Note: This tool must only be used for password recovery or other good intentions.
Example 1: Cracking an MD5 password hash
Let's say we got hold of the combination:
username: admin password hash: 2cb42f8734ea607eefed3b70af13bbd3
To crack this hash with Hashcat, we first have to figure out which hashing algorithm produced it:
hashid 2cb42f8734ea607eefed3b70af13bbd3
Since this outputs many possibilities, we will go with MD5, since it is a commonly used algorithm. The hash mode for MD5 is "-m 0" ("-a 0" selects a straight dictionary attack); check this table for other hash types: https://hashcat.net/wiki/doku.php?id=example_hashes. We use the rockyou.txt word list, a collection of passwords that have been leaked (https://www.kaggle.com/datasets/wjburns/common-password-list-rockyoutxt).
hashcat -a 0 -m 0 "2cb42f8734ea607eefed3b70af13bbd3" /usr/share/wordlists/rockyou.txt
After a short while, the output should include something like this:
2cb42f8734ea607eefed3b70af13bbd3:qwerty789
Status...........: Cracked
So in this case, the password is "qwerty789".
Example 2: Cracking an MD5 APR1 password hash
The credentials we got are:
vdaisley:$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0
You can paste the password hash into ChatGPT to learn that this is an MD5 APR1 password hash, Apache's MD5-based algorithm. The "$apr1$" prefix is what identifies it.
From the Hashcat wiki, we know that the hash type for this hash is 1600 (-m 1600), so the Hashcat command will be:
hashcat -m 1600 -a 0 '$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0' /usr/share/wordlists/rockyou.txt
Relevant output:
$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0:calculus20
Status...........: Cracked
The password is "calculus20".
If the password was cracked once, add the --show flag to the Hashcat command to show it again.
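Both examples start by working out the hash type. The following Python sketch is an added example, not part of the original post: it shows why a bare 32-character hex digest is ambiguous while a "$apr1$" string identifies itself. The function name candidate_modes is hypothetical, and the mode numbers are the Hashcat -m values from the example_hashes table linked above.

```python
import re

# Hashcat -m values for a few common formats (from the example_hashes table).
# A bare hex digest only reveals its length, so several modes can fit.
HEX_MODES = {
    32: [(0, "MD5"), (900, "MD4"), (1000, "NTLM")],
    40: [(100, "SHA1")],
    64: [(1400, "SHA2-256")],
    128: [(1700, "SHA2-512")],
}
# Modular crypt strings name their own algorithm in the first $...$ field.
CRYPT_MODES = {
    "1": (500, "md5crypt"),
    "apr1": (1600, "Apache $apr1$ MD5"),
    "5": (7400, "sha256crypt"),
    "6": (1800, "sha512crypt"),
}

HEX_RE = re.compile(r"[0-9a-fA-F]+")
# $id$[rounds=N$]salt$digest, digest alphabet is ./0-9A-Za-z
CRYPT_RE = re.compile(
    r"\$([a-z0-9]+)\$(?:rounds=\d+\$)?([^$]{1,16})\$([./0-9A-Za-z]+)"
)


def candidate_modes(value):
    """Return [(hashcat_mode, name), ...] for a hash string, [] if unknown."""
    value = value.strip()
    # Accept a "user:hash" line such as an htpasswd entry.
    if ":" in value and not value.startswith("$"):
        value = value.split(":", 1)[1]
    match = CRYPT_RE.fullmatch(value)
    if match:
        mode = CRYPT_MODES.get(match.group(1))
        return [mode] if mode else []
    if HEX_RE.fullmatch(value):
        return list(HEX_MODES.get(len(value), []))
    return []


if __name__ == "__main__":
    # The two hashes used in the examples above.
    for sample in ("2cb42f8734ea607eefed3b70af13bbd3",
                   "vdaisley:$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0"):
        print(sample)
        for mode, name in candidate_modes(sample):
            print(f"  -m {mode}  {name}")
```

For the first hash this lists three possible modes, which is the same ambiguity hashid reports; picking MD5 is a guess that the successful crack confirms.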
More examples to be added in the future.