Got a fat NTDS.dit dump last week. 10,247 NTLM hashes from a mid-sized company, no context, no hints - just hashes. Figured I'd document the process since people keep asking me how this actually works in practice.
Running a multi-GPU RTX cluster, getting about 5.3 TH/s on NTLM mode 1000. Yeah, trillion with a T.
## First thing - don't even touch the GPUs yet
Before I waste a single watt of electricity, every hash goes through our lookup database. We've built up a collection of 1.5 billion+ cracked pairs over time. Flat file lookup, takes about 2 minutes for the whole batch.
4,312 out of 10,247 came back instantly. 42% of the dump, gone, no cracking needed. These are reused passwords from old breaches, defaults, the usual garbage that people keep recycling between their Netflix and their domain account.
(We actually have this as a free tool on hashcrack.net - paste an NTLM, MD5 or SHA1 hash and it checks against the full 1.5B database. Instant results if it's in there.)
## Wordlist + rules - where the real damage happens
Loaded up our main wordlist (~18GB, curated over the years) with a custom rule stack. At 5.3 TH/s the whole thing rips through in about 45 minutes.
3,891 more fell. We're at 80% now.
Looking at what cracked - it's depressing, honestly. Company2024! type stuff. Welcome1. First names with birthdays. The same patterns over and over. I've cracked maybe 200 dumps at this point and I could probably guess 30% of corporate passwords without any tools.
## Masks based on what already cracked
This is where it gets more targeted. I look at the passwords from stages 1 and 2, spot the patterns, and build masks:
?u?l?l?l?l?l?d?d?d?d?s - Capital + lowercase + 4 digits + symbol. Your classic Server2024! enjoyer.
Pure numeric 8-digit for the PIN crowd. Keyboard walks for the 1qaz2wsx people.
8-char masks at our speed = minutes. 9-10 chars with a targeted charset = still doable, maybe an hour or two depending on the mask.
+712. Running total: 87%.
## Hybrid + extended brute
Combinator mode (word + brute suffix), then full charset brute-force for anything 8 chars and under. The full 95^8 keyspace on NTLM takes about 20 minutes at our speed, which still blows my mind.
+387 more. Final count: 9,302 / 10,247 - 90.8% in about 3.5 hours.
The remaining ~9% are 11+ character passwords with no dictionary root. Genuinely random stuff, probably from a password manager. Could push to 93-95% with PRINCE and more time, but diminishing returns.
## The patterns never change
After doing this for a while you start seeing the same passwords everywhere:
Season+Year+Symbol is king. Summer2024!, Winter2023!, January2025#. Every. Single. Dump. I'm convinced there's a tutorial somewhere telling people this is a "strong password."
Company name + digits is #2. If the company is called Acme, I guarantee at least 15 people have Acme123 or Acme2024!.
First name + birthday rounds out the top 3. Michael1985, sarah0312, etc. Easy to guess if you have the username too (association attack, hashcat -a 9).
## Why NTLM is basically broken
No salt. No iterations. Single MD4 hash. It was designed for fast authentication on a trusted network, not to resist offline attacks. Every password a normal human would choose is crackable - it's just a question of GPU-hours.
The only thing that actually resists cracking is 14+ characters of random garbage. Which is why password managers exist. Or just use certificate auth and skip the whole mess.
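Added example, written from the defender's side and not part of the original post or its tooling: a small Python audit helper that (a) turns a hashcat-style mask like the ?u?l?l?l?l?l?d?d?d?d?s one above into a keyspace and worst-case run time at the post's 5.3 TH/s, reproducing the "95^8 in about 20 minutes" figure and showing why 14+ random characters are out of reach, and (b) flags the three recurring password shapes (Season+Year+Symbol, Company+digits, Name+birthday) so they can be rejected at password-change time. Charset sizes are hashcat's documented built-ins; the regexes, the sample passwords and the default company name "Acme" are constructed assumptions.

```python
import re
from typing import Optional

# Sizes of hashcat's built-in mask charsets (?l ?u ?d ?s ?a), as documented by hashcat.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat-style mask expands to.
    '?x' is a built-in charset, '??' a literal '?', any other character a literal."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            sym = mask[i + 1]                  # IndexError on a dangling '?', i.e. a malformed mask
            total *= 1 if sym == "?" else CHARSET_SIZES[sym]
            i += 2
        else:
            i += 1                             # literal character: exactly one choice
    return total

def seconds_to_exhaust(mask: str, rate_hps: float = 5.3e12) -> float:
    """Worst-case wall time to run a whole mask at a given hash rate (default: the post's 5.3 TH/s NTLM)."""
    return mask_keyspace(mask) / rate_hps

# Constructed regexes for the three recurring shapes described in the post; the company name is a parameter.
SEASONS_AND_MONTHS = ("spring|summer|autumn|fall|winter|january|february|march|april|may|june|"
                      "july|august|september|october|november|december")

def weak_pattern(password: str, company: str = "Acme") -> Optional[str]:
    """Name the recurring pattern a candidate password matches, or None. Meant as a pre-commit policy check.
    Dictionary+rule hits like 'Welcome1' are a different class and need a wordlist check, not a shape rule."""
    if re.fullmatch(rf"(?i)({SEASONS_AND_MONTHS})(19|20)\d\d[^\w\s]?", password):
        return "season+year+symbol"
    if re.fullmatch(rf"(?i){re.escape(company)}\d+[^\w\s]?", password):
        return "company+digits"
    # a name followed by a 4-digit year or an MMDD birthday
    if re.fullmatch(r"(?i)[a-z]{2,}((19|20)\d\d|(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01]))", password):
        return "name+date"
    return None

if __name__ == "__main__":
    for m in ("?u?l?l?l?l?l?d?d?d?d?s", "?a" * 8, "?a" * 14):
        print(f"{m:30} {mask_keyspace(m):.3e} candidates, {seconds_to_exhaust(m) / 3600:.3g} GPU-hours")
    for pw in ("Summer2024!", "Acme123", "sarah0312", "Welcome1"):   # constructed samples
        print(f"{pw:15} -> {weak_pattern(pw)}")
```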
## If you want to check your own hashes
Free lookup for NTLM, MD5 and SHA1 at hashcrack.net — 1.5 billion pairs, instant results. No account needed.
For stuff the free lookup doesn’t catch, or for harder algorithms (Kerberos, bcrypt, MetaMask wallets, encrypted files) — we run a professional cracking service. $100/hash for fast types, no-crack-no-charge. Details on the site or DM on Telegram.
Obligatory disclaimer: this describes work done under authorized pentest engagements. Don’t crack hashes you don’t have permission to crack.