Last updated: March 2026
Complete Guide to Password Cracking Tools on Kali Linux 2026
Kali Linux ships with a full arsenal of password auditing and cracking tools. The four you will reach for most often are Hashcat (offline GPU cracking), Hydra (online brute-force), Aircrack-ng (WiFi handshake cracking), and John the Ripper (versatile offline cracker). Nessus complements these by identifying which systems are vulnerable before you ever try a password. This guide explains each tool, when to use it, and links to hands-on tutorials for every workflow.
Legal disclaimer: All techniques described here are for authorized penetration testing, security research, and educational purposes only. Never test systems you do not own or have explicit written permission to test. Unauthorized access is illegal under the Computer Fraud and Abuse Act (CFAA) and equivalent laws worldwide.
Tool Overview: Which Tool Does What?
| Tool | Type | Speed | Best Use Case |
|---|---|---|---|
| Hashcat | Offline cracker | Billions/sec (GPU) | Cracking captured hash dumps |
| John the Ripper | Offline cracker | Millions/sec (CPU) | Quick local cracking, format detection |
| Hydra | Online brute-force | Limited by network | SSH, FTP, HTTP login forms |
| Aircrack-ng | WiFi handshake | GPU-assisted | WPA2/WPA3 handshake cracking |
| Nessus | Vulnerability scanner | N/A | Finding weak/default credentials |
Hashcat: GPU-Accelerated Offline Cracking
Hashcat is the world's fastest password recovery tool. It runs on your GPU rather than CPU, reaching speeds exceeding 100 billion MD5 hashes per second on an RTX 4090. Hashcat works exclusively on captured hashes — it never contacts the target system during cracking.
Core Attack Modes
- -a 0 — Dictionary attack: Test every word in a wordlist (e.g., rockyou.txt) against the hash
- -a 1 — Combinator attack: Combine words from two wordlists
- -a 3 — Mask/brute-force attack: Try all combinations matching a pattern (e.g., ?u?l?l?l?d?d)
- -a 6 — Hybrid wordlist + mask: Append mask patterns to dictionary words
- -r — Rule-based attack: Apply transformation rules to wordlist entries
Quick Start Example
# Crack an MD5 hash using rockyou.txt
hashcat -m 0 -a 0 5f4dcc3b5aa765d61d8327deb882cf99 /usr/share/wordlists/rockyou.txt
# Crack WPA2 handshake
hashcat -m 22000 -a 0 capture.hc22000 /usr/share/wordlists/rockyou.txt
For GPU selection and performance numbers across RTX 5090, 4090, and AMD RX 7900 XTX, see the Hashcat GPU Benchmark Table 2026.
Hands-on tutorials:
- Hashcat Wordlist Attack Tutorial — dictionary attacks with rockyou.txt
- Hashcat Rule-Based Attacks Guide — custom rules and OneRuleToRuleThemAll
- Hashcat vs Hydra: Which Tool to Use? — compare offline vs online cracking
Hydra: Online Brute-Force Attacks
THC-Hydra performs online password attacks — it actually connects to the target service and tries credentials in real time. This makes it inherently slower than offline cracking (network latency and service rate limiting are your constraints) but essential when you only have a login form and no hash dump.
Hydra supports over 50 protocols including SSH, FTP, HTTP/HTTPS, RDP, SMB, MySQL, PostgreSQL, SMTP, and more.
Basic Hydra Syntax
# SSH brute-force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100
# FTP with username list
hydra -L users.txt -P passwords.txt ftp://192.168.1.100
# HTTP POST form
hydra -l admin -P rockyou.txt 192.168.1.100 http-post-form \
"/login:username=^USER^&password=^PASS^:Invalid credentials"
When to Use Hydra vs Hashcat
Use Hydra when you have access to a live login service but no hash. Use Hashcat when you have captured a hash (from a database dump, /etc/shadow, NTLM capture, or WPA2 handshake). See the full Hashcat vs Hydra comparison for a detailed breakdown.
Aircrack-ng: WiFi WPA2 Handshake Cracking
Aircrack-ng is a suite of tools for WiFi security auditing. The workflow involves three stages: capture a WPA2 four-way handshake using airodump-ng and aireplay-ng, then crack the handshake offline using aircrack-ng (CPU-based) or export to Hashcat for GPU acceleration.
The WiFi Cracking Suite
- airmon-ng — Put your adapter into monitor mode
- airodump-ng — Scan and capture WiFi traffic
- aireplay-ng — Send deauthentication packets to force a handshake
- aircrack-ng — Crack the captured handshake with a wordlist
- hcxdumptool/hcxtools — Capture PMKID (no deauth needed)
Quick Workflow
# 1. Enable monitor mode
sudo airmon-ng start wlan0
# 2. Scan networks
sudo airodump-ng wlan0mon
# 3. Capture handshake for target network
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# 4. Force handshake via deauth (in another terminal)
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
# 5. Crack with wordlist
aircrack-ng capture-01.cap -w /usr/share/wordlists/rockyou.txt
A monitor-mode capable adapter is required. See the Aircrack-ng WPA2 Handshake Tutorial for the complete workflow, and How to Install Aircrack-ng on Kali and Debian for installation. For adapter recommendations, check the Alfa AWUS036ACH Monitor Mode Guide.
