N1NJ10

Resources

General
- Files extentions : https://fileinfo.com/filetypes/encoded
- Windows Auth serires : https://syfuhs.net/understanding-windows-auth
Rules
- JTR : https://www.openwall.com/john/doc/RULES.shtml || https://www.openwall.com/john/doc/EXAMPLES.shtml
- Hashcat : https://hashcat.net/wiki/doku.php?id=rule_based_attack
- Learing JTR rules With Examples : https://web.archive.org/web/20260102231149/https://miloserdov.org/?p=5477#511 || https://denizhalil.com/2024/11/04/custom-rules-john-the-ripper
Hashes Fromat
- hashcat : https://hashcat.net/wiki/doku.php?id=example_hashes
- JTR : https://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats

Commands

General

Check

echo -n Soccer06! | md5sum
echo -n Soccer06! | sha256sum
 
 
cat /etc/pam.d/common-password # Linux configration file

Gather

cewl https://facebook.com -d 3 -m 8 -x 10  --lowercase -w smart.wordlist

John

Extentions

unshadow /etc/passwd /etc/shadow > combined.txt
 
locate *2john*

Cracking

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt # wordlist
john hash.txt --format=crypt --single #Single (generate password list rules based on the info's on the hash )
 
john --incremental hash.txt --format=crypt # predect the human passwords 'grep Incremental modes' -A 100 /etc/john/john.conf'
 
 
john hash.txt /usr/share/wordlists/rockyou.txt  --format=ripemd-128

Rules

john --config=/usr/share/john/john.conf --rules=Toggle --wordlist=passowrds.txt --stdout

Hashcat

Cracking

hashcat -m 3000 -a 0 ntlm.hash rockyou.txt #LANMAN
hashcat -a 3 -m 0 1e293d6912d074c0fd15844d803400dd '?u?l?l?l?l?d?s' # mask attack
 
 
hashcat --help | grep sha512

Rules

ls -l /usr/share/hashcat/rules

hashcat --stdout password.txt -r Hob0Rules/d3adhob0.rule

hashcat -a 0 -m 1000 <NTLMHASHES> wordlists/rockyou.txt -r hob064.rule -o cracked.txt

hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best66.rule # rules

Services

SSH

keypairs

# John
ssh2john id_simulation > key.hash
john --wordlist=/usr/share/wordlists/rockyou.txt key.hash
 
#hashcat 
ssh2john id_simulation > key.hash
sed -i 's/^[^:]*://' key.hash
hashcat -m 5200 --force -a 0 Backup.psafe3 /usr/share/wordlists/rockyou.txt

Bitlocker

bitlocker2john -i CTF_Challenge.vhdx > back.hash
hashcat -a 0 -m 22100 '$bitlocker$0$16$07914c73176374c81c02564aff8dafd5$1048576$12$9036bb21898bdc0103000000$60$ee39c413e0d5e110c7851811acd2088db3ed64a3da85c66da1b0192b0a00bc81d30be6c5bfdeb1825835a8128a54fcc9f90eae530d24ba01f57cbc99' /usr/share/wordlists/rockyou.txt # user hash (this is for protalbe files)
 
# Getting in (vhdx)
 
file CTF_Challenge.vhdx
qemu-nbd --connect=/dev/nbd0 CTF_Challenge.vhdx # Treating as a disk 
blkid /dev/nbd0p1 # Properties of this device 
sudo hexdump -C /dev/nbd0p1 | head # Magic bytes (FVE-FS)
 
dislocker -V /dev/nbd0p1 -upassword123 -- ./bitlockermount # Generating the decryptoin file 
mount -o loop,ro bitlockermount/dislocker-file ./bitlocker # Converting it to a partition 
 
umount ./bitlocker
qemu-nbd --disconnect /dev/nbd0
 
 
# Getting in (vhd)
 
sudo losetup -fP --show Private.vhd
lsblk -f /dev/loop0 # making a loop device 
 
sudo dislocker -V /dev/loop0p1 -u'francisco' -- ./bitlockermount
sudo mount -o loop,ro ./bitlockermount/dislocker-file ./bitlocker

