Get AI summaries of any video or article — Sign up free
how to HACK a password // password cracking with Kali Linux and HashCat thumbnail

how to HACK a password // password cracking with Kali Linux and HashCat

NetworkChuck·
5 min read

Based on NetworkChuck's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

Hydra enables online dictionary attacks by testing passwords from a word list against a live service such as SSH.

Briefing

Password cracking is presented as a two-step process: first identify a likely username, then recover the password either by trying guesses against a live login (online) or by testing candidate passwords against a stored password hash (offline). The practical takeaway is that offline cracking with tools like Hashcat is usually faster and less likely to trigger account lockouts, while online cracking with Hydra is more visible because it generates repeated login attempts.

The walkthrough begins with a “brute force” mindset—trying simple passwords like 000000, 000001, and so on—then pivots to more efficient automation. Instead of guessing blindly, it uses Hydra to perform an online dictionary attack against an SSH service. Hydra is configured with a username and a target host, then fed a password list so it can rapidly test many candidates. The transcript emphasizes that this approach relies on a dictionary attack: using lists of common passwords rather than every possible combination. It also points to a built-in Kali Linux word list (notably “rockyou.txt,” distributed as a compressed file) and shows how to locate, decompress, and inspect it.

After demonstrating that the online approach can quickly find a password when the word list contains the right candidate, the discussion flags the operational downside: repeated login attempts can trigger defenses such as firewalls, rate limits, and account lockouts, plus timeouts can slow progress. That leads to the more effective offline method.

Offline cracking is explained through how password storage typically works. When a user sets a password, the system stores a cryptographic hash rather than the plaintext password. During login, the entered password is hashed using the same algorithm (examples mentioned include MD5, SHA-256, and NTLM), and the resulting hash is compared to the stored value. Because hashes can’t be “reversed” in a straightforward way, the recovery strategy becomes brute forcing the hash: take a candidate password from a word list, hash it locally, and check whether the computed hash matches the target hash.

Hashcat is then introduced as the tool for this offline workflow. The transcript walks through creating a file of hashes (by extracting from the system’s shadow file) and running Hashcat with a straight dictionary attack (option “-a 0”). It also covers selecting the correct hash mode with “-m,” using “1800” for SHA-512 Unix passwords in the example and “1000” for NTLM for a Windows-based example. Output is written to a results file (via “-o”), and the cracked password appears among the candidates once the hash match is found.

The segment ends with a challenge: crack the server’s passwords using the learned online (Hydra + word list) and offline (Hashcat + hash + word list) techniques. It repeatedly stresses that doing this without explicit permission is illegal, and frames the exercise as limited to systems where permission is granted or in a self-built lab environment.

Cornell Notes

The transcript contrasts two password-cracking paths: online guessing against a live service and offline cracking against stored password hashes. Online attacks use Hydra with a dictionary (word list) to try many passwords quickly over SSH, but they risk detection, throttling, and lockouts. Offline attacks use Hashcat to test candidate passwords locally by hashing each guess and comparing it to a target hash extracted from the system’s shadow file. Because password systems store hashes (not plaintext), offline cracking can be faster and less disruptive, provided the correct hash type/mode is used (e.g., SHA-512 Unix mode 1800, NTLM mode 1000).

Why does the transcript move from brute force guessing to dictionary attacks?

Pure brute force tries passwords in sequence (e.g., 000000, 000001, 000002) until a match appears, which can take years. A dictionary attack instead supplies Hydra with a curated list of likely passwords (like Kali Linux’s “rockyou.txt”), so the tool tests many realistic candidates quickly. The efficiency comes from prioritizing passwords that humans actually reuse, rather than exploring the entire keyspace.

What makes online cracking with Hydra different from offline cracking?

Online cracking attempts logins against a live service (SSH in the example). Each wrong guess produces an authentication failure, which can trigger defenses like firewalls, rate limiting, and account lockouts, plus it suffers from network timeouts. Offline cracking avoids repeated logins by using a stored password hash; candidate passwords are hashed locally and compared to the target hash, reducing visibility and often speeding up the process.

How does a password hash enable offline cracking?

When a password is set, the system stores a hash (a complex string of characters) rather than plaintext. During login, the entered password is hashed with the same algorithm and the result is compared to the stored hash. Offline cracking leverages this by taking a word list, hashing each candidate locally (e.g., with MD5/SHA-512/NTLM depending on the mode), and stopping when the computed hash matches the stored one.

Why does Hashcat require a specific hash mode (the “-m” option)?

Different systems use different hashing algorithms and formats. Hashcat’s “-m” selects the correct hash type so it knows how to interpret the hash and which hashing function to apply to each candidate. The transcript cites “1800” for SHA-512 Unix passwords and “1000” for NTLM; using the wrong mode would prevent correct matching even if the word list contains the right password.

What role do word lists play in both Hydra and Hashcat?

Word lists provide the candidate passwords. Hydra uses them for online dictionary attacks by sending each candidate to the live authentication service. Hashcat uses the same idea offline: it iterates through the word list, hashes each candidate, and checks for a match against the extracted hash. In both cases, the quality and size of the word list strongly influence success.

What operational risks are highlighted for online cracking?

The transcript warns that repeated login attempts can cause defensive systems to intervene—firewalls may block traffic, accounts may lock, and timeouts can slow the attack. Offline cracking is presented as a “better way” because it doesn’t require repeated authentication attempts against the server.

Review Questions

  1. In what ways do online dictionary attacks and offline hash cracking differ in how they generate evidence of the attack?
  2. How does selecting the correct Hashcat hash mode (e.g., 1800 vs 1000) affect whether a cracked password can be found?
  3. Why might a large word list still fail even when the correct password exists somewhere in the password space?

Key Points

  1. 1

    Hydra enables online dictionary attacks by testing passwords from a word list against a live service such as SSH.

  2. 2

    Online cracking is more likely to trigger defenses like rate limiting, firewalls, and account lockouts due to repeated authentication failures.

  3. 3

    Password systems typically store cryptographic hashes rather than plaintext passwords, which changes the cracking strategy.

  4. 4

    Offline cracking with Hashcat works by hashing candidate passwords locally and comparing results to stored hashes extracted from the shadow file.

  5. 5

    Hashcat success depends on using the correct hash mode (e.g., 1800 for SHA-512 Unix passwords and 1000 for NTLM).

  6. 6

    Word lists (such as Kali Linux’s rockyou.txt) are central to both online and offline dictionary-based cracking workflows.

  7. 7

    Carrying out password cracking without explicit permission is illegal; the transcript frames the activity as restricted to authorized targets or self-built labs.

Highlights

Hydra’s online dictionary attack trades brute-force completeness for speed by testing a curated password list against a live SSH login.
Offline cracking avoids repeated logins by comparing locally computed hashes against stored password hashes.
Hashcat’s hash mode selection (the “-m” parameter) is critical: SHA-512 Unix and NTLM require different modes to match correctly.
The rockyou.txt word list is used as a high-yield starting point because it contains many real-world passwords.

Topics

  • Password Cracking
  • Hydra Dictionary Attack
  • Hashcat Offline Cracking
  • SSH Authentication
  • Password Hashes

Mentioned

Get summaries like this for any content

Videos, articles, research papers — all summarized by AI and searchable in one place.

Start building your library