
Enumeration, Hashes, and John - A Journey Through the Cracks in the System

Some vulnerabilities don’t exploit complex flaws. They don’t require advanced scripts or sophisticated techniques. Sometimes, you just need to try to get in… and realize no one closed the door. That’s Broken Access Control.

When a web application doesn’t properly control which users can access which resources, access rules break down. Normally, certain files like admin.php should be protected behind a login or specific roles. But if control fails, any user—authenticated or not—can access them simply by knowing the path. Discovering those paths is called enumeration, and it’s one of the first steps in almost any web analysis. As a hacker, you need to look for what isn’t shown to you. Tools like gobuster, dirb, or ffuf brute-force common paths (/admin, /panel, /login, etc.) using dictionaries with typical file names. It’s not magic: it’s persistence, patience, and strategy.

Once inside a sensitive file like an admin panel, you might find something even more valuable: users and their passwords… or rather, their hashes.

Hash

A hash is the result of applying a mathematical algorithm to a password. It takes an input, for example password123, and turns it into a long, seemingly random string. You can’t “decrypt” a hash the way you decrypt an encrypted message, because the operation isn’t reversible. But since the same input always produces the same hash, you can guess which password generated it by hashing thousands or millions of candidate passwords and comparing the results until you find a match.

One of the most common, though obsolete, hash algorithms is MD5. It transforms any input into a 32-character hexadecimal string. The problem is that MD5 is fast, predictable, and widely studied, making it vulnerable to attacks like dictionary cracking. That’s where two of the most powerful tools at your disposal come in: John the Ripper and Hashcat.

Both test passwords from a dictionary file like rockyou.txt, which contains millions of real passwords leaked over time. John is simpler, more immediate. Ideal when you’re starting out. Hashcat, on the other hand, is more aggressive, allows advanced configurations, and leverages your machine’s GPU to speed up the process.

To use them, you first need the hash in a file, recognize its type (in this case MD5), and then launch the attack. Sometimes passwords aren’t visible. They’re disguised. You don’t see "mypassword123", you see something like f379eaf3c831b04de153469d1bec345e. That’s not a password, it’s a hash, and your job as an ethical hacker is to look at that string and ask yourself: what is it really hiding? That’s what John the Ripper and Hashcat are for.

They are two legendary password cracking tools. Not magic. Not infallible. But powerful, if you know how to use them.

John the Ripper was born as a simple, fast, and effective tool. Its philosophy is straightforward: take a file of hashes, compare them against a dictionary of possible passwords, and report any matches. Nothing more. Nothing less. You can use it with this command:

john --wordlist=rockyou.txt hashes.txt

John will read each line of rockyou.txt (a dictionary with millions of real passwords) and generate the corresponding hash according to the type (for example, MD5). It will compare them with those in hashes.txt. If it finds a match, it will show it to you.

It’s a tool that invites you to start without fear. Lightweight. Human. Ideal when you’re taking your first steps. But if you’re looking for brute force, raw power, and wild speed, then you need Hashcat.

Hashcat

Hashcat was designed to break hashes at absurdly high speeds. It uses your machine’s GPU (yes, the graphics card) to launch parallel attacks, calculating billions of combinations per second.

To use Hashcat, you need to understand the type of hash you’re working with. For example:

  • -m 0 is MD5
  • -m 100 is SHA1
  • -m 500 is Unix MD5

And also choose the attack mode. The most common is dictionary (-a 0):

hashcat -m 0 -a 0 hashes.txt rockyou.txt

Hashcat can seem intimidating at first. But like many things in cybersecurity, the closer you get, the more sense it makes. You can give it rules, combinations, masks, mutation techniques. You can tell it how to think and how to persist. And best of all, you can learn to observe. To see the patterns. To understand that behind every cracked password there’s a story of carelessness, haste, repetition.

You’re here to study those stories. To make them visible. To strengthen the system by understanding its weakest points. John and Hashcat don’t do the work for you. They only reflect your effort, your understanding, and your perseverance. The passwords you manage to crack won’t be trophies, they’ll be evidence that you’re growing.

For example, with John:

john --wordlist=rockyou.txt hash.txt

Or with Hashcat:

hashcat -m 0 -a 0 hash.txt rockyou.txt

That -m 0 indicates you’re working with MD5. That -a 0 means you’re doing a dictionary attack. In essence, this is password cracking: trying and trying until something fits. It’s not about luck. It’s knowledge, tools, and determination.
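As an added example (not code from the original lesson), here is the compare-until-something-fits loop that John and Hashcat run, written in Python over a constructed six-word dictionary and a constructed users table: the unsalted MD5 version mirrors `john --wordlist` / `hashcat -m 0 -a 0`, and a salted variant shows why a per-user salt multiplies the cracker’s work. WORDLIST, LEAKED_HASHES and the function names are assumptions made for this example.

```python
import hashlib

# Constructed stand-in for rockyou.txt; the real list has millions of entries.
WORDLIST = ["qwerty", "123456", "password", "letmein", "password123", "dragon"]

# Constructed "leaked" users table: three unsalted MD5 hashes of weak passwords
# plus one of a strong passphrase that no dictionary is likely to contain.
LEAKED_HASHES = {
    "alice": "e10adc3949ba59abbe56e057f20f883e",  # md5("123456")
    "bob":   "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "carol": "482c811da5d5b4bc6d497ffa98491e38",  # md5("password123")
    "dave":  hashlib.md5(b"correct horse battery staple").hexdigest(),
}

def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode()).hexdigest()

def dictionary_attack(hashes: dict, wordlist: list) -> tuple:
    """The core of `john --wordlist` / `hashcat -m 0 -a 0`: hash each candidate
    once and look it up against every target. Because the hashes are unsalted,
    a single md5() call tests the candidate against all users at the same time."""
    by_hash = {}  # hash -> users sharing that hash
    for user, h in hashes.items():
        by_hash.setdefault(h.lower(), []).append(user)
    cracked, attempts = {}, 0
    for word in wordlist:
        attempts += 1
        for user in by_hash.get(md5_hex(word), []):
            cracked[user] = word
        if len(cracked) == len(hashes):
            break  # nothing left to find
    return cracked, attempts

def salted_md5(salt: str, candidate: str) -> str:
    return hashlib.md5((salt + candidate).encode()).hexdigest()

def dictionary_attack_salted(records: dict, wordlist: list) -> tuple:
    """Same attack against per-user salted hashes (records: user -> (salt, hash)).
    Each candidate must now be rehashed for every user, so the cost grows to
    len(wordlist) * len(records) hash calls instead of len(wordlist)."""
    cracked, attempts = {}, 0
    for user, (salt, h) in records.items():
        for word in wordlist:
            attempts += 1
            if salted_md5(salt, word) == h.lower():
                cracked[user] = word
                break
    return cracked, attempts
```

Calling dictionary_attack(LEAKED_HASHES, WORDLIST) cracks alice, bob and carol in six candidates and never cracks dave, which is the real lesson: the tool only finds passwords the dictionary already contains. Note that John auto-detects the hash type but may need --format=raw-md5 when a bare 32-character hex string is ambiguous.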

And above all, it’s understanding that every time you crack a hash, you’re understanding a human weakness: simple passwords, design errors, poorly closed doors. But you’re not here to judge that. You’re here to discover it. To learn. To become better.

Don’t underestimate what you can achieve with a curious mind, a well-chosen dictionary, and a well-understood tool.