Sam

hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
john --format=NT hashes.txt  /usr/share/wordlists/rockyou.tx

Linux

cp /etc/passwd /tmp/passwd.bak
cp /etc/shadow /tmp/shadow.bak
 
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
 
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

Tips & Tricks

Deafult

pip3 install defaultcreds-cheat-sheet
creds search mysql

Filtration

awk 'length($0) > 8' oh.txt > popy.txt # less than 8

Tools & Sites

Leaked Check
- HaveIBeenPwned : https://haveibeenpwned.com/
- Dehashed : https://dehashed.com/
Databases
- WikiLeaks : https://www.wikileaks.org/
- ddosecrets : https://ddosecrets.com/
Search Engine
- Mega : https://meawfy.com/
Tools
- Bulk_extractor : https://github.com/simsong/bulk_extractor
- Hashcat-Gui : https://github.com/rgroesslinger/hashcat-gui
- RuleProccessor Y : https://github.com/0xVavaldi/ruleprocessorY
- Name-That-Hash : https://github.com/bee-san/Name-That-Hash/tree/main
- anarchy : https://github.com/urbanadventurer/username-anarchy
Rules
- Hob0Rules : https://github.com/praetorian-inc/Hob0Rules
- Rules-Collection : https://github.com/n0kovo/hashcat-rules-collection/tree/main
- Hashcat Rule : https://github.com/clem9669/hashcat-rule
Guide
- Awesome List : https://github.com/n0kovo/awesome-password-cracking
Cracking Sites
- ntlm.pw : https://ntlm.pw/
- dcode.fr : https://www.dcode.fr/en
- crackstation.net : https://crackstation.net/
- hashes.com : https://hashes.com/
Calculating & Identefication Sites
- CyberChef : https://gchq.github.io/CyberChef/
- nth : https://nth.skerritt.blog/
Rainbow Tables
- freerainbowtables : https://freerainbowtables.com/
Deafult Creds
- Routers : https://www.softwaretestinghelp.com/default-router-username-and-password-list/
- Cheat Sheet : https://github.com/ihebski/DefaultCreds-cheat-sheet

Dorks

Mega.nz leak on X
combolists

Notes

Attacks

This is a high-level overview of password cracking methods

flowchart TD
    root["Password Cracking Methods"] --> active["Active Calculation (CPU/GPU)"]
    root --> passive["Pre-Computed Lookup (Storage)"]

    passive --> rainbow["Rainbow Tables: Pre-computed hashes (fails on salted hashes)"]

    active --> dict["Dictionary: try words from a list (rockyou.txt)"]
    active --> combo["Combination: combine words from lists (admin + 123)"]
    active --> brute["Brute Force: try all combinations (a...zzzz)"]
    active --> mask["Mask: brute-force fixed pattern (?u?l?l?l?d?d)"]
    active --> hybrid["Hybrid: wordlist plus brute-force (password + ?d?d)"]

Cracking Types

Attack Type / Mode John the Ripper Description Hashcat Equivalent Mode Hashcat Description Key Differences / Notes
Wordlist / Dictionary Wordlist mode — Uses a dictionary or wordlist file; applies mangling rules to generate variations. Fast for common/weak passwords. Straight mode (-a 0) Uses a single dictionary/wordlist; can apply rules (-r) for mutations. Both are dictionary-based. JtR’s rules are very flexible (often more powerful out-of-the-box); Hashcat excels on GPU for speed + huge wordlists.
Single crack (user-specific) Single crack mode — Focuses on known user info (username, GECOS/full name, home dir) to generate targeted candidates + heavy mangling rules. Very fast when you have passwd/shadow-style data. No direct equivalent (closest: rules on small custom lists or association -a 9) Uses username/filename hints in some advanced setups, but not as built-in/automated. JtR’s single crack is unique and often faster for salted/hashed passwd files with user metadata. Hashcat requires manual setup for similar targeted attacks.
Incremental / Brute-force Incremental mode — Smart brute-force; systematically tries combinations using trigraph frequencies (Markov-like) for probable order, within defined keyspace/charset/length. Most thorough but slowest. Brute-force / Mask attack (-a 3) Exhaustive combinations from given charsets (?l, ?u, ?d, etc.) per position; highly optimized for GPU. JtR is “smarter” (prioritizes likely combos first); Hashcat is raw power (faster on GPU, especially for masks that reduce keyspace intelligently).
Combination (two wordlists) No direct built-in (can achieve via rules, external mode, or piping) Combination mode (-a 1) Concatenates words from two (or more) dictionaries to create passphrases. Hashcat has native, efficient support; JtR can approximate but is less straightforward.
Hybrid / Advanced variants Supported via rules on wordlist/single/incremental; can combine with external generators. Hybrid (-a 6 or -a 7) + rules Wordlist + mask (append/prepend chars like ?d?d?d) or mask + wordlist. Hashcat’s hybrid modes are more built-in and GPU-optimized; JtR relies more on rules/flexibility.

Attack Type / Mode	John the Ripper Description	Hashcat Equivalent Mode	Hashcat Description	Key Differences / Notes
Wordlist / Dictionary	Wordlist mode — Uses a dictionary or wordlist file; applies mangling rules to generate variations. Fast for common/weak passwords.	Straight mode (-a 0)	Uses a single dictionary/wordlist; can apply rules (-r) for mutations.	Both are dictionary-based. JtR’s rules are very flexible (often more powerful out-of-the-box); Hashcat excels on GPU for speed + huge wordlists.
Single crack (user-specific)	Single crack mode — Focuses on known user info (username, GECOS/full name, home dir) to generate targeted candidates + heavy mangling rules. Very fast when you have passwd/shadow-style data.	No direct equivalent (closest: rules on small custom lists or association -a 9)	Uses username/filename hints in some advanced setups, but not as built-in/automated.	JtR’s single crack is unique and often faster for salted/hashed passwd files with user metadata. Hashcat requires manual setup for similar targeted attacks.
Incremental / Brute-force	Incremental mode — Smart brute-force; systematically tries combinations using trigraph frequencies (Markov-like) for probable order, within defined keyspace/charset/length. Most thorough but slowest.	Brute-force / Mask attack (-a 3)	Exhaustive combinations from given charsets (?l, ?u, ?d, etc.) per position; highly optimized for GPU.	JtR is “smarter” (prioritizes likely combos first); Hashcat is raw power (faster on GPU, especially for masks that reduce keyspace intelligently).
Combination (two wordlists)	No direct built-in (can achieve via rules, external mode, or piping)	Combination mode (-a 1)	Concatenates words from two (or more) dictionaries to create passphrases.	Hashcat has native, efficient support; JtR can approximate but is less straightforward.
Hybrid / Advanced variants	Supported via rules on wordlist/single/incremental; can combine with external generators.	Hybrid (-a 6 or -a 7) + rules	Wordlist + mask (append/prepend chars like ?d?d?d) or mask + wordlist.	Hashcat’s hybrid modes are more built-in and GPU-optimized; JtR relies more on rules/flexibility.

JTR Rule

Rule Name Command Code Action Input Example Output Example
Reverse r Reverses the entire string. admin nimda
Duplicate d Duplicates the word. test testtest
Reflect f Appends the reversed word to the original. abc abccba
Toggle Case Tn Toggles case at position n (starts at 0). password Password (if T0)
Lowercase l Converts the entire word to lowercase. Admin admin
Uppercase u Converts the entire word to uppercase. admin ADMIN
Capitalize c Capitalizes the first letter, lowers the rest. admin Admin
Invert Cap C Lowers the first letter, capitalizes the rest. Admin aDMIN
Swap Case s Swaps the case of every character. PaSs pAsS
Append $x Adds character x to the end. pass pass1 (if $1)
Prepend ^x Adds character x to the beginning. pass !pass (if ^!)
Insert inx Inserts character x at position n. pass pa1ss (if i21)
Overstrike onx Replaces character at position n with x. pass paXs (if o2X)
Delete Char Dn Deletes the character at position n. pass pss (if D1)
Delete First [ Removes the first character. apple pple
Delete Last ] Removes the last character. apple appl
Truncate 'n Cuts the word after n characters. password pass (if '4)
Rotate Left { Rotates characters to the left. 1234 2341
Rotate Right } Rotates characters to the right. 1234 4123
Pluralize p Naively appends ‘s’ (or ‘es’ rules). car cars
Reject Length >n Rejects word if length is LESS than n. pass (Rejected if >5)
Reject Length <n Rejects word if length is GREATER than n. password (Rejected if <5)
Reject Char !x Rejects word if it contains character x. admin (Rejected if !i)
Memorize M Memorizes the current word (for variables). pass (Stored in memory)

Rule Name	Command Code	Action	Input Example	Output Example
Reverse	`r`	Reverses the entire string.	`admin`	`nimda`
Duplicate	`d`	Duplicates the word.	`test`	`testtest`
Reflect	`f`	Appends the reversed word to the original.	`abc`	`abccba`
Toggle Case	`Tn`	Toggles case at position n (starts at 0).	`password`	`Password` (if `T0`)
Lowercase	`l`	Converts the entire word to lowercase.	`Admin`	`admin`
Uppercase	`u`	Converts the entire word to uppercase.	`admin`	`ADMIN`
Capitalize	`c`	Capitalizes the first letter, lowers the rest.	`admin`	`Admin`
Invert Cap	`C`	Lowers the first letter, capitalizes the rest.	`Admin`	`aDMIN`
Swap Case	`s`	Swaps the case of every character.	`PaSs`	`pAsS`
Append	`$x`	Adds character x to the end.	`pass`	`pass1` (if `$1`)
Prepend	`^x`	Adds character x to the beginning.	`pass`	`!pass` (if `^!`)
Insert	`inx`	Inserts character x at position n.	`pass`	`pa1ss` (if `i21`)
Overstrike	`onx`	Replaces character at position n with x.	`pass`	`paXs` (if `o2X`)
Delete Char	`Dn`	Deletes the character at position n.	`pass`	`pss` (if `D1`)
Delete First	`[`	Removes the first character.	`apple`	`pple`
Delete Last	`]`	Removes the last character.	`apple`	`appl`
Truncate	`'n`	Cuts the word after n characters.	`password`	`pass` (if `'4`)
Rotate Left	`{`	Rotates characters to the left.	`1234`	`2341`
Rotate Right	`}`	Rotates characters to the right.	`1234`	`4123`
Pluralize	`p`	Naively appends ‘s’ (or ‘es’ rules).	`car`	`cars`
Reject Length	`>n`	Rejects word if length is LESS than n.	`pass`	(Rejected if `>5`)
Reject Length	`<n`	Rejects word if length is GREATER than n.	`password`	(Rejected if `<5`)
Reject Char	`!x`	Rejects word if it contains character x.	`admin`	(Rejected if `!i`)
Memorize	`M`	Memorizes the current word (for variables).	`pass`	(Stored in memory)

Tips&Tricks

If you are cracking multiple hashes for a given hash type, it may be faster to gather them into one file and crack themall at once.

Windows login

Index

Password Cracking

Resources

Commands

Tools & Sites

Dorks

Notes

Nodes

Get Updated

Graph View

Table of Contents

Backlinks