Dictionary Attack - Password Cracking Intelligence

📖

Method

Wordlist + Mutation Rules

Curated word files combined with substitution rules crack 65%+ of real-world passwords

⚡

Speed

Up to 350 Billion/sec

GPU-accelerated hashcat on MD5 hashes; weak passwords fall in milliseconds

📦

Top Wordlist

RockYou2024 - 10B Entries

Compiled from real breach data; covers the vast majority of passwords humans actually choose

🎯

Success Rate

65–90% Against Weak Hashes

MD5/SHA-1 hashed databases cracked at scale; bcrypt/Argon2 resistant but not immune

// Live Crack Simulation - Demo Mode

▶ hashcat - dictionary mode [--attack-mode 0] [--rules best64.rule]

password123MISS 0.00s

qwertyMISS 0.00s

letmeinMISS 0.00s

Attempts Made

0/s

Attempts / sec

Wordlist Progress 0%

Target Hash (MD5)

5f4dcc3b5aa765d61d8327deb882cf99 → password

READY

Status

// Wordlist Categories - Click to Explore

🔤

// Category 01

Common Words
& Phrases

The most prevalent passwords in every breach - simple words, predictable sequences, and keyboard walks that humans gravitate toward for memorability.

// Top Candidates

password · 123456
qwerty · letmein
welcome · monkey
dragon · master
sunshine · shadow
abc123 · iloveyou

// Why It Works

57% of people use the same password across multiple sites. The top 100 passwords account for over 30% of all real-world credentials. Most wordlists include these in the first 1,000 entries - cracked before a second has passed.

👤

// Category 02

Names, Places
& Pop Culture

Personal names, sports teams, celebrities, fictional characters, and geographic locations - chosen for familiarity, making them highly predictable.

// Sample Entries

michael · ashley
batman · superman
liverpool · chelsea
jessica · daniel
london · paris
starwars · pokemon

// Attacker Advantage

Wordlists like names.txt (2M+ first names) cover the vast majority of what users choose. Social media OSINT generates personalised wordlists using the target's pet name, hometown, and birthday.

🔧

// Category 03

Mutations
& Leet Speak

Rule engines apply thousands of transformations - capitalisation, number suffixes, symbol substitutions - multiplying wordlist coverage without brute force cost.

// Mutation Examples

password → P@ssw0rd
password → Password1!
dragon → Dr@g0n
welcome → W3lc0me!
secret → $ecret99
admin → @dm1n#1

// Rule Engine Power

Hashcat's best64.rule applies 77 transformations per word, expanding a 10M wordlist to 770M candidates. Most users believe adding @, 1, or ! makes them safe - mutation rules exploit this.

💾

// Category 04

Breach Corpus
& Credential Dumps

Billions of real passwords harvested from historical data breaches - the most effective wordlist category because it reflects actual human password choices at massive scale.

// Major Wordlists

RockYou2024 - 10B
RockYou2021 - 8.4B
Collection #1-5 - 2.2B
LinkedIn 2016 - 117M
Adobe 2013 - 150M
COMB 2021 - 3.2B

// Effectiveness

Breach-derived wordlists achieve 65–90% crack rates because they contain real passwords. The average person reuses passwords across 14 different sites.

🎯

// Category 05

Targeted &
OSINT-Built Lists

Custom wordlists built from publicly available personal information about a specific target - highly effective against individual accounts when generic lists fail.

// OSINT Sources

Pet names (social media)
Birth dates (public records)
Sports teams (profile bios)
Partner names (tagged posts)
Hometown (location data)
Company name + year

// Tool: CeWL / CUPP

CUPP generates targeted wordlists from OSINT data. CeWL scrapes a target's website to build domain-specific wordlists. Combined, they reduce the search space from billions to thousands of highly probable candidates.

🧬

// Category 06

Hybrid Attack
& Combinator

Combines dictionary words with brute-force appending or prepending of numbers/symbols, and splices two wordlists together - dramatically expanding coverage beyond pure dictionaries.

// Hybrid Patterns

word + ?d?d → word12
word + ?d?d?d?d → word2024
?uword → Word (cap)
word! → word!
word1+word2 → passfish
word+!@# → pass!@#

// Attack Mode 6 & 7

Hashcat -a 6 appends/prepends brute-force character sets to each dictionary word. -a 7 is the reverse. Combinator mode (-a 1) concatenates every word in list A with every word in list B, generating compounds like sunshinefish.

// Attack Flow - Click Any Phase Node

🔍 01 Target
Recon Identify system

→

💾 02 Hash
Acquisition Obtain password DB

→

📖 03 Wordlist
Selection Curate dictionary

→

⚙️ 04 Rule
Config Mutation rules

→

⚡ 05 Attack
Execution GPU crack run

→

✅ 06 Credential
Harvest Collect plaintext

→

🚀 07 Access &
Pivot Exploit & escalate

// Step-Through Workflow - Full Phase Analysis

// Phase 01 - Reconnaissance

Target Recon

Before running a single guess, attackers identify what authentication system, hash algorithm, and account lockout policies protect the target. Understanding the hash type is critical - it determines wordlist priority, rule complexity, and expected crack speed by orders of magnitude.

Identify authentication endpoint - web login, SSH, Active Directory, RDP, VPN
Probe for rate limiting, CAPTCHA, and account lockout thresholds before attacking
Determine hash algorithm via error messages, service banners, or obtained hash format
Collect usernames via LinkedIn, email enumeration, or OSINT - attack requires valid users
Assess online vs offline attack: offline hashes allow unlimited attempts at full GPU speed

// Technical Detail

# Identify hash type from format
hash-identifier hash_value

# MD5 format: 32 hex chars
5f4dcc3b5aa765d61d8327deb882cf99

# bcrypt format: $2y$...
$2y$10$... # 1.9M× slower

78%

of systems still use MD5 or SHA-1 to store passwords

No Limit

on attempt rate in offline hash cracking scenarios

// Phase 02 - Hash Acquisition

Obtaining the Database

Dictionary attacks are most powerful in offline mode - where the attacker holds a copy of the password hash database and can make unlimited attempts without triggering lockouts or alerts. Hash acquisition transforms a rate-limited online attack into an unrestricted offline cracking operation.

SQL injection against web application extracts users and password_hash columns
Exploiting CVE to achieve RCE, then dump /etc/shadow or Windows SAM / NTDS.dit
Purchasing stolen database dumps from dark web marketplaces (Genesis, Exposed.vc)
Phishing attack on DBA to obtain direct database credentials for legitimate extraction
Online attack mode: test wordlist directly against live login with slow, distributed requests

// Technical Detail

# Linux shadow file
$ sudo cat /etc/shadow

# Windows NTLM (mimikatz)
> sekurlsa::logonpasswords

# AD domain hashes
> ntdsutil "ac i ntds" "ifm"

# SQL injection
$ sqlmap -u target --dump

average dark web price for 1,000 hashed credentials

27s

to crack 50% of a typical unsalted MD5 database

// Phase 03 - Wordlist Selection

Building the Dictionary

Wordlist selection and curation is the single biggest determinant of attack success. Attackers layer multiple sources - breach corpora, common password lists, domain-specific vocabulary, and targeted OSINT data - and deduplicate the final list to maximise unique candidate coverage per second of compute time.

Start with RockYou2024 (10B) as the base layer - covers the broadest password space
Append domain-specific wordlist from CeWL scrape of target's website
Add CUPP-generated personal wordlist if specific individuals are targeted
Sort and deduplicate with hashcat --stdout | sort -u to remove redundant candidates
Prioritise by probability - most common passwords first to get early wins

// Technical Detail

# Layer 1 - Breach corpus
rockyou2024.txt 10.0B

# Layer 2 - Common passwords
darkweb2017-top10K.txt 10K

# Layer 3 - Domain words (CeWL)
target-cewl.txt ~2K

# Layer 4 - Personal (CUPP)
target-personal.txt ~500

10B

entries in RockYou2024, the largest public wordlist

2min

to exhaust top-1M wordlist on MD5 with single GPU

// Phase 04 - Rule Config

Mutation Rules

Rule engines multiply wordlist coverage without linear compute cost. Each rule applies a transformation - capitalise, substitute characters, append numbers, prepend symbols - to every word in the list, generating thousands of variants per base word. This is what defeats "complexity requirements" that rely on simple substitutions.

best64.rule - 64 high-yield transformations covering 90%+ of real-world complexity patterns
OneRuleToRuleThemAll - 52,000 rules derived from cracked real-world password analysis
Capitalisation rules: first-letter, last-letter, toggle, ALL CAPS variants
Leet substitution: a→@, e→3, i→1, o→0, s→$ applied in all combinations
Append/prepend: years (2020–2024), common suffixes (!,1,123,#1,@), common prefixes

// Technical Detail

# Capitalise first letter
c password → Password

# Append '1' to end
$1 password → password1

# Replace 'a' with '@'
sa@ master → m@ster

# Combined rule
c sa@ $1 $!
password → P@ssword1!

77×

candidate multiplier with best64.rule applied

52K

rules in OneRuleToRuleThemAll, the most comprehensive set

// Phase 05 - Attack Execution

The Crack Run

With hashes, wordlists, and rules prepared, the cracking session begins. Modern GPU clusters run at hundreds of billions of hashes per second for weak algorithms. Attackers prioritise high-probability candidates first, often recovering 60%+ of a database within the first hour of a well-configured run.

Hashcat attack mode 0 (dictionary) with -r rules is the standard starting configuration
Multi-GPU rigs (4–8× RTX 4090) achieve 350 GH/s on MD5 for under $20K hardware cost
Cloud cracking: spot instances on AWS/GCP provide on-demand GPU power for ~$3/hour
Rainbow table lookup used as a pre-computation shortcut for unsalted legacy hashes
Session resumption: long runs saved and continued - multi-day campaigns for harder targets

// Technical Detail

hashcat -m 0 # MD5 mode
-a 0 # dict attack
hashes.txt # target file
rockyou.txt # wordlist
-r best64.rule # mutations
--force # ignore warnings
-O # optimise GPU

$3/h

cost to rent GPU cracking power on cloud spot instances

60%+

of typical enterprise hash DB cracked in first hour

// Phase 06 - Credential Harvest

Collecting Plaintext

As hashes are cracked, plaintext passwords are saved to a potfile - hashcat's persistent match database. Recovered credentials are then triaged: high-value accounts (admin, root, executive) are prioritised. Password patterns observed in cracked credentials are used to build targeted rules for remaining uncracked hashes.

Potfile (hashcat.potfile) accumulates all cracked hash:plaintext pairs automatically
Map cracked passwords back to usernames to build a valid credential pair list
Analyse cracked passwords for organisation-specific patterns (Company2024!, AcmeCorp#1)
Build custom rules from observed patterns to target remaining uncracked accounts
Credential stuffing: test harvested pairs against other services (email, banking, SSO)

// Technical Detail

# Show cracked passwords
hashcat --show -m 0 hashes.txt

# Output example:
5f4dc... : password
e10adc... : 123456
25f9e... : Acme2024!
7c4a8... : Summer#23

# Pattern found: Acme + Year + !
→ Build targeted rule set

91%

of people reuse passwords across personal and work accounts

4.7×

average number of accounts sharing the same password

// Phase 07 - Access & Pivot

Exploitation & Pivot

Cracked credentials are weaponised for initial access and lateral movement. Even a single low-privilege account is valuable - it provides a foothold for privilege escalation, internal network reconnaissance, and the discovery of further credentials to crack. Credential stuffing extends the blast radius across every service the user has an account on.

Highest-privilege cracked accounts targeted first - admin, root, service accounts
Credential stuffing: valid pairs tested against 200+ popular web services automatically
Internal pivot: cracked VPN credential provides direct corporate network access
Pass-the-hash: NTLM hashes used directly without cracking for Windows lateral movement
Password spraying: confirmed valid passwords tried against all accounts in the environment

// Technical Detail

[T+0] Hash database acquired
[T+1h] 60% passwords cracked
[T+2h] Admin account recovered
[T+3h] VPN access established
[T+4h] Lateral movement begins
[T+6h] Domain controller hit
[T+8h] Full domain compromise

median time from hash dump to full domain compromise

$4.5M

average cost of a credential-based breach (IBM 2023)

Phase 1 of 7

// Password Vulnerability - Time to Crack with Dictionary + Rules

Example Password

password

INSTANT

Crack time < 1ms

< 1ms

Entry #1 in every wordlist. Found in 3.5B breach records. No rules needed.

Example Password

P@ssw0rd!

FAST

Crack time ~3 sec

~3 sec

Classic leet substitution on "password" - covered by every rule set. Useless complexity.

Example Password

Summer2024!

MODERATE

Crack time ~4 hrs

~4 hrs

Common word + year + symbol - caught by hybrid mode 6. Still crackable in one session.

Example Password

k#9pL!rX2@mQ

RESISTANT

Crack time ∞ impractical

∞ impractical

Random 12-char mixed. Not in any wordlist. No rule reaches it. Use a password manager.

// Defensive Countermeasures

🔐

Strong Hashing: bcrypt / Argon2

Replace MD5 and SHA-1 with bcrypt, scrypt, or Argon2. These are intentionally slow - bcrypt reduces cracking speed by 1,000,000× compared to MD5, rendering dictionary attacks computationally impractical even with GPU clusters.

🧂

Unique Salts Per Password

A unique random salt per password defeats rainbow table lookups and forces per-hash computation. Two users with the same password produce completely different hashes - preventing batch cracking across the entire database.

🎲

Passphrase + Password Manager

Long, random passphrases (4+ random words) or fully random passwords stored in a password manager are immune to dictionary attacks. Length defeats brute force; randomness defeats wordlists and rules alike.

🔑

MFA on All Accounts

Even a cracked password is useless if MFA is enforced. TOTP, FIDO2 hardware keys, and push-based authentication ensure that credential recovery alone does not grant access.

🚫

Breach Password Screening

Integrate with HaveIBeenPwned's Pwned Passwords API to reject any password that appears in known breach databases at registration and reset time - blocking the exact wordlists attackers use.

⏱️

Rate Limiting & Lockout

Enforce exponential backoff, CAPTCHA, and account lockout on online login endpoints. This forces attackers into offline mode - meaning they first need to compromise your database before attempting to crack it.