Hashcracky Guide

Choose a section to get started

Quick Navigation

Application Guide Hash Recovery Guide Contact Us

1. Hashcracky Application Guide

Learn how to use the Hashcracky platform and participate in competitions

Table of Contents

  1. What is Hashcracky?
  2. Competitions and Events
  3. Leaderboards and Scoring
  4. Making Submissions
  5. API Usage
  6. Code of Conduct

What is Hashcracky?

Hashcracky is a competitive cryptographic hash recovery platform designed for security professionals and enthusiasts of all skill levels. We provide challenges and events where players solve hash-cracking puzzles in a fun, educational, and competitive environment.

Important: All hashes used in competitions are artificially generated for educational purposes. We never use real-world hashes or actual leaked credentials. Each hash is carefully crafted to teach specific concepts and techniques while ensuring a safe learning environment. Hashcracky is intended for entertainment, educational, and research purposes only. Always practice ethical hacking and respect legal boundaries.

Competitions and Events

Competitions progress through several stages:

  1. Upcoming: Competition announced but not yet active
  2. Active: Hash lists available for download, submissions accepted
  3. Idle (8 hours): Winners locked, no submissions accepted
  4. Past: Competition archived, submissions accepted

Leaderboards and Scoring

Scoring System

Points are different per recovered hash based on:

  • Hash difficulty (algorithm complexity)
  • Composition of the plaintext (length, character set)

Points are awarded to individual players based on the total value of hashes they recover. Leaderboards update in real-time as submissions are processed. If a user is on a team, their founds are dynamically compared to the entire team to update team scores.

Crown System

The top five players in each competition receive crowns that persist on their profiles. The winner receives two crowns instead of one. Crowns are visible across all leaderboards.

Making Submissions

Submission Format

Submissions can be made in multiple formats: 

# Example: Hash:Plaintext
5f4dcc3b5aa765d61d8327deb882cf99:password

# Example: Hash:SaltPlaintext
e16b2ab8d12314bf4efbd6203906ea6c:testpassword

# Example: Hash:Salt:Plaintext
e16b2ab8d12314bf4efbd6203906ea6c:test:password

Submission Methods

  • Web Interface: Upload through the submission page
  • API: POST to /api/submit with authentication

Accepted Content Types

  • multipart/form-data - File uploads
  • application/json - API submissions

API Usage

curl -H "Authorization: Bearer YOUR_TOKEN" \
     https://hashcracky.com/api/endpoint

Rate Limits

API endpoints are rate-limited to prevent abuse. Exceeding limits returns HTTP 429. Wait for the time specified in the Retry-After header.

Code of Conduct

We expect all participants to maintain a positive, respectful environment:

  • Do not engage in any form of cheating or generally uncool behavior.
  • Do not attempt to disrupt the event or the experience of other players.
  • Do not use any form of offensive language in public names or communications with other players and organizers.
  • Do not solicit or accept help from external parties while an event is active.

Violations may result in warnings, temporary suspensions, or permanent bans.

2. Hashcracky Hash Recovery Guide

Master the fundamentals of cryptographic hash recovery techniques

Table of Contents

  1. Hashing Foundations
  2. Getting Started with Hash Cracking
  3. Understanding Attack Types
  4. Understanding Rules
  5. Understanding Masks
  6. Introduction to Analysis
  7. Defending Applications

Note: This guide focuses on getting started with basic techniques. For advanced strategies, we recomend the In.security Password Cracking 101+1 Training.

Hashing Foundations

Hashing is a fundamental concept in cybersecurity and is the result of a one-way algorithm to transform plaintext into ciphertext. The act of hash cracking is replicating the one-way transformation with known plaintexts to identify a match in ciphertext. If the ciphertext matches, then the plaintexts probably also match.

Hashes are often used in security-specific applications:

  • Application message and data integrity
  • Application authentication and identity management
  • Active Directory environments as user hashes

Rainbow Tables

What about rainbow tables? Why should I care about cracking hashes when I can look them up?

Rainbow tables are largely dead for password-cracking applications. With few exceptions, rainbow tables tend to be too static, rigid, and resource-intensive compared to the dynamic needs of modern password cracking. The rise of modern protection techniques like key stretching and cryptographic salts has shifted the time-memory trade-off. Modern cracking is heavily optimized for exploiting the human element of password creation, and compute needs and availability have changed making it more uncommon to maintain statically calculated hashes.

Salts and Peppers

Salts and peppers are additional data added to the hashing process to enhance security. A salt is a random value added to the plaintext before hashing, while a pepper is a secret value applied outside the stored hash (often via application logic or HMAC). Salts ensure identical passwords produce different hashes; peppers raise effort for attackers missing server-side secrets. 

