0 e3e3ec5831ad5e7288241960e5d4fdb8 /usr/share/wordlists/rockyou.txt

# dictionary attack with rules
hashcat -a 0 -m 0 1b0556a75770563578569ae21392630c /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# mask attack password which starts with an uppercase letter, continue with four lowercase letters, a digit, and then a symbol
hashcat -a 3 -m 0 1e293d6912d074c0fd15844d803400dd '?u?l?l?l?l?d?s'

Writing Custom Wordlists and Rules

  • We can use Hashcat to combine lists of potential names and labels with specific mutation rules to create custom wordlists how a given word should be transformed
  • Each rule is written on a new line and determines
  • Function Description
    : Do nothing
    l Lowercase all letters
    u Uppercase all letters
    c Capitalize the first letter and lowercase others
    sXY Replace all instances of X with Y
    $! Add the exclamation character at the end 
1
2
3
4
5
6
# apply rule in each word of password.list to create a password a new password list using the fule
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list

# mutation after applying rules
cat mut_password.list 
password Password passw0rd Passw0rd p@ssword P@ssword P@ssw0rd password! Password! passw0rd! p@ssword! Passw0rd! P@ssword! p@ssw0rd! P@ssw0rd!

Generating wordlists using CeWL

  •  CeWL can be used to scan potential words from a company’s website and save them in a separate list
  • We can also combine this list with the desired rules to create a customized password list
1
cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist

Exercise

  • add relevant OSNIT about Mark White to file
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ echo '''mark
white
august
5
1998
nexura
ltd
san
francisco
ca
usa
bella
maria
alex
baseball
''' > mark.wordlist
  • create custom rule
1
2
3
4
5
6
7
8
9
10
11
12
13
$ echo ':                                                 
c so0 
c so0 sa@ 
c sa@ 
c sa@ so0 
$! 
$! c 
$! so0 
$! sa@ 
$! c so0 
$! c sa@ 
$! so0 sa@ 
$! c so0 sa@' > custom.rule
  • create two-word combinations of every word the list with the same list
1
$ hashcat --stdout -a 1 mark.wordlist mark.wordlist > mark_combined.wordlist
  • create a password wordlist that’s atleast 12 characters long
1
$ awk 'length($0) >= 12' mark_combined.wordlist > mark_12wordlist
  • crack password
1
2
3
4
5
6
7
8
# crack password using the rule directly with -r flag
$ hashcat -a 0 -m 0 97268a8ae45ac7d15c3cea4ce6ea550b mark_12wordlist -r custom.rule


# or apply the rule to password list to create a new password list
$ hashcat --force mark_12wordlist -r custom.rule --stdout | sort -u > mut_password.list

$ hashcat -a 0 -m 0 97268a8ae45ac7d15c3cea4ce6ea550b mut_password.list