Cybersecurity Lab
Password Cracking with Hashcat
Cracked an MD5 password hash in under one second using Hashcat and the rockyou.txt wordlist, demonstrating how weak passwords and unsalted hashes are trivially compromised.
Completed2026Beginner
Objective
Understand dictionary-based hash cracking, practice Hashcat syntax, and document why MD5 with no salt offers no real protection against offline attacks.
Tools Used
HashcatKali Linuxrockyou.txt
Steps Performed
- Identified the target hash: `5f4dcc3b5aa765d61d8327deb882cf99` (MD5, mode 0).
- Selected the rockyou.txt wordlist (`/usr/share/wordlists/rockyou.txt`) — 14,344,392 common passwords.
- Ran Hashcat: `hashcat -m 0 5f4dcc3b5aa765d61d8327deb882cf99 /usr/share/wordlists/rockyou.txt`.
- Hashcat cracked the hash in under 1 second: plaintext = `password`.
- Documented session output including hash mode, speed, and recovered digest count.
Key Findings
- Hash `5f4dcc3b5aa765d61d8327deb882cf99` cracked to plaintext `password` in under 1 second.
- rockyou.txt contains 14.3 million real-world passwords — `password` appears near the top.
- MD5 without a salt is completely inadequate for password storage; results are instant with commodity hardware.
- Hashcat processed 44,145 hashes/second — real-world GPU rigs achieve billions per second.
Screenshots
Lessons Learned
- Common passwords stored as bare MD5 hashes offer no real-world protection.
- Salted hashing (bcrypt, Argon2) is the minimum bar for storing credentials.
- Offensive tools like Hashcat are essential knowledge for understanding why secure password policies matter.
Future Improvements
- Test SHA-256 and bcrypt hashes to compare cracking difficulty.
- Practice rule-based attacks and hybrid wordlist + mask attacks.
- Document a side-by-side comparison of MD5 vs bcrypt crack times.
References
- Hashcat documentation
- OWASP Password Storage Cheat Sheet
- rockyou.txt wordlist origin