$ password="password"
$ salt="test"
$ echo -n "${salt}${password}" | openssl dgst -sha256
SHA2-256(stdin)= 9f735e0df9a1ddc702bf0a1a7b83033f9f7153a00c29de82cedadc9957289b05

Iterations

Iterations increase the security of hashes by increasing the number of times the hashing algorithm is applied. This raises the computational cost to crack. For example, the rounds parameter in sha256crypt determines how many times the SHA-256 hashing algorithm is repeatedly applied to the password and salt. 

$ mkpasswd --method=sha256crypt --rounds=1000 --salt=12324566 password
$5$rounds=1000$12324566$9KqrHsJ9mSQJMYBJ0iBLSN4gZaOOPWGbD2NuKz4K1XC

$ mkpasswd --method=sha256crypt --rounds=2000 --salt=12324566 password
$5$rounds=2000$12324566$UpQkGap2msCkdYtu21Va3uEX4Va7vAbyHtX22psDFn7

Hash-Based Message Authentication Code (HMAC)

HMAC creates a keyed hash of data. It is often used to verify integrity and authenticity. In the password context, HMAC is a common way to apply peppers so that computing the hash requires a secret key in addition to the password. 

$ message="The quick brown fox jumps over the lazy dog"
$ key="key"
$ printf "%s" "$message" | openssl dgst -sha256 -hmac "$key"
HMAC-SHA256(stdin)= f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8

Nested Algorithms

Some hashing algorithms use multiple rounds of different hashing algorithms to increase security. For example, sha512crypt uses multiple rounds of SHA-512 to create a more secure hash. Sometimes developers will nest algorithms in an attempt to increase security. This is not recommended, as it can lead to unexpected vulnerabilities with little benefit. 

$ plaintext="password"; hash="$plaintext"; for i in {1..5}; do hash=$(printf %s "$hash" | md5sum | awk '{print $1}'); printf "Iteration %d: %s\n" "$i" "$hash"; done
Iteration 1: 5f4dcc3b5aa765d61d8327deb882cf99
Iteration 2: 696d29e0940a4957748fe3fc9efd22a3
Iteration 3: 5a22e6c339c96c9c0513a46e44c39683
Iteration 4: e777a29bee9227c8a6a86e0bad61fc40
Iteration 5: 7b3b4de00794a247cf8df8e6fbfe19bf

Getting Started with Hash Cracking

We highly recommend learning the basics of command line interfaces (CLI). Many tasks are easier via CLI, and it’s the fastest way to iterate on cracking strategies. We recommend Hashcat:

  • Hashcat — powerful, open-source, supports a wide range of algorithms
  • Hashcat Utils — companion utilities

Identify the Hash Type

$ hashcat hashes.left --identify

Start Cracking

Choose an attack based on the pattern being replicated. Hash cracking is cyclical and incorporates new data, tuning attacks, and maximizing work sent to the GPU. 

$ hashcat -m 1300 -a 0 hashes.left wordlist.txt
$ hashcat -m 17300 -a 0 hashes.left rules.txt
$ hashcat -m 17700 -a 3 hashes.left ?l?l?l?l?l?l

Helpful Hashcat Flags

  • -O (--optimized-kernel-enable): Use optimized kernels if available. This reduces the maximum candidate length but increases speed.
  • --bitmap-max=28: Expands the bitmap to a larger amount, likely increasing attack speed.
  • --restorefile-path & --session: Keeps a session log file for the task to be resumed if interrupted.
  • --loopback: Once a session ends, go back over new founds with the same rules used.
  • --show & --left: Good for collecting founds, lefts, and removing bad hashes.

Separating Hashes and Plains

$ awk -F ':' '{print $NF}' file > plaintext.txt
$ cut -d ':' -f2- file > plaintext.txt

Understanding Attack Types

One of the primary goals of hash cracking is replicating human transformations in a computationally effective manner. There are many ways to reach the same plaintext, but only a subset are efficient. Focus on the methodology and patterns; tools are a means to enact strategy.

Dictionary (Straight) Attacks

Use a wordlist of base words, known plaintexts, or common passwords. Often paired with rules to transform candidates. In Hashcat, this is -a 0. 

$ hashcat -m 0 -a 0 hashes.txt wordlist.txt
$ hashcat -m 0 -a 0 hashes.txt wordlist.txt -r rule-file.txt

Combination Attacks

Concatenate two lists (optionally apply rules to each side). In Hashcat, this is -a 1. See also combinator from hashcat-utils for writing combined lists to disk. 

