Basics of password cracking

Guillaume Quéré


OpenLDAP formats

OpenLDAP dumps from ldapsearch may contain a variety of hash algorithms and formats. Note that ldapsearch usually prints the attribute base64-wrapped (userPassword:: ...), so that outer layer has to be decoded first to get at the {SCHEME}... value. Some schemes are not crackable "as is" and require adaptations:

OpenLDAP output      Hashcat mode      JtR format
{SHA}                101               Raw-SHA1
{SHA256}             1400 (*)          Raw-SHA256 (*)
{SHA512}             1700 (*)          Raw-SHA512 (*)
{SSHA}               111               Salted-SHA1
{SSHA512}            1711              SSHA512
{CRYPT}              1800 (**)         sha512crypt (**)
{PBKDF2-SHA512}      12100 (***)       pbkdf2-hmac-sha512 (****)

(*): OpenLDAP exports {SHA256} and {SHA512} digests in base64, but both tools expect them in hex, so decode and re-encode. Hashcat then takes username:hexhash and JtR takes username:$SHA256$hexhash (or username:$SHA512$hexhash).
(**): Simply remove the '{CRYPT}' string. What remains is a crypt(3) string; mode 1800 / sha512crypt applies to values starting with $6$ (other $id$ prefixes are other crypt variants and need their own mode). The dots '.' are part of the crypt(3) base64 alphabet, not a substitution for '+', and must stay as they are.
(***): Hashcat mode 12100 expects sha512:iterations:salt:hash with standard base64, so the PBKDF2 value needs several modifications: replace '{PBKDF2-SHA512}' with 'sha512:', replace each '$' with ':', and in the base64 parts turn the '.' back into '+' (OpenLDAP's adapted base64 also drops the '=' padding; restore it if your hashcat build rejects the unpadded value).
(****): JtR's pbkdf2-hmac-sha512 format wants the salt and hash in hex, separated by dots, e.g. username:$pbkdf2-hmac-sha512$iterations.salt_hex.hash_hex

Here are my converters for John and hashcat.
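As an added worked example (this is not the author's converters, whose links are above, nor OpenLDAP project code), the Python script below implements the conversions of the table for both tools in one pass. It assumes ldapsearch LDIF output where userPassword is printed base64-wrapped (userPassword:: ...), possibly folded at 76 columns, and takes the username from the first uid= or cn= RDN of the dn. The sample dump at the bottom is constructed in the script itself with hashlib for the password "password" and the fixed salt "saltsalt"; it is not real data. Restoring the '=' padding on OpenLDAP's adapted base64 is my addition on top of the page's recipe.

```python
import base64
import hashlib
import re

# Scheme tag -> (hashcat mode, JtR format), following the table above.
SCHEMES = {
    "SHA": (101, "Raw-SHA1"),
    "SHA256": (1400, "Raw-SHA256"),
    "SHA512": (1700, "Raw-SHA512"),
    "SSHA": (111, "Salted-SHA1"),
    "SSHA512": (1711, "SSHA512"),
    "CRYPT": (1800, "sha512crypt"),
    "PBKDF2-SHA512": (12100, "pbkdf2-hmac-sha512"),
}

def ab64_to_b64(s):
    """OpenLDAP's pw-pbkdf2 module writes 'adapted' base64: '.' instead of '+'
    and no '=' padding. Undo both so standard decoders (and hashcat) accept it."""
    s = s.replace(".", "+")
    return s + "=" * (-len(s) % 4)

def parse_ldif(text):
    """Yield (username, userPassword) pairs from ldapsearch output. Handles LDIF
    line folding (continuation lines start with one space) and both the plain
    'userPassword: ' and the base64-wrapped 'userPassword:: ' forms."""
    text = re.sub(r"\n ", "", text)  # unfold wrapped lines
    user = None
    for line in text.splitlines():
        if line.startswith("dn:"):
            m = re.match(r"dn:\s*(?:uid|cn)=([^,]+)", line)
            user = m.group(1) if m else None
        elif line.startswith("userPassword:: "):
            yield user, base64.b64decode(line.split(" ", 1)[1]).decode()
        elif line.startswith("userPassword: "):
            yield user, line.split(" ", 1)[1]

def convert(user, value):
    """Return (hashcat_mode, hashcat_line, jtr_format, jtr_line) for one
    userPassword value, or None for a scheme the table does not cover."""
    m = re.match(r"\{([^}]+)\}(.*)", value)
    if not m or m.group(1).upper() not in SCHEMES:
        return None
    scheme, rest = m.group(1).upper(), m.group(2)
    mode, fmt = SCHEMES[scheme]
    if scheme in ("SHA256", "SHA512"):
        # (*) unsalted digests: base64 -> hex for both tools
        h = base64.b64decode(rest).hex()
        return mode, f"{user}:{h}", fmt, f"{user}:${scheme}${h}"
    if scheme == "CRYPT":
        # (**) drop the tag; only the $6$ (sha512crypt) variant maps to 1800
        if not rest.startswith("$6$"):
            return None
        return mode, f"{user}:{rest}", fmt, f"{user}:{rest}"
    if scheme == "PBKDF2-SHA512":
        # (***) hashcat: sha512:iter:salt_b64:hash_b64   (****) JtR: hex fields
        iters, salt, dk = rest.split("$")
        salt_b64, dk_b64 = ab64_to_b64(salt), ab64_to_b64(dk)
        hc = f"{user}:sha512:{iters}:{salt_b64}:{dk_b64}"
        salt_hex = base64.b64decode(salt_b64).hex()
        dk_hex = base64.b64decode(dk_b64).hex()
        return mode, hc, fmt, f"{user}:$pbkdf2-hmac-sha512${iters}.{salt_hex}.{dk_hex}"
    # {SHA}, {SSHA}, {SSHA512}: both tools take the LDAP string unchanged
    return mode, f"{user}:{value}", fmt, f"{user}:{value}"

def convert_dump(text):
    """Group lines by hashcat mode / JtR format: one list per cracking run."""
    out = {"hashcat": {}, "john": {}}
    for user, value in parse_ldif(text):
        r = convert(user, value)
        if r is None:
            continue
        mode, hc, fmt, jtr = r
        out["hashcat"].setdefault(mode, []).append(hc)
        out["john"].setdefault(fmt, []).append(jtr)
    return out

# --- constructed sample dump (password "password", fixed salt), not real data ---
_PW, _SALT = b"password", b"saltsalt"

def _b64(raw):
    return base64.b64encode(raw).decode()

def _ab64(raw):  # OpenLDAP adapted base64
    return _b64(raw).replace("+", ".").rstrip("=")

SAMPLE_VALUES = {
    "alice": "{SHA}" + _b64(hashlib.sha1(_PW).digest()),
    "bob": "{SSHA}" + _b64(hashlib.sha1(_PW + _SALT).digest() + _SALT),
    "carol": "{SHA256}" + _b64(hashlib.sha256(_PW).digest()),
    "dave": "{PBKDF2-SHA512}10000$%s$%s" % (
        _ab64(_SALT), _ab64(hashlib.pbkdf2_hmac("sha512", _PW, _SALT, 10000))),
}
SAMPLE_LDIF = "\n".join(
    f"dn: uid={u},ou=people,dc=example,dc=org\nuserPassword:: {_b64(v.encode())}\n"
    for u, v in SAMPLE_VALUES.items())

if __name__ == "__main__":
    for tool, groups in convert_dump(SAMPLE_LDIF).items():
        for key, lines in groups.items():
            print(f"# {tool} {key}")
            print("\n".join(lines))
```

Write each list to its own file (e.g. hashcat_1400.txt, john_Raw-SHA256.txt), since hashcat only takes one -m per run and John one --format; values whose scheme is missing from the table (or a {CRYPT} that is not $6$) are skipped rather than silently mangled.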

Where to get wordlists?

Where to get mutation rules?

Read this great article about crafting a superset of rules aptly named “One Rule To Rule Them All”. You probably won’t need another.

In what order to crack?

The goal here is to maximize efficiency: attack the weakest algorithms first with the fastest rules and then move on to gradually more time-consuming methods, ending with full keyspace exhaustion.

Basics

Try username=password first (John's default single crack mode covers this on its own).

Dictionary

john --format=<format> target.txt --wordlist=dictionary.txt
hashcat --username -m <mode> target.txt dictionary.txt

Dictionary mutations

john --format=<format> target.txt --wordlist=dictionary.txt --rules
hashcat --username -m <mode> target.txt dictionary.txt -r OneRuleToRuleThemAll.rule

Masks

Defining custom masks is especially useful when a restrictive password policy is in place, because users satisfy it in the laziest way possible: a capital first, a special character last. If, for instance, a company mandates that all passwords be at least 8 characters long with lowercase, uppercase and special characters, then in my experience this simple mask alone recovers on the order of 20% of the passwords:

?u?l?l?l?l?l?l?s

Where:

?a = all of the below (?l?u?d?s, the 95 printable ASCII characters)
?s = special, i.e. printable non-alphanumeric characters, space included
?l = lowercase
?u = uppercase
?d = digits

Defining a custom charset (-1 to -4), here letters, digits and a handful of specials, used in all eight positions:

hashcat --username -m <mode> target.txt -a 3 -1 '?u?d?l*#$@_' '?1?1?1?1?1?1?1?1'

This is described in more detail here for hashcat and here for John.
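To see why the policy-shaped mask is so much cheaper than exhausting the full keyspace, and what a custom charset actually expands to, here is an added Python example (not code from the original page or from hashcat). It resolves hashcat-style masks with the built-in charsets and -1..-4 custom charsets, computes the keyspace, and can enumerate the candidates (for instance to pipe into john --stdin). The charset contents follow hashcat's definitions (?s being the 33 printable non-alphanumerics including space); the candidate ordering and the de-duplication of custom charsets are my choices, not hashcat's.

```python
import itertools
import string

# hashcat's built-in charsets: ?s is the 33 printable non-alphanumerics (space
# included) and ?a is the union of the four, i.e. the 95 printable ASCII characters.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]

def expand_charset(spec, custom=None):
    """Resolve a charset spec such as '?u?d?l*#$@_' into its literal characters.
    '?x' references a built-in or an already defined custom charset, '??' is a
    literal '?', anything else is taken verbatim. Duplicates are dropped."""
    custom = custom or {}
    chars, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.append("?")
            elif key in BUILTIN:
                chars.extend(BUILTIN[key])
            elif key in custom:
                chars.extend(custom[key])
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            chars.append(spec[i])
            i += 1
    return "".join(dict.fromkeys(chars))

def mask_positions(mask, custom_specs=None):
    """Turn a mask into one charset string per position. custom_specs maps
    '1'..'4' to the strings passed to hashcat as -1 .. -4."""
    custom = {}
    for key, spec in (custom_specs or {}).items():
        custom[key] = expand_charset(spec, custom)
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            positions.append(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            positions.append(mask[i])  # literal character: a single choice
            i += 1
    return positions

def mask_keyspace(mask, custom_specs=None):
    """Number of candidates the mask generates (product of per-position sizes)."""
    n = 1
    for charset in mask_positions(mask, custom_specs):
        n *= len(charset)
    return n

def expand_mask(mask, custom_specs=None):
    """Yield every candidate (ordering is mine, not hashcat's)."""
    for combo in itertools.product(*mask_positions(mask, custom_specs)):
        yield "".join(combo)

if __name__ == "__main__":
    policy = "?u?l?l?l?l?l?l?s"  # the policy-shaped mask from the text
    full = "?a" * 8               # exhausting 8 printable characters
    custom_mask, custom_specs = "?1" * 8, {"1": "?u?d?l*#$@_"}
    print(f"{policy}: {mask_keyspace(policy):,} candidates")
    ratio = mask_keyspace(full) // mask_keyspace(policy)
    print(f"{full}: {mask_keyspace(full):,} candidates ({ratio:,}x more)")
    print(f"{custom_mask} with -1 {custom_specs['1']}: {mask_keyspace(custom_mask, custom_specs):,}")
    print("first candidates of ?u?l?s:", list(itertools.islice(expand_mask("?u?l?s"), 3)))
```

The policy mask covers about 2.7e11 candidates against 6.6e15 for eight full ?a positions, a gap of four orders of magnitude, which is why a mask shaped after the policy finishes in minutes on algorithms where exhaustion would take weeks.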

JtR specifics

Installation

Use the bleeding-jumbo branch of the GitHub repo (openwall/john).

Modes

Running John without specifying a dictionary makes it start with its single crack mode, which derives candidates from the login name (and GECOS fields) and so catches basic cases such as username=password.

Formats

This command prints the test vectors of the desired format, which is especially useful when converting a hash from one layout to another, since it shows exactly what John expects:

john --format=<format> --list=format-tests

For example, Redmine hashes are handled by dynamic_1501 and are fed as user:password$salt (where password is the stored hash, followed by its salt).

Hashcat specifics

Installation

Use the official NVIDIA driver and follow its official installation procedure. You may sometimes have to hold the kernel back while the driver's ABI catches up (as was the case between kernels 5.8 and 5.9 at the time of writing).

Hash format

Hashes are fed as username:hash, and hashcat is told about the prefix with --username (cracked passwords are then listed next to their user with --show).

hashcat -O selects the optimized kernels, which can make a HUGE difference depending on the hashing algorithm. The trade-off is a lower maximum password length (printed at startup, typically 31 characters or less), so candidates longer than that are never tried.