Passwords & brute-force cheatsheet¶
When a payload is passworded, guess before you brute-force — then reach for wordlists. Recipes below are ordered by likelihood of success.
Guess first¶
The passphrase is very often one of these — try them (and their lower/upper/leet variants) before any wordlist:
- the filename (with and without extension) and the challenge name;
- the image/audio subject or author;
- any string already in
strings/exiftooloutput; - the empty password
''(the single most-forgotten step for steghide).
$ steghide extract -sf image.jpg -p '' # always try this
$ for p in "$(basename image.jpg .jpg)" "$(cat clue.txt)"; do \
steghide extract -sf image.jpg -p "$p" && break; done
Wordlists¶
$ ls -la /usr/share/wordlists/rockyou.txt # the default CTF list
$ gunzip -k /usr/share/wordlists/rockyou.txt.gz # if it's still gzipped
Generate a targeted list from page/challenge words when rockyou fails:
cewl https://challenge.example -w words.txt, or mangle with
john --wordlist=words.txt --rules --stdout.
steghide (JPEG/BMP/WAV/AU)¶
$ stegseek image.jpg /usr/share/wordlists/rockyou.txt # ~seconds on rockyou
$ stegseek --seed image.jpg # detect payload, no wordlist
stegseek is far faster than the classic
stegcracker. On success it writes the passphrase and the extracted file.
ZIP¶
$ zip2john secret.zip > zip.hash && john --wordlist=rockyou.txt zip.hash
$ fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt secret.zip # -u verifies
$ fcrackzip -b -c 'a1' -l 1-6 secret.zip # brute force
- ZipCrypto + known inner file → skip cracking entirely, use a
known-plaintext attack with
bkcrack(see the files cheatsheet).
PDF / Office / other¶
$ pdf2john secret.pdf > h && john --wordlist=rockyou.txt h
$ office2john secret.docx > h && john --wordlist=rockyou.txt h
$ john --show h # print the cracked password
*2john helpers exist for RAR (rar2john), 7z (7z2john.pl), KeePass
(keepass2john), and more. For GPUs, feed the same hash to hashcat with the
matching mode (hashcat --help | grep -i zip).
WPA handshakes¶
$ aircrack-ng -w rockyou.txt capture.pcap # or hcxpcapngtool → hashcat -m 22000
Know when to stop
Strong crypto (AES-256 zip, modern Office, WPA3) will not fall to rockyou. If the "password" resists, re-read the challenge — the key is usually findable (a clue, a reused string, a known-plaintext file), not brute-forced.
Related¶
- Tools: stegseek · steghide · strings · exiftool.
- Archives & known-plaintext: Files & Archives cheatsheet.