$ hashcat -m 0 -a 1 hashes.txt wordlist1.txt wordlist2.txt
$ hashcat -m 0 -a 1 hashes.txt wordlist1.txt wordlist2.txt -j "\$\$a\$n\$d\$ :"
$ hashcat -m 0 -a 1 hashes.txt wordlist1.txt wordlist2.txt -k "sa4se3so0"

Brute Force (Mask) Attacks

Try all candidates in a keyspace. In Hashcat, this is -a 3. Use masks and custom charsets to constrain and accelerate search. 

$ hashcat -m 0 -a 3 hashes.txt ?l?l?l?l?l?l
$ hashcat -m 0 -a 3 hashes.txt ?d?d?d?d?d?d
$ hashcat -m 0 -a 3 hashes.txt ?u?u?u?u?u?u
$ hashcat -m 0 -a 3 hashes.txt ?a?a?a?a?a?a -i
$ hashcat -m 0 -a 3 hashes.txt ?1?1?1?1?1?1 -1 \?l\?d
$ hashcat -m 0 -a 3 hashes.txt short.mask

Hybrid Attacks

Combine dictionary and mask. In Hashcat this is -a 6 (right) and -a 7 (left). 

$ hashcat -m 0 -a 6 hashes.txt wordlist.txt ?d?d?d?d
$ hashcat -m 0 -a 7 hashes.txt ?d?d?d?d wordlist.txt
$ hashcat -m 0 -a 6 hashes.txt wordlist.txt ?l?l?l?l
$ hashcat -m 0 -a 7 hashes.txt ?l?l?l?l wordlist.txt
$ hashcat -m 0 -a 6 hashes.txt ?1?1?1?1?1?1 -1 \?l\?d
$ hashcat -m 0 -a 7 hashes.txt ?1?1?1?1?1?1 wordlist.txt -1 \?l\?d
$ hashcat -m 0 -a 6 hashes.txt wordlist.lst ?a?a?a -i
$ hashcat -m 0 -a 7 hashes.txt ?a?a?a wordlist.lst -i

Association Attacks (-a 9)

Association attacks excel when there is a large amount of unique salts to work this. This is because it removes the iteration through the different salts and “asserts” a plaintext belongs to a specific hash:salt combination.

  • By default, -a9 mode does not use the potfile and output needs to be directed.
  • The number of candidates is more limited due to leaning on rules, and only so many can be loaded at once.
  • The attack requires some pre-processing to get everything into the right format.
  • Every item in the left list must have a 1-1 pair in the wordlist.
  • Very specific use cases but can increase speeds dramatically because it is a different attack architecture.
$ hashcat -a9 left.lst single-word.lst -r rules.rule -o a9-algo.potfile
$ hashcat -a9 left.lst blank-lines.lst -r words.rule -r rules.rule -o a9-algo.potfile

Understanding Rules

Rules are ran on the GPU and maximize throughput. They can be stacked for complex transforms. In Hashcat, apply with -r. 

$ hashcat -m 0 -a 0 hashes.txt wordlist.txt -r best64.rule
$ hashcat -m 0 -a 0 hashes.txt wordlist.txt -r OneRuleToRuleTheMall.rule
$ hashcat -m 0 -a 0 hashes.txt wordlist.txt -r append.rule -r toggle.rule
$ hashcat -m 0 -a 0 hashes.txt wordlist.txt -r prepend-toggle.rule -r leetspeak.rule
$ hashcat -m 0 -a 0 hashes.txt wordlist.txt \
  --generate-rules=50000 --generate-rules-func-min=3 --generate-rules-func-max=3 \
  --generate-rules-func-sel=ioyrzZ+[]{}* --loopback

Common rule primitives:

  • : Do nothing (pass through).
  • l Lowercase candidate.
  • u Uppercase candidate.
  • c Capitalize first letter, lowercase rest.
  • Tn Toggle case at position n.
  • ^x Prepend x.
  • $x Append x.
  • [ Truncate left.
  • ] Truncate right.
  • inx Insert x at position n.
  • onx Overwrite at position n with x.
  • sxy Substitute x with y everywhere.
  • 'n Truncate to n characters.
  • @n Purge all instances of character n.
  • E (ex) Title case after every space or every character x.
  • Dn Delete character at position n.
  • d Duplicate candidate.

Example to add "TEST" to the front and back of each candidate:

^T ^E ^S ^T
$T $E $S $T

Understanding Masks

Masks specify a character class at each position. They’re ideal for modeling structures and narrowing keyspaces.

