Hash Cracking Strategies: Tackle the complex ones

Running rockyou is easy enough, but nowadays hardly successful, at least not as a go-to solution. Using a short-list approach still makes sense, especially when it’s such a high-percenter, yet we wanted to take the chance and get a bit deeper into the topic.

Note: This article is one of our list articles (pun not intended) that we’ll extend over time.

How to tackle long and complex passwords

There certainly isn’t one single approach we could recommend. The title implies it: hashes of long or complex passwords are hard to crack, no matter the hardware. That means 8 random chars still present more or less the same limit they did 20 years ago, except when we’re talking about the easiest-to-crack algorithms (like NTLM), high-end hardware like NVIDIA cloud or an 8x RTX 4090 rig, or somewhere between a month and a year of time and electrical energy (about the value of a 4090).

Since WPA2 passphrases have a minimum length of 8 chars and router manufacturers nowadays use defaults that are often 16-48 digits long, this is a bit of a challenge. Using the strategies below, however, we managed to reverse more than a few hashes that had exactly the properties we just described.

Make empathic lists

  • Beacons and post-it notes are still great sources and always will be
  • OSINT and scrape (known Police strategy)
  • Rule-it-up, combinate
  • Defaults

The reason beacons may contain passwords is simple: human error.
People want to enter a password, but the interface on their phone has already gone back to the station-name field, so from then on the device announces that “password” as a known network name wherever it goes. We recommend checking and clearing the known-stations list on your devices regularly.

Use larger lists

  • crackstation.txt
  • hashes.org.txt
  • 250 GB self-compiled combo list of 1 million German words, with leet rules and special chars
  • Bible Passwords, Seasons-Month-Year and other language or topic-specific combos

Making lists intentionally larger is a common scenario for us these days. Passwords have become harder to crack; at the same time, most of us have more GPU computing power than ever before. You might want to check from time to time that the attack truly goes as planned. Running hashcat in stdout mode,

```powershell
$ .\hashcat.exe <...your params...> --stdout
```

shows you how combinator attacks would work out. We were quite surprised to find that, for some reason (likely Unicode or endianness), hashcat didn’t produce:

```
Password!!
Password!?
Password??
12345678!!
..
```

but instead:

```
Password
!!
Password
!?
Password
??
12345678
!!
..
```

What a waste.

Create proper large-lists

Sources:

  • Existing wordlists
  • Custom Python helper tools (e.g. for Season, Month, Year, from Arabic, Czech, Danish to German, Polish, Russian)
  • Hashcat’s (older) tools, look in the tools folder, and stdout mode
  • Large-language-model training data, dictionaries, Wikipedia
  • Web scrapes, WiFi beacons & station names, manufacturers (Simon’s iPhone), DoB lists in various formats
  • Combos that are currently unsupported by hashcat, e.g. leetspeak rule + mode 6 + mode 7 (adding random chars in front and back)
  • Adapted list collections: copy your 10 best, longest lists into a folder WPA and use grep to sort out all words shorter than 8 chars; this makes crackstation.txt take 1h instead of 3h
  • Router manufacturer default password analysis and generator tools, e.g. Fritz!Box long number keys
  • Combine good lists like rockyou with stuff like year endings

This can take a long time and require lots of disk space, but it’s worth it. Do it each time you’re cracking, do it properly each time, and you end up with a large collection.

Example results:

```
Gebirgslandschaf+|
|Gebirgslandschaf+|
}Gebirgslandschaf+
Gebirgslandschaf+}
}Gebirgslandschaf+}
*.Gebirgslandschaf+
Gebirgslandschaf+*.
*.Gebirgslandschaf+*.
#.Gebirgslandschaf+
Gebirgslandschaf+#.
#.Gebirgslandschaf+#.
@.Gebirgslandschaf+
Gebirgslandschaf+@.
|#Gebur7s7ags7radi7ion|#
}#Gebur7s7ags7radi7ion
Gebur7s7ags7radi7ion}#
}#Gebur7s7ags7radi7ion}#
-<Gebur7sun7erlagen-<
_<Gebur7sun7erlagen
Gebur7sun7erlagen_<
_<Gebur7sun7erlagen_<
<<Gebur7sun7erlagen
Gebur7sun7erlagen<<
<<Gebur7sun7erlagen<<
Geburst@gsfeier],
],Geburst@gsfeier],
),Geburst@gsfeier
Geburst@gsfeier),
),Geburst@gsfeier),
',Geburst@gsfeier
```

Short lists

Know that we’re talking mostly about our own custom lists, not SecLists’ “Top 10.000”. Things like SecLists are still good and valid base material, but because cybersecurity has matured and tools often check a new password against known wordlists, custom lists have become much more important.

To get a valid quick shot we also make short lists - these are mostly not complete lists, but something like:
https://github.com/Network-Sec/Wordlists/blob/main/year_endings.txt

A very short list that goes like:

```
22
22!!
2022
2022!!
23
23!
2023
2023!
...
```

which we use in Combinator attacks, to spice up beacon lists or other “10 min. runtime” lists.

Never give up

On a regular basis, we keep burning lots of electricity for only one or two matches. However, the harder-earned results not only feel more rewarding; chances are that you’re the only one who managed to make it.

We had to learn how important it is, although sometimes expensive and annoying, to stay on track: Chances might feel slim after running a huge wordlist for 10h straight, yet we recommend letting each list run till the end.

In general that also means: you might have tried most of your “good” lists already, but anyway:

Fire again. Fire.

You never know ahead of time if it’s DarkNet-Top-Million (an older, well-known wordlist from the famous SecLists archive) or an unmotivated combo attack from a measly 200 KB list with two random chars at the end.

It truly works that way.

Set and forget

A common strategy we keep using: wildcards combined with rules. The command below will use all wordlists in the folder, including subfolders, and try them with all rules.

```bash
$  .\hashcat.exe -m 22000 -a 0 .\hashes_10_01_2025_uniq.txt ..\SecLists\Passwords\*   -w 2 -O -d 2 -r .\rules\*
```

Keep only latest, unique hashes

Even though hashcat recognizes duplicate hashes, each hash still takes more time. When you collect more than a handful, this can result in significant performance loss.

To clarify, we don’t mean exact, 1:1 duplicates, but 10 different WPA2 handshakes for the same device and password. Here’s a quick loop, using one of our bin-tools, that does exactly that, keeping only the latest.

```bash
$ for line in $(hashdump_to_ssid.py hashes_10_01_2025.txt | sort -u | cut -d ":" -f 1); do tac hashes_10_01_2025.txt | grep -m 1 "$line" >> hashes_10_01_2025_uniq.txt ; done
```

Incrementing combos

```bash
$ .\hashcat.exe -m 22000 -d 2 -a 6 -i --increment-min=3 -1 ?l?d -2 ?u?l?d hashes.pcapng rockyou.txt ?2?1?1?1?s?s
$ .\hashcat.exe -m 22000 -d 2 -a 6 -i -1 "?l?d!_-+*$" hashes.pcapng wpa2_ultimate.txt ?1?1?1?1
```

Custom Charset

```bash
$ .\hashcat.exe -a 3 .\hashes_uniq_06_02_25.txt -1 ?l?d -2 ?u?l -3 '?d!#_.$()' ?2?l?l?l?3?3?3?3  -d 2 -w 2 -O -S
```

Wordlists

We created a couple of WiFi-specific wordlist generator helper tools; you can find them on our GitHub: https://github.com/Network-Sec/Wordlists

More Wordlist resources:

Important: We get a massive speed and success-rate gain if we exclude words shorter than 8 chars, as this is the minimum length for WPA2.

```bash
$ cat rockyou.txt | grep --binary-files=text -Pe "^[\w\d\s]{8,32}$" | sort -u > wifi_rockyou.txt
```

How to make your WiFi secure?

  • WPA2 or WPA3
  • Long passwords > 12 chars (we doubled on that)
  • Completely random characters that don’t resemble any real word
  • Check or clear your device beacons from time to time (the “known networks” in your phone)
  • Consider the other way: Free & open guest network as DMZ, disconnected from your real one
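As an added example (not the article’s or the Network-Sec project’s own code), a small Python check that flags a WPA2 passphrase showing exactly the weaknesses the strategies above go after: a dictionary word hidden behind leetspeak and a short special-character prefix/suffix, a year ending, short length, or too few character classes. The sample dictionary, the substitution table and the thresholds are constructed assumptions.

```python
"""Flag WPA2 passphrases that fall to the wordlist strategies described:
dictionary words behind leetspeak and short special-char affixes, year
endings, short length, few character classes.
Added example, not the article's or Network-Sec's own tooling; the
dictionary, substitution table and thresholds are constructed."""
import re

# Constructed sample dictionary; a real check loads a large wordlist.
DICTIONARY = {"gebirgslandschaft", "geburtstagstradition", "password", "sommer"}

# Leetspeak substitutions as seen in the example results, reversed.
UNLEET = str.maketrans({"7": "t", "+": "t", "@": "a", "4": "a", "3": "e",
                        "1": "i", "0": "o", "5": "s", "$": "s"})
# Up to two non-alphanumeric chars in front and at the back (mode 6/7 style).
AFFIX = re.compile(r"^[^A-Za-z0-9]{0,2}(.*?)[^A-Za-z0-9]{0,2}$")
# Four-digit year, or two-digit year plus punctuation, at the end.
YEAR_END = re.compile(r"(19|20)\d{2}[^A-Za-z0-9]{0,2}$|\d{2}[^A-Za-z0-9]{1,2}$")
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def core_word(passphrase: str) -> str:
    """Undo year ending, affixes and leetspeak to expose the base word."""
    stripped = YEAR_END.sub("", passphrase)
    m = AFFIX.match(stripped)
    return (m.group(1) if m else stripped).translate(UNLEET).lower()


def assess(passphrase: str, dictionary=DICTIONARY) -> list[str]:
    """Return findings for the passphrase; an empty list means none found."""
    findings = []
    n = len(passphrase.encode())
    if n < 8 or n > 63:
        findings.append("not a valid WPA2 passphrase length (8-63 bytes)")
    elif n <= 12:
        findings.append("not longer than 12 characters")
    if core_word(passphrase) in dictionary:
        findings.append("dictionary word once year, affixes and leetspeak are removed")
    if YEAR_END.search(passphrase):
        findings.append("ends in a year (with optional punctuation)")
    if sum(bool(re.search(p, passphrase)) for p in CLASSES) < 3:
        findings.append("fewer than three character classes")
    return findings


if __name__ == "__main__":
    for pw in ("}#Gebur7s7ags7radi7ion}#", "Sommer2023!", "xK9#vL2$qR8!mN"):
        print(pw, "->", assess(pw) or "no findings")
```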