The Be Sure Blog

Code Snippets | Problem Solving | Tips & Tricks

The Be Sure Blog banner

Hashcat: Advanced password recovery

posted on 17.8.2023 by Below Surface in "Hashcat"

Note: This tool must only be used for password recovery or other good intentions.

Example 1: Cracking a MD5 password hash

Let's say we got hold of the combination:

username: admin
password hash: 2cb42f8734ea607eefed3b70af13bbd3

To crack this hash with Hashcat, we have to figure out first which hashing algorithm that is:

hashid 2cb42f8734ea607eefed3b70af13bbd3

Since this outputs many possibilities, we will go with MD5, since that is an often used algorithm. The setting for MD5 is "-a 0", check this table for other hashing types: We use the rockyou.txt word list for passwords that have been leaked and collected in this list (

hashcat -a 0 -m 0 "2cb42f8734ea607eefed3b70af13bbd3" /usr/share/wordlists/rockyou.txt

After a short while, the output should include something like this:


Status...........: Cracked

So in this case, the password is "qwerty789".

Example 2: Cracking a MD5 APR1 password hash

The credentials we got are:


You can paste the password hash into ChatGPT to get informed that this a MD5 APR1 password hash, Apache's MD5-based algorithm.

From the Hashcat wiki, we know that the hash type for this hash is 1600 (-m 1600), so the Hashcat command will be:

hashcat -m 1600 -a 0 '$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0' /usr/share/wordlists/rockyou.txt

Relevant output:


Status...........: Cracked

The password is "calculus20".

If the password was cracked once, add the

--show flag

to the Hashcat command, to show it again.

More examples to be added in the future.


password recovery
password cracking
hash cracking