  • ?l abcdefghijklmnopqrstuvwxyz
  • ?u ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • ?d 0123456789
  • ?h 0123456789abcdef
  • ?H 0123456789ABCDEF
  • ?s space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  • ?a ?l?u?d?s
  • ?1 0x00–0xff (custom when defined)

Examples for “Hashcracky123!”:

?u?l?l?l?l?l?l?l?l?l?d?d?d?s
Hashcracky?d?d?d?s
Hashcracky?1?1?1?s -1 \?d
?1?1?1?1?1?1?1?1?1?1?d?d?d?s -1 \?l\?u\?d\?s
?1?1?1?1?1?1?1?1?1?1?2?2?2?2 -1 \?l\?u -2 \?d\?s

Introduction to Analysis

Analysis identifies patterns, trends, and anomalies. In Hashcracky, analysis can help reveal common sources or theme patterns per list. Capture Hashcat debug output to see which rules and candidates perform the best. 

$ hashcat -m 0 -a 0 hashes.txt wordlist.txt --debug-mode=1 --debug-file=data.debug

Hashcat debug modes:

  • 1: Finding-Rule
  • 2: Original-Word
  • 3: Original-Word:Finding-Rule
  • 4: Original-Word:Finding-Rule:Processed-Word
  • 5: Original-Word:Finding-Rule:Processed-Word:Wordlist

Frequency sort to find common entries:

awk '{freq[$0]++} END {for (line in freq) print freq[line], line}' data.debug | sort -nrk1

Questions for Formats and Masks

  • If all characters were masks, what would be the most common formats?
  • If all of certain characters were masks, what would be the most common formats?
  • What formats can be enumerated with brute force attacks and which cannot?
  • Is there a minimum length or complexity requirement for the data set?
  • Are there any unique character sets being used?

Questions for Common Words and Tokens

  • If all non-alpha were removed, what tokens would remain?
  • If all alpha were removed, what tokens would remain?
  • If all character boundaries were expanded (Password, 123); what groups would be formed?
  • Is there any common phrasing or repeated inserts?
  • Are there any keywords being reused in multiple formats?

Human Behavior and Efficient Modes

Understand the data, but do not fixate on assumptions based only on data patterns. People set passwords like humans, so there is an additional skill of using understood human behavior to craft new attacks from visible data points.

Use attack modes that can best simulate the target. You will be more efficient and have fewer pre-processing steps. When possible, use rules over other options. This will generally be the most efficient approach.

Defending Applications

  • Argon2id for systems that can tolerate authentication latency. Argon requires multiple tuning factors that need to be adjusted to maintain security. This is not a user friendly strategy but offers more customization for domain experts.
  • HMAC-Bcrypt for legacy systems and systems that cannot tolerate any authentication latency. Bcrypt has a single cost-factor that controls the number of iterations. This is a user friendly strategy for increasing algorithm strength.
  • PBKDF2 for FIPS-140 compliance requirements with a strong iteration count depending on the implemented algorithm.
  • Non-salted algorithms should always have a pepper or salt used to prevent shucking. For example, nesting Bcrypt(md5(password)) without a salt or a pepper means a user can use known MD5 hashes and somewhat reduce calculations. Shucking is also prevalent in NTLMv1 with serious impacts on the security of its usage.

Other Defenses

Known Breach Filtering: Effective at mitigating online attacks, but not as effective when the guess window increases with offline attacks. Combined with something like zxcvbn could further bolster this approach.

Password Blocklists: Effective as a layered control with other mitigations from guessing common metadata such as company names, years, 123’s, and others.

Local Administrator Password Solution (LAPS): Effective control at rotating high-value hashes and ensuring secure creation within Windows environments. Ensure users who can see the clear text password are protected, as they can be enumerated.

  • ms-Mcs-AdmPwd: Stores the clear text local administrator password.
  • ms-Mcs-AdmPwdExpirationTime: Determines when the password should be changed next.

Enforce Strong Authentication Mechanisms

Please use Multi-Factor Authentication (MFA) when possible. Please consider using multiple authentication mechanisms and have preference for stronger methods such as hardware tokens, passkeys, certificate based, and others.

Using code to enforce compliance can help alleviate many issues with passwords such as length, complexity, setting known breach passwords, and password filters consistently. Personally suggest passwords requirements with length 16 or greater and complexity requirements. Understand the interactions between user behavior and code requirements, such as setting too frequent of a password rotation. Code-based compliance combined with training is an effective strategy.

Contact

Questions, suggestions, or need help? Email us at contact@hashcracky.com

Hashcracky is a one-person operation; thank you for your patience with response times.