John the Ripper: Versatile Offline Cracking
John the Ripper ("John") is a classic offline password cracker with automatic hash format detection. It runs primarily on CPU, making it slower than Hashcat on GPU workloads, but it excels at:
- Automatic format detection (john --list=formats)
- Cracking /etc/shadow Linux password files
- Handling unusual hash formats not well-supported by Hashcat
- Quick one-liner usage without needing to specify the hash type
Basic John Usage
# Auto-detect hash format and crack
john hashes.txt
# Use a wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# Crack /etc/shadow directly
unshadow /etc/passwd /etc/shadow > combined.txt
john combined.txt
# Show cracked passwords
john --show hashes.txt
John the Ripper (Jumbo edition) is installed by default on Kali Linux. The community Jumbo version supports hundreds of additional formats including cryptocurrency wallets, office documents, and archive passwords.
Nessus: Finding Vulnerable Targets
While not a cracking tool itself, Nessus is a critical part of the security workflow. It scans your network to identify hosts with weak configurations, default credentials, and known CVEs before you attempt manual credential attacks.
Nessus Integration with Password Attacks
Nessus can:
- Test for default credentials on network devices, printers, and services
- Identify services running outdated or vulnerable software
- Run credentialed scans to assess patch levels from inside the system
- Generate reports prioritizing which vulnerabilities to address first
Access Nessus at https://localhost:8834 after installation.
Nessus tutorials:
- How to Install Nessus on Ubuntu 2026
- Nessus Scan Configuration Best Practices
- How to Reset Nessus Password — quick fix for locked accounts
Choosing the Right Tool: Decision Framework
Do you have a captured hash?
  YES → Use Hashcat (GPU) or John (CPU/auto-detect)
    └─ WiFi WPA2? → Use Aircrack-ng to capture, then Hashcat to crack
  NO → Do you have a live login service?
    YES → Use Hydra
    NO → Use Nessus to scan first and identify targets
Common Attack Scenarios
Scenario 1: Penetration test, you dumped /etc/shadow
Use John for quick auto-detection or Hashcat with -m 1800 (sha512crypt) for GPU speed.
Scenario 2: You captured a WPA2 handshake from a WiFi network
Convert to hc22000 format with hcxtools, then crack with hashcat -m 22000.
Scenario 3: Web application with a login form
Use Hydra with http-post-form module and a targeted wordlist.
Scenario 4: Internal network assessment, looking for low-hanging fruit
Run Nessus with default credential plugins enabled. It will flag printers, routers, and devices with factory passwords.
Wordlists: The Foundation of Dictionary Attacks
All dictionary-based tools depend on the quality of your wordlist. Kali Linux includes several:
# The most commonly used wordlist
ls -lh /usr/share/wordlists/rockyou.txt.gz
# Decompress if needed
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
# Other Kali wordlists
ls /usr/share/wordlists/
Popular supplementary wordlists:
- rockyou2021.txt — Expanded 82GB compilation (~8.4 billion passwords)
- SecLists — apt install seclists — massive collection organized by category
- CeWL — Spider a target website and generate a custom wordlist from its content
- CUPP — Generate personalized wordlists based on target profile information
Performance Tips
- Always use GPU for Hashcat — CPU mode is 10-100x slower on modern hashes
- Use optimized kernels — Add -O flag to Hashcat for 10-20% speed boost on most modes
- Start with rules, not brute-force — best64.rule covers most real-world passwords efficiently
- Filter by minimum password policy — If you know a site enforces 8+ chars with mixed case, skip shorter candidates
- Use PMKID capture for WPA2 — No deauthentication needed; more reliable than handshake capture
FAQ
Q: Is Hashcat legal to use? A: Hashcat itself is legal software. Using it to crack passwords on systems or hashes you do not own or have authorization to test is illegal. Use it only on your own systems, in authorized penetration tests, or in legal CTF competitions.
Q: What is the difference between online and offline attacks? A: Offline attacks (Hashcat, John) work on captured hashes without touching the target. Offline attacks can run at billions of attempts per second. Online attacks (Hydra) connect to live services in real time, constrained by network speed, service rate limits, and lockout policies.
Q: Which GPU is best for Hashcat in 2026? A: The RTX 5090 delivers the highest raw performance (~3,800 kH/s on WPA2), but the RTX 4090 offers better value at ~$1,400 used. See the full GPU benchmark table for detailed comparisons.
Q: Can I run these tools on a regular laptop? A: Yes, but with reduced performance. A laptop with an NVIDIA GPU can run Hashcat via CUDA. For CPU-only systems, John the Ripper is a better fit. Online tools like Hydra are not GPU-dependent and work fine on any hardware.
Q: Do I need a special WiFi adapter for Aircrack-ng? A: Yes. You need an adapter that supports monitor mode and packet injection. The Alfa AWUS036NHA and AWUS036ACH are well-tested options. See the Alfa AWUS036ACH guide for setup instructions.