# Audit Password Hashes with Hashcat

Password audit work is risky when teams lack a clear, authorized workflow. This skill guides Hashcat planning, execution, evidence handling, and remediation reporting.

## Install

```bash
npx skillstore add agentsecops/crack-hashcat
```

## Metadata

- Slug: agentsecops-crack-hashcat
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/offsec/crack-hashcat
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: high
- Risk factors: external_commands, network, filesystem, env_access, scripts
- Quality score: 38
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/agentsecops-crack-hashcat
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-crack-hashcat/manifest

## Capabilities

- Identifies common Hashcat hash modes for MD5, SHA1, NTLM, bcrypt, WPA2, and Kerberos ticket material.
- Guides dictionary, mask, hybrid, combinator, and rule-based attack planning for authorized audits.
- Provides workflow steps for preparing hash files, managing sessions, and reviewing cracking status.
- Explains performance tuning options for GPU devices, workloads, optimized kernels, and runtime limits.
- Connects cracking results to password policy analysis, reporting, and defensive remediation.

## Use Cases

- Enterprise Password Audit: Plan an authorized Hashcat audit, select attack modes, and summarize weak password patterns for remediation.
- Forensic Password Recovery: Recover access to approved evidence materials while documenting custody, scope, and secure result handling.
- Password Policy Validation: Use cracking results to assess whether current password rules resist common wordlists and predictable masks.

## Prompt Templates

### Plan a Basic Audit

```
I have written authorization for a password hash audit. Help me identify the hash type, choose a safe first attack mode, and define handling rules for results.
```

### Choose Attack Strategy

```
Given these authorized hash types and password policy details, recommend a Hashcat attack sequence with expected tradeoffs and stopping criteria.
```

### Analyze Audit Results

```
Review my authorized cracking results summary and turn it into password policy findings, risk themes, and remediation priorities without exposing plaintext passwords.
```

### Design an Evidence-Safe Workflow

```
Create a controlled Hashcat workflow for sensitive credential evidence, including authorization checks, storage controls, audit logging, reporting, and secure deletion.
```

## Limitations

- It does not verify that the user has legal authorization to crack a given hash set.
- It does not execute Hashcat automatically or validate commands against the local system.
- It cannot guarantee successful recovery for strong passwords or slow hash algorithms.
- It requires careful handling of plaintext passwords and extracted credential material.

## Best Practices

- Get written authorization and define scope before handling any hashes or plaintext results.
- Store hash files, potfiles, and reports in encrypted locations with limited access.
- Report patterns and remediation priorities instead of sharing plaintext passwords broadly.

## Anti-Patterns

- Do not crack hashes from systems, users, or networks outside the approved scope.
- Do not paste real hashes or cracked passwords into public tools or shared chats.
- Do not run copied installer scripts or cracking commands without reviewing their effects.

## Security Audit

- Safe to publish: false
- Audited at: 2026-06-28T05:16:50.927+00:00
- Summary: Static analysis findings are largely true positives for dual-use credential access and password cracking workflows, including privileged hash extraction and cracked password handling. No evidence found of prompt injection, hidden exfiltration, or confirmed malicious intent, but the skill provides operational guidance that can enable unauthorized credential attacks if misused.

## Stats

- Views: 409
- Downloads: 4
- Favorites: 0
- Popularity score: 0
