February 08, 2026 (10 min read)

MD5, SHA1, SHA256 Hash Cracking: Complete Guide for Pentesters

Everything you need to know about cracking password hashes in 2026. From understanding hash algorithms to choosing the right cracking method, this guide covers MD5, SHA1, SHA256, and beyond for penetration testers and security researchers.


Hash cracking is a fundamental skill for penetration testers. Whether you've extracted password hashes from a compromised database, captured NTLM hashes during a network assessment, or recovered hashed credentials from configuration files, knowing how to efficiently recover the plaintext passwords is essential for demonstrating impact and continuing your assessment.

Understanding Password Hashing

Before diving into cracking techniques, let's understand why passwords are hashed in the first place. When you create an account on a website, your password shouldn't be stored in plaintext. Instead, it's run through a cryptographic hash function that produces a fixed-length string of characters.

Hash functions are designed to be one-way: easy to compute in one direction but computationally infeasible to reverse. When you log in, the system hashes your input and compares it to the stored hash — it never needs to know your actual password.

Key Properties of Hash Functions
  • Deterministic - Same input always produces the same output
  • Fixed output length - Regardless of input size, output is always the same length
  • Avalanche effect - Small input changes produce drastically different outputs
  • Pre-image resistance - Given a hash, it should be infeasible to find the original input
  • Collision resistance - It should be infeasible to find two inputs with the same hash
Common Hash Types Explained

Different systems use different hashing algorithms. Recognizing the hash type is the first step in any cracking attempt. Here are the most common ones you'll encounter during penetration tests.

MD5 (Message Digest 5)

MD5 produces a 128-bit (32 character hex) hash. Despite being cryptographically broken, it's still widely used in legacy systems.

  • Length: 32 hexadecimal characters
  • Example: 5f4dcc3b5aa765d61d8327deb882cf99
  • Status: Cryptographically broken, fast to crack
SHA1 (Secure Hash Algorithm 1)

SHA1 produces a 160-bit (40 character hex) hash. Also considered insecure for cryptographic purposes but still found in many applications.

  • Length: 40 hexadecimal characters
  • Example: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
  • Status: Deprecated, collisions demonstrated
SHA256 (SHA-2 Family)

SHA256 produces a 256-bit (64 character hex) hash. Part of the SHA-2 family, it's currently considered secure and widely adopted.

  • Length: 64 hexadecimal characters
  • Example: 5e884898da28047d9165...a1b4c8fcbd
  • Status: Currently secure, slower to crack
SHA384 & SHA512

Larger variants of SHA-2 with 384-bit (96 char) and 512-bit (128 char) outputs respectively. More secure but also more computationally intensive.

MySQL Hashes

MySQL uses its own hash formats for password storage.

  • MySQL3: 16 character hash (old, very weak)
  • MySQL5: 40 character hash starting with * (e.g., *2470C0C06DEE42FD1618BB...)
bcrypt, scrypt, and Argon2

Modern password hashing algorithms designed specifically for password storage. They include built-in salting and are intentionally slow to resist brute-force attacks.

  • bcrypt: Starts with $2a$, $2b$, or $2y$
  • Argon2: Winner of the Password Hashing Competition, starts with $argon2
How to Identify Hash Types

Identifying the hash type is crucial before attempting to crack it. Here are the key indicators to look for.

By Length
  • 16 chars — MySQL3, Half MD5
  • 32 chars — MD5, NTLM, MD4
  • 40 chars — SHA1, MySQL5 (40 hex chars after the leading *)
  • 64 chars — SHA256, SHA3-256
  • 96 chars — SHA384
  • 128 chars — SHA512, Whirlpool
By Prefix
  • $1$ - MD5 (Unix crypt)
  • $2a$, $2b$, $2y$ - bcrypt
  • $5$ - SHA256 (Unix crypt)
  • $6$ - SHA512 (Unix crypt)
  • * - MySQL5
  • $argon2i$, $argon2id$ - Argon2
Online Hash Identifiers

When in doubt, use hash identification tools. Tools like hashid, hash-identifier, or online services can analyze a hash and suggest possible algorithms.
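As an added example (not the page's own code and not the output of hashid or hash-identifier), the length and prefix rules above as a small identifier; it checks prefixes first because they are a stronger signal than length, and for bare hex digests returns every algorithm of that length, since length alone cannot tell MD5 from NTLM.

```python
import re

# Prefix rules from the "By Prefix" list; checked before length because a
# crypt-style prefix identifies the scheme regardless of total length.
PREFIX_RULES = [
    ("$argon2", "Argon2"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$1$", "MD5 (Unix crypt)"),
    ("$5$", "SHA256 (Unix crypt)"),
    ("$6$", "SHA512 (Unix crypt)"),
]

# Length rules from the "By Length" list: every candidate is returned.
LENGTH_RULES = {
    16: ["MySQL3", "Half MD5"],
    32: ["MD5", "NTLM", "MD4"],
    40: ["SHA1"],
    64: ["SHA256", "SHA3-256"],
    96: ["SHA384"],
    128: ["SHA512", "Whirlpool"],
}

HEX_RE = re.compile(r"[0-9a-fA-F]+")


def identify_hash(h: str) -> list:
    """Return candidate algorithm names for one hash string, or [] if unknown."""
    h = h.strip()
    for prefix, name in PREFIX_RULES:
        if h.startswith(prefix):
            return [name]
    # MySQL5: a '*' followed by exactly 40 hex characters.
    if h.startswith("*") and len(h) == 41 and HEX_RE.fullmatch(h[1:]):
        return ["MySQL5"]
    if HEX_RE.fullmatch(h):
        return list(LENGTH_RULES.get(len(h), []))
    return []


if __name__ == "__main__":
    # Constructed sample inputs; the first two are the page's MD5/SHA1 examples.
    for sample in ["5f4dcc3b5aa765d61d8327deb882cf99",
                   "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
                   "*" + "A" * 40, "$2y$10$placeholder"]:
        print(sample, "->", identify_hash(sample))
```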

Hash Cracking Methods Compared

There are several approaches to recovering plaintext from hashes. Each has its strengths and ideal use cases.

1. Dictionary Attacks

The most common approach. You hash each word in a wordlist and compare it to your target hash. Effective against weak passwords.

  • Pros: Fast, effective against common passwords
  • Cons: Only works if password is in the wordlist
  • Best for: Common passwords, leaked password lists
2. Brute Force

Systematically try every possible combination of characters. Guaranteed to find the password eventually, but can take impossibly long for complex passwords.

  • Pros: Will find any password given enough time
  • Cons: Extremely slow for long/complex passwords
  • Best for: Short passwords, known character sets
3. Rainbow Tables

Pre-computed tables of hash-to-plaintext mappings. Trade storage space for computation time. Extremely fast lookups but require massive storage.

  • Pros: Very fast lookups, no computation needed
  • Cons: Huge storage requirements, defeated by salting
  • Best for: Unsalted hashes, legacy systems
4. Rule-Based Attacks

Apply transformation rules to dictionary words (e.g., capitalize first letter, add numbers, substitute characters). Dramatically expands coverage.

  • Pros: Catches common password patterns (Password1!, p@ssw0rd)
  • Cons: Slower than pure dictionary attacks
  • Best for: Corporate environments, policy-compliant passwords
5. Online Dehash Services

Services that maintain massive databases of pre-cracked hashes. Simply submit your hash and get the plaintext instantly if it exists in their database.

  • Pros: Instant results, no hardware needed, billions of hashes
  • Cons: Only works for previously cracked passwords
  • Best for: First-pass cracking, common passwords, bulk hash lists
Tools Overview: The Big Three

Let's compare the most popular tools for password hash cracking.

Hashcat

The world's fastest password recovery tool. Uses GPU acceleration to achieve incredible speeds. Supports 300+ hash types.

  • Speed: Billions of hashes/second with modern GPUs
  • Requirements: Powerful GPU (NVIDIA/AMD), significant power consumption
  • Learning curve: Moderate to steep
  • Cost: Free software, but requires expensive hardware
John the Ripper

Classic password cracker with excellent format detection. CPU-based by default but supports OpenCL GPU acceleration.

  • Speed: Slower than Hashcat on GPUs, competitive on CPUs
  • Requirements: Runs on any hardware
  • Learning curve: Moderate
  • Best feature: Automatic hash type detection
Online Dehashers (HPlus, etc.)

Cloud-based services with massive pre-computed databases. No hardware required, instant results for known hashes.

  • Speed: Instant lookup (milliseconds)
  • Requirements: Internet connection only
  • Learning curve: None
  • Best feature: Billions of pre-cracked hashes available instantly
Speed Comparison: GPU vs Database Lookup

Let's put the performance differences in perspective with real-world scenarios.

Scenario: Cracking 10,000 MD5 Hashes
  • Hashcat (RTX 4090): Hours to days, 60-80% success rate
  • John the Ripper (CPU): Days to weeks, 50-70% success rate
  • Rainbow Tables: Minutes, 40-60% success rate
  • Online Dehasher (HPlus): 2 seconds, 70-85% success rate

Success rate depends on password complexity. Common passwords have higher rates.

The key insight: always start with a database lookup. If the password has ever been cracked before and added to a dehasher's database, you get instant results. Only fall back to GPU cracking for unique, never-before-seen hashes.

The Optimal Cracking Workflow

Professional pentesters follow a systematic approach to maximize success while minimizing time spent.

Step 1: Identify Hash Types

Sort your hashes by type. Different algorithms require different approaches and have different success rates.

Step 2: Online Lookup First

Submit all hashes to an online dehasher like HPlus. This takes seconds and will crack 70-85% of common passwords instantly. Why spend GPU hours on passwords that are already in a database?

Step 3: Dictionary Attack on Remaining

For hashes not found in step 2, run dictionary attacks with common wordlists (rockyou.txt, SecLists, etc.) and basic rules.

Step 4: Targeted Rule Attacks

Apply organization-specific rules based on password policies. If the target requires "8+ characters with uppercase and number," create rules targeting that pattern.

Step 5: Brute Force (If Justified)

Only brute force when you know the password is short or you've identified the character set. Full brute force of long passwords isn't practical.
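The dictionary and rule-based methods compared earlier, and steps 3 and 4 of this workflow, as one added example (not the page's code, and not hashcat or John rule syntax): a few hand-written mangling rules expand a constructed four-word wordlist, and an unsalted dump is audited against the result; the constructed wordlist stands in for rockyou.txt, and the rules imitate the policy-compliant patterns the page names.

```python
import hashlib

# Constructed mini wordlist standing in for rockyou.txt or a SecLists file.
WORDLIST = ["password", "summer", "welcome", "letmein"]

# A handful of mangling rules of the kind hashcat/John rule files apply;
# each rule turns one base word into one candidate.
LEET = str.maketrans({"a": "@", "e": "3", "o": "0", "s": "$"})
RULES = [
    lambda w: w,                      # the word itself
    lambda w: w.capitalize(),         # capitalize first letter
    lambda w: w + "1",                # append a digit
    lambda w: w.capitalize() + "1!",  # "8+ chars, uppercase, number" pattern
    lambda w: w.translate(LEET),      # p@$$w0rd-style substitutions
    lambda w: w + "2026",             # append the current year
]


def hexdigest(algo: str, text: str) -> str:
    """Unsalted digest of `text` for a hashlib algorithm name (md5, sha1, ...)."""
    return hashlib.new(algo, text.encode()).hexdigest()


def candidates(wordlist):
    """Yield every rule-expanded form of every wordlist entry, in order."""
    for word in wordlist:
        for rule in RULES:
            yield rule(word)


def dictionary_audit(targets, algo: str, wordlist=WORDLIST) -> dict:
    """Map each target hash matched by a candidate to its plaintext.

    Stops as soon as every target is accounted for; hashes that survive the
    whole candidate set are the ones left for GPU cracking or policy review.
    """
    pending = {t.lower() for t in targets}
    found = {}
    for cand in candidates(wordlist):
        if not pending:
            break
        digest = hexdigest(algo, cand)
        if digest in pending:
            found[digest] = cand
            pending.discard(digest)
    return found
```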

Understanding Salted Hashes

Modern systems add a random string (salt) to passwords before hashing. This makes each hash unique even for identical passwords, defeating rainbow tables and pre-computed lookups.

  • Without salt: hash(password) - Same password = same hash
  • With salt: hash(salt + password) - Same password = different hashes

For salted hashes, you must perform real-time computation. This is where GPU-based tools like Hashcat excel. Rainbow tables and simple database lookups won't work for properly salted hashes.

Legal and Ethical Considerations

Hash cracking is a powerful technique that must be used responsibly and legally.

  • Authorization: Only crack hashes from systems you're authorized to test
  • Scope: Ensure hash cracking is within the engagement scope, including whether hashes may be submitted to third-party lookup services
  • Data handling: Securely store and transmit recovered credentials
  • Reporting: Document cracked passwords properly in your report
  • Disclosure: Never use recovered credentials outside the authorized scope

Unauthorized hash cracking can violate computer fraud laws in most jurisdictions. Always have written authorization before attempting to crack password hashes.

HPlus: 90 Billion Hashes at Your Fingertips

Why spend hours on GPU cracking when the password might already be in a database? HPlus is our dedicated dehasher with over 90 billion hashes and 8 billion unique passwords. It should be your first stop before firing up Hashcat.

  • 90B+ hashes - One of the largest hash databases available
  • 8B+ unique passwords - Sourced from breaches, wordlists, and cracking operations
  • 11 hash types - MD5, SHA1, SHA256, SHA384, SHA512, MySQL3, MySQL5, and more
  • 5,000 lines/second - Process bulk hash lists in seconds
  • Weekly updates - Database continuously expanded with new cracked hashes
  • No hardware required - Skip the $2000+ GPU investment

The smart workflow: run your hashes through HPlus first, crack 70-85% instantly, then only use GPU resources for the remaining unique hashes. You'll save hours of computation time on every engagement.

Quick Reference: Hash Type Cheat Sheet
  • MD5 — 32 chars, Hashcat mode 0, Easy
  • SHA1 — 40 chars, Hashcat mode 100, Easy
  • SHA256 — 64 chars, Hashcat mode 1400, Medium
  • SHA512 — 128 chars, Hashcat mode 1700, Medium
  • MySQL5 — 40 chars (*), Hashcat mode 300, Easy
  • NTLM — 32 chars, Hashcat mode 1000, Easy
  • bcrypt — 60 chars ($2), Hashcat mode 3200, Hard
  • Argon2 — Variable, Very Hard
Conclusion

Hash cracking is both an art and a science. The most effective pentesters don't just throw GPUs at the problem — they use a strategic approach that maximizes results while minimizing time and resources.

Remember the optimal workflow: identify your hash types, check online dehashers first for instant wins, then apply targeted attacks for the remaining hashes. This approach consistently delivers the best results in real-world penetration tests.

Whether you're cracking a single hash from a CTF or processing thousands of credentials from a database dump, understanding these fundamentals will make you a more effective security professional.

Important notice

The blog posts on this website are fictional and theoretical. They exist for educational purposes only and should never be treated as instructions to perform illegal or unauthorized activities.

The scenarios described are hypothetical and do not promote or encourage malicious or harmful actions. They reflect a professional penetration tester's perspective, assuming proper permission and legal authorization to test a website, company, or network.

Our posts are not a call to action, and we do not condone illegal activity. Readers are responsible for complying with applicable laws and regulations.

By reading our posts, you acknowledge these terms. If you are not a professional or authorized individual, do not attempt to replicate any techniques described here.

Our content is for education only, and we strongly advise against using any information or techniques for malicious purposes.