cybersecurity
sql-injection
ethical-hacking
hashcat
john-the-ripper
sqlmap
Sometimes, what brings down walls is not force. It's precision. A character, an unclosed quote, a line of code no one reviewed. In cybersecurity, the smallest mistakes open the biggest doors. And one of the most exploited doors in history has a name: SQL Injection.
First, the basics:
SQL is a language designed to communicate with databases. Every time an application saves a username, password, email, or transaction, it probably does so using SQL. And when the user logs in or searches for information, the application dynamically builds SQL queries to access that data. The problem is when that query is not properly controlled.
Imagine a login form that directly inserts what the user types into an SQL query, without validating or filtering it. That becomes an open door. Because you can write not only your name... but also malicious instructions to alter the system's logic. This technique is called SQL injection and allows, among other things:
Classic injection example:
1SELECT * FROM users WHERE username = '$user' AND password = '$pass';
If you enter the following as the username:
1' OR '1'='1
And leave the password blank, the query becomes:
1SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';
And since '1'='1' is always true... you get access anyway, without credentials or permissions. This is where SQLMap comes in.
It's an automated tool that detects and exploits SQL injections in web applications. You don't need to write manual payloads or try combinations blindly. SQLMap does that work for you.
What SQLMap can do:
When you identify that a web application dynamically builds queries and doesn't validate user input. You can test with characters like ' or common payloads. If you see SQL errors, strange behavior, or bypasses, SQLMap can probably help you exploit that gap.
1sqlmap -u "url/page.php?id=1" --batch
1sqlmap -u "url/page.php?id=1" --dbs --batch
1sqlmap -u "url/page.php?id=1" -D database_name --tables --batch
1sqlmap -u "url/page.php?id=1" -D database_name -T users --columns --batch
1sqlmap -u "url/page.php?id=1" -D database_name -T users -C username,password --dump --batch
Remember: many passwords are stored encrypted (for example, in MD5, a hashing algorithm). If SQLMap returns hashes, they are not plain-text passwords, but you can crack them with tools like Hashcat or John the Ripper.
A necessary warning:
SQLMap is a powerful tool. Even brutal. But it's not to be used carelessly or thoughtlessly. It's not about just pressing buttons. It's about understanding what you're doing, what it means, and the consequences it can have.
Use it on your lab machines as part of your training. Because all knowledge, like any weapon, must be wielded with ethics.
Breaking a password is not just a technical act. It's about understanding how humans think. Because behind every hash, behind every layer of security, there's someone who chose a word they thought was secret. And cracking is the art of proving that nothing is truly secret.
Password cracking is the process of recovering a plain-text password from its encrypted (hashed) version. It's a fundamental skill in ethical hacking because it allows you to check how strong (or weak) the passwords people use are.
Passwords are not stored as-is. That would be a security suicide. They are stored as hashes, which are encrypted representations using functions like MD5, SHA1, bcrypt, among others.
But here's the detail:
These hashes are not reversible encryptions. They can't be "decrypted." What we do is compare, try thousands (or millions) of possible passwords, applying the same hash function, until we find one that produces the same result.
Because human passwords are, in general, predictable. Because we use dates, names, common words, keyboard patterns, and because hashes, while mathematically solid, don't protect against poor password choices.
With enough power, good dictionaries, and the right tools, cracking becomes a very real possibility.
There are two main ways:
rockyou.txt) is used and each one is tested against the hash.And to do this, we have two great allies: John the Ripper and Hashcat.
It's a classic tool, simple but powerful. Ideal for getting started.
Example usage with a dictionary:
1john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
View results (when passwords are found):
1john --show hash.txt
John automatically detects the hash type in most cases. But if it doesn't, you can specify it with --format=md5 or the appropriate one.
Hashcat is faster, more versatile, and optimized for GPU. Ideal for massive attacks. First, you need to know what type of hash you're attacking. You can use hashid or hash-identifier to detect it.
Basic usage example with a dictionary:
1hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
m 0: MD5 (each hash type has a number)a 0: dictionary attackhash.txt: file containing the hashrockyou.txt: password dictionaryView results:
1hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --show
You can pause and resume Hashcat without losing progress, making it ideal for long sessions.
You find them in compromised databases, poorly protected configuration files, manipulated images, forgotten backups, or even in memory. And often they're in formats like:
121232f297a57a5a743894a0e4a801fc3
(which is, by the way, the MD5 hash of “admin”).
Cracking is also understanding that every hash represents a poorly kept secret and that properly protecting a password doesn't start with a strange symbol, but with a responsible decision. Keep practicing. Keep breaking things, so you can build them better.