Password Safari: Hunting Single Prey and Entire Herds

I already have other blog posts about cracking passwords, or more corporately, called reverse engineering passwords, this post will outline how to use hashcat with incremental complexities to try and crack a list of usernames and passwords - however, in this scenario I was only after one account in particular.

Prerequisites

1. Kali and Hashcat installed
2. Prepared hash file (JustTheHashes.txt) with one NTLM hash per line.
3. Prepared password list (RockYou2024.txt) and a rules file (OneRuleToRuleThemAll.rule) to apply common mutations like capitalization.

RockYou2024 Download

If you need the RockYou2024 list you can get it from the magnet link here

Step 1 — Straight Dictionary Attack with Rules

If I want to try my wordlist against the hashes while applying rules, I run:

hashcat -m 1000 -a 0 JustTheHashes.txt RockYou2024.txt OneRuleToRuleThemAll.rule --optimized-kernel-enable -w 3 -d 1

Step 2 — Dictionary + Rules Attack (Explicit)

To run an explicit dictionary + rules attack, I use:

hashcat -m 1000 -a 0 JustTheHashes.txt RockYou2024.txt -r OneRuleToRuleThemAll.rule --optimized-kernel-enable -w 3 -d 1

This gives me flexibility if I want to swap in different rules later while keeping everything GPU-optimized.

Step 3 — Hybrid Attack (Dictionary + Mask)

When I know the password is a word from my list plus extra characters at the end, I perform a hybrid attack.

Three trailing digits:

hashcat -m 1000 -a 6 JustTheHashes.txt RockYou2024.txt ?d?d?d --optimized-kernel-enable -w 3 -d 1

Six trailing digits:

hashcat -m 1000 -a 6 JustTheHashes.txt RockYou2024.txt ?d?d?d?d?d?d --optimized-kernel-enable -w 3 -d 1

I can also switch ?d to ?a if letters, digits, and symbols may appear in the trailing mask.

Step 4 - Reverse Hybrid Attack (for pre-pending before the words)

hashcat -m 1000 -a 7 JustTheHashes.txt ?d?d?d Rockyou2024.txt -O -w 3 -d 1

Step 5 - Dynamic Hybrid Script

To save time and cover multiple hybrid scenarios automatically, I wrote a script that:

• Runs a dictionary attack with rules
• Runs a dictionary + rules attack explicitly
• Runs a dynamic hybrid attack with 1 → 12 trailing characters with rules applied
• Keeps everything GPU-optimized
• Outputs results to separate files

Script : HybridCracking.sh

#!/bin/bash
# Hashcat workflow
# Mode: NTLM (m=1000)
# GPU: Availble (use -d 1 if GPU index 1, otherwise drop -d)

HASH_FILE="JustTheHashes.txt"
DICT_FILE="rockyou.txt"
RULES_FILE="rules/OneRuleToRuleThemAll.rule"
GPU_ID=1
STATUS_INTERVAL=10
WORKLOAD=3
MAX_TRAILING=6      # keep small for Q4000 performance
CHARSET="?d"        # digits, change to ?a for full set

# --- Straight dictionary attack ---
hashcat -m 1000 -a 0 "$HASH_FILE" "$DICT_FILE" \
  -r "$RULES_FILE" \
  -w $WORKLOAD -d $GPU_ID \
  --status --status-timer=$STATUS_INTERVAL \
  -o cracked_dictionary.txt

# --- Hybrid attack: dictionary + mask (up to MAX_TRAILING digits) ---
for ((i=1; i<=MAX_TRAILING; i++)); do
    MASK=$(head -c $((i*2)) < /dev/zero | tr '\0' "$CHARSET")
    echo "Running hybrid attack with $i trailing chars: $MASK"

    hashcat -m 1000 -a 6 "$HASH_FILE" "$DICT_FILE" "$MASK" \
      -r "$RULES_FILE" \
      -w $WORKLOAD -d $GPU_ID \
      --status --status-timer=$STATUS_INTERVAL \
      -o "cracked_hybrid_${i}.txt"
done

echo "Done. Check cracked_dictionary.txt and cracked_hybrid_*.txt"

What if you are working with a single hash?

If you are only working with just one hash, the strategy changes. Instead of optimising for speed across thousands of hashes,  you can dig deeper into rule-based and hybrid attacks without worrying about wasting GPU time on other hashes.