How to Brute Force a Password?

Today, I’ll show you how to brute force a password from a MD5 hash or other algorithms
You probably already know what is a brute force, but you are looking for some tools to use
I’ll give you that in this post

How to brute force a password?
The brute force strategy is to try any possibilities, one by one, until finding the good password
For a MD5 hash if the database doesn’t find a result, you can use other tools like HashCat or John the Ripper to do this

In the following paragraph, I’ll explain you how the brute force is working exactly, which tools you can use and how to use them

Brute force theory

Let’s start with a bit of theory

MD5 algorithm reminder

As a reminder, did you know how the MD5 algorithm works?

The MD5 algorithm take any word or text in input and produce a 32 characters hexadecimal string
Ex: “MD5Online” => “d49019c7a78cdaac54250ac56d0eda8a”

The MD5 encryption is very fast, you can see on our website that it takes a few seconds including the page load
On a powerful computer, it’s even faster

So, we’ll use this encryption speed for the brute force attack

Brute force process

The goal of a brute force, is not trying to decrypt the MD5 hash, but to encrypt thousands of words until we get the same string

We can work with a dictionary of common passwords, but most of the time you’ll need to start from 0 and try longer and longer password
For example, encrypting “a” and compare with the MD5 hash, if not the same encrypt “b” and compare with the MD5 hash, etc …

This can take time if the encoded password was a long one
That’s why security advisors recommend taking a long password with special characters
But you can reduce this time, by using a good CPU/GPU (see our resources page) or cloud computing

Dictionary attack

First of all, I recommend trying your MD5 hash in our MD5 decryption tool
You’ll save a lot of time if the MD5 hash is inside
We have currently over 1,154 billion hashes decrypted and growing
You’ll need a lot of time to try all of this by brute force
If you are trying to decrypt an SHA1 password (40 characters), click on the link to our other website to try it

In brute force softwares, you can also use your own dictionary
If you have information about the password source, it can help you find the password faster (company name, family first names, birth dates, …)
By generating a massive dictionary with all this information compiled, you can also save a lot of time

Brute force tools

Let’s move to the practice part
I’ll show you two tools here, but there are other ones if you prefer
The process is always the same

HashCat

HashCat is currently considered as the faster tool to brute force passwords
It’s free, and you can download it from the official website (click on the link)
It’s available for any operating system, I’ll show you how to use it on Windows and Linux

Installation

The installation for any os is almost the same on Windows and Linux
Download the binaries archive from the official website (link above), and extract it somewhere

Windows

To use it on Windows, follow this:

  • Create a new file with a hash to brute force inside
    I recommend starting by creating a file “hash.hash” in the hashcat folder
    Then add this MD5 hash inside: 7f138a09169b250e9dcb378140907378
    It’s an easy MD5 password, with 3 characters
  • Then open a command prompt
    Start menu > start typing “command” and click to open the app
  • Then move to the HashCat directory
    For example: cd C:\hashcat
    Or: cd C:\Users\<USERNAME>\Downloads\hashcat-x.x.x
  • Finally, use thehash cat command below to brute force the hash file
    hashcat64.exe -a 3 -m 0 -w 4 hash.hash -i ?a?a?a --force
  • Option details:
    • -a: The attack mode (3 = Brute force)
    • -m: The hash type on your file (0 = MD5)
    • -w: The workload profile (4 = Nightmare mode)
    • -i: Incremental mode with this mask (3 characters including lowercase/uppercase/number/special)
    • –force: I don’t know if you’ll need this, but on my laptop I have to use it to avoid an error
  • Then check the hash.potfile to see what HashCat have found

Did you find the password? 🙂

Linux

On Linux it’s almost the same thing, so please read the previous paragraph and adapt it

The Command Prompt is often called “Terminal” on Linux, you should probably already know it better than Windows users 🙂
And the HashCat command is “./hashcat64.bin” instead of “hashcat64.exe”

If you have a specific device, you can also download the source archive, and compile it with “make”
It’s quick, and you’ll get an optimized binary for your system

John The Ripper

John the Ripper is another tool you can use for brute force

Windows

John the Ripper is available for Windows, but their creators highly recommend to use HashSuite instead
You can find the software on this link

There are several versions, but you can take the free one for this test
You just need to know that there is a limit at 6 characters, but it’s ok for now

  • Extract the downloaded archive and go inside
  • You’ll see a “Hash_Suite_64.exe”
  • Click on it, HashSuite opens
  • In the top menu, click on the keys on the right
  • Choose Import > From file
  • Browse to the hash.hash file from the hashcat directory
    Or if you didn’t install it previously, create a new file with one MD5 inside
    You can use “7f138a09169b250e9dcb378140907378” for example
  • Then, on the Main submenu, click on “Start”
  • After  a few seconds, the MD5 is now decrypted:

Linux

On Linux, you can download JohnTheRipper from GitHub

  • Clone the GitHub repository
    cd /opt
    git clone https://github.com/magnumripper/JohnTheRipper
  • Then compile it as usual on Linux:
    cd JohnTheRipper/src
    ./configure && make
  • If it ask you for any dependencies missing, install them with your current package manager (apt, yum, …)
  • Finally, you can start your first brute force with:
    cd ../run
    ./john --format=raw-md5 /root/hash --fork=8
  • Replace /root/hash with the filename containing your hashes
    Then update the fork value with the number of CPU cores you want to assign to this task
    It’s not mandatory, on a weak device you can remove it

You’ll get the result in the same folder, but you can use the –show option to display it directly

Related questions

What is the speed I can get in brute force mode? It highly depend on your hardware (CPU and GPU). With the best graphic card of the moment, searchers find that you can try 758kH/s. But I can’t say a number, it will change every month, and doesn’t really apply to your system, so try it 🙂

Can I brute force anything? Same answer, it highly depends on your hardware, but you can probably can’t go over 8 characters passwords with a standard computer.

Conclusion

That’s it, you know how to brute force passwords, with the theory and the practice with two different tools
Hope you’ll try it soon and get the results you hope

I just give you the basics here, feel free to check the official document from HashCat and JohnTheRipper to get all the options you can use